my/lssl.sh
lc 0e49c534b2 添加 lssl.sh
内网证书部署
2025-10-22 02:50:34 +00:00



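#!/usr/bin/env bash
# One-shot issuance of an internal-network IP HTTPS certificate: a self-made
# root CA plus a site certificate that carries the server IP in subjectAltName.
# Before use make sure nginx & openssl are installed.
#
# NOTE(review): the original title also promised "configure Nginx", but this
# script only produces the CA and the site certificate under $SSL_DIR; no nginx
# server block is written. NGX_CONF_DIR is kept for that follow-up step.
# ------------------------------
# 配置参数 / configuration
SERVER_IP="10.105.36.33" # <-- 修改为你的内网IP
PORT1=3001
PORT2=444
PORT3=445
BACKEND1=3000
BACKEND2=4000
BACKEND3=5000
SSL_DIR="/home/ssl"
# shellcheck disable=SC2034 -- reserved for the (not yet implemented) nginx step
NGX_CONF_DIR="/etc/nginx/conf.d"
# ------------------------------
set -euo pipefail

# All key material is reported to live in $SSL_DIR (see the summary at the end),
# so create that directory and work inside it instead of writing into whatever
# directory the script happened to be started from.
echo "==== 1. 准备证书目录 $SSL_DIR ===="
sudo mkdir -p -- "$SSL_DIR"
cd -- "$SSL_DIR"

# Re-running the script must not silently replace a root CA that clients have
# already imported into their trust stores: only generate the CA when there is
# no existing key/certificate pair.
if [[ -f myCA.key && -f myCA.crt ]]; then
  echo "==== 2. 根CA已存在，跳过生成 ===="
else
  echo "==== 2. 生成根CA有效期10年 ===="
  sudo openssl genrsa -out myCA.key 4096
  # CA private key: owner-only permissions regardless of the caller's umask.
  sudo chmod 600 myCA.key
  sudo openssl req -x509 -new -nodes -key myCA.key -sha256 -days 3650 -out myCA.crt \
    -subj "/C=CN/ST=Beijing/L=Beijing/O=MyCompany/OU=IT/CN=MyInternalCA"
fi

echo "==== 3. 生成站点私钥 ===="
sudo openssl genrsa -out site.key 2048
sudo chmod 600 site.key

# The config files are written with sudo as well: $SSL_DIR is root-owned after
# the mkdir above, so a plain redirection would fail with "Permission denied".
echo "==== 4. 创建站点CSR配置包含SAN: $SERVER_IP ===="
sudo tee site.cnf >/dev/null <<EOF
[req]
default_bits = 2048
prompt = no
default_md = sha256
distinguished_name = dn
req_extensions = req_ext
[dn]
C = CN
ST = Beijing
L = Beijing
O = MyCompany
OU = IT
CN = $SERVER_IP
[req_ext]
subjectAltName = @alt_names
[alt_names]
IP.1 = $SERVER_IP
EOF

echo "==== 5. 生成站点CSR ===="
sudo openssl req -new -key site.key -out site.csr -config site.cnf

# The SAN must be repeated here: `openssl x509 -req` does not copy extensions
# from the CSR, only from -extfile. Browsers ignore the CN for IP matching.
echo "==== 6. 配置v3.ext以支持SAN ===="
sudo tee v3.ext >/dev/null <<EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
IP.1 = $SERVER_IP
EOF

echo "==== 7. 用根CA签发站点证书有效期1年 ===="
sudo openssl x509 -req -in site.csr -CA myCA.crt -CAkey myCA.key -CAcreateserial \
  -out site.crt -days 365 -sha256 -extfile v3.ext

echo "==== ✅部署完成 ===="
echo "根CA证书文件: $SSL_DIR/myCA.crt (导入到客户端受信任根证书颁发机构)"
echo "IP访问地址:"
echo " https://$SERVER_IP:$PORT1 → 后端 $BACKEND1"
echo " https://$SERVER_IP:$PORT2 → 后端 $BACKEND2"
echo " https://$SERVER_IP:$PORT3 → 后端 $BACKEND3"
echo
echo "💡 导入根CA后浏览器应显示安全小锁。"
echo "- Windows: 双击myCA.crt → 安装到本地计算机 → 受信任的根证书颁发机构"
echo "- macOS: 双击myCA.crt → 钥匙串(系统) → 始终信任"
echo "- Linux(Ubuntu): sudo cp myCA.crt /usr/local/share/ca-certificates/ && sudo update-ca-certificates"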