Generating a self-signed certificate for multiple DNS names with openssl

Notes

Note: [host] below stands for whatever CN you choose for the certificate (an IP address, domain name, hostname, etc.). Modern TLS clients match the server name against subjectAltName and ignore the CN, so the DNS entries added to openssl.cnf below are what actually make one certificate valid for several domains.

Generate the CA key

openssl genrsa -aes256 -out ca-key.pem 4096

Output

Generating RSA private key, 4096 bit long modulus
....................................................................................++
...........................................................................++
e is 65537 (0x10001)
Enter pass phrase for ca-key.pem:
Verifying - Enter pass phrase for ca-key.pem:

Edit openssl.cnf

Work on a copy of the system openssl.cnf in the current directory, since every command below passes -config openssl.cnf. Make sure the following two lines are present under [ req ] (the first is there by default; the second is present but commented out):

[ req ]
distinguished_name = req_distinguished_name
req_extensions = v3_req

At the end of the [ v3_req ] section add subjectAltName = @alt_names, then add a new [ alt_names ] section listing every DNS name the certificate must cover (the first two lines of [ v3_req ] exist by default):

[ v3_req ]

# Extensions to add to a certificate request

basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment

# added
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = *.domain1.com
DNS.2 = *.domain2.com
DNS.3 = *.domain3.com

Additional requirements

openssl.cnf expects the CA database files and directories to exist (openssl ca uses them to record every certificate it issues):

####################################################################
[ CA_default ]

dir        = /etc/pki/CA        # Where everything is kept
[root@localhost]# ls /etc/pki/CA
[root@localhost]# mkdir -p /etc/pki/CA/{certs,crl,newcerts,private}
[root@localhost]# touch /etc/pki/CA/index.txt
[root@localhost]# echo 00 > /etc/pki/CA/serial

Starting the serial file at 00 is what produces "Serial Number: 0" in the signing output further down. RFC 5280 requires certificate serial numbers to be positive integers, so 01 is the safer starting value.

Self-sign the CA certificate

openssl req -new -x509 -days 3650 -key ca-key.pem -sha256 -out ca-cert.pem -config openssl.cnf
#fill in the requested fields step by step: country code, province, city, organization, etc.

With -x509, req builds the certificate from the x509_extensions section named in [ req ] ([ v3_ca ] by default, which sets CA:TRUE); the v3_req section edited above is not used for the CA certificate.

Output

Enter pass phrase for ca-key.pem:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:GZ
Locality Name (eg, city) [Default City]:ZY
Organization Name (eg, company) [Default Company Ltd]:Com Ltd
Organizational Unit Name (eg, section) []:Dev
Common Name (eg, your name or your server's hostname) []:[host]
Email Address []:ca@domain.com

Generate the server key

openssl genrsa -out server-key.pem 4096

Output

Generating RSA private key, 4096 bit long modulus
....................................................................++
.................................................................................................................................................................................................++
e is 65537 (0x10001)

Generate the server certificate signing request

openssl req -sha256 -new -key server-key.pem -out server.csr -config openssl.cnf
#fill in the requested fields step by step: country code, province, city, organization, etc.

Output

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [GZ]:
Locality Name (eg, city) [ZY]:
Organization Name (eg, company) [Com Ltd]:
Organizational Unit Name (eg, section) [Domain Control Validated]:Dev
Common Name (eg, your name or your server's hostname) []:*.domain1.com
Email Address []:ca@domain.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:Com Ltd

Sign the server certificate

openssl ca -days 3650 -in server.csr -out server-cert.pem -cert ca-cert.pem -keyfile ca-key.pem -extensions v3_req -config openssl.cnf

The extensions in the issued certificate come from the v3_req section of the config passed to openssl ca, not from the CSR: unless copy_extensions is set in [ CA_default ], openssl ca ignores any extensions the request carries. Note also that the default policy_match policy requires the countryName, stateOrProvinceName and organizationName of the request to match those of the CA certificate, which is why the CSR above reuses CN, GZ and Com Ltd.

Output

Using configuration from openssl.cnf
Enter pass phrase for ca-key.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 0 (0x0)
        Validity
            Not Before: Dec 29 08:43:06 2017 GMT
            Not After : Dec 27 08:43:06 2027 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = GZ
            organizationName          = Com Ltd
            organizationalUnitName    = Dev
            commonName                = *.domain1.com
            emailAddress              = ca@domain.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage:
                Digital Signature, Non Repudiation, Key Encipherment
            X509v3 Subject Alternative Name:
                DNS:*.domain1.com, DNS:*.domain2.com, DNS:*.domain3.com
Certificate is to be certified until Dec 27 08:43:06 2027 GMT (3650 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

Generate the client key

openssl genrsa -out client-key.pem 4096

Output

Generating RSA private key, 4096 bit long modulus
...........................................................................................++
....................................................................................................++
e is 65537 (0x10001)

Generate the client certificate signing request

openssl req -sha256 -new -key client-key.pem -out client.csr -config openssl.cnf

Sign the client certificate

openssl ca -days 3650 -in client.csr -out client-cert.pem -cert ca-cert.pem -keyfile ca-key.pem -extensions v3_req -config openssl.cnf

Because the same v3_req section is used, the client certificate receives the same *.domain1.com / *.domain2.com / *.domain3.com SAN list as the server certificate, and with no extendedKeyUsage it is accepted as either a server or a client certificate. For anything beyond a lab setup, sign client certificates with a separate extension section that carries extendedKeyUsage = clientAuth and no server names.

Check the certificates

#check the server certificate
openssl x509 -in server-cert.pem -text -noout
openssl verify -CAfile ca-cert.pem server-cert.pem

#check the client certificate
openssl x509 -in client-cert.pem -text -noout
openssl verify -CAfile ca-cert.pem client-cert.pem

openssl verify as used here only checks the chain and the validity period; it does not check whether any SAN entry matches a hostname.
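The whole procedure above, scripted so it runs without prompts, as an added example that is not part of the original page. It assumes openssl 1.1.1 or 3.x on PATH, writes its own small config instead of editing the system openssl.cnf, signs with openssl x509 -req instead of openssl ca (so no /etc/pki/CA database is needed), keeps the CA key AES-256 encrypted with a passphrase read from a 0600 file, and gives the client certificate its own extension section with extendedKeyUsage = clientAuth. Keys are 2048 bits only to keep the demo fast where the page uses 4096; the domain names, the CA name and the passphrase are constructed placeholders. The checks at the end go beyond the page's plain openssl verify: -purpose shows that the client certificate is rejected as a server certificate, and -verify_hostname shows that the wildcard covers www.domain1.com and api.domain3.com but not the bare apex domain1.com or a two-level subdomain.

```shell
#!/bin/sh
# Added example (not the page's own commands): the page's CA -> server -> client
# flow run non-interactively. Assumptions: openssl 1.1.1 or 3.x on PATH; a
# script-owned config instead of the system openssl.cnf; "openssl x509 -req"
# as the signer (no /etc/pki/CA database needed); 2048-bit keys for speed
# (the page uses 4096); domain names and passphrase are constructed placeholders.
set -eu

# gen_pki DIR: create CA, server and client material under DIR. Runs in a
# subshell so cd/umask do not leak; the steps are chained with && so a failure
# anywhere makes the function return non-zero.
gen_pki() (
  mkdir -p "$1" && cd "$1" || exit 1
  umask 077                                          # keys and passphrase file: 0600
  printf '%s\n' 'demo-ca-passphrase' > ca-pass.txt   # constructed; never pass it on argv

  cat > openssl-demo.cnf <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions    = v3_ca     # "req -x509" (the CA cert) takes this section, not v3_req

[ dn ]

[ v3_ca ]
basicConstraints     = critical, CA:TRUE, pathlen:0
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ v3_req ]
# server profile: the page's section plus an EKU so it cannot act as a client cert
basicConstraints = CA:FALSE
keyUsage         = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = @alt_names

[ v3_client ]
# client profile: clientAuth only, no server names
basicConstraints = CA:FALSE
keyUsage         = digitalSignature
extendedKeyUsage = clientAuth

[ alt_names ]
DNS.1 = *.domain1.com
DNS.2 = *.domain2.com
DNS.3 = *.domain3.com
EOF

  # CA: AES-256 encrypted key, self-signed cert (v3_ca applied via x509_extensions).
  openssl genrsa -aes256 -passout file:ca-pass.txt -out ca-key.pem 2048 2>/dev/null &&
  openssl req -new -x509 -sha256 -days 3650 -config openssl-demo.cnf \
    -key ca-key.pem -passin file:ca-pass.txt \
    -subj '/C=CN/ST=GZ/L=ZY/O=Com Ltd/OU=Dev/CN=Demo Root CA' -out ca-cert.pem &&

  # Server: the CSR carries no extensions at all; SANs and EKU are decided by the
  # signer through -extfile/-extensions (openssl ca does the same unless
  # copy_extensions is set).
  openssl genrsa -out server-key.pem 2048 2>/dev/null &&
  openssl req -new -sha256 -config openssl-demo.cnf -key server-key.pem \
    -subj '/C=CN/ST=GZ/O=Com Ltd/OU=Dev/CN=*.domain1.com' -out server.csr &&
  openssl x509 -req -sha256 -days 365 -in server.csr \
    -CA ca-cert.pem -CAkey ca-key.pem -passin file:ca-pass.txt -CAcreateserial \
    -extfile openssl-demo.cnf -extensions v3_req -out server-cert.pem 2>/dev/null &&

  # Client: same flow with the v3_client profile.
  openssl genrsa -out client-key.pem 2048 2>/dev/null &&
  openssl req -new -sha256 -config openssl-demo.cnf -key client-key.pem \
    -subj '/C=CN/ST=GZ/O=Com Ltd/OU=Dev/CN=demo-client' -out client.csr &&
  openssl x509 -req -sha256 -days 365 -in client.csr \
    -CA ca-cert.pem -CAkey ca-key.pem -passin file:ca-pass.txt -CAcreateserial \
    -extfile openssl-demo.cnf -extensions v3_client -out client-cert.pem 2>/dev/null
)

# chain_ok DIR CERT PURPOSE: 0 when CERT chains to the CA and its key usage and
# extended key usage allow PURPOSE (sslserver or sslclient).
chain_ok() {
  openssl verify -CAfile "$1/ca-cert.pem" -purpose "$3" "$1/$2" >/dev/null 2>&1
}

# host_ok DIR CERT HOST: 0 when the chain verifies AND the SANs cover HOST.
# This is what a TLS client checks; plain "openssl verify" never looks at names.
host_ok() {
  openssl verify -CAfile "$1/ca-cert.pem" -verify_hostname "$3" "$1/$2" >/dev/null 2>&1
}

# Demo run into a throwaway directory.
demo=$(mktemp -d)
gen_pki "$demo"
for spec in "server-cert.pem sslserver" "client-cert.pem sslserver" "client-cert.pem sslclient"; do
  # shellcheck disable=SC2086
  set -- $spec
  if chain_ok "$demo" "$1" "$2"; then echo "$1: valid for $2"; else echo "$1: NOT valid for $2"; fi
done
for host in www.domain1.com api.domain3.com domain1.com a.b.domain1.com; do
  if host_ok "$demo" server-cert.pem "$host"; then echo "server cert covers $host"; else echo "server cert does not cover $host"; fi
done
```

The script keeps the CSR free of extensions on purpose: with openssl x509 -req, as with openssl ca at its default copy_extensions setting, whatever the requester asks for is ignored and the signer's config decides the SAN list and key usages, which is the property you want from a CA. The -purpose and -verify_hostname checks are the two that matter in practice and that the page's openssl verify call does not perform.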

Test one-way authentication

openssl s_server -accept 10001 -key server-key.pem -cert server-cert.pem
openssl s_client -connect localhost:10001
openssl s_client -connect localhost:10001 -CAfile ca-cert.pem

The second command completes the handshake but ends with a non-zero Verify return code (typically 21, unable to verify the first certificate), because s_client has no trust anchor for the private CA and by default only reports verification errors rather than aborting. The third command, with the CA certificate as trust anchor, reports Verify return code: 0 (ok). Neither command checks the server name against the SAN list unless -verify_hostname is also given.

Test mutual (two-way) authentication

openssl s_server -accept 10001 -key server-key.pem -cert server-cert.pem -Verify 5
openssl s_client -connect localhost:10001
openssl s_client -connect localhost:10001 -cert client-cert.pem -key client-key.pem

-Verify (capital V) makes s_server demand a client certificate, so the second command is rejected during the handshake and the third succeeds. Two things to keep in mind when turning this into a real test: s_server verifies the client certificate against its default trust store unless -CAfile ca-cert.pem is given, and, like s_client, it only prints verification errors and lets the connection continue unless -verify_return_error is added.
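The s_server/s_client checks above, scripted and reduced to pass/fail results, as an added example that is not part of the original page. It assumes openssl 1.1.1 or later, that listening on loopback is allowed, and a free port (14433 by default, a constructed choice; override with PORT=...). To stay self-contained it uses two one-command self-signed certificates, each side trusting the other's certificate directly, where the page uses the CA-issued ones; with the page's files, ca-cert.pem is what goes after -CAfile on both sides. It goes beyond the page in two ways: it adds -verify_hostname, so the "trusted CA but wrong name" case shows up, and it adds a -verify_return_error case, showing that a server with no trust anchor for the client certificate does not reject it until told to. TLS 1.2 is pinned on both sides so that a rejected client certificate fails inside the handshake (s_client exits non-zero) rather than in a post-handshake alert, and s_server runs in -www mode so it never reads the script's stdin.

```shell
#!/bin/sh
# Added example (not the page's own commands): run the page's s_client checks
# non-interactively against a one-shot s_server and reduce each to pass/fail.
# Assumptions: openssl 1.1.1+ on PATH, loopback listening allowed, and a free
# port (constructed default 14433; override with PORT=...). Self-signed certs
# stand in for the page's CA-issued ones; with those, ca-cert.pem is the -CAfile.
set -eu
PORT=${PORT:-14433}
WORK=$(mktemp -d)
cd "$WORK"

# Minimal req config so the example does not depend on the system openssl.cnf.
printf '[req]\ndistinguished_name = dn\n[dn]\n' > mini.cnf

# self_signed NAME CN: one-command key + self-signed cert with a DNS SAN of CN.
self_signed() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 -config mini.cnf \
    -subj "/CN=$2" -addext "subjectAltName=DNS:$2" \
    -keyout "$1-key.pem" -out "$1-cert.pem" 2>/dev/null
}

# tls_check WANT SERVER_OPTS CLIENT_OPTS: start a one-shot s_server with
# SERVER_OPTS, connect once with s_client and CLIENT_OPTS (both split on
# spaces), and return 0 when the outcome is WANT:
#   ok         handshake completed and "Verify return code: 0 (ok)"
#   unverified handshake completed but the server cert was not verified
#   fail       handshake rejected (s_client exits non-zero)
# TLS 1.2 is pinned so a rejected client cert fails inside the handshake;
# -www keeps s_server from reading our stdin, which is not a terminal here.
tls_check() {
  want=$1 sopts=$2 copts=$3
  # shellcheck disable=SC2086
  openssl s_server -accept "$PORT" -naccept 1 -tls1_2 -www \
    -key server-key.pem -cert server-cert.pem $sopts </dev/null >/dev/null 2>&1 &
  pid=$!
  tries=0
  while :; do
    # shellcheck disable=SC2086
    out=$(openssl s_client -connect "127.0.0.1:$PORT" -tls1_2 $copts </dev/null 2>&1) \
      && st=0 || st=$?
    case $out in
      *connect:errno*|*"Connection refused"*)   # server not listening yet
        tries=$((tries + 1))
        if [ "$tries" -ge 50 ]; then
          kill "$pid" 2>/dev/null || true; wait "$pid" 2>/dev/null || true
          return 3
        fi
        sleep 0.2 ;;
      *) break ;;
    esac
  done
  kill "$pid" 2>/dev/null || true
  wait "$pid" 2>/dev/null || true    # port must be free before the next case
  verified=1
  case $out in *"Verify return code: 0 (ok)"*) verified=0 ;; esac
  case $want in
    ok)         [ "$st" -eq 0 ] && [ "$verified" -eq 0 ] ;;
    unverified) [ "$st" -eq 0 ] && [ "$verified" -ne 0 ] ;;
    fail)       [ "$st" -ne 0 ] ;;
    *)          return 2 ;;
  esac
}

# run_suite: the page's checks plus the hostname and -verify_return_error
# cases; prints one line per case and returns the number of unexpected outcomes.
run_suite() {
  failures=0
  while IFS='|' read -r want sopts copts label; do
    if tls_check "$want" "$sopts" "$copts"; then echo "PASS ($want): $label"
    else echo "FAIL (expected $want): $label"; failures=$((failures + 1)); fi
  done <<'EOF'
unverified|||no -CAfile: handshake completes but the server cert is not verified
ok||-CAfile server-cert.pem -verify_hostname localhost|-CAfile and matching hostname
unverified||-CAfile server-cert.pem -verify_hostname other.test|-CAfile but wrong hostname
fail|-Verify 1 -CAfile client-cert.pem|-CAfile server-cert.pem|server demands a client cert, none sent
ok|-Verify 1 -CAfile client-cert.pem|-CAfile server-cert.pem -cert client-cert.pem -key client-key.pem|client cert sent and trusted
fail|-Verify 1 -verify_return_error|-CAfile server-cert.pem -cert client-cert.pem -key client-key.pem|client cert sent, server has no trust anchor for it
EOF
  return "$failures"
}

self_signed server localhost
self_signed client demo-client
run_suite || echo "$? case(s) did not behave as expected"
```

The "unverified" outcomes are the ones worth staring at: s_client exits 0 in both, so a script that only checks the exit status would call a connection with an untrusted or mis-named server certificate a success. Grep for Verify return code: 0 (ok), or pass -verify_return_error on the client as well, before trusting such a check in CI.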