• Git Bash OpenSSL – Generate Self Signed Certificate


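    Preface

    I have written about this before, but those posts were messy; this one is a cleaned-up version. The earlier posts:

    Creating a certificate with Git Bash

    Creating a certificate with PowerShell

    I no longer use PowerShell to create certificates, so I won't cover it here.

    References: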

    generate-trusted-ssl-certificate

    Git Bash OpenSSL

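    OpenSSL is the tool that ultimately does the work. It comes from the Linux world, and the best way to run it is through Git.

    Install Git. Git in turn ships with a thing called Bash.

    So: Git > Bash > OpenSSL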

    Create .sh and .cnf

    Create one folder and 2 files.

    1. openssl.cnf

    [ req ]
    default_bits        = 2048
    default_md          = sha256
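    # NOTE: "openssl req" does not read default_days (it is an "openssl ca" option);
    #   the lifetime of a self-signed certificate comes from the -days flag (default 30).
    default_days        = 825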
    encrypt_key         = no
    distinguished_name  = subject
    req_extensions      = req_ext
    x509_extensions     = x509_ext
    string_mask         = utf8only
    prompt              = no
    
    # The Subject DN can be formed using X.501 or RFC 4514 (see RFC 4519 for a description).
    #   It's sort of a mashup. For example, RFC 4514 does not provide emailAddress.
    
    [ subject ]
    countryName                 = MY
    stateOrProvinceName         = Johor
    localityName                = Skudai
    organizationName            = Stooges Web Design
    OU                          = Engineering
    
    # Use a friendly name here because it's presented to the user. The server's DNS
    #   names are placed in Subject Alternate Names. Plus, DNS names here are deprecated
    #   by both IETF and CA/Browser Forums. If you place a DNS name here, then you
    #   must include the DNS name in the SAN too (otherwise, Chrome and others that
    #   strictly follow the CA/Browser Baseline Requirements will fail).
    
    commonName              = 192.168.1.152
    emailAddress            = stoogeswebdesign@gmail.com
    
    # Section x509_ext is used when generating a self-signed certificate. I.e., openssl req -x509 ...
    
    [ x509_ext ]
    subjectKeyIdentifier      = hash
    authorityKeyIdentifier    = keyid:always,issuer
    
    # You only need digitalSignature below. *If* you don't allow
    #   RSA Key transport (i.e., you use ephemeral cipher suites), then
    #   omit keyEncipherment because that's key transport.
    
    basicConstraints        = critical, CA:TRUE
    keyUsage            = critical, digitalSignature, keyEncipherment, cRLSign, keyCertSign
    subjectAltName          = @alternate_names
    extendedKeyUsage = serverAuth
    
    # RFC 5280, Section 4.2.1.12 makes EKU optional
    #   CA/Browser Baseline Requirements, Appendix (B)(3)(G) makes me confused
    #   In either case, you probably only need serverAuth.
    
    #extendedKeyUsage    = TLS Web Server Authentication
    
    # Section req_ext is used when generating a certificate signing request. I.e., openssl req ...
    
    [ req_ext ]
    subjectKeyIdentifier        = hash
    basicConstraints        = CA:FALSE
    keyUsage            = digitalSignature, keyEncipherment
    subjectAltName          = @alternate_names
    nsComment           = "OpenSSL Generated Certificate"
    
    # RFC 5280, Section 4.2.1.12 makes EKU optional
    #   CA/Browser Baseline Requirements, Appendix (B)(3)(G) makes me confused
    #   In either case, you probably only need serverAuth.
    # extendedKeyUsage    = serverAuth, clientAuth
    
    [ alternate_names ]
    IP.1 = 192.168.1.152
    DNS.1 = *.192.168.1.152
    DNS.2 = 192.168.1.152

    This is a config file; just replace the IP and the company information. The 825 days is because of an iOS restriction: the validity period cannot be too long.

    2. generate.sh

    It is a command file with the following content:

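    #!/bin/bash
    
    # -days sets the certificate lifetime; openssl req ignores default_days in
    # openssl.cnf and would otherwise issue a 30-day certificate.
    openssl req -config openssl.cnf -new -x509 -days 825 -out 192.168.1.152.crt -keyout 192.168.1.152.key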

    -config points to the openssl.cnf above; just replace the IP.

    Run command

    Open Git Bash in the folder.

    Then enter the command

    bash generate.sh

    It generates 2 files, a .crt and a .key.
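
    Before converting or installing the pair, it is worth checking that the key matches the certificate, that the IP is in subjectAltName, and that the lifetime is what was intended. The script below is an added example, not part of the original post: check_cert and make_demo_cert are hypothetical helper names, and the 31-day lower bound is an assumption chosen to catch the 30-day default that openssl req -x509 applies when -days is not given.

```shell
#!/bin/bash
# Added example (not from the original post): sanity checks for a generated pair.
# Usage in the folder from the post:
#   check_cert 192.168.1.152.crt 192.168.1.152.key 192.168.1.152

# check_cert CRT KEY IP [MAX_DAYS] [MIN_DAYS]; returns 0 only if every check passes.
check_cert() {
    local crt="$1" key="$2" ip="$3" max_days="${4:-825}" min_days="${5:-31}"
    local rc=0 cert_pub key_pub
    # 1. The certificate must carry the public half of this private key.
    cert_pub=$(openssl x509 -in "$crt" -noout -pubkey) || return 2
    key_pub=$(openssl pkey -in "$key" -pubout) || return 2
    [ "$cert_pub" = "$key_pub" ] || { echo "FAIL: key does not match certificate"; rc=1; }
    # 2. The IP must appear as an exact subjectAltName entry, not only in commonName.
    openssl x509 -in "$crt" -noout -text | tr ',' '\n' |
        sed 's/^[[:space:]]*//; s/[[:space:]]*$//' | grep -Fxq "IP Address:$ip" ||
        { echo "FAIL: $ip is not in subjectAltName"; rc=1; }
    # 3. Lifetime. -checkend N exits 0 only if the cert is still valid N seconds from now.
    openssl x509 -in "$crt" -noout -checkend $((min_days * 86400)) >/dev/null ||
        { echo "FAIL: expires within $min_days days (was -days passed?)"; rc=1; }
    if openssl x509 -in "$crt" -noout -checkend $((max_days * 86400)) >/dev/null; then
        echo "FAIL: valid for more than $max_days days"; rc=1
    fi
    return $rc
}

# make_demo_cert DIR DAYS IP: constructed throwaway pair so the checks can be tried offline.
make_demo_cert() {
    local dir="$1" days="$2" ip="$3"
    cat > "$dir/demo.cnf" <<EOF
[ req ]
default_bits       = 2048
encrypt_key        = no
distinguished_name = subject
x509_extensions    = x509_ext
prompt             = no
[ subject ]
commonName         = demo
[ x509_ext ]
subjectAltName     = IP:$ip
EOF
    openssl req -config "$dir/demo.cnf" -new -x509 -days "$days" \
        -out "$dir/demo.crt" -keyout "$dir/demo.key" 2>/dev/null
}
```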

    Convert to .pfx

    Next, enter the command

    openssl pkcs12 -export -out 192.168.1.152.pfx -inkey 192.168.1.152.key -in 192.168.1.152.crt

    Then enter a password and you're done.

  • Original article: https://www.cnblogs.com/keatkeat/p/16032236.html