Azure Lei Zhang的博客

weibo: LeiZhang的微博/QQ: 185165016/QQ群:319036205/邮箱:leizhang1984@outlook.com/TeL:139-161-22926

  博客园 :: 首页 :: 博问 :: 闪存 :: 新随笔 :: 联系 :: 订阅 订阅 :: 管理 ::

  《Windows Azure Platform 系列文章目录

 

  Azure Application Gateway可以使用SAN证书,创建多站点域名。

  SANs是Subject Alternate Names的简称,SANs证书是一种SSL证书,它支持添加多个域名,允许将多个域名写入同一个证书中,这样就可以保护多个域名,从而降低了运维人员的管理成本,提高了证书管理效率

  比如www.bing.com的证书,如下图:

  

 

  我们首先需要准备一下pfx证书,具体步骤如下:

  1.首先安装openssl。步骤略

  2.创建私钥:

openssl genrsa -des3 -out example.com.key 2048

  3.生成CSR

openssl req -new -key example.com.key -out example.com.csr
Enter pass phrase for example.com.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:XX
State or Province Name (full name) []:State
Locality Name (eg, city) [Default City]:City
Organization Name (eg, company) [Default Company Ltd]:Company
Organizational Unit Name (eg, section) []:BU
Common Name (eg, your name or your server's hostname) []:*.example.com
Email Address []:admin@example.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

 

  

  3.从秘钥中删除密码

cp example.com.key example.com.key.org
openssl rsa -in example.com.key.org -out example.com.key

 

  4.为SAN证书创建config file

touch v3.ext

  在文件里,保存如下信息:

subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always,issuer:always
basicConstraints       = CA:TRUE
keyUsage               = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment, keyAgreement, keyCertSign
subjectAltName         = DNS:example.com, DNS:*.example.com
issuerAltName          = issuer:copy

  注意subjectAltName里,设置你需要的DNS Name

  我这里设置如下:

subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always,issuer:always
basicConstraints       = CA:TRUE
keyUsage               = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment, keyAgreement, keyCertSign
subjectAltName         = DNS:leicorp.biz, DNS:*.leicorp.biz, DNS:leidemo.biz, DNS:*.leidemo.biz
issuerAltName          = issuer:copy

 

  5.创建自签名证书:

openssl x509 -req -in example.com.csr -signkey example.com.key -out example.com.crt -days 3650 -sha256 -extfile v3.ext

 

  6.把crt证书转换为pfx证书

openssl pkcs12 -export -out certificate.pfx -inkey example.com.key -in example.com.crt

 

  如果要导出pem证书,请按照下面操作:

openssl pkcs12 -export -out certificate.pem -inkey example.com.key -in example.com.crt

 

 

  7.把certificate.pfx证书下载到本地

 

  8.创建Azure Application Gateway v2,创建basic listener,上传pfx证书。

  这里一个SAN证书包含多个域名,只需要创建一个listener即可。

  

  

  9.设置Application Gateway Rule。

  

 

  10.修改DNS指向,或者修改windows的host文件

  11.登录域名,查看证书效果:

  

 

posted on 2022-07-10 16:20  Lei Zhang的博客  阅读(423)  评论(0编辑  收藏  举报