使用OpenSSL生成SANs证书实操

当初:

原来的x.509证书,生成就一行代码,非常方便:

openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout key.pem -out cert.pem

然后按照提示输入机构和dns信息即可。 

 

然而:

最近在开发一个websocket项目时,需要将原来的ws协议升级为wss协议。代码在机器A(win7)上调试没问题,在机器B(win10+go1.22.3)上调试,报错:

PS E:\zjw\golang\ws> go run ws/server1wss/client
2024/10/30 15:45:37 Error connecting to server: x509: certificate relies on legacy Common Name field, use SANs instead 

经查,go1.15以后的版本废弃了依赖Common Name字段的x509证书,必须使用SANs证书。SANs是Subject Alternate Names的简称,它支持添加多个域名,允许将多个域名写入同一个证书中,这样就可以保护多个域名,从而降低了运维人员的管理成本,提高了证书管理效率。

采用如下方法创建证书:

1.首先安装openssl。步骤略。

2.创建私钥:

PS E:\zjw\ca_fsd>  openssl genrsa -des3 -out fusude.com.key 2048

3. 生成CSR。按照提示输入信息即可。

PS E:\zjw\ca_fsd> openssl req -new -key fusude.com.key -out fusude.com.csr
Enter pass phrase for fusude.com.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:hebei
Locality Name (eg, city) []:shijiazhuang
Organization Name (eg, company) [Internet Widgits Pty Ltd]:fusude
Organizational Unit Name (eg, section) []:dept
Common Name (e.g. server FQDN or YOUR name) []:zjw
Email Address []:zjw@fusude.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:*********
An optional company name []:fusude

4. 从秘钥中删除密码(特别提示:密码要用到,另外记好!

PS E:\zjw\ca_fsd> cp fusude.com.key fusude.com.key.org
PS E:\zjw\ca_fsd> openssl rsa -in fusude.com.key.org -out fusude.com.key

5. 为SAN证书创建config file,名字无所谓,例如叫v3.txt,内容如下。注意subjectAltName里,设置你需要的DNS Name

subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
basicConstraints = CA:TRUE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment, keyAgreement, keyCertSign
subjectAltName = DNS:fusude.com, DNS:*.fusude.com
issuerAltName = issuer:copy

6. 创建自签名证书,生成的crt文件即为我们需要的SANs证书:

PS E:\zjw\ca_fsd> openssl x509 -req -in fusude.com.csr -signkey fusude.com.key -out fusude.com.crt -days 3650 -sha256 -extfile v3.txt
Signature ok
subject=C = CN, ST = hebei, L = shijiazhuang, O = fusude, OU = dept, CN = zjw, emailAddress = zjw@fusude.com
Getting Private keys

7. 还可以转换为pfx或pem格式:

PS E:\zjw\ca_fsd> openssl pkcs12 -export -out fusude.com.pfx -inkey fusude.com.key -in fusude.com.crt
Enter Export Password:
Verifying - Enter Export Password:

PS E:\zjw\ca_fsd> openssl pkcs12 -export -out fusude.com.pem -inkey fusude.com.key -in fusude.com.crt
Enter Export Password:
Verifying - Enter Export Password:

8. 自签名证书的使用不展开论述。仅提醒一句话:一般的应用都是单向验证,客户端需要预先将自签名证书放入受信任的根证书容器里(windows使用certmgr.msc,linux使用update-ca-certificates命令),而服务端则只要在服务启动时加载证书即可,不需要额外的证书收入容器操作。

  

感谢Azure Lei Zhang的博客  : Azure Application Gateway (6) 使用OpenSSL创建SAN证书

 

posted @ 2024-10-30 16:48  张疯牛  阅读(60)  评论(0编辑  收藏  举报
石家庄坦图计算机科技有限公司 石家庄市丰收路220号泽润大厦17层