使用OpenSSL自签发SSL证书,支持chrome识别
在网上经常看到自建CA和自签证书文档,但是发现自己生成之后,将ca证书导入客户端之后,Chrome访问网站总是会出现如下错误:
NET::ERR_CERT_COMMON_NAME_INVALID
此服务器无法证实它就是 domain.com - 它的安全证书没有指定主题备用名称。这可能是因为某项配置有误或某个攻击者拦截了您的连接。一直以为是Chrome浏览器安全强度太高导致的,因为发现Firefox和IE没有这个问题,但是后来才发现自签证书有缺陷。
一、安装openssl
[root@server ~]# sudo apt-get install openssl
二、创建根证书
# 创建生成本地根证书的目录
[root@server ~]# mkdir -p certs/local && cd certs
# 生成根密钥
[root@server ~/certs]# openssl genrsa -out local/boot.key 2048
Generating RSA private key, 2048 bit long modulus
.................................+++
.......................................+++
e is 65537 (0x10001)
# 生成根CA证书:-days 选项指定时间(单位:天)
[root@server ~/certs]# openssl req -x509 -new -key local/boot.key -out local/boot.pem -days 3650
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) []:CN
State or Province Name (full name) []:Beijing
Locality Name (eg, city) []:Beijing
Organization Name (eg, company) []:Steeze
Organizational Unit Name (eg, section) []:https://www.steeze.cn
Common Name (eg, fully qualified host name) []:Steeze
Email Address []:402085437@qq.com
生成完成后,将根证书文件 local/boot.pem 导入到浏览器和系统中
三、颁发应用证书
1. 创建应用证书请求
# 生成应用证书目录 [root@server ~/certs]# mkdir web # 生成应用证书的密钥 [root@server ~/certs]# openssl genrsa -out web/app.key 2048 Generating RSA private key, 2048 bit long modulus .........................................................................................................+++ .....................+++ e is 65537 (0x10001) # 生成证书颁发请求 [root@server ~/certs]# openssl req -new -key web/app.key -out web/app.csr You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) []:CN State or Province Name (full name) []:Chongqing Locality Name (eg, city) []:Chongqing Organization Name (eg, company) []:Steeze app Organizational Unit Name (eg, section) []:https://www.app.com Common Name (eg, fully qualified host name) []:App of steeze Email Address []:spring.wind2006@163.com Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []:123456
2. 创建证书附加用途文件
用于解决Chrome不能识别证书通用名称NET::ERR_CERT_COMMON_NAME_INVALID错误,签发基于IP地址证书和基于域名的证书的使用的文件格式不一样:
(1). 基于IP地址的证书
[root@server ~/certs]# vim web/app.ext keyUsage = nonRepudiation, digitalSignature, keyEncipherment extendedKeyUsage = serverAuth, clientAuth subjectAltName=@SubjectAlternativeName [ SubjectAlternativeName ] IP.1=192.168.1.1 IP.2=192.168.1.2
(2). 基于域名的证书(可以使用通配符"*")
[root@server ~/certs]# vim web/app.ext keyUsage = nonRepudiation, digitalSignature, keyEncipherment extendedKeyUsage = serverAuth, clientAuth subjectAltName=@SubjectAlternativeName [ SubjectAlternativeName ] DNS.1=app.com DNS.2=*.app.com DNS.3=test.com DNS.4=*.test.com
extendedKeyUsage 可以指定证书目的,即用途,一般有:
serverAuth:保证远程计算机的身份
clientAuth:向远程计算机证明你的身份
codeSigning:确保软件来自软件发布者,保护软件在发行后不被更改
emailProtection:保护电子邮件消息
timeStamping:允许用当前时间签名数据
如果不指定,则默认为 所有应用程序策略
3. 签发证书
[root@server ~/certs]# openssl x509 -req -in web/app.csr -CA local/boot.pem -CAkey local/boot.key -CAcreateserial -out web/app.crt -days 3650 -sha256 -extfile web/app.ext Signature ok subject=/C=CN/ST=Chongqing/L=Chongqing/O=Steeze app/OU=https://www.app.com/CN=App of steeze/emailAddress=spring.wind2006@163.com Getting CA Private Key
4. 部署应用证书
将web目录生成的应用证书app.crt和应用证书密钥app.key上传到服务器,然后配置服务器https访问。
nginx 服务器配置范例:
server {
listen 443 ssl;
server_name test.app.com;
root /www/public;
ssl_certificate "/usr/local/nginx/conf/cert/app.crt";
ssl_certificate_key "/usr/local/nginx/conf/cert/app.key";
}
参考文章: https://www.cnblogs.com/will-space/p/11913744.html
谢谢您的来访,欢迎关注交流!以下是我的个人联系方式
电子邮箱:spring.wind2006@163.com,QQ:402085437,微信号:tm402085437
