当前位置：首页 > article >正文

本地局域基于ip地址生成证书

article 2024/11/30 4:47:03

将这个脚本直接执行，然后输入需要绑定的ip和输入证书年限就可以了，然后配置nginx。

脚本：sslzhegnhsu.sh

#! /bin/bash

echo "请输入服务器IP地址"
read ip 

echo "请输入证书年限"
read year

year=$(expr $year + 0)

days=$(expr $year \* 365)

# echo $days

# 生成私钥
openssl genrsa -out ca.key 2048

# 生成公钥
openssl req -new -x509 -days $days -key ca.key -out ca.crt -subj "//C=CN/C=CN/ST=BJ/L=SJS/O=GuFei/OU=dev/CN=xxzx.com"

# 创建 openssl.cnf 配置文件
cat << EOF > openssl.cnf
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req

[req_distinguished_name]
countryName = Country Name (2 letter code)
countryName_default = US
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = NY
localityName = Locality Name (eg, city)
localityName_default = NYC
organizationalName  = Organizational Name (eg, section)
organizationalName_default  = gufei
organizationalUnitName  = Organizational Unit Name (eg, section)
organizationalUnitName_default  = dev
commonName = Common Name (eg, your name or your server's hostname)
commonName_max  = 64

[v3_req]
# Extensions to add to a certificate request
basicConstraints = CA:TRUE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names

[alt_names]
IP.1 = $ip 
EOF

# 创建v3.ext文件
cat << EOF > v3.ext 
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage=digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName=@alt_names
[alt_names]
IP.1 = $ip 
EOF

# 服务器证书私钥
openssl genrsa -out server.key 2048

# 服务器证书公钥
openssl req -new -days $days -key server.key -out server.csr -config openssl.cnf -subj //C=CN/C=CN/ST=BJ/L=SJS/O=GuFei/OU=dev/CN=xxzx.com

# 用自己的 CA 给自己的服务器公钥签名
openssl x509 -days $days -req -sha256 -extfile v3.ext -CA ca.crt -CAkey ca.key -CAcreateserial -in server.csr -out server.crt

rm {ca.key,ca.srl,server.csr,openssl.cnf,v3.ext}

生成 server.crt 和server.crt 放到nginx的配置文件下

nginx配置

server {
       listen       443 ssl;	   
	   server_name  localhost;
        ssl_certificate      cert/server.crt;
        ssl_certificate_key  cert/server.key;		
        ssl_session_timeout  5m;
        ssl_ciphers  ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_prefer_server_ciphers  on;
 
        location / {
		        root   html;
		        index  index.html index.htm;
		    }
      
    }

在配置一个80转443端口

#80转443
	
	# server {
    #    listen       80;
    #    server_name  servername.com; 
	#	  rewrite ^/(.*)$ https://servername.com/$1 permanent;
    #   		  
    #}

参照：lesson --- ip_https_cert: 生成基于IP的https证书

自定义基于IP地址的Https证书_哔哩哔哩_bilibili

查看全文

http://www.kler.cn/a/415152.html