山人河野 posted on 2020-6-2 14:09:00

[Repost] Issuing and using self-signed certificates: specifying multiple domains, wildcard domains and direct IP-address access

<div id="sina_keyword_ad_area2" class="articalContent   newfont_family">SSL is needed in development and private environments, so a self-signed certificate has to be created, and it must support multiple domain names, wildcard domains and direct access by IP address:
<h3>1. Use openssl; it is a standard part of CentOS anyway, so everything below is done directly on CentOS</h3>
<h3>2. Because several domain names and IP addresses are needed, a configuration file has to be written, as follows:</h3>
<div>
<div>
<div class="cnblogs_code">
<pre>[req]
default_bits = 2048
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
encrypt_key = no
default_md = sha256
req_extensions = req_ext

[req_distinguished_name]
commonName_default = www.flymote.com
commonName_max = 64
organizationName_default = flymote Technology Co.,Ltd.
organizationalUnitName_default = IT Support Dept
localityName_default = NanChang
stateOrProvinceName_default = JiangXi
countryName_default = CN

[req_ext]
subjectAltName = @alt_names

[alt_names]
DNS.1 = flymote.com
DNS.2 = *.flymote.com
DNS.3 = www.flymot.com
DNS.4 = *.flymot.com
IP.1 = 192.168.0.198
IP.2 = 192.168.1.198</pre>
</div>
<p>Where:</p>
</div>
<div>commonName_default: the certificate's primary domain name</div>
<div>organizationName_default: company/organisation name</div>
<div>organizationalUnitName_default: department within the organisation</div>
<div>localityName_default: city</div>
<div>stateOrProvinceName_default: province/state</div>
<div>countryName_default: two-letter country code, normally CN (upper case)</div>
<div>[alt_names]: the list of subject alternative names follows. The section names alt_names (and req_ext) can be chosen freely, but they must be wired up from [req]: req_extensions = req_ext in [req] and subjectAltName = @alt_names in [req_ext], otherwise the names never reach the request.</div>
<div>Two points about the list itself: a wildcard entry such as *.flymote.com matches exactly one label (app.flymote.com, but neither the bare flymote.com nor a.b.flymote.com), which is why the bare domain is listed separately as DNS.1; and IP addresses must go in IP.n entries, because an address written as a DNS.n entry is not matched by clients.</div>
<div>Once the file is filled in, save it as san.conf (the name is arbitrary; it is what the commands below use)</div>
</div>
<h3>3. Create the root certificate</h3>
<div>Create the key</div>
<div><strong>openssl genrsa -out LocalRootCA.key 2048</strong></div>
<div>Generate the certificate and self-sign it</div>
<div><strong>openssl req -sha256 -new -x509 -days 3650 -key LocalRootCA.key -out LocalRootCA.crt -subj "/CN=LocalRootCA"</strong></div>
<div>LocalRootCA.key is the trust anchor for every machine that later imports LocalRootCA.crt: whoever holds this key can issue a certificate for any name those machines will accept. Keep it off the web server and out of version control; only the .crt is ever distributed.</div>
<h3>4. Generate the certificate request using the configuration file above</h3>
<div><strong>openssl req -new -nodes -out myreq.csr -config san.conf -subj "/" -batch</strong></div>
<div>The CSR for the domains is now in myreq.csr and the domain private key in privkey.pem (the default_keyfile set in san.conf; -nodes leaves it unencrypted). Note that -subj "/" gives the request an empty subject, so the *_default values in [req_distinguished_name] are never used (they would only apply if the matching prompt entries such as commonName = Common Name were present); the names the certificate is valid for come entirely from the subjectAltName in [req_ext], which is also what browsers match the hostname against.</div>
<h3>5. Sign it with the root certificate</h3>
<div><strong>openssl x509 -req -in myreq.csr -CA LocalRootCA.crt -CAkey LocalRootCA.key -CAcreateserial -days 3560 -out mycom.crt -extfile san.conf -extensions req_ext</strong></div>
<div>The -extfile san.conf -extensions req_ext part is not optional: openssl x509 -req does not carry extensions over from the CSR by default, so without it mycom.crt would be issued with no subjectAltName at all and would be rejected for every name. -CAcreateserial writes LocalRootCA.srl; keep that file next to the CA key so later certificates from the same CA do not reuse a serial number. Be aware that Apple TLS clients reject server certificates valid for more than 825 days even when they come from a privately trusted CA, so a shorter -days value than 3560 is advisable in practice.</div>
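<p>The whole procedure from steps 2 to 5 as one script, followed by the checks worth running before the files are deployed. This is an added example, not code from the original post. It assumes openssl 1.1.0 or later on PATH (needed for -verify_hostname, -verify_ip and a non-zero exit status from openssl verify) and uses the post's sample names and addresses (flymote.com, 192.168.0.198, 192.168.1.198) purely as placeholders. It deliberately departs from the post in three places: the DN section uses prompt = no so the request gets a real subject instead of the empty one produced by -subj "/"; the root and the leaf get explicit basicConstraints and keyUsage extensions so that verification does not depend on the system openssl.cnf; and the leaf is valid for 825 days rather than 3560.</p>

```shell
#!/bin/sh
# Added example, not from the original post: steps 2-5 end to end, then checks.
# Assumes openssl 1.1.0+ on PATH (needed for -verify_hostname/-verify_ip and for
# a non-zero exit code from 'openssl verify'). Names and IPs are placeholders.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl not found on PATH" >&2; exit 0; }

WORK=$(mktemp -d)          # scratch directory: the caller's cwd is left untouched
cd "$WORK"

# Step 2: the SAN config. prompt = no makes the DN entries literal, so the CSR
# gets a real subject; the post's -subj "/" leaves it empty. [v3_ca] is added
# so the root is a proper CA without relying on the system openssl.cnf.
write_san_conf() {
    cat > san.conf <<'EOF'
[req]
default_bits       = 2048
distinguished_name = req_distinguished_name
encrypt_key        = no
default_md         = sha256
req_extensions     = req_ext
prompt             = no

[req_distinguished_name]
CN = www.flymote.com
O  = flymote Technology Co.,Ltd.
OU = IT Support Dept
L  = NanChang
ST = JiangXi
C  = CN

[v3_ca]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[req_ext]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = @alt_names

[alt_names]
DNS.1 = flymote.com
DNS.2 = *.flymote.com
IP.1  = 192.168.0.198
IP.2  = 192.168.1.198
EOF
}

# Step 3: root CA key and self-signed certificate (10 years).
make_root_ca() {
    openssl genrsa -out LocalRootCA.key 2048
    openssl req -new -x509 -sha256 -days 3650 -config san.conf -extensions v3_ca \
        -key LocalRootCA.key -out LocalRootCA.crt -subj "/CN=LocalRootCA"
}

# Step 4: server key and CSR; -keyout names the key file explicitly.
make_csr() {
    openssl req -new -nodes -config san.conf -keyout privkey.pem -out myreq.csr
}

# Step 5: sign with the root. -extfile/-extensions are required because
# 'x509 -req' does not carry extensions over from the CSR by default.
# 825 days is the longest validity Apple TLS clients accept.
sign_leaf() {
    openssl x509 -req -in myreq.csr -CA LocalRootCA.crt -CAkey LocalRootCA.key \
        -CAcreateserial -days 825 -out mycom.crt -extfile san.conf -extensions req_ext
}

# Checks: the chain verifies and name matching follows the SAN. Returns 0 only
# if every expectation holds (explicit returns: errexit is off inside && lists).
check_names() {
    openssl verify -CAfile LocalRootCA.crt mycom.crt >/dev/null || return 1
    openssl x509 -in mycom.crt -noout -text | grep -q 'DNS:\*\.flymote\.com' || return 1
    for n in flymote.com app.flymote.com; do      # covered by DNS.1 / DNS.2
        openssl verify -CAfile LocalRootCA.crt -verify_hostname "$n" mycom.crt >/dev/null || return 1
    done
    openssl verify -CAfile LocalRootCA.crt -verify_ip 192.168.0.198 mycom.crt >/dev/null || return 1
    # Must NOT match: a wildcard covers exactly one label, and 10.0.0.1 is not listed.
    if openssl verify -CAfile LocalRootCA.crt -verify_hostname a.b.flymote.com mycom.crt >/dev/null 2>&1; then
        return 1
    fi
    if openssl verify -CAfile LocalRootCA.crt -verify_ip 10.0.0.1 mycom.crt >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

write_san_conf
make_root_ca
make_csr
sign_leaf
check_names
echo "chain and SAN checks passed; files are in $WORK"
```

<p>Run it with sh on a machine that has openssl; it works in a temporary directory and prints the path at the end. The negative checks make the wildcard rule visible: a.b.flymote.com is rejected although *.flymote.com is in the SAN, which is exactly why the bare domain is listed on its own as DNS.1. Once the files are on the server, the same verification can be repeated against the live service with openssl s_client -connect host:443 -servername app.flymote.com -CAfile LocalRootCA.crt, which should end with Verify return code: 0 (ok).</p>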
<h3><strong>6. Using it</strong></h3>
<div><strong>Don't forget to load the SSL module in the web server!</strong></div>
<div><strong>Don't forget to open the SSL port in the firewall!</strong></div>
<div><strong>When configuring the web server, use mycom.crt and privkey.pem (Apache additionally needs LocalRootCA.crt as the chain file)</strong></div>
<div><strong>Add your own CA certificate LocalRootCA.crt to the operating system's trusted certificates and that's it: SSL access by domain name, wildcard domain and IP address all work</strong></div>
<div>Import only LocalRootCA.crt into the trust store, never the key, and only on the machines that actually need to reach these services: every client that trusts the CA will accept any certificate signed with it. Clients must also connect using a name or address that appears in [alt_names]; a name that is not listed there fails validation even though the CA is trusted.</div>
</div>
<div id="share" class="shareUp nor">
<div class="share SG_txtb clearfix">[Reposted from: http://blog.sina.com.cn/s/blog_539d6e0c01032bm7.html]</div>
</div>

</div>
<div id="MySignature" role="contentinfo">
    --- auth:lzpong<br><br>
Source: https://www.cnblogs.com/lzpong/p/13030886.html