2025-01-15 Update From: SLTechnology News&Howtos > Network Security
Shulou(Shulou.com)06/01 Report--
The previous section described signing a multi-domain certificate with openssl by putting several CNs in the subject. In practice that approach has a problem: on Android, browsers do not recognize multiple CN domain names and report "the certificate name does not match the server name". At first this looked like a problem with the signing CA, but the same certificate works once it is reduced to a single CN, so another method was needed. After a great deal of googling, the following approach was found:
The main modification is in openssl.cnf.
# make sure the following 2 lines exist under [req] (the first is present by default, the second is commented out)
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
# make sure no key under [req_distinguished_name] carries a "0." prefix (e.g. 0.organizationName); if one does, remove the leading "0."
[req_distinguished_name]
countryName = Country Name (2 letter code)
countryName_default = CN
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = ShangHai
localityName = Locality Name (eg, city)
localityName_default = ShangHai
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = Domain Control Validated
commonName = Common Name (eg, server FQDN)
commonName_max = 64
# add the last line, subjectAltName = @alt_names (the first 2 lines exist by default)
[v3_req]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
# add the alt_names section. Make sure the section header [alt_names] has no stray spaces inside the brackets. Add as many DNS.x entries as you need.
[alt_names]
DNS.1 = abc.example.com
DNS.2 = dfe.example.org
DNS.3 = ex.abcexpale.net
Other steps:
The CA directory layout referenced by openssl.cnf must exist:
[root@localhost]# mkdir -p CA/{certs,crl,newcerts,private}
[root@localhost]# touch CA/index.txt
[root@localhost]# echo 00 > CA/serial
1. Generate ca.key and self-sign it
openssl req -new -x509 -days 3650 -keyout ca.key -out ca.crt -config openssl.cnf
2. Generate server.key (the file name does not matter)
openssl genrsa -out server.key 2048
3. Generate a certificate signing request
openssl req -new -key server.key -out server.csr -config openssl.cnf
Only the main domain name needs to go in Common Name (note: this domain name must also appear in the DNS.x list of openssl.cnf)
4. View the request file
openssl req -text -noout -in server.csr
You should be able to see this:
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=US, ST=Texas, L=Fort Worth, O=My Company, OU=My Department, CN=server.example
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit): blahblahblah
                Exponent: 65537 (0x10001)
        Attributes:
        Requested Extensions:
            X509v3 Basic Constraints: CA:FALSE
            X509v3 Key Usage: Digital Signature, Non Repudiation, Key Encipherment
            X509v3 Subject Alternative Name: DNS:domain.example.com, DNS:xxx.example.com
    Signature Algorithm: sha1WithRSAEncryption
5. Sign server.csr with the self-signed CA
openssl ca -in server.csr -out server.crt -cert ca.crt -keyfile ca.key -extensions v3_req -config openssl.cnf
# enter the password set in step 1 and answer y to every prompt
server.crt and server.key are the files used by the web server.
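The steps above, reproduced as an added example (not from the original post) that runs the whole flow non-interactively and then performs the check a client performs, hostname verification against each SAN entry. The throwaway CA name, the directory argument and the two DNS names are constructed for this demo.

```shell
#!/bin/sh
# Added example: the page's SAN workflow run non-interactively, ending with the
# check a client performs: does each DNS name verify against the chain? The
# throwaway CA, names and paths are constructed for this demo.
set -eu
# Builds a CA and a SAN server cert under $1 (absolute path); returns 0 only
# when every alt_names entry passes hostname verification.
san_demo() (
  cd "$1"
  mkdir -p CA/certs CA/crl CA/newcerts CA/private   # "Other steps" on the page
  : > CA/index.txt; echo 00 > CA/serial
  # The shell expands $1 here; \$dir is left for OpenSSL's own config variable.
  cat > openssl.cnf <<EOF
[ca]
default_ca = CA_default
[CA_default]
dir = $1/CA
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
default_md = sha256
default_days = 365
policy = policy_any
[policy_any]
commonName = supplied
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
x509_extensions = v3_ca
[req_distinguished_name]
commonName = Common Name
[v3_ca]
basicConstraints = critical, CA:TRUE
[v3_req]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = abc.example.com
DNS.2 = dfe.example.org
EOF
  openssl req -new -x509 -nodes -days 3650 -subj /CN=Demo-CA -keyout ca.key -out ca.crt -config openssl.cnf
  openssl genrsa -out server.key 2048
  openssl req -new -key server.key -out server.csr -subj /CN=abc.example.com -config openssl.cnf
  openssl ca -batch -in server.csr -out server.crt -cert ca.crt -keyfile ca.key -extensions v3_req -config openssl.cnf
  for name in abc.example.com dfe.example.org; do   # each SAN entry must verify, the CN alone is not enough
    openssl verify -CAfile ca.crt -verify_hostname "$name" server.crt >/dev/null || return 1
  done
)
```

Run it as `san_demo "$(mktemp -d)"`; a name that is not in alt_names fails the same `openssl verify -verify_hostname` check, which is what the Android error in the introduction corresponds to.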
NGINX two-way authentication
If you want NGINX to verify client certificates, repeat steps 2, 3 and 4 for the client and then run the following command to generate a personal (client) certificate
5. Generate the personal certificate
openssl pkcs12 -export -inkey xxx.key -in xxx.crt -out xxx.p12
Import the personal certificate on the PC and add the following to the nginx ssl settings:
ssl_verify_client on;
ssl_client_certificate ca.crt;
Attachment: http://down.51cto.com/data/2364976