
@sursir
Created June 12, 2019 09:26
https 443 server ssl cert crt caroot
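# Local development CA plus a server certificate for pikachu.com.
# Run the commands in order, in a directory that only your own account can read.

# 1. Root CA private key, protected by a passphrase.
#    Whoever holds this key can issue certificates for any host name on every
#    machine that trusts rootCA.pem, so keep it off shared hosts and backups.
#    AES-256 replaces the legacy 3DES (-des3) key wrapping.
openssl genrsa -aes256 -out rootCA.key 2048

# 2. Self-signed root certificate (asks for the key passphrase and the subject fields).
#    -nodes is dropped: it only affects a key that `req` creates itself, and
#    here the key already exists.
openssl req -x509 -new -key rootCA.key -sha256 -days 2048 -out rootCA.pem

# 3. Add rootCA.pem to the trust store. This is a manual step; no command is
#    recorded here. Trust the root on development machines only.

# 4. Organisation (the server owner): generate a key pair and the signing request.
#    -nodes leaves pikachu.key unencrypted so the web server can start unattended;
#    file permissions are therefore the key's only protection.
openssl req -new -sha256 -nodes -out pikachu.csr -newkey rsa:2048 -keyout pikachu.key -config pikachu.csr.cnf
chmod 600 rootCA.key pikachu.key

# 5. The root CA approves the request and issues the certificate to the organisation.
#    825 days instead of 2048: Apple platforms (iOS 13 / macOS 10.15 and later)
#    reject TLS server certificates issued after 2019-07-01 with a longer validity.
#    The subjectAltName entries come from pikachu.v3.ext, not from the CSR.
openssl x509 -req -in pikachu.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out pikachu.crt -days 825 -sha256 -extfile pikachu.v3.ext

# 6. Organisation: configure the web server with its own key and the issued certificate.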
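# TLS directives for the site; presumably placed inside its server { } block.
listen 443 ssl;

# Certificate issued by the local root CA, and the matching private key.
# The key file is unencrypted (it was created with -nodes), so keep it readable
# only by the account that starts nginx.
ssl_certificate /Users/sunny/.crt/pikachu.crt;
ssl_certificate_key /Users/sunny/.crt/pikachu.key;

# Pin the protocol versions instead of inheriting the build default, which on
# older nginx releases still includes TLS 1.0 and 1.1.
# The TLSv1.3 parameter needs nginx 1.13.0+ and takes effect only with OpenSSL 1.1.1+.
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;

# Session resumption: a 1 MB cache shared between workers, entries expire after 5 minutes.
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 5m;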
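# pikachu.csr.cnf: read by `openssl req -config pikachu.csr.cnf` when the CSR is created.

[req]
# default_bits and default_md are the fallbacks; the command line above already
# passes -newkey rsa:2048 and -sha256 explicitly.
default_bits = 2048
# Do not prompt: take the subject fields verbatim from the section named below.
prompt = no
default_md = sha256
distinguished_name = dn

[dn]
C = CN
ST = Sunny
L = Yang
O = Yang
OU = Yang
# NOTE(review): this line reached the page as "[email protected]" (e-mail obfuscation).
# Left like that, OpenSSL would read it as a new section header and the CN below
# would fall out of [dn]. Presumably it was an emailAddress entry; the address
# here is a placeholder, substitute your own.
emailAddress = admin@example.com
# Modern browsers match host names against subjectAltName (set in the extension
# file at signing time), not against CN.
CN = pikachu.com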
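# pikachu.v3.ext: X.509 v3 extensions applied by `openssl x509 -req -extfile`.
# The keys sit in the unnamed default section because no -extensions name is passed.

authorityKeyIdentifier = keyid,issuer
# Leaf certificate: it must not be able to sign other certificates.
basicConstraints = CA:FALSE
# NOTE(review): a TLS server certificate with an RSA key only needs digitalSignature
# and keyEncipherment; the other two usages are kept as the author had them.
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
# Restrict the certificate to TLS server authentication. Apple platforms
# (iOS 13 / macOS 10.15 and later) require this extension on TLS server certificates.
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
# Important: the DNS entries are the host names clients validate the certificate
# against. Every name the server is reached by must be listed here.
DNS.1 = mobile.pikachu.com
DNS.2 = pikachu.local
DNS.3 = pikachu.com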