Generating SSL certificates (CA + server)
chen
Tags:
nginx, gunicorn, shell
##### Chinese version of the certificate generation script

```shell
#!/bin/bash
# generate_ssl.sh

SSL_DIR="/etc/nginx/ssl"

echo "=== 清理旧证书 ==="
if [ -d "$SSL_DIR" ]; then
    echo "删除目录: $SSL_DIR"
    rm -rf "$SSL_DIR"
fi

echo "=== 创建新目录 ==="
mkdir -p "$SSL_DIR"

echo "=== 1. 创建CA私钥和根证书 ==="
# Generate the CA private key
openssl genrsa -out "$SSL_DIR/ca.key" 4096

# Generate the CA root certificate
openssl req -x509 -new -nodes -key "$SSL_DIR/ca.key" -sha256 -days 3650 \
    -out "$SSL_DIR/ca.crt" \
    -subj "/C=CN/ST=Beijing/L=Beijing/O=MyCompany/OU=IT/CN=MyCompany Root CA"

echo "=== 2. 创建服务器私钥和证书请求 ==="
# Generate the server private key
openssl genrsa -out "$SSL_DIR/server.key" 2048

# Create the certificate request configuration file
cat > /tmp/server.cnf << EOCONFIG
[req]
default_bits = 2048
prompt = no
default_md = sha256
distinguished_name = dn
req_extensions = req_ext

[dn]
C = CN
ST = Beijing
L = Beijing
O = MyCompany
OU = IT
CN = mydjango.local

[req_ext]
subjectAltName = @alt_names

[alt_names]
DNS.1 = mydjango.local
DNS.2 = www.mydjango.local
DNS.3 = localhost
IP.1 = 192.168.220.135
IP.2 = 192.168.101.10
IP.3 = 127.0.0.1
EOCONFIG

# Generate the certificate signing request
openssl req -new -key "$SSL_DIR/server.key" -out "$SSL_DIR/server.csr" \
    -config /tmp/server.cnf

echo "=== 3. 创建扩展配置文件 ==="
cat > /tmp/v3.ext << EOCONFIG
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = mydjango.local
DNS.2 = www.mydjango.local
DNS.3 = localhost
IP.1 = 192.168.220.135
IP.2 = 192.168.101.10
IP.3 = 127.0.0.1
EOCONFIG

echo "=== 4. 用CA签发服务器证书 ==="
# Sign the server certificate with the CA certificate
openssl x509 -req -in "$SSL_DIR/server.csr" \
    -CA "$SSL_DIR/ca.crt" -CAkey "$SSL_DIR/ca.key" -CAcreateserial \
    -out "$SSL_DIR/server.crt" -days 3650 -sha256 \
    -extfile /tmp/v3.ext

echo "=== 5. 设置权限 ==="
chmod 600 "$SSL_DIR/ca.key"
chmod 644 "$SSL_DIR/ca.crt"
chmod 600 "$SSL_DIR/server.key"
chmod 644 "$SSL_DIR/server.crt"

echo "=== 6. 验证证书 ==="
echo "CA证书信息:"
openssl x509 -in "$SSL_DIR/ca.crt" -noout -subject -dates
echo -e "\n服务器证书信息:"
openssl x509 -in "$SSL_DIR/server.crt" -noout -subject -dates
echo -e "\n服务器证书SAN信息:"
openssl x509 -in "$SSL_DIR/server.crt" -text -noout | grep -A1 "Subject Alternative Name"

echo -e "\n=== 7. 导出Windows证书 ==="
# Export the CA certificate in Windows (DER) format
openssl x509 -outform der -in "$SSL_DIR/ca.crt" -out "/tmp/mycompany-ca.der"
echo "CA证书已导出到: /tmp/mycompany-ca.der"

echo -e "\n=== 完成 ==="
echo "请将 /tmp/mycompany-ca.der 复制到Windows并执行以下操作:"
echo "1. 双击 mycompany-ca.der 文件"
echo "2. 点击'安装证书'"
echo "3. 选择'本地计算机' -> 下一步"
echo "4. 选择'将所有的证书都放入下列存储'"
echo "5. 点击'浏览' -> 选择'受信任的根证书颁发机构'"
echo "6. 点击'确定' -> '下一步' -> '完成'"
echo -e "\n然后重启浏览器访问 https://192.168.101.10 和 https://192.168.220.135"
```

```shell
sudo ./generate_ssl.sh
```

###### Core certificate files (stored in the /etc/nginx/ssl/ directory):

| File | Role | Details |
|---|---|---|
| ca.key | CA private key | The certificate authority's private key, used to sign every server certificate. It must be kept strictly secret: if it leaks, the whole certificate hierarchy is compromised. |
| ca.crt | CA root certificate | The certificate authority's root certificate. Windows and other clients must install it in order to trust every certificate issued by this CA. |
| server.key | Server private key | The private key used by the Nginx server for SSL/TLS encrypted communication. It must be kept secret; only the Nginx process needs to read it. |
| server.crt | Server certificate | The Nginx server's public-key certificate. It carries the server's identity (IP addresses, domain names) and is signed by the CA private key. |

```shell
sudo systemctl restart nginx   # restart the server
sudo cp /etc/nginx/ssl/ca.crt /mnt/hgfs/ub_share/
```

###### After the two commands above have run, close all browsers and open them again, in case a cached certificate causes errors.
###### Entering either 192.168.101.10 or 192.168.220.135 works.
###### 192.168.101.10 (remember to configure NAT forwarding for port 443)
###### Besides the host machine, other computers on 192.168.101.X can also access it normally.

##### Appendix: English version of the certificate generation shell script:

```shell
#!/bin/bash

SSL_DIR="/etc/nginx/ssl"

echo "=== Clean up old certificates ==="
if [ -d "$SSL_DIR" ]; then
    echo "Deleting directory: $SSL_DIR"
    rm -rf "$SSL_DIR"
fi

echo "=== Create new directory ==="
mkdir -p "$SSL_DIR"

echo "=== 1. Create CA private key and root certificate ==="
# Generate CA private key
openssl genrsa -out "$SSL_DIR/ca.key" 4096

# Generate CA root certificate
openssl req -x509 -new -nodes -key "$SSL_DIR/ca.key" -sha256 -days 3650 \
    -out "$SSL_DIR/ca.crt" \
    -subj "/C=CN/ST=Beijing/L=Beijing/O=MyCompany/OU=IT/CN=MyCompany Root CA"

echo "=== 2. Create server private key and certificate request ==="
# Generate server private key
openssl genrsa -out "$SSL_DIR/server.key" 2048

# Create certificate request configuration file
cat > /tmp/server.cnf << EOCONFIG
[req]
default_bits = 2048
prompt = no
default_md = sha256
distinguished_name = dn
req_extensions = req_ext

[dn]
C = CN
ST = Beijing
L = Beijing
O = MyCompany
OU = IT
CN = mydjango.local

[req_ext]
subjectAltName = @alt_names

[alt_names]
DNS.1 = mydjango.local
DNS.2 = www.mydjango.local
DNS.3 = localhost
IP.1 = 192.168.220.135
IP.2 = 192.168.101.10
IP.3 = 127.0.0.1
EOCONFIG

# Generate certificate signing request
openssl req -new -key "$SSL_DIR/server.key" -out "$SSL_DIR/server.csr" \
    -config /tmp/server.cnf

echo "=== 3. Create extension configuration file ==="
cat > /tmp/v3.ext << EOCONFIG
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = mydjango.local
DNS.2 = www.mydjango.local
DNS.3 = localhost
IP.1 = 192.168.220.135
IP.2 = 192.168.101.10
IP.3 = 127.0.0.1
EOCONFIG

echo "=== 4. Sign server certificate with CA ==="
# Sign server certificate with CA certificate
openssl x509 -req -in "$SSL_DIR/server.csr" \
    -CA "$SSL_DIR/ca.crt" -CAkey "$SSL_DIR/ca.key" -CAcreateserial \
    -out "$SSL_DIR/server.crt" -days 3650 -sha256 \
    -extfile /tmp/v3.ext

echo "=== 5. Set permissions ==="
chmod 600 "$SSL_DIR/ca.key"
chmod 644 "$SSL_DIR/ca.crt"
chmod 600 "$SSL_DIR/server.key"
chmod 644 "$SSL_DIR/server.crt"

echo "=== 6. Verify certificates ==="
echo "CA Certificate Information:"
openssl x509 -in "$SSL_DIR/ca.crt" -noout -subject -dates
echo -e "\nServer Certificate Information:"
openssl x509 -in "$SSL_DIR/server.crt" -noout -subject -dates
echo -e "\nServer Certificate SAN Information:"
openssl x509 -in "$SSL_DIR/server.crt" -text -noout | grep -A1 "Subject Alternative Name"

echo -e "\n=== 7. Export Windows certificate ==="
# Export CA certificate in Windows (DER) format
openssl x509 -outform der -in "$SSL_DIR/ca.crt" -out "/tmp/mycompany-ca.der"
echo "CA certificate exported to: /tmp/mycompany-ca.der"

echo -e "\n=== Complete ==="
echo "Please copy /tmp/mycompany-ca.der to Windows and perform the following:"
echo "1. Double-click mycompany-ca.der file"
echo "2. Click 'Install Certificate'"
echo "3. Select 'Local Machine' -> Next"
echo "4. Select 'Place all certificates in the following store'"
echo "5. Click 'Browse' -> Select 'Trusted Root Certification Authorities'"
echo "6. Click 'OK' -> 'Next' -> 'Finish'"
echo -e "\nThen restart browser and visit https://192.168.101.10 and https://192.168.220.135"
```
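Step 4 passes `-extfile` because `openssl x509 -req` does not copy the CSR's extensions into the certificate by default; leave it out and the server certificate ends up with no SAN list, which browsers reject. The following checks, added here as an example and not part of the original post's script, verify that a generated server.crt is a leaf certificate carrying every expected SAN. The two sample texts are constructed; only `check_server_cert_file` and `verify_chain` assume `openssl` is on PATH.

```shell
#!/bin/sh
# Added example, not from the original post: checks on a server certificate
# produced by the script above. Only the *_file and verify_chain helpers need
# openssl; the text helpers run offline on the constructed samples below.

# Constructed sample: the extension block a correctly signed server.crt shows
# in `openssl x509 -text -noout`; the names match the page's v3.ext.
SAMPLE_GOOD='            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Subject Alternative Name:
                DNS:mydjango.local, DNS:www.mydjango.local, DNS:localhost, IP Address:192.168.220.135, IP Address:192.168.101.10, IP Address:127.0.0.1'

# Constructed sample: what step 4 produces if -extfile is left out, since
# `openssl x509 -req` does not copy the CSR's extensions by default.
SAMPLE_BAD='        Subject: C = CN, ST = Beijing, O = MyCompany, CN = mydjango.local
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption'

# Print one SAN entry per line ("DNS:host" or "IP Address:a.b.c.d"); $1 is cert text.
san_names() {
    printf '%s\n' "$1" | grep -A1 'Subject Alternative Name' | tail -n 1 \
        | tr ',' '\n' | sed 's/^[[:space:]]*//; s/[[:space:]]*$//'
}

# Succeed only if SAN entry $2 appears verbatim in cert text $1.
has_san() { san_names "$1" | grep -qxF -- "$2"; }

# Succeed only if the cert is marked as a leaf (basicConstraints CA:FALSE).
is_leaf_cert() { printf '%s\n' "$1" | grep -q 'CA:FALSE'; }

# Check that cert text $1 is a leaf and carries every SAN given as further args.
check_server_cert_text() {
    text=$1; shift
    rc=0
    is_leaf_cert "$text" || { echo "missing basicConstraints CA:FALSE" >&2; rc=1; }
    for name in "$@"; do
        has_san "$text" "$name" || { echo "SAN missing: $name" >&2; rc=1; }
    done
    return $rc
}

# Same check against a PEM file (needs openssl).
check_server_cert_file() {
    file=$1; shift
    check_server_cert_text "$(openssl x509 -in "$file" -text -noout)" "$@"
}

# Confirm server.crt in directory $1 chains to ca.crt (needs openssl).
verify_chain() { openssl verify -CAfile "$1/ca.crt" "$1/server.crt"; }
```

On the real host, `verify_chain /etc/nginx/ssl && check_server_cert_file /etc/nginx/ssl/server.crt DNS:mydjango.local "IP Address:192.168.101.10"` should succeed before nginx is restarted.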