Using OpenSSL to self-sign an SSL certificate that Chrome will recognize

  Guides on building your own CA and self-signing certificates are easy to find online, but after generating the certificates and importing the CA certificate into the client, Chrome kept showing the following error when visiting the site:
NET::ERR_CERT_COMMON_NAME_INVALID
  This server could not prove that it is domain.com; its security certificate does not specify Subject Alternative Names. This may be caused by a misconfiguration or an attacker intercepting your connection. I always assumed Chrome's security checks were simply too strict, since Firefox and IE did not have this problem, but later I found that the self-signed certificate itself was deficient.

I. Install openssl

[root@server ~]# sudo apt-get install openssl


II. Create the root certificate


# Create the directory for the local root certificate
[root@server ~]# mkdir -p certs/local && cd certs


# Generate the root key
[root@server ~/certs]# openssl genrsa -out local/boot.key 2048
Generating RSA private key, 2048 bit long modulus
.................................+++
.......................................+++
e is 65537 (0x10001)


# Generate the root CA certificate: the -days option sets the validity period (in days)
[root@server ~/certs]# openssl req -x509 -new -key local/boot.key -out local/boot.pem -days 3650
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) []:CN
State or Province Name (full name) []:Beijing
Locality Name (eg, city) []:Beijing
Organization Name (eg, company) []:Steeze
Organizational Unit Name (eg, section) []:https://www.steeze.cn
Common Name (eg, fully qualified host name) []:Steeze
Email Address []:402085437@qq.com

Once it is generated, import the root certificate file local/boot.pem into the browser and the operating system trust store.


III. Issue the application certificate

1. Create the application certificate request

# Create the application certificate directory
[root@server ~/certs]# mkdir web

# Generate the application certificate's key
[root@server ~/certs]# openssl genrsa -out web/app.key 2048
Generating RSA private key, 2048 bit long modulus
.........................................................................................................+++
.....................+++
e is 65537 (0x10001)

# Generate the certificate signing request
[root@server ~/certs]# openssl req -new -key web/app.key -out web/app.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) []:CN
State or Province Name (full name) []:Chongqing
Locality Name (eg, city) []:Chongqing
Organization Name (eg, company) []:Steeze app 
Organizational Unit Name (eg, section) []:https://www.app.com
Common Name (eg, fully qualified host name) []:App of steeze
Email Address []:spring.wind2006@163.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456


2. Create the certificate extension file

This file is what fixes Chrome's NET::ERR_CERT_COMMON_NAME_INVALID error: Chrome matches the host against the Subject Alternative Name extension rather than the certificate's Common Name, so the certificate must carry one. The file format differs depending on whether the certificate is issued for IP addresses or for domain names:

(1). Certificate for IP addresses

[root@server ~/certs]# vim web/app.ext
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName=@SubjectAlternativeName

[ SubjectAlternativeName ]
IP.1=192.168.1.1
IP.2=192.168.1.2

(2). Certificate for domain names (the wildcard "*" may be used)

[root@server ~/certs]# vim web/app.ext
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName=@SubjectAlternativeName

[ SubjectAlternativeName ]
DNS.1=app.com
DNS.2=*.app.com
DNS.3=test.com
DNS.4=*.test.com

extendedKeyUsage specifies the certificate's purpose, i.e. what it may be used for. The common values are:
serverAuth: verifies the identity of the remote computer
clientAuth: proves your identity to the remote computer
codeSigning: ensures that software comes from its publisher and has not been altered after release
emailProtection: protects e-mail messages
timeStamping: allows data to be signed with the current time
If it is not specified, the default is all application policies.


3. Sign the certificate

[root@server ~/certs]# openssl x509 -req -in web/app.csr -CA local/boot.pem -CAkey local/boot.key -CAcreateserial -out web/app.crt -days 3650 -sha256 -extfile web/app.ext
Signature ok
subject=/C=CN/ST=Chongqing/L=Chongqing/O=Steeze app/OU=https://www.app.com/CN=App of steeze/emailAddress=spring.wind2006@163.com
Getting CA Private Key
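The root CA, CSR, extension file and signing steps above, as an added non-interactive example that is not from the original post, followed by the checks a practitioner should run before deploying (chain verification and host-name matching through the SAN). The directory layout mirrors the post; the -subj values and the SAN entries are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): the root CA, CSR, extension file and
# signing steps run non-interactively, then checked. Paths, -subj values and
# the SAN entries are constructed assumptions.
set -eu

WORK="${WORK:-$(mktemp -d)}"
cd "$WORK"
mkdir -p local web

# Root CA: key and self-signed certificate; -subj replaces the interactive prompts.
openssl genrsa -out local/boot.key 2048 2>/dev/null
openssl req -x509 -new -key local/boot.key -out local/boot.pem -days 3650 \
  -subj "/C=CN/ST=Beijing/L=Beijing/O=Steeze/CN=Steeze Root CA"

# Application key and certificate signing request.
openssl genrsa -out web/app.key 2048 2>/dev/null
openssl req -new -key web/app.key -out web/app.csr \
  -subj "/C=CN/ST=Chongqing/L=Chongqing/O=Steeze app/CN=app.com"

# Extension file: subjectAltName is the part Chrome actually matches the host against;
# the CN alone is ignored, which is what produces NET::ERR_CERT_COMMON_NAME_INVALID.
cat > web/app.ext <<'EOF'
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = @SubjectAlternativeName

[ SubjectAlternativeName ]
DNS.1 = app.com
DNS.2 = *.app.com
IP.1 = 192.168.1.1
EOF

# Sign the CSR with the root CA and attach the extensions from the file.
openssl x509 -req -in web/app.csr -CA local/boot.pem -CAkey local/boot.key \
  -CAcreateserial -out web/app.crt -days 3650 -sha256 -extfile web/app.ext 2>/dev/null

# Checks to run before deploying: the chain verifies against our root, the SAN
# extension is present, and the host name (wildcard included) matches via the SAN.
cert_chain_ok() { openssl verify -CAfile local/boot.pem web/app.crt >/dev/null 2>&1; }
cert_has_san() { openssl x509 -in web/app.crt -noout -text | grep -q "DNS:$1"; }
cert_matches_host() {
  openssl verify -CAfile local/boot.pem -verify_hostname "$1" web/app.crt >/dev/null 2>&1
}

cert_chain_ok && cert_has_san app.com && cert_matches_host test.app.com \
  || { echo "certificate check failed" >&2; exit 1; }
echo "certificate OK: $WORK/web/app.crt"
```

A certificate signed without the -extfile step fails cert_matches_host even though its CN is app.com, which is exactly the case Chrome rejects.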


4. Deploy the application certificate

Upload the application certificate app.crt and its key app.key from the web directory to the server, then configure HTTPS access on the server.

Example nginx configuration:

server {
     listen 443 ssl;
     server_name test.app.com;
     root /www/public;
     ssl_certificate "/usr/local/nginx/conf/cert/app.crt";
     ssl_certificate_key "/usr/local/nginx/conf/cert/app.key";
}


Reference article: https://www.cnblogs.com/will-space/p/11913744.html

Posted 2021-01-13 17:46 by 程序人生♨︎, 2483 views, 0 comments