效果图:
基于以上要求,我试了很多方法,one-self-signed-cert-to-rule-them-all-chrome-android-and-ios可以签出全平台通用的域名证书。
以下部分是关于IP 证书自签的:
[ req ]
default_bits = 2048
default_keyfile = ca.key
default_md = sha256
default_days = 825
encrypt_key = no
distinguished_name = subject
req_extensions = req_ext
x509_extensions = x509_ext
string_mask = utf8only
prompt = no
[ subject ]
countryName = US
stateOrProvinceName = Oklahoma
localityName = Stillwater
organizationName = My Company
OU = Engineering
commonName = 你的 IP
emailAddress = [email protected]
# Section x509_ext is used when generating a self-signed certificate. I.e., openssl req -x509 ...
[ x509_ext ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:TRUE
keyUsage = critical, digitalSignature, keyEncipherment, cRLSign, keyCertSign
subjectAltName = IP:你的 IP
extendedKeyUsage = serverAuth
extendedKeyUsage = TLS Web Server Authentication
[ req_ext ]
subjectKeyIdentifier = hash
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
subjectAltName = IP:你的 IP
nsComment = "OpenSSL Generated Certificate"
[alt_names]
IP.1=你的 IP
openssl req -config openssl.cnf -new -x509 -days 825 -out ca.crt
openssl x509 -in ca.crt -text -noout
在 Debian / Ubuntu / Alpine 系统中信任证书:
cp *.crt /usr/local/share/ca-certificates/
update-ca-certificates
ssl_certificate /home/ssl/xxx/ca.crt;
ssl_certificate_key /home/ssl/xxx/ca.key;
首次在此发言,若有安全隐患或者另有妙招还请多多指教。