准备

将如下脚本保存为 auto_create_cer.sh

#!/bin/bash
echo "自动创建自定义证书"
region=$1
region_suffix=$2

if [[ "X$region" == "X" ]]; then
  echo "region is empty"
  exit 1
fi

if [[ "X$region_suffix" == "X" ]]; then
  echo "region_suffix is empty"
  exit 1
fi

if [[ ! -f "openssl.cnf" ]]; then
  echo "openssl.cnf file is not exist"
  exit 1
fi

mkdir $region

cp openssl.cnf $region/

cd $region

mkdir demoCA

cd demoCA

mkdir private

SAN="[SAN]\nsubjectAltName=DNS:*.$region.$region_suffix"
subj="/C=CN/ST=SH_I/L=ZJ_L/O=Mlick_X/OU=ML_X/CN=$region"

echo "生成CA根证书"
openssl genrsa -des3 -passout pass:999999 -out private/cakey.pem 2048
openssl req -sha256 -new -nodes -key private/cakey.pem -passin pass:999999 \
  -x509 -days 3650 -out cacert.pem -subj "$subj"

cd ..

echo "生成中间CA证书"
openssl genrsa -des3 -passout pass:999999 -out $region.key 2048

openssl req -new -key $region.key \
  -passin pass:999999 \
  -subj "$subj" -reqexts SAN \
  -config <(cat openssl.cnf \
    <(printf "$SAN")) \
  -out $region.csr

echo "移除密码"
cp $region.key $region.key.org
openssl rsa -passin pass:999999 -in $region.key.org -out $region.key

echo "生成x509 crt证书"
openssl x509 -req \
  -days 36500 \
  -in $region.csr \
  -signkey $region.key \
  -out $region.crt \
  -extensions SAN \
  -extfile <(cat openssl.cnf <(printf "$SAN"))

echo "查看crt证书"
openssl x509 -text -in $region.crt

openssl.cnf 文件

HOME            = .
oid_section     = new_oids
[ new_oids ]
tsa_policy1 = 1.2.3.4.1
tsa_policy2 = 1.2.3.4.5.6
tsa_policy3 = 1.2.3.4.5.7

[ ca ]
default_ca  = CA_default        

[ CA_default ]
dir     = ./demoCA      
certs       = $dir/certs        
crl_dir     = $dir/crl      
database    = $dir/index.txt
new_certs_dir   = $dir/newcerts
certificate = $dir/cacert.pem   
serial      = $dir/serial       
crlnumber   = $dir/crlnumber
crl     = $dir/crl.pem      
private_key = $dir/private/cakey.pem
x509_extensions = usr_cert
name_opt    = ca_default        
cert_opt    = ca_default
default_days    = 365           
default_crl_days= 30            
default_md  = default       
preserve    = no
policy      = policy_match

[ policy_match ]
countryName     = match
stateOrProvinceName = match
organizationName    = match
organizationalUnitName  = optional
commonName      = supplied
emailAddress        = optional

[ policy_anything ]
countryName     = optional
stateOrProvinceName = optional
localityName        = optional
organizationName    = optional
organizationalUnitName  = optional
commonName      = supplied
emailAddress        = optional

[ req ]
default_bits        = 2048
default_keyfile     = privkey.pem
distinguished_name  = req_distinguished_name
attributes      = req_attributes
x509_extensions = v3_ca
string_mask = utf8only

[ req_distinguished_name ]
countryName         = Country Name (2 letter code)
countryName_default     = AU
countryName_min         = 2
countryName_max         = 2
stateOrProvinceName     = State or Province Name (full name)
stateOrProvinceName_default = Some-State
localityName            = Locality Name (eg, city)
0.organizationName      = Organization Name (eg, company)
0.organizationName_default  = Internet Widgits Pty Ltd
organizationalUnitName      = Organizational Unit Name (eg, section)
commonName          = Common Name (e.g. server FQDN or YOUR name)
commonName_max          = 64
emailAddress            = Email Address
emailAddress_max        = 64

[ req_attributes ]
challengePassword       = A challenge password
challengePassword_min       = 4
challengePassword_max       = 20
unstructuredName        = An optional company name

[ usr_cert ]
basicConstraints=CA:FALSE
nsComment           = "OpenSSL Generated Certificate"
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment

[ v3_ca ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer
basicConstraints = critical,CA:true

[ crl_ext ]
authorityKeyIdentifier=keyid:always

[ proxy_cert_ext ]
basicConstraints=CA:FALSE
nsComment           = "OpenSSL Generated Certificate"
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo

[ tsa ]
default_tsa = tsa_config1   

[ tsa_config1 ]
dir     = ./demoCA      
serial      = $dir/tsaserial    
crypto_device   = builtin       
signer_cert = $dir/tsacert.pem
certs       = $dir/cacert.pem
signer_key  = $dir/private/tsakey.pem 
signer_digest  = sha256         
default_policy  = tsa_policy1
other_policies  = tsa_policy2, tsa_policy3  
digests     = sha1, sha256, sha384, sha512  
accuracy    = secs:1, millisecs:500, microsecs:100  
clock_precision_digits  = 0 
ordering        = yes
tsa_name        = yes
ess_cert_id_chain   = no
ess_cert_id_alg     = sha1

需要Linux环境下安装有openssl

用法

将如上两个文件 auto_create_cer.sh 和 openssl.cnf 放置在同一目录下
然后执行如下命令

bash auto_create_cer.sh gxfb  mlick.io

注意: 后面需要跟上两个参数
这样就会生成 *.gxfb.mlick.io 的根证书了。

然后就会在gxfb目录下生成 crt证书了

image.png

最后拿着 gxfb.crt 和 gxfb.key 就可以配置在服务上，本地导入 crt证书，再访问就ok了。

简单附上nginx配置的

image.png

附上成功后的截图

image.png