  • A domain certificate file contains two certificates

    A single-domain certificate file generated through Alibaba Cloud (Aliyun).

    1. Single-domain certificate file

    1.1 Certificate contents

    pem]$ cat 2048227_www.xxx.com.cn.pem 
    -----BEGIN CERTIFICATE-----
    MIIFmDCCBICgAwIBAgIQCEZS6MCdneB/9dgvdbLKLDANBgkqhkiG9w0BAQsFADBu
    ......
    q9kYr+G8Ga0ILktc0/kgDeEEYCiMj0GCdKfAdEBCWsmSo9LFMqcSCr+zUSw=
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    MIIEqjCCA5KgAwIBAgIQAnmsRYvBskWr+YBTzSybsTANBgkqhkiG9w0BAQsFADBh
    ......
    rMKWaBFLmfK/AHNF4ZihwPGOc7w6UHczBZXH5RFzJNnww+WnKuTPI0HfnVH8lg==
    -----END CERTIFICATE-----
    

    1.2 Write the two certificates to separate files and inspect them

    First certificate

    This certificate was issued by Encryption Everywhere DV TLS CA - G1 to www.xxx.com.cn.

    pem]$ openssl x509 -in 1.pem -text
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number:
                ......
            Signature Algorithm: sha256WithRSAEncryption
            Issuer: C = US, O = DigiCert Inc, OU = www.digicert.com, CN = Encryption Everywhere DV TLS CA - G1
            Validity
                Not Before: Apr 11 00:00:00 2019 GMT
                Not After : Apr 10 12:00:00 2020 GMT
            Subject: CN = www.xxx.com.cn
            Subject Public Key Info:
                ......
            X509v3 extensions:
                ......
        Signature Algorithm: sha256WithRSAEncryption
             ......
    

    Second certificate

    This certificate was issued by DigiCert Global Root CA to Encryption Everywhere DV TLS CA - G1.

    pem]$ openssl x509 -in 2.pem -text
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number:
                02:79:ac:45:8b:c1:b2:45:ab:f9:80:53:cd:2c:9b:b1
            Signature Algorithm: sha256WithRSAEncryption
            Issuer: C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
            Validity
                Not Before: Nov 27 12:46:10 2017 GMT
                Not After : Nov 27 12:46:10 2027 GMT
            Subject: C = US, O = DigiCert Inc, OU = www.digicert.com, CN = Encryption Everywhere DV TLS CA - G1
            Subject Public Key Info:
                 ......
            X509v3 extensions:
                 ......
        Signature Algorithm: sha256WithRSAEncryption
             ......
    

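    1.3 Conclusion

    So DigiCert Global Root CA is the root CA; Encryption Everywhere DV TLS CA - G1 is its subordinate, the intermediate CA; and the intermediate CA issues the domain certificate for www.xxx.com.cn.

    2. Wildcard certificate file

    A wildcard certificate generated with Let's Encrypt: xxx.com *.xxx.com

    2.1 Certificate contents

    Again, the file contains two certificates.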

    -----BEGIN CERTIFICATE-----
    MIIFXjCCBEagAwIBAgISAybDGjCLRsJDjUnQ1qNen2QbMA0GCSqGSIb3DQEBCwUA
    ......
    kbCSfpYWgkJhFbHnVsP8LKn9ftgudQEKJRfEEGzLwEbw9w==
    -----END CERTIFICATE-----
    
    -----BEGIN CERTIFICATE-----
    MIIEkjCCA3qgAwIBAgIQCgFBQgAAAVOFc2oLheynCDANBgkqhkiG9w0BAQsFADA/
    ......
    KOqkqm57TH2H3eDJAkSnh6/DNFu0Qg==
    -----END CERTIFICATE-----
    

    2.2 Write the two certificates to separate files and inspect them

    First certificate

    Issued by Let's Encrypt Authority X3 to xxx.com.

    [root@ubuntu ~]$ openssl x509 -in 1.pem -text
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number:
                ......
            Signature Algorithm: sha256WithRSAEncryption
            Issuer: C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
            Validity
                Not Before: Jun 22 22:32:16 2020 GMT
                Not After : Sep 20 22:32:16 2020 GMT
            Subject: CN = xxx.com
            Subject Public Key Info:
                ......
            X509v3 extensions:
                  ......
        Signature Algorithm: sha256WithRSAEncryption
             ......
    

    Second certificate

    The intermediate CA certificate, issued by DST Root CA X3 to Let's Encrypt Authority X3.

    [root@ubuntu ~]$ openssl x509 -in 2.pem -text
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number:
                0a:01:41:42:00:00:01:53:85:73:6a:0b:85:ec:a7:08
            Signature Algorithm: sha256WithRSAEncryption
            Issuer: O = Digital Signature Trust Co., CN = DST Root CA X3
            Validity
                Not Before: Mar 17 16:40:46 2016 GMT
                Not After : Mar 17 16:40:46 2021 GMT
            Subject: C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
            Subject Public Key Info:
                ......
            X509v3 extensions:
                ......
        Signature Algorithm: sha256WithRSAEncryption
             ......
    

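    2.3 Conclusion

    So DST Root CA X3 is the root CA; it issued the intermediate CA certificate to Let's Encrypt Authority X3, and Let's Encrypt Authority X3 issued the certificate to xxx.com.

    3. Conclusion

    Every domain certificate file must include the intermediate CA certificate section.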
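The manual steps in 1.2 and 2.2 (split the file, inspect each part, compare issuer with subject) written as a script. This is an added example, not part of the original post; the function names are hypothetical, and it assumes `openssl`, `awk` and `mktemp` are installed.

```shell
#!/bin/sh
# Added example (not from the original post); function names are hypothetical.

# split_bundle FILE DIR: write each PEM block in FILE to DIR/1.pem, DIR/2.pem, ...
# in file order, skipping any lines between blocks; prints the block count.
split_bundle() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/" n ".pem" }
        out != ""                     { print > out }
        /-----END CERTIFICATE-----/   { close(out); out = "" }
        END                           { print n + 0 }
    ' "$1"
}

# chain_order_ok DIR COUNT: succeeds only if there are at least two certificates
# and each one's Issuer equals the Subject of the next (leaf, then intermediate).
chain_order_ok() (
    [ "$2" -ge 2 ] || exit 1
    i=1
    while [ "$i" -lt "$2" ]; do
        issuer=$(openssl x509 -in "$1/$i.pem" -noout -issuer -nameopt RFC2253)
        subject=$(openssl x509 -in "$1/$((i + 1)).pem" -noout -subject -nameopt RFC2253)
        [ "${issuer#issuer=}" = "${subject#subject=}" ] || exit 1
        i=$((i + 1))
    done
)

# inspect_bundle FILE: split FILE, print subject, issuer and expiry of every
# certificate in it, then report whether the intermediate is present and in order.
inspect_bundle() (
    dir=$(mktemp -d) || exit 1
    count=$(split_bundle "$1" "$dir")
    i=1
    while [ "$i" -le "$count" ]; do
        echo "== certificate $i of $count"
        openssl x509 -in "$dir/$i.pem" -noout -subject -issuer -enddate
        i=$((i + 1))
    done
    if chain_order_ok "$dir" "$count"; then
        echo "OK: leaf is followed by the certificate of its issuer"
    else
        echo "PROBLEM: intermediate missing or certificates out of order" >&2
        exit 1
    fi
)

# Run as: sh inspect.sh 2048227_www.xxx.com.cn.pem
[ "$#" -eq 0 ] || inspect_bundle "$1"
```

The issuer/subject comparison only checks names and ordering; it does not verify signatures or validity dates.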

  • Original article: https://www.cnblogs.com/uscWIFI/p/13958198.html