生成自签名证书:
#生成私钥
openssl genrsa -out server.key 4096
#生成证书请求
openssl req -new -nodes -out server.csr -key server.key -subj "/C=CN/O=Haiyun/CN=haiyun.me/CN=www.haiyun.me"
#作用同上面2个步骤
openssl req -new -newkey rsa:4096 -nodes -out server.csr -keyout server.key -subj "/C=CN/O=Haiyun/CN=haiyun.me/CN=www.haiyun.me"
#签发证书
openssl x509 -req -days 7300 -in server.csr -signkey server.key -out server.crt
#下面这个命令加上前2个步骤效果同最下面命令
openssl req -x509 -key server.key -in server.csr -out server.crt -days 36500
#一条命令生成自签名证书
openssl req -new -x509 -newkey rsa:4096 -days 7300 -nodes -out server.crt -keyout server.key -subj "/C=CN/L=City/O=Haiyun/CN=haiyun.me/CN=www.haiyun.me"使用CA签发证书:
openssl req -new -x509 -newkey rsa:4096 -days 7300 -nodes -out ca.crt -keyout ca.key -subj "/C=CN/O=Haiyun/CN=My CA"
openssl req -new -newkey rsa:4096 -nodes -out server.csr -keyout server.key -subj "/C=CN/O=Haiyun/CN=haiyun.me/CN=www.haiyun.me"
openssl x509 -req -CA ca.crt -CAkey ca.key -in server.csr -out server.crt -days 7300 -CAcreateserial查看证书信息:
openssl x509 -noout -text -in server.crt
openssl rsa -noout -text -in server.key
openssl req -noout -text -in server.csr生成ecc证书:
openssl ecparam -genkey -name prime256v1 -out server.key
# -name secp384r1
openssl req -new -x509 -days 7300 -key server.key -out server.crtcaddy使用上面自签名ssl的证书错误:
loading tls app module: provision tls: caching unmanaged certificate: certificate has no names
在签名时指定DNS名称为当前IP解决:
-addext 'subjectAltName=DNS:192.168.1.1,DNS:127.0.0.1'参考:
https://security.stackexchange.com/questions/74345/provide-subjectaltname-to-openssl-directly-on-the-command-line
https://blog.csdn.net/qq_41827547/article/details/105682770