
Notes on OpenSSL and the SAN extension

Source: Internet  Collected by: 自由互联  Published: 2022-06-20

 

Building your own root CA

1.1 Method 1 (generate the key separately, then self-sign)
openssl genrsa -out ca.key 2048
openssl req -new -x509 -days 3650 -key ca.key -out ca.crt -subj "/C=CN/ST=GD/L=SZ/O=TESTONE/CN=domain1/CN=domain2/CN=domain3"
1.2 Method 2 (generate key and self-signed certificate in one command)
openssl req -x509 -newkey rsa:4096 -keyout ca.key -out ca.crt -nodes -days 3650 -subj "/C=CN/ST=GD/L=SZ/O=TESTONE/CN=domain1/CN=domain2/CN=domain3"
1.3 Method 3

or (self-sign with x509 -req -signkey; this path does not read extensions from the openssl config file)

openssl req -new -keyout ca.key -nodes -out ca.csr -subj "/C=CN/ST=GD/L=SZ/O=TESTONE/CN=domain1/CN=domain2/CN=domain3"
openssl x509 -req -days 3650 -in ca.csr -signkey ca.key -out ca.crt
1.4 Method 4 (separate key, CSR, then self-sign)
openssl genrsa -out ca.key 2048
openssl req -new -key ca.key -out ca.csr -subj "/C=CN/ST=GD/L=SZ/O=TESTONE/CN=domain1/CN=domain2/CN=domain3"
openssl x509 -req -days 3650 -in ca.csr -signkey ca.key -out ca.crt

All four variants produce a self-signed certificate; they differ only in whether the key is generated separately (genrsa) or inline (-newkey) and whether a CSR is written first. Two caveats. First, the subject above contains three CN attributes; that does not make the certificate valid for three names, because browsers match hostnames against subjectAltName and ignore the CN, and OpenSSL consults the CN only when no DNS SAN is present. Use the SAN extension from the next section instead. Second, `openssl req -x509` takes its extensions from the x509_extensions section of openssl.cnf (v3_ca in the default config, which sets basicConstraints CA:TRUE), whereas `openssl x509 -req -signkey` adds no basicConstraints unless given -extfile, so a root built with method 3 or 4 may be rejected as an issuer by verifiers.

 

Building a self-signed multi-domain, multi-IP root CA certificate

2.1 Create the ca directory
cd /tmp && mkdir ca && cd ca
2.2 Create the config file san.cnf
cat > san.cnf <<EOF
[ req ]
default_bits       = 2048
distinguished_name = req_distinguished_name
req_extensions     = v3_req
[ req_distinguished_name ]
countryName                 = Country Name (2 letter code)
stateOrProvinceName         = State or Province Name (full name)
localityName               = Locality Name (eg, city)
organizationName           = Organization Name (eg, company)
commonName                 = Common Name (e.g. server FQDN or YOUR name)
[ v3_req ]
subjectAltName = @alt_names
[alt_names]
DNS.1   = www.netsarang.com
DNS.2   = localhost
IP.1                     = 127.0.0.1
IP.2                     = 192.168.14.37
EOF
2.3 Create the multi-domain certificate

openssl req -x509 -newkey rsa:4096 -keyout ca.key -out ca.crt -extensions v3_req -config san.cnf -nodes -days 3650 -subj "/C=CN/ST=GD/L=SZ/O=TESTONE/CN=domain1/CN=domain2/CN=domain3"

req_extensions in san.cnf only applies to certificate requests, so -extensions v3_req is what puts that section into the self-signed certificate. Note that v3_req here carries only subjectAltName: the resulting certificate has no basicConstraints CA:TRUE and no keyUsage keyCertSign. If it is meant to sign other certificates (section 3), add those two lines to the section.
2.4 View the certificate details (grep DNS matches the single SAN line, so the IP entries are shown too)
openssl x509 -noout -text -in ca.crt | grep DNS

 

Signing a multi-domain server certificate with the root CA

3.1 Create the ca directory (or reuse the directory from section 2, which already holds ca.key and ca.crt)
cd /tmp && mkdir -p ca && cd ca
3.2 Create the server certificate request
openssl req -out server.csr -newkey rsa:2048 -nodes -keyout server.key -subj "/C=CN/ST=GD/L=SZ/O=TESTONE/CN=server1"
3.3 Write the extension file. It describes the server being certified and is consumed by the CA at signing time; the server does not need it when generating its CSR.
cat > v3.ext <<EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1   = www.netsarang.com
DNS.2   = localhost
IP.1   = 127.0.0.1
IP.2   = 192.168.14.37
EOF
3.4 Sign with the CA (see the self-built CA section). -extfile is what puts the SAN and the other extensions into the certificate; `openssl x509 -req` does not copy them from the CSR.
openssl x509 -req -sha512 -days 3650 -extfile v3.ext -CA ca.crt -CAkey ca.key -CAcreateserial -in server.csr -out server.crt
3.5 View the certificate's extensions
openssl x509 -noout -text -in server.crt | grep DNS

 

 

Signing a multi-domain server certificate with the root CA (an example found online, showing the bug scenario)

4.1 Create the ca directory
cd /tmp && mkdir ca && cd ca
4.2 Create the config file san.cnf (identical to 2.2)
cat > san.cnf <<EOF
[ req ]
default_bits       = 2048
distinguished_name = req_distinguished_name
req_extensions     = v3_req
[ req_distinguished_name ]
countryName                 = Country Name (2 letter code)
stateOrProvinceName         = State or Province Name (full name)
localityName               = Locality Name (eg, city)
organizationName           = Organization Name (eg, company)
commonName                 = Common Name (e.g. server FQDN or YOUR name)
[ v3_req ]
subjectAltName = @alt_names
[alt_names]
DNS.1   = www.netsarang.com
DNS.2   = localhost
IP.1                     = 127.0.0.1
IP.2                     = 192.168.14.37
EOF
4.3.1 Create the server certificate request (the SAN from san.cnf is requested in the CSR)
openssl req -new -newkey rsa:4096 -keyout server.key -out server.csr -config san.cnf -nodes -subj "/C=CN/ST=GD/L=SZ/O=TESTONE/CN=domain1/CN=domain2/CN=domain3"
4.3.2 Adding the extension from the command line instead of a config file

Requires OpenSSL 1.1.1 or later (-addext). The extension lands in the CSR, so the signing caveat in 4.5 applies just the same.

openssl req -new -subj "/C=GB/CN=foo" \
                -addext "subjectAltName = DNS:foo.co.uk" \
                -addext "certificatePolicies = 1.2.3.4" \
                -newkey rsa:2048 -keyout key.pem -out req.pem

 

4.4 View the extensions requested in the CSR (the requested SAN is visible here)
openssl req -noout -text -in server.csr | grep DNS
4.5 Sign with the CA

The following command hits the bug: `openssl x509 -req` does not carry the extensions requested in the CSR over into the certificate unless they are supplied with -extfile (as in 3.4) or, on OpenSSL 3.x, with -copy_extensions copy. See No. 2 for the fix. References:

openssl-issues3708

Missing X509 extensions with an openssl-generated certificate

openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -out server.crt -CAcreateserial -days 365
4.6 View the certificate's extensions (the SAN is simply gone)
openssl x509 -noout -text -in server.crt | grep DNS
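Added example covering sections 3 and 4 (this script is not from the original post). It builds a root CA that actually carries basicConstraints CA:TRUE and keyCertSign, creates a CSR that requests a SAN, signs it twice, once the buggy way (plain `x509 -req`, which ignores the CSR's extensions) and once with -extfile, and then checks each result with `openssl x509 -text` and `openssl verify -verify_hostname`. It assumes OpenSSL 1.1.1 or 3.x on PATH; the names www.example.test, server1 and "Example Test Root CA" are placeholders chosen here, not values from the page.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes OpenSSL 1.1.1 or 3.x.
# www.example.test, server1 and "Example Test Root CA" are placeholder names.
set -e

# Minimal req configs: an empty DN section (the subject comes from -subj) plus
# the extension sections. req_extensions applies only to CSRs;
# x509_extensions applies only to 'req -x509' self-signed output.
write_configs() {                   # $1 = working directory
  cat > "$1/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions    = v3_ca
[dn]
[v3_ca]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  cat > "$1/server.cnf" <<'EOF'
[req]
distinguished_name = dn
req_extensions     = v3_req
[dn]
[v3_req]
subjectAltName = @alt_names
[alt_names]
DNS.1 = www.example.test
DNS.2 = localhost
IP.1  = 127.0.0.1
EOF
  # Extension file for 'x509 -req'; the unnamed leading section is the
  # default one, so no -extensions flag is needed.
  cat > "$1/v3.ext" <<'EOF'
authorityKeyIdentifier = keyid,issuer
basicConstraints       = CA:FALSE
keyUsage               = digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectAltName         = @alt_names
[alt_names]
DNS.1 = www.example.test
DNS.2 = localhost
IP.1  = 127.0.0.1
EOF
}

# Root CA with real CA extensions (a v3_req-only root would lack them).
make_ca() {
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 365 \
    -keyout "$1/ca.key" -out "$1/ca.crt" -subj "/CN=Example Test Root CA" \
    -config "$1/ca.cnf" 2>/dev/null
}

# Server CSR that requests the SAN extension.
make_csr() {
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$1/server.key" -out "$1/server.csr" -subj "/CN=server1" \
    -config "$1/server.cnf" 2>/dev/null
}

# Buggy path: 'x509 -req' ignores the CSR's requested extensions by default.
sign_without_extfile() {
  openssl x509 -req -days 365 -in "$1/server.csr" -CA "$1/ca.crt" \
    -CAkey "$1/ca.key" -CAcreateserial -out "$1/bad.crt" 2>/dev/null
}

# Fixed path: the CA supplies the extensions explicitly with -extfile.
sign_with_extfile() {
  openssl x509 -req -days 365 -in "$1/server.csr" -CA "$1/ca.crt" \
    -CAkey "$1/ca.key" -CAcreateserial -extfile "$1/v3.ext" \
    -out "$1/good.crt" 2>/dev/null
}

# Number of DNS names in the certificate's SAN (0 when the extension is absent).
san_dns_count() {                   # $1 = certificate file
  openssl x509 -noout -text -in "$1" | grep -o 'DNS:' | wc -l | tr -d ' '
}

# "yes" if the chain verifies and the name matches the SAN (or, when no DNS
# SAN is present, the CN); "no" otherwise.
hostname_ok() {                     # $1 = CA file, $2 = hostname, $3 = certificate
  if openssl verify -CAfile "$1" -verify_hostname "$2" "$3" >/dev/null 2>&1; then
    echo yes
  else
    echo no
  fi
}

demo() {
  d=$(mktemp -d)
  write_configs "$d"; make_ca "$d"; make_csr "$d"
  sign_without_extfile "$d"; sign_with_extfile "$d"
  echo "CSR requests a SAN: $(openssl req -noout -text -in "$d/server.csr" | grep -c 'DNS:')"
  echo "bad.crt  DNS SANs: $(san_dns_count "$d/bad.crt")  localhost verifies: $(hostname_ok "$d/ca.crt" localhost "$d/bad.crt")"
  echo "good.crt DNS SANs: $(san_dns_count "$d/good.crt")  localhost verifies: $(hostname_ok "$d/ca.crt" localhost "$d/good.crt")"
  rm -rf "$d"
}

demo
```

On OpenSSL 3.x, `openssl x509 -req -copy_extensions copy` is an alternative that carries the CSR's own extensions across; on 1.1.1 the extfile is the only way, and it is also the safer one, since the CA rather than the requester then decides which extensions the issued certificate gets.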

 

Certificate conversion reference

openssl x509 -inform PEM -in xx.com.crt -out xxx.com.cert

Without -outform this only re-emits the certificate as PEM under a new name; add -outform DER to produce a binary DER file.

 

Key usage and certificate type

Certificate usage

OpenSSL keyUsage values:

digitalSignature: digital signature
nonRepudiation: non-repudiation signature (named contentCommitment in RFC 5280)
keyEncipherment: key encipherment
dataEncipherment: data encipherment
keyAgreement: key agreement
keyCertSign: certificate signing (CA certificates only)
cRLSign: CRL signing (CA certificates only)
encipherOnly: encipher only (used together with keyAgreement)
decipherOnly: decipher only (used together with keyAgreement)

 

References

OPENSSL X509

[Provide subjectAltName to openssl directly on the command line](https://security.stackexchange.com/questions/74345/provide-subjectaltname-to-openssl-directly-on-the-command-line)
