duyong mac
3ab87c045b
grpc
|
2 months ago | |
|---|---|---|
| .. | ||
| ca | 2 months ago | |
| client | 2 months ago | |
| conf | 2 months ago | |
| server | 2 months ago | |
| .srl | 2 months ago | |
| readme.md | 2 months ago | |
readme.md
SAN(Subject Alternative Name)是 SSL 标准 x509 中定义的一个扩展。使用了 SAN 字段的 SSL 证书,可以扩
展此证书支持的域名,使得一个证书可以支持多个不同域名的解析。接下来我们重新利用配置文件生成CA证书,
再利用ca相关去生成服务端的证书。
生成根证书
[ req ] default_bits = 2048 distinguished_name = req_distinguished_name [ req_distinguished_name ] countryName = Country Name (2 letter code) countryName_default = CN stateOrProvinceName = State or Province Name (full name) stateOrProvinceName_default = ShanXi localityName = Locality Name (eg, city) localityName_default = TaiYuan organizationName = Organization Name (eg, company) organizationName_default = Step commonName = CommonName (e.g. server FQDN or YOUR name) commonName_max = 64 commonName_default = localhostcd ssl # 生成ca秘钥,得到ca.key openssl genrsa -out ./ca/ca.key 4096 # 生成ca证书签发请求,得到ca.csr openssl req -new -sha256 -out ./ca/ca.csr -key ./ca/ca.key -config ./conf/ca.conf # 成ca根证书,得到ca.pem openssl x509 -req -sha256 -days 3650 -in ./ca/ca.csr -signkey ./ca/ca.key -out ./ca/ca.pem生成服务端证书
#req 总配置 [ req ] default_bits = 2048 distinguished_name = req_distinguished_name #使用 req_distinguished_name配置模块 req_extensions = req_ext #使用 req_ext配置模块 [ req_distinguished_name ] countryName = Country Name (2 letter code) countryName_default = CN stateOrProvinceName = State or Province Name (full name) stateOrProvinceName_default = ShanXi localityName = Locality Name (eg, city) localityName_default = TaiYuan organizationName = Organization Name (eg, company) organizationName_default = DuYong commonName = Common Name (e.g. server FQDN or YOUR name) commonName_max = 64 commonName_default = localhost #这里的Common Name 写主要域名即可(注意:这个域名也要在alt_names的DNS.x里) 此处尤为重要,需要用该服务名字填写到客户端的代码中 [ req_ext ] subjectAltName = @alt_names #使用 alt_names配置模块 [alt_names] DNS.1 = localhost DNS.2 = tyduyong.com DNS.3 = www.tyduyong.com IP = 127.0.0.1# 生成秘钥,得到server.key openssl genrsa -out ./server/server.key 2048 # 生成证书签发请求,得到server.csr openssl req -new -sha256 -out ./server/server.csr -key ./server/server.key -config ./conf/server.conf # 用CA证书生成服务端证书,得到server.pem openssl x509 -req -sha256 -days 3650 -CA ./ca/ca.pem -CAkey ./ca/ca.key -CAcreateserial -in ./server/server.csr -out ./server/server.pem -extensions req_ext -extfile ./conf/server.conf生成客户端证书
#req 总配置 [ req ] default_bits = 2048 distinguished_name = req_distinguished_name #使用 req_distinguished_name配置模块 req_extensions = req_ext #使用 req_ext配置模块 [ req_distinguished_name ] countryName = Country Name (2 letter code) countryName_default = CN stateOrProvinceName = State or Province Name (full name) stateOrProvinceName_default = ShanXi localityName = Locality Name (eg, city) localityName_default = TaiYuan organizationName = Organization Name (eg, company) organizationName_default = DuYong commonName = Common Name (e.g. server FQDN or YOUR name) commonName_max = 64 commonName_default = localhost #这里的Common Name 写主要域名即可(注意:这个域名也要在alt_names的DNS.x里) 此处尤为重要,需要用该服务名字填写到客户端的代码中 [ req_ext ] subjectAltName = @alt_names #使用 alt_names配置模块 [alt_names] DNS.1 = localhost DNS.2 = tyduyong.com DNS.3 = www.tyduyong.com IP = 127.0.0.1# 生成秘钥,得到client.key openssl ecparam -genkey -name secp384r1 -out ./client/client.key # 生成证书签发请求,得到client.csr openssl req -new -sha256 -out ./client/client.csr -key ./client/client.key -config ./conf/client.conf # 用CA证书生成客户端证书,得到client.pem openssl x509 -req -sha256 -days 3650 -CA ./ca/ca.pem -CAkey ./ca/ca.key -CAcreateserial -in ./client/client.csr -out ./client/client.pem -extensions req_ext -extfile ./conf/client.conf