This walkthrough issues a certificate for upyun-assets.4van.top as the example; replace it with your own domain throughout. The first command creates the server key pair (and a throwaway self-signed server.crt that the CA-signed certificate in the final step overwrites):

```bash
openssl req -x509 -newkey rsa:2048 -nodes -keyout server.key -out server.crt -days 3650 -subj "/C=CN/ST=Beijing/L=Beijing/O=MyOrg/OU=IT/CN=upyun-assets.4van.top"
```
Generate the root certificate (Root CA): create a private "CA" of your own. Start with the CA private key:

```bash
openssl genrsa -out rootCA.key 2048
```
Use that private key to generate a self-signed root certificate. The Common Name asked for here is only a label for the CA and can be anything:

```bash
openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 3650 -out rootCA.crt
```

The interactive prompts and the values entered for this example:

```text
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:GuangDong
Locality Name (eg, city) []:GuangZhou
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:Avan Root CA
Email Address []:layouwen@gmail.com
```
Generate the site certificate (Server Cert): create a certificate signing request for upyun-assets.4van.top and sign it with the root CA. The request needs a subjectAltName entry, since browsers match the host against the SAN rather than the CN. Save the following as `san.cnf`:

```ini
[req]
default_bits = 2048
prompt = no
default_md = sha256
req_extensions = req_ext
distinguished_name = dn

[dn]
C = CN
ST = Beijing
L = Beijing
O = MyOrg
OU = IT
CN = upyun-assets.4van.top

[req_ext]
subjectAltName = @alt_names

[alt_names]
DNS.1 = upyun-assets.4van.top
```
Create the CSR from the server key and that config:

```bash
openssl req -new -key server.key -out server.csr -config san.cnf
```
Sign the site certificate with the root CA, valid for 1 year. The `-extensions req_ext -extfile san.cnf` pair is what carries the SAN into the issued certificate; without it the signed cert would lack the DNS name:

```bash
openssl x509 -req -in server.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out server.crt -days 365 -sha256 -extensions req_ext -extfile san.cnf
```
Combine the leaf certificate and the root into a full chain, leaf first (`type` is the Windows cmd command; on Linux/macOS use `cat`):

```bash
type server.crt rootCA.crt > fullchain.crt
```
(Optional) Verify that the chain is complete with:

```bash
openssl verify -CAfile rootCA.crt fullchain.crt
```
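The whole procedure above, collected into one unattended POSIX shell script as an added example (not part of the original post). It assumes `openssl` 1.1.1 or newer is on PATH, uses the same DN values and domain as the page (passed in as parameters so they can be swapped), writes `san.cnf` itself, and adds two checks the page only hints at: that the chain verifies against the root, and that the issued certificate actually carries the DNS name in its SAN.

```shell
#!/bin/sh
# Added example: the page's CA + server-certificate flow as one non-interactive script.
# Assumptions: openssl (1.1.1+) on PATH; DOMAIN and OUTDIR are hypothetical parameters.
set -eu

# make_chain DOMAIN OUTDIR
# Creates a root CA, a server key, a SAN-bearing CSR, signs it with the CA and
# writes OUTDIR/fullchain.crt. Everything is unattended (-subj / prompt = no).
make_chain() {
    domain="$1"; out="$2"
    mkdir -p "$out"

    # 1. Root CA key and self-signed root certificate (the private "CA").
    #    The CN is only a label for the CA; the page uses "Avan Root CA".
    openssl genrsa -out "$out/rootCA.key" 2048 2>/dev/null
    openssl req -x509 -new -nodes -key "$out/rootCA.key" -sha256 -days 3650 \
        -subj "/C=CN/ST=GuangDong/L=GuangZhou/CN=Avan Root CA" \
        -out "$out/rootCA.crt"

    # 2. Server key only: the certificate is issued by the CA below, so a
    #    throwaway self-signed server.crt is not needed.
    openssl genrsa -out "$out/server.key" 2048 2>/dev/null

    # 3. Request config with the SAN extension. Browsers match the host against
    #    DNS.1, not CN, so a certificate without it is rejected even with a correct CN.
    cat > "$out/san.cnf" <<EOF
[req]
default_bits = 2048
prompt = no
default_md = sha256
req_extensions = req_ext
distinguished_name = dn
[dn]
C = CN
ST = Beijing
L = Beijing
O = MyOrg
OU = IT
CN = $domain
[req_ext]
subjectAltName = @alt_names
[alt_names]
DNS.1 = $domain
EOF

    # 4. CSR, then sign it with the root CA, carrying the req_ext section over
    #    (-extensions/-extfile is what puts the SAN into the issued certificate).
    openssl req -new -key "$out/server.key" -out "$out/server.csr" -config "$out/san.cnf"
    openssl x509 -req -in "$out/server.csr" -CA "$out/rootCA.crt" -CAkey "$out/rootCA.key" \
        -CAcreateserial -out "$out/server.crt" -days 365 -sha256 \
        -extensions req_ext -extfile "$out/san.cnf" 2>/dev/null

    # 5. Leaf first, then issuer: the order servers and clients expect.
    cat "$out/server.crt" "$out/rootCA.crt" > "$out/fullchain.crt"
}

# verify_chain OUTDIR -> prints "OK" when fullchain.crt chains to rootCA.crt
verify_chain() {
    openssl verify -CAfile "$1/rootCA.crt" "$1/fullchain.crt" 2>/dev/null | sed 's/.*: //'
}

# san_of OUTDIR -> the DNS names present in the issued server certificate
san_of() {
    openssl x509 -in "$1/server.crt" -noout -text | grep -o 'DNS:[^,]*' | sed 's/^DNS://'
}

# Usage: sh make_chain.sh run   (writes into a fresh temporary directory)
if [ "${1:-}" = "run" ]; then
    dir=$(mktemp -d)
    make_chain upyun-assets.4van.top "$dir"
    echo "output: $dir"
    echo "verify: $(verify_chain "$dir")"
    echo "SAN:    $(san_of "$dir")"
fi
```

The `san_of` check is the one worth keeping around: a certificate that verifies against the root but has no DNS entry will still be refused by browsers with a hostname-mismatch error, and that failure is much easier to spot here than in a TLS handshake log.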