签发SSL多域名自签证书
本文章在CentOS7下操作通过.
多域名证书 , 有两种配置方式 :
1 . 使用openssl.cnf进行配置
2 . 直接命令行内内置生成
下面使用一个例子 , 来具体说明一下两种方式的做法 .
一 . 复制并修改openssl配置文件(openssl.cnf)
#CentOS的配置文件在/etc/pki/tls/下 mv /etc/pki/tls/openssl.cnf ./
修改配置文件并保存.
#这3个是取消注释并修改 copy_extensions = copy req_extensions = v3_req subjectAltName = @alt_names #新增alt_names节点并配置需要的域名和IP [alt_names] DNS.1 = *.org.example.com DNS.2 = *.abc.com IP.1 = 127.0.0.1 IP.2 = 2.0.12.10
二 . 生成根证书(CA) - 使用配置文件方式生成
#生成CA key文件 openssl genrsa -out ca.key 2048 #使用配置文件生成自签名CA证书 openssl req -x509 -new -nodes -key ca.key -sha256 -days 3650 \ -subj "/C=CN/ST=ZHEJIANG/L=HANGZHOU/O=WANMA/OU=COMPANY/CN=127.0.0.1" \ -config ./openssl.cnf -extensions v3_req \ -out ca.pem
# 直接命令行生成ca.pem , 该命令可以不用复制openssl.cnf openssl req -x509 -new -nodes -key ./ca.key -sha256 -days 3650 \ -subj "/C=CN/ST=ZHEJIANG/L=HANGZHOU/O=WANMA/OU=COMPANY/CN=127.0.0.1" \ -reqexts SAN \ -config <(cat /etc/pki/tls/openssl.cnf <(printf "\n[SAN]\nsubjectAltName=DNS:*.abc.com,IP:0.0.0.0")) \ -out ca.pem
#使用这个命令可以查看生成的CA证书是否支持多域名 openssl x509 -text -in ca.pem -noout
三 . 生成服务器端证书 - 使用配置文件方式生成
#生成Server端 Key文件 openssl genrsa -out server.key 2048 #生成签名请求 openssl req -new -key ./server.key \ -subj "/C=CN/ST=ZHEJIANG/L=HANGZHOU/O=WANMA/OU=COMPANY/CN=127.0.0.1" \ -config ./openssl.cnf -extensions v3_req \ -out server.csr #使用CA证书签名Server端证书 openssl x509 -req -in ./server.csr -CA ca.pem -CAkey ca.key -CAcreateserial \ -extfile ./openssl.cnf -extensions v3_req \ -days 3650 -sha256 -out server.pem
#使用这个命令可以查看生成的Server端证书是否支持多域名 openssl x509 -text -in server.pem -noout
四 . 生成客户端证书 - 使用命令行直接生成
注意 : 配置中的DNS和IP,没有配置文件中的.1 .2
#生成Client端 Key文件 openssl genrsa -out client.key 2048 #生成签名请求 - 直接嵌入命令方式 openssl req -new -key ./client.key \ -subj "/C=CN/ST=ZHEJIANG/L=HANGZHOU/O=WANMA/OU=COMPANY/CN=127.0.0.1" \ -reqexts SAN \ -config <(cat /etc/pki/tls/openssl.cnf <(printf "\n[SAN]\nsubjectAltName=DNS:*.org.example.com,DNS:*.abc.com,IP:127.0.0.1,IP:2.0.12.10")) \ -out client.csr #使用CA证书签名Client端证书 openssl x509 -req -in ./client.csr -CA ca.pem -CAkey ca.key -CAcreateserial \ -extensions SAN \ -extfile <(cat /etc/pki/tls/openssl.cnf <(printf "\n[SAN]\nsubjectAltName=DNS:*.org.example.com,DNS:*.abc.com,IP:127.0.0.1,IP:2.0.12.10")) \ -days 3650 -sha256 -out client.pem
#使用这个命令可以查看生成的Server端证书是否支持多域名 openssl x509 -text -in client.pem -noout
五 . 转成jks证书(Java相关的程序使用 , 带密码,安全一点)
#CA根证书生成 , 相当于把 ca.pem > ca.jks keytool -import -noprompt -file ca.pem -keystore ca.jks -storepass capassword
#Client证书生成 , 相当于 client.key + client.pem > client.jks #首先需要先转成p12格式的证书 openssl pkcs12 -export -in client.pem -inkey client.key -out client.p12 -passout pass:clientpassword #把p12证书转成jks证书 , 密码就不改了 keytool -importkeystore -srckeystore client.p12 -srcstoretype PKCS12 -destkeystore client.jks -srcstorepass clientpassword -deststorepass clientpassword
六 . Java中调用jks证书例子(以paho.client.mqttv3.MqttClient为例子)
package test.mqtt; import org.eclipse.paho.client.mqttv3.MqttClient; import org.eclipse.paho.client.mqttv3.MqttConnectOptions; import org.eclipse.paho.client.mqttv3.MqttException; import org.eclipse.paho.client.mqttv3.internal.security.SSLSocketFactoryFactory; import org.eclipse.paho.client.mqttv3.persist.MemoryPersistence; import java.util.Properties; /** * @author kreo * @description * @date 2020-6-23 23:15:16 */ public class MqttConnection { private final static String broker = "ssl://2.0.12.10:8883"; private final static String clientId = "LOCAL_JAVA_CLIENT"; private final static MemoryPersistence persistence = new MemoryPersistence(); private static MqttClient client; public static MqttClient getClient() { try { if (client == null) { client = new MqttClient(broker, clientId, persistence); // MQTT 连接选项 MqttConnectOptions connOptions = new MqttConnectOptions(); connOptions.setUserName("guest"); connOptions.setPassword("123456".toCharArray()); Properties sslProperties = new Properties(); sslProperties.put(SSLSocketFactoryFactory.KEYSTORE, "/usr/var/certs/client.jks"); sslProperties.put(SSLSocketFactoryFactory.KEYSTOREPWD, "client.wanmagroup.com"); sslProperties.put(SSLSocketFactoryFactory.KEYSTORETYPE, "JKS"); sslProperties.put(SSLSocketFactoryFactory.TRUSTSTORE, "/usr/var/certs/ca.jks"); sslProperties.put(SSLSocketFactoryFactory.TRUSTSTOREPWD, "wanmagroup.com"); sslProperties.put(SSLSocketFactoryFactory.TRUSTSTORETYPE, "JKS"); sslProperties.put(SSLSocketFactoryFactory.CLIENTAUTH, true); connOptions.setSSLProperties(sslProperties); // 保留会话 connOptions.setCleanSession(true); // 设置回调 client.setCallback(new OnMessageCallback()); // 建立连接 System.out.println("尝试建立连接... Broker >> " + broker); client.connect(connOptions); System.out.println("建立连接成功"); } } catch (MqttException me) { System.out.println("原因代码 " + me.getReasonCode()); System.out.println("信息 " + me.getMessage()); System.out.println("LOC " + me.getLocalizedMessage()); System.out.println("原因 " + me.getCause()); me.printStackTrace(); } return client; } public static void close() { try { client.disconnect(); System.out.println("断开连接"); client.close(); System.out.println("连接关闭"); } catch (MqttException me) { System.out.println("原因代码 " + me.getReasonCode()); System.out.println("信息 " + me.getMessage()); System.out.println("LOC " + me.getLocalizedMessage()); System.out.println("原因 " + me.getCause()); me.printStackTrace(); } } }
-sha256 -days 3650