# Save the script further down as generate_ssl.sh, then:
#   cp d:\generate_ssl.sh /tmp/
#   sudo ./generate_ssl.sh
#
# Bounce the web stack: stop front-to-back (nginx, gunicorn, its socket),
# then start back-to-front so the socket unit is up before the service.
# Presumably run after generate_ssl.sh so nginx loads the new certificate —
# the page does not say so explicitly.
stop_order=(nginx gunicorn gunicorn.socket)
start_order=(gunicorn.socket gunicorn nginx)

for unit in "${stop_order[@]}"; do
  sudo systemctl stop "$unit"
done

for unit in "${start_order[@]}"; do
  sudo systemctl start "$unit"
done

核心证书文件(保存在 /etc/nginx/ssl/ 目录):
ca.key CA 私钥 证书颁发机构的私钥,用于签署所有服务器证书。必须严格保密。

ca.crt CA 根证书 证书颁发机构的根证书。Windows 和其他客户端需要安装这个证书。

server.key 服务器私钥 Nginx 服务器使用的私钥,用于 SSL/TLS 加密通信。必须保密。

server.crt 服务器证书 Nginx 服务器的公钥证书,包含服务器的身份信息(IP、域名),并由 CA 私钥签名。
┌─────────────────┐
│   CA 证书体系   │
└─────────────────┘
  ├─── ca.key (私钥,保密) ─────────────┐
  │                                    │ 签名
  └─── ca.crt (公钥,安装到Windows)     │
                                       │
┌─────────────────┐ ┌─────────────────┐│
│   服务器证书    │ │   服务器文件    ││
└─────────────────┘ └─────────────────┘│
  ├─── server.csr (证书请求) ──────────┤
  ├─── server.key (私钥,保密)          │
  └─── server.crt (公钥,由 CA 签名) ◄──┘

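#!/bin/bash
# Generate a private root CA and a CA-signed server certificate for Nginx.
#
# Files written to SSL_DIR: ca.key, ca.crt, server.key, server.csr, server.crt,
# plus ca.srl (created by -CAcreateserial). A DER copy of ca.crt is written to
# /tmp/mycompany-ca.der for import into the Windows trust store.
#
# Must run as root (writes under /etc/nginx). Re-running removes the whole
# SSL_DIR first, so a previously distributed ca.crt no longer matches the new
# server certificate and must be re-installed on clients.
#
# Environment overrides (optional; the defaults reproduce the original values):
#   SSL_DIR      output directory            (default /etc/nginx/ssl)
#   CA_DAYS      CA validity in days         (default 3650)
#   SERVER_DAYS  server cert validity in days (default 3650)
#   SAN_DNS      space-separated DNS SANs
#   SAN_IP       space-separated IP SANs
set -euo pipefail

SSL_DIR="${SSL_DIR:-/etc/nginx/ssl}"
CA_DAYS="${CA_DAYS:-3650}"
# NOTE(review): some client platforms cap the lifetime they accept for TLS
# server certificates (Apple documents 825 days); lower SERVER_DAYS if such
# clients reject the certificate.
SERVER_DAYS="${SERVER_DAYS:-3650}"
SAN_DNS="${SAN_DNS:-mydjango.local www.mydjango.local localhost}"
SAN_IP="${SAN_IP:-192.168.220.135 192.168.101.10 127.0.0.1}"
readonly CA_SUBJ="/C=CN/ST=Beijing/L=Beijing/O=MyCompany/OU=IT/CN=MyCompany Root CA"
readonly DER_OUT="/tmp/mycompany-ca.der"

# Print a message to stderr and exit non-zero.
die() { printf '%s\n' "$*" >&2; exit 1; }

#######################################
# Print an [alt_names] section built from SAN_DNS and SAN_IP.
# Used for both the CSR and the signing extensions so the two lists
# cannot drift apart.
# Globals:  SAN_DNS, SAN_IP (read)
# Outputs:  OpenSSL config lines on stdout
#######################################
alt_names_section() {
  local -a dns_list ip_list
  local i
  read -r -a dns_list <<<"$SAN_DNS"
  read -r -a ip_list <<<"$SAN_IP"
  printf '[alt_names]\n'
  for ((i = 0; i < ${#dns_list[@]}; i++)); do
    printf 'DNS.%d = %s\n' "$((i + 1))" "${dns_list[i]}"
  done
  for ((i = 0; i < ${#ip_list[@]}; i++)); do
    printf 'IP.%d = %s\n' "$((i + 1))" "${ip_list[i]}"
  done
}

[[ $EUID -eq 0 ]] || die "请使用 root 权限运行 (sudo)"
command -v openssl >/dev/null || die "未找到 openssl"

# Config files go into a private mktemp directory instead of fixed /tmp
# paths, so another local user cannot pre-create or swap them; the directory
# is removed on every exit path.
work_dir=$(mktemp -d) || die "mktemp 失败"
trap 'rm -rf -- "$work_dir"' EXIT

echo "=== 清理旧证书 ==="
if [[ -d "$SSL_DIR" ]]; then
  echo "删除目录: $SSL_DIR"
  # ${SSL_DIR:?} turns an empty value into a hard error rather than rm -rf /.
  rm -rf -- "${SSL_DIR:?}"
fi

echo "=== 创建新目录 ==="
mkdir -p "$SSL_DIR"
chmod 755 "$SSL_DIR"
# From here on every new file is created 0600, so the private keys are never
# world-readable in the window before the explicit chmod in step 5.
umask 077

echo "=== 1. 创建CA私钥和根证书 ==="
openssl genrsa -out "$SSL_DIR/ca.key" 4096
openssl req -x509 -new -nodes -key "$SSL_DIR/ca.key" -sha256 -days "$CA_DAYS" \
  -out "$SSL_DIR/ca.crt" \
  -subj "$CA_SUBJ"

echo "=== 2. 创建服务器私钥和证书请求 ==="
openssl genrsa -out "$SSL_DIR/server.key" 2048

# CSR config: fixed DN plus the shared SAN list.
{
  cat <<EOCONFIG
[req]
default_bits = 2048
prompt = no
default_md = sha256
distinguished_name = dn
req_extensions = req_ext

[dn]
C = CN
ST = Beijing
L = Beijing
O = MyCompany
OU = IT
CN = mydjango.local

[req_ext]
subjectAltName = @alt_names

EOCONFIG
  alt_names_section
} > "$work_dir/server.cnf"

openssl req -new -key "$SSL_DIR/server.key" -out "$SSL_DIR/server.csr" \
  -config "$work_dir/server.cnf"

echo "=== 3. 创建扩展配置文件 ==="
# extendedKeyUsage restricts the leaf to TLS server use; without it the
# certificate is acceptable for any purpose (client auth, code signing, ...).
{
  cat <<EOCONFIG
authorityKeyIdentifier=keyid,issuer
subjectKeyIdentifier=hash
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

EOCONFIG
  alt_names_section
} > "$work_dir/v3.ext"

echo "=== 4. 用CA签发服务器证书 ==="
openssl x509 -req -in "$SSL_DIR/server.csr" \
  -CA "$SSL_DIR/ca.crt" -CAkey "$SSL_DIR/ca.key" -CAcreateserial \
  -out "$SSL_DIR/server.crt" -days "$SERVER_DAYS" -sha256 \
  -extfile "$work_dir/v3.ext"

echo "=== 5. 设置权限 ==="
chmod 600 "$SSL_DIR/ca.key" "$SSL_DIR/server.key"
chmod 644 "$SSL_DIR/ca.crt" "$SSL_DIR/server.crt"

echo "=== 6. 验证证书 ==="
echo "CA证书信息:"
openssl x509 -in "$SSL_DIR/ca.crt" -noout -subject -dates
printf '\n%s\n' "服务器证书信息:"
openssl x509 -in "$SSL_DIR/server.crt" -noout -subject -dates
printf '\n%s\n' "服务器证书SAN信息:"
# A missing SAN means browsers will reject the certificate; fail loudly here.
openssl x509 -in "$SSL_DIR/server.crt" -text -noout \
  | grep -A1 "Subject Alternative Name" \
  || die "server.crt 缺少 SAN 扩展"

printf '\n%s\n' "=== 7. 导出Windows证书 ==="
# DER copy of the public CA certificate for the Windows certificate wizard.
openssl x509 -outform der -in "$SSL_DIR/ca.crt" -out "$DER_OUT"
chmod 644 "$DER_OUT"
echo "CA证书已导出到: $DER_OUT"

printf '\n%s\n' "=== 完成 ==="
printf '%s\n' \
  "请将 $DER_OUT 复制到Windows并执行以下操作:" \
  "1. 双击 mycompany-ca.der 文件" \
  "2. 点击'安装证书'" \
  "3. 选择'本地计算机' -> 下一步" \
  "4. 选择'将所有的证书都放入下列存储'" \
  "5. 点击'浏览' -> 选择'受信任的根证书颁发机构'" \
  "6. 点击'确定' -> '下一步' -> '完成'"
printf '\n%s\n' "然后重启浏览器访问 https://192.168.101.10 和 https://192.168.220.135"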

#为方便在ubuntu中查看,以下为英文版本:

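#!/bin/bash
# Generate a private root CA and a CA-signed server certificate for Nginx.
#
# Files written to SSL_DIR: ca.key, ca.crt, server.key, server.csr, server.crt,
# plus ca.srl (created by -CAcreateserial). A DER copy of ca.crt is written to
# /tmp/mycompany-ca.der for import into the Windows trust store.
#
# Must run as root (writes under /etc/nginx). Re-running removes the whole
# SSL_DIR first, so a previously distributed ca.crt no longer matches the new
# server certificate and must be re-installed on clients.
#
# Environment overrides (optional; the defaults reproduce the original values):
#   SSL_DIR      output directory            (default /etc/nginx/ssl)
#   CA_DAYS      CA validity in days         (default 3650)
#   SERVER_DAYS  server cert validity in days (default 3650)
#   SAN_DNS      space-separated DNS SANs
#   SAN_IP       space-separated IP SANs
set -euo pipefail

SSL_DIR="${SSL_DIR:-/etc/nginx/ssl}"
CA_DAYS="${CA_DAYS:-3650}"
# NOTE(review): some client platforms cap the lifetime they accept for TLS
# server certificates (Apple documents 825 days); lower SERVER_DAYS if such
# clients reject the certificate.
SERVER_DAYS="${SERVER_DAYS:-3650}"
SAN_DNS="${SAN_DNS:-mydjango.local www.mydjango.local localhost}"
SAN_IP="${SAN_IP:-192.168.220.135 192.168.101.10 127.0.0.1}"
readonly CA_SUBJ="/C=CN/ST=Beijing/L=Beijing/O=MyCompany/OU=IT/CN=MyCompany Root CA"
readonly DER_OUT="/tmp/mycompany-ca.der"

# Print a message to stderr and exit non-zero.
die() { printf '%s\n' "$*" >&2; exit 1; }

#######################################
# Print an [alt_names] section built from SAN_DNS and SAN_IP.
# Used for both the CSR and the signing extensions so the two lists
# cannot drift apart.
# Globals:  SAN_DNS, SAN_IP (read)
# Outputs:  OpenSSL config lines on stdout
#######################################
alt_names_section() {
  local -a dns_list ip_list
  local i
  read -r -a dns_list <<<"$SAN_DNS"
  read -r -a ip_list <<<"$SAN_IP"
  printf '[alt_names]\n'
  for ((i = 0; i < ${#dns_list[@]}; i++)); do
    printf 'DNS.%d = %s\n' "$((i + 1))" "${dns_list[i]}"
  done
  for ((i = 0; i < ${#ip_list[@]}; i++)); do
    printf 'IP.%d = %s\n' "$((i + 1))" "${ip_list[i]}"
  done
}

[[ $EUID -eq 0 ]] || die "This script must be run as root (sudo)"
command -v openssl >/dev/null || die "openssl not found"

# Config files go into a private mktemp directory instead of fixed /tmp
# paths, so another local user cannot pre-create or swap them; the directory
# is removed on every exit path.
work_dir=$(mktemp -d) || die "mktemp failed"
trap 'rm -rf -- "$work_dir"' EXIT

echo "=== Clean up old certificates ==="
if [[ -d "$SSL_DIR" ]]; then
  echo "Deleting directory: $SSL_DIR"
  # ${SSL_DIR:?} turns an empty value into a hard error rather than rm -rf /.
  rm -rf -- "${SSL_DIR:?}"
fi

echo "=== Create new directory ==="
mkdir -p "$SSL_DIR"
chmod 755 "$SSL_DIR"
# From here on every new file is created 0600, so the private keys are never
# world-readable in the window before the explicit chmod in step 5.
umask 077

echo "=== 1. Create CA private key and root certificate ==="
openssl genrsa -out "$SSL_DIR/ca.key" 4096
openssl req -x509 -new -nodes -key "$SSL_DIR/ca.key" -sha256 -days "$CA_DAYS" \
  -out "$SSL_DIR/ca.crt" \
  -subj "$CA_SUBJ"

echo "=== 2. Create server private key and certificate request ==="
openssl genrsa -out "$SSL_DIR/server.key" 2048

# CSR config: fixed DN plus the shared SAN list.
{
  cat <<EOCONFIG
[req]
default_bits = 2048
prompt = no
default_md = sha256
distinguished_name = dn
req_extensions = req_ext

[dn]
C = CN
ST = Beijing
L = Beijing
O = MyCompany
OU = IT
CN = mydjango.local

[req_ext]
subjectAltName = @alt_names

EOCONFIG
  alt_names_section
} > "$work_dir/server.cnf"

openssl req -new -key "$SSL_DIR/server.key" -out "$SSL_DIR/server.csr" \
  -config "$work_dir/server.cnf"

echo "=== 3. Create extension configuration file ==="
# extendedKeyUsage restricts the leaf to TLS server use; without it the
# certificate is acceptable for any purpose (client auth, code signing, ...).
{
  cat <<EOCONFIG
authorityKeyIdentifier=keyid,issuer
subjectKeyIdentifier=hash
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

EOCONFIG
  alt_names_section
} > "$work_dir/v3.ext"

echo "=== 4. Sign server certificate with CA ==="
openssl x509 -req -in "$SSL_DIR/server.csr" \
  -CA "$SSL_DIR/ca.crt" -CAkey "$SSL_DIR/ca.key" -CAcreateserial \
  -out "$SSL_DIR/server.crt" -days "$SERVER_DAYS" -sha256 \
  -extfile "$work_dir/v3.ext"

echo "=== 5. Set permissions ==="
chmod 600 "$SSL_DIR/ca.key" "$SSL_DIR/server.key"
chmod 644 "$SSL_DIR/ca.crt" "$SSL_DIR/server.crt"

echo "=== 6. Verify certificates ==="
echo "CA Certificate Information:"
openssl x509 -in "$SSL_DIR/ca.crt" -noout -subject -dates
printf '\n%s\n' "Server Certificate Information:"
openssl x509 -in "$SSL_DIR/server.crt" -noout -subject -dates
printf '\n%s\n' "Server Certificate SAN Information:"
# A missing SAN means browsers will reject the certificate; fail loudly here.
openssl x509 -in "$SSL_DIR/server.crt" -text -noout \
  | grep -A1 "Subject Alternative Name" \
  || die "server.crt has no Subject Alternative Name extension"

printf '\n%s\n' "=== 7. Export Windows certificate ==="
# DER copy of the public CA certificate for the Windows certificate wizard.
openssl x509 -outform der -in "$SSL_DIR/ca.crt" -out "$DER_OUT"
chmod 644 "$DER_OUT"
echo "CA certificate exported to: $DER_OUT"

printf '\n%s\n' "=== Complete ==="
printf '%s\n' \
  "Please copy $DER_OUT to Windows and perform the following:" \
  "1. Double-click mycompany-ca.der file" \
  "2. Click 'Install Certificate'" \
  "3. Select 'Local Machine' -> Next" \
  "4. Select 'Place all certificates in the following store'" \
  "5. Click 'Browse' -> Select 'Trusted Root Certification Authorities'" \
  "6. Click 'OK' -> 'Next' -> 'Finish'"
printf '\n%s\n' "Then restart browser and visit https://192.168.101.10 and https://192.168.220.135"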