admin管理员组

文章数量:1030071

使用mkcert生成本地ssl证书

项目地址

mkcert 是制作本地信任的开发证书的简单工具。它不需要配置。

请记住,mkcert 用于开发目的,而不是生产目的,因此它不应该在最终用户的机器上使用, 并且您不应该导出或共享 rootCA-key.pem。

下载最新版(我这里是1.4.4)的二进制文件,我是在windows上使用的,因此需要下载windows版本的包(win上建议使用choco install mkcert方式安装)。

.4.4/mkcert-v1.4.4-windows-amd64.exe

安装完成后,执行mkcert,可以看到有些基础用法提示

代码语言:txt复制
# mkcert
Usage of mkcert:

        $ mkcert -install
        Install the local CA in the system trust store.

        $ mkcert example
        Generate "example.pem" and "example-key.pem".

        $ mkcert example myapp.dev localhost 127.0.0.1 ::1
        Generate "example+4.pem" and "example+4-key.pem".

        $ mkcert "*.example.it"
        Generate "_wildcard.example.it.pem" and "_wildcard.example.it-key.pem".

        $ mkcert -uninstall
        Uninstall the local CA (but do not delete it).

安装ca证书

代码语言:txt复制
# mkcert -install
Created a new local CA �
The local CA is now installed in the system trust store! ⚡️
The local CA is now installed in Java's trust store! ☕️

列出证书安装到了哪里

代码语言:txt复制
# mkcert -CAROOT
C:\Users\admin\AppData\Local\mkcert

生成aaaa.demo对应的证书文件

代码语言:txt复制
# mkcert "aaaa.demo"

Created a new certificate valid for the following names �
 - "aaaa.demo"

The certificate is at "./aaaa.demo.pem" and the key at "./aaaa.demo-key.pem" ✅

It will expire on 18 July 2027 �

将上面生成的2个文件,拷贝到nginx中,然后重载nginx

cat aaaa.demo.conf 内容如下:

代码语言:txt复制
server {
   server_name aaaa.demo ;

   listen 443 ssl http2;

   ssl_certificate /etc/nginx/vhosts/aaaa.demo.pem;
   ssl_certificate_key /etc/nginx/vhosts/aaaa.demo-key.pem;


  ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
  ssl_ciphers TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-GCM-SHA256:TLS13-AES-128-CCM-8-SHA256:TLS13-AES-128-CCM-SHA256:EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
  ssl_prefer_server_ciphers on;
  ssl_session_timeout 10m;
  ssl_session_cache builtin:1000 shared:SSL:10m;
  ssl_buffer_size 1400;
  add_header Strict-Transport-Security max-age=15768000;
  ssl_stapling_verify on;


  location / {
    proxy_redirect off;
    proxy_pass http://127.0.0.1:8282;

    proxy_set_header Host $http_host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-Ssl on;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Frame-Options SAMEORIGIN;

    add_header Content-Security-Policy "frame-ancestors *;";

    client_max_body_size 100m;
    client_body_buffer_size 128k;

    proxy_buffer_size 4k;
    proxy_buffers 4 32k;
    proxy_busy_buffers_size 64k;
    proxy_temp_file_write_size 64k;
  }


}

在windows上浏览器访问 aaaa.demo 网址,可以看到已经是https了

(注意需要先绑定hosts,如果有问题,可以尝试先关闭浏览器,重新打开)。

其他命令

一次性生成包含多个域名的证书对

代码语言:txt复制
# mkcert -key-file key.pem -cert-file cert.pem example *.example
Created a new certificate valid for the following names �
 - "example"
 - "*.example"

Reminder: X.509 wildcards only go one level deep, so this won't match a.b.example ℹ️

The certificate is at "cert.pem" and the key at "key.pem" ✅

It will expire on 18 July 2027 �


或者 
# mkcert "aaaa.demo" "bbbb.demo" "192.168.31.181"
Created a new certificate valid for the following names �
 - "aaaa.demo"
 - "bbbb.demo"
 - "192.168.31.181"

The certificate is at "./aaaa.demo+2.pem" and the key at "./aaaa.demo+2-key.pem" ✅

It will expire on 18 July 2027 �

或者
$ mkcert example "*.example" example.test localhost 127.0.0.1 ::1
Created a new certificate valid for the following names 
使用mkcert生成本地ssl证书


项目地址 
mkcert 是制作本地信任的开发证书的简单工具。它不需要配置。
请记住,mkcert 用于开发目的,而不是生产目的,因此它不应该在最终用户的机器上使用, 并且您不应该导出或共享 rootCA-key.pem。
下载最新版(我这里是1.4.4)的二进制文件,我是在windows上使用的,因此需要下载windows版本的包(win上建议使用choco install mkcert方式安装)。
.4.4/mkcert-v1.4.4-windows-amd64.exe
安装完成后,执行mkcert,可以看到有些基础用法提示
代码语言:txt复制
# mkcert
Usage of mkcert:

        $ mkcert -install
        Install the local CA in the system trust store.

        $ mkcert example
        Generate "example.pem" and "example-key.pem".

        $ mkcert example myapp.dev localhost 127.0.0.1 ::1
        Generate "example+4.pem" and "example+4-key.pem".

        $ mkcert "*.example.it"
        Generate "_wildcard.example.it.pem" and "_wildcard.example.it-key.pem".

        $ mkcert -uninstall
        Uninstall the local CA (but do not delete it).
安装ca证书
代码语言:txt复制
# mkcert -install
Created a new local CA �
The local CA is now installed in the system trust store! ⚡️
The local CA is now installed in Java's trust store! ☕️
列出证书安装到了哪里
代码语言:txt复制
# mkcert -CAROOT
C:\Users\admin\AppData\Local\mkcert
生成aaaa.demo对应的证书文件
代码语言:txt复制
# mkcert "aaaa.demo"

Created a new certificate valid for the following names �
 - "aaaa.demo"

The certificate is at "./aaaa.demo.pem" and the key at "./aaaa.demo-key.pem" ✅

It will expire on 18 July 2027 �
将上面生成的2个文件,拷贝到nginx中,然后重载nginx
cat aaaa.demo.conf  内容如下:
代码语言:txt复制
server {
   server_name aaaa.demo ;

   listen 443 ssl http2;

   ssl_certificate /etc/nginx/vhosts/aaaa.demo.pem;
   ssl_certificate_key /etc/nginx/vhosts/aaaa.demo-key.pem;


  ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
  ssl_ciphers TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-GCM-SHA256:TLS13-AES-128-CCM-8-SHA256:TLS13-AES-128-CCM-SHA256:EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
  ssl_prefer_server_ciphers on;
  ssl_session_timeout 10m;
  ssl_session_cache builtin:1000 shared:SSL:10m;
  ssl_buffer_size 1400;
  add_header Strict-Transport-Security max-age=15768000;
  ssl_stapling_verify on;


  location / {
    proxy_redirect off;
    proxy_pass http://127.0.0.1:8282;

    proxy_set_header Host $http_host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-Ssl on;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Frame-Options SAMEORIGIN;

    add_header Content-Security-Policy "frame-ancestors *;";

    client_max_body_size 100m;
    client_body_buffer_size 128k;

    proxy_buffer_size 4k;
    proxy_buffers 4 32k;
    proxy_busy_buffers_size 64k;
    proxy_temp_file_write_size 64k;
  }


}

在windows上浏览器访问 aaaa.demo 网址,可以看到已经是https了
(注意需要先绑定hosts,如果有问题,可以尝试先关闭浏览器,重新打开)。
其他命令
一次性生成包含多个域名的证书对
代码语言:txt复制
# mkcert -key-file key.pem -cert-file cert.pem example *.example
Created a new certificate valid for the following names �
 - "example"
 - "*.example"

Reminder: X.509 wildcards only go one level deep, so this won't match a.b.example ℹ️

The certificate is at "cert.pem" and the key at "key.pem" ✅

It will expire on 18 July 2027 �


或者 
# mkcert "aaaa.demo" "bbbb.demo" "192.168.31.181"
Created a new certificate valid for the following names �
 - "aaaa.demo"
 - "bbbb.demo"
 - "192.168.31.181"

The certificate is at "./aaaa.demo+2.pem" and the key at "./aaaa.demo+2-key.pem" ✅

It will expire on 18 July 2027 �

或者
$ mkcert example "*.example" example.test localhost 127.0.0.1 ::1
Created a new certificate valid for the following names 

                本文标签:
                使用mkcert生成本地ssl证书

                        版权声明:本文标题:使用mkcert生成本地ssl证书 内容由热心网友自发贡献,该文观点仅代表作者本人,
                        转载请联系作者并注明出处:http://it.en369.cn/jiaocheng/1747636582a2196756.html,
                        本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如发现本站有涉嫌抄袭侵权/违法违规的内容,一经查实,本站将立刻删除。