Generating local SSL certificates with mkcert

Project page

mkcert is a simple tool for making locally-trusted development certificates. It requires no configuration.

Remember that mkcert is meant for development, not production, so it should not be used on end users' machines, and you should never export or share rootCA-key.pem.

Download the binary of the latest release (1.4.4 at the time of writing). I use it on Windows, so I need the Windows build (on Windows, installing with choco install mkcert is the recommended route).

.4.4/mkcert-v1.4.4-windows-amd64.exe

After installation, run mkcert with no arguments to print the basic usage:

# mkcert
Usage of mkcert:

        $ mkcert -install
        Install the local CA in the system trust store.

        $ mkcert example
        Generate "example.pem" and "example-key.pem".

        $ mkcert example myapp.dev localhost 127.0.0.1 ::1
        Generate "example+4.pem" and "example+4-key.pem".

        $ mkcert "*.example.it"
        Generate "_wildcard.example.it.pem" and "_wildcard.example.it-key.pem".

        $ mkcert -uninstall
        Uninstall the local CA (but do not delete it).

Install the local CA into the trust stores

# mkcert -install
Created a new local CA 💥
The local CA is now installed in the system trust store! ⚡️
The local CA is now installed in Java's trust store! ☕️

Show where the CA lives. -CAROOT prints the directory holding rootCA.pem (the public CA certificate, which may be copied to other machines) and rootCA-key.pem (the private key, which must stay on this machine):

# mkcert -CAROOT
C:\Users\admin\AppData\Local\mkcert

Generate the certificate and key for aaaa.demo

# mkcert "aaaa.demo"

Created a new certificate valid for the following names 📜
 - "aaaa.demo"

The certificate is at "./aaaa.demo.pem" and the key at "./aaaa.demo-key.pem" ✅

It will expire on 18 July 2027 🗓

Copy the two files generated above to the nginx server, then reload nginx. aaaa.demo-key.pem is the site's private key, so keep it readable by nginx only.

cat aaaa.demo.conf shows:

server {
  server_name aaaa.demo;

  listen 443 ssl http2;

  # mkcert writes the leaf certificate only. No chain file is needed: the root
  # is in the client's trust store, it is never sent by the server.
  ssl_certificate /etc/nginx/vhosts/aaaa.demo.pem;
  ssl_certificate_key /etc/nginx/vhosts/aaaa.demo-key.pem;

  # TLS 1.0 and 1.1 are deprecated (RFC 8996) and were dropped from the original list.
  ssl_protocols TLSv1.2 TLSv1.3;
  # The original list carried 3DES, plain RSA key exchange and "TLS13-*" names that
  # OpenSSL does not recognise. ssl_ciphers only governs TLS 1.2 suites anyway;
  # TLS 1.3 suites are fixed by the library unless set via ssl_conf_command.
  ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
  ssl_prefer_server_ciphers on;
  ssl_session_timeout 10m;
  ssl_session_cache builtin:1000 shared:SSL:10m;
  ssl_buffer_size 1400;
  # ssl_stapling_verify on its own does nothing (ssl_stapling was never enabled),
  # and a mkcert CA has no OCSP responder, so that directive was removed.

  # add_header is not inherited by a location block that sets its own add_header,
  # so every response header is declared once, here at server level.
  # HSTS is cached by the browser for max-age seconds: once received, plain
  # http://aaaa.demo stops working in that browser until the entry is cleared.
  add_header Strict-Transport-Security max-age=15768000;
  # X-Frame-Options is a response header. The original set it with proxy_set_header,
  # which only sends it upstream to the backend. In CSP-aware browsers frame-ancestors
  # overrides X-Frame-Options, and the original "frame-ancestors *" let any origin
  # frame the app, so both directives now say the same thing.
  add_header X-Frame-Options SAMEORIGIN;
  add_header Content-Security-Policy "frame-ancestors 'self';";

  location / {
    proxy_redirect off;
    proxy_pass http://127.0.0.1:8282;

    proxy_set_header Host $http_host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-Ssl on;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;

    client_max_body_size 100m;
    client_body_buffer_size 128k;

    proxy_buffer_size 4k;
    proxy_buffers 4 32k;
    proxy_busy_buffers_size 64k;
    proxy_temp_file_write_size 64k;
  }
}

Open https://aaaa.demo in a browser on the Windows machine: the page is now served over HTTPS with a valid padlock.

(You must map aaaa.demo to the nginx host in the hosts file first; if the page does not load, close the browser completely and reopen it so it picks up the newly installed root. The padlock only appears on machines where mkcert -install has been run. On any other machine the certificate is correctly reported as untrusted; the fix is to copy only rootCA.pem from the mkcert -CAROOT directory to that machine and run mkcert -install there, never to hand out rootCA-key.pem.)

Other commands

Generate one certificate and key covering several names at once, choosing the output file names with -key-file and -cert-file:

# mkcert -key-file key.pem -cert-file cert.pem example *.example
Created a new certificate valid for the following names 📜
 - "example"
 - "*.example"

Reminder: X.509 wildcards only go one level deep, so this won't match a.b.example ℹ️

The certificate is at "cert.pem" and the key at "key.pem" ✅

It will expire on 18 July 2027 🗓
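
To make the trust relationship behind these commands concrete, here is an added example in Go, the language mkcert is written in. It is not mkcert's own code and not from this post: it builds a self-signed local root the way mkcert -install does, issues a leaf with DNS, wildcard and IP subjectAltNames the way mkcert aaaa.demo "*.example" 127.0.0.1 does, and then runs the check a browser (or curl --cacert rootCA.pem) performs, once with the root trusted and once without. The organisation name, the ECDSA P-256 keys and the names DevCA, IssueLeaf and Trusted are this example's own choices (mkcert defaults to RSA keys); the lifetimes follow mkcert's defaults of ten years for the root and 27 months for the leaf, which is the expiry the commands above print. It also shows the one-level wildcard rule from the reminder above: *.example covers www.example but not a.b.example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// DevCA stands in for mkcert's rootCA.pem / rootCA-key.pem pair.
type DevCA struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

// NewDevCA makes a self-signed root (CA:TRUE, keyCertSign) valid for ten years,
// like mkcert's root. ECDSA P-256 is a choice made here; mkcert defaults to RSA.
func NewDevCA() (*DevCA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{Organization: []string{"example dev CA"}}, // assumed name
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().AddDate(10, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return &DevCA{Cert: cert, Key: key}, err
}

// IssueLeaf mirrors `mkcert name1 name2 ...`: each argument becomes a subjectAltName
// (IP SAN for addresses, DNS SAN otherwise); the leaf is CA:FALSE with serverAuth EKU.
func (ca *DevCA) IssueLeaf(names ...string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(2),
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().AddDate(2, 3, 0), // 27 months, as mkcert prints above
		BasicConstraintsValid: true,                         // IsCA stays false: this key signs nothing
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	for _, n := range names {
		if ip := net.ParseIP(n); ip != nil {
			tmpl.IPAddresses = append(tmpl.IPAddresses, ip)
		} else {
			tmpl.DNSNames = append(tmpl.DNSNames, n)
		}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.Cert, &key.PublicKey, ca.Key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Trusted is the browser-side check: does leaf chain to one of roots and cover host?
// A nil roots slice models a machine where `mkcert -install` was never run.
func Trusted(leaf *x509.Certificate, roots []*x509.Certificate, host string) bool {
	pool := x509.NewCertPool() // explicit empty pool: never fall back to system roots
	for _, r := range roots {
		pool.AddCert(r)
	}
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:     pool,
		DNSName:   host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err == nil
}

func main() {
	ca, err := NewDevCA()
	if err != nil {
		panic(err)
	}
	leaf, err := ca.IssueLeaf("aaaa.demo", "*.example", "127.0.0.1")
	if err != nil {
		panic(err)
	}
	for _, h := range []string{"aaaa.demo", "www.example", "a.b.example", "127.0.0.1", "bbbb.demo"} {
		fmt.Println(h, "root installed:", Trusted(leaf, []*x509.Certificate{ca.Cert}, h), "not installed:", Trusted(leaf, nil, h))
	}
}
```

Running it prints true for aaaa.demo, www.example and 127.0.0.1 only when the root is in the pool, and false for a.b.example, for bbbb.demo, and for every name when the root is absent. That last column is exactly what a colleague's browser shows before they run mkcert -install with the public rootCA.pem, and it is why the private key never has to leave your machine.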


Or:
# mkcert "aaaa.demo" "bbbb.demo" "192.168.31.181"
Created a new certificate valid for the following names 📜
 - "aaaa.demo"
 - "bbbb.demo"
 - "192.168.31.181"

The certificate is at "./aaaa.demo+2.pem" and the key at "./aaaa.demo+2-key.pem" ✅

It will expire on 18 July 2027 🗓

Or:
$ mkcert example "*.example" example.test localhost 127.0.0.1 ::1
Created a new certificate valid for the following names