编辑脚本
vim ca_ip.sh
#!/bin/bash
rm -rf CA_certificate.crt CA_certificate.srl CA_private.key private.crt private.csr private.ext private.key
set -x
cip=$1
openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -subj "/C=CN/ST=BJ/L=BJ/O=SADC" -keyout CA_private.key -out CA_certificate.crt -reqexts v3_req -extensions v3_ca
openssl genrsa -out private.key 2048
openssl req -new -key private.key -subj "/C=CN/ST=BJ/L=BJ/O=SADC/CN=$cip" -sha256 -out private.csr
cat <<EOF > private.ext
[ req ]
default_bits = 1024
distinguished_name = req_distinguished_name
req_extensions = san
extensions = san
[ req_distinguished_name ]
contryName = CN
stateOrProvinceName = bj
localityName = bj
organizationName = bj
[ san ]
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = IP:$cip
EOF
openssl x509 -req -days 3650 -in private.csr -CA CA_certificate.crt -CAkey CA_private.key -CAcreateserial -sha256 -out private.crt -extfile private.ext -extensions san
使用方式:
chmod +x ca_ip.sh && sh ca_ip.sh 127.0.0.1
注意修改上面的 IP 为自己服务器的 IP。
查看生成结果
ca_ip.sh 执行结果
nginx 配置
ssl on;
ssl_certificate /usr/local/ssl/private.crt;
ssl_certificate_key /usr/local/ssl/private.key;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 5m;
ssl_ciphers HIGH:!aNUKK:!MD5;
ssl_prefer_server_ciphers on;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
下载并安装证书
下载 CA_certificate.crt 证书并安装到电脑中。
清理浏览记录后,再次通过 IP 访问网站不安全提醒消失。
网友评论