openssl自签名证书
Contents
无CA签名
生成证书
1 2 3 4 5 6openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout domain.key -out domain.crt \ -addext "subjectAltName=DNS:www.mkl.io,DNS:*.mkl.io" \ -subj '/C=CN/ST=Guangdong/L=Shenzhen/O=mkl/OU=IT/CN=mkl.io' # 查看证书 openssl x509 -in domain.crt -noout -textnginx配置参考
ssl_certificate /path/domain.crt; ssl_certificate_key /path/domain.key;
CA签名
生成证书签发机构证书
生成CA证书私钥
1openssl genrsa -out ca.key 4096生成CA证书
1openssl req -x509 -new -nodes -sha512 -days 3650 -subj "/O=MegaCombine/CN=MegaCombine Certs C1" -key ca.key -out ca.crt
生成服务器证书
- 生成私钥
1openssl genrsa -out mkl.io.key 4096 - 生成证书签名请求(CSR)
1openssl req -sha512 -new -subj "/C=CN/ST=Guangdong/L=Shenzhen/O=mkl/OU=IT/CN=mkl.io" -key mkl.io.key -out mkl.io.csr - 生成x509 v3 扩展文件
1 2 3 4 5 6 7 8 9 10 11tee v3.ext <<- EOF authorityKeyIdentifier=keyid,issuer basicConstraints=CA:FALSE keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment extendedKeyUsage = serverAuth subjectAltName = @alt_names [alt_names] DNS.1=www.mkl.io DNS.2=*.mkl.io EOF - 生成证书
1openssl x509 -req -sha512 -days 3650 -extfile v3.ext -CA ca.crt -CAkey ca.key -CAcreateserial -in mkl.io.csr -out mkl.io.crt
- 生成私钥
查看证书
1openssl x509 -in mkl.io.crt -noout -textnginx配置参考
ssl_certificate /path/mkl.io.crt; ssl_certificate_key /path/mkl.io.key;
参考链接
https://goharbor.io/docs/2.0.0/install-config/configure-https/