WEB Server CA Certificate signing steps and self-signed tests, supporting multi-domain names

Web Server supports HTTPS access requiring two files, private keys, and certificates. The private key and certificate are placed on the server, the private key is used to encrypt the data, and the certificate is passed to the client. Your own signed certificate is passed to the browser, because the certificate is not trusted, so the connection is not secure, general point advanced, continue to browse, or you can access the Web page. If our certificate has been signed by the root certificate vendor, it will not pop up unsafe prompts, the browser address bar generally also has a small green lock logo. Here's how to build a certificate step-by-step.

1. Use OpenSSL to generate the private key file Server.key, the following steps are used on Ubuntu on the use of OpenSSL, you need to pay attention to Ubuntu system time, do not make out the certificate is out of date.

OpenSSL genrsa-out Server.key 2048

2.1 Modify OPENSSL.CNF, because I was in this part of the time, the certificate needs to support multiple domain names and IPs, so this step is required, make a single domain certificate can not modify the configuration file.

2.2 Copy openssl.cnf to current directory

Cp/etc/ssl/openssl.cnf./

2.3 Modify the copied configuration file as follows:

1> Uncomment line under [req] Block req_extensions = V3_req

2> Make sure there are no 0.xxx tags under [req_distinguished_name], and some say 0.xxx of 0. Remove

3> add a line under [v3_req] block subjectaltname = @alt_names

4> Add the following information at the end of the file:

[Alt_names]

Dns.1 = www.liqingjht.com

Dns.2 = liqingjht.com

IP.1 = 192.168.1.105

IP.2 = 192.168.1.107

4>tip> Note that there is no www is not the same domain name, I do the certificate request CSR file, there is the need for IP, but in the hand to the vendor signature, the manufacturers suggest not to join the IP, said the current standard gradually does not support this practice, so I did not add IP, if the manufacturer support , it should be possible to do so, because I have signed a test.

3.1 Using the private key and configuration file to generate a certificate request for the CSR file SERVER.CSR, there are no parameters to modify the configuration file without the write configuration file

OpenSSL req-new-key server.key-out server.csr-config./openssl.cnf

3.2 Generate the CSR file need to fill in some information, Common name to fill in the main domain name, the domain name in dns.xx

Country name (2 letter code) [Au]:cnstate or province name (full name) [some-state]:fujianlocality name (eg, city) []:xiam Enorganization name (eg, company) [Internet widgits Pty ltd]:cnblogsorganizational Unit Name (eg, section) []:cnblogscommo n Name (e.g. server FQDN or YOUR Name) []:www.liqingjht.comemail Address []:[email protected]

3>tip> SERVER.CSR This file is to be signed to the CA manufacturer, Server.key This private key file to save itself. The manufacturer will use the CSR file in front of their root certificate to generate your server available certificate to you, before which we can test it ourselves as a CA vendor.

4.1 To generate the root certificate used for the previous CSR file, first create the CA directory

mkdir./democamkdir Democa/newcertstouch democa/index.txtecho > Democa/serial

4.2 Generate Ca.key, and self-signed generate CA.CRT certificate, need to fill in the password two times, such as 1234, fill in the common name to be the same as the above generated CSR file. As with the other steps, it is recommended that you fill in the CSR file as well. The time here can be seen signed for two years.

OpenSSL req-new-x509-days 3650-keyout ca.key-out ca.crt-config./openssl.cnf

5. Sign the server CSR certificate request with the self-signed CA certificate, enter the password, and press Y all the time:

OpenSSL ca-in server.csr-out server.crt-cert ca.crt-keyfile ca.key-extensions v3_req-config openssl.cnf

6. At this time the current directory has these files: Ca.key ca.crt server.key server.crt SERVER.CSR, where Server.key server.crt is to be placed on the server, Ca.key equivalent to the computer's built-in root certificate. Download the CA.CRT to the PC, in the browser management certificate, cut to the root certificate that column, the CA.CRT import, this time you use HTTPS to access openssl.cnf filled in dns.xx or IP. XX will not jump out of unsafe hints. The CSR file is signed to the vendor because the manufacturer's CA certificate is built into the browser, so there will be no unsafe prompts even if it is not manually imported.

7.< to be continued, supplemented with DNSMASQ and Apache test certificates are available ...>

WEB Server CA Certificate signing steps and self-signed tests, supporting multi-domain names