CA

快速生成自签证书

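openssl req -x509 \
  -newkey rsa:2048 \
  -keyout /etc/nginx/ssl/service.lan.key \
  -out /etc/nginx/ssl/service.lan.crt \
  -days 365 \
  -nodes \
  -subj "/C=CN/ST=ShangHai/L=Shanghai/O=Myhomw/OU=Myhome/CN=*.service.lan" \
  -addext "subjectAltName = DNS:*.service.lan,DNS:service.lan"
# req -x509: generate a key pair and a self-signed X.509 certificate in one step
# -nodes: the private key file is written unencrypted, so it relies entirely on
#   file permissions for protection
# -addext subjectAltName: browsers match the host name against the SAN, not the
#   CN; the closing quote was missing in the original command
# openssl writes the key with umask-default permissions; restrict it to the owner
chmod 600 /etc/nginx/ssl/service.lan.key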

创建本地CA并签发证书

  1. 创建目录
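# Chain with && so that a failed mkdir does not leave us in an unrelated
# directory where the CA key would then be generated by the following steps.
# The directory is root-owned, hence the sudo on every later write.
sudo mkdir -p /etc/nginx/ssl/service.lan \
  && cd /etc/nginx/ssl/service.lan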
  2. 创建本地CA
  • 生成CA私钥
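sudo openssl genrsa -out ca.key 4096
# genrsa writes the key file with umask-default permissions (typically 0644),
# so restrict it to root. This key signs every certificate that the browser
# will trust once ca.crt is imported: anyone able to read it can issue
# certificates for any host name that those browsers will accept.
sudo chmod 600 ca.key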
  • 生成CA根证书
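sudo openssl req -x509 -new -nodes -key ca.key -days 3650 -out ca.crt \
  -subj "/C=CN/ST=ShangHai/L=Shanghai/O=LocalCA/OU=Dev/CN=Local Root CA" \
  -addext "basicConstraints=critical,CA:TRUE" \
  -addext "keyUsage=critical,keyCertSign,cRLSign"
# ca.crt is the root certificate to import into the browser
# -nodes only matters for a key generated by this command; -key supplies an
#   existing (unencrypted) key, so it has no effect here
# Mark the certificate explicitly as a CA limited to signing: which extensions
#   req -x509 adds by default depends on the OpenSSL version, and clients may
#   refuse to build a chain through an issuer that is not flagged CA:TRUE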
  3. 为域名生成证书请求(CSR)
  • 生成服务私钥
sudo openssl genrsa -out service.lan.key 2048
  • 创建一个service.lan.conf,指定SAN
# OpenSSL request configuration for the service certificate.
# Used twice: by `openssl req -config` to build the CSR, and by
# `openssl x509 -extfile ... -extensions req_ext` to copy the SAN into the signed cert.
[req]
default_bits = 2048
# Take the subject from the [dn] section instead of prompting interactively
prompt = no
default_md = sha256
# Extensions to include in the CSR
req_extensions = req_ext
distinguished_name = dn
[dn]
C=CN
ST=Shanghai
L=Shanghai
O=Myhome
OU=Myhome
# Modern browsers do not match the host name against CN; the names that count
# are the ones listed in subjectAltName below
CN=app.service.lan
[req_ext]
subjectAltName = @alt_name
# NOTE(review): consider adding basicConstraints = CA:FALSE, keyUsage and
# extendedKeyUsage = serverAuth here so the issued leaf is explicitly a
# non-CA server certificate.
[alt_name]
DNS.1 = app.service.lan
# A wildcard covers a single label only: it matches x.service.lan but neither
# x.y.service.lan nor the bare service.lan
DNS.2 = *.service.lan
  • 生成CSR
# Build the CSR: the subject comes from [dn] and the SAN from [req_ext] in
# service.lan.conf; the private key never leaves this host, only the CSR does.
sudo openssl req -new -config service.lan.conf -key service.lan.key -out service.lan.csr
  4. 用CA签发证书
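sudo openssl x509 -req -in service.lan.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
  -out service.lan.crt -days 825 -sha256 -extensions req_ext -extfile service.lan.conf
# -extensions req_ext -extfile: copy the SAN into the issued certificate; without
#   this, x509 -req drops the CSR's extensions and browsers reject a cert with no SAN
# -days 825 rather than 3650: some clients (notably Apple platforms) reject TLS
#   server certificates valid for more than 825 days even when the issuing CA is
#   manually trusted; a long lifetime belongs on ca.crt, not on the leaf
# -CAcreateserial: creates ca.srl on first use so every issued cert gets a
#   distinct serial number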
  5. 导入证书
  • 将根证书 ca.crt 下载到本机,用浏览器导入后重启,再打开网站就不会显示不安全
CA
https://infini.cv/posts/ca/
Author
infini
Published at
2025-11-05
License
CC BY-SA 4.0
