openssl创建证书解决不安全问题

1.首先生成根证书和私钥，我全部保存在D：\

openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -subj  "/C=CN/ST=JiangSu/L=SuZhou/O=LinkAsia" -keyout D:/CA-private.key -out D:/CA-certificate.crt -reqexts v3_req -extensions v3_ca

2.生成自签名证书私钥 private.key

 openssl genrsa -out D:/private.key 2048

 3.根据自签名证书私钥生成自签名证书申请文件 private.csr

openssl req -new -key D:/private.key -subj "/C=CN/ST=JiangSu/L=SuZhou/O=LinkAsia/CN=127.0.0.1" -sha256 -out D:/private.csr
 

4.在D：/手动创建一个private.ext文件

内容如下

[ req ]
default_bits        = 1024
distinguished_name  = req_distinguished_name
req_extensions      = san
extensions          = san
[ req_distinguished_name ]
countryName         = CN
stateOrProvinceName = Definesys
localityName        = Definesys
organizationName    = Definesys
[SAN]
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = IP:127.0.0.1

 5.根据根证书私钥及根证书-CA CA-certificate.crt -CAkey CA-private.key、自签名证书申请文件 -in private.csr、自签名证书扩展文件 -extfile private.ext,生成自签名证书 -out private.crt

openssl x509 -req -days 36500 -in D:/private.csr -CA D:/CA-certificate.crt -CAkey D:/CA-private.key -CAcreateserial -sha256 -out D:/private.crt -extfile D:/private.ext -extensions SAN 

 

6.在nginx中配置 

 

7.安装 CA-certificate.crt到受信任的根证书颁发机构下

8.安装好的证书信息

9.最终访问效果