
Generating a multi-domain CSR and certificate with OpenSSL

程序员文章站 (Programmer Article Station), 2022-07-12 21:55:34

1. Create a multi-domain configuration file

Create the configuration file example.com.conf in any convenient directory:

# example.com.conf
[ req ]
default_bits = 2048
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
# Request v3 extensions so the CSR carries the extension attributes defined below
req_extensions = v3_req


# Default domain name
# For each field, the plain key is the prompt text that openssl req displays,
# and the _default value is used when Enter is pressed at that prompt
[ req_distinguished_name ]
# Minimum of 4 bytes are needed for common name
commonName         = www.example.com
commonName_default = *.example.com
commonName_max     = 64

# Two-letter country code
# ISO2 country code only
countryName         = China
countryName_default = CN

# State or province name
# State is optional, no minimum limit
stateOrProvinceName         = Province
stateOrProvinceName_default = Beijing

# City name
# City is required
localityName         = City
localityName_default = Beijing

# Company or organization name
# Organization is optional
organizationName         = Organization
organizationName_default = My Company

# Department name
# Organization Unit is optional
organizationalUnitName         = Department
organizationalUnitName_default = My Department

# Contact e-mail address
# Email is optional
emailAddress         = Email
emailAddress_default = [email protected]

# Extension settings
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names

# Domain names to include in the certificate
[alt_names]
DNS.1 = www.example.com
DNS.2 = *.example.com

2. Generate the CSR

Create the private key:

openssl genrsa -out example.com.key 2048

Generate the CSR:

openssl req -new -nodes -out example.com.csr -key example.com.key -config example.com.conf

Output:

Generating a RSA private key
...................+++++
.......................+++++
writing new private key to 'privkey.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
# Enter the domain name (the default is shown in brackets)
www.example.com [*.example.com]:www.example.com
# The remaining fields take their values from the config file; just press Enter
China [CN]:
Province [Beijing]:
City [Beijing]:
Organization [My Company]:
Department [My Department]:
Email [[email protected]]:

Two files, example.com.csr and privkey.pem, are then created in the current directory. (privkey.pem, the name given by default_keyfile, is only written when openssl req generates the key itself, i.e. when -key is omitted; with -key example.com.key as above the CSR is created from the existing key and no new key file appears.)

Inspect the generated CSR:

openssl req -text -noout -in example.com.csr

The CSR contents are displayed:

Certificate Request:
    Data:
        Version: 1 (0x0)
        Subject: CN = www.example.com, C = CN, ST = Beijing, L = Beijing, O = My Company, OU = My Department, emailAddress = [email protected]
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:c0:45:be:09:c9:11:4f:73:5f:ac:09:cb:f5:08:
                    7d:d3:be:db:e2:13:fd:37:fd:e3:24:3c:91:dc:91:
                    25:dd:ff:c6:8e:fe:c5:53:2c:78:14:93:b0:0e:bd:
                    da:8a:81:e7:f0:d2:8c:b6:26:c9:37:ba:18:4e:6a:
                    5b:0b:b6:c3:c0:7d:05:88:34:70:bf:28:d8:04:14:
                    f9:4e:1a:56:1e:25:78:23:9e:eb:67:59:87:2c:12:
                    c6:d2:02:36:72:2b:bd:b8:aa:c0:f2:12:02:eb:93:
                    f7:1a:28:52:11:20:b8:90:3e:79:f7:82:49:1b:63:
                    3c:4c:4e:83:ba:1a:0a:c3:8c:ab:dc:4f:f4:7d:81:
                    9e:24:7d:4e:3c:b6:72:dd:ab:59:59:eb:c7:1a:61:
                    3c:0a:f1:03:57:55:43:fe:85:db:45:55:8c:ad:65:
                    0c:32:0b:39:3e:13:e0:ad:f7:e6:43:79:ba:16:42:
                    f0:f7:5a:1d:94:cd:cd:34:c8:0c:c9:5c:59:02:c1:
                    09:3a:74:a8:be:cf:55:d4:bd:aa:bb:26:f8:9e:13:
                    60:12:e5:b9:40:02:ca:ba:95:37:23:a6:3b:96:0a:
                    31:4d:b5:d7:10:4a:23:ce:46:d7:f4:75:17:70:88:
                    b8:72:19:ae:e7:2b:31:8c:7d:6b:9b:28:42:07:29:
                    ee:67
                Exponent: 65537 (0x10001)
        Attributes:
        Requested Extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage:
                Digital Signature, Non Repudiation, Key Encipherment
            X509v3 Subject Alternative Name:
                DNS:www.example.com, DNS:*.example.com
    Signature Algorithm: sha256WithRSAEncryption
         79:fb:5c:41:7e:c8:e7:ad:a4:76:cd:08:a9:47:fc:15:66:96:
         35:24:0e:22:50:16:20:63:a5:05:3f:e3:2f:bd:e8:05:f8:d8:
         1d:57:ef:70:dc:ee:d0:97:05:2a:0c:78:27:53:3c:13:b5:52:
         67:5f:4d:e6:cc:c3:6b:33:13:df:a2:b4:c3:f8:1d:20:f7:91:
         54:ab:51:bc:1a:3d:80:99:f7:21:5b:a3:81:8c:a5:f8:f4:20:
         ad:f2:37:50:5e:d8:11:49:df:66:95:97:42:db:16:83:96:27:
         e6:aa:80:f5:9a:4d:88:c3:1e:ce:76:74:6c:9e:c2:85:5a:a5:
         6d:04:f2:55:2a:a4:08:a4:25:0d:ae:ea:ec:a9:ee:8d:f2:5d:
         9e:12:bb:a5:cc:40:a1:90:bb:ae:fc:58:58:d9:82:97:d1:13:
         02:b4:2a:42:85:64:fc:da:09:1b:f7:ed:45:68:12:24:37:72:
         8d:b8:a7:c3:79:db:e0:3c:cd:62:cb:53:62:53:93:ca:c8:a8:
         a5:91:cb:b9:6f:a0:99:79:43:7c:7b:80:0c:b8:3e:97:c4:59:
         d3:ba:e0:1f:8b:b1:fe:5e:9d:28:5c:d5:52:fb:01:8f:fd:7e:
         94:10:38:43:40:bf:3e:9f:64:e4:47:f0:ba:c9:d9:65:02:dd:
         14:87:1b:7d

For a single-domain CSR no configuration file is needed.

3. Generate a self-signed certificate

Create the certificate:

# -days sets the certificate validity period
openssl x509 -req -days 3650 -in example.com.csr -signkey example.com.key -out example.com.cert -extensions v3_req -extfile example.com.conf

This produces a certificate file that is valid for both www.example.com and *.example.com.

View the certificate details:

openssl x509 -text -noout -in example.com.cert

The certificate does not expire until 2030:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            6f:b3:78:c9:09:f2:4f:f5:20:df:a5:60:be:71:13:f5:e8:9c:c6:3f
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = www.example.com, C = CN, ST = Beijing, L = Beijing, O = My Company, OU = My Department, emailAddress = [email protected]
        Validity
            Not Before: Apr 21 12:50:47 2020 GMT
            Not After : Apr 19 12:50:47 2030 GMT
        Subject: CN = www.example.com, C = CN, ST = Beijing, L = Beijing, O = My Company, OU = My Department, emailAddress = [email protected]
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:c0:45:be:09:c9:11:4f:73:5f:ac:09:cb:f5:08:
                    7d:d3:be:db:e2:13:fd:37:fd:e3:24:3c:91:dc:91:
                    25:dd:ff:c6:8e:fe:c5:53:2c:78:14:93:b0:0e:bd:
                    da:8a:81:e7:f0:d2:8c:b6:26:c9:37:ba:18:4e:6a:
                    5b:0b:b6:c3:c0:7d:05:88:34:70:bf:28:d8:04:14:
                    f9:4e:1a:56:1e:25:78:23:9e:eb:67:59:87:2c:12:
                    c6:d2:02:36:72:2b:bd:b8:aa:c0:f2:12:02:eb:93:
                    f7:1a:28:52:11:20:b8:90:3e:79:f7:82:49:1b:63:
                    3c:4c:4e:83:ba:1a:0a:c3:8c:ab:dc:4f:f4:7d:81:
                    9e:24:7d:4e:3c:b6:72:dd:ab:59:59:eb:c7:1a:61:
                    3c:0a:f1:03:57:55:43:fe:85:db:45:55:8c:ad:65:
                    0c:32:0b:39:3e:13:e0:ad:f7:e6:43:79:ba:16:42:
                    f0:f7:5a:1d:94:cd:cd:34:c8:0c:c9:5c:59:02:c1:
                    09:3a:74:a8:be:cf:55:d4:bd:aa:bb:26:f8:9e:13:
                    60:12:e5:b9:40:02:ca:ba:95:37:23:a6:3b:96:0a:
                    31:4d:b5:d7:10:4a:23:ce:46:d7:f4:75:17:70:88:
                    b8:72:19:ae:e7:2b:31:8c:7d:6b:9b:28:42:07:29:
                    ee:67
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage:
                Digital Signature, Non Repudiation, Key Encipherment
            X509v3 Subject Alternative Name:
                DNS:www.example.com, DNS:*.example.com
    Signature Algorithm: sha256WithRSAEncryption
         56:d8:e0:bf:c8:c4:92:f3:51:6a:9d:b6:d8:0a:b5:b3:73:46:
         0e:25:00:49:cd:52:9c:14:c0:4c:41:ce:c0:a8:a7:35:11:76:
         f3:03:24:ab:e7:b4:f0:ec:5f:a5:52:c9:e8:58:61:7b:65:50:
         09:21:9f:87:d1:b6:d1:8c:a9:2a:eb:7e:46:f8:ca:9b:cf:52:
         db:87:0f:26:d1:45:4e:1b:38:ff:77:4a:d0:44:9c:5f:ff:c8:
         43:d4:fb:4e:56:b6:5c:e6:0d:07:65:5e:32:df:b8:14:ae:ab:
         92:40:5d:41:9f:49:25:82:b9:41:9d:02:c7:9b:0a:6c:1e:a8:
         7a:52:ec:68:52:b4:4f:36:0a:a2:ea:14:9b:95:7e:14:64:d1:
         79:e0:e4:b5:20:47:df:35:91:71:fc:2e:cd:4e:fd:b9:b5:c0:
         78:72:ac:71:af:48:fe:92:17:f9:4c:de:5c:5f:59:d0:2f:58:
         dc:74:9a:b5:02:2e:67:f7:99:27:af:fa:6e:66:23:6e:63:92:
         4c:9a:c4:9f:85:bc:86:9b:28:af:d9:06:36:cf:4c:21:8c:e5:
         9e:ea:b2:f4:db:a7:9a:ef:9f:99:6d:71:64:83:79:21:24:ca:
         58:37:0d:7d:d7:1e:30:74:33:b4:5c:3a:90:a2:1e:6f:09:24:
         eb:b0:d6:4d

4. Verify that the private key, CSR and certificate match

Run each of the following:

openssl x509 -noout -modulus -in example.com.cert
openssl rsa -noout -modulus -in example.com.key
openssl req -noout -modulus -in example.com.csr

The output of all three commands is identical:

Modulus=C045BE09C9114F735FAC09CBF5087DD3BEDBE213FD37FDE3243C91DC9125DDFFC68EFEC5532C781493B00EBDDA8A81E7F0D28CB626C937BA184E6A5B0BB6C3C07D05883470BF28D80414F94E1A561E2578239EEB6759872C12C6D20236722BBDB8AAC0F21202EB93F71A28521120B8903E79F782491B633C4C4E83BA1A0AC38CABDC4FF47D819E247D4E3CB672DDAB5959EBC71A613C0AF103575543FE85DB45558CAD650C320B393E13E0ADF7E64379BA1642F0F75A1D94CDCD34C80CC95C5902C1093A74A8BECF55D4BDAABB26F89E136012E5B94002CABA953723A63B960A314DB5D7104A23CE46D7F475177088B87219AEE72B318C7D6B9B28420729EE67
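The whole workflow of sections 2 to 4, as an added example that is not part of the original article: it writes the same [req]/[v3_req]/[alt_names] layout with prompting disabled, builds key, CSR and self-signed certificate non-interactively, and cross-checks them on modulus hashes instead of eyeballing the long hex string. It goes beyond the article by also checking which host names the wildcard SAN actually covers. It assumes openssl is on PATH; the scratch directory, prompt = no and the function names are assumptions.

```shell
# Added example (not from the article): non-interactive key -> CSR -> self-signed
# cert with the article's v3_req/alt_names layout, plus the section-4 cross-check
# done on modulus hashes. Assumes openssl is on PATH; WORK dir is an assumption.
WORK="${WORK:-$(mktemp -d)}"
# prompt = no makes openssl req read the DN from the config instead of asking.
write_conf() {
  cat > "$WORK/example.com.conf" <<'EOF'
[ req ]
default_bits       = 2048
prompt             = no
distinguished_name = req_distinguished_name
req_extensions     = v3_req
[ req_distinguished_name ]
CN = www.example.com
C  = CN
ST = Beijing
L  = Beijing
O  = My Company
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage         = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName   = @alt_names
[ alt_names ]
DNS.1 = www.example.com
DNS.2 = *.example.com
EOF
}
# Key -> CSR -> certificate; -extensions/-extfile carry v3_req into the cert.
build_all() {
  write_conf
  openssl genrsa -out "$WORK/example.com.key" 2048 2>/dev/null
  openssl req -new -key "$WORK/example.com.key" -config "$WORK/example.com.conf" \
    -out "$WORK/example.com.csr" 2>/dev/null
  openssl x509 -req -days 3650 -in "$WORK/example.com.csr" \
    -signkey "$WORK/example.com.key" -extensions v3_req \
    -extfile "$WORK/example.com.conf" -out "$WORK/example.com.cert" 2>/dev/null
}
# Prints "match" when key, CSR and certificate share one RSA modulus.
modulus_check() {
  k=$(openssl rsa  -noout -modulus -in "$WORK/example.com.key"  | openssl sha256)
  r=$(openssl req  -noout -modulus -in "$WORK/example.com.csr"  | openssl sha256)
  c=$(openssl x509 -noout -modulus -in "$WORK/example.com.cert" | openssl sha256)
  [ "$k" = "$r" ] && [ "$k" = "$c" ] && echo match || echo mismatch
}
# Prints "ok" when the cert is valid for the given host name: the wildcard SAN
# covers foo.example.com but not the bare example.com.
hostname_check() {
  openssl verify -CAfile "$WORK/example.com.cert" -verify_hostname "$1" \
    "$WORK/example.com.cert" >/dev/null 2>&1 && echo ok || echo fail
}
```

Run build_all once, then modulus_check and hostname_check <name> as needed; the bare-domain case failing is expected, since *.example.com does not match example.com.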

5. Generating a single-domain certificate only

A single-domain certificate is simpler and needs no configuration file.

Generate the CSR and private key:

openssl req -new -nodes -out example.com.single.csr
# enter the requested information at the prompts...

This produces the CSR example.com.single.csr and the private key privkey.pem.

Generate the certificate file:

openssl x509 -req -days 3650 -in example.com.single.csr -signkey privkey.pem -out example.com.single.cert