\u914d\u7f6e\u6587\u4ef6\u5b57\u6bb5\u8bf4\u660e\uff1a <\/p>\n \u4e00\u3001\u521b\u5efa\u6839\u8bc1\u4e66 1\u3001\u521b\u5efa\u6839\u8bc1\u4e66\u5bc6\u94a5 openssl genrsa -out PrivateRootCA.key […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[7],"tags":[],"class_list":["post-22","post","type-post","status-publish","format-standard","hentry","category-7"],"_links":{"self":[{"href":"https:\/\/blog.unicom.cloudns.be\/index.php?rest_route=\/wp\/v2\/posts\/22","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.unicom.cloudns.be\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.unicom.cloudns.be\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.unicom.cloudns.be\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.unicom.cloudns.be\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=22"}],"version-history":[{"count":28,"href":"https:\/\/blog.unicom.cloudns.be\/index.php?rest_route=\/wp\/v2\/posts\/22\/revisions"}],"predecessor-version":[{"id":164,"href":"https:\/\/blog.unicom.cloudns.be\/index.php?rest_route=\/wp\/v2\/posts\/22\/revisions\/164"}],"wp:attachment":[{"href":"https:\/\/blog.unicom.cloudns.be\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=22"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.unicom.cloudns.be\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=22"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.unicom.cloudns.be\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=22"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}openssl genrsa -out PrivateRootCA.key 2048<\/code><\/p>\n2\u3001\u4f7f\u7528\u4ee5\u4e0b\u547d\u4ee4\u751f\u6210CSR<\/h5>\n
openssl req -new -sha256 -key PrivateRootCA.key -out PrivateRootCA.csr<\/code><\/p>\n3\u3001\u751f\u6210\u8bc1\u4e66\u5e76\u81ea\u7b7e\u540d<\/h5>\n
openssl x509 -req -sha256 -days 3650 -in PrivateRootCA.csr -signkey PrivateRootCA.key -out PrivateRootCA.crt<\/code><\/p>\n4\u3001\u6216\u8005\u4f7f\u7528\u4ee5\u4e0b\u547d\u4ee4\u4e00\u952e\u751f\u6210v3\u7248\u8bc1\u4e66<\/h5>\n
openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout PrivateRootCA.key -out PrivateRootCA.crt -reqexts v3_req -extensions v3_ca<\/code><\/p>\n\u4e8c\u3001\u4e3a\u5355\u4e2a\u57df\u540d\u7b7e\u53d1\u8bc1\u4e66<\/h4>\n
1\u3001\u521b\u5efa\u5bc6\u94a5<\/h5>\n
openssl genrsa -out example.com.key 2048<\/code><\/p>\n2\u3001\u521b\u5efa\u8bf7\u6c42\u6587\u4ef6<\/h5>\n
openssl req -new -sha256 -key example.com.key -out example.com.csr<\/code><\/p>\n3\u3001\u751f\u6210\u8bc1\u4e66\u5e76\u7528\u6839\u8bc1\u4e66\u7b7e\u540d\uff08\u8981\u4f7f\u6d4f\u89c8\u5668\u4fe1\u4efb\uff0c\u5219\u5fc5\u987b\u52a0\u5165x509v3\u6269\u5c55\uff0c\u52a0\u5165\u5907\u7528\u540d\u79f0<(printf "subjectAltName=DNS:example.com"\uff0c\u4e14\u6700\u957f\u6709\u6548\u671f\u4e3a397\u5929)<\/h5>\n
openssl x509 -req -in example.com.csr -CA PrivateRootCA.crt -CAkey PrivateRootCA.key -CAcreateserial -days 397 -out example.com.crt -extfile <(printf "subjectAltName=DNS:example.com")<\/code><\/p>\n4\u3001\u5982\u679c\u9700\u8981\u5bfc\u51fapfx\uff0c\u9700\u8981\u6307\u5b9a\u8bc1\u4e66\u5bc6\u7801<\/h5>\n
openssl pkcs12 -export -out example.com.pfx -inkey example.com.key -in example.com.crt<\/code><\/p>\n\u4e09\u3001\u4f7f\u7528\u914d\u7f6e\u6587\u4ef6\uff0c\u4e3a\u591a\u4e2a\u57df\u540d\u7b7e\u53d1\u8bc1\u4e66<\/h4>\n
1\u3001\u521b\u5efa\u5bc6\u94a5<\/h5>\n
openssl genrsa -out example.com.key 2048<\/code><\/p>\n2\u3001\u51c6\u5907\u591a\u57df\u540d\u6587\u4ef6\u5217\u8868\uff0c\u914d\u7f6e\u6587\u4ef6\u5185\u5bb9\uff1a<\/h5>\n
[req]\ndefault_bits = 2048\ndefault_keyfile = privkey.pem\ndistinguished_name = req_distinguished_name\nencrypt_key = no\ndefault_md = sha256\nreq_extensions = req_ext\n\n[req_distinguished_name]\ncommonName_default = www.example.com\ncommonName_max = 64\norganizationName_default = Example Technology Co.,Ltd.\norganizationalUnitName_default = IT Support Dept\nlocalityName_default = NanChang\nstateOrProvinceName_default = JiangXi\ncountryName_default = CN\n\n[req_ext]\nsubjectAltName = @alt_names\n\n[alt_names]\nDNS.1 = example.com\nDNS.2 = *.example00.com\nDNS.3 = www.example.com\nDNS.4 = *.example01.com\nIP.1 = 192.168.0.1\nIP.2 = 10.0.0.1<\/code><\/pre>\n\n
\n
3\u3001\u914d\u7f6e\u597d\u8be5\u6587\u4ef6\u540e\uff0c\u4fdd\u5b58\u4e3asan.conf\uff0c\u7136\u540e\u8fd0\u884c\u4e0b\u9762\u547d\u4ee4\uff1a<\/h5>\n
openssl req -new -nodes -out myreq.csr -config san.conf -subj "\/" -batch<\/code><\/p>\n4\u3001\u6700\u540eCSR\u6587\u4ef6\u5728myreq.csr\u4e2d\uff0c\u79c1\u94a5\u5728private.pem\u4e2d\u3002\u63a5\u4e0b\u6765\u7528\u6839\u8bc1\u4e66\u7b7e\u53d1\uff1a<\/h5>\n
openssl x509 -req -in myreq.csr -CA PrivateRootCA.crt -CAkey PrivateRootCA.key -CAcreateserial -days 397 -out mycom.crt -extfile san.conf -extensions req_ext<\/code><\/p>\n\u56db\u3001\u5c06\u6839\u8bc1\u4e66\u5bfc\u5165\u5230\u64cd\u4f5c\u7cfb\u7edf\u4e2d\uff08Ubuntu\uff09<\/h4>\n
$ sudo cp PrivateRootCA.crt \/usr\/local\/share\/ca-certificates #\u6dfb\u52a0\u8bc1\u4e66<\/code>
\n$ sudo rm -f \/usr\/local\/share\/ca-certificates\/PrivateRootCA.crt #\u5220\u9664\u8bc1\u4e66<\/code>
\n$ sudo update-ca-certificates<\/code><\/p>\n","protected":false},"excerpt":{"rendered":"