There are plenty of guides online for building your own CA and self-signed certificates, but after generating mine and importing the CA certificate into the client, Chrome kept showing the following error when visiting the site:
NET::ERR_CERT_COMMON_NAME_INVALID
This server could not prove that it is domain.com; its security certificate does not specify Subject Alternative Names. This may be caused by a misconfiguration or an attacker intercepting your connection.
I always assumed this was Chrome's security being too strict, since Firefox and IE did not have the problem, but later I found out that the self-signed certificate itself was defective.
I. Install openssl
[root@server ~]# sudo apt-get install openssl
II. Create the root certificate
# Create the directory for the local root certificate
[root@server ~]# mkdir -p certs/local && cd certs
# Generate the root key
[root@server ~/certs]# openssl genrsa -out local/boot.key 2048
Generating RSA private key, 2048 bit long modulus
.................................+++
.......................................+++
e is 65537 (0x10001)
# Generate the root CA certificate; the -days option sets the validity period (unit: days)
[root@server ~/certs]# openssl req -x509 -new -key local/boot.key -out local/boot.pem -days 3650
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) []:CN
State or Province Name (full name) []:Beijing
Locality Name (eg, city) []:Beijing
Organization Name (eg, company) []:Steeze
Organizational Unit Name (eg, section) []:https://www.steeze.cn
Common Name (eg, fully qualified host name) []:Steeze
Email Address []:402085437@qq.com
Once generated, import the root certificate file local/boot.pem into the browser and into the operating system's trust store.
III. Issue the application certificate
1. Create the application certificate request
# Create the application certificate directory
[root@server ~/certs]# mkdir web
# Generate the application certificate key
[root@server ~/certs]# openssl genrsa -out web/app.key 2048
Generating RSA private key, 2048 bit long modulus
.........................................................................................................+++
.....................+++
e is 65537 (0x10001)
# Generate the certificate signing request
[root@server ~/certs]# openssl req -new -key web/app.key -out web/app.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) []:CN
State or Province Name (full name) []:Chongqing
Locality Name (eg, city) []:Chongqing
Organization Name (eg, company) []:Steeze app
Organizational Unit Name (eg, section) []:https://www.app.com
Common Name (eg, fully qualified host name) []:App of steeze
Email Address []:spring.wind2006@163.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
2. Create the certificate extension file
This file fixes Chrome's NET::ERR_CERT_COMMON_NAME_INVALID error (Chrome does not match the host name against the certificate's Common Name and requires a Subject Alternative Name). The file used to issue an IP-address-based certificate differs from the one used for a domain-name-based certificate:
(1). IP-address-based certificate
[root@server ~/certs]# vim web/app.ext
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName=@SubjectAlternativeName
[ SubjectAlternativeName ]
IP.1=192.168.1.1
IP.2=192.168.1.2
(2). Domain-name-based certificate (the wildcard "*" may be used)
[root@server ~/certs]# vim web/app.ext
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName=@SubjectAlternativeName
[ SubjectAlternativeName ]
DNS.1=app.com
DNS.2=*.app.com
DNS.3=test.com
DNS.4=*.test.com
extendedKeyUsage sets the certificate's purpose, i.e. its intended use; the common values are:
serverAuth: assures the identity of the remote computer
clientAuth: proves your identity to the remote computer
codeSigning: ensures the software comes from its publisher and protects it from modification after release
emailProtection: protects e-mail messages
timeStamping: allows data to be signed with the current time
If it is not specified, the default is "all application policies".
3. Issue the certificate
[root@server ~/certs]# openssl x509 -req -in web/app.csr -CA local/boot.pem -CAkey local/boot.key -CAcreateserial -out web/app.crt -days 3650 -sha256 -extfile web/app.ext
Signature ok
subject=/C=CN/ST=Chongqing/L=Chongqing/O=Steeze app/OU=https://www.app.com/CN=App of steeze/emailAddress=spring.wind2006@163.com
Getting CA Private Key
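The steps above run non-interactively as a POSIX sh script, followed by the check a practitioner wants before deploying: that the issued certificate really carries the subjectAltName Chrome requires, which "openssl verify" alone does not tell you. This is an added example, not the original post's session; the function names, the comma-separated SAN list format and the -subj values are assumptions.

```shell
# Constructed example (not the post's session): the procedure above made
# non-interactive, plus the check Chrome actually insists on, a SAN entry.
set -eu

# Extension file from a SAN list such as "DNS:app.com,DNS:*.app.com" or "IP:192.168.1.1".
write_ext() {  # $1 = path of app.ext, $2 = SAN list (assumed input format)
    cat > "$1" <<EOF
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = $2
EOF
}

# Root CA and leaf under $1. An empty SAN list means no -extfile: the defective
# CN-only certificate the post starts with, kept here to show the contrast.
issue_san_cert() {  # $1 = workdir, $2 = leaf CN, $3 = SAN list or ""
    mkdir -p "$1/local" "$1/web"
    openssl genrsa -out "$1/local/boot.key" 2048 2>/dev/null
    openssl req -x509 -new -key "$1/local/boot.key" -out "$1/local/boot.pem" \
        -days 3650 -subj "/C=CN/O=Steeze/CN=Steeze"
    openssl genrsa -out "$1/web/app.key" 2048 2>/dev/null
    openssl req -new -key "$1/web/app.key" -out "$1/web/app.csr" \
        -subj "/C=CN/O=Steeze app/CN=$2"
    extopt=""
    [ -n "$3" ] && { write_ext "$1/web/app.ext" "$3"; extopt="-extfile $1/web/app.ext"; }
    openssl x509 -req -in "$1/web/app.csr" -CA "$1/local/boot.pem" \
        -CAkey "$1/local/boot.key" -CAcreateserial -out "$1/web/app.crt" \
        -days 3650 -sha256 $extopt 2>/dev/null
}

# Chrome matches the host only against subjectAltName, never the CN, so look
# for the SAN entry itself. Returns 0 when $1 has a DNS/IP SAN equal to $2.
check_san() {  # $1 = certificate, $2 = host name (may be "*.app.com") or IP
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/$/,/' \
        | grep -qF -e "DNS:$2," -e "IP Address:$2,"
}

# Chain check against the imported root. Caveat: "openssl verify -verify_hostname"
# falls back to the CN and passes a CN-only certificate that Chrome rejects.
verify_chain() {  # $1 = workdir
    openssl verify -CAfile "$1/local/boot.pem" "$1/web/app.crt" >/dev/null
}

d=$(mktemp -d)
issue_san_cert "$d" "App of steeze" ""
check_san "$d/web/app.crt" app.com || echo "CN-only certificate: no SAN, Chrome rejects it"
issue_san_cert "$d" "App of steeze" "DNS:app.com,DNS:*.app.com,IP:192.168.1.1"
check_san "$d/web/app.crt" app.com && verify_chain "$d" && echo "SAN present, chain OK"
rm -rf "$d"
```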
4. Deploy the application certificate
Upload the application certificate app.crt and its private key app.key from the web directory to the server, then configure the server for HTTPS.
Example nginx server configuration:
server {
listen 443 ssl;
server_name test.app.com;
root /www/public;
ssl_certificate "/usr/local/nginx/conf/cert/app.crt";
ssl_certificate_key "/usr/local/nginx/conf/cert/app.key";
}
Reference: https://www.cnblogs.com/will-space/p/11913744.html