Use OpenSSL to sign multi-domain certificates

OpenSSL self-built ca signs a Single Domain Name Certificate by default, because a single server has multiple HTTPS domain names, it is much easier to sign a multi-domain certificate, today I have been looking for a long time, except for some websites that sell certificates that have SCR tools that can add "User backup names", no OpenSSL-related method was found.

Next, let's look at OpenSSL. CNF and find a method. Here we record it:

!! This method is too cumbersome. If you have other methods, please leave me a message. Thank you very much.

Major changesIn OpenSSL. CNF

Convert the original

CommonName = common name (eg, your name or your server \'s hostname)

Commonname_max = 64

Change

0. CommonName = common name (eg, your name or your server \'s hostname)
0. commonname_max = 64

Add "0." To the front. If you want to add other domain names, you only need to add the same record, and the previous sequence number increases sequentially:

0. CommonName = common name (eg, your name or your server \'s hostname)
0. commonname_max = 64
1. CommonName = Other common name

1. commonname_max = 64

......

Other steps:

Some files and directories are required to exist in OpenSSL. CNF:

[[Email protected] # mkdir-p ca/{certs, CRL, newcerts, private}

[[Email protected] # Touch Ca/index.txt

[[Email protected] # echo 00> Ca/serial

1. Generate ca. Key and self-signed

OpenSSL req-New-X509-days 3650-keyout ca. Key-out ca. CRT-config OpenSSL. CNF

2. Generate server. Key (name is not important)

OpenSSL genrsa-out server. Key 2048

3. Generate a Certificate Signature request
OpenSSL req-New-key server. Key-out server. CSR-config OpenSSL. CNF

The common name is entered in this step. If there are not so many common names each time, press Enter.

4. Use self-Signed CA to sign server. scr

OpenSSL ca-in server. CSR-out server. CRT-Cert CA. CRT-Keyfile ca. Key-config OpenSSL. CNF
# Enter the password set in step 1 and Press Y.

Server. CRT server. Key is the file used in the web server.

Nginx two-way authentication

If you want to verify the nginx client certificate, Repeat 2, 3, and 4, and execute the following command to generate a personal certificate

OpenSSL PKCS12-export-inkey server. Key-in server. CRT-out server. p12

Import the personal certificate to the PC and add the settings based on nginx SSL:

Ssl_verify_client on;
Ssl_client_certificate ca. CRT;

This article from the "discretion" blog, please be sure to keep this source http://colinzhouyj.blog.51cto.com/2265679/1564916

Use OpenSSL to sign multi-domain certificates