俞新兰 posted on 2020-11-11 13:21:00

A domain certificate file contains two certificates

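<h2 id="域名证书文件包含两段证书">A domain certificate file contains two certificates</h2>
<blockquote>
<p>A single-domain certificate file generated through Alibaba Cloud</p>
</blockquote>
<h3 id="一单域名证书文件">1. Single-domain certificate file</h3>
<h4 id="11证书内容">1.1 Certificate contents</h4>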
<pre><code class="language-bash">pem]$ cat 2048227_www.xxx.com.cn.pem
-----BEGIN CERTIFICATE-----
MIIFmDCCBICgAwIBAgIQCEZS6MCdneB/9dgvdbLKLDANBgkqhkiG9w0BAQsFADBu
......
q9kYr+G8Ga0ILktc0/kgDeEEYCiMj0GCdKfAdEBCWsmSo9LFMqcSCr+zUSw=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIEqjCCA5KgAwIBAgIQAnmsRYvBskWr+YBTzSybsTANBgkqhkiG9w0BAQsFADBh
......
rMKWaBFLmfK/AHNF4ZihwPGOc7w6UHczBZXH5RFzJNnww+WnKuTPI0HfnVH8lg==
-----END CERTIFICATE-----
</code></pre>
<h4 id="12将这两段证书分别写入到文件查看">1.2 Write the two certificates to separate files and inspect them</h4>
<p><strong>First certificate</strong></p>
<p>This certificate was issued by Encryption Everywhere DV TLS CA - G1 to www.xxx.com.cn.</p>
<pre><code class="language-bash">pem]$ openssl x509 -in 1.pem -text
Certificate:
    Data:
      Version: 3 (0x2)
      Serial Number:
            ......
      Signature Algorithm: sha256WithRSAEncryption
      Issuer: C = US, O = DigiCert Inc, OU = www.digicert.com, CN = Encryption Everywhere DV TLS CA - G1
      Validity
            Not Before: Apr 11 00:00:00 2019 GMT
            Not After : Apr 10 12:00:00 2020 GMT
      Subject: CN = www.xxx.com.cn
      Subject Public Key Info:
            ......
      X509v3 extensions:
            ......
    Signature Algorithm: sha256WithRSAEncryption
         ......
</code></pre>
<p><strong>Second certificate</strong></p>
<p>This certificate was issued by DigiCert Global Root CA to Encryption Everywhere DV TLS CA - G1.</p>
<pre><code class="language-bash">pem]$ openssl x509 -in 2.pem -text
Certificate:
    Data:
      Version: 3 (0x2)
      Serial Number:
            02:79:ac:45:8b:c1:b2:45:ab:f9:80:53:cd:2c:9b:b1
      Signature Algorithm: sha256WithRSAEncryption
      Issuer: C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
      Validity
            Not Before: Nov 27 12:46:10 2017 GMT
            Not After : Nov 27 12:46:10 2027 GMT
      Subject: C = US, O = DigiCert Inc, OU = www.digicert.com, CN = Encryption Everywhere DV TLS CA - G1
      Subject Public Key Info:
             ......
      X509v3 extensions:
             ......
    Signature Algorithm: sha256WithRSAEncryption
         ......
</code></pre>
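<h4 id="13所以">1.3 Conclusion</h4>
<p>So DigiCert Global Root CA is the root CA; Encryption Everywhere DV TLS CA - G1 is its subordinate, an intermediate CA; and the intermediate CA issues the domain certificate for www.xxx.com.cn.</p>
<h3 id="二通配域名证书文件">2. Wildcard domain certificate file</h3>
<p>A wildcard certificate generated with Let's Encrypt, covering xxx.com and *.xxx.com</p>
<h4 id="21证书内容">2.1 Certificate contents</h4>
<p><strong>Again, two certificates</strong></p>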
<pre><code class="language-bash">-----BEGIN CERTIFICATE-----
MIIFXjCCBEagAwIBAgISAybDGjCLRsJDjUnQ1qNen2QbMA0GCSqGSIb3DQEBCwUA
......
kbCSfpYWgkJhFbHnVsP8LKn9ftgudQEKJRfEEGzLwEbw9w==
-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----
MIIEkjCCA3qgAwIBAgIQCgFBQgAAAVOFc2oLheynCDANBgkqhkiG9w0BAQsFADA/
......
KOqkqm57TH2H3eDJAkSnh6/DNFu0Qg==
-----END CERTIFICATE-----
</code></pre>
<h4 id="22将这两段证书分别写入文件查看">2.2 Write the two certificates to separate files and inspect them</h4>
<p><strong>First certificate</strong></p>
<p>Issued by Let's Encrypt Authority X3 to xxx.com.</p>
<pre><code class="language-bash">$ openssl x509 -in 1.pem -text
Certificate:
    Data:
      Version: 3 (0x2)
      Serial Number:
            ......
      Signature Algorithm: sha256WithRSAEncryption
      Issuer: C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
      Validity
            Not Before: Jun 22 22:32:16 2020 GMT
            Not After : Sep 20 22:32:16 2020 GMT
      Subject: CN = xxx.com
      Subject Public Key Info:
            ......
      X509v3 extensions:
            ......
    Signature Algorithm: sha256WithRSAEncryption
         ......
</code></pre>
<p><strong>Second certificate</strong></p>
<p>The intermediate CA certificate issued by DST Root CA X3 to Let's Encrypt Authority X3.</p>
<pre><code class="language-bash">$ openssl x509 -in 2.pem -text
Certificate:
    Data:
      Version: 3 (0x2)
      Serial Number:
            0a:01:41:42:00:00:01:53:85:73:6a:0b:85:ec:a7:08
      Signature Algorithm: sha256WithRSAEncryption
      Issuer: O = Digital Signature Trust Co., CN = DST Root CA X3
      Validity
            Not Before: Mar 17 16:40:46 2016 GMT
            Not After : Mar 17 16:40:46 2021 GMT
      Subject: C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
      Subject Public Key Info:
            ......
      X509v3 extensions:
            ......
    Signature Algorithm: sha256WithRSAEncryption
         ......
</code></pre>
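<h4 id="13所以-1">2.3 Conclusion</h4>
<p>So DST Root CA X3 is the root CA; it issued the intermediate CA certificate to Let's Encrypt Authority X3, and Let's Encrypt Authority X3 issued the certificate for xxx.com.</p>
<h3 id="三所以">3. Conclusion</h3>
<p>Every domain certificate file needs to include the intermediate CA certificate block, so that a client can build the chain from the domain certificate up to a root CA it already trusts.</p><br><br>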
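<p>The manual steps in 1.2 and 2.2 (split the file, then compare each certificate's Issuer with the next certificate's Subject) can be scripted. The following is an added example, not part of the original post: the function names and the throwaway demo CA it generates are assumptions, and it compares names only, not signatures.</p>

```bash
#!/usr/bin/env bash
# Added example: split a PEM bundle and check that it is ordered leaf -> intermediate.
# split_bundle BUNDLE OUTDIR: write OUTDIR/1.pem, OUTDIR/2.pem, ...; print the count.
split_bundle() {
  awk -v dir="$2" '
    /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/" n ".pem" }
    out != ""                     { print > out }
    /-----END CERTIFICATE-----/   { close(out); out = "" }
    END                           { print n + 0 }' "$1"
}

# chain_in_order BUNDLE: return 0 when every certificate's issuer name equals the
# subject name of the certificate after it, 1 if not, 2 if no certificate is found.
# Names only: signatures and validity dates are not checked here.
chain_in_order() {
  local dir n issuer subject i=1 rc=0
  dir=$(mktemp -d) || return 2
  n=$(split_bundle "$1" "$dir")
  [ "$n" -ge 1 ] || rc=2
  while [ "$i" -lt "$n" ]; do
    issuer=$(openssl x509 -in "$dir/$i.pem" -noout -issuer_hash 2>/dev/null)
    subject=$(openssl x509 -in "$dir/$((i + 1)).pem" -noout -subject_hash 2>/dev/null)
    [ -n "$issuer" ] && [ "$issuer" = "$subject" ] || rc=1
    i=$((i + 1))
  done
  rm -rf "$dir"; return "$rc"
}

# make_demo_chain DIR: constructed throwaway root -> int -> leaf (all names made up).
make_demo_chain() {
  local d=$1 name parent=root
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Root CA" \
    -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null || return 1
  for name in int leaf; do
    openssl req -newkey rsa:2048 -nodes -subj "/CN=demo-$name" \
      -keyout "$d/$name.key" -out "$d/$name.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$d/$name.csr" -days 1 -CA "$d/$parent.pem" \
      -CAkey "$d/$parent.key" -CAcreateserial -out "$d/$name.pem" 2>/dev/null || return 1
    parent=$name
  done
  cat "$d/leaf.pem" "$d/int.pem" > "$d/good.pem"    # same order as the files above
  cat "$d/int.pem" "$d/leaf.pem" > "$d/swapped.pem" # deliberately misordered
}

demo=$(mktemp -d); trap 'rm -rf "$demo"' EXIT
make_demo_chain "$demo"
chain_in_order "$demo/good.pem"    && echo "good.pem: domain certificate first, then its issuer"
chain_in_order "$demo/swapped.pem" || echo "swapped.pem: certificates are out of order"
```

<p>A file holding only the domain certificate passes the ordering check trivially, so also confirm that the count printed by split_bundle is at least 2 when an intermediate is expected.</p>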
Source: https://www.cnblogs.com/uscWIFI/p/13958198.html