Green posted on 2021-8-9 15:37:06

Notes on OpenSSL and the SAN extension

1. Building your own root CA

1.1 Method 1

openssl genrsa -out ca.key 2048
openssl req -new -x509 -days 3650 -key ca.key -out ca.crt -subj "/C=CN/ST=GD/L=SZ/O=TESTONE/CN=domain1/CN=domain2/CN=domain3"

1.2 Method 2

openssl req -x509 -newkey rsa:4096 -keyout ca.key -out ca.crt -nodes -days 3650 -subj "/C=CN/ST=GD/L=SZ/O=TESTONE/CN=domain1/CN=domain2/CN=domain3"

1.3 Method 3

Or self-sign with the x509 command (this path does not use OpenSSL's configuration file):

openssl req -new -keyout ca.key -nodes -out ca.csr -subj "/C=CN/ST=GD/L=SZ/O=TESTONE/CN=domain1/CN=domain2/CN=domain3"
openssl x509 -req -days 3650 -in ca.csr -signkey ca.key -out ca.crt

1.4 Method 4

openssl genrsa -out ca.key 2048
openssl req -new -key ca.key -out ca.csr -subj "/C=CN/ST=GD/L=SZ/O=TESTONE/CN=domain1/CN=domain2/CN=domain3"
openssl x509 -req -days 3650 -in ca.csr -signkey ca.key -out ca.crt

2. Building a multi-domain, multi-IP root CA certificate
2.1 Create the ca directory

cd /tmp && mkdir ca && cd ca

2.2 Create the configuration file san.cnf

(The [ alt_names ] section header that @alt_names refers to was missing from the original listing and is restored here; without it OpenSSL cannot resolve the reference.)

cat > san.cnf <<EOF
[ req ]
default_bits       = 2048
distinguished_name = req_distinguished_name
req_extensions     = v3_req

[ req_distinguished_name ]
countryName                 = Country Name (2 letter code)
stateOrProvinceName         = State or Province Name (full name)
localityName               = Locality Name (eg, city)
organizationName           = Organization Name (eg, company)
commonName                 = Common Name (e.g. server FQDN or YOUR name)

[ v3_req ]
subjectAltName = @alt_names

[ alt_names ]
DNS.1   = www.netsarang.com
DNS.2   = localhost
IP.1    = 127.0.0.1
IP.2    = 192.168.14.37
EOF

2.3 Create the multi-domain certificate

openssl req -x509 -newkey rsa:4096 -keyout ca.key -out ca.crt -extensions v3_req -config san.cnf -nodes -days 3650 -subj "/C=CN/ST=GD/L=SZ/O=TESTONE/CN=domain1/CN=domain2/CN=domain3"

2.4 View the certificate details

openssl x509 -noout -text -in ca.crt | grep DNS

3. Signing a multi-domain server certificate with the root CA
3.1 Create the ca directory

cd /tmp && mkdir ca && cd ca

3.2 Create the server certificate request

openssl req -out server.csr -newkey rsa:2048 -nodes -keyout server.key -subj "/C=CN/ST=GD/L=SZ/O=TESTONE/CN=server1"

3.3 Write the extension file. These extensions describe the server being certified; the server does not need to add them when it generates its CSR. (The [ alt_names ] section header referenced by @alt_names was missing from the original listing and is restored here.)

cat > v3.ext <<EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[ alt_names ]
DNS.1   = www.netsarang.com
DNS.2   = localhost
IP.1    = 127.0.0.1
IP.2    = 192.168.14.37
EOF

3.4 Sign with the CA (see "Building your own root CA" above)

openssl x509 -req -sha512 -days 3650 -extfile v3.ext -CA ca.crt -CAkey ca.key -CAcreateserial -in server.csr -out server.crt

3.5 View the certificate's extensions

openssl x509 -noout -text -in server.crt | grep DNS

4. Signing a multi-domain server certificate with the root CA (example found online; the scenario where the bug appears)
4.1 Create the ca directory

cd /tmp && mkdir ca && cd ca

4.2 Create the configuration file san.cnf

cat > san.cnf <<EOF
[ req ]
default_bits       = 2048
distinguished_name = req_distinguished_name
req_extensions     = v3_req

[ req_distinguished_name ]
countryName                 = Country Name (2 letter code)
stateOrProvinceName         = State or Province Name (full name)
localityName               = Locality Name (eg, city)
organizationName           = Organization Name (eg, company)
commonName                 = Common Name (e.g. server FQDN or YOUR name)

[ v3_req ]
subjectAltName = @alt_names

[ alt_names ]
DNS.1   = www.netsarang.com
DNS.2   = localhost
IP.1    = 127.0.0.1
IP.2    = 192.168.14.37
EOF

4.3.1 Create the server certificate

openssl req -x509 -newkey rsa:4096 -keyout server.key -out ca.crt -config san.cnf -nodes -days 365 -subj "/C=CN/ST=GD/L=SZ/O=TESTONE/CN=domain1/CN=domain2/CN=domain3"

4.3.2 Create the server request from the command line (with -addext)

Requires openssl version > 1.1.1.

openssl req -new -subj "/C=GB/CN=foo" \
    -addext "subjectAltName = DNS:foo.co.uk" \
    -addext "certificatePolicies = 1.2.3.4" \
    -newkey rsa:2048 -keyout key.pem -out req.pem

4.4 View the certificate request's extensions (the requested extensions are visible here)

openssl req -noout -text -in ca.crt | grep DNS

4.5 Sign with the CA

Signing with the command below may hit a bug; see No. 2 above for the workaround. References:

openssl-issues3708
Missing X509 extensions with an openssl-generated certificate

openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -out server.crt -CAcreateserial -days 365

4.6 View the certificate's extensions (the extensions are simply gone)

openssl x509 -noout -text -in ca.crt | grep DNS

Certificate conversion reference
openssl x509 -inform PEM -in xx.com.crt -out xxx.com.cert

Key usage and certificate types

Certificate usage

OpenSSL key usages:

Digital signature:   digitalSignature
Non-repudiation:     nonRepudiation
Key encipherment:    keyEncipherment
Data encipherment:   dataEncipherment
Key agreement:       keyAgreement
Certificate signing: keyCertSign
CRL signing:         cRLSign
Encipher only:       encipherOnly
Decipher only:       decipherOnly

References

OPENSSL X509
https://security.stackexchange.com/questions/74345/provide-subjectaltname-to-openssl-directly-on-the-command-line
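Added example, not part of the original post: a POSIX shell script that reproduces the pitfall of section 4 (openssl x509 -req ignores the SAN requested in the CSR) beside the fix of section 3 (the signer supplies the extensions via -extfile), and verifies the fixed certificate against the CA. The names www.example.test, 10.0.0.5 and "Demo Root CA" are constructed sample values; everything runs in a temporary directory.

```shell
# Added example, not from the original post: section 4's pitfall (x509 -req drops
# the SAN the CSR requested) beside section 3's fix (-extfile); sample values constructed.
set -eu
# Count SAN entries (DNS + IP) in a PEM certificate and print the number.
san_count() {
    openssl x509 -noout -text -in "$1" \
        | grep -o -E 'DNS:[^,]+|IP Address:[^,]+' | wc -l | tr -d ' '
}
# Build a root CA and a SAN-requesting CSR, sign it twice, print "<without extfile> <with extfile>".
san_demo() {
    work=$(mktemp -d)
    (
        cd "$work"
        cat > san.cnf <<'EOF'
[ req ]
distinguished_name = req_distinguished_name
req_extensions     = v3_req
x509_extensions    = v3_ca
[ req_distinguished_name ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage         = keyCertSign, cRLSign
[ v3_req ]
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = www.example.test
DNS.2 = localhost
IP.1  = 10.0.0.5
EOF
        # Root CA (section 1.2 shape); -x509 takes x509_extensions (v3_ca), not v3_req.
        openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -config san.cnf \
            -subj "/C=CN/O=TESTONE/CN=Demo Root CA" -keyout ca.key -out ca.crt 2>/dev/null
        # Server CSR; req_extensions embeds the SAN in the request itself.
        openssl req -new -newkey rsa:2048 -nodes -config san.cnf \
            -subj "/C=CN/O=TESTONE/CN=server1" -keyout server.key -out server.csr 2>/dev/null
        # Signer-side extension file (section 3.3's v3.ext), reusing alt_names.
        printf '%s\n' 'basicConstraints = CA:FALSE' 'extendedKeyUsage = serverAuth' \
            'subjectAltName = @alt_names' > v3.ext
        sed -n '/^\[ alt_names \]/,$p' san.cnf >> v3.ext
        # Section 4.5 (buggy): requested extensions in the CSR are silently ignored.
        openssl x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key \
            -CAcreateserial -out bad.crt 2>/dev/null
        # Section 3.4 (fixed): the signer supplies extensions via -extfile.
        openssl x509 -req -days 365 -extfile v3.ext -in server.csr -CA ca.crt \
            -CAkey ca.key -CAcreateserial -out good.crt 2>/dev/null
        openssl verify -CAfile ca.crt good.crt >/dev/null   # chains to the CA
        echo "$(san_count bad.crt) $(san_count good.crt)"
    )
    rm -rf "$work"
}
```

Running san_demo prints "0 3": the certificate signed without -extfile carries no SAN at all, the one signed with -extfile carries the two DNS names and the IP address.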


Source: 51CTO technical blog, https://blog.51cto.com/u_9406836/3301822