记录OPENSSL 以及SAN 扩展的方法


自建根CA

1.1方法1
openssl genrsa -out ca.key 2048
openssl req -new -x509 -days 3650 -key ca.key -out ca.crt -subj "/C=CN/ST=GD/L=SZ/O=TESTONE/CN=domain1/CN=domain2/CN=domain3"
1.2方法2
openssl req -x509 -newkey rsa:4096 -keyout ca.key -out ca.crt  -nodes -days 3650  -subj "/C=CN/ST=GD/L=SZ/O=TESTONE/CN=domain1/CN=domain2/CN=domain3"
1.3方法3

or(x509自签,不会利用openssl的配置文件)

openssl req -new -keyout ca.key  -nodes  -out ca.csr  -subj  "/C=CN/ST=GD/L=SZ/O=TESTONE/CN=domain1/CN=domain2/CN=domain3"
openssl x509 -req  -days  3650 -in ca.csr  -signkey ca.key -out ca.crt
1.4方法4
openssl genrsa -out ca.key 2048
openssl req -new  -key ca.key -out ca.csr   -subj "/C=CN/ST=GD/L=SZ/O=TESTONE/CN=domain1/CN=domain2/CN=domain3"
openssl x509 -req  -days  3650 -in ca.csr  -signkey ca.key -out ca.crt

自建多域名多IP根CA证书

2.1新建ca目录
cd /tmp &&mkdir ca  && cd ca
2.2新建配置文件san.cnf
cat > san.cnf <<EOF
[ req ]
default_bits       = 2048
distinguished_name = req_distinguished_name
req_extensions     = v3_req 
[ req_distinguished_name ]
countryName                 = Country Name (2 letter code)
stateOrProvinceName         = State or Province Name (full name)
localityName               = Locality Name (eg, city)
organizationName           = Organization Name (eg, company)
commonName                 = Common Name (e.g. server FQDN or YOUR name)
[ v3_req ]
subjectAltName = @alt_names
[alt_names]
DNS.1   = www.netsarang.com
DNS.2   = localhost
IP.1                      = 127.0.0.1
IP.2                      = 192.168.14.37
EOF
2.3新建多域名证书
openssl req -x509 -newkey rsa:4096 -keyout ca.key -out ca.crt   -extensions v3_req  -config san.cnf  -nodes -days 3650  -subj "/C=CN/ST=GD/L=SZ/O=TESTONE/CN=domain1/CN=domain2/CN=domain3"
2.4查看证书详情
openssl x509 -noout -text -in ca.crt  | grep DNS

利用根CA签名多域名服务器证书

3.1新建ca目录
cd /tmp &&mkdir ca  && cd ca
3.2新建server证书请求
openssl req -out server.csr -newkey rsa:2048 -nodes -keyout server.key  -subj "/C=CN/ST=GD/L=SZ/O=TESTONE/CN=server1"
3.3填写扩展命令,主要是针对被认证服务器的。server生成csr不需要添加这一项
cat > v3.ext <<EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1   = www.netsarang.com
DNS.2   = localhost
IP.1    = 127.0.0.1
IP.2    = 192.168.14.37
EOF
3.4使用CA进行签发(参考自建CA )
openssl x509 -req -sha512 -days 3650 -extfile v3.ext -CA ca.crt -CAkey ca.key -CAcreateserial -in server.csr -out server.crt
3.5查看证书扩展选项
openssl x509 -noout -text -in server.crt  | grep DNS

利用根CA签名多域名服务器证书(网上示例,出现bug场景)

4.1新建ca目录
cd /tmp &&mkdir ca  && cd ca
4.2新建配置文件san.cnf
cat > san.cnf <<EOF
[ req ]
default_bits       = 2048
distinguished_name = req_distinguished_name
req_extensions     = v3_req 
[ req_distinguished_name ]
countryName                 = Country Name (2 letter code)
stateOrProvinceName         = State or Province Name (full name)
localityName               = Locality Name (eg, city)
organizationName           = Organization Name (eg, company)
commonName                 = Common Name (e.g. server FQDN or YOUR name)
[ v3_req ]
subjectAltName = @alt_names
[alt_names]
DNS.1   = www.netsarang.com
DNS.2   = localhost
IP.1                      = 127.0.0.1
IP.2                      = 192.168.14.37
EOF
4.3.1新建服务器证书
openssl req -x509 -newkey rsa:4096 -keyout server.key -out ca.crt   -config san.cnf  -nodes -days 365  -subj "/C=CN/ST=GD/L=SZ/O=TESTONE/CN=domain1/CN=domain2/CN=domain3"
4.3.2命令行添加服务证书

要求openssl version > 1.1.1

openssl req -new -subj "/C=GB/CN=foo" \
                  -addext "subjectAltName = DNS:foo.co.uk" \
                  -addext "certificatePolicies = 1.2.3.4" \
                  -newkey rsa:2048 -keyout key.pem -out req.pem
4.4查看证书请求扩展选项(可以看到请求扩展选项)
openssl req -noout -text -in ca.crt  | grep DNS
4.5使用CA进行签发

利用如下命令可能存在BUG,参考NO2解决。参考

openssl-issues3708

Missing X509 extensions with an openssl-generated certificate

openssl x509 -req -in server.csr  -CA ca.crt -CAkey ca.key -out server.crt -CAcreateserial -days 365
4.6查看证书扩展选项(扩展选项直接失效)
openssl x509 -noout -text -in ca.crt  | grep DNS

证书转换参考

openssl x509 -inform PEM -in xx.com.crt -out xxx.com.cert

密钥用法证书类型

证书用法

OpenSSL密钥用法:

数字签名 digitalSignature

认可签名 nonRepudiation

密钥加密 keyEncipherment

数据加密 dataEncipherment

密钥协商 keyAgreement

证书签名 keyCertSign

CRL 签名 cRLSign

仅仅加密 encipherOnly

仅仅解密 decipherOnly

参考

OPENSSL X509

Provide subjectAltName to openssl directly on the command line