Generating local SSL certificates with mkcert

Author: 保持热爱奔赴山海
Published: 2025-04-18 10:35:46
Column: DevOps

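Project URL: https://github.com/FiloSottile/mkcert

mkcert is a simple tool for making locally trusted development certificates. It requires no configuration.

Remember that mkcert is meant for development, not production, so it should not be used on end users' machines, and you should not export or share rootCA-key.pem. Anyone who holds that key can issue certificates that your machine trusts.

Download the binary of the latest release (1.4.4 in my case). I am using it on Windows, so I need the Windows build (on Windows, installing with choco install mkcert is recommended).

https://github.com/FiloSottile/mkcert/releases/download/v1.4.4/mkcert-v1.4.4-windows-amd64.exe

After installation, run mkcert with no arguments to see some basic usage hints.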

# mkcert
Usage of mkcert:

        $ mkcert -install
        Install the local CA in the system trust store.

        $ mkcert example.org
        Generate "example.org.pem" and "example.org-key.pem".

        $ mkcert example.com myapp.dev localhost 127.0.0.1 ::1
        Generate "example.com+4.pem" and "example.com+4-key.pem".

        $ mkcert "*.example.it"
        Generate "_wildcard.example.it.pem" and "_wildcard.example.it-key.pem".

        $ mkcert -uninstall
        Uninstall the local CA (but do not delete it).

Install the CA certificate

# mkcert -install
Created a new local CA 💥
The local CA is now installed in the system trust store! ⚡️
The local CA is now installed in Java's trust store! ☕️

Show where the CA certificate and key are stored

# mkcert -CAROOT
C:\Users\admin\AppData\Local\mkcert

Generate the certificate files for aaaa.demo.com

# mkcert "aaaa.demo.com"

Created a new certificate valid for the following names 📜
 - "aaaa.demo.com"

The certificate is at "./aaaa.demo.com.pem" and the key at "./aaaa.demo.com-key.pem" ✅

It will expire on 18 July 2027 🗓

Copy the two files generated above to the nginx server, then reload nginx.

Contents of aaaa.demo.com.conf:

server {
  server_name aaaa.demo.com;

  listen 443 ssl http2;

  # Certificate and private key generated by mkcert
  ssl_certificate /etc/nginx/vhosts/aaaa.demo.com.pem;
  ssl_certificate_key /etc/nginx/vhosts/aaaa.demo.com-key.pem;

  # TLSv1 and TLSv1.1 (deprecated by RFC 8996) and the 3DES suites are dropped
  ssl_protocols TLSv1.2 TLSv1.3;
  ssl_ciphers TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-GCM-SHA256:TLS13-AES-128-CCM-8-SHA256:TLS13-AES-128-CCM-SHA256:EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:!MD5;
  ssl_prefer_server_ciphers on;
  ssl_session_timeout 10m;
  ssl_session_cache builtin:1000 shared:SSL:10m;
  ssl_buffer_size 1400;
  add_header Strict-Transport-Security max-age=15768000;
  # Has no effect unless ssl_stapling is also enabled
  ssl_stapling_verify on;

  location / {
    # Forward everything to the local application
    proxy_redirect off;
    proxy_pass http://127.0.0.1:8282;

    proxy_set_header Host $http_host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-Ssl on;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    # Sent to the upstream as a request header, not returned to the browser
    proxy_set_header X-Frame-Options SAMEORIGIN;

    add_header Content-Security-Policy "frame-ancestors *;";

    client_max_body_size 100m;
    client_body_buffer_size 128k;

    proxy_buffer_size 4k;
    proxy_buffers 4 32k;
    proxy_busy_buffers_size 64k;
    proxy_temp_file_write_size 64k;
  }
}

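Open aaaa.demo.com in a browser on Windows; the site is now served over HTTPS.

(Note: you need to add a hosts entry first. If it does not work, try closing the browser and opening it again.)

Other commands

Generate a single certificate pair that covers multiple domains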

# mkcert -key-file key.pem -cert-file cert.pem example.com "*.example.com"
Created a new certificate valid for the following names 📜
 - "example.com"
 - "*.example.com"

Reminder: X.509 wildcards only go one level deep, so this won't match a.b.example.com ℹ️

The certificate is at "cert.pem" and the key at "key.pem" ✅

It will expire on 18 July 2027 🗓

Or:
# mkcert "aaaa.demo.com" "bbbb.demo.com" "192.168.31.181"
Created a new certificate valid for the following names 📜
 - "aaaa.demo.com"
 - "bbbb.demo.com"
 - "192.168.31.181"

The certificate is at "./aaaa.demo.com+2.pem" and the key at "./aaaa.demo.com+2-key.pem" ✅

It will expire on 18 July 2027 🗓

Or:
$ mkcert example.com "*.example.com" example.test localhost 127.0.0.1 ::1
Created a new certificate valid for the following names 📜
 - "example.com"
 - "*.example.com"
 - "example.test"
 - "localhost"
 - "127.0.0.1"
 - "::1"

The certificate is at "./example.com+5.pem" and the key at "./example.com+5-key.pem" ✅
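
The one-level wildcard reminder and the mixed DNS/IP name lists above decide which hosts a generated certificate actually covers. The Python sketch below is an added example, not code from the original article or from mkcert; it applies simplified RFC 6125-style matching, and the names san_matches, cert_covers and EXAMPLE_SANS are hypothetical.

```python
# Added example (not mkcert code): which hosts does a SAN list cover?
import ipaddress


def _as_ip(value):
    """Return an ip_address object, or None if value is not an IP literal."""
    try:
        return ipaddress.ip_address(value)
    except ValueError:
        return None


def san_matches(san, host):
    """True if one SAN entry covers host (simplified RFC 6125 rules)."""
    san_ip, host_ip = _as_ip(san), _as_ip(host)
    if san_ip is not None or host_ip is not None:
        # An IP SAN matches only the identical address, never a DNS name.
        return san_ip is not None and san_ip == host_ip
    san_labels = san.lower().rstrip(".").split(".")
    host_labels = host.lower().rstrip(".").split(".")
    if len(san_labels) != len(host_labels):
        return False  # a wildcard stands for exactly one label
    if san_labels[0] == "*":
        # Wildcard is honoured only as the whole left-most label.
        return bool(host_labels[0]) and san_labels[1:] == host_labels[1:]
    return san_labels == host_labels


def cert_covers(sans, host):
    """True if any SAN in the certificate covers host."""
    return any(san_matches(san, host) for san in sans)


# SAN list copied from the example.com+5.pem output above.
EXAMPLE_SANS = ["example.com", "*.example.com", "example.test",
                "localhost", "127.0.0.1", "::1"]

if __name__ == "__main__":
    for host in ["example.com", "www.example.com", "a.b.example.com",
                 "0:0:0:0:0:0:0:1", "127.0.0.2", "www.example.test"]:
        print(f"{host:20} covered={cert_covers(EXAMPLE_SANS, host)}")
```

Running it shows that a.b.example.com and www.example.test are not covered, so each extra subdomain level or extra address needs its own name on the mkcert command line.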

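Original-content statement: this article is published on the Tencent Cloud Developer Community with the author's authorization and may not be reproduced without permission.

In case of infringement, contact cloudcommunity@tencent.com for removal.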
