自建内网服务时会用到ssl,就需要自签名(通用)证书了。

一个证书主要有两个文件:秘钥文件(公钥、私钥)、证书文件。私钥签发证书,公钥验证证书。可以给自己签名生成自签名证书,也可以给别人签名,生成通用证书。

专门给别人签名的秘钥一般由证书颁发机构CA保管,如Let's Entrypt。浏览器存有可信证书颁发机构的公钥信息。

证书生成脚本

需要openssl,执行以下命令即可给指定域名颁发证书。将生成的ca.crt导入浏览器证书颁发机构,将domain.com.keydomain.com.crt用于WEB服务器配置即可。

1
./gencert.sh domain.com
  1. 证书生成脚本gencert.sh
     1
     2
     3
     4
     5
     6
     7
     8
     9
    10
    11
    12
    13
    14
    15
    16
    17
    18
    19
    20
    21
    22
    23
    24
    25
    26
    27
    28
    29
    30
    31
    32
    33
    34
    35
    36
    37
    38
    39
    40
    41
    42
    43
    44
    45
    46
    47
    48
    49
    50
    51
    52
    53
    54
    55
    56
    57
    58
    59
    
    #!/bin/bash
    
    # 生成根证书
    genCa()
    {
        openssl genrsa -out ca.key 4096
        openssl req \
            -x509 \
            -new \
            -nodes \
            -subj /CN=LocalCa \
            -sha256 \
            -days 7300 \
            -reqexts SAN \
            -extensions SAN \
            -config <(cat openssl.cnf \
                <(printf "[SAN]\nsubjectAltName=DNS:localhost")) \
            -key ca.key \
            -out ca.crt
    }
    
    # 生成域名证书并用根证书签名
    # 2019年7月1日以后签发的证书,有效期必须小于等于825天。可以调整系统时间来改变证书签发日期。
    # https://support.apple.com/zh-cn/HT210176
    genCe()
    {
        domain=${1:-localhost}
        target=${2:-${domain}}
        openssl genrsa -out ${target}.key 2048
        openssl req \
            -new \
            -subj /CN=${domain} \
            -sha256 \
            -reqexts SAN \
            -extensions SAN \
            -config <(cat openssl.cnf \
                <(printf "[SAN]\nsubjectAltName=DNS:${domain},DNS:*.${domain}")) \
            -key ${target}.key \
            -out ${target}.csr
        openssl x509 \
            -req \
            -CA ca.crt \
            -CAkey ca.key \
            -CAcreateserial \
            -sha256 \
            -days 825 \
            -extensions SAN \
            -extfile <(cat openssl.cnf \
                <(printf "[SAN]\nsubjectAltName=DNS:${domain},DNS:*.${domain}")) \
            -in ${target}.csr \
            -out ${target}.crt
    }
    
    # 如果根证书不存在,则生成根证书
    if [[ ! -f ca.key || ! -f ca.crt ]]; then
        genCa
    fi
    
    genCe $@
    
  2. openssl配置openssl.cnf
      1
      2
      3
      4
      5
      6
      7
      8
      9
     10
     11
     12
     13
     14
     15
     16
     17
     18
     19
     20
     21
     22
     23
     24
     25
     26
     27
     28
     29
     30
     31
     32
     33
     34
     35
     36
     37
     38
     39
     40
     41
     42
     43
     44
     45
     46
     47
     48
     49
     50
     51
     52
     53
     54
     55
     56
     57
     58
     59
     60
     61
     62
     63
     64
     65
     66
     67
     68
     69
     70
     71
     72
     73
     74
     75
     76
     77
     78
     79
     80
     81
     82
     83
     84
     85
     86
     87
     88
     89
     90
     91
     92
     93
     94
     95
     96
     97
     98
     99
    100
    101
    102
    103
    104
    105
    106
    107
    108
    109
    110
    111
    112
    113
    114
    115
    116
    117
    118
    119
    120
    121
    122
    123
    124
    125
    126
    127
    128
    129
    130
    131
    132
    133
    134
    135
    136
    137
    138
    139
    140
    141
    142
    143
    144
    145
    146
    147
    148
    149
    150
    151
    152
    153
    154
    155
    156
    157
    158
    159
    160
    161
    162
    163
    164
    165
    166
    167
    168
    169
    170
    171
    172
    173
    174
    175
    176
    177
    178
    179
    180
    181
    182
    183
    184
    185
    186
    187
    188
    189
    190
    191
    192
    193
    194
    195
    196
    197
    198
    199
    200
    201
    202
    203
    204
    205
    206
    207
    208
    209
    210
    211
    212
    213
    214
    215
    216
    217
    218
    219
    220
    221
    222
    223
    224
    225
    226
    227
    228
    229
    230
    231
    232
    233
    234
    235
    236
    237
    238
    239
    240
    241
    242
    243
    244
    245
    246
    247
    248
    249
    250
    251
    252
    253
    254
    255
    256
    257
    258
    259
    260
    261
    262
    263
    264
    265
    266
    267
    268
    269
    270
    271
    272
    273
    274
    275
    276
    277
    278
    279
    280
    281
    282
    283
    284
    285
    286
    287
    288
    289
    290
    291
    292
    293
    294
    295
    296
    297
    298
    299
    300
    301
    302
    303
    304
    305
    306
    307
    308
    309
    310
    311
    312
    313
    314
    315
    316
    317
    318
    319
    320
    321
    322
    323
    324
    325
    326
    327
    328
    329
    330
    331
    332
    333
    334
    335
    336
    337
    338
    339
    340
    341
    342
    343
    344
    345
    346
    347
    348
    349
    350
    
    #
    # OpenSSL example configuration file.
    # This is mostly being used for generation of certificate requests.
    #
    
    # Note that you can include other files from the main configuration
    # file using the .include directive.
    #.include filename
    
    # This definition stops the following lines choking if HOME isn't
    # defined.
    HOME			= .
    
    # Extra OBJECT IDENTIFIER info:
    #oid_file		= $ENV::HOME/.oid
    oid_section		= new_oids
    
    # To use this configuration file with the "-extfile" option of the
    # "openssl x509" utility, name here the section containing the
    # X.509v3 extensions to use:
    # extensions		= 
    # (Alternatively, use a configuration file that has only
    # X.509v3 extensions in its main [= default] section.)
    
    [ new_oids ]
    
    # We can add new OIDs in here for use by 'ca', 'req' and 'ts'.
    # Add a simple OID like this:
    # testoid1=1.2.3.4
    # Or use config file substitution like this:
    # testoid2=${testoid1}.5.6
    
    # Policies used by the TSA examples.
    tsa_policy1 = 1.2.3.4.1
    tsa_policy2 = 1.2.3.4.5.6
    tsa_policy3 = 1.2.3.4.5.7
    
    ####################################################################
    [ ca ]
    default_ca	= CA_default		# The default ca section
    
    ####################################################################
    [ CA_default ]
    
    dir		= /etc/ssl		# Where everything is kept
    certs		= $dir/certs		# Where the issued certs are kept
    crl_dir		= $dir/crl		# Where the issued crl are kept
    database	= $dir/index.txt	# database index file.
    #unique_subject	= no			# Set to 'no' to allow creation of
                        # several certs with same subject.
    new_certs_dir	= $dir/newcerts		# default place for new certs.
    
    certificate	= $dir/cacert.pem 	# The CA certificate
    serial		= $dir/serial 		# The current serial number
    crlnumber	= $dir/crlnumber	# the current crl number
                        # must be commented out to leave a V1 CRL
    crl		= $dir/crl.pem 		# The current CRL
    private_key	= $dir/private/cakey.pem# The private key
    
    x509_extensions	= usr_cert		# The extensions to add to the cert
    
    # Comment out the following two lines for the "traditional"
    # (and highly broken) format.
    name_opt 	= ca_default		# Subject Name options
    cert_opt 	= ca_default		# Certificate field options
    
    # Extension copying option: use with caution.
    # copy_extensions = copy
    
    # Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
    # so this is commented out by default to leave a V1 CRL.
    # crlnumber must also be commented out to leave a V1 CRL.
    # crl_extensions	= crl_ext
    
    default_days	= 365			# how long to certify for
    default_crl_days= 30			# how long before next CRL
    default_md	= default		# use public key default MD
    preserve	= no			# keep passed DN ordering
    
    # A few difference way of specifying how similar the request should look
    # For type CA, the listed attributes must be the same, and the optional
    # and supplied fields are just that :-)
    policy		= policy_match
    
    # For the CA policy
    [ policy_match ]
    countryName		= match
    stateOrProvinceName	= match
    organizationName	= match
    organizationalUnitName	= optional
    commonName		= supplied
    emailAddress		= optional
    
    # For the 'anything' policy
    # At this point in time, you must list all acceptable 'object'
    # types.
    [ policy_anything ]
    countryName		= optional
    stateOrProvinceName	= optional
    localityName		= optional
    organizationName	= optional
    organizationalUnitName	= optional
    commonName		= supplied
    emailAddress		= optional
    
    ####################################################################
    [ req ]
    default_bits		= 2048
    default_keyfile 	= privkey.pem
    distinguished_name	= req_distinguished_name
    attributes		= req_attributes
    x509_extensions	= v3_ca	# The extensions to add to the self signed cert
    
    # Passwords for private keys if not present they will be prompted for
    # input_password = secret
    # output_password = secret
    
    # This sets a mask for permitted string types. There are several options. 
    # default: PrintableString, T61String, BMPString.
    # pkix	 : PrintableString, BMPString (PKIX recommendation before 2004)
    # utf8only: only UTF8Strings (PKIX recommendation after 2004).
    # nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
    # MASK:XXXX a literal mask value.
    # WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings.
    string_mask = utf8only
    
    # req_extensions = v3_req # The extensions to add to a certificate request
    
    [ req_distinguished_name ]
    countryName			= Country Name (2 letter code)
    countryName_default		= AU
    countryName_min			= 2
    countryName_max			= 2
    
    stateOrProvinceName		= State or Province Name (full name)
    stateOrProvinceName_default	= Some-State
    
    localityName			= Locality Name (eg, city)
    
    0.organizationName		= Organization Name (eg, company)
    0.organizationName_default	= Internet Widgits Pty Ltd
    
    # we can do this but it is not needed normally :-)
    #1.organizationName		= Second Organization Name (eg, company)
    #1.organizationName_default	= World Wide Web Pty Ltd
    
    organizationalUnitName		= Organizational Unit Name (eg, section)
    #organizationalUnitName_default	=
    
    commonName			= Common Name (e.g. server FQDN or YOUR name)
    commonName_max			= 64
    
    emailAddress			= Email Address
    emailAddress_max		= 64
    
    # SET-ex3			= SET extension number 3
    
    [ req_attributes ]
    challengePassword		= A challenge password
    challengePassword_min		= 4
    challengePassword_max		= 20
    
    unstructuredName		= An optional company name
    
    [ usr_cert ]
    
    # These extensions are added when 'ca' signs a request.
    
    # This goes against PKIX guidelines but some CAs do it and some software
    # requires this to avoid interpreting an end user certificate as a CA.
    
    basicConstraints=CA:FALSE
    
    # Here are some examples of the usage of nsCertType. If it is omitted
    # the certificate can be used for anything *except* object signing.
    
    # This is OK for an SSL server.
    # nsCertType			= server
    
    # For an object signing certificate this would be used.
    # nsCertType = objsign
    
    # For normal client use this is typical
    # nsCertType = client, email
    
    # and for everything including object signing:
    # nsCertType = client, email, objsign
    
    # This is typical in keyUsage for a client certificate.
    # keyUsage = nonRepudiation, digitalSignature, keyEncipherment
    
    # This will be displayed in Netscape's comment listbox.
    nsComment			= "OpenSSL Generated Certificate"
    
    # PKIX recommendations harmless if included in all certificates.
    subjectKeyIdentifier=hash
    authorityKeyIdentifier=keyid,issuer
    
    # This stuff is for subjectAltName and issuerAltname.
    # Import the email address.
    # subjectAltName=email:copy
    # An alternative to produce certificates that aren't
    # deprecated according to PKIX.
    # subjectAltName=email:move
    
    # Copy subject details
    # issuerAltName=issuer:copy
    
    #nsCaRevocationUrl		= http://www.domain.dom/ca-crl.pem
    #nsBaseUrl
    #nsRevocationUrl
    #nsRenewalUrl
    #nsCaPolicyUrl
    #nsSslServerName
    
    # This is required for TSA certificates.
    # extendedKeyUsage = critical,timeStamping
    
    [ v3_req ]
    
    # Extensions to add to a certificate request
    
    basicConstraints = CA:FALSE
    keyUsage = nonRepudiation, digitalSignature, keyEncipherment
    
    [ v3_ca ]
    
    
    # Extensions for a typical CA
    
    
    # PKIX recommendation.
    
    subjectKeyIdentifier=hash
    
    authorityKeyIdentifier=keyid:always,issuer
    
    basicConstraints = critical,CA:true
    
    # Key usage: this is typical for a CA certificate. However since it will
    # prevent it being used as an test self-signed certificate it is best
    # left out by default.
    # keyUsage = cRLSign, keyCertSign
    
    # Some might want this also
    # nsCertType = sslCA, emailCA
    
    # Include email address in subject alt name: another PKIX recommendation
    # subjectAltName=email:copy
    # Copy issuer details
    # issuerAltName=issuer:copy
    
    # DER hex encoding of an extension: beware experts only!
    # obj=DER:02:03
    # Where 'obj' is a standard or added object
    # You can even override a supported extension:
    # basicConstraints= critical, DER:30:03:01:01:FF
    
    [ crl_ext ]
    
    # CRL extensions.
    # Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
    
    # issuerAltName=issuer:copy
    authorityKeyIdentifier=keyid:always
    
    [ proxy_cert_ext ]
    # These extensions should be added when creating a proxy certificate
    
    # This goes against PKIX guidelines but some CAs do it and some software
    # requires this to avoid interpreting an end user certificate as a CA.
    
    basicConstraints=CA:FALSE
    
    # Here are some examples of the usage of nsCertType. If it is omitted
    # the certificate can be used for anything *except* object signing.
    
    # This is OK for an SSL server.
    # nsCertType			= server
    
    # For an object signing certificate this would be used.
    # nsCertType = objsign
    
    # For normal client use this is typical
    # nsCertType = client, email
    
    # and for everything including object signing:
    # nsCertType = client, email, objsign
    
    # This is typical in keyUsage for a client certificate.
    # keyUsage = nonRepudiation, digitalSignature, keyEncipherment
    
    # This will be displayed in Netscape's comment listbox.
    nsComment			= "OpenSSL Generated Certificate"
    
    # PKIX recommendations harmless if included in all certificates.
    subjectKeyIdentifier=hash
    authorityKeyIdentifier=keyid,issuer
    
    # This stuff is for subjectAltName and issuerAltname.
    # Import the email address.
    # subjectAltName=email:copy
    # An alternative to produce certificates that aren't
    # deprecated according to PKIX.
    # subjectAltName=email:move
    
    # Copy subject details
    # issuerAltName=issuer:copy
    
    #nsCaRevocationUrl		= http://www.domain.dom/ca-crl.pem
    #nsBaseUrl
    #nsRevocationUrl
    #nsRenewalUrl
    #nsCaPolicyUrl
    #nsSslServerName
    
    # This really needs to be in place for it to be a proxy certificate.
    proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo
    
    ####################################################################
    [ tsa ]
    
    default_tsa = tsa_config1	# the default TSA section
    
    [ tsa_config1 ]
    
    # These are used by the TSA reply generation only.
    dir		= /etc/ssl		# TSA root directory
    serial		= $dir/tsaserial	# The current serial number (mandatory)
    crypto_device	= builtin		# OpenSSL engine to use for signing
    signer_cert	= $dir/tsacert.pem 	# The TSA signing certificate
                        # (optional)
    certs		= $dir/cacert.pem	# Certificate chain to include in reply
                        # (optional)
    signer_key	= $dir/private/tsakey.pem # The TSA private key (optional)
    signer_digest  = sha256			# Signing digest to use. (Optional)
    default_policy	= tsa_policy1		# Policy if request did not specify it
                        # (optional)
    other_policies	= tsa_policy2, tsa_policy3	# acceptable policies (optional)
    digests     = sha1, sha256, sha384, sha512  # Acceptable message digests (mandatory)
    accuracy	= secs:1, millisecs:500, microsecs:100	# (optional)
    clock_precision_digits  = 0	# number of digits after dot. (optional)
    ordering		= yes	# Is ordering defined for timestamps?
                    # (optional, default: no)
    tsa_name		= yes	# Must the TSA name be included in the reply?
                    # (optional, default: no)
    ess_cert_id_chain	= no	# Must the ESS cert id chain be included?
                    # (optional, default: no)
    ess_cert_id_alg		= sha1	# algorithm to compute certificate
                    # identifier (optional, default: sha1)
    

**证书的有效期不能超过825天,否则浏览器会认为证书无效。**参考iOS 13 和 macOS 10.15 中的可信证书应满足的要求

ArchLinux添加自定义根证书

1.Move /usr/local/share/ca-certificates/.crt to /etc/ca-certificates/trust-source/anchors/ 2.Do the same with all manually-added /etc/ssl/certs/.pem files and rename them to *.crt 3.Instead of update-ca-certificates, run trust extract-compat

参考文章