Use OpenSSL to sign multi-domain certificates

Source: Internet
Author: User
Tags: nginx, ssl

A self-built OpenSSL CA signs a single-domain certificate by default. Because one server usually serves several HTTPS domain names, signing one multi-domain certificate is far more convenient. I searched for a long time today, and apart from a few certificate vendors whose CSR tools let you add "Subject Alternative Names", I found no OpenSSL-related method.

So I went through openssl.cnf and found a way. It is recorded here:

!! This method is quite cumbersome. If you know a better one, please leave me a message. Thank you very much.

Main change in openssl.cnf

In the [ req_distinguished_name ] section, change the original

commonName = Common Name (eg, your name or your server's hostname)
commonName_max = 64

to

0.commonName = Common Name (eg, your name or your server's hostname)
0.commonName_max = 64

That is, add "0." in front of each key. To add further domain names, add the same pair of lines again, incrementing the leading sequence number each time:

0.commonName = Common Name (eg, your name or your server's hostname)
0.commonName_max = 64
1.commonName = Other common name
1.commonName_max = 64
......


Other steps:

openssl.cnf refers to some files and directories that must exist beforehand:

# mkdir -p ca/{certs,crl,newcerts,private}
# touch ca/index.txt
# echo 00 > ca/serial


1. Generate ca.key and the self-signed CA certificate

openssl req -new -x509 -days 3650 -keyout ca.key -out ca.crt -config openssl.cnf

2. Generate server.key (the file name does not matter)

openssl genrsa -out server.key 2048

3. Generate a certificate signing request

openssl req -new -key server.key -out server.csr -config openssl.cnf

The common names are entered at this step. If you do not need all of the configured names, just press Enter to leave the extra ones blank.

4. Use the self-signed CA to sign server.csr

openssl ca -in server.csr -out server.crt -cert ca.crt -keyfile ca.key -config openssl.cnf
# Enter the passphrase set in step 1 and press y.

server.crt and server.key are the files used by the web server.
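The numbered-commonName trick above is interactive and puts every name into the subject DN. As an added example (not from the original post), here are the same four steps run without prompts, with the extra domain names carried instead in a subjectAltName extension, which is the field TLS clients check when matching a hostname; the certificate is still issued through the same openssl ca workflow. The directory, the CA subject "Demo Test CA" and the example.test names are all constructed for the demo; the script needs only the openssl command.

```shell
#!/bin/sh
# Added example (not the original post's code): steps 1 to 4 run non-interactively,
# with the additional domain names placed in a subjectAltName extension.
# Directory, CA name and domain names are made up for the demo.
set -e

# make_multi_domain_cert DIR NAME [NAME...]
# Builds a throw-away CA in DIR and signs DIR/server.crt for every NAME given.
make_multi_domain_cert() {
  dir=$1; shift
  first=$1                                   # first name also becomes the CN
  san=$(printf 'DNS:%s,' "$@"); san=${san%,} # "DNS:a,DNS:b,..."

  # The files openssl.cnf expects to exist before "openssl ca" will run.
  mkdir -p "$dir/ca/newcerts"
  : > "$dir/ca/index.txt"
  echo 01 > "$dir/ca/serial"

  # Minimal openssl.cnf; copy_extensions carries the SAN from the CSR into the cert.
  cat > "$dir/openssl.cnf" <<EOF
[ ca ]
default_ca = demo_ca

[ demo_ca ]
database        = $dir/ca/index.txt
new_certs_dir   = $dir/ca/newcerts
serial          = $dir/ca/serial
certificate     = $dir/ca.crt
private_key     = $dir/ca.key
default_md      = sha256
default_days    = 365
policy          = policy_cn_only
copy_extensions = copy
x509_extensions = server_ext
unique_subject  = no

[ policy_cn_only ]
commonName = supplied

[ req ]
distinguished_name = req_dn

[ req_dn ]
commonName     = Common Name (eg, your name or your server's hostname)
commonName_max = 64

[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign

[ server_ext ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF

  # Step 1: CA key plus self-signed CA certificate (unencrypted key, demo only).
  openssl req -new -x509 -days 3650 -nodes -newkey rsa:2048 \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" -subj "/CN=Demo Test CA" \
    -config "$dir/openssl.cnf" -extensions ca_ext 2>/dev/null
  # Step 2: server key.
  openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
  # Step 3: CSR; -subj replaces the prompts, -addext adds all the names as SANs.
  openssl req -new -key "$dir/server.key" -out "$dir/server.csr" \
    -subj "/CN=$first" -addext "subjectAltName=$san" -config "$dir/openssl.cnf"
  # Step 4: sign the CSR with the CA (-batch answers the "y" prompts).
  openssl ca -batch -notext -config "$dir/openssl.cnf" \
    -in "$dir/server.csr" -out "$dir/server.crt" 2>/dev/null
}

# cert_names CERT: print each DNS name from the certificate's SAN, one per line.
cert_names() {
  openssl x509 -in "$1" -noout -text |
    sed -n '/X509v3 Subject Alternative Name/{n;p;}' |
    tr ',' '\n' | sed 's/^ *DNS://'
}

# Demo run: one certificate that is valid for all three hostnames.
work=$(mktemp -d)
make_multi_domain_cert "$work" example.test www.example.test api.example.test
openssl verify -CAfile "$work/ca.crt" "$work/server.crt"
cert_names "$work/server.crt"
```

The -subj and -batch options are what make the run non-interactive; with the page's manual procedure you would type the same values at the prompts. The server key is written unencrypted only so the demo needs no passphrase.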


Nginx two-way authentication

If you want nginx to verify client certificates, repeat steps 2, 3 and 4 for the client, then run the following command to produce a personal certificate (PKCS#12 file):

openssl pkcs12 -export -inkey server.key -in server.crt -out server.p12

Import the personal certificate on the PC and add the following to the nginx SSL settings:

ssl_verify_client on;
ssl_client_certificate ca.crt;



This article is from the "discretion" blog; please keep this source: http://colinzhouyj.blog.51cto.com/2265679/1564916
