Introduction

In Self-signed SSL certificates we saw how to get an SSL certificate with a single command.
When several endpoints need certificates, it is easier to create a CA root certificate first, sign every server certificate with it, and have each client trust only that one root. Every certificate issued by the root is then trusted automatically, so no per-domain trust rule has to be added on the clients.
Compared with creating a plain self-signed certificate this adds just one step: create the CA root, then create the server certificate signed by it. The openssl parameters change only slightly.

Creating the CA root certificate

Create the CA certificate with the following command:

openssl req -x509 -newkey rsa:4096 -sha256 -days 3650 -nodes -keyout ca.key -out ca.crt

Enter the requested information at the prompts:

..+.....................+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*.+...+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*..........+..............+.........+...+.......+...........+.......+.....+.......+...+.....+.......+.................+......+....+.....+....+..+....+...+.....+.......+...+..+.........+......+.+............+............+.........+.....+.......+..+...+.......+............+.........+.....+....+..+.........+.......+..+...............+................+.....+....+...............+............+...+...+.........+..............+............+.........+......+...+..........+...........+...+.+...............+.................+.........+.+.................+.+.....+......+.+..+.......+.....+.+........................+...+..+....+..+...+..........+..+.............+.....+..........+...........+......+......................+..+.............+.....+...+...+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
.+.....+....+.........+...........+...+.+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*...+.+.........+...........+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*.+.+.....+.....................+.+....................+...................+.....+.....................+....+......+...+.....+.+........+..................+.........+......+.......+............+.........+.....+.........+...............+............+...+.+.....+....+........+.......+..+................+............+..+...+.+......+...+...+........+......+.+...............+..+............+.+.....+..........+...+..+.......+............+.....+....+..+.......+.....+...+....+.....+.+..................+..+.......+...+..+......+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:Hebei
Locality Name (eg, city) []:ZhangJiakou
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Jack Ltd
Organizational Unit Name (eg, section) []:IT
Common Name (e.g. server FQDN or YOUR name) []:JackVip RSA SSL CA
Email Address []:hello@jack.vip

This is no different from creating a plain self-signed certificate; the only change is that the Common Name holds the name of the CA, here JackVip RSA SSL CA. The result is ca.crt, the root certificate you will distribute to clients, and ca.key, the signing key. The key must stay private: anyone who obtains it can issue certificates that every client trusting ca.crt will accept. -nodes writes it unencrypted, which is fine for a lab; drop -nodes to protect it with a passphrase and keep it off the web server.

Signing a server certificate with the CA root certificate

Create the server certificate with the following command (the -CA and -CAkey options of openssl req require OpenSSL 3.0 or newer; older versions need a CSR followed by openssl x509 -req):

openssl req -newkey rsa:4096 -x509 -sha256 \
    -CA ca.crt -CAkey ca.key \
    -nodes -days 365 -out nginx.crt -keyout nginx.key \
    -addext "subjectAltName=DNS:*.test.com,IP:192.168.1.42"

Three parameters are new here:

  • -CA: path to the CA certificate that issues (signs) this certificate
  • -CAkey: the CA's private key
  • -addext: adds an X.509 extension, here the SAN (subjectAltName). Browsers match the host name against the SAN and ignore the Common Name, so without it the certificate is rejected even when the CA is trusted; Chrome shows NET::ERR_CERT_COMMON_NAME_INVALID and explains that the certificate does not specify Subject Alternative Names. -addext may be given more than once, and a server certificate should also carry basicConstraints=CA:FALSE and extendedKeyUsage=serverAuth so it cannot itself be used to issue certificates.

Fill in the prompts as before. The Common Name should still be the site name (here *.test.com), even though browsers rely on the SAN for matching:

.+...+....+.....+...+....+...+...........+.+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*..+.+..+............+...+................+............+..............+...+.+..+.......+...+.....+...+......+......+...+.........+.+..+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*.+...+.....+.............+.........+...+..+..........+.................+......+.......+...+........+.......+.....+........................+.....................+...+...............+......+...+...+....+...+...+..+......+.......+...+.....................+........+.+.....+....+.....+.......+...+............+......+..+...+....+...........+...+.+.....+.............+...+..+...............+...+...................+.........+......+.....+.+.....+..........+..+............+.+........+....+......+...........+.........................+....................+.+...+.....+.+........+.......+......+........+....+...+.....+....+...........+............+...............+.............+..............+.+..+..........+...........+...................+..+.............+...+.................+............+.+............+...........+.+.....+...............+.+...+......+...+..+...+...+...+.+...........+..................+..........+..+............+............+.+...................................+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
.....+..+...+..........+...............+..+...+...+............+...+..................+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*...+..+...+......+....+...+............+.....+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*................+............+............+..........+...............+...+.....+...+...+.......+.....+...+................+........+.+.........+...+.......................+..........+......+.....+.............+..+......+.......+......+.........+...........................+...............+.....+.+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:HeBei
Locality Name (eg, city) []:BaoDing
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Test Ltd
Organizational Unit Name (eg, section) []:IT
Common Name (e.g. server FQDN or YOUR name) []:*.test.com
Email Address []:hello@test.com
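The two interactive commands above can be scripted so that the CA and the server certificate are created with explicit extensions and then checked the same way a browser will check them. The following script is an added example and is not part of the original post: file names and the wildcard/IP SAN follow the post, but the subject strings, the extension sets and the 2048-bit leaf key are this example's choices. It writes its own small OpenSSL config so the result does not depend on the system openssl.cnf, and it uses the CSR plus openssl x509 -req form for the leaf, which also works on OpenSSL 1.1.1.

```shell
#!/bin/sh
# Added example (not from the original post): non-interactive CA + server
# certificate with explicit extensions, followed by the checks a client makes.
set -eu

# Minimal OpenSSL config. prompt=no turns the [dn] section into the CA subject.
write_cnf() {
  cat >"$1/ca.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt             = no

[ dn ]
C  = CN
ST = Hebei
L  = ZhangJiakou
O  = Jack Ltd
OU = IT
CN = JackVip RSA SSL CA

# Root CA: must assert CA:TRUE and keyCertSign or `openssl verify` rejects it.
[ v3_ca ]
basicConstraints       = critical, CA:TRUE
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash

# Server (leaf) certificate: explicitly not a CA, server use only, SAN present.
[ v3_leaf ]
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid, issuer
subjectAltName         = DNS:*.test.com, IP:192.168.1.42
EOF
}

# mkca DIR: self-signed 10-year root. -nodes leaves ca.key unencrypted as in
# the post; drop it (and keep the key off the server) outside a lab.
mkca() {
  write_cnf "$1"
  openssl req -x509 -newkey rsa:4096 -sha256 -days 3650 -nodes \
    -config "$1/ca.cnf" -extensions v3_ca \
    -keyout "$1/ca.key" -out "$1/ca.crt"
}

# mkleaf DIR: CSR, then sign it with the CA. 2048-bit key to keep it quick;
# the post uses 4096. -subj overrides the [dn] section of the config.
mkleaf() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -config "$1/ca.cnf" -subj "/C=CN/O=Test Ltd/CN=*.test.com" \
    -keyout "$1/nginx.key" -out "$1/nginx.csr"
  openssl x509 -req -sha256 -days 365 -in "$1/nginx.csr" \
    -CA "$1/ca.crt" -CAkey "$1/ca.key" -CAcreateserial \
    -extfile "$1/ca.cnf" -extensions v3_leaf -out "$1/nginx.crt"
}

# verify_chain DIR NAME: chain validation plus SAN matching for NAME.
# Exit 0 only when nginx.crt chains to ca.crt AND NAME matches a DNS SAN.
verify_chain() {
  openssl verify -CAfile "$1/ca.crt" -verify_hostname "$2" "$1/nginx.crt"
}

# verify_ip DIR IP: IP addresses are matched against IP SANs, not DNS SANs.
verify_ip() {
  openssl verify -CAfile "$1/ca.crt" -verify_ip "$2" "$1/nginx.crt"
}

# is_ca DIR FILE: exit 0 if FILE carries basicConstraints CA:TRUE.
is_ca() {
  openssl x509 -in "$1/$2" -noout -text | grep -q 'CA:TRUE'
}

# Stand-alone run: ./mkcerts.sh run
if [ "${1:-}" = "run" ]; then
  d=$(mktemp -d)
  mkca "$d" && mkleaf "$d"
  verify_chain "$d" a.test.com                          # one label under the wildcard: ok
  if verify_chain "$d" a.b.test.com; then exit 1; fi    # two labels: hostname mismatch
  verify_ip "$d" 192.168.1.42
  echo "certificates written to $d"
fi
```

The wildcard *.test.com covers a.test.com but not a.b.test.com or test.com itself, which is why the script checks a mismatching name as well as a matching one. Running verify_chain against the certificate you deploy is the same check the browser performs once ca.crt is trusted, so a failure here will also fail in the browser.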

Configuring the certificates in nginx

Add a virtual host (server block) to the nginx configuration:

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name _;   # no specific name, so the wildcard certificate can be tested with any host

    # The server only needs its own certificate and key. The browser validates
    # nginx.crt against the ca.crt it has been told to trust; nginx does not
    # hand out the root certificate.
    ssl_certificate     /etc/certs/nginx.crt;
    ssl_certificate_key /etc/certs/nginx.key;

    # These two lines are not needed for server TLS. They enable optional
    # client-certificate (mTLS) verification against the same CA; remove them
    # if you only want the server side authenticated.
    ssl_client_certificate /etc/certs/ca.crt;
    ssl_verify_client      optional;

    location / {
        root  /usr/share/nginx/html;
        index index.html index.htm;
    }

    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root /usr/share/nginx/html;
    }
}

Trusting the CA certificate on the client

With the configuration in place, open https://a.test.com:8443 in a browser (a.test.com must resolve to the server, for example through a hosts entry, and the port must be whichever one reaches the server block above). The browser reports that the operating system does not trust the site's security certificate:

Screenshot: CA certificate not yet trusted

Copy ca.crt to the client machine and import it into the trust store; on macOS, double-click it to add it to Keychain Access and set it to Always Trust (other systems differ). Only ca.crt goes to clients, never ca.key.

Screenshot: setting the CA certificate to Always Trust

Reload the page (preferably in a fresh private window, so no cached certificate state interferes) and the certificate is now accepted, with the correct issuer and subject shown. The same check from the command line, with openssl s_client or curl pointed at ca.crt as the CA bundle, should report a successful verification.

Screenshot: valid SSL certificate