  • Self-signing SSL certificates with OpenSSL so that Chrome accepts them

      Documents on building your own CA and self-signing certificates are easy to find online, but after generating my own and importing the CA certificate into the client, Chrome kept showing the following error when visiting the site:
    NET::ERR_CERT_COMMON_NAME_INVALID
      This server could not prove that it is domain.com; its security certificate does not specify Subject Alternative Names. This may be caused by a misconfiguration or an attacker intercepting your connection. I had assumed this was just Chrome being stricter than other browsers, since Firefox and IE did not complain, but it turned out the self-signed certificate itself was defective: it carried no subjectAltName extension.

    I. Install openssl

    [root@server ~]# sudo apt-get install openssl


    II. Create the root certificate

    # Create the directory for the local root certificate
    [root@server ~]# mkdir -p certs/local && cd certs

    # Generate the root key
    [root@server ~/certs]# openssl genrsa -out local/boot.key 2048
    Generating RSA private key, 2048 bit long modulus
    .................................+++
    .......................................+++
    e is 65537 (0x10001)

    # Generate the root CA certificate; the -days option sets the validity period (in days)
    [root@server ~/certs]# openssl req -x509 -new -key local/boot.key -out local/boot.pem -days 3650
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) []:CN
    State or Province Name (full name) []:Beijing
    Locality Name (eg, city) []:Beijing
    Organization Name (eg, company) []:Steeze
    Organizational Unit Name (eg, section) []:https://www.steeze.cn
    Common Name (eg, fully qualified host name) []:Steeze
    Email Address []:402085437@qq.com

    Once generated, import the root certificate file local/boot.pem into the browser and the operating system.

    III. Issue the application certificate

    1. Create the application certificate request

    # Create the application certificate directory
    [root@server ~/certs]# mkdir web
    
    # Generate the application certificate's key
    [root@server ~/certs]# openssl genrsa -out web/app.key 2048
    Generating RSA private key, 2048 bit long modulus
    .........................................................................................................+++
    .....................+++
    e is 65537 (0x10001)
    
    # Generate the certificate signing request
    [root@server ~/certs]# openssl req -new -key  web/app.key -out web/app.csr
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) []:CN
    State or Province Name (full name) []:Chongqing
    Locality Name (eg, city) []:Chongqing
    Organization Name (eg, company) []:Steeze app 
    Organizational Unit Name (eg, section) []:https://www.app.com
    Common Name (eg, fully qualified host name) []:App of steeze
    Email Address []:spring.wind2006@163.com
    
    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:123456

    2. Create the certificate extension file

    This file is what fixes Chrome's NET::ERR_CERT_COMMON_NAME_INVALID error (Chrome does not accept a host name that appears only in the Common Name). The extension file differs depending on whether the certificate is issued for an IP address or for a domain name:

    (1). Certificate for an IP address

    [root@server ~/certs]# vim web/app.ext
    keyUsage = nonRepudiation, digitalSignature, keyEncipherment
    extendedKeyUsage = serverAuth, clientAuth
    subjectAltName=@SubjectAlternativeName
    
    [ SubjectAlternativeName ]
    IP.1=192.168.1.1
    IP.2=192.168.1.2

    (2). Certificate for a domain name (the wildcard "*" may be used)

    [root@server ~/certs]# vim web/app.ext
    keyUsage = nonRepudiation, digitalSignature, keyEncipherment
    extendedKeyUsage = serverAuth, clientAuth
    subjectAltName=@SubjectAlternativeName
    
    [ SubjectAlternativeName ]
    DNS.1=app.com
    DNS.2=*.app.com
    DNS.3=test.com
    DNS.4=*.test.com

    extendedKeyUsage specifies the certificate's purposes. Common values:
    serverAuth: proves the identity of the remote computer
    clientAuth: proves your identity to the remote computer
    codeSigning: ensures software comes from its publisher and has not been modified after release
    emailProtection: protects e-mail messages
    timeStamping: allows data to be signed with the current time
    If omitted, the default is all application policies


    3. Sign the certificate

    [root@server ~/certs]# openssl x509 -req -in web/app.csr -CA local/boot.pem -CAkey local/boot.key -CAcreateserial -out web/app.crt -days 3650 -sha256 -extfile web/app.ext
    Signature ok
    subject=/C=CN/ST=Chongqing/L=Chongqing/O=Steeze app/OU=https://www.app.com/CN=App of steeze/emailAddress=spring.wind2006@163.com
    Getting CA Private Key
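    The steps from sections II and III.1 to III.3, run non-interactively as an added example (not the article's own code). It uses -subj and a private req config instead of the interactive prompts, and adds a check for the one property Chrome insists on: a subjectAltName for the host. The scratch directory, the CA name "Local Dev CA" and the host names are constructed for the example.

```shell
# Added example: the article's CA/leaf flow, scripted, plus a SAN check.
# Assumed: $1 is a scratch directory; CA name and host names are made up.
set -eu

# Root CA, as in section II but with -subj and a private config, so the example
# does not depend on the system openssl.cnf or on interactive DN prompts.
make_ca() {
  mkdir -p "$1/local"
  cat > "$1/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  openssl genrsa -out "$1/local/boot.key" 2048 2>/dev/null
  openssl req -x509 -new -key "$1/local/boot.key" -config "$1/req.cnf" \
    -subj "/CN=Local Dev CA" -days 3650 -out "$1/local/boot.pem"
}

# Leaf cert for host $2. With $3 = san the extension file from section III.2 is
# written and passed via -extfile; any other value signs the bare CSR, which is
# exactly the SAN-less certificate that Chrome rejects.
issue_cert() {
  dir=$1; host=$2; extra=""
  mkdir -p "$dir/web"
  openssl genrsa -out "$dir/web/$host.key" 2048 2>/dev/null
  openssl req -new -key "$dir/web/$host.key" -config "$dir/req.cnf" \
    -subj "/CN=$host" -out "$dir/web/$host.csr"
  if [ "${3:-san}" = san ]; then
    printf '%s\n' "keyUsage = digitalSignature, keyEncipherment" \
      "extendedKeyUsage = serverAuth" "subjectAltName = @SubjectAlternativeName" \
      "[ SubjectAlternativeName ]" "DNS.1 = $host" "DNS.2 = *.$host" > "$dir/web/$host.ext"
    extra="-extfile $dir/web/$host.ext"   # left unquoted below on purpose (no spaces in paths)
  fi
  openssl x509 -req -in "$dir/web/$host.csr" -CA "$dir/local/boot.pem" \
    -CAkey "$dir/local/boot.key" -CAcreateserial -days 825 -sha256 \
    $extra -out "$dir/web/$host.crt" 2>/dev/null
}

# Returns 0 only if the cert chains to the CA and its subjectAltName lists host $2;
# a matching CN alone is not enough, which is what Chrome's error is about.
cert_ok_for_host() {
  openssl verify -CAfile "$1/local/boot.pem" "$1/web/$2.crt" >/dev/null 2>&1 &&
    openssl x509 -in "$1/web/$2.crt" -noout -text | grep -q "DNS:$2"
}
```

    Run make_ca on a directory, then issue_cert for the host with and without "san", and compare what cert_ok_for_host says about the two results.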

    4. Deploy the application certificate

    Upload the application certificate app.crt and its key app.key from the web directory to the server, then configure HTTPS on the server.

    Example nginx configuration:

    server {
         listen 443 ssl;
         server_name test.app.com;
         root /www/public;
         ssl_certificate "/usr/local/nginx/conf/cert/app.crt";
         ssl_certificate_key "/usr/local/nginx/conf/cert/app.key";
    }

    Reference article: https://www.cnblogs.com/will-space/p/11913744.html

  • Original article: https://www.cnblogs.com/springwind2006/p/14273387.html