Reference links: Self-signed SSL certificates; [Spring Boot] Configuring an SSL certificate to enable HTTPS
I. Generating the certificate for nginx and resolving the Chrome security warning
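```
# Create a self-signed CA key and certificate, valid for 1461 days
openssl req -x509 -nodes -days 1461 -newkey rsa:2048 -subj "/C=CN/ST=MyProvince/L=MyCity/O=MyOrganization" -keyout CA-private.key -out CA-certificate.crt -reqexts v3_req -extensions v3_ca

# Create the server's private key
openssl genrsa -out private.key 2048

# Create a certificate signing request; the CN is the server's IP address
openssl req -new -key private.key -subj "/C=CN/ST=MyProvince/L=MyCity/O=MyOrganization/CN=123.123.123.123" -sha256 -out private.csr
```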
```
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
req_extensions = SAN
extensions = SAN

[ req_distinguished_name ]
countryName = CN
stateOrProvinceName = MyProvince
localityName = MyCity
organizationName = MyOrganization

# Section names are case-sensitive; the signing command selects this
# section with "-extensions SAN".
[ SAN ]
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = IP:123.123.123.123
```
5. Save the content above to a file named private.ext, then run the following command to generate the certificate:
```
openssl x509 -req -days 1461 -in private.csr -CA CA-certificate.crt -CAkey CA-private.key -CAcreateserial -sha256 -out private.crt -extfile private.ext -extensions SAN
```
```
server {
    # "ssl" on the listen directive replaces the deprecated "ssl on;"
    listen 168.130.1.31:4443 ssl;
    server_name localhost;
    ssl_certificate /usr/local/nginx/ssl/private.crt;
    ssl_certificate_key /usr/local/nginx/ssl/private.key;
    # 497: a plain HTTP request was sent to the HTTPS port; redirect it to HTTPS
    error_page 497 https://$host$uri?$args;

    location / {
        root html;
        index index.html index.htm;
        try_files $uri $uri/ /index.html;
    }
}
```
After the private.crt file is installed on Windows or Mac, the pages and APIs served by nginx can be accessed normally.
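A way to confirm, before installing anything, that a signed certificate chains to the CA and lists the server IP in its subjectAltName (an added example, not part of the original post). The functions `make_demo_certs` and `check_cert` and the file `demo.cnf` are hypothetical names; the demo repeats the signing steps above with a constructed throwaway CA, and also signs the same CSR without `-extfile` to show the failure case.

```shell
#!/bin/sh
# Added example: constructed throwaway CA and leaf certificates, not real keys.

# make_demo_certs DIR IP: repeat the page's procedure inside DIR.
# Produces ca.crt, leaf.crt (signed with the SAN section) and
# nosan.crt (same CSR signed without -extfile, so it carries no SAN).
make_demo_certs() {
    dir=$1 ip=$2
    cat > "$dir/demo.cnf" <<EOF
[ req ]
distinguished_name = dn
[ dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical,CA:TRUE
subjectKeyIdentifier = hash
[ SAN ]
basicConstraints = CA:FALSE
subjectAltName = IP:$ip
EOF
    openssl req -x509 -nodes -days 1 -newkey rsa:2048 -subj "/O=Demo CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" \
        -config "$dir/demo.cnf" -extensions v3_ca 2>/dev/null &&
    openssl req -new -nodes -newkey rsa:2048 -subj "/O=Demo/CN=$ip" \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" \
        -config "$dir/demo.cnf" 2>/dev/null &&
    openssl x509 -req -days 1 -in "$dir/leaf.csr" -CA "$dir/ca.crt" \
        -CAkey "$dir/ca.key" -CAcreateserial -sha256 -out "$dir/leaf.crt" \
        -extfile "$dir/demo.cnf" -extensions SAN 2>/dev/null &&
    openssl x509 -req -days 1 -in "$dir/leaf.csr" -CA "$dir/ca.crt" \
        -CAkey "$dir/ca.key" -CAcreateserial -sha256 \
        -out "$dir/nosan.crt" 2>/dev/null
}

# check_cert CA CERT IP: succeed only if CERT chains to CA and its
# subjectAltName lists IP (OpenSSL does not fall back to the CN for IPs).
check_cert() {
    openssl verify -CAfile "$1" -verify_ip "$3" "$2" 2>/dev/null |
        grep -q ': OK$'
}
```

To check the real files from the steps above, run `check_cert CA-certificate.crt private.crt 123.123.123.123`.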
II. Configuring an HTTPS certificate for the Spring Boot application, using the certificate generated above
```
openssl pkcs12 -export -clcerts -in private.crt -inkey private.key -out server.p12
```
This produces server.p12, a private key file in a format that Spring Boot can use. The conversion prompts for a password; remember this password.
```
keytool -list -keystore server.p12

输入密钥库口令:

密钥库类型: JKS
密钥库提供方: SUN

您的密钥库包含 1 个条目

1, 2018-7-17, PrivateKeyEntry,
证书指纹 (SHA1): *********************************
```
Note the `1` at the start of the entry line: finding it is the purpose of running this command, because it is our alias.
```
server:
  ssl:
    key-store: classpath:server.p12
    # the password entered during the pkcs12 export
    key-store-password: 123456
    protocol: TLS
    # the alias shown by keytool -list
    keyAlias: 1
    keyStoreType: PKCS12
```
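At this point nginx and the Spring Boot application are configured with the same HTTPS certificate; we only need to install our CA-certificate.crt file on Windows or Mac for it to take effect.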