2025-02-24 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
Note: Firefox has a problem recognizing multiple wildcard CNs and only recognizes the first one, so using alternative hostnames (subjectAltName DNS entries) is recommended. This has been tested and works.
By default, a self-built OpenSSL CA signs a certificate for a single domain name. A single server often hosts several HTTPS domain names, and sometimes you want one certificate to cover them all. If they all share the same top-level domain name, a wildcard certificate is just right for you.
There is no need to modify openssl.cnf. It is best to comment out the other extensions; doing so will not affect the result.
Just change www.baidu.com to *.baidu.com when entering the Common Name (CN).
Note that a.b.baidu.com must be written as *.b.baidu.com.
In addition, testing shows that a wildcard can be used together with multiple CNs, with *.xxx.com taking the place of several CN domain names.
As for the alternative hostname method, you can test it yourself.
Other steps:
openssl.cnf requires some files and directories to exist:
[root@localhost]# mkdir -p CA/{certs,crl,newcerts,private}
[root@localhost]# touch CA/index.txt
[root@localhost]# echo 00 > CA/serial
1. Generate ca.key and self-sign it
openssl req -new -x509 -days 3650 -keyout ca.key -out ca.crt -config openssl.cnf
2. Generate server.key (the name is not important)
openssl genrsa -out server.key 2048
3. Generate a certificate signing request
openssl req -new -key server.key -out server.csr -config openssl.cnf
The Common Name is filled in at this step: *.baidu.com
4. Sign server.csr using the self-signed CA
openssl ca -days 180 -in server.csr -out server.crt -cert ca.crt -keyfile ca.key -config openssl.cnf
# Enter the password set in the first step and answer y at each prompt
server.crt and server.key are the files used by the web server.
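The alternative hostname (subjectAltName) approach mentioned at the top, as an added example that is not part of the original article: it signs a wildcard certificate carrying DNS entries and checks which hostnames the certificate matches. The example.test names, the san.ext file and the function names are assumptions, and it signs with openssl x509 -req rather than openssl ca so that no CA directory layout from openssl.cnf is needed.

```shell
#!/bin/sh
# Added example (not from the article). All names below are constructed.

# make_wildcard_cert DIR: throwaway CA plus a server certificate with SANs.
make_wildcard_cert() {
  dir=$1
  mkdir -p "$dir" || return 1
  # Test CA; -nodes leaves the key unencrypted, acceptable only for a lab run.
  openssl req -new -x509 -nodes -newkey rsa:2048 -days 3650 \
    -subj "/CN=Example Test CA" \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null || return 1
  # Server key and CSR; the CN carries the wildcard as in step 3.
  openssl genrsa -out "$dir/server.key" 2048 2>/dev/null || return 1
  openssl req -new -key "$dir/server.key" -subj "/CN=*.example.test" \
    -out "$dir/server.csr" 2>/dev/null || return 1
  # One DNS entry per wildcard level that must be covered.
  echo 'subjectAltName=DNS:*.example.test,DNS:*.b.example.test' \
    > "$dir/san.ext"
  openssl x509 -req -days 180 -in "$dir/server.csr" \
    -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
    -extfile "$dir/san.ext" -out "$dir/server.crt" 2>/dev/null
}

# host_matches CERT HOST: true if OpenSSL's hostname check accepts HOST.
host_matches() {
  openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}

# Demo when run as: sh wildcard_san.sh OUTDIR
if [ -n "${1:-}" ]; then
  make_wildcard_cert "$1" || exit 1
  for h in www.example.test a.b.example.test a.c.example.test example.test
  do
    if host_matches "$1/server.crt" "$h"; then
      echo "$h: match"
    else
      echo "$h: no match"
    fi
  done
fi
```

A wildcard entry covers exactly one label, so a.c.example.test and the bare example.test are rejected until they get their own DNS entries.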
NGINX two-way authentication
If you want NGINX to verify client certificates, repeat steps 2, 3 and 4, then run the following command to generate a personal certificate.
5. Generate a personal certificate
openssl pkcs12 -export -inkey xxx.key -in xxx.crt -out xxx.p12
Import the personal certificate into the PC and add these settings to the existing nginx ssl configuration:
ssl_verify_client on;
ssl_client_certificate ca.crt;