2025-01-16 Update From: SLTechnology News&Howtos shulou
By default, a self-built OpenSSL CA signs certificates for a single domain name. When a single server hosts multiple HTTPS domain names, signing one certificate that covers several domain names is much more convenient. I searched for a long time today; apart from the CSR tools on some certificate vendors' websites, which can add a "subject alternative name", I found no OpenSSL-related way to add one.
Later, I looked at openssl.cnf and found a way, which I record here:
!! This method is clumsy. If there is another way, please leave me a comment, thank you very much.
(Found one. For more information, see "Adding 'subject alternate name (DNS)' to an SSL certificate using openssl".)
The main modification is in openssl.cnf.
Change the original
commonName = Common Name (eg, your name or your server\'s hostname)
commonName_max = 64
to
0.commonName = Common Name (eg, your name or your server\'s hostname)
0.commonName_max = 64
That is, just add a "0." in front. To add other domain names, add the same pair of records again, incrementing the leading number each time:
0.commonName = Common Name (eg, your name or your server\'s hostname)
0.commonName_max = 64
1.commonName = other Common Name
1.commonName_max = 64
.
Other steps:
Some files and directories referenced in openssl.cnf must exist:
[root@localhost]# mkdir -p CA/{certs,crl,newcerts,private}
[root@localhost]# touch CA/index.txt
[root@localhost]# echo 00 > CA/serial
1. Generate ca.key and self-sign it
openssl req -new -x509 -days 3650 -keyout ca.key -out ca.crt -config openssl.cnf
2. Generate server.key (the name is not important)
openssl genrsa -out server.key 2048
3. Generate a certificate signing request
openssl req -new -key server.key -out server.csr -config openssl.cnf
The Common Names are entered in this step, one per prompt. If you have fewer domain names than prompts, just press Enter for the remaining ones.
4. Sign server.csr using the self-signed CA
openssl ca -in server.csr -out server.crt -cert ca.crt -keyfile ca.key -config openssl.cnf
# Enter the password set in step 1, then answer y to every prompt
server.crt and server.key are the files used on the web server.
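The steps above, run non-interactively as an added example (not the original author's script): it signs the same CSR once with only the numbered commonName fields and once with a subjectAltName extension, then counts the names in each certificate. The hostnames, "Demo CA", the unencrypted demo CA key and the section names `policy_cn` and `san_ext` are assumptions; the comparison matters because current browsers match hostnames against subjectAltName rather than Common Name.

```shell
#!/bin/sh
# Added example. Hostnames, "Demo CA" and the section names are constructed.
set -e
make_conf() {   # minimal openssl.cnf using the page's numbered commonName fields
  cat > openssl.cnf <<'EOF'
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = ./CA
database = $dir/index.txt
new_certs_dir = $dir/newcerts
serial = $dir/serial
default_md = sha256
default_days = 365
unique_subject = no
policy = policy_cn
[ policy_cn ]
commonName = supplied
[ req ]
prompt = no
distinguished_name = req_dn
[ req_dn ]
0.commonName = a.example.test
1.commonName = b.example.test
[ san_ext ]
subjectAltName = DNS:a.example.test, DNS:b.example.test
EOF
}
issue() {   # $1 = output file; further arguments go to "openssl ca"
  out=$1; shift
  openssl ca -batch -notext -in server.csr -out "$out" -cert ca.crt \
    -keyfile ca.key -config openssl.cnf "$@" 2>/dev/null
}
cn_count()  { openssl x509 -in "$1" -noout -subject -nameopt multiline | grep -c commonName || true; }
san_count() { openssl x509 -in "$1" -noout -text | grep -o 'DNS:[^,]*' | wc -l; }

cd "$(mktemp -d)"
mkdir -p CA/certs CA/crl CA/newcerts CA/private
touch CA/index.txt; echo 00 > CA/serial
make_conf
# -nodes leaves the demo CA key unencrypted so nothing prompts; protect a real one.
openssl req -new -x509 -days 3650 -nodes -subj "/CN=Demo CA" \
  -keyout ca.key -out ca.crt -config openssl.cnf 2>/dev/null
openssl genrsa -out server.key 2048 2>/dev/null
openssl req -new -key server.key -out server.csr -config openssl.cnf
issue cn_only.crt                      # the page's method: names only in the subject
issue with_san.crt -extensions san_ext # same CSR, names also in subjectAltName
echo "cn_only.crt:  CN=$(cn_count cn_only.crt) SAN=$(san_count cn_only.crt)"
echo "with_san.crt: CN=$(cn_count with_san.crt) SAN=$(san_count with_san.crt)"
```

Running the same two inspection commands against a certificate you have already issued shows whether its names live only in the subject.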
NGINX two-way authentication
If you want NGINX to verify client certificates, repeat steps 2, 3 and 4, then run the following command to generate a personal certificate:
openssl pkcs12 -export -inkey server.key -in server.crt -out server.p12
Import the personal certificate into the PC and add these settings to the existing nginx SSL configuration:
ssl_verify_client on;
ssl_client_certificate ca.crt;
In addition: nginx two-way authentication is relatively independent. You can use a purchased SSL certificate to authenticate the server, and the self-signed CA and its certificates to authenticate clients.
Attachment: http://down.51cto.com/data/2364956