Background
WebRTC requires an SSL certificate, so we need to self-sign an SSL certificate for the LAN.
In the SSL/TLS certificate system, an IP address certificate (one whose subject contains an IP rather than a domain name) is a special type of certificate, suited to services that are accessed directly by IP address (such as intranet APIs and IoT devices).
Windows service system
Prerequisites
Download OpenSSL
OpenSSL must be installed on the computer.
Download address: Win32/Win64 OpenSSL Installer for Windows - Shining Light Productions
Find the download circled in the image below. The version does not matter; just pick Win64 OpenSSL and do not pick Light.
Install OpenSSL
If this prompt appears, a required runtime is missing; just let the website that pops up download and install it.
Click Next all the way through.
When this appears, the installation is complete.
Configure the environment variable
Open Windows Search, type "environment", and choose "Edit environment variables for your account".
Select this row and click Edit.
Click New.
For a default installation the path is: C:\Program Files\OpenSSL-Win64\bin
If you chose your own installation path, enter that instead.
Script
A one-click generation script; edit the "Configuration section (edit to match your setup)" as needed.
The generated certificates are saved in the path configured in CERT_DIR.
@echo off
setlocal
:: =============================================
:: Fully automated certificate generation script
:: Save this file in the console code page (ANSI/GBK on Chinese Windows),
:: otherwise the Chinese messages print garbled.
:: Plain setlocal: delayed expansion is never used here, and with
:: enabledelayedexpansion a lone "!" in an echo line would be dropped.
:: =============================================
title 全自动证书生成工具 v3.0

:: Configuration section (edit to match your setup)
set "CERT_DIR=D:\Progra~2\SRS\cert"
set "CA_NAME=Srs Root CA"
set "SERVER_CN=192.168.19.103"
set "DAYS=3650"

:: File paths
set "CA_KEY=%CERT_DIR%\ca-key.pem"
set "CA_CRT=%CERT_DIR%\ca-crt.pem"
set "CA_CRT_DER=%CERT_DIR%\ca-crt.der"
set "CA_CRT_CRT=%CERT_DIR%\ca-crt.crt"
set "SERVER_KEY=%CERT_DIR%\server.key"
set "SERVER_CSR=%CERT_DIR%\server.csr"
set "SERVER_CRT=%CERT_DIR%\server.crt"
set "CHAIN_PEM=%CERT_DIR%\chain.pem"

:: Check that OpenSSL is on PATH
where openssl >nul 2>&1 || (
    echo [错误] OpenSSL未安装或未加入PATH
    echo 请安装OpenSSL并添加至系统PATH
    pause
    exit /b 1
)

:: Create the output directory
if not exist "%CERT_DIR%" (
    mkdir "%CERT_DIR%"
    if errorlevel 1 (
        echo [错误] 无法创建目录 %CERT_DIR%
        pause
        exit /b 1
    )
)

:: Write the CA config file (key fix 1: a complete DN, so prompt = no works)
(
    echo [req]
    echo distinguished_name = dn
    echo req_extensions = v3_ca
    echo prompt = no
    echo.
    echo [dn]
    echo C = CN
    echo ST = Zhejiang
    echo L = Zhuji
    echo O = Jws
    echo OU = Jws
    echo CN = %CA_NAME%
    echo emailAddress = jws@jws.com
    echo.
    echo [v3_ca]
    echo basicConstraints = critical,CA:TRUE,pathlen:0
    echo keyUsage = critical,keyCertSign,cRLSign
    echo subjectKeyIdentifier = hash
) > "%CERT_DIR%\ca.cnf"

:: 1. Generate the self-signed CA root certificate (fully automated).
:: OpenSSL output is silenced; remove the nul redirection at the end of the
:: command to see the reason if a step fails.
echo 正在生成CA根证书...
openssl req -x509 -newkey rsa:4096 -days %DAYS% -nodes ^
    -config "%CERT_DIR%\ca.cnf" ^
    -keyout "%CA_KEY%" ^
    -out "%CA_CRT%" ^
    -extensions v3_ca >nul 2>&1
if not exist "%CA_CRT%" (
    echo [错误] CA证书生成失败!
    goto CLEANUP
)

:: 2. Export the CA in multiple formats (DER for Windows, .crt PEM for Android)
openssl x509 -in "%CA_CRT%" -outform DER -out "%CA_CRT_DER%" >nul 2>&1
openssl x509 -in "%CA_CRT%" -out "%CA_CRT_CRT%" -outform PEM >nul 2>&1

:: 3. Write the server config file (key fix 2: a separate config).
:: The IP goes into subjectAltName; clients match on the SAN, not the CN.
(
    echo [req]
    echo distinguished_name = dn
    echo req_extensions = v3_req
    echo prompt = no
    echo.
    echo [dn]
    echo C = CN
    echo ST = Zhejiang
    echo L = Zhuji
    echo O = Jws
    echo OU = Jws
    echo CN = %SERVER_CN%
    echo emailAddress = jws@jws.com
    echo.
    echo [v3_req]
    echo basicConstraints = CA:FALSE
    echo keyUsage = digitalSignature,keyEncipherment
    echo extendedKeyUsage = serverAuth
    echo subjectAltName = IP:%SERVER_CN%
) > "%CERT_DIR%\server.cnf"

:: 4. Generate the server key and CSR, then sign it with the CA (fully automated)
echo 正在生成服务器证书...
openssl req -new -newkey rsa:2048 -nodes ^
    -config "%CERT_DIR%\server.cnf" ^
    -keyout "%SERVER_KEY%" ^
    -out "%SERVER_CSR%" >nul 2>&1
if not exist "%SERVER_CSR%" (
    echo [错误] CSR生成失败!
    goto CLEANUP
)
:: "openssl x509 -req" does not copy extensions from the CSR, so the v3_req
:: section must be supplied again through -extfile/-extensions.
openssl x509 -req -days %DAYS% ^
    -in "%SERVER_CSR%" ^
    -CA "%CA_CRT%" ^
    -CAkey "%CA_KEY%" ^
    -CAcreateserial ^
    -out "%SERVER_CRT%" ^
    -extensions v3_req ^
    -extfile "%CERT_DIR%\server.cnf" >nul 2>&1
if not exist "%SERVER_CRT%" (
    echo [错误] 服务器证书生成失败!
    goto CLEANUP
)

:: 5. Build the certificate chain (server certificate first, then the CA).
:: With several files, "type" prints the file names to stderr only, so the
:: redirected file contains just the PEM blocks.
type "%SERVER_CRT%" "%CA_CRT%" > "%CHAIN_PEM%"

:: Import the CA into the local machine's trusted root store (Windows).
:: Writing to the machine "Root" store needs an elevated (administrator) prompt.
echo 正在自动导入CA证书...
certutil -f -addstore "Root" "%CA_CRT_DER%" >nul 2>&1
if errorlevel 1 (
    echo [警告] CA证书自动导入失败,请以管理员身份运行,或手动导入 %CA_CRT_DER%
)

:: Show the result
echo.
echo ============== 生成成功 ==============
echo [CA证书]
echo Windows安装: %CA_CRT_DER%
echo Android安装: %CA_CRT_CRT%
echo.
echo [服务器证书]
echo 私钥: %SERVER_KEY%
echo 证书: %SERVER_CRT%
echo 证书链: %CHAIN_PEM%
echo.
echo [验证命令]
echo openssl verify -CAfile "%CA_CRT%" "%SERVER_CRT%"
echo.

:CLEANUP
del "%CERT_DIR%\ca.cnf" 2>nul
del "%CERT_DIR%\server.cnf" 2>nul
:: -CAcreateserial names the serial file after the CA certificate: ca-crt.srl
del "%CERT_DIR%\ca-crt.srl" 2>nul
pause
Copy the code above into a .txt file and change its extension to .bat.
Then just double-click it (666, my baby!); if the window below appears, it succeeded.
Go to CERT_DIR and you will see the certificate files.
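The same CA-then-IP-SAN-certificate pipeline as an added example, not code from the post: a POSIX shell version built on the openssl CLI that also checks the result programmatically (the certificate chains to the CA and its SAN carries the IP), which is what a browser or WebRTC client will actually require. The CA name, key sizes and file names are assumptions.

```shell
# Constructed example (not the post's own code): the CA -> IP-SAN server
# certificate pipeline in POSIX shell + openssl, plus a check of the result.
set -eu

# Generate a private root CA and a server certificate whose SAN is the IP.
# $1 = output directory, $2 = server IP address
make_ip_cert() {
  local dir="$1" ip="$2"
  mkdir -p "$dir"
  # CA: pathlen:0 means it may sign end-entity certs only, not sub-CAs.
  cat > "$dir/ca.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = Example Root CA
[v3_ca]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -config "$dir/ca.cnf" \
    -extensions v3_ca -keyout "$dir/ca-key.pem" -out "$dir/ca-crt.pem" 2>/dev/null
  # Server: the IP must be in subjectAltName; clients ignore the CN.
  cat > "$dir/server.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = $ip
[v3_req]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = IP:$ip
EOF
  openssl req -new -newkey rsa:2048 -nodes -config "$dir/server.cnf" \
    -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
  # 'x509 -req' drops CSR extensions: without -extfile the SAN is lost.
  openssl x509 -req -days 3650 -in "$dir/server.csr" -CA "$dir/ca-crt.pem" \
    -CAkey "$dir/ca-key.pem" -CAcreateserial -extfile "$dir/server.cnf" \
    -extensions v3_req -out "$dir/server.crt" 2>/dev/null
  cat "$dir/server.crt" "$dir/ca-crt.pem" > "$dir/chain.pem"
}

# Succeed only if the cert chains to the CA and its SAN lists the given IP.
check_ip_cert() {
  local dir="$1" ip="$2" text
  openssl verify -CAfile "$dir/ca-crt.pem" "$dir/server.crt" >/dev/null 2>&1 || return 1
  text=$(openssl x509 -in "$dir/server.crt" -noout -text)
  case "$text" in *"IP Address:$ip"*) return 0 ;; *) return 1 ;; esac
}
```

Run it as `make_ip_cert ./cert 192.168.19.103 && check_ip_cert ./cert 192.168.19.103`; the check fails for any IP other than the one placed in the SAN, which is the mismatch the browser would otherwise report.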