Generating a custom SSL certificate signed by your own CA with OpenSSL (a free CA certificate)
1. Environment (exact versions are not critical; the certificates are generated with OpenSSL and served by nginx):
openssl-1.0.2k
nginx-1.21.1
2. Generate the CA root certificate
-
Prepare the CA config file ca.conf (vim ca.conf) with the following contents. In the [ req_distinguished_name ] section, `fieldName = ...` is the text OpenSSL shows as the prompt and `fieldName_default = ...` is the value taken when you just press Enter. The [ v3_ca ] section marks the certificate explicitly as a CA; validators that check basicConstraints refuse to accept a root without CA:TRUE as an issuer.
[ req ]
default_bits = 4096
distinguished_name = req_distinguished_name
x509_extensions = v3_ca
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = CN
stateOrProvinceName = State or Province Name
stateOrProvinceName_default = Shandong
localityName = Locality Name
localityName_default = Jinan
organizationName = Organization Name
organizationName_default = zxy
commonName = Common Name (CA name)
commonName_max = 64
commonName_default = json
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
-
Generate the CA private key, ca.key. Keep this file off any server; whoever holds it can issue certificates that every client trusting ca.crt will accept:
openssl genrsa -out d:/ca.key 4096
-
Generate the CA certificate signing request, ca.csr (accept the defaults by pressing Enter at each prompt):
openssl req -new -sha256 -key d:/ca.key -out d:/ca.csr -config d:/ca.conf
-
Self-sign the request with the CA key to get the root certificate ca.crt, valid for 10 years. openssl x509 -req does not read extensions from the request, so the v3_ca section has to be passed explicitly with -extfile/-extensions:
openssl x509 -req -days 3650 -sha256 -in d:/ca.csr -signkey d:/ca.key -out d:/ca.crt -extfile d:/ca.conf -extensions v3_ca
3. Generate the end-entity (server) certificate
-
Prepare the config file server.conf (vim server.conf) with the following contents. The req_ext section carries the subjectAltName; modern browsers ignore the CN and match the address only against the SAN, so a server reached by IP needs the IP entry below (add DNS.1 = hostname lines for any host names you also use). basicConstraints CA:FALSE and extendedKeyUsage serverAuth are the usual leaf-certificate attributes and are required by some clients:
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
req_extensions = req_ext
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = CN
stateOrProvinceName = State or Province Name
stateOrProvinceName_default = Shandong
localityName = Locality Name
localityName_default = Jinan
organizationName = Organization Name
organizationName_default = zxy
commonName = Common Name (server IP or host name)
commonName_max = 64
commonName_default = 192.168.1.14
[ req_ext ]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
IP.1 = 192.168.1.14
-
Generate the server private key, server.key:
openssl genrsa -out d:/server.key 2048
-
Generate the certificate signing request, server.csr (accept the defaults by pressing Enter at each prompt):
openssl req -new -sha256 -out d:/server.csr -key d:/server.key -config d:/server.conf
-
Sign the request with the CA to get the server certificate server.crt. openssl x509 -req ignores the extensions embedded in the CSR, which is why -extfile/-extensions point back at server.conf; -CAcreateserial writes ca.srl next to ca.crt, and that file should be kept so later certificates get distinct serial numbers. Apple clients reject TLS server certificates valid for more than 825 days, so keep -days at or below that for the leaf (the CA certificate itself can stay at 3650):
openssl x509 -req -days 825 -sha256 -CA d:/ca.crt -CAkey d:/ca.key -CAcreateserial -in d:/server.csr -out d:/server.crt -extensions req_ext -extfile d:/server.conf
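The whole CA and server-certificate procedure above as one script, added here as an example (it is not code from the original page). It builds the root with CA:TRUE, issues the server certificate with a SAN, and then checks the result the way a client would with openssl verify. The DN values and the IP 192.168.1.14 are the page's own; WORKDIR, the 825-day leaf validity and the DNS:localhost SAN entry are assumptions. It uses prompt = no so the DN comes from the file instead of interactive prompts, and signs the root in one step with req -x509 instead of a separate CSR.

```sh
#!/bin/sh
# Added example, not from the original page: private CA + server certificate
# with OpenSSL, then verification. WORKDIR, the 825-day leaf validity and the
# DNS:localhost SAN entry are assumptions; the DN values and the IP are the
# ones used on the page.
set -e

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# CA request config: prompt=no takes the DN straight from the file, and the
# v3_ca section marks the certificate as a CA (basicConstraints CA:TRUE).
write_ca_conf() {
    cat > "$WORKDIR/ca.conf" <<'EOF'
[ req ]
default_bits       = 4096
prompt             = no
distinguished_name = req_distinguished_name
x509_extensions    = v3_ca
[ req_distinguished_name ]
C  = CN
ST = Shandong
L  = Jinan
O  = zxy
CN = json
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
}

# Server request config: the SAN is what browsers match the address against.
write_server_conf() {
    cat > "$WORKDIR/server.conf" <<'EOF'
[ req ]
default_bits       = 2048
prompt             = no
distinguished_name = req_distinguished_name
req_extensions     = req_ext
[ req_distinguished_name ]
C  = CN
ST = Shandong
L  = Jinan
O  = zxy
CN = 192.168.1.14
[ req_ext ]
basicConstraints = CA:FALSE
keyUsage         = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = @alt_names
[ alt_names ]
IP.1  = 192.168.1.14
DNS.1 = localhost
EOF
}

# Root key and self-signed root certificate in one step (-x509 skips the CSR).
make_ca() {
    write_ca_conf
    openssl genrsa -out "$WORKDIR/ca.key" 4096 2>/dev/null
    openssl req -new -x509 -sha256 -days 3650 -key "$WORKDIR/ca.key" \
        -config "$WORKDIR/ca.conf" -extensions v3_ca -out "$WORKDIR/ca.crt"
}

# Server key, CSR, and CA-signed certificate. x509 -req drops the CSR's own
# extensions, so -extfile/-extensions re-read them from server.conf.
make_server_cert() {
    write_server_conf
    openssl genrsa -out "$WORKDIR/server.key" 2048 2>/dev/null
    openssl req -new -sha256 -key "$WORKDIR/server.key" \
        -config "$WORKDIR/server.conf" -out "$WORKDIR/server.csr"
    openssl x509 -req -sha256 -days 825 -in "$WORKDIR/server.csr" \
        -CA "$WORKDIR/ca.crt" -CAkey "$WORKDIR/ca.key" -CAcreateserial \
        -extfile "$WORKDIR/server.conf" -extensions req_ext \
        -out "$WORKDIR/server.crt" 2>/dev/null
}

# Prints OK when server.crt chains to ca.crt, the root is flagged CA:TRUE and
# the leaf carries the IP in its SAN; prints FAIL otherwise.
verify_chain() {
    openssl verify -CAfile "$WORKDIR/ca.crt" "$WORKDIR/server.crt" >/dev/null 2>&1 \
        || { echo FAIL; return 1; }
    openssl x509 -in "$WORKDIR/ca.crt" -noout -text | grep -q 'CA:TRUE' \
        || { echo FAIL; return 1; }
    openssl x509 -in "$WORKDIR/server.crt" -noout -text | grep -q 'IP Address:192.168.1.14' \
        || { echo FAIL; return 1; }
    echo OK
}

make_ca
make_server_cert
verify_chain
echo "certificates written to $WORKDIR"
```

Run it with `sh make_certs.sh` (or `WORKDIR=/path sh make_certs.sh` to choose the output directory); it prints OK and the directory holding ca.crt, ca.key, server.crt and server.key. The verify_chain function is the check worth keeping around: openssl verify fails on exactly the defects a browser would complain about later, such as a root without CA:TRUE or a leaf signed by the wrong key.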
4. Using the certificate
-
nginx configuration (server block in nginx.conf):
server {
    listen 443 ssl;
    server_name localhost;
    ssl_certificate D:/diy_ca/server.crt;
    ssl_certificate_key D:/diy_ca/server.key;
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 5m;
    # nginx 1.21 still enables TLSv1 and TLSv1.1 by default; allow only current versions
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    location / {
        root /usr/share/nginx/html;
        index index.html index.htm;
    }
}
Two things to check before testing. First, the client has to trust ca.crt: import it into the OS or browser trust store, or into a Java truststore with keytool -importcert. Second, the address typed into the client has to match the SAN, so reach this server as https://192.168.1.14/ rather than https://localhost/ unless DNS.1 = localhost was also added to alt_names. Only server.crt and server.key belong on the web server; ca.key stays offline.