lc/my
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

添加 lssl.sh

Browse Source 
内网证书部署
This commit is contained in:
lc
2025-10-22 02:50:34 +00:00
parent cd3221e237
commit 0e49c534b2
1 changed files with 81 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

81
lssl.sh Normal file
View File

@@ -0,0 +1,81 @@
#!/bin/bash
# 一键生成内网IP-HTTPS证书 & 配置Nginx
# 使用前请确认已安装 nginx & openssl
# ------------------------------
# 配置参数
SERVER_IP="10.105.36.33" # <-- 修改为你的内网IP
PORT1=3001
PORT2=444
PORT3=445
BACKEND1=3000
BACKEND2=4000
BACKEND3=5000
SSL_DIR="/home/ssl"
NGX_CONF_DIR="/etc/nginx/conf.d"
# ------------------------------
set -e
echo "==== 2. 生成根CA有效期10年 ===="
sudo openssl genrsa -out myCA.key 4096
sudo openssl req -x509 -new -nodes -key myCA.key -sha256 -days 3650 -out myCA.crt \
-subj "/C=CN/ST=Beijing/L=Beijing/O=MyCompany/OU=IT/CN=MyInternalCA"
echo "==== 3. 生成站点私钥 ===="
sudo openssl genrsa -out site.key 2048
echo "==== 4. 创建站点CSR配置包含SAN: $SERVER_IP ===="
cat > site.cnf <<EOF
[req]
default_bits = 2048
prompt = no
default_md = sha256
distinguished_name = dn
req_extensions = req_ext
[dn]
C = CN
ST = Beijing
L = Beijing
O = MyCompany
OU = IT
CN = $SERVER_IP
[req_ext]
subjectAltName = @alt_names
[alt_names]
IP.1 = $SERVER_IP
EOF
echo "==== 5. 生成站点CSR ===="
sudo openssl req -new -key site.key -out site.csr -config site.cnf
echo "==== 6. 配置v3.ext以支持SAN ===="
cat > v3.ext <<EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
IP.1 = $SERVER_IP
EOF
echo "==== 7. 用根CA签发站点证书有效期1年 ===="
sudo openssl x509 -req -in site.csr -CA myCA.crt -CAkey myCA.key -CAcreateserial \
-out site.crt -days 365 -sha256 -extfile v3.ext
echo "==== ✅部署完成 ===="
echo "根CA证书文件: $SSL_DIR/myCA.crt (导入到客户端受信任根证书颁发机构)"
echo "IP访问地址:"
echo " https://$SERVER_IP:$PORT1 → 后端 $BACKEND1"
echo " https://$SERVER_IP:$PORT2 → 后端 $BACKEND2"
echo " https://$SERVER_IP:$PORT3 → 后端 $BACKEND3"
echo
echo "💡 导入根CA后浏览器应显示安全小锁。"
echo "- Windows: 双击myCA.crt → 安装到本地计算机 → 受信任的根证书颁发机构"
echo "- macOS: 双击myCA.crt → 钥匙串(系统) → 始终信任"
echo "- Linux(Ubuntu): sudo cp myCA.crt /usr/local/share/ca-certificates/ && sudo update-ca-certificates"