Domain certificate files contain two certificates
A single-domain certificate file generated through Alibaba Cloud
1. Single-domain certificate file
1.1 Certificate contents
pem]$ cat 2048227_www.xxx.com.cn.pem
-----BEGIN CERTIFICATE-----
MIIFmDCCBICgAwIBAgIQCEZS6MCdneB/9dgvdbLKLDANBgkqhkiG9w0BAQsFADBu
......
q9kYr+G8Ga0ILktc0/kgDeEEYCiMj0GCdKfAdEBCWsmSo9LFMqcSCr+zUSw=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIEqjCCA5KgAwIBAgIQAnmsRYvBskWr+YBTzSybsTANBgkqhkiG9w0BAQsFADBh
......
rMKWaBFLmfK/AHNF4ZihwPGOc7w6UHczBZXH5RFzJNnww+WnKuTPI0HfnVH8lg==
-----END CERTIFICATE-----
1.2 Write the two segments to separate files and inspect them
First segment
This certificate was issued by Encryption Everywhere DV TLS CA - G1 to www.xxx.com.cn
pem]$ openssl x509 -in 1.pem -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
......
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = US, O = DigiCert Inc, OU = www.digicert.com, CN = Encryption Everywhere DV TLS CA - G1
Validity
Not Before: Apr 11 00:00:00 2019 GMT
Not After : Apr 10 12:00:00 2020 GMT
Subject: CN = www.xxx.com.cn
Subject Public Key Info:
......
X509v3 extensions:
......
Signature Algorithm: sha256WithRSAEncryption
......
Second segment
This certificate was issued by DigiCert Global Root CA to Encryption Everywhere DV TLS CA - G1
pem]$ openssl x509 -in 2.pem -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
02:79:ac:45:8b:c1:b2:45:ab:f9:80:53:cd:2c:9b:b1
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
Validity
Not Before: Nov 27 12:46:10 2017 GMT
Not After : Nov 27 12:46:10 2027 GMT
Subject: C = US, O = DigiCert Inc, OU = www.digicert.com, CN = Encryption Everywhere DV TLS CA - G1
Subject Public Key Info:
......
X509v3 extensions:
......
Signature Algorithm: sha256WithRSAEncryption
......
1.3 Conclusion
So DigiCert Global Root CA is the root CA; Encryption Everywhere DV TLS CA - G1 is its subordinate, an intermediate CA; and the intermediate CA issued the domain certificate to www.xxx.com.cn. Note that the Issuer of the first segment is exactly the Subject of the second segment: that match is how a client links the two into a chain.
2. Wildcard domain certificate file
A wildcard certificate generated with letsencrypt, covering xxx.com and *.xxx.com
2.1 Certificate contents
Again two segments
-----BEGIN CERTIFICATE-----
MIIFXjCCBEagAwIBAgISAybDGjCLRsJDjUnQ1qNen2QbMA0GCSqGSIb3DQEBCwUA
......
kbCSfpYWgkJhFbHnVsP8LKn9ftgudQEKJRfEEGzLwEbw9w==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIEkjCCA3qgAwIBAgIQCgFBQgAAAVOFc2oLheynCDANBgkqhkiG9w0BAQsFADA/
......
KOqkqm57TH2H3eDJAkSnh6/DNFu0Qg==
-----END CERTIFICATE-----
2.2 Write the two segments to separate files and inspect them
First segment
Issued by Let's Encrypt Authority X3 to xxx.com (the Subject shows only CN = xxx.com; the *.xxx.com name is carried in the Subject Alternative Name extension, which is elided below)
[root@ubuntu ~]$ openssl x509 -in 1.pem -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
......
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
Validity
Not Before: Jun 22 22:32:16 2020 GMT
Not After : Sep 20 22:32:16 2020 GMT
Subject: CN = xxx.com
Subject Public Key Info:
......
X509v3 extensions:
......
Signature Algorithm: sha256WithRSAEncryption
......
Second segment
The intermediate CA certificate issued by DST Root CA X3 to Let's Encrypt Authority X3
[root@ubuntu ~]$ openssl x509 -in 2.pem -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
0a:01:41:42:00:00:01:53:85:73:6a:0b:85:ec:a7:08
Signature Algorithm: sha256WithRSAEncryption
Issuer: O = Digital Signature Trust Co., CN = DST Root CA X3
Validity
Not Before: Mar 17 16:40:46 2016 GMT
Not After : Mar 17 16:40:46 2021 GMT
Subject: C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
Subject Public Key Info:
......
X509v3 extensions:
......
Signature Algorithm: sha256WithRSAEncryption
......
2.3 Conclusion
So DST Root CA X3 is the root CA; it issued the intermediate CA certificate to Let's Encrypt Authority X3, and Let's Encrypt Authority X3 issued the certificate to xxx.com.
3. Conclusion
Every domain certificate file must include the intermediate CA certificate segment, placed after the domain (leaf) certificate. Clients carry the root CAs in their own trust store but generally not the intermediates, so the server has to send the intermediate; if that segment is dropped from the file, clients that do not fetch missing intermediates themselves reject the connection with an "unable to get local issuer certificate" / incomplete chain error. The root certificate itself does not need to be in the file, since the client already has it. To check what a server actually sends, run openssl s_client -connect www.xxx.com.cn:443 -servername www.xxx.com.cn -showcerts and confirm that both segments appear, leaf first.
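The two-segment layout described above, as an added example that is not part of the original post: a POSIX shell script that splits a PEM bundle into one file per segment, prints each segment's Subject and Issuer, checks that each segment is issued by the next one (the ordering rule of the files shown above), and then uses a throwaway root -> intermediate -> leaf chain generated locally (constructed names under "Example Test" and www.example.test, nothing from a real CA) to show with openssl verify that the leaf fails to validate against the root alone and succeeds once the intermediate segment is supplied. It assumes a POSIX sh, awk and the openssl command-line tool.

```shell
#!/bin/sh
# Added example, not from the original post. Splits a PEM bundle laid out
# like the ones above (leaf first, then intermediate), reports who issued
# what, and shows with `openssl verify` why the intermediate segment must
# be present. Requires POSIX sh, awk and the openssl CLI.
set -eu

# split_pem_bundle BUNDLE OUTDIR
# Writes OUTDIR/1.pem, OUTDIR/2.pem, ... one per BEGIN/END CERTIFICATE block,
# in file order, and prints how many segments were written.
split_pem_bundle() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/" n ".pem"; inside = 1 }
        inside { print > out }
        /-----END CERTIFICATE-----/ { inside = 0; close(out) }
        END { print n + 0 }
    ' "$1"
}

# cert_field FILE subject|issuer -> the Name in one-line RFC 2253 form
cert_field() {
    openssl x509 -in "$1" -noout "-$2" -nameopt RFC2253 | sed 's/^[^=]*= *//'
}

# chain_links DIR N -> succeeds if segment i was issued by segment i+1 for all i<N.
# Comparing the printed names is enough to check the *order* of a bundle; the
# real validation (signatures, key identifiers, CA constraints) is done by
# `openssl verify` in leaf_verifies below.
chain_links() {
    i=1
    while [ "$i" -lt "$2" ]; do
        next=$((i + 1))
        [ "$(cert_field "$1/$i.pem" issuer)" = "$(cert_field "$1/$next.pem" subject)" ] || return 1
        i=$next
    done
}

# leaf_verifies ROOT LEAF [INTERMEDIATE]
# Mirrors a client: only ROOT is trusted; INTERMEDIATE, if given, is untrusted
# chain material the server would have sent (the second segment of the bundle).
leaf_verifies() {
    if [ "$#" -ge 3 ]; then
        openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
    else
        openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
    fi
}

# make_test_chain DIR
# Builds a throwaway root -> intermediate -> leaf chain (constructed names,
# 30-day validity, keys never leave DIR) so the checks can run offline.
make_test_chain() {
    d="$1"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.test\n' > "$d/leaf.ext"
    for name in root int leaf; do
        case $name in
            root) subj="/O=Example Test/CN=Example Test Root CA" ;;
            int)  subj="/O=Example Test/CN=Example Test Intermediate CA" ;;
            leaf) subj="/CN=www.example.test" ;;
        esac
        openssl req -new -newkey rsa:2048 -nodes -keyout "$d/$name.key" \
            -out "$d/$name.csr" -subj "$subj" 2>/dev/null
    done
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -extfile "$d/ca.ext" \
        -days 30 -out "$d/root.pem" 2>/dev/null
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -extfile "$d/ca.ext" -days 30 -out "$d/int.pem" 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
        -CAcreateserial -extfile "$d/leaf.ext" -days 30 -out "$d/leaf.pem" 2>/dev/null
}

main() {
    work=$(mktemp -d)
    make_test_chain "$work"
    # A bundle in the layout of the files above: leaf, then intermediate.
    cat "$work/leaf.pem" "$work/int.pem" > "$work/bundle.pem"
    mkdir "$work/split"
    n=$(split_pem_bundle "$work/bundle.pem" "$work/split")
    echo "segments: $n"
    i=1
    while [ "$i" -le "$n" ]; do
        echo "segment $i: subject=$(cert_field "$work/split/$i.pem" subject)"
        echo "           issuer=$(cert_field "$work/split/$i.pem" issuer)"
        i=$((i + 1))
    done
    chain_links "$work/split" "$n" && echo "order ok: each segment is issued by the next"
    leaf_verifies "$work/root.pem" "$work/split/1.pem" \
        && echo "root only: OK" || echo "root only: FAILS (no local issuer)"
    leaf_verifies "$work/root.pem" "$work/split/1.pem" "$work/split/2.pem" \
        && echo "root + intermediate segment: OK"
    rm -rf "$work"
}

main
```

Run it as-is to see the two verify outcomes side by side; to inspect a real bundle such as the Alibaba Cloud or letsencrypt file above, call split_pem_bundle on that file and cert_field on the resulting 1.pem and 2.pem instead of the generated chain. The -untrusted flag is the command-line equivalent of the second segment being served by the web server: the intermediate is supplied but not trusted on its own, and only links up because the root in -CAfile signed it.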