A self-built OpenSSL CA signs single-domain certificates by default. Since one server often serves several HTTPS domain names, it is much more convenient to sign a single multi-domain certificate. I searched for a long time today and, apart from a few certificate-vendor websites whose CSR tools let you add "Subject Alternative Names", found no OpenSSL-based method.
So I went through openssl.cnf and found a way; it is recorded here:
!! This method is too cumbersome. If you have other methods, please leave me a message. Thank you very much.
Main change in openssl.cnf
In the [ req_distinguished_name ] section, change the original
commonName = Common Name (eg, your name or your server's hostname)
commonName_max = 64
to
0.commonName = Common Name (eg, your name or your server's hostname)
0.commonName_max = 64
That is, prefix the entries with "0.". To add further domain names, add the same pair of lines again with the sequence number incremented each time (the number before the dot only makes the key names unique; the 64-character limit is the X.520 upper bound for commonName):
Caveat: this only puts several commonName attributes into the subject DN. Browsers stopped matching the hostname against the CN years ago (Chrome since version 58) and only honour names listed in a subjectAltName extension, and the CN approach also cannot express IP addresses cleanly. For anything beyond a lab setup, put the extra names into subjectAltName instead of the CN.
0.commonName = Common Name (eg, your name or your server's hostname)
0.commonName_max = 64
1.commonName = Other common name
1.commonName_max = 64
......
Other steps:
Some files and directories referenced in openssl.cnf must exist. They are the ones named by dir, new_certs_dir, database and serial in the [ CA_default ] section; the stock config points at ./demoCA, so either set dir = ./ca there or use the default directory name instead of ca:
mkdir -p ca/{certs,crl,newcerts,private}
touch ca/index.txt
echo 00 > ca/serial
1. Generate ca.key and a self-signed CA certificate (you will be asked for a passphrase for ca.key; remember it for step 4)
openssl req -new -x509 -days 3650 -keyout ca.key -out ca.crt -config openssl.cnf
2. Generate server.key (the file name does not matter)
openssl genrsa -out server.key 2048
3. Generate a certificate signing request
openssl req -new -key server.key -out server.csr -config openssl.cnf
The common names are entered in this step, one prompt per numbered entry. If you do not need all of them, just press Enter at the remaining prompts.
4. Use the self-signed CA to sign server.csr
openssl ca -in server.csr -out server.crt -cert ca.crt -keyfile ca.key -config openssl.cnf
# Enter the passphrase set in step 1 and answer y at the "Sign the certificate?" and "commit?" prompts.
server.crt and server.key are the files used by the web server.
Nginx two-way (mutual) authentication
If you want nginx to verify a client certificate, repeat steps 2, 3 and 4 to produce a key and certificate for the client (use different file names so you do not overwrite the server's server.key and server.crt), then run the following command to export a personal PKCS#12 certificate (you will be asked for an export password):
openssl pkcs12 -export -inkey server.key -in server.crt -out server.p12
Import the personal certificate on the PC and add the following to the nginx SSL settings; ssl_client_certificate must be the CA certificate that signed the client certificates, since nginx rejects any client certificate that does not chain to it:
ssl_verify_client on;
ssl_client_certificate ca.crt;
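As an added example (not the blog's own commands), the following script issues the same two kinds of certificate from a private CA, but puts the extra domain names into a subjectAltName extension instead of repeated commonName entries, and then adds the client certificate for the mutual-authentication section, bundled as PKCS#12. It signs with openssl x509 -req -CA, which needs none of the index.txt/serial bookkeeping that openssl ca requires. The file names (ca.crt, server.*, alice.*), the domain names, the export password and the 825-day lifetime are assumptions for the demo; the keys are written without a passphrase so it runs unattended.

```shell
#!/bin/sh
# Added example: private CA issuing a SAN (multi-domain) server certificate
# and a client certificate for nginx ssl_verify_client, openssl CLI only.
# All file names and domain names below are assumptions for the demo.

WORK="${WORK:-$(mktemp -d)}"   # scratch directory for keys and certs

# Extension fragment the CA applies at signing time. $1 is "server" or
# "client"; remaining arguments are DNS names for subjectAltName (may be empty).
ext_config() {
    kind="$1"; shift
    printf 'basicConstraints = CA:FALSE\n'
    printf 'keyUsage = digitalSignature, keyEncipherment\n'
    if [ "$kind" = server ]; then
        printf 'extendedKeyUsage = serverAuth\n'
    else
        printf 'extendedKeyUsage = clientAuth\n'
    fi
    if [ $# -gt 0 ]; then
        printf 'subjectAltName = @alt_names\n\n[alt_names]\n'
        i=1
        for name in "$@"; do
            printf 'DNS.%d = %s\n' "$i" "$name"
            i=$((i + 1))
        done
    fi
}

# Self-signed CA, 10 years. -nodes leaves ca.key unencrypted (demo only).
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/CN=Example Private CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# Issue a certificate signed by the CA. $1 kind, $2 file basename, $3 CN,
# remaining arguments = SAN DNS names. 825 days is Apple's limit for leaf certs.
issue_cert() {
    kind="$1"; base="$2"; cn="$3"; shift 3
    ext_config "$kind" "$@" > "$WORK/$base.ext"
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$cn" \
        -keyout "$WORK/$base.key" -out "$WORK/$base.csr" 2>/dev/null &&
    openssl x509 -req -in "$WORK/$base.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 825 -extfile "$WORK/$base.ext" \
        -out "$WORK/$base.crt" 2>/dev/null
}

# Bundle key + cert into PKCS#12 for import on the PC. $1 basename, $2 password
# (passed on the command line only because this is a demo).
bundle_p12() {
    openssl pkcs12 -export -inkey "$WORK/$1.key" -in "$WORK/$1.crt" \
        -out "$WORK/$1.p12" -passout "pass:$2"
}

# Number of DNS names in the certificate's subjectAltName extension.
san_dns_count() {
    openssl x509 -in "$WORK/$1.crt" -noout -text | grep -o 'DNS:[^,]*' | wc -l | tr -d ' '
}

# Would a client trusting ca.crt accept certificate $1 for hostname $2?
verify_for_host() {
    openssl verify -CAfile "$WORK/ca.crt" -verify_hostname "$2" "$WORK/$1.crt" >/dev/null 2>&1
}

# Would nginx (ssl_verify_client on; ssl_client_certificate ca.crt) accept $1
# as a client certificate? Checks the chain and the clientAuth purpose.
verify_client() {
    openssl verify -CAfile "$WORK/ca.crt" -purpose sslclient "$WORK/$1.crt" >/dev/null 2>&1
}

main() {
    make_ca
    issue_cert server server www.example.com www.example.com api.example.com example.com
    issue_cert client alice alice
    bundle_p12 alice changeit
    echo "server.crt carries $(san_dns_count server) SAN DNS names"
    verify_for_host server api.example.com && echo "api.example.com: accepted"
    verify_for_host server other.example.org || echo "other.example.org: rejected"
    verify_client alice && echo "alice.crt: acceptable to ssl_verify_client"
    verify_client server || echo "server.crt: rejected as a client certificate"
    echo "files are in $WORK"
}

if command -v openssl >/dev/null 2>&1; then main; else echo "openssl not found" >&2; fi
```

The verify_client check is the same decision nginx makes with ssl_verify_client on: the certificate must chain to ca.crt and must be usable for client authentication, which is why the server certificate (extendedKeyUsage serverAuth) is rejected there even though it was signed by the same CA. Import alice.p12 on the PC and nginx will accept that browser.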
This article is from the "discretion" blog; please keep this source when reproducing it: http://colinzhouyj.blog.51cto.com/2265679/1564916
Use OpenSSL to sign multi-domain certificates