Generating a Self-Signed CA and SSL Certificate
1. Create the CA certificate configuration file CA.cnf

    [ req ]
    distinguished_name = req_distinguished_name
    x509_extensions = root_ca

    [ req_distinguished_name ]
    countryName = Country Name (2 letter code)
    countryName_default = CN
    countryName_min = 2
    countryName_max = 2
    stateOrProvinceName = State or Province Name (full name)
    stateOrProvinceName_default = HuBei
    localityName = Locality Name (eg, city)
    localityName_default = WuHan
    0.organizationName = Organization Name (eg, company)
    0.organizationName_default = Development CA
    organizationalUnitName = Organizational Unit Name (eg, section)
    organizationalUnitName_default = Development CA
    commonName = Common Name (eg, fully qualified host name)
    commonName_default = Development CA Certification Authority
    commonName_max = 64
    emailAddress = Email Address
    emailAddress_default = CA@dev.com
    emailAddress_max = 64

    [ root_ca ]
    basicConstraints = critical, CA:true

2. Create the SSL certificate configuration file cert.cnf

    [ req ]
    distinguished_name = req_distinguished_name

    [ req_distinguished_name ]
    countryName = Country Name (2 letter code)
    countryName_default = CN
    countryName_min = 2
    countryName_max = 2
    stateOrProvinceName = State or Province Name (full name)
    stateOrProvinceName_default = HuBei
    localityName = Locality Name (eg, city)
    localityName_default = WuHan
    0.organizationName = Organization Name (eg, company)
    0.organizationName_default = Development Server
    organizationalUnitName = Organizational Unit Name (eg, section)
    organizationalUnitName_default = Development Server
    commonName = Common Name (eg, fully qualified host name)
    commonName_default = Development Server Certificate
    commonName_max = 64
    emailAddress = Email Address
    emailAddress_default = server@dev.com
    emailAddress_max = 64

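3. Create cert.ext, the file that describes the SSL certificate's subjectAltName

    subjectAltName = @alt_names
    extendedKeyUsage = serverAuth

    [alt_names]
    DNS.1 = localhost
    # 127.0.0.1 is an IP address, so it is listed as an IP entry;
    # a DNS entry is not matched when the client connects by IP.
    IP.1 = 127.0.0.1
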
4. Create the CA and SSL certificates

    # Generate the CA certificate (-nodes leaves CA.pvk unencrypted on disk)
    openssl req -x509 -newkey rsa:4096 -out CA.cer -outform PEM -keyout CA.pvk \
        -days 3650 -verbose -config CA.cnf -nodes -sha256

    # Generate the certificate signing request
    openssl req -newkey rsa:4096 -keyout cert.pvk -out cert.req \
        -config cert.cnf -sha256 -nodes

    # Issue the certificate, signed by the CA
    openssl x509 -req -CA CA.cer -CAkey CA.pvk -in cert.req -out cert.cer \
        -days 3650 -extfile cert.ext -sha256 -set_serial 0x1111

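Import the generated CA.cer into the system's Trusted Root Certification Authorities store and configure the cert certificate (cert.cer, with its private key cert.pvk) on the application server; the application server can then be accessed over HTTPS.
With subjectAltName configured (cert.ext), Chrome no longer reports the Subject Alternative Name Missing and ERR_SSL_VERSION_OR_CIPHER_MISMATCH errors.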
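
A check that an issued certificate is accepted for both the host name and the IP address, as an added example that is not part of the original page. It builds a throwaway CA and two constructed leaf certificates, one listing 127.0.0.1 under a DNS.n key and one under an IP.n key, and runs openssl verify with -verify_hostname and -verify_ip against each; the names dns_only and with_ip, the subject names, the 2048-bit keys and the 1-day validity are assumptions made for the example.

```shell
#!/bin/sh
# Added example. All names and certificates here are constructed throwaway
# test material (1-day validity, 2048-bit keys), not the page's files.

make_ca() {   # make_ca DIR  ->  DIR/CA.cer, DIR/CA.pvk
    printf '%s\n' '[ req ]' 'distinguished_name = dn' 'x509_extensions = root_ca' \
        'prompt = no' '[ dn ]' 'CN = Constructed Dev CA' \
        '[ root_ca ]' 'basicConstraints = critical, CA:true' > "$1/CA.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 -config "$1/CA.cnf" \
        -keyout "$1/CA.pvk" -out "$1/CA.cer" 2>/dev/null
}

issue_leaf() {   # issue_leaf DIR NAME SAN_LINE  (SAN_LINE is how 127.0.0.1 is listed)
    printf '%s\n' '[ req ]' 'distinguished_name = dn' 'prompt = no' \
        '[ dn ]' 'CN = Constructed Dev Server' > "$1/$2.cnf"
    printf '%s\n' 'subjectAltName = @alt_names' 'extendedKeyUsage = serverAuth' \
        '[alt_names]' 'DNS.1 = localhost' "$3" > "$1/$2.ext"
    openssl req -newkey rsa:2048 -nodes -sha256 -config "$1/$2.cnf" \
        -keyout "$1/$2.pvk" -out "$1/$2.req" 2>/dev/null &&
    openssl x509 -req -CA "$1/CA.cer" -CAkey "$1/CA.pvk" -CAcreateserial -sha256 \
        -days 1 -in "$1/$2.req" -out "$1/$2.cer" -extfile "$1/$2.ext" 2>/dev/null
}

check_leaf() {   # check_leaf DIR NAME VERIFY_OPTION VALUE ; status 0 = accepted
    openssl verify -CAfile "$1/CA.cer" -purpose sslserver "$3" "$4" \
        "$1/$2.cer" >/dev/null 2>&1
}

demo() {   # prints one result line per (leaf, check) pair
    d=$(mktemp -d) || return 1
    make_ca "$d" && issue_leaf "$d" dns_only 'DNS.2 = 127.0.0.1' &&
        issue_leaf "$d" with_ip 'IP.1 = 127.0.0.1' || { rm -rf "$d"; return 1; }
    for leaf in dns_only with_ip; do
        for check in '-verify_hostname localhost' '-verify_ip 127.0.0.1'; do
            # $check is deliberately unquoted so it splits into option and value
            if check_leaf "$d" "$leaf" $check; then r=ok; else r=FAIL; fi
            echo "$leaf $check: $r"
        done
    done
    rm -rf "$d"
}

demo
```

Only the dns_only certificate fails, and only on the -verify_ip check: an address stored as a DNS entry is not matched when the certificate is validated against an IP address.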