签发SSL多域名自签证书

勘探营地 發表於 2020-6-28 17:56:00

本文章在CentOS7下操作通过.
多域名证书 , 有两种配置方式 : 
1 . 使用openssl.cnf进行配置
2 . 直接命令行内内置生成
 
下面使用一个例子 , 来具体说明一下两种方式的做法 .
 
一 . 复制并修改openssl配置文件(openssl.cnf)
<div class="cnblogs_code">
<pre>#CentOS的配置文件在/etc/pki/tls/下
mv /etc/pki/tls/openssl.cnf ./</pre>
</div>
修改配置文件并保存.
<div class="cnblogs_code">
<pre>#这3个是取消注释并修改
copy_extensions = copy
req_extensions = v3_req
subjectAltName = @alt_names
#新增alt_names节点并配置需要的域名和IP

DNS.1 = *.org.example.com
DNS.2 = *.abc.com
IP.1 = 127.0.0.1
IP.2 = 2.0.12.10</pre>
</div>
 
二 . 生成根证书(CA) - 使用配置文件方式生成
<div class="cnblogs_code">
<pre>#生成CA key文件
openssl genrsa -out ca.key 2048

#使用配置文件生成自签名CA证书
openssl req -x509 -new -nodes -key ca.key -sha256 -days 3650 \
-subj "/C=CN/ST=ZHEJIANG/L=HANGZHOU/O=WANMA/OU=COMPANY/CN=127.0.0.1" \
-config ./openssl.cnf -extensions v3_req \
-out ca.pem</pre>
</div>
 
<div class="cnblogs_code">
<pre># 直接命令行生成ca.pem , 该命令可以不用复制openssl.cnf
opensslreq -x509 -new -nodes -key ./ca.key -sha256 -days 3650 \
-subj "/C=CN/ST=ZHEJIANG/L=HANGZHOU/O=WANMA/OU=COMPANY/CN=127.0.0.1" \
-reqexts SAN \
-config <(cat /etc/pki/tls/openssl.cnf<(printf "\n\nsubjectAltName=DNS:*.abc.com,IP:0.0.0.0")) \
-out ca.pem</pre>
</div>
 
<div class="cnblogs_code">
<pre>#使用这个命令可以查看生成的CA证书是否支持多域名
openssl x509 -text -in ca.pem -noout</pre>
</div>
 
三 . 生成服务器端证书 - 使用配置文件方式生成
<div class="cnblogs_code">
<pre>#生成Server端 Key文件
openssl genrsa -out server.key 2048

#生成签名请求
openssl req -new -key ./server.key \
-subj "/C=CN/ST=ZHEJIANG/L=HANGZHOU/O=WANMA/OU=COMPANY/CN=127.0.0.1" \
-config ./openssl.cnf -extensions v3_req \
-out server.csr

#使用CA证书签名Server端证书
openssl x509 -req -in ./server.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
-extfile ./openssl.cnf -extensions v3_req \
-days 3650 -sha256 -out server.pem</pre>
</div>
 
<div class="cnblogs_code">
<pre>#使用这个命令可以查看生成的Server端证书是否支持多域名
openssl x509 -text -in server.pem -noout</pre>
</div>
 
四 . 生成客户端证书 - 使用命令行直接生成
 注意 : 配置中的DNS和IP,没有配置文件中的.1 .2
<div class="cnblogs_code">
<pre>#生成Client端 Key文件
openssl genrsa -out client.key 2048

#生成签名请求 - 直接嵌入命令方式
openssl req -new -key ./client.key \
-subj "/C=CN/ST=ZHEJIANG/L=HANGZHOU/O=WANMA/OU=COMPANY/CN=127.0.0.1" \
-reqexts SAN \
-config <(cat /etc/pki/tls/openssl.cnf<(printf "\n\nsubjectAltName=DNS:*.org.example.com,DNS:*.abc.com,IP:127.0.0.1,IP:2.0.12.10")) \
-out client.csr

#使用CA证书签名Client端证书
openssl x509 -req -in ./client.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
-extensions SAN \
-extfile <(cat /etc/pki/tls/openssl.cnf<(printf "\n\nsubjectAltName=DNS:*.org.example.com,DNS:*.abc.com,IP:127.0.0.1,IP:2.0.12.10")) \
-days 3650 -sha256 -out client.pem</pre>
</div>
 
<div class="cnblogs_code">
<pre>#使用这个命令可以查看生成的Server端证书是否支持多域名
openssl x509 -text -in client.pem -noout</pre>
</div>
 
五 . 转成jks证书(Java相关的程序使用 , 带密码,安全一点)
<div class="cnblogs_code">
<pre>#CA根证书生成 , 相当于把 ca.pem > ca.jks
keytool -import -noprompt -file ca.pem -keystore ca.jks -storepass capassword</pre>
</div>
 
<div class="cnblogs_code">
<pre>#Client证书生成 , 相当于 client.key + client.pem > client.jks

#首先需要先转成p12格式的证书
openssl pkcs12 -export -in client.pem -inkey client.key -out client.p12 -passout pass:clientpassword

#把p12证书转成jks证书 , 密码就不改了
keytool -importkeystore -srckeystore client.p12 -srcstoretype PKCS12 -destkeystore client.jks -srcstorepass clientpassword -deststorepass clientpassword</pre>
</div>
 
六 . Java中调用jks证书例子(以paho.client.mqttv3.MqttClient为例子)
<div class="cnblogs_code">
<pre>package test.mqtt;

import org.eclipse.paho.client.mqttv3.MqttClient;
import org.eclipse.paho.client.mqttv3.MqttConnectOptions;
import org.eclipse.paho.client.mqttv3.MqttException;
import org.eclipse.paho.client.mqttv3.internal.security.SSLSocketFactoryFactory;
import org.eclipse.paho.client.mqttv3.persist.MemoryPersistence;

import java.util.Properties;

/**
* @author kreo
* @description
* @date 2020-6-23 23:15:16
*/
public class MqttConnection {
private final static String broker = "ssl://2.0.12.10:8883";
private final static String clientId = "LOCAL_JAVA_CLIENT";
private final static MemoryPersistence persistence = new MemoryPersistence();

private static MqttClient client;

public static MqttClient getClient() {
 try {
 if (client == null) {
 client = new MqttClient(broker, clientId, persistence);

 // MQTT 连接选项
 MqttConnectOptions connOptions = new MqttConnectOptions();
 connOptions.setUserName("guest");
 connOptions.setPassword("123456".toCharArray());
 Properties sslProperties = new Properties();
 sslProperties.put(SSLSocketFactoryFactory.KEYSTORE, "/usr/var/certs/client.jks");
 sslProperties.put(SSLSocketFactoryFactory.KEYSTOREPWD, "client.wanmagroup.com");
 sslProperties.put(SSLSocketFactoryFactory.KEYSTORETYPE, "JKS");

 sslProperties.put(SSLSocketFactoryFactory.TRUSTSTORE, "/usr/var/certs/ca.jks");
 sslProperties.put(SSLSocketFactoryFactory.TRUSTSTOREPWD, "wanmagroup.com");
 sslProperties.put(SSLSocketFactoryFactory.TRUSTSTORETYPE, "JKS");
 sslProperties.put(SSLSocketFactoryFactory.CLIENTAUTH, true);

 connOptions.setSSLProperties(sslProperties);
 // 保留会话
 connOptions.setCleanSession(true);

 // 设置回调
 client.setCallback(new OnMessageCallback());

 // 建立连接
 System.out.println("尝试建立连接... Broker >> " + broker);
 client.connect(connOptions);

 System.out.println("建立连接成功");
 }
 } catch (MqttException me) {
 System.out.println("原因代码 " + me.getReasonCode());
 System.out.println("信息 " + me.getMessage());
 System.out.println("LOC " + me.getLocalizedMessage());
 System.out.println("原因 " + me.getCause());
 me.printStackTrace();
 }
 return client;
}

public static void close() {
 try {
 client.disconnect();
 System.out.println("断开连接");
 client.close();
 System.out.println("连接关闭");
 } catch (MqttException me) {
 System.out.println("原因代码 " + me.getReasonCode());
 System.out.println("信息 " + me.getMessage());
 System.out.println("LOC " + me.getLocalizedMessage());
 System.out.println("原因 " + me.getCause());
 me.printStackTrace();
 }

}
}</pre>
</div>
 
<pre> -sha256 -days 3650</pre> 
来源：https://www.cnblogs.com/kreo/p/13203973.html

頁: [1]

琼殿技术论坛's Archiver

签发SSL多域名自签证书