Cao Yunhao's Blog

Generating a self-signed HTTPS certificate for an IP address

  1. Create the OpenSSL configuration
  2. Generate the certificate
  3. Configure SSL for nginx

Create the OpenSSL configuration

First create the openssl.cnf file. The entries under [req_distinguished_name] are only the prompt labels and defaults that openssl req shows interactively; what matters for a server addressed by IP is the subjectAltName in [v3_req], because browsers match an IP host against the IP.n SAN entries and ignore the CN.

[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req

[req_distinguished_name]
# Prompt labels and defaults; the DN values do not affect validation.
countryName = Country Name (2 letter code)
countryName_default = CN
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = GD
localityName = Locality Name (eg, city)
localityName_default = ShenZhen
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = organizationalUnitName
commonName = Common Name (eg, server IP or FQDN)
commonName_max = 64

[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
# Mark the certificate as usable for TLS server authentication
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]

# Replace with your own domain names, if any
#DNS.1 = kb.example.com
#DNS.2 = helpdesk.example.org
#DNS.3 = systems.example.net

# Replace with your own IP addresses; this is what clients match against
IP.1 = 172.16.24.143
IP.2 = 172.16.24.85

Generate the certificate

# 1. private key
openssl genrsa -out my_ip.key 2048

# 2. certificate signing request, using the DN and SAN from openssl.cnf
openssl req -new -out my_ip.csr -key my_ip.key -config openssl.cnf

# 3. self-sign for 10 years; -extensions/-extfile are required, because
#    x509 -req does not copy the CSR's SAN into the certificate by itself
openssl x509 -req -days 3650 -in my_ip.csr -signkey my_ip.key -out my_ip.crt -extensions v3_req -extfile openssl.cnf

Configure SSL for nginx

server {
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;

    ssl_certificate /root/openssl/my_ip.crt;
    ssl_certificate_key /root/openssl/my_ip.key;
    # TLS 1.0 and 1.1 are deprecated (RFC 8996); allow only 1.2 and 1.3
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;

    ...
}

Then add a second server block that redirects port 80 to 443.

server {
    listen 80;
    listen [::]:80;

    server_name _;

    # Redirect every request to https, keeping the path and query string
    return 301 https://$host$request_uri;
}

Check the configuration with nginx -t, then run nginx -s reload. Because the certificate is self-signed, browsers and tools such as curl will reject it until my_ip.crt is imported as a trusted certificate on the client.
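The whole procedure above (config, key, CSR, self-signed certificate), as an added example that is not from the original post: it scripts the three openssl steps for any number of IP addresses and follows them with the checks worth running before pointing nginx at the files, including the IP-in-SAN check that a client performs. It assumes the openssl CLI (1.1.1 or newer) is on PATH; the IPs, subject fields, output paths and function names are this example's own placeholders.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes the openssl CLI
# (1.1.1+) on PATH; IPs, subject fields and paths are placeholders.

# Write an openssl.cnf for the given IPs. "prompt = no" makes openssl req
# take the DN from the file instead of asking interactively.
# $1 = output path, remaining args = IP addresses for subjectAltName.
write_ip_cnf() {
    cnf=$1
    shift
    {
        printf '%s\n' \
            '[req]' \
            'prompt = no' \
            'distinguished_name = req_distinguished_name' \
            'req_extensions = v3_req' \
            '' \
            '[req_distinguished_name]' \
            'C = CN' \
            'ST = GD' \
            'L = ShenZhen' \
            'OU = ops' \
            "CN = $1" \
            '' \
            '[v3_req]' \
            'basicConstraints = CA:FALSE' \
            'keyUsage = nonRepudiation, digitalSignature, keyEncipherment' \
            'extendedKeyUsage = serverAuth' \
            'subjectAltName = @alt_names' \
            '' \
            '[alt_names]'
        n=1
        for ip in "$@"; do
            printf 'IP.%d = %s\n' "$n" "$ip"
            n=$((n + 1))
        done
    } > "$cnf"
}

# Key -> CSR -> self-signed cert, the three steps from the post.
# -extensions/-extfile are required: x509 -req does not copy the CSR's SAN.
# $1 = basename for .cnf/.key/.csr/.crt, remaining args = IPs.
gen_ip_cert() {
    base=$1
    shift
    write_ip_cnf "$base.cnf" "$@" &&
    openssl genrsa -out "$base.key" 2048 2>/dev/null &&
    openssl req -new -key "$base.key" -out "$base.csr" -config "$base.cnf" &&
    openssl x509 -req -days 3650 -sha256 -in "$base.csr" -signkey "$base.key" \
        -out "$base.crt" -extensions v3_req -extfile "$base.cnf"
}

# Does the subjectAltName carry this IP? Clients match IP hosts against the
# SAN IP entries and ignore the CN, so this is the field that matters.
cert_has_ip() {
    openssl x509 -in "$1" -noout -text |
        grep -A1 'Subject Alternative Name' |
        grep -E -q "IP Address:$2(,|$)"
}

# Does the private key belong to the certificate? Comparing the public keys
# works for any key type, unlike the classic RSA modulus comparison.
key_matches_cert() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# A self-signed server cert must not be a CA; otherwise anyone holding the
# key could issue further certificates that clients trusting this one accept.
cert_is_not_ca() {
    openssl x509 -in "$1" -noout -text | grep -q 'CA:FALSE'
}

# Validate the way a TLS client does once the .crt is imported as trusted:
# the chain builds to the trust store, the purpose fits a server, and the
# IP the client connected to is in the SAN.  $1 = certificate, $2 = IP.
cert_verifies_for_ip() {
    openssl verify -CAfile "$1" -purpose sslserver -verify_ip "$2" "$1" >/dev/null 2>&1
}

# Demo with the IPs from the post; files go to a scratch directory.
out=$(mktemp -d)
gen_ip_cert "$out/my_ip" 172.16.24.143 172.16.24.85
for ip in 172.16.24.143 172.16.24.85 10.0.0.1; do
    if cert_verifies_for_ip "$out/my_ip.crt" "$ip"; then
        echo "accepted for $ip"
    else
        echo "rejected for $ip (not in subjectAltName)"
    fi
done
echo "key, csr and crt written under $out"
```

Once nginx has reloaded, repeat the last check against the live server: `openssl s_client -connect 172.16.24.143:443 -CAfile my_ip.crt -verify_ip 172.16.24.143 </dev/null` should end with `Verify return code: 0 (ok)` (without -verify_ip, s_client does not check the address against the SAN), and `curl --cacert my_ip.crt https://172.16.24.143/` should succeed without -k.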
