duyong mac 3ab87c045b grpc hace 5 meses
..
ca 3ab87c045b grpc hace 5 meses
client 3ab87c045b grpc hace 5 meses
conf 3ab87c045b grpc hace 5 meses
server 3ab87c045b grpc hace 5 meses
.srl 3ab87c045b grpc hace 5 meses
readme.md 3ab87c045b grpc hace 5 meses

readme.md

SAN(Subject Alternative Name)是 SSL 标准 x509 中定义的一个扩展。使用了 SAN 字段的 SSL 证书,可以扩

展此证书支持的域名,使得一个证书可以支持多个不同域名的解析。接下来我们重新利用配置文件生成CA证书,

再利用ca相关去生成服务端的证书。

  1. 生成根证书

    [ req ]
    default_bits       = 2048
    distinguished_name = req_distinguished_name
    
    [ req_distinguished_name ]
    countryName                 = Country Name (2 letter code)
    countryName_default         = CN
    stateOrProvinceName         = State or Province Name (full name)
    stateOrProvinceName_default = ShanXi
    localityName                = Locality Name (eg, city)
    localityName_default        = TaiYuan
    organizationName            = Organization Name (eg, company)
    organizationName_default    = Step
    commonName                  = CommonName (e.g. server FQDN or YOUR name)
    commonName_max              = 64
    commonName_default          = localhost
    
    cd ssl
    # 生成ca秘钥,得到ca.key
    openssl genrsa -out ./ca/ca.key 4096
    # 生成ca证书签发请求,得到ca.csr
    openssl req -new -sha256 -out ./ca/ca.csr -key ./ca/ca.key -config ./conf/ca.conf
    # 成ca根证书,得到ca.pem
    openssl x509 -req -sha256 -days 3650 -in ./ca/ca.csr -signkey ./ca/ca.key -out ./ca/ca.pem
    
  2. 生成服务端证书

    #req 总配置
    [ req ]
    default_bits       = 2048
    distinguished_name = req_distinguished_name  #使用 req_distinguished_name配置模块
    req_extensions     = req_ext  #使用 req_ext配置模块
    
    [ req_distinguished_name ]
    countryName                 = Country Name (2 letter code)
    countryName_default         = CN
    stateOrProvinceName         = State or Province Name (full name)
    stateOrProvinceName_default = ShanXi
    localityName                = Locality Name (eg, city)
    localityName_default        = TaiYuan
    organizationName            = Organization Name (eg, company)
    organizationName_default    = DuYong
    commonName                  = Common Name (e.g. server FQDN or YOUR name)
    commonName_max              = 64
    commonName_default          = localhost    #这里的Common Name 写主要域名即可(注意:这个域名也要在alt_names的DNS.x里) 此处尤为重要,需要用该服务名字填写到客户端的代码中
    
    [ req_ext ]
    subjectAltName = @alt_names #使用 alt_names配置模块
    
    [alt_names]
    DNS.1   = localhost
    DNS.2   = tyduyong.com
    DNS.3   = www.tyduyong.com
    IP      = 127.0.0.1
    
    # 生成秘钥,得到server.key
    openssl genrsa -out ./server/server.key 2048
    # 生成证书签发请求,得到server.csr
    openssl req -new -sha256 -out ./server/server.csr -key ./server/server.key -config ./conf/server.conf
    # 用CA证书生成服务端证书,得到server.pem
    openssl x509 -req -sha256 -days 3650 -CA ./ca/ca.pem -CAkey ./ca/ca.key -CAcreateserial -in ./server/server.csr -out ./server/server.pem -extensions req_ext -extfile ./conf/server.conf
    
  3. 生成客户端证书

    #req 总配置
    [ req ]
    default_bits       = 2048
    distinguished_name = req_distinguished_name  #使用 req_distinguished_name配置模块
    req_extensions     = req_ext  #使用 req_ext配置模块
    
    [ req_distinguished_name ]
    countryName                 = Country Name (2 letter code)
    countryName_default         = CN
    stateOrProvinceName         = State or Province Name (full name)
    stateOrProvinceName_default = ShanXi
    localityName                = Locality Name (eg, city)
    localityName_default        = TaiYuan
    organizationName            = Organization Name (eg, company)
    organizationName_default    = DuYong
    commonName                  = Common Name (e.g. server FQDN or YOUR name)
    commonName_max              = 64
    commonName_default          = localhost    #这里的Common Name 写主要域名即可(注意:这个域名也要在alt_names的DNS.x里) 此处尤为重要,需要用该服务名字填写到客户端的代码中
    
    [ req_ext ]
    subjectAltName = @alt_names #使用 alt_names配置模块
    
    [alt_names]
    DNS.1   = localhost
    DNS.2   = tyduyong.com
    DNS.3   = www.tyduyong.com
    IP      = 127.0.0.1
    
    # 生成秘钥,得到client.key
    openssl ecparam -genkey -name secp384r1 -out ./client/client.key
    # 生成证书签发请求,得到client.csr
    openssl req -new -sha256 -out ./client/client.csr -key ./client/client.key -config ./conf/client.conf
    # 用CA证书生成客户端证书,得到client.pem
    openssl x509 -req -sha256 -days 3650 -CA ./ca/ca.pem -CAkey ./ca/ca.key -CAcreateserial -in ./client/client.csr -out ./client/client.pem -extensions req_ext -extfile ./conf/client.conf