[Linux] Notes on OpenSSL and the SAN extension

服务系统 · published 2021-08-09 15:37 | views: 640 | comments: 0

1. Build your own root CA
1.1 Method 1
openssl genrsa -out ca.key 2048
openssl req -new -x509 -days 3650 -key ca.key -out ca.crt -subj "/C=CN/ST=GD/L=SZ/O=TESTONE/CN=domain1/CN=domain2/CN=domain3"
1.2 Method 2
openssl req -x509 -newkey rsa:4096 -keyout ca.key -out ca.crt -nodes -days 3650 -subj "/C=CN/ST=GD/L=SZ/O=TESTONE/CN=domain1/CN=domain2/CN=domain3"
1.3 Method 3
Alternatively, self-sign with x509 (this path does not use the openssl config file):
openssl req -new -keyout ca.key -nodes -out ca.csr -subj "/C=CN/ST=GD/L=SZ/O=TESTONE/CN=domain1/CN=domain2/CN=domain3"
openssl x509 -req -days 3650 -in ca.csr -signkey ca.key -out ca.crt
1.4 Method 4
openssl genrsa -out ca.key 2048
openssl req -new -key ca.key -out ca.csr -subj "/C=CN/ST=GD/L=SZ/O=TESTONE/CN=domain1/CN=domain2/CN=domain3"
openssl x509 -req -days 3650 -in ca.csr -signkey ca.key -out ca.crt
2. Build a root CA certificate with multiple domain names and IP addresses
2.1 Create the ca directory
cd /tmp && mkdir ca && cd ca
2.2 Create the config file san.cnf
cat > san.cnf <<EOF
[ req ]
default_bits       = 2048
distinguished_name = req_distinguished_name
req_extensions     = v3_req

[ req_distinguished_name ]
countryName                 = Country Name (2 letter code)
stateOrProvinceName         = State or Province Name (full name)
localityName                = Locality Name (eg, city)
organizationName            = Organization Name (eg, company)
commonName                  = Common Name (e.g. server FQDN or YOUR name)

[ v3_req ]
subjectAltName = @alt_names

[alt_names]
DNS.1   = www.netsarang.com
DNS.2   = localhost
IP.1    = 127.0.0.1
IP.2    = 192.168.14.37
EOF
2.3 Create the multi-domain certificate
openssl req -x509 -newkey rsa:4096 -keyout ca.key -out ca.crt -extensions v3_req -config san.cnf -nodes -days 3650 -subj "/C=CN/ST=GD/L=SZ/O=TESTONE/CN=domain1/CN=domain2/CN=domain3"
2.4 Inspect the certificate details
openssl x509 -noout -text -in ca.crt | grep DNS
3. Sign a multi-domain server certificate with the root CA
3.1 Create the ca directory
cd /tmp && mkdir ca && cd ca
3.2 Create the server certificate request (CSR)
openssl req -out server.csr -newkey rsa:2048 -nodes -keyout server.key -subj "/C=CN/ST=GD/L=SZ/O=TESTONE/CN=server1"
3.3 Write the extension file. It describes the server being certified; the server itself does not need it when generating its CSR.
cat > v3.ext <<EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1   = www.netsarang.com
DNS.2   = localhost
IP.1    = 127.0.0.1
IP.2    = 192.168.14.37
EOF
3.4 Sign with the CA (see section 1 for building the CA)
openssl x509 -req -sha512 -days 3650 -extfile v3.ext -CA ca.crt -CAkey ca.key -CAcreateserial -in server.csr -out server.crt
3.5 Inspect the certificate extensions
openssl x509 -noout -text -in server.crt | grep DNS
4. Sign a multi-domain server certificate with the root CA (example found online; reproduces the bug scenario)
4.1 Create the ca directory
cd /tmp && mkdir ca && cd ca
4.2 Create the config file san.cnf
cat > san.cnf <<EOF
[ req ]
default_bits       = 2048
distinguished_name = req_distinguished_name
req_extensions     = v3_req

[ req_distinguished_name ]
countryName                 = Country Name (2 letter code)
stateOrProvinceName         = State or Province Name (full name)
localityName                = Locality Name (eg, city)
organizationName            = Organization Name (eg, company)
commonName                  = Common Name (e.g. server FQDN or YOUR name)

[ v3_req ]
subjectAltName = @alt_names

[alt_names]
DNS.1   = www.netsarang.com
DNS.2   = localhost
IP.1    = 127.0.0.1
IP.2    = 192.168.14.37
EOF
4.3.1 Create the server certificate request (the SAN is placed in the CSR through san.cnf)
openssl req -new -newkey rsa:4096 -keyout server.key -out server.csr -config san.cnf -nodes -subj "/C=CN/ST=GD/L=SZ/O=TESTONE/CN=domain1/CN=domain2/CN=domain3"
4.3.2 Add the extensions from the command line instead
Requires openssl version > 1.1.1
openssl req -new -subj "/C=GB/CN=foo" \
    -addext "subjectAltName = DNS:foo.co.uk" \
    -addext "certificatePolicies = 1.2.3.4" \
    -newkey rsa:2048 -keyout key.pem -out req.pem
4.4 Inspect the certificate request extensions (the requested extensions are visible here)
openssl req -noout -text -in server.csr | grep DNS
4.5 Sign with the CA
The following command may hit the bug; see NO2 for the fix. References:
openssl-issues3708
Missing X509 extensions with an openssl-generated certificate
openssl x509 -req -in server.csr  -CA ca.crt -CAkey ca.key -out server.crt -CAcreateserial -days 365
4.6 Inspect the certificate extensions (the extensions are simply gone)
openssl x509 -noout -text -in server.crt | grep DNS
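The script below is an added example, not code from the original post. It ties sections 2 through 4 together in one POSIX shell run: it builds a root CA from a constructed minimal config (so it does not depend on the system openssl.cnf), creates a server CSR that carries the post's SAN entries, then signs that CSR twice, once with -extfile as in section 3 and once without as in section 4, and counts the DNS names in each result. It finishes with openssl verify -verify_hostname, which is the check a client actually performs: a name is accepted only if the CA signs the certificate and the name is in the SAN. The working directory, the subject strings and the config file contents are constructed for this example; the SAN values are the post's own.

```shell
#!/bin/sh
# Added example (not from the original post). Requires the openssl CLI (1.1.1 or newer).
set -eu

WORK=$(mktemp -d)                                     # constructed scratch directory
SUBJ_CA="/C=CN/ST=GD/L=SZ/O=TESTONE/CN=Example Root CA"   # constructed CA subject
SUBJ_SRV="/C=CN/ST=GD/L=SZ/O=TESTONE/CN=server1"
SAN="DNS:www.netsarang.com, DNS:localhost, IP:127.0.0.1, IP:192.168.14.37"

# Minimal config (constructed): v3_ca marks the CA, v3_req puts the SAN into the CSR.
cat > "$WORK/san.cnf" <<EOF
[ req ]
distinguished_name = dn
req_extensions     = v3_req
x509_extensions    = v3_ca
[ dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage         = keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_req ]
subjectAltName = $SAN
EOF

# Section 2 style: self-signed root CA driven by the config file.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -config "$WORK/san.cnf" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" -subj "$SUBJ_CA" 2>/dev/null
}

# Section 4.3.1 style: a CSR whose request extensions carry the SAN.
make_csr() {
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/san.cnf" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" -subj "$SUBJ_SRV" 2>/dev/null
}

# Section 3: sign with an explicit extension file; the SAN and EKU are applied.
sign_with_extfile() {
  cat > "$WORK/v3.ext" <<EOF
authorityKeyIdentifier = keyid,issuer
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = $SAN
EOF
  openssl x509 -req -sha256 -days 365 -extfile "$WORK/v3.ext" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -in "$WORK/server.csr" -out "$WORK/server-good.crt" 2>/dev/null
}

# Section 4.5: sign without -extfile; x509 -req does not copy the CSR's extensions.
sign_without_extfile() {
  openssl x509 -req -sha256 -days 365 \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -in "$WORK/server.csr" -out "$WORK/server-bad.crt" 2>/dev/null
}

# Number of DNS names in the certificate's SAN (0 when the SAN is missing).
san_count() {
  openssl x509 -noout -text -in "$1" | grep -o 'DNS:[^, ]*' | wc -l | tr -d ' '
}

# Client-side check: chain to the CA and hostname match against the SAN.
verify_host() {
  openssl verify -CAfile "$WORK/ca.crt" -verify_hostname "$2" "$1" >/dev/null 2>&1
}

demo() {
  make_ca && make_csr && sign_with_extfile && sign_without_extfile
  echo "DNS names in SAN, signed with -extfile:    $(san_count "$WORK/server-good.crt")"
  echo "DNS names in SAN, signed without -extfile: $(san_count "$WORK/server-bad.crt")"
}
demo
```

Two points worth keeping in mind when reading the output. First, repeating CN=... several times in -subj (as the post's examples do) does not produce a SAN; browsers and TLS libraries match hostnames against the SAN and ignore the CN, so the names have to go through an extension file, the config's req_extensions, or -addext. Second, the section 4 failure is silent: the CSR shows the SAN, the signed certificate does not, and nothing in the signing step warns you, so checking the signed certificate (san_count or openssl verify -verify_hostname) rather than the CSR is the check that matters.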
5. Certificate conversion reference
openssl x509 -inform PEM -in xx.com.crt -out xxx.com.cert
6. Key usage and certificate types
Certificate usage
OpenSSL keyUsage values:
digitalSignature   (digital signature)
nonRepudiation     (non-repudiation)
keyEncipherment    (key encipherment)
dataEncipherment   (data encipherment)
keyAgreement       (key agreement)
keyCertSign        (certificate signing)
cRLSign            (CRL signing)
encipherOnly       (encipher only)
decipherOnly       (decipher only)
References
OPENSSL X509
[Provide subjectAltName to openssl directly on the command line](https://security.stackexchange.com/questions/74345/provide-subjectaltname-to-openssl-directly-on-the-command-line)