
Generating a multi-domain (SAN) CSR and certificate with OpenSSL

2020-05-10 | Views: 50 | 鄠邑林业

1. Create a multi-domain configuration file

Create the configuration file example.com.conf in any directory. In the [ req_distinguished_name ] section, the value of each field name is the prompt text that openssl req displays, and the matching _default entry is the value used when you just press Enter.

# example.com.conf
[ req ]
default_bits = 2048
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
# Generate a v3 certificate with extensions
req_extensions = v3_req

# Default domain name
[ req_distinguished_name ]
# Minimum of 4 bytes are needed for common name
commonName         = www.example.com
commonName_default = *.example.com
commonName_max     = 64

# Two-letter country code
# ISO2 country code only
countryName         = China
countryName_default = CN

# State or province name
# State is optional, no minimum limit
stateOrProvinceName         = Province
stateOrProvinceName_default = Beijing

# City name
# City is required
localityName         = City
localityName_default = Beijing

# Company or organization name
# Organization is optional
organizationName         = Organization
organizationName_default = My Company

# Department name
# Organization Unit is optional
organizationalUnitName         = Department
organizationalUnitName_default = My Department

# Contact e-mail address
# Email is optional
emailAddress         = Email
emailAddress_default = email@example.com

# Extension settings
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names

# Domain names to include
[alt_names]
DNS.1 = www.example.com
DNS.2 = *.example.com

2. Generate the CSR file

Create the private key

openssl genrsa -out example.com.key 2048

Generate the CSR file

openssl req -new -nodes -out example.com.csr -key example.com.key -config example.com.conf

Output:

Generating a RSA private key
...................+++++
.......................+++++
writing new private key to 'privkey.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
# Set the default domain name
www.example.com [*.example.com]:www.example.com
# The other fields use the values from the configuration file and can be left empty
China [CN]:
Province [Beijing]:
City [Beijing]:
Organization [My Company]:
Department [My Department]:
Email [email@example.com]:

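Two files are then created in the current directory: example.com.csr and privkey.pem. Note that privkey.pem (the default_keyfile from the configuration) is only written when openssl req generates the key itself, as in the output above; when -key example.com.key is passed, the existing key is used and no new key file is created.

Inspect the generated CSR file

openssl req -text -noout -in example.com.csr

The contents of the CSR are displayed: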

Certificate Request:
    Data:
        Version: 1 (0x0)
        Subject: CN = www.example.com, C = CN, ST = Beijing, L = Beijing, O = My Company, OU = My Department, emailAddress = email@example.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                Exponent: 65537 (0x10001)
        Attributes:
        Requested Extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage:
                Digital Signature, Non Repudiation, Key Encipherment
            X509v3 Subject Alternative Name:
                DNS:www.example.com, DNS:*.example.com
    Signature Algorithm: sha256WithRSAEncryption

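3. Generate a self-signed certificate

Create the certificate

# -days sets the certificate validity period in days
openssl x509 -req -days 3650 -in example.com.csr -signkey example.com.key -out example.com.cert -extensions v3_req -extfile example.com.conf

The -extensions v3_req -extfile example.com.conf options are needed because openssl x509 -req does not copy the extensions requested in the CSR; without them the certificate would carry no subjectAltName.

This produces a certificate file that is valid for both www.example.com and *.example.com.

View the certificate details

openssl x509 -text -noout -in example.com.cert

The certificate does not expire until 2030: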

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            6f:b3:78:c9:09:f2:4f:f5:20:df:a5:60:be:71:13:f5:e8:9c:c6:3f
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = www.example.com, C = CN, ST = Beijing, L = Beijing, O = My Company, OU = My Department, emailAddress = email@example.com
        Validity
            Not Before: Apr 21 12:50:47 2020 GMT
            Not After : Apr 19 12:50:47 2030 GMT
        Subject: CN = www.example.com, C = CN, ST = Beijing, L = Beijing, O = My Company, OU = My Department, emailAddress = email@example.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage:
                Digital Signature, Non Repudiation, Key Encipherment
            X509v3 Subject Alternative Name:
                DNS:www.example.com, DNS:*.example.com
    Signature Algorithm: sha256WithRSAEncryption

 

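4. Check that the private key, CSR and certificate match

Run each of the following commands:

openssl x509 -noout -modulus -in example.com.cert
openssl rsa -noout -modulus -in example.com.key
openssl req -noout -modulus -in example.com.csr

All three print exactly the same value: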

Modulus=C045BE09C9114F735FAC09CBF5087DD3BEDBE213FD37FDE3243C91DC9125DDFFC68EFEC5532C781493B00EBDDA8A81E7F0D28CB626C937BA184E6A5B0BB6C3C07D05883470BF28D80414F94E1A561E2578239EEB6759872C12C6D20236722BBDB8AAC0F21202EB93F71A28521120B8903E79F782491B633C4C4E83BA1A0AC38CABDC4FF47D819E247D4E3CB672DDAB5959EBC71A613C0AF103575543FE85DB45558CAD650C320B393E13E0ADF7E64379BA1642F0F75A1D94CDCD34C80CC95C5902C1093A74A8BECF55D4BDAABB26F89E136012E5B94002CABA953723A63B960A314DB5D7104A23CE46D7F475177088B87219AEE72B318C7D6B9B28420729EE67
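The checks from steps 3 and 4 as a script, added here as an example and not part of the original article: it compares a SHA-256 of the public key rather than the raw RSA modulus (so it also works for non-RSA keys) and confirms that the SAN actually reached the certificate. The function names, file names and the make_fixture test data are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original article; all names are illustrative.

# Print the SHA-256 of the public key inside a key, CSR or certificate.
pub_fp() {  # $1 = key|csr|cert, $2 = file
    case "$1" in
        key)  pem=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1 ;;
        csr)  pem=$(openssl req -in "$2" -noout -pubkey 2>/dev/null) || return 1 ;;
        cert) pem=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1 ;;
        *)    return 2 ;;
    esac
    # An unreadable file must fail here, not hash as empty input and "match".
    [ -n "$pem" ] || return 1
    printf '%s\n' "$pem" | openssl dgst -sha256 -r | cut -d' ' -f1
}

# Succeed only if key, CSR and certificate all carry the same public key.
triple_matches() {  # $1 = key, $2 = csr, $3 = cert
    k=$(pub_fp key "$1") && r=$(pub_fp csr "$2") && c=$(pub_fp cert "$3") || return 1
    [ "$k" = "$r" ] && [ "$r" = "$c" ]
}

# Succeed only if the certificate lists DNS name $2 in subjectAltName.
cert_has_san() {  # $1 = cert, $2 = DNS name
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        grep -A1 'Subject Alternative Name' | tr -d ' ' | tr ',' '\n' |
        grep -qxF "DNS:$2"
}

# Build constructed sample data in directory $1; nosan.cert is signed
# without -extensions/-extfile, so the SAN requested in the CSR is dropped.
make_fixture() {
    cat > "$1/san.conf" <<'EOF'
[ req ]
prompt = no
distinguished_name = dn
req_extensions = v3_req
[ dn ]
CN = www.example.com
[ v3_req ]
subjectAltName = DNS:www.example.com, DNS:*.example.com
EOF
    openssl genrsa -out "$1/a.key" 2048 2>/dev/null &&
    openssl genrsa -out "$1/b.key" 2048 2>/dev/null &&
    openssl req -new -key "$1/a.key" -config "$1/san.conf" -out "$1/a.csr" &&
    openssl x509 -req -days 1 -in "$1/a.csr" -signkey "$1/a.key" \
        -extensions v3_req -extfile "$1/san.conf" -out "$1/a.cert" 2>/dev/null &&
    openssl x509 -req -days 1 -in "$1/a.csr" -signkey "$1/a.key" \
        -out "$1/nosan.cert" 2>/dev/null
}
```

Against the article's files the calls would be triple_matches example.com.key example.com.csr example.com.cert and cert_has_san example.com.cert '*.example.com'; both signal the result through their exit status.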



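5. Generating a single-domain certificate only

A single-domain certificate is simpler and does not need a configuration file.

Generate the CSR and private key

openssl req -new -nodes -out example.com.single.csr  # enter the requested information at the prompts

This creates the CSR file example.com.single.csr and the private key privkey.pem.

Generate the certificate file

openssl x509 -req -days 3650 -in example.com.single.csr -signkey privkey.pem -out example.com.single.cert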








