Inicio Explorar Axuda
Iniciar sesión
joker
/
frp
réplica de https://github.com/fatedier/frp/
1
0
Fork 0
Ficheiros Incidencias 0 Wiki
Explorar o código

update docs: add example for building tls certificates (#2251)

yuyulei %!s(int64=4) %!d(string=hai) anos
pai
8fcd4f4a95
achega
78b8bb7bc6
Modificáronse 1 ficheiros con 68 adicións e 0 borrados
Dividir vista Mostrar estatísticas de Diff
  1. 68 0
      README.md

+ 68 - 0
README.md
Ver ficheiro 

@@ -545,6 +545,74 @@ You will need **a root CA cert** and **at least one SSL/TLS certificate**. It **
 
 
 If you using `frp` via IP address and not hostname, make sure to set the appropriate IP address in the Subject Alternative Name (SAN) area when generating SSL/TLS Certificates.
 
 
+Given an example:
 
+
 
+* Prepare openssl config file. It exists at `/etc/pki/tls/openssl.cnf` in Linux System and `/System/Library/OpenSSL/openssl.cnf` in MacOS, and you can copy it to current path, like `cp /etc/pki/tls/openssl.cnf ./my-openssl.cnf`. If not, you can build it by yourself, like:
 
+```
 
+cat > my-openssl.cnf << EOF
 
+[ ca ]
 
+default_ca = CA_default
 
+[ CA_default ]
 
+x509_extensions = usr_cert
 
+[ req ]
 
+default_bits        = 2048
 
+default_md          = sha256
 
+default_keyfile     = privkey.pem
 
+distinguished_name  = req_distinguished_name
 
+attributes          = req_attributes
 
+x509_extensions     = v3_ca
 
+string_mask         = utf8only
 
+[ req_distinguished_name ]
 
+[ req_attributes ]
 
+[ usr_cert ]
 
+basicConstraints       = CA:FALSE
 
+nsComment              = "OpenSSL Generated Certificate"
 
+subjectKeyIdentifier   = hash
 
+authorityKeyIdentifier = keyid,issuer
 
+[ v3_ca ]
 
+subjectKeyIdentifier   = hash
 
+authorityKeyIdentifier = keyid:always,issuer
 
+basicConstraints       = CA:true
 
+EOF
 
+```
 
+
 
+* build ca certificates:
 
+```
 
+openssl genrsa -out ca.key 2048
 
+openssl req -x509 -new -nodes -key ca.key -subj "/CN=example.ca.com" -days 5000 -out ca.crt
 
+```
 
+
 
+* build frps certificates:
 
+```
 
+openssl genrsa -out server.key 2048
 
+
 
+openssl req -new -sha256 -key server.key \
 
+    -subj "/C=XX/ST=DEFAULT/L=DEFAULT/O=DEFAULT/CN=server.com" \
 
+    -reqexts SAN \
 
+    -config <(cat my-openssl.cnf <(printf "\n[SAN]\nsubjectAltName=DNS:localhost,IP:127.0.0.1,DNS:example.server.com")) \
 
+    -out server.csr
 
+
 
+openssl x509 -req -days 365 \
 
+	-in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
 
+	-extfile <(printf "subjectAltName=DNS:localhost,IP:127.0.0.1,DNS:example.server.com") \
 
+	-out server.crt
 
+```
 
+
 
+* build frpc certificates:
 
+```
 
+openssl genrsa -out client.key 2048
 
+openssl req -new -sha256 -key client.key \
 
+    -subj "/C=XX/ST=DEFAULT/L=DEFAULT/O=DEFAULT/CN=client.com" \
 
+    -reqexts SAN \
 
+    -config <(cat my-openssl.cnf <(printf "\n[SAN]\nsubjectAltName=DNS:client.com,DNS:example.client.com")) \
 
+    -out client.csr
 
+
 
+openssl x509 -req -days 365 \
 
+    -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
 
+	-extfile <(printf "subjectAltName=DNS:client.com,DNS:example.client.com") \
 
+	-out client.crt
 
+```
 
+
 
 ### Hot-Reloading frpc configuration
 
 
 The `admin_addr` and `admin_port` fields are required for enabling HTTP API: