1. 建立CA證書配置文件CA.cnf
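# CA.cnf: read by `openssl req -x509 -config CA.cnf` to create the
# self-signed development root CA.
[ req ]
distinguished_name = req_distinguished_name
# Extensions section applied to the self-signed certificate.
x509_extensions = root_ca

# Prompts and defaults for the CA subject name.
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = CN
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = HuBei
localityName = Locality Name (eg, city)
localityName_default = WuHan
0.organizationName = Organization Name (eg, company)
0.organizationName_default = Development CA
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = Development CA
commonName = Common Name (eg, fully qualified host name)
commonName_default = Development CA Certification Authority
commonName_max = 64
emailAddress = Email Address
emailAddress_default = CA@dev.com
emailAddress_max = 64

[ root_ca ]
# pathlen:0 lets this root sign end-entity certificates only, so a leaked
# leaf key can never be used as an intermediate CA under it.
basicConstraints = critical, CA:true, pathlen:0
# Restrict the CA key to signing certificates and CRLs.
keyUsage = critical, keyCertSign, cRLSign
# Optional: this root ends up in the system trust store, so it can be limited
# to the names used on this page. Uncomment and adjust if other host names
# are needed; verify that the clients in use enforce name constraints.
# nameConstraints = critical, permitted;DNS:localhost, permitted;IP:127.0.0.1/255.255.255.255

# 2. 建立ssl證書cert.cnf文件
# cert.cnf: a separate file, read by `openssl req -config cert.cnf` to create
# the server certificate request. The [ req ] header is written out explicitly;
# in the original listing distinguished_name appeared before any section header.
[ req ]
distinguished_name = req_distinguished_name

# Prompts and defaults for the server certificate subject name.
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = CN
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = HuBei
localityName = Locality Name (eg, city)
localityName_default = WuHan
0.organizationName = Organization Name (eg, company)
0.organizationName_default = Development Server
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = Development Server
commonName = Common Name (eg, fully qualified host name)
commonName_default = Development Server Certificate
commonName_max = 64
emailAddress = Email Address
emailAddress_default = server@dev.com
emailAddress_max = 64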
3. 建立ssl證書subjectAltName描述文件cert.ext
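# cert.ext: X.509v3 extensions for the server certificate, applied by
# `openssl x509 -req -extfile cert.ext`. Only what is listed here ends up in
# the issued certificate, so the end-entity restrictions are stated explicitly.

# The server certificate must not be usable as a CA.
basicConstraints = CA:FALSE
# Key usages needed by a TLS server with an RSA key.
keyUsage = critical, digitalSignature, keyEncipherment
subjectAltName = @alt_names
extendedKeyUsage = serverAuth

[alt_names]
DNS.1 = localhost
# An IP literal must be an IP entry: clients compare an address typed in the
# URL against iPAddress SANs, so "DNS.2 = 127.0.0.1" would not match
# https://127.0.0.1/.
IP.1 = 127.0.0.1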
4. 建立CA+SSL證書服務器
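# Create key files readable by the current user only.
umask 077

# Generate the CA certificate (self-signed root, valid for 10 years).
# -nodes is intentionally NOT used here: CA.cer is imported into the system
# trust store, so anyone holding CA.pvk can issue certificates that this
# machine will trust. openssl prompts for a passphrase to encrypt CA.pvk and
# asks for it again when signing below.
openssl req -x509 -newkey rsa:4096 -out CA.cer -outform PEM -keyout CA.pvk \
    -days 3650 -verbose -config CA.cnf -sha256

# Generate the server key and certificate request.
# -nodes leaves cert.pvk unencrypted so the application server can start
# unattended; protect the file with filesystem permissions.
openssl req -newkey rsa:4096 -keyout cert.pvk -out cert.req \
    -config cert.cnf -sha256 -nodes

# Sign the request with the CA to produce the server certificate.
# -CAcreateserial generates a serial number (stored in CA.srl) instead of the
# fixed 0x1111: issuing a second certificate from the same CA with the same
# serial makes clients reject it as a reused issuer/serial pair.
# -days 825: some platforms (e.g. Apple's) reject TLS server certificates
# with a longer validity period, including ones from privately added roots.
openssl x509 -req -CA CA.cer -CAkey CA.pvk -CAcreateserial -in cert.req \
    -out cert.cer -days 825 -extfile cert.ext -sha256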
將生成的CA.cer導入到系統受信任的根證書頒發機構中,cert證書(cert.cer和cert.pvk)配置到應用服務器,便可通過https訪問應用服務器。只需導入CA.cer;CA.pvk私鑰不要隨證書一同分發,任何持有該私鑰的人都能簽發被這臺機器信任的證書。
配置了subjectAltName後,Chrome將不會再報 Subject Alternative Name Missing & ERR_SSL_VERSION_OR_CIPHER_MISMATCH 的錯誤