今天在逛淘宝时,发现淘宝的 https SSL证书的使用者是 *.tmall.com,但是淘宝是 www.taobao.com,域名不一样,竟然还是绿色的(taobao.com域名能使用tmall.com的SSL证书?),顿时感到很奇怪,于是查看了其 SSL 证书的详细信息发现原来是这样的:SSL证书支持配置多个使用者备用名称(见下图红色区域):
于是到网上搜了下:“SSL证书配置使用者可选名称”,发现了下面这篇文档(http://colinzhouyj.blog.51cto.com/2265679/1566438),故留记备用了:
主要修改在 openssl.cnf:
# 确保req下存在以下2行(默认第一行是有的,第2行被注释了)
[ req ]
distinguished_name = req_distinguished_name
req_extensions = v3_req
# 确保req_distinguished_name下没有 0.xxx 的标签,有的话把0.xxx的0. 去掉, 这个经测试,错的,不去掉
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = CN
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = ShangHai
localityName = Locality Name (eg, city)
localityName_default = ShangHai
0.organizationName = Organization Name (eg, company)
0.organizationName_default = Example,Inc.
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = Domain Control Validated
commonName = Internet Widgits Ltd
commonName_max = 64
# 新增最后一行内容 subjectAltName = @alt_names(前2行默认存在)
[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
# 新增 alt_names,注意括号前后的空格,DNS.x 的数量可以自己加
[ alt_names ]
DNS.1 = abc.example.com
DNS.2 = dfe.example.org
DNS.3 = ex.abcexpale.net
其他的步骤:
openssl.cnf 中会要求部分文件及目录存在:
[root@localhost]#mkdir -p CA/{certs,crl,newcerts,private}
[root@localhost]# touch CA/index.txt
[root@localhost]#echo 00 > CA/serial1. 生成ca.key并自签署
openssl req -new -x509 -days 3650 -keyout ca.key -out ca.crt -config openssl.cnf2. 生成server.key(名字不重要)
openssl genrsa -out server.key 20483. 生成证书签名请求
openssl req -new -key server.key -out server.csr -config openssl.cnfCommon Name 这个写主要域名就好了(注意:这个域名也要在openssl.cnf的DNS.x里)
4. 查看请求文件
openssl req -text -noout -in server.csr应该可以看到这些内容:
Certificate Request:
Data:
Version: 0 (0x0)
Subject: C=US, ST=Texas, L=Fort Worth, O=My Company, OU=My Department, CN=server.example
Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public Key: (2048 bit)
Modulus (2048 bit): blahblahblah
Exponent: 65537 (0x10001)
Attributes:
Requested Extensions: X509v3
Basic Constraints: CA:FALSE
X509v3 Key Usage: Digital Signature, Non Repudiation, Key Encipherment
X509v3 Subject Alternative Name: DNS:domain.example.com, DNS:xxx.example.com
Signature Algorithm: sha1WithRSAEncryption
5. 使用自签署的CA,签署server.scr
openssl ca -in server.csr -out server.crt -cert ca.crt -keyfile ca.key -extensions v3_req -config openssl.cnf#输入第一步设置的密码,一直按y就可以了
server.crt server.key 就是web服务器中使用的文件。
nginx 双向认证
如果要做nginx客户端证书验证的话,重复2、3、4,并执行下面命令生成个人证书
5.生成个人证书
openssl pkcs12 -export -inkey xxx.key -in xxx.crt -out xxx.p12将个人证书导入pc,同时在nginx ssl基础上增加设置:
ssl_verify_client on;
ssl_client_certificate ca.crt;
==============================================服务器端生成# openssl genrsa -out /tmp/server.key
# vim openssl.conf
要增加 v3_req altNames ....
# openssl req -new -key /tmp/server.key -out /tmp/server.csr
[root@sh_proxy conf.d]# openssl req -text -noout -in server.csr Certificate Request: Data: Version: 0 (0x0) Subject: C=US, ST=North Carolina, L=Raleigh, O=Example,Inc., OU=IT, CN=www.test.con Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit) Modulus: 00:9c:6e:48:24:be:7a:d4:24:5b:b1:f1:b7:12:97: eb:ea:55:53:eb:72:2c:1c:46:85:12:58:d2:f6:49: f9:b9:cc:72:11:2b:5b:9e:fa:ab:45:ce:ae:9f:b0: 73:1d:cb:d1:16:ad:47:31:6e:ea:92:4f:d4:cf:d4: 32:bf:e9:3d:f3:f6:82:73:a9:2d:9d:05:e0:90:91: 57:3f:47:63:21:95:ea:2b:81:bf:9f:9d:e6:4f:aa: 51:1c:8a:71:a2:75:2b:3f:30:5f:41:78:80:f6:94: b9:f2:fe:77:32:6d:4e:ae:b5:58:82:58:e6:b4:12: ae:20:c8:45:d9:d5:2c:f8:9c:b8:b7:45:a0:aa:21: 92:9a:ba:09:a2:6d:43:52:f7:6d:e2:b1:a7:a4:1e: 0d:b5:a7:3f:47:2e:88:c1:65:9b:be:b3:e0:17:45: c7:87:2c:55:07:fe:36:c4:2e:d6:aa:31:f4:b6:58: 34:59:98:86:fd:1d:84:9d:3f:72:f3:f9:42:c8:90: ce:a2:67:f1:62:d8:0c:1a:20:a2:0c:5f:45:db:60: bc:53:ad:1c:2c:3e:bc:e2:87:3f:b4:0a:ec:6d:78: 4b:59:ac:b8:92:3c:28:5e:a1:19:6a:64:e3:7b:ef: b1:f6:78:a3:ff:5a:9b:65:31:bf:b9:c5:64:65:1a: 45:53 Exponent: 65537 (0x10001) Attributes: Requested Extensions: X509v3 Basic Constraints: CA:FALSE X509v3 Key Usage: Digital Signature, Non Repudiation, Key Encipherment X509v3 Subject Alternative Name: DNS:www.test.con, DNS:www.test.com Signature Algorithm: sha256WithRSAEncryption 6d:78:1b:c8:bf:97:5c:71:0e:98:e7:18:af:9f:2f:a6:a7:d5: 21:d3:b6:24:32:e4:fd:ba:fa:ef:3b:9f:d6:ff:6c:ac:ec:63: ea:92:3e:d2:3d:6d:67:22:65:d6:7b:3e:52:66:64:1b:63:60: 4f:fa:df:5e:e3:54:21:ba:99:33:de:b7:98:2d:05:5d:74:f7: 73:78:43:bd:7c:1e:bd:96:8b:40:1d:b9:df:2a:49:6b:92:5b: a2:f3:47:db:53:9d:4d:3a:de:b4:2e:c8:75:78:e4:8f:0f:74: 51:79:e7:60:cc:04:41:73:62:c2:01:60:a1:4f:c5:13:b2:4e: b9:da:36:c7:fb:2a:0a:1e:46:f5:37:17:a7:90:73:5d:5c:06: 4f:87:c0:4a:1b:67:27:56:66:ca:b1:51:b8:e6:3a:1f:34:82: f0:08:72:3c:95:d5:0a:53:c1:71:c0:1d:a0:6e:35:0f:6f:85: 9c:f0:01:ce:3f:d4:b6:ac:6e:6b:f2:f5:1a:ab:b3:04:2f:a9: 16:49:63:9f:97:51:b4:e4:3d:a1:a9:90:1c:f1:f4:d4:09:0d: 64:94:2b:89:a4:2d:a6:f4:a6:84:b4:50:13:03:75:f8:16:b8: e4:af:d3:9c:84:c4:d4:19:d1:ca:b4:19:69:38:44:a5:ba:b3: a6:d8:d8:59 [root@sh_proxy conf.d]
ca 主机上的openssl.conf # # OpenSSL example configuration file. # This is mostly being used for generation of certificate requests. # # This definition stops the following lines choking if HOME isn't # defined. HOME = . RANDFILE = $ENV::HOME/.rnd # Extra OBJECT IDENTIFIER info: #oid_file = $ENV::HOME/.oid oid_section = new_oids # To use this configuration file with the "-extfile" option of the # "openssl x509" utility, name here the section containing the # X.509v3 extensions to use: # extensions = # (Alternatively, use a configuration file that has only # X.509v3 extensions in its main [= default] section.) [ new_oids ] # We can add new OIDs in here for use by 'ca', 'req' and 'ts'. # Add a simple OID like this: # testoid1=1.2.3.4 # Or use config file substitution like this: # testoid2=${testoid1}.5.6 # Policies used by the TSA examples. tsa_policy1 = 1.2.3.4.1 tsa_policy2 = 1.2.3.4.5.6 tsa_policy3 = 1.2.3.4.5.7 #################################################################### [ ca ] default_ca = CA_default # The default ca section #################################################################### [ CA_default ] dir = /etc/pki/CA # Where everything is kept certs = $dir/certs # Where the issued certs are kept crl_dir = $dir/crl # Where the issued crl are kept database = $dir/index.txt # database index file. #unique_subject = no # Set to 'no' to allow creation of # several ctificates with same subject. new_certs_dir = $dir/newcerts # default place for new certs. #certificate = $dir/cacert.pem # The CA certificate certificate = $dir/cacert.crt # The CA certificate serial = $dir/serial # The current serial number crlnumber = $dir/crlnumber # the current crl number # must be commented out to leave a V1 CRL crl = $dir/crl.pem # The current CRL #private_key = $dir/private/cakey.pem# The private key private_key = $dir/private/cakey.key # The private key RANDFILE = $dir/private/.rand # private random number file x509_extensions = usr_cert # The extentions to add to the cert # Comment out the following two lines for the "traditional" # (and highly broken) format. name_opt = ca_default # Subject Name options cert_opt = ca_default # Certificate field options # Extension copying option: use with caution. # copy_extensions = copy # Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs # so this is commented out by default to leave a V1 CRL. # crlnumber must also be commented out to leave a V1 CRL. # crl_extensions = crl_ext default_days = 365 # how long to certify for default_crl_days= 30 # how long before next CRL default_md = sha256 # use SHA-256 by default preserve = no # keep passed DN ordering # A few difference way of specifying how similar the request should look # For type CA, the listed attributes must be the same, and the optional # and supplied fields are just that :-) policy = policy_match # For the CA policy [ policy_match ] countryName = match stateOrProvinceName = match organizationName = match organizationalUnitName = optional commonName = supplied emailAddress = optional # For the 'anything' policy # At this point in time, you must list all acceptable 'object' # types. [ policy_anything ] countryName = optional stateOrProvinceName = optional localityName = optional organizationName = optional organizationalUnitName = optional commonName = supplied emailAddress = optional #################################################################### [ req ] default_bits = 2048 default_md = sha256 default_keyfile = privkey.pem distinguished_name = req_distinguished_name attributes = req_attributes x509_extensions = v3_ca # The extentions to add to the self signed cert # Passwords for private keys if not present they will be prompted for # input_password = secret # output_password = secret # This sets a mask for permitted string types. There are several options. # default: PrintableString, T61String, BMPString. # pkix : PrintableString, BMPString (PKIX recommendation before 2004) # utf8only: only UTF8Strings (PKIX recommendation after 2004). # nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings). # MASK:XXXX a literal mask value. # WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings. string_mask = utf8only req_extensions = v3_req # The extensions to add to a certificate request # 打开注释 [ req_distinguished_name ] countryName = Country Name (2 letter code) countryName_default = US countryName_min = 2 countryName_max = 2 stateOrProvinceName = State or Province Name (full name) stateOrProvinceName_default = North Carolina localityName = Locality Name (eg, city) localityName_default = Raleigh 0.organizationName = Organization Name (eg, company) 0.organizationName_default = Example,Inc. # we can do this but it is not needed normally :-) #1.organizationName = Second Organization Name (eg, company) #1.organizationName_default = World Wide Web Pty Ltd organizationalUnitName = Organizational Unit Name (eg, section) organizationalUnitName_default = IT commonName = Common Name (eg, your name or your server\'s hostname) commonName_max = 64 emailAddress = Email Address emailAddress_default = root@stationX.example.com emailAddress_max = 64 # SET-ex3 = SET extension number 3 [ req_attributes ] challengePassword = A challenge password challengePassword_min = 4 challengePassword_max = 20 unstructuredName = An optional company name [ usr_cert ] # These extensions are added when 'ca' signs a request. # This goes against PKIX guidelines but some CAs do it and some software # requires this to avoid interpreting an end user certificate as a CA. basicConstraints=CA:FALSE # Here are some examples of the usage of nsCertType. If it is omitted # the certificate can be used for anything *except* object signing. # This is OK for an SSL server. # nsCertType = server # For an object signing certificate this would be used. # nsCertType = objsign # For normal client use this is typical # nsCertType = client, email # and for everything including object signing: # nsCertType = client, email, objsign # This is typical in keyUsage for a client certificate. # keyUsage = nonRepudiation, digitalSignature, keyEncipherment # This will be displayed in Netscape's comment listbox. nsComment = "OpenSSL Generated Certificate" # PKIX recommendations harmless if included in all certificates. subjectKeyIdentifier=hash authorityKeyIdentifier=keyid,issuer # This stuff is for subjectAltName and issuerAltname. # Import the email address. # subjectAltName=email:copy # An alternative to produce certificates that aren't # deprecated according to PKIX. # subjectAltName=email:move # Copy subject details # issuerAltName=issuer:copy #nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem #nsBaseUrl #nsRevocationUrl #nsRenewalUrl #nsCaPolicyUrl #nsSslServerName # This is required for TSA certificates. # extendedKeyUsage = critical,timeStamping [ v3_req ] # Extensions to add to a certificate request basicConstraints = CA:FALSE keyUsage = nonRepudiation, digitalSignature, keyEncipherment subjectAltName = @alt_names [ alt_names ] DNS.1 = www.test.con DNS.2 = www.test.com [ v3_ca ] # Extensions for a typical CA # PKIX recommendation. subjectKeyIdentifier=hash authorityKeyIdentifier=keyid:always,issuer # This is what PKIX recommends but some broken software chokes on critical # extensions. #basicConstraints = critical,CA:true # So we do this instead. basicConstraints = CA:true # Key usage: this is typical for a CA certificate. However since it will # prevent it being used as an test self-signed certificate it is best # left out by default. # keyUsage = cRLSign, keyCertSign # Some might want this also # nsCertType = sslCA, emailCA # Include email address in subject alt name: another PKIX recommendation # subjectAltName=email:copy # Copy issuer details # issuerAltName=issuer:copy # DER hex encoding of an extension: beware experts only! # obj=DER:02:03 # Where 'obj' is a standard or added object # You can even override a supported extension: # basicConstraints= critical, DER:30:03:01:01:FF [ crl_ext ] # CRL extensions. # Only issuerAltName and authorityKeyIdentifier make any sense in a CRL. # issuerAltName=issuer:copy authorityKeyIdentifier=keyid:always [ proxy_cert_ext ] # These extensions should be added when creating a proxy certificate # This goes against PKIX guidelines but some CAs do it and some software # requires this to avoid interpreting an end user certificate as a CA. basicConstraints=CA:FALSE # Here are some examples of the usage of nsCertType. If it is omitted # the certificate can be used for anything *except* object signing. # This is OK for an SSL server. # nsCertType = server # For an object signing certificate this would be used. # nsCertType = objsign # For normal client use this is typical # nsCertType = client, email # and for everything including object signing: # nsCertType = client, email, objsign # This is typical in keyUsage for a client certificate. # keyUsage = nonRepudiation, digitalSignature, keyEncipherment # This will be displayed in Netscape's comment listbox. nsComment = "OpenSSL Generated Certificate" # PKIX recommendations harmless if included in all certificates. subjectKeyIdentifier=hash authorityKeyIdentifier=keyid,issuer # This stuff is for subjectAltName and issuerAltname. # Import the email address. # subjectAltName=email:copy # An alternative to produce certificates that aren't # deprecated according to PKIX. # subjectAltName=email:move # Copy subject details # issuerAltName=issuer:copy #nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem #nsBaseUrl #nsRevocationUrl #nsRenewalUrl #nsCaPolicyUrl #nsSslServerName # This really needs to be in place for it to be a proxy certificate. proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo #################################################################### [ tsa ] default_tsa = tsa_config1 # the default TSA section [ tsa_config1 ] # These are used by the TSA reply generation only. dir = ./demoCA # TSA root directory serial = $dir/tsaserial # The current serial number (mandatory) crypto_device = builtin # OpenSSL engine to use for signing signer_cert = $dir/tsacert.pem # The TSA signing certificate # (optional) certs = $dir/cacert.pem # Certificate chain to include in reply # (optional) signer_key = $dir/private/tsakey.pem # The TSA private key (optional) default_policy = tsa_policy1 # Policy if request did not specify it # (optional) other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional) digests = sha1, sha256, sha384, sha512 # Acceptable message digests (mandatory) accuracy = secs:1, millisecs:500, microsecs:100 # (optional) clock_precision_digits = 0 # number of digits after dot. (optional) ordering = yes # Is ordering defined for timestamps? # (optional, default: no) tsa_name = yes # Must the TSA name be included in the reply? # (optional, default: no) ess_cert_id_chain = no # Must the ESS cert id chain be included? # (optional, default: no)
[root@blog /etc/pki/tls 03:51:52]$openssl ca -in /tmp/server.csr -out /tmp/server.crt -extensions v3_req -config openssl.cnf
Using configuration from openssl.cnf Enter pass phrase for /etc/pki/CA/private/cakey.key: Check that the request matches the signature Signature ok Certificate Details: Serial Number: 5 (0x5) Validity Not Before: Apr 13 19:51:58 2020 GMT Not After : Apr 13 19:51:58 2021 GMT Subject: countryName = US stateOrProvinceName = North Carolina organizationName = Example,Inc. organizationalUnitName = IT commonName = www.test.con X509v3 extensions: X509v3 Basic Constraints: CA:FALSE X509v3 Key Usage: Digital Signature, Non Repudiation, Key Encipherment X509v3 Subject Alternative Name: DNS:www.test.con, DNS:www.test.com Certificate is to be certified until Apr 13 19:51:58 2021 GMT (365 days) Sign the certificate? [y/n]:y 1 out of 1 certificate requests certified, commit? [y/n]y Write out database with 1 new entries Data Base Updated [root@blog /etc/pki/tls 03:52:02]$openssl x509 -in /tmp/server.crt -noout -text Certificate: Data: Version: 3 (0x2) Serial Number: 5 (0x5) Signature Algorithm: sha256WithRSAEncryption Issuer: C=US, ST=North Carolina, L=Raleigh, O=Example,Inc., OU=IT, CN=blog.cc.cc Certificate Authority/emailAddress=root@stationX.example.com Validity Not Before: Apr 13 19:51:58 2020 GMT Not After : Apr 13 19:51:58 2021 GMT Subject: C=US, ST=North Carolina, O=Example,Inc., OU=IT, CN=www.test.con Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit) Modulus: 00:9c:6e:48:24:be:7a:d4:24:5b:b1:f1:b7:12:97: eb:ea:55:53:eb:72:2c:1c:46:85:12:58:d2:f6:49: f9:b9:cc:72:11:2b:5b:9e:fa:ab:45:ce:ae:9f:b0: 73:1d:cb:d1:16:ad:47:31:6e:ea:92:4f:d4:cf:d4: 32:bf:e9:3d:f3:f6:82:73:a9:2d:9d:05:e0:90:91: 57:3f:47:63:21:95:ea:2b:81:bf:9f:9d:e6:4f:aa: 51:1c:8a:71:a2:75:2b:3f:30:5f:41:78:80:f6:94: b9:f2:fe:77:32:6d:4e:ae:b5:58:82:58:e6:b4:12: ae:20:c8:45:d9:d5:2c:f8:9c:b8:b7:45:a0:aa:21: 92:9a:ba:09:a2:6d:43:52:f7:6d:e2:b1:a7:a4:1e: 0d:b5:a7:3f:47:2e:88:c1:65:9b:be:b3:e0:17:45: c7:87:2c:55:07:fe:36:c4:2e:d6:aa:31:f4:b6:58: 34:59:98:86:fd:1d:84:9d:3f:72:f3:f9:42:c8:90: ce:a2:67:f1:62:d8:0c:1a:20:a2:0c:5f:45:db:60: bc:53:ad:1c:2c:3e:bc:e2:87:3f:b4:0a:ec:6d:78: 4b:59:ac:b8:92:3c:28:5e:a1:19:6a:64:e3:7b:ef: b1:f6:78:a3:ff:5a:9b:65:31:bf:b9:c5:64:65:1a: 45:53 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Basic Constraints: CA:FALSE X509v3 Key Usage: Digital Signature, Non Repudiation, Key Encipherment X509v3 Subject Alternative Name: DNS:www.test.con, DNS:www.test.com Signature Algorithm: sha256WithRSAEncryption 4c:19:b8:37:ba:5f:a5:c4:4d:33:97:67:5b:9e:9e:cd:cf:5a: 7b:58:39:98:5f:6c:4f:32:d1:02:d6:96:1b:4d:c9:41:20:5f: cb:cd:c3:6f:06:c0:bd:09:cb:bb:02:61:93:f8:09:c2:06:7e: e3:1c:f7:2b:2e:ef:16:84:8a:cd:47:bb:3c:c2:04:bf:e7:1a: 70:9a:a5:44:fc:11:3d:17:2c:c0:92:2c:01:4c:c7:2f:f3:bc: 3a:c1:d3:5f:f8:33:67:fd:ac:81:25:e8:62:66:bd:7c:2f:47: 4f:cb:1c:57:e5:d9:8e:c1:97:7f:64:86:ea:86:00:25:7a:84: 19:44:be:77:b8:fb:c9:60:a3:25:80:b8:2c:65:89:25:49:63: 85:e0:4a:46:6e:3a:ba:16:44:1a:8f:1a:6a:5b:a5:28:aa:e9: 28:6d:26:66:1e:85:55:df:69:8b:92:a0:4b:c4:74:14:ba:b4: 27:f7:b0:1c:b7:e6:ea:34:ec:5f:4b:d6:18:e9:44:f5:e0:81: b6:38:54:76:f8:c6:9b:06:9f:80:35:4c:4d:4c:5b:c1:05:06: 81:72:f7:18:68:c4:83:48:e7:fd:e1:92:33:0f:00:ee:ea:dc: c3:25:ee:a5:b9:3b:cf:16:ea:e7:2c:79:ff:32:8d:77:bb:e1: 6c:33:62:ac [root@blog /etc/pki/tls 03:53:24]$scp /tmp/server.crt 192.168.85.251:/etc/httpd/conf.d/ server.crt 100% 4446 4.3KB/s 00:00 [root@blog /etc/pki/tls 03:54:13
浙公网安备 33010602011771号