Add "Subject Alternative Name (DNS)" to an SSL certificate using OpenSSL

Source: Internet
Author: User
Tags: ssl certificate nginx ssl

In the previous article we covered signing multi-domain certificates with OpenSSL by putting several CNs into the subject (the multi-CN method). In actual use we ran into a problem: the Android browser does not recognise multi-CN domain names and reports "The certificate name does not match the server name". I first thought the self-signed CA was the problem, but everything worked once I switched to a single CN, so the multi-CN approach had to be replaced. After a long search, Google turned up the following method:


The main changes are in openssl.cnf.


# Make sure the following two lines exist under [req] (the first is present by default, the second is commented out)
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req


# Make sure there are no 0.xxx-prefixed labels under req_distinguished_name; if there are, strip the "0." prefix from them.
[req_distinguished_name]
countryName = Country Name (2 letter code)
countryName_default = CN
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Shanghai
localityName = Locality Name (eg, city)
localityName_default = Shanghai
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = Domain Control Validated
commonName = Internet Widgits Ltd
commonName_max = 64


# Add subjectAltName = @alt_names (the first two lines exist by default)
[v3_req]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names


# Add the alt_names section. Note the spacing around the brackets. Add as many DNS.x entries as you need.
[alt_names]
DNS.1 = abc.example.com
DNS.2 = dfe.example.org
DNS.3 = ex.abcexpale.net


Other steps:

openssl.cnf expects the following files and directories to exist:

mkdir -p ca/{certs,crl,newcerts,private}
touch ca/index.txt
echo 00 > ca/serial


1. Generate ca.key and the self-signed CA certificate
openssl req -new -x509 -days 3650 -keyout ca.key -out ca.crt -config openssl.cnf


2. Generate server.key (the name is not important)
openssl genrsa -out server.key 2048

3. Generate a certificate signing request
openssl req -new -key server.key -out server.csr -config openssl.cnf
For "Common Name", just enter the primary domain name.

4. View the request file
openssl req -text -noout -in server.csr
You should see something like the following:
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=US, ST=Texas, L=Fort Worth, O=My Company, OU=My Department, CN=server.example
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public Key: (2048 bit)
                    Modulus (2048 bit): blahblahblah
                    Exponent: 65537 (0x10001)
        Attributes:
            Requested Extensions:
                X509v3 Basic Constraints: CA:FALSE
                X509v3 Key Usage: Digital Signature, Non Repudiation, Key Encipherment
                X509v3 Subject Alternative Name: DNS:domain.example.com, DNS:xxx.example.com
    Signature Algorithm: sha1WithRSAEncryption

5. Use the self-signed CA to sign server.csr
openssl ca -in server.csr -out server.crt -cert ca.crt -keyfile ca.key -extensions v3_req -config openssl.cnf
# Enter the password set in step 1 and press Y.


server.crt and server.key are the files used by the web server.
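To see why the multi-CN certificate fails on Android while the SAN certificate above works, here is an added Python model of the hostname check a SAN-aware client performs; it is not code from the original post, the SAN lines and subject strings are constructed to mirror this page, and the legacy CN fallback is assumed to look only at the first CN (real clients differ on this, which is the point).

```python
# Added model of the hostname check a SAN-aware TLS client performs: when the
# certificate carries DNS SANs the CN is ignored, so a multi-CN certificate is
# a name mismatch. The legacy CN fallback (no SAN at all) is ASSUMED to consult
# only the first CN; real clients differ, which is why CN cannot be relied on.

def parse_san_line(line):
    """Parse an 'X509v3 Subject Alternative Name' value as printed by
    `openssl req -text`, e.g. 'DNS:a.example.com, DNS:b.example.org'."""
    names = []
    for part in line.split(','):
        part = part.strip()
        if part.upper().startswith('DNS:'):
            names.append(part.split(':', 1)[1].strip())
    return names

def parse_subject_cns(subject):
    """Return every CN value from a subject string such as
    'C=CN, CN=abc.example.com, CN=dfe.example.org'."""
    cns = []
    for part in subject.split(','):
        if '=' in part:
            key, value = part.split('=', 1)
            if key.strip().upper() == 'CN':
                cns.append(value.strip())
    return cns

def name_matches(pattern, hostname):
    """Case-insensitive DNS match; a wildcard may only be the whole left-most
    label and must leave at least two further labels (*.example.com)."""
    pattern, hostname = pattern.lower().rstrip('.'), hostname.lower().rstrip('.')
    if '*' not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split('.'), hostname.split('.')
    if p_labels[0] != '*' or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]

def hostname_matches(hostname, san_line, subject):
    """Return (matched, 'SAN' | 'CN') depending on which rule decided."""
    sans = parse_san_line(san_line)
    if sans:
        return any(name_matches(s, hostname) for s in sans), 'SAN'
    cns = parse_subject_cns(subject)
    return (bool(cns) and name_matches(cns[0], hostname)), 'CN'

# Constructed inputs: the SAN certificate from openssl.cnf above, and the multi-CN one Android rejected.
SAN_CERT = ('DNS:abc.example.com, DNS:dfe.example.org, DNS:ex.abcexpale.net',
            'C=CN, ST=Shanghai, CN=abc.example.com')
MULTI_CN_CERT = ('', 'C=CN, ST=Shanghai, CN=abc.example.com, CN=dfe.example.org')
```

Feeding the second domain of the multi-CN certificate to hostname_matches shows the mismatch Android reported, while the same name is accepted from the SAN list.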

Nginx two-way authentication

If you want nginx to verify client certificates, repeat steps 2, 3 and 4 and then run the following command to generate a personal certificate
5. Generate a personal certificate
openssl pkcs12 -export -inkey xxx.key -in xxx.crt -out xxx.p12

Import the personal certificate on the PC and add the following to the nginx SSL configuration:
ssl_verify_client on;
ssl_client_certificate ca.crt;


This article is from the "discretion" blog; please keep this source link: http://colinzhouyj.blog.51cto.com/2265679/1566438
