创建rootCA证书
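# Create a private root CA: an encrypted key (passphrase prompted) and a
# self-signed certificate valid for 1024 days. The CA key stays on this
# machine; only the server cert/key produced later are deployed.
cd ~ && mkdir -p mycert       # -p: re-running the steps must not fail here
cd mycert || exit 1
# -aes256 replaces the deprecated -des3 (3DES) key encryption; same prompt.
openssl genrsa -aes256 -out rootCA.key 2048 || exit 1
chmod 600 rootCA.key          # CA key readable by the owner only
openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.pem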
配置v3.ext
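# Extension file for the leaf (server) certificate. Browsers match the host
# against subjectAltName, not the CN, so the hostnames go in [alt_names].
# Quoted delimiter: the content is written literally, with no shell expansion.
cat >v3.ext <<'EOF'
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = test.com
DNS.2 = *.test.com
EOF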
签名
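# Generate the server key (unencrypted: nginx must load it without a
# passphrase) and a CSR, then sign the CSR with the root CA. The interactive
# prompts fill the subject; the hostnames that matter come from v3.ext.
openssl req -new -sha256 -nodes -out server.csr -newkey rsa:2048 -keyout mydomain.key || exit 1
chmod 600 mydomain.key        # server private key readable by the owner only
# 825 days instead of 36500: Safari/iOS reject server certificates with a
# longer validity period, even from a private CA. Re-issue when it expires.
openssl x509 -req -in server.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial \
  -out mydomain.crt -days 825 -sha256 -extfile v3.ext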
nginx 配置文件
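# cat https.conf
# HTTPS virtual host for test.com, serving the image's stock html root with
# the certificate issued by the private CA above.
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name test.com;

    ssl_certificate /root/mycert/mydomain.crt;
    ssl_certificate_key /root/mycert/mydomain.key;
    # Restrict to current protocol versions; older nginx builds otherwise
    # still enable TLSv1/TLSv1.1 by default.
    ssl_protocols TLSv1.2 TLSv1.3;

    location / {
        root /usr/share/nginx/html;
        index index.html index.htm;
    }

    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root /usr/share/nginx/html;
    }
}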
启动 nginx 容器
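# Run nginx with the host's server cert/key and the https.conf above.
# Mount only the files nginx needs, read-only, instead of the whole
# /root/mycert directory: the CA private key (rootCA.key) must not be
# exposed inside the container. Container paths match https.conf.
docker run -it --rm \
  -v /root/mycert/mydomain.crt:/root/mycert/mydomain.crt:ro \
  -v /root/mycert/mydomain.key:/root/mycert/mydomain.key:ro \
  -v /root/mycert/https.conf:/etc/nginx/conf.d/https.conf:ro \
  -p 80:80 -p 443:443 --name nginx nginx:alpine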
导入证书
- 将rootCA.pem文件更名为rootCA.crt
- 双击安装证书，导入证书到“受信任的根证书颁发机构”
- 重启浏览器