生成自签名CA+SSL证书

1、创建CA证书配置CA.cnf文件

[ req ]
distinguished_name  = req_distinguished_name
x509_extensions     = root_ca

[ req_distinguished_name ]
countryName                     = Country Name (2 letter code)
countryName_default             = CN
countryName_min                 = 2
countryName_max                 = 2
stateOrProvinceName             = State or Province Name (full name)
stateOrProvinceName_default     = HuBei
localityName                    = Locality Name (eg, city)
localityName_default            = WuHan
0.organizationName              = Organization Name (eg, company)
0.organizationName_default      = Development CA
organizationalUnitName          = Organizational Unit Name (eg, section)
organizationalUnitName_default  = Development CA
commonName                      = Common Name (eg, fully qualified host name)
commonName_default              = Development CA Certification Authority
commonName_max                  = 64
emailAddress                    = Email Address
emailAddress_default            = CA@dev.com
emailAddress_max                = 64

[ root_ca ]
basicConstraints            = critical, CA:true
  

2. 创建ssl证书cert.cnf文件

distinguished_name  = req_distinguished_name

[ req_distinguished_name ]
countryName                     = Country Name (2 letter code)
countryName_default             = CN
countryName_min                 = 2
countryName_max                 = 2
stateOrProvinceName             = State or Province Name (full name)
stateOrProvinceName_default     = HuBei
localityName                    = Locality Name (eg, city)
localityName_default            = WuHan
0.organizationName              = Organization Name (eg, company)
0.organizationName_default      = Development Server
organizationalUnitName          = Organizational Unit Name (eg, section)
organizationalUnitName_default  = Development Server
commonName                      = Common Name (eg, fully qualified host name)
commonName_default              = Development Server Certificate
commonName_max                  = 64
emailAddress                    = Email Address
emailAddress_default            = server@dev.com
emailAddress_max                = 64

 

3. 创建ssl证书subjectName描述文件cert.ext

subjectAltName = @alt_names
extendedKeyUsage = serverAuth

[alt_names]
DNS.1 = localhost
DNS.2 = 127.0.0.1

 

4. 创建CA+SSL证书

# 生成CA 证书
openssl req -x509 -newkey rsa:4096 -out CA.cer -outform PEM -keyout CA.pvk -days 3650 -verbose -config CA.cnf -nodes -sha256 

# 生成证书请求文件
openssl req -newkey rsa:4096 -keyout cert.pvk -out cert.req -config cert.cnf -sha256 -nodes

#生成证书
openssl x509 -req -CA CA.cer -CAkey CA.pvk -in cert.req -out cert.cer -days 3650 -extfile cert.ext -sha256 -set_serial 0x1111

 

将生成的CA.cer导入到系统受信任的根证书颁发机构中,cert证书配置到应用服务器,即可通过https访问应用服务器

配置了subjectName后Chrome将不会再报 Subject Alternative Name Missing & ERR_SSL_VERSION_OR_CIPHER_MISMATCH 的错误

posted @ 2018-05-04 11:51  雪域熊猫  阅读(3671)  评论(1编辑  收藏  举报