【HTTPS】使用OpenSSL生成带有SubjectAltName的自签名证书

操作步骤

首先新建一个配置文件 ssl.conf如下:

[ req ]
default_bits       = 4096
distinguished_name = req_distinguished_name
req_extensions     = req_ext

[ req_distinguished_name ]
countryName                 = Country Name (2 letter code)
countryName_default         = GB
stateOrProvinceName         = State or Province Name (full name)
stateOrProvinceName_default = England
localityName                = Locality Name (eg, city)
localityName_default        = Brighton
organizationName            = Organization Name (eg, company)
organizationName_default    = Hallmarkdesign
organizationalUnitName            = Organizational Unit Name (eg, section)
organizationalUnitName_default    = IT
commonName                  = Common Name (e.g. server FQDN or YOUR name)
commonName_max              = 64
commonName_default          = localhost

[ req_ext ]
subjectAltName = @alt_names

[alt_names]
IP.1    = 192.168.1.8
DNS.1   = your-website.dev
DNS.2   = another-website.dev
  1. 生成私钥
openssl genrsa -out private.key 4096
  1. 生成证书请求文件(CSR)
    CSR是Certificate Signing Request的英文缩写,即证书请求文件,也就是证书申请者在申请数字证书时由CSP(加密服务提供者)在生成私钥的同时也生成证书请求文件,证书申请者只要把CSR文件提交给证书颁发机构后,证书颁发机构使用其根证书私钥签名就生成了证书公钥文件,也就是颁发给用户的证书。
openssl req -new -sha256 \
    -out private.csr \
    -key private.key \
    -config ssl.conf 

这里会要求输入一系列参数,可以选择不填直接回车。
可以使用下面的命令是查看证书内容:

openssl req -text -noout -in private.csr

应该可以看到:

X509v3 Subject Alternative Name: DNS:my-project.site and Signature Algorithm: sha256WithRSAEncryption

  1. 生成证书

然后生成证书命令如下:

openssl x509 -req \
    -days 3650 \
    -in private.csr \
    -signkey private.key \
    -out private.crt \
    -extensions req_ext \
    -extfile ssl.conf

参考资料

  • Generate ssl certificates with Subject Alt Names on OSX

你可能感兴趣的:(Web)