自建内网服务时会用到ssl，就需要自签名（通用）证书了。

一个证书主要有两个文件：秘钥文件（公钥、私钥）、证书文件。私钥签发证书，公钥验证证书。可以给自己签名生成自签名证书，也可以给别人签名，生成通用证书。

专门给别人签名的秘钥一般由证书颁发机构CA保管，如Let's Entrypt。浏览器存有可信证书颁发机构的公钥信息。

证书生成脚本

需要openssl，执行以下命令即可给指定域名颁发证书。将生成的ca.crt导入浏览器证书颁发机构，将domain.com.key，domain.com.crt用于WEB服务器配置即可。

./gencert.sh domain.com

1. 证书生成脚本gencert.sh

   #!/bin/bash
   
   # 生成根证书
   genCa()
   {
       openssl genrsa -out ca.key 4096
       openssl req \
           -x509 \
           -new \
           -nodes \
           -subj /CN=LocalCa \
           -sha256 \
           -days 7300 \
           -reqexts SAN \
           -extensions SAN \
           -config <(cat openssl.cnf \
               <(printf "[SAN]\nsubjectAltName=DNS:localhost")) \
           -key ca.key \
           -out ca.crt
   }
   
   # 生成域名证书并用根证书签名
   # 2019年7月1日以后签发的证书，有效期必须小于等于825天。可以调整系统时间来改变证书签发日期。
   # https://support.apple.com/zh-cn/HT210176
   genCe()
   {
       domain=${1:-localhost}
       target=${2:-${domain}}
       openssl genrsa -out ${target}.key 2048
       openssl req \
           -new \
           -subj /CN=${domain} \
           -sha256 \
           -reqexts SAN \
           -extensions SAN \
           -config <(cat openssl.cnf \
               <(printf "[SAN]\nsubjectAltName=DNS:${domain},DNS:*.${domain}")) \
           -key ${target}.key \
           -out ${target}.csr
       openssl x509 \
           -req \
           -CA ca.crt \
           -CAkey ca.key \
           -CAcreateserial \
           -sha256 \
           -days 825 \
           -extensions SAN \
           -extfile <(cat openssl.cnf \
               <(printf "[SAN]\nsubjectAltName=DNS:${domain},DNS:*.${domain}")) \
           -in ${target}.csr \
           -out ${target}.crt
   }
   
   # 如果根证书不存在，则生成根证书
   if [[ ! -f ca.key || ! -f ca.crt ]]; then
       genCa
   fi
   
   genCe $@
   

2. openssl配置openssl.cnf

   #
   # OpenSSL example configuration file.
   # This is mostly being used for generation of certificate requests.
   #
   
   # Note that you can include other files from the main configuration
   # file using the .include directive.
   #.include filename
   
   # This definition stops the following lines choking if HOME isn't
   # defined.
   HOME			= .
   
   # Extra OBJECT IDENTIFIER info:
   #oid_file		= $ENV::HOME/.oid
   oid_section		= new_oids
   
   # To use this configuration file with the "-extfile" option of the
   # "openssl x509" utility, name here the section containing the
   # X.509v3 extensions to use:
   # extensions		=
   # (Alternatively, use a configuration file that has only
   # X.509v3 extensions in its main [= default] section.)
   
   [ new_oids ]
   
   # We can add new OIDs in here for use by 'ca', 'req' and 'ts'.
   # Add a simple OID like this:
   # testoid1=1.2.3.4
   # Or use config file substitution like this:
   # testoid2=${testoid1}.5.6
   
   # Policies used by the TSA examples.
   tsa_policy1 = 1.2.3.4.1
   tsa_policy2 = 1.2.3.4.5.6
   tsa_policy3 = 1.2.3.4.5.7
   
   ####################################################################
   [ ca ]
   default_ca	= CA_default		# The default ca section
   
   ####################################################################
   [ CA_default ]
   
   dir		= /etc/ssl		# Where everything is kept
   certs		= $dir/certs		# Where the issued certs are kept
   crl_dir		= $dir/crl		# Where the issued crl are kept
   database	= $dir/index.txt	# database index file.
   #unique_subject	= no			# Set to 'no' to allow creation of
                       # several certs with same subject.
   new_certs_dir	= $dir/newcerts		# default place for new certs.
   
   certificate	= $dir/cacert.pem 	# The CA certificate
   serial		= $dir/serial 		# The current serial number
   crlnumber	= $dir/crlnumber	# the current crl number
                       # must be commented out to leave a V1 CRL
   crl		= $dir/crl.pem 		# The current CRL
   private_key	= $dir/private/cakey.pem# The private key
   
   x509_extensions	= usr_cert		# The extensions to add to the cert
   
   # Comment out the following two lines for the "traditional"
   # (and highly broken) format.
   name_opt 	= ca_default		# Subject Name options
   cert_opt 	= ca_default		# Certificate field options
   
   # Extension copying option: use with caution.
   # copy_extensions = copy
   
   # Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
   # so this is commented out by default to leave a V1 CRL.
   # crlnumber must also be commented out to leave a V1 CRL.
   # crl_extensions	= crl_ext
   
   default_days	= 365			# how long to certify for
   default_crl_days= 30			# how long before next CRL
   default_md	= default		# use public key default MD
   preserve	= no			# keep passed DN ordering
   
   # A few difference way of specifying how similar the request should look
   # For type CA, the listed attributes must be the same, and the optional
   # and supplied fields are just that :-)
   policy		= policy_match
   
   # For the CA policy
   [ policy_match ]
   countryName		= match
   stateOrProvinceName	= match
   organizationName	= match
   organizationalUnitName	= optional
   commonName		= supplied
   emailAddress		= optional
   
   # For the 'anything' policy
   # At this point in time, you must list all acceptable 'object'
   # types.
   [ policy_anything ]
   countryName		= optional
   stateOrProvinceName	= optional
   localityName		= optional
   organizationName	= optional
   organizationalUnitName	= optional
   commonName		= supplied
   emailAddress		= optional
   
   ####################################################################
   [ req ]
   default_bits		= 2048
   default_keyfile 	= privkey.pem
   distinguished_name	= req_distinguished_name
   attributes		= req_attributes
   x509_extensions	= v3_ca	# The extensions to add to the self signed cert
   
   # Passwords for private keys if not present they will be prompted for
   # input_password = secret
   # output_password = secret
   
   # This sets a mask for permitted string types. There are several options.
   # default: PrintableString, T61String, BMPString.
   # pkix	 : PrintableString, BMPString (PKIX recommendation before 2004)
   # utf8only: only UTF8Strings (PKIX recommendation after 2004).
   # nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
   # MASK:XXXX a literal mask value.
   # WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings.
   string_mask = utf8only
   
   # req_extensions = v3_req # The extensions to add to a certificate request
   
   [ req_distinguished_name ]
   countryName			= Country Name (2 letter code)
   countryName_default		= AU
   countryName_min			= 2
   countryName_max			= 2
   
   stateOrProvinceName		= State or Province Name (full name)
   stateOrProvinceName_default	= Some-State
   
   localityName			= Locality Name (eg, city)
   
   0.organizationName		= Organization Name (eg, company)
   0.organizationName_default	= Internet Widgits Pty Ltd
   
   # we can do this but it is not needed normally :-)
   #1.organizationName		= Second Organization Name (eg, company)
   #1.organizationName_default	= World Wide Web Pty Ltd
   
   organizationalUnitName		= Organizational Unit Name (eg, section)
   #organizationalUnitName_default	=
   
   commonName			= Common Name (e.g. server FQDN or YOUR name)
   commonName_max			= 64
   
   emailAddress			= Email Address
   emailAddress_max		= 64
   
   # SET-ex3			= SET extension number 3
   
   [ req_attributes ]
   challengePassword		= A challenge password
   challengePassword_min		= 4
   challengePassword_max		= 20
   
   unstructuredName		= An optional company name
   
   [ usr_cert ]
   
   # These extensions are added when 'ca' signs a request.
   
   # This goes against PKIX guidelines but some CAs do it and some software
   # requires this to avoid interpreting an end user certificate as a CA.
   
   basicConstraints=CA:FALSE
   
   # Here are some examples of the usage of nsCertType. If it is omitted
   # the certificate can be used for anything *except* object signing.
   
   # This is OK for an SSL server.
   # nsCertType			= server
   
   # For an object signing certificate this would be used.
   # nsCertType = objsign
   
   # For normal client use this is typical
   # nsCertType = client, email
   
   # and for everything including object signing:
   # nsCertType = client, email, objsign
   
   # This is typical in keyUsage for a client certificate.
   # keyUsage = nonRepudiation, digitalSignature, keyEncipherment
   
   # This will be displayed in Netscape's comment listbox.
   nsComment			= "OpenSSL Generated Certificate"
   
   # PKIX recommendations harmless if included in all certificates.
   subjectKeyIdentifier=hash
   authorityKeyIdentifier=keyid,issuer
   
   # This stuff is for subjectAltName and issuerAltname.
   # Import the email address.
   # subjectAltName=email:copy
   # An alternative to produce certificates that aren't
   # deprecated according to PKIX.
   # subjectAltName=email:move
   
   # Copy subject details
   # issuerAltName=issuer:copy
   
   #nsCaRevocationUrl		= http://www.domain.dom/ca-crl.pem
   #nsBaseUrl
   #nsRevocationUrl
   #nsRenewalUrl
   #nsCaPolicyUrl
   #nsSslServerName
   
   # This is required for TSA certificates.
   # extendedKeyUsage = critical,timeStamping
   
   [ v3_req ]
   
   # Extensions to add to a certificate request
   
   basicConstraints = CA:FALSE
   keyUsage = nonRepudiation, digitalSignature, keyEncipherment
   
   [ v3_ca ]
   
   
   # Extensions for a typical CA
   
   
   # PKIX recommendation.
   
   subjectKeyIdentifier=hash
   
   authorityKeyIdentifier=keyid:always,issuer
   
   basicConstraints = critical,CA:true
   
   # Key usage: this is typical for a CA certificate. However since it will
   # prevent it being used as an test self-signed certificate it is best
   # left out by default.
   # keyUsage = cRLSign, keyCertSign
   
   # Some might want this also
   # nsCertType = sslCA, emailCA
   
   # Include email address in subject alt name: another PKIX recommendation
   # subjectAltName=email:copy
   # Copy issuer details
   # issuerAltName=issuer:copy
   
   # DER hex encoding of an extension: beware experts only!
   # obj=DER:02:03
   # Where 'obj' is a standard or added object
   # You can even override a supported extension:
   # basicConstraints= critical, DER:30:03:01:01:FF
   
   [ crl_ext ]
   
   # CRL extensions.
   # Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
   
   # issuerAltName=issuer:copy
   authorityKeyIdentifier=keyid:always
   
   [ proxy_cert_ext ]
   # These extensions should be added when creating a proxy certificate
   
   # This goes against PKIX guidelines but some CAs do it and some software
   # requires this to avoid interpreting an end user certificate as a CA.
   
   basicConstraints=CA:FALSE
   
   # Here are some examples of the usage of nsCertType. If it is omitted
   # the certificate can be used for anything *except* object signing.
   
   # This is OK for an SSL server.
   # nsCertType			= server
   
   # For an object signing certificate this would be used.
   # nsCertType = objsign
   
   # For normal client use this is typical
   # nsCertType = client, email
   
   # and for everything including object signing:
   # nsCertType = client, email, objsign
   
   # This is typical in keyUsage for a client certificate.
   # keyUsage = nonRepudiation, digitalSignature, keyEncipherment
   
   # This will be displayed in Netscape's comment listbox.
   nsComment			= "OpenSSL Generated Certificate"
   
   # PKIX recommendations harmless if included in all certificates.
   subjectKeyIdentifier=hash
   authorityKeyIdentifier=keyid,issuer
   
   # This stuff is for subjectAltName and issuerAltname.
   # Import the email address.
   # subjectAltName=email:copy
   # An alternative to produce certificates that aren't
   # deprecated according to PKIX.
   # subjectAltName=email:move
   
   # Copy subject details
   # issuerAltName=issuer:copy
   
   #nsCaRevocationUrl		= http://www.domain.dom/ca-crl.pem
   #nsBaseUrl
   #nsRevocationUrl
   #nsRenewalUrl
   #nsCaPolicyUrl
   #nsSslServerName
   
   # This really needs to be in place for it to be a proxy certificate.
   proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo
   
   ####################################################################
   [ tsa ]
   
   default_tsa = tsa_config1	# the default TSA section
   
   [ tsa_config1 ]
   
   # These are used by the TSA reply generation only.
   dir		= /etc/ssl		# TSA root directory
   serial		= $dir/tsaserial	# The current serial number (mandatory)
   crypto_device	= builtin		# OpenSSL engine to use for signing
   signer_cert	= $dir/tsacert.pem 	# The TSA signing certificate
                       # (optional)
   certs		= $dir/cacert.pem	# Certificate chain to include in reply
                       # (optional)
   signer_key	= $dir/private/tsakey.pem # The TSA private key (optional)
   signer_digest  = sha256			# Signing digest to use. (Optional)
   default_policy	= tsa_policy1		# Policy if request did not specify it
                       # (optional)
   other_policies	= tsa_policy2, tsa_policy3	# acceptable policies (optional)
   digests     = sha1, sha256, sha384, sha512  # Acceptable message digests (mandatory)
   accuracy	= secs:1, millisecs:500, microsecs:100	# (optional)
   clock_precision_digits  = 0	# number of digits after dot. (optional)
   ordering		= yes	# Is ordering defined for timestamps?
                   # (optional, default: no)
   tsa_name		= yes	# Must the TSA name be included in the reply?
                   # (optional, default: no)
   ess_cert_id_chain	= no	# Must the ESS cert id chain be included?
                   # (optional, default: no)
   ess_cert_id_alg		= sha1	# algorithm to compute certificate
                   # identifier (optional, default: sha1)
   

**证书的有效期不能超过825天，否则浏览器会认为证书无效。**参考iOS 13 和 macOS 10.15 中的可信证书应满足的要求

ArchLinux添加自定义根证书

1.Move /usr/local/share/ca-certificates/.crt to /etc/ca-certificates/trust-source/anchors/ 2.Do the same with all manually-added /etc/ssl/certs/.pem files and rename them to *.crt 3.Instead of update-ca-certificates, run trust extract-compat

参考文章

• openssl 生成SSL证书
• 如何创建自签名的 SSL 证书
• 给Nginx配置一个自签名的SSL证书
• 生成自签名证书
• 使用 OpenSSL 制作一个包含 SAN（Subject Alternative Name）的证书
• key_load_public: invalid format 怎么办？
• ubuntu系统上如何添加新的根证书
• iOS 13 和 macOS 10.15 中的可信证书应满足的要求
• ca-certificates update