Generating a multi-domain CSR and certificate with OpenSSL
程序员文章站
2022-07-12 21:55:34
1. Create a multi-domain configuration file
Create the configuration file example.com.conf anywhere you like:
# example.com.conf
[ req ]
default_bits = 2048
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
# Produce a v3 request carrying extensions (needed for subjectAltName)
req_extensions = v3_req
# Distinguished Name fields. In this prompt mode the value of each field is the
# prompt text shown to the user, and the *_default value is what Enter accepts.
[ req_distinguished_name ]
# Minimum of 4 bytes are needed for common name
commonName = www.example.com
commonName_default = *.example.com
commonName_max = 64
# Set the two-letter country code
# ISO2 country code only
countryName = China
countryName_default = CN
# Set the state or province name
# State is optional, no minimum limit
stateOrProvinceName = Province
stateOrProvinceName_default = Beijing
# Set the city name
# City is required
localityName = City
localityName_default = Beijing
# Set the company or organization name
# Organization is optional
organizationName = Organization
organizationName_default = My Company
# Set the department name
# Organization Unit is optional
organizationalUnitName = Department
organizationalUnitName_default = My Department
# Set the contact email address
# Email is optional
emailAddress = Email
emailAddress_default = [email protected]
# Extension settings
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
# Domain names to include in the Subject Alternative Name extension
[alt_names]
DNS.1 = www.example.com
DNS.2 = *.example.com
2. Generate the CSR file
Create the private key:
openssl genrsa -out example.com.key 2048
Generate the CSR file:
openssl req -new -nodes -out example.com.csr -key example.com.key -config example.com.conf
Output (the key-generation lines and privkey.pem appear only when -key is omitted; with -key example.com.key no new key is written and the CSR is bound to that key):
Generating a RSA private key
...................+++++
.......................+++++
writing new private key to 'privkey.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
# Set the default domain name
www.example.com [*.example.com]:www.example.com
# The other fields take their values from the config file; press Enter to accept the defaults
China [CN]:
Province [Beijing]:
City [Beijing]:
Organization [My Company]:
Department [My Department]:
Email [[email protected]]:
Two files are then generated in the current directory: example.com.csr and privkey.pem.
Check the generated CSR file:
openssl req -text -noout -in example.com.csr
The CSR details are shown:
Certificate Request:
Data:
Version: 1 (0x0)
Subject: CN = www.example.com, C = CN, ST = Beijing, L = Beijing, O = My Company, OU = My Department, emailAddress = [email protected]
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
Exponent: 65537 (0x10001)
Attributes:
Requested Extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 Key Usage:
Digital Signature, Non Repudiation, Key Encipherment
X509v3 Subject Alternative Name:
DNS:www.example.com, DNS:*.example.com
Signature Algorithm: sha256WithRSAEncryption
If you only need a single-domain CSR, the configuration file is not required.
3. Generate a self-signed certificate
Create the certificate:
# -days sets how long the certificate stays valid
openssl x509 -req -days 3650 -in example.com.csr -signkey example.com.key -out example.com.cert -extensions v3_req -extfile example.com.conf
This produces a single certificate file that is valid for both www.example.com and *.example.com.
View the certificate details:
openssl x509 -text -noout -in example.com.cert
You can see that it does not expire until 2030:
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
6f:b3:78:c9:09:f2:4f:f5:20:df:a5:60:be:71:13:f5:e8:9c:c6:3f
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN = www.example.com, C = CN, ST = Beijing, L = Beijing, O = My Company, OU = My Department, emailAddress = [email protected]
Validity
Not Before: Apr 21 12:50:47 2020 GMT
Not After : Apr 19 12:50:47 2030 GMT
Subject: CN = www.example.com, C = CN, ST = Beijing, L = Beijing, O = My Company, OU = My Department, emailAddress = [email protected]
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 Key Usage:
Digital Signature, Non Repudiation, Key Encipherment
X509v3 Subject Alternative Name:
DNS:www.example.com, DNS:*.example.com
Signature Algorithm: sha256WithRSAEncryption
4. Check that the private key, CSR and certificate match
Run each of the following commands:
openssl x509 -noout -modulus -in example.com.cert
openssl rsa -noout -modulus -in example.com.key
openssl req -noout -modulus -in example.com.csr
The output (the Modulus= line) is identical for all three commands, which confirms that the key, the CSR and the certificate belong together.
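As an added example (not code from the original post), the shell function below runs steps 1 to 4 unattended in a temporary directory and goes one step further than the article: besides the modulus comparison it confirms the SAN entries survived into the certificate and checks hostname matching the way a TLS client does it. It assumes the openssl CLI (1.1.1 or newer) is on PATH; the file names san.conf, san.key, san.csr and san.crt are constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the original post: reproduce the article's multi-domain
# key -> CSR -> self-signed certificate flow in a temporary directory and run the
# consistency checks worth doing before deploying the files. Assumes the openssl CLI
# (1.1.1 or newer) is on PATH; every file name below is constructed for this example.

make_and_check_san_cert() {
  d=$(mktemp -d) || return 1
  # Non-interactive variant of example.com.conf: "prompt = no" makes openssl take the
  # DN values literally instead of treating them as prompt strings with *_default values.
  cat > "$d/san.conf" <<'EOF'
[ req ]
default_bits = 2048
prompt = no
distinguished_name = dn
req_extensions = v3_req
[ dn ]
CN = www.example.com
C = CN
O = My Company
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = www.example.com
DNS.2 = *.example.com
EOF
  openssl genrsa -out "$d/san.key" 2048 2>/dev/null || return 1
  openssl req -new -key "$d/san.key" -out "$d/san.csr" -config "$d/san.conf" || return 1
  # -extfile/-extensions are essential: "x509 -req" drops the CSR's extensions unless told
  # where to read them, and the result would be a CN-only certificate browsers reject.
  openssl x509 -req -days 365 -in "$d/san.csr" -signkey "$d/san.key" -out "$d/san.crt" \
    -extensions v3_req -extfile "$d/san.conf" 2>/dev/null || return 1

  # Check 1 (article step 4): key, CSR and certificate carry the same RSA modulus.
  k=$(openssl rsa  -noout -modulus -in "$d/san.key")
  r=$(openssl req  -noout -modulus -in "$d/san.csr")
  c=$(openssl x509 -noout -modulus -in "$d/san.crt")
  [ "$k" = "$r" ] && [ "$r" = "$c" ] || return 1

  # Check 2: both SAN entries survived into the certificate.
  openssl x509 -noout -text -in "$d/san.crt" | grep -q 'DNS:www.example.com, DNS:\*.example.com' || return 1

  # Check 3: hostname matching as a TLS client does it (SAN only, wildcard one label deep).
  openssl x509 -noout -in "$d/san.crt" -checkhost api.example.com | grep -q 'does match' || return 1
  openssl x509 -noout -in "$d/san.crt" -checkhost sub.api.example.com | grep -q 'does NOT match' || return 1
  rm -rf "$d"
}
```

The function returns 0 only when all three checks pass, so it can be dropped into a deployment script as a gate before the files are installed.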
5. Generating a single-domain certificate only
Generating a single-domain certificate is simpler and needs no configuration file.
Generate the CSR and private key:
openssl req -new -nodes -out example.com.single.csr
# Enter the requested information at the prompts...
This generates the CSR file example.com.single.csr and the private key privkey.pem.
Generate the certificate file:
openssl x509 -req -days 3650 -in example.com.single.csr -signkey privkey.pem -out example.com.single.cert