In the previous article we covered signing multi-domain certificates with OpenSSL by putting several CNs in the subject. In real use this ran into a problem: the Android browser does not recognize multiple CN entries and reports "The certificate name does not match the server name". At first I suspected the self-signed CA, but the error went away as soon as I switched back to a single CN, so I had no choice but to use another method. After a long search, Google turned up the following approach (Subject Alternative Name entries instead of multiple CNs).
The main changes are in openssl.cnf.
# Make sure the following two lines are present under [ req ] (the first is there by default, the second is commented out):
[ req ]
distinguished_name = req_distinguished_name
req_extensions = v3_req
# Make sure there are no "0.xxx" labels in [ req_distinguished_name ]; if there are, strip the "0." prefix from them.
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = CN
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Shanghai
localityName = Locality Name (eg, city)
localityName_default = Shanghai
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = Domain Control Validated
commonName = Internet Widgits Ltd
commonName_max = 64
# Add subjectAltName = @alt_names (the first two lines exist by default):
[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
# Add the [ alt_names ] section. Note the spacing around the bracketed section name. Add as many DNS.x entries as you need.
[ alt_names ]
DNS.1 = abc.example.com
DNS.2 = dfe.example.org
DNS.3 = ex.abcexpale.net
Other steps:
The CA directory and files that openssl.cnf refers to must already exist:
# mkdir -p ca/{certs,crl,newcerts,private}
# touch ca/index.txt
# echo 00 > ca/serial
1. Generate ca.key and a self-signed CA certificate
openssl req -new -x509 -days 3650 -keyout ca.key -out ca.crt -config openssl.cnf
2. Generate server.key (the name is not important)
openssl genrsa -out server.key 2048
3. Generate a certificate signing request
openssl req -new -key server.key -out server.csr -config openssl.cnf
Just enter the primary domain name for "Common Name".
4. View the request file
openssl req -text -noout -in server.csr
You can see the following content:
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=US, ST=Texas, L=Fort Worth, O=My Company, OU=My Department, CN=server.example
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public Key: (2048 bit)
                    Modulus (2048 bit): blahblahblah
                    Exponent: 65537 (0x10001)
        Attributes:
        Requested Extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage:
                Digital Signature, Non Repudiation, Key Encipherment
            X509v3 Subject Alternative Name:
                DNS:domain.example.com, DNS:xxx.example.com
    Signature Algorithm: sha1WithRSAEncryption
5. Use the self-signed CA to sign server.csr
openssl ca -in server.csr -out server.crt -cert ca.crt -keyfile ca.key -extensions v3_req -config openssl.cnf
# Enter the passphrase set in step 1 and press y.
server.crt and server.key are the files used by the web server.
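The whole procedure above, as an added example that is not part of the original post: a script that writes a minimal openssl.cnf with the [ v3_req ] and [ alt_names ] sections, issues the CA and the server certificate non-interactively, and then checks hostname matching the way a browser does. It signs with "openssl x509 -req -extfile ... -extensions v3_req" instead of the post's "openssl ca", so no ca/ directory layout is needed; the host names are the post's sample entries and "Test CA" is an assumed CA name.

```shell
# Added example: CA + SAN server cert, then hostname checks (assumed names, see lead-in).
set -e
write_config() {  # $1 = path of the openssl config to write
  cat > "$1" <<'EOF'
[ req ]
distinguished_name = req_distinguished_name
req_extensions     = v3_req
prompt             = no
[ req_distinguished_name ]
C  = CN
CN = abc.example.com
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage         = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName   = @alt_names
[ alt_names ]
DNS.1 = abc.example.com
DNS.2 = dfe.example.org
DNS.3 = ex.abcexpale.net
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage         = keyCertSign, cRLSign
EOF
}
make_san_cert() {  # $1 = working dir; produces ca.crt, server.key, server.crt there
  write_config "$1/san.cnf"
  openssl req -new -x509 -days 3650 -nodes -subj "/CN=Test CA" -extensions v3_ca \
    -config "$1/san.cnf" -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
  openssl genrsa -out "$1/server.key" 2048 2>/dev/null
  openssl req -new -key "$1/server.key" -config "$1/san.cnf" -out "$1/server.csr" 2>/dev/null
  # Without -extfile/-extensions the SAN carried in the CSR is silently dropped from the cert.
  openssl x509 -req -days 365 -in "$1/server.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
    -CAcreateserial -extfile "$1/san.cnf" -extensions v3_req -out "$1/server.crt" 2>/dev/null
}
san_list() {  # $1 = cert; prints "DNS:a,DNS:b,..." taken from the SAN extension
  openssl x509 -in "$1" -noout -text | sed -n '/Subject Alternative Name/{n;p;}' | tr -d ' '
}
san_matches() {  # $1 = cert, $2 = CA cert, $3 = hostname; exit 0 only when the name matches
  openssl verify -CAfile "$2" -verify_hostname "$3" "$1" >/dev/null 2>&1
}
d=$(mktemp -d)
make_san_cert "$d"
echo "SAN: $(san_list "$d/server.crt")"
san_matches "$d/server.crt" "$d/ca.crt" dfe.example.org && echo "dfe.example.org matches"
san_matches "$d/server.crt" "$d/ca.crt" www.example.com || echo "www.example.com does not match"
```

The last two lines are the check that matters for the Android error: a name listed under DNS.x passes, a name that is missing from the SAN fails even though the chain itself verifies.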
Nginx two-way authentication
If you want nginx to verify the client certificate, repeat steps 2, 3 and 4, then run the following command to generate a personal certificate:
5. Generate a personal certificate
openssl pkcs12 -export -inkey xxx.key -in xxx.crt -out xxx.p12
Import the personal certificate on the PC and add the following settings to the nginx SSL configuration:
ssl_verify_client on;
ssl_client_certificate ca.crt;
This article is from the "discretion" blog; please keep this source: http://colinzhouyj.blog.51cto.com/2265679/1566438
Adding a "Subject Alternative Name (DNS)" to an SSL certificate using OpenSSL