duyong mac 3ab87c045b grpc | 5 meses atrás | |
---|---|---|
.. | ||
ca | 5 meses atrás | |
client | 5 meses atrás | |
conf | 5 meses atrás | |
server | 5 meses atrás | |
.srl | 5 meses atrás | |
readme.md | 5 meses atrás |
SAN(Subject Alternative Name)是 SSL 标准 x509 中定义的一个扩展。使用了 SAN 字段的 SSL 证书,可以扩
展此证书支持的域名,使得一个证书可以支持多个不同域名的解析。接下来我们重新利用配置文件生成CA证书,
再利用ca相关去生成服务端的证书。
生成根证书
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = CN
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = ShanXi
localityName = Locality Name (eg, city)
localityName_default = TaiYuan
organizationName = Organization Name (eg, company)
organizationName_default = Step
commonName = CommonName (e.g. server FQDN or YOUR name)
commonName_max = 64
commonName_default = localhost
cd ssl
# 生成ca秘钥,得到ca.key
openssl genrsa -out ./ca/ca.key 4096
# 生成ca证书签发请求,得到ca.csr
openssl req -new -sha256 -out ./ca/ca.csr -key ./ca/ca.key -config ./conf/ca.conf
# 成ca根证书,得到ca.pem
openssl x509 -req -sha256 -days 3650 -in ./ca/ca.csr -signkey ./ca/ca.key -out ./ca/ca.pem
生成服务端证书
#req 总配置
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name #使用 req_distinguished_name配置模块
req_extensions = req_ext #使用 req_ext配置模块
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = CN
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = ShanXi
localityName = Locality Name (eg, city)
localityName_default = TaiYuan
organizationName = Organization Name (eg, company)
organizationName_default = DuYong
commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_max = 64
commonName_default = localhost #这里的Common Name 写主要域名即可(注意:这个域名也要在alt_names的DNS.x里) 此处尤为重要,需要用该服务名字填写到客户端的代码中
[ req_ext ]
subjectAltName = @alt_names #使用 alt_names配置模块
[alt_names]
DNS.1 = localhost
DNS.2 = tyduyong.com
DNS.3 = www.tyduyong.com
IP = 127.0.0.1
# 生成秘钥,得到server.key
openssl genrsa -out ./server/server.key 2048
# 生成证书签发请求,得到server.csr
openssl req -new -sha256 -out ./server/server.csr -key ./server/server.key -config ./conf/server.conf
# 用CA证书生成服务端证书,得到server.pem
openssl x509 -req -sha256 -days 3650 -CA ./ca/ca.pem -CAkey ./ca/ca.key -CAcreateserial -in ./server/server.csr -out ./server/server.pem -extensions req_ext -extfile ./conf/server.conf
生成客户端证书
#req 总配置
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name #使用 req_distinguished_name配置模块
req_extensions = req_ext #使用 req_ext配置模块
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = CN
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = ShanXi
localityName = Locality Name (eg, city)
localityName_default = TaiYuan
organizationName = Organization Name (eg, company)
organizationName_default = DuYong
commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_max = 64
commonName_default = localhost #这里的Common Name 写主要域名即可(注意:这个域名也要在alt_names的DNS.x里) 此处尤为重要,需要用该服务名字填写到客户端的代码中
[ req_ext ]
subjectAltName = @alt_names #使用 alt_names配置模块
[alt_names]
DNS.1 = localhost
DNS.2 = tyduyong.com
DNS.3 = www.tyduyong.com
IP = 127.0.0.1
# 生成秘钥,得到client.key
openssl ecparam -genkey -name secp384r1 -out ./client/client.key
# 生成证书签发请求,得到client.csr
openssl req -new -sha256 -out ./client/client.csr -key ./client/client.key -config ./conf/client.conf
# 用CA证书生成客户端证书,得到client.pem
openssl x509 -req -sha256 -days 3650 -CA ./ca/ca.pem -CAkey ./ca/ca.key -CAcreateserial -in ./client/client.csr -out ./client/client.pem -extensions req_ext -extfile ./conf/client.conf