快速创建自签名 SSL 证书(RSA + ECC)
运行环境为Linux,且已安装openssl组件。
签发的证书不被浏览器信任,但用于测试或内部系统完全没问题,谨慎用于生成环境。
签发证书
运行此脚本后,将同时获得RSA和ECC证书,便于在支持ECC的环境中(如现代Web服务器)部署以提升性能。
-
追求高性能/低延迟:优先选择ECC证书,尤其在移动端、物联网或高并发服务中
-
需兼容老旧设备:选择RSA证书,或采用ECC+RSA双证书方案
mkdir -p ~/myssl && cd ~/myssl
cat <<EOF > self.cnf
[ req ]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no
[ req_distinguished_name ]
countryName = CN
stateOrProvinceName = Beijing
localityName = Beijing
organizationName = Example Org
organizationalUnitName = IT Department
commonName = example.org
emailAddress = [email protected]
[ v3_req ]
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = example.org
DNS.2 = *.example.org
EOF
# Generate RSA certificate
openssl req -newkey rsa:4096 -x509 -nodes -days 3650 \
-config self.cnf -keyout server.key -out server.crt
# Generate ECC certificate
openssl ecparam -genkey -name prime256v1 -out server-ecc.key
openssl req -new -x509 -nodes -days 3650 \
-config self.cnf -key server-ecc.key -out server-ecc.crt
Nginx 配置示例
server {
listen 443 ssl;
server_name .example.org;
ssl_certificate /etc/nginx/server.crt;
ssl_certificate_key /etc/nginx/server.key;
# 其它配置 ...
}