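[HTTPS] Generating a Self-Signed Certificate with SubjectAltName Using OpenSSL
阿新 • Published: 2018-12-18
Steps
First, create a configuration file named ssl.conf with the following contents: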
[ req ]
default_bits = 4096
distinguished_name = req_distinguished_name
req_extensions = req_ext
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = GB
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = England
localityName = Locality Name (eg, city)
localityName_default = Brighton
organizationName = Organization Name (eg, company)
organizationName_default = Hallmarkdesign
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = IT
commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_max = 64
commonName_default = localhost
[ req_ext ]
subjectAltName = @alt_names
[alt_names]
IP.1 = 192.168.1.8
DNS.1 = your-website.dev
DNS.2 = another-website.dev
- Generate the private key
openssl genrsa -out private.key 4096
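- Generate the certificate signing request (CSR)
CSR stands for Certificate Signing Request. When applying for a digital certificate, the applicant's CSP (Cryptographic Service Provider) generates the CSR at the same time as it generates the private key. The applicant only has to submit the CSR file to a certificate authority; the certificate authority signs it with the private key of its root certificate, which produces the certificate public key file, that is, the certificate issued to the user.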
openssl req -new -sha256 \
-out private.csr \
-key private.key \
-config ssl.conf
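This prompts for a series of fields; you can leave them unfilled and just press Enter, in which case the defaults from ssl.conf are used.
You can inspect the contents of the certificate request with the following command: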
openssl req -text -noout -in private.csr
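You should see the following (the Subject Alternative Name line lists the entries from your own [alt_names] section):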
X509v3 Subject Alternative Name: DNS:my-project.site
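and
Signature Algorithm: sha256WithRSAEncryption
- Generate the certificate
Then generate the certificate with the command below. The -extensions and -extfile options are needed because openssl x509 -req does not copy the extensions in the CSR into the certificate; without them the certificate has no SubjectAltName.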
openssl x509 -req \
-days 3650 \
-in private.csr \
-signkey private.key \
-out private.crt \
-extensions req_ext \
-extfile ssl.conf
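
The three steps above as one non-interactive script that also verifies the result; this is an added example, not part of the original post. The function names, the no_san.crt file, the trimmed ssl.conf and the use of -batch (which accepts the configured defaults instead of prompting) are assumptions introduced here.

```shell
#!/bin/sh
# Added example: run the page's steps without prompts, then check the SAN entries.

# write_conf DIR: trimmed copy of the page's ssl.conf (constructed for this demo).
write_conf() {
  cat > "$1/ssl.conf" <<'EOF'
[ req ]
distinguished_name = req_distinguished_name
req_extensions = req_ext
[ req_distinguished_name ]
commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_default = localhost
[ req_ext ]
subjectAltName = @alt_names
[ alt_names ]
IP.1 = 192.168.1.8
DNS.1 = your-website.dev
DNS.2 = another-website.dev
EOF
}

# make_certs DIR [BITS]: key, CSR, one certificate signed with -extfile and one without.
make_certs() {
  dir=$1; bits=${2:-4096}
  write_conf "$dir" || return 1
  openssl genrsa -out "$dir/private.key" "$bits" 2>/dev/null || return 1
  # -batch takes the *_default values from ssl.conf instead of prompting
  openssl req -new -sha256 -batch -key "$dir/private.key" \
    -out "$dir/private.csr" -config "$dir/ssl.conf" || return 1
  openssl x509 -req -days 3650 -in "$dir/private.csr" -signkey "$dir/private.key" \
    -out "$dir/private.crt" -extensions req_ext -extfile "$dir/ssl.conf" \
    2>/dev/null || return 1
  # Same command minus -extensions/-extfile: the CSR's extensions are not copied
  openssl x509 -req -days 3650 -in "$dir/private.csr" -signkey "$dir/private.key" \
    -out "$dir/no_san.crt" 2>/dev/null
}

# has_san CERT ENTRY: succeeds if ENTRY (e.g. DNS:your-website.dev) is in CERT's SAN list.
has_san() {
  openssl x509 -in "$1" -noout -text |
    grep -A1 'X509v3 Subject Alternative Name' | grep -qF "$2"
}
```

Run make_certs on an empty directory, then has_san on private.crt for each name the server will be reached by; the same check on no_san.crt fails, which is the case the -extensions and -extfile options prevent.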