无CA签名（自签名证书：没有签发机构，客户端必须直接信任 domain.crt 本身）

  • 生成证书

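# Self-signed server certificate (no CA): private key and certificate in one step.
# - -nodes leaves domain.key unencrypted so nginx can read it unattended at startup;
#   the umask 077 subshell makes both output files 0600 (recent OpenSSL already does
#   this for private-key outputs, older builds honor the umask). Keep the key out of
#   version control; chmod 644 domain.crt if the public cert has to be distributed.
# - -addext needs OpenSSL >= 1.1.1.
# - subjectAltName must list every hostname clients will connect to: modern clients
#   ignore CN, and the wildcard *.example.com does NOT match the bare apex
#   example.com, so the apex is listed explicitly.
# - -days 825: Apple platforms reject TLS server certificates valid for more than
#   825 days, which the original 3650 exceeded.
(
  umask 077
  openssl req -x509 -nodes -newkey rsa:2048 -days 825 \
    -keyout domain.key -out domain.crt \
    -subj '/C=CN/ST=Guangdong/L=Shenzhen/O=example/OU=IT/CN=example.com' \
    -addext "subjectAltName=DNS:example.com,DNS:www.example.com,DNS:*.example.com"
)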
  • 查看证书

# Dump the generated certificate in human-readable form (no PEM body).
# Check here that X509v3 Subject Alternative Name carries every hostname you need
# and that Not Before / Not After are what you expect.
openssl x509 -noout -text -in domain.crt
  • nginx配置参考

# nginx TLS material for the self-signed setup above.
# ssl_certificate: the certificate presented to clients. No CA is involved, so
#   clients have to trust domain.crt itself (import it into their trust store);
#   browsers will otherwise warn.
# ssl_certificate_key: the unencrypted private key; it is read by the nginx master
#   process at startup. Keep it 0600 and root-owned, never world-readable, never in
#   version control.
# Consider also restricting protocols, e.g. `ssl_protocols TLSv1.2 TLSv1.3;`.
ssl_certificate     /path/domain.crt;
ssl_certificate_key /path/domain.key;

CA签名（自建私有CA签发：客户端只需信任 ca.crt，即可信任该CA签发的所有服务器证书）

  • 生成签发机构证书

  1. 生成CA证书私钥
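# CA private key. This key is the root of trust for every certificate the CA will
# issue: keep it off the web server and passphrase-protect it (-aes256) so that a
# copied file alone is not enough to mint certificates. openssl prompts for the
# passphrase here and again each time ca.key is used (use -passout / -passin for
# scripted use). The umask 077 subshell makes the file 0600 regardless of the
# OpenSSL version in use.
(umask 077; openssl genrsa -aes256 -out ca.key 4096)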
  2. 生成CA证书
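# Root CA certificate, self-signed with ca.key. A 10-year validity is acceptable for
# a private root; the 825-day client limit applies to TLS server (leaf) certificates.
# - keyUsage is pinned to certificate/CRL signing so ca.key cannot double as a TLS
#   server or client key even if it leaks. -addext needs OpenSSL >= 1.1.1.
# - basicConstraints CA:TRUE is added automatically by OpenSSL >= 3.0 and by the
#   [v3_ca] section of the stock openssl.cnf on 1.1.1; confirm it in the
#   `openssl x509 -text` output and, if it is missing, add
#   -addext "basicConstraints=critical,CA:TRUE".
# - -nodes only affects a key generated by -newkey; with -key it is a no-op, so it
#   is dropped. If ca.key is passphrase-protected, openssl prompts for it here.
openssl req -x509 -new -sha512 -days 3650 \
  -subj "/O=Example/CN=Example Certs C1" \
  -key ca.key -out ca.crt \
  -addext "keyUsage=critical,keyCertSign,cRLSign"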
  • 生成服务器证书

  1. 生成私钥
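# Server private key. Generated inside a subshell with umask 077 so the file is
# created 0600 whatever the OpenSSL version (recent builds already do this for key
# outputs, older ones honor the umask). It is left unencrypted because nginx must
# read it at startup without a passphrase — protect it with filesystem permissions
# and keep it out of version control.
(umask 077; openssl genrsa -out example.com.key 4096)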
  2. 生成证书签名请求(CSR)
# Certificate signing request for the server key.
# CN=example.com is informational only for modern clients — the hostnames that
# actually get validated are set through the SAN in v3.ext at signing time, since
# `openssl x509 -req` does not copy extensions from the CSR by default.
openssl req -new -sha512 \
  -key example.com.key \
  -subj "/C=CN/ST=Guangdong/L=Shenzhen/O=Example/OU=IT/CN=example.com" \
  -out example.com.csr
  3. 生成x509 v3 扩展文件
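# X.509 v3 extensions for the server certificate. `openssl x509 -req` only applies
# extensions given via -extfile, so this file is authoritative.
# - basicConstraints CA:FALSE (critical): a leaf must never be able to sign further
#   certificates.
# - keyUsage / extendedKeyUsage limited to what a TLS server needs
#   (nonRepudiation and dataEncipherment were dropped as unused by TLS).
# - subjectKeyIdentifier is included explicitly because OpenSSL 1.1.1's x509 -req
#   adds nothing by itself.
# - subjectAltName must list every hostname clients will connect to: modern clients
#   ignore CN, and *.example.com does NOT match the bare apex example.com, so the
#   apex is listed alongside www and the wildcard.
# The here-doc delimiter is quoted so nothing inside is shell-expanded.
tee v3.ext <<'EOF'
authorityKeyIdentifier=keyid,issuer
subjectKeyIdentifier=hash
basicConstraints=critical,CA:FALSE
keyUsage=critical,digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
subjectAltName=@alt_names

[alt_names]
DNS.1=example.com
DNS.2=www.example.com
DNS.3=*.example.com
EOF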
  4. 生成证书
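# Issue the server certificate: sign the CSR with the CA key and apply v3.ext
# (extensions requested inside the CSR are not copied by default).
# - -CAcreateserial creates ca.srl next to ca.crt on first use and increments it
#   afterwards; keep that file with the CA so every issued certificate gets a
#   distinct serial number.
# - -days 825: Apple platforms reject TLS server certificates valid for more than
#   825 days, which the original 3650 exceeded.
# - If ca.key is passphrase-protected, openssl prompts for it here (-passin for
#   scripted use).
openssl x509 -req -sha512 -days 825 \
  -in example.com.csr \
  -CA ca.crt -CAkey ca.key -CAcreateserial \
  -extfile v3.ext \
  -out example.com.crt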
  • 查看证书

# Inspect the issued certificate in text form (PEM body suppressed).
# Verify here that the Issuer is the CA, that X509v3 Basic Constraints is CA:FALSE,
# and that the Subject Alternative Name lists every hostname from v3.ext.
openssl x509 -noout -text -in example.com.crt
  • nginx配置参考

# nginx TLS material for the private-CA setup above.
# ssl_certificate: the leaf certificate issued by ca.crt. Clients must have ca.crt
#   in their trust store. There is no intermediate in this setup, so the file holds
#   the leaf alone; if an intermediate is ever introduced, this file must contain
#   the full chain, leaf first.
# ssl_certificate_key: the unencrypted private key, read by the nginx master
#   process at startup. Keep it 0600 and root-owned, never world-readable, never in
#   version control.
# Consider also restricting protocols, e.g. `ssl_protocols TLSv1.2 TLSv1.3;`.
ssl_certificate     /path/example.com.crt;
ssl_certificate_key /path/example.com.key;

参考链接

https://www.digitalocean.com/community/tutorials/openssl-essentials-working-with-ssl-certificates-private-keys-and-csrs#generate-a-self-signed-certificate

https://goharbor.io/docs/2.0.0/install-config/configure-https/