生成自签名CA+SSL证书

1、创建CA证书配置CA.cnf文件

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
[ req ]
distinguished_name  = req_distinguished_name
x509_extensions     = root_ca
 
[ req_distinguished_name ]
countryName                     = Country Name (2 letter code)
countryName_default             = CN
countryName_min                 = 2
countryName_max                 = 2
stateOrProvinceName             = State or Province Name (full name)
stateOrProvinceName_default     = HuBei
localityName                    = Locality Name (eg, city)
localityName_default            = WuHan
0.organizationName              = Organization Name (eg, company)
0.organizationName_default      = Development CA
organizationalUnitName          = Organizational Unit Name (eg, section)
organizationalUnitName_default  = Development CA
commonName                      = Common Name (eg, fully qualified host name)
commonName_default              = Development CA Certification Authority
commonName_max                  = 64
emailAddress                    = Email Address
emailAddress_default            = CA@dev.com
emailAddress_max                = 64
 
[ root_ca ]
basicConstraints            = critical, CA:true
  
 
2. 创建ssl证书cert.cnf文件
 
distinguished_name  = req_distinguished_name
 
[ req_distinguished_name ]
countryName                     = Country Name (2 letter code)
countryName_default             = CN
countryName_min                 = 2
countryName_max                 = 2
stateOrProvinceName             = State or Province Name (full name)
stateOrProvinceName_default     = HuBei
localityName                    = Locality Name (eg, city)
localityName_default            = WuHan
0.organizationName              = Organization Name (eg, company)
0.organizationName_default      = Development Server
organizationalUnitName          = Organizational Unit Name (eg, section)
organizationalUnitName_default  = Development Server
commonName                      = Common Name (eg, fully qualified host name)
commonName_default              = Development Server Certificate
commonName_max                  = 64
emailAddress                    = Email Address
emailAddress_default            = server@dev.com
emailAddress_max                = 64

 

3. 创建ssl证书subjectName描述文件cert.ext

1
2
3
4
5
6
subjectAltName = @alt_names
extendedKeyUsage = serverAuth
 
[alt_names]
DNS.1 = localhost
DNS.2 = 127.0.0.1

 

4. 创建CA+SSL证书

1
2
3
4
5
6
7
8
# 生成CA 证书
openssl req -x509 -newkey rsa:4096 -out CA.cer -outform PEM -keyout CA.pvk -days 3650 -verbose -config CA.cnf -nodes -sha256
 
# 生成证书请求文件
openssl req -newkey rsa:4096 -keyout cert.pvk -out cert.req -config cert.cnf -sha256 -nodes
 
#生成证书
openssl x509 -req -CA CA.cer -CAkey CA.pvk -in cert.req -out cert.cer -days 3650 -extfile cert.ext -sha256 -set_serial 0x1111

 

将生成的CA.cer导入到系统受信任的根证书颁发机构中,cert证书配置到应用服务器,即可通过https访问应用服务器

配置了subjectName后Chrome将不会再报 Subject Alternative Name Missing & ERR_SSL_VERSION_OR_CIPHER_MISMATCH 的错误

posted @   雪域熊猫  阅读(3688)  评论(1编辑  收藏  举报
点击右上角即可分享
微信分享提示