SSL/TLS深度解析--在Nginx上配置证书链及多域名证书
发表于:2025-12-02 作者:千家信息网编辑
生成私钥与自签根证书(本例用 AES-256 加密私钥,演示口令为 redhat)。注意:这只是演示口令,后文所有 `Enter pass phrase` 提示处输入的都是它;实际部署时根 CA 私钥必须使用强口令并离线保管,口令也不要写进文档或脚本。
# 进行简单处理[root@www ~]# cd /usr/local/openssl/[root@www openssl]# mkdir root-CA sub-CA[root@www openssl]# cp -rf CA/* root-CA/[root@www root-CA]# rm -rf root_cacert_ecc.pem crlnumber.old index.txt.old index.txt.attr.old serial.old private/root_prikey_ecdsa.pem newcerts/*[root@www root-CA]# > crl.pem[root@www root-CA]# > index.txt[root@www root-CA]# openssl rand -hex 16 > crlnumber [root@www root-CA]# openssl rand -hex 16 > serial[root@www root-CA]# vim root-ca.cnf[default]name = root-cadomain_suffix = a-company.comaia_url = http://$name.$domain_suffix/$name.crtcrl_url = http://$name.$domain_suffix/$name.crlocsp_url = http://ocsp.$name.$domain_suffix:9080default_ca = ca_defaultname_opt = utf8,esc_ctrl,multiline,lname,align[ca_dn]countryName = "CN"organizationName = "A-company"commonName = "root-CA"[ca_default]home = /usr/local/openssl/root-CA/database = $home/index.txtserial = $home/serialcrlnumber = $home/crlnumbercertificate = $home/root_cacert.crtprivate_key = $home/private/root_cakey_ecdsa.pem#RANDFILE = $home/private/randomnew_certs_dir = $home/newcertsunique_subject = nocopy_extensions = nonedefault_days = 3650default_crl_days = 60default_md = sha384policy = policy_rootCA_match[policy_rootCA_match]countryName = matchstateOrProvinceName = optionallocalityName = optionalorganizationName = matchorganizationalUnitName = optionalcommonName = suppliedemailAddress = optional[req]default_bits = 4096encrypt_key = yesdefault_md = sha256utf8 = yesstring_mask = utf8onlyprompt = nodistinguished_name = ca_dnreq_extensions = ca_ext[ca_ext]basicConstraints = critical,CA:truekeyUsage = critical,keyCertSign,cRLSignsubjectKeyIdentifier = hash[subca_ext]authorityInfoAccess = @issuer_infoauthorityKeyIdentifier = keyid:alwaysbasicConstraints = critical,CA:true,pathlen:0crlDistributionPoints = @crl_infoextendedKeyUsage = clientAuth,serverAuthkeyUsage = critical,keyCertSign,cRLSignnameConstraints = @name_constraintssubjectKeyIdentifier = hash[crl_info]URI.0 = 
$crl_url[issuer_info]caIssuers;URI.0 = $aia_urlOCSP;URI.0 = $ocsp_url[name_constraints]permitted;DNS.0=test05.compermitted;DNS.1=test.orgexcluded;IP.0=0.0.0.0/0.0.0.0excluded;IP.1=0:0:0:0:0:0:0:0/0:0:0:0:0:0:0:0[ocsp_ext]authorityKeyIdentifier = keyid:alwaysbasicConstraints = critical,CA:falseextendedKeyUsage = OCSPSigningkeyUsage = critical,digitalSignaturesubjectKeyIdentifier = hash[root@www root-CA]# mkdir test[root@www root-CA]# cd test[root@www test]# openssl ecparam -genkey -name prime256v1 -out root_cakey_ecdsa.pem[root@www test]# ll总用量 4-rw-------. 1 root root 302 11月 24 23:12 root_cakey_ecdsa.pem[root@www test]# openssl ec -aes256 -in root_cakey_ecdsa.pem -out root_cakey_ecdsa.pem read EC keywriting EC keyEnter PEM pass phrase:Verifying - Enter PEM pass phrase:[root@www test]# ll总用量 4-rw-------. 1 root root 314 11月 24 23:13 root_cakey_ecdsa.pem[root@www test]# openssl req -new -x509 -sha384 -config /usr/local/openssl/root-CA/root-ca.cnf -extensions ca_ext -key root_cakey_ecdsa.pem -out root_cacert.crt -days 3650 -subj /C=CN/ST=BeiJing/L=BeiJing/O=A_company/OU=rootca/CN=rootCA/emailAddress=adm@test.comEnter pass phrase for root_cakey_ecdsa.pem:[root@www test]# ll总用量 8-rw-r--r--. 1 root root 859 11月 24 23:26 root_cacert.crt-rw-------. 
1 root root 314 11月 24 23:13 root_cakey_ecdsa.pem[root@www test]# mv root_cacert.crt ../[root@www test]# mv root_cakey_ecdsa.pem ../private/#查看根证书[root@www root-CA]# openssl x509 -in root_cacert.crt -textCertificate: Data: Version: 3 (0x2) Serial Number: 0f:b1:e8:38:74:1f:2a:2a:fd:8b:cf:b5:27:c0:20:51:a8:54:ad:ce Signature Algorithm: ecdsa-with-SHA384 Issuer: C = CN, ST = BeiJing, L = BeiJing, O = A_company, OU = rootca, CN = rootCA, emailAddress = adm@test.com Validity Not Before: Nov 24 15:26:12 2018 GMT Not After : Nov 21 15:26:12 2028 GMT Subject: C = CN, ST = BeiJing, L = BeiJing, O = A_company, OU = rootca, CN = rootCA, emailAddress = adm@test.com Subject Public Key Info: Public Key Algorithm: id-ecPublicKey Public-Key: (256 bit) pub: 04:cc:8f:71:cc:11:fe:bb:a9:b0:86:b7:8f:50:89: 3c:65:63:ed:ee:37:4b:6e:3b:e3:d6:77:51:a7:15: be:99:70:ea:45:0f:e3:46:53:dd:46:2d:8d:4b:57: 31:5b:30:e8:91:47:b2:41:a7:54:c8:44:f6:75:37: a3:29:ac:81:ea ASN1 OID: prime256v1 NIST CURVE: P-256 X509v3 extensions: X509v3 Basic Constraints: critical CA:TRUE X509v3 Key Usage: critical Certificate Sign, CRL Sign X509v3 Subject Key Identifier: 76:79:14:46:B7:7C:E5:8A:E8:47:77:F5:B6:2B:B3:17:BC:2D:05:02 Signature Algorithm: ecdsa-with-SHA384 30:45:02:21:00:ac:7f:fb:04:23:ea:c7:77:eb:e8:d3:a4:16: a6:f7:9a:6a:ee:d1:ce:9c:4e:16:ec:2b:dd:86:4e:56:af:2d: cd:02:20:5f:a1:3b:d1:50:a8:4a:30:05:ed:59:1e:1e:99:68: d4:92:af:19:d5:a1:46:e5:ad:4b:d2:f4:0a:dd:89:5d:4d-----BEGIN CERTIFICATE-----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***xnVoUblrUvS9ArdiV1N-----END CERTIFICATE-----

签发私有二级CA
注意:下面用 `cp -rf root-CA/* sub-CA/` 初始化二级 CA 目录时,根 CA 的 serial 和 crlnumber 文件也被原样复制了,所以两个 CA 会从同一个序列号开始签发(后文二级 CA 证书和服务器证书的序列号都是 88:40:ac:...:f7:ad)。RFC 5280 只要求序列号在同一签发者下唯一,这不算违规,但建议在 sub-CA 目录里重新执行 `openssl rand -hex 16 > serial` 和 `openssl rand -hex 16 > crlnumber`,让每个 CA 有独立的随机起点;openssl ca 之后签发的序列号是顺序递增的,只有第一个是随机的。
[root@www openssl]# cp -rf root-CA/* sub-CA/[root@www openssl]# cd sub-CA/[root@www sub-CA]# rm -rf root-ca.cnf private/* root_cacert.crt[root@www sub-CA]# vim sub-ca.cnf[default]name = sub-cadomain_suffix = a-company.comaia_url = http://$name.$domain_suffix/$name.crtcrl_url = http://$name.$domain_suffix/$name.crlocsp_url = http://ocsp.$name.$domain_suffix:9081default_ca = ca_defaultname_opt = utf8,esc_ctrl,multiline,lname,align[ca_dn]countryName = "CN"organizationName = "A-company"commonName = "sub-CA"[ca_default]home = /usr/local/openssl/sub-CAdatabase = $home/index.txtserial = $home/serialcrlnumber = $home/crlnumbercertificate = $home/second_cacert.crtprivate_key = $home/private/second_cakey_ecdsa.pem#RANDFILE = $home/private/randomnew_certs_dir = $home/newcertsunique_subject = nocopy_extensions = copydefault_days = 365default_crl_days = 30default_md = sha256policy = policy_subCA_match[policy_subCA_match]countryName = matchstateOrProvinceName = optionallocalityName = optionalorganizationName = matchorganizationalUnitName = optionalcommonName = suppliedemailAddress = optional[req]default_bits = 4096encrypt_key = yesdefault_md = sha256utf8 = yesstring_mask = utf8onlyprompt = nodistinguished_name = ca_dn#req_extensions = ca_ext[crl_info]URI.0 = $crl_url[issuer_info]caIssuers;URI.0 = $aia_urlOCSP;URI.0 = $ocsp_url[ocsp_ext]authorityKeyIdentifier = keyid:alwaysbasicConstraints = critical,CA:falseextendedKeyUsage = OCSPSigningkeyUsage = critical,digitalSignaturesubjectKeyIdentifier = hash[server_ext]authorityInfoAccess = @issuer_infoauthorityKeyIdentifier = keyid:alwaysbasicConstraints = critical,CA:falsecrlDistributionPoints = @crl_infoextendedKeyUsage = clientAuth,serverAuthkeyUsage = critical,digitalSignature,keyEnciphermentsubjectKeyIdentifier = hash[client_ext]authorityInfoAccess = @issuer_infoauthorityKeyIdentifier = keyid:alwaysbasicConstraints = critical,CA:falsecrlDistributionPoints = @crl_infoextendedKeyUsage = clientAuthkeyUsage = 
critical,digitalSignaturesubjectKeyIdentifier = hash[root@www sub-CA]# cd test# 生成二级CA私钥[root@www test]# openssl ecparam -genkey -name prime256v1 -out second_cakey_ecdsa.pem# AES256加密(密码redhat)[root@www test]# openssl ec -aes256 -in second_cakey_ecdsa.pem -out second_cakey_ecdsa.pem read EC keywriting EC keyEnter PEM pass phrase:Verifying - Enter PEM pass phrase:# 生成二级CA的证书申请[root@www test]# openssl req -new -config /usr/local/openssl/sub-CA/sub-ca.cnf -key second_cakey_ecdsa.pem -out second_cacert.csr -subj /C=CN/ST=BeiJing/L=BeiJing/O=A_company/OU=subca/CN=sub01_CA/emailAddress=sub01adm@test.com Enter pass phrase for second_cakey_ecdsa.pem:# 使用根证书签署二级CA证书[root@www test]# openssl ca -config /usr/local/openssl/root-CA/root-ca.cnf -extensions subca_ext -days 730 -in second_cacert.csr -out second_cacert.crt -batch -notextUsing configuration from /usr/local/openssl/root-CA/root-ca.cnfEnter pass phrase for /usr/local/openssl/root-CA//private/root_cakey_ecdsa.pem:Check that the request matches the signatureSignature okCertificate Details:Certificate: Data: Version: 3 (0x2) Serial Number: 88:40:ac:09:86:09:b6:19:9d:fa:33:71:f2:cb:f7:ad Issuer: countryName = CN stateOrProvinceName = BeiJing localityName = BeiJing organizationName = A_company organizationalUnitName = rootca commonName = rootCA emailAddress = adm@test.com Validity Not Before: Nov 28 13:18:46 2018 GMT Not After : Nov 27 13:18:46 2020 GMT Subject: countryName = CN stateOrProvinceName = BeiJing localityName = BeiJing organizationName = A_company organizationalUnitName = subca commonName = sub01_CA emailAddress = sub01adm@test.com Subject Public Key Info: Public Key Algorithm: id-ecPublicKey Public-Key: (256 bit) pub: 04:d7:e4:9d:be:12:50:5b:c4:05:c3:d5:e7:b9:7c: 18:c1:9b:31:a8:c2:8e:08:a7:4b:9c:62:02:25:f9: df:dc:c1:74:64:0e:70:5d:74:22:2e:22:83:06:c0: 7a:70:5e:4b:d5:87:c7:c9:8a:3b:bb:bd:77:91:76: 97:56:c3:2c:e4 ASN1 OID: prime256v1 NIST CURVE: P-256 X509v3 extensions: Authority Information Access: CA Issuers 
- URI:http://root-ca.a-company.com/root-ca.crt OCSP - URI:http://ocsp.root-ca.a-company.com:9080 X509v3 Authority Key Identifier: keyid:76:79:14:46:B7:7C:E5:8A:E8:47:77:F5:B6:2B:B3:17:BC:2D:05:02 X509v3 Basic Constraints: critical CA:TRUE, pathlen:0 X509v3 CRL Distribution Points: Full Name: URI:http://root-ca.a-company.com/root-ca.crl X509v3 Extended Key Usage: TLS Web Client Authentication, TLS Web Server Authentication X509v3 Key Usage: critical Certificate Sign, CRL Sign X509v3 Name Constraints: Permitted: DNS:test05.com DNS:test.org Excluded: IP:0.0.0.0/0.0.0.0 IP:0:0:0:0:0:0:0:0/0:0:0:0:0:0:0:0 X509v3 Subject Key Identifier: 9B:EC:B4:AF:12:B8:23:58:BC:12:86:8A:10:E2:5A:3C:B9:CA:2D:94Certificate is to be certified until Nov 27 13:18:46 2020 GMT (730 days)Write out database with 1 new entriesData Base Updated[root@www test]# mv second_cakey_ecdsa.pem ../private/[root@www test]# mv second_cacert.crt ../使用二级CA签发服务器端证书
# 生成私钥和申请(注意这里没加密私钥)[root@www test]# openssl ecparam -genkey -name prime256v1 -out server_ecdsa.key[root@www test]# openssl req -new -key server_ecdsa.key -config ../sub-ca.cnf -out server.csr -subj /C=CN/ST=BeiJing/L=BeiJing/O=A_company/OU=server/CN=www.test05.com/emailAddress=test05adm@test.com[root@www test]# openssl ca -config ../sub-ca.cnf -in server.csr -out server.crt -extensions server_ext -batch -notextUsing configuration from ../sub-ca.cnfEnter pass phrase for /usr/local/openssl/sub-CA/private/second_cakey_ecdsa.pem:Check that the request matches the signatureSignature okCertificate Details:Certificate: Data: Version: 3 (0x2) Serial Number: 88:40:ac:09:86:09:b6:19:9d:fa:33:71:f2:cb:f7:ad Issuer: countryName = CN stateOrProvinceName = BeiJing localityName = BeiJing organizationName = A_company organizationalUnitName = subca commonName = sub01_CA emailAddress = sub01adm@test.com Validity Not Before: Nov 28 13:40:52 2018 GMT Not After : Nov 28 13:40:52 2019 GMT Subject: countryName = CN stateOrProvinceName = BeiJing localityName = BeiJing organizationName = A_company organizationalUnitName = server commonName = www.test05.com emailAddress = test05adm@test.com Subject Public Key Info: Public Key Algorithm: id-ecPublicKey Public-Key: (256 bit) pub: 04:cb:0a:18:1e:3f:9f:09:a6:85:1c:a9:26:7b:ee: 41:37:68:5b:e5:89:84:12:93:14:6b:d0:bd:5e:d8: ff:27:e6:dd:f3:43:57:70:0e:ac:43:69:d1:29:9a: 3a:2e:e2:b3:b4:2c:ff:7f:c1:60:c0:6b:de:2a:bd: 72:08:f5:7c:00 ASN1 OID: prime256v1 NIST CURVE: P-256 X509v3 extensions: Authority Information Access: CA Issuers - URI:http://sub-ca.a-company.com/sub-ca.crt OCSP - URI:http://ocsp.sub-ca.a-company.com:9081 X509v3 Authority Key Identifier: keyid:9B:EC:B4:AF:12:B8:23:58:BC:12:86:8A:10:E2:5A:3C:B9:CA:2D:94 X509v3 Basic Constraints: critical CA:FALSE X509v3 CRL Distribution Points: Full Name: URI:http://sub-ca.a-company.com/sub-ca.crl X509v3 Extended Key Usage: TLS Web Client Authentication, TLS Web Server Authentication X509v3 Key 
Usage: critical Digital Signature, Key Encipherment X509v3 Subject Key Identifier: 86:F3:C8:69:7C:0A:00:7E:FF:F6:0C:61:05:6B:83:45:9D:86:40:4BCertificate is to be certified until Nov 28 13:40:52 2019 GMT (365 days)Write out database with 1 new entriesData Base Updated使用server.crt 与 second_cacert.crt 合成一个证书链
# 要注意顺序,服务器端的证书是放在第一个,二级CA的证书在其后面;如果还有一层三级CA,那么是先追加三级CA证书,再追加二级CA证书。根证书不需要放进链里,客户端本地必须已经信任它。
[root@www test]# cat server.crt ../second_cacert.crt > chain.crt
# 部署前可先验证整条链能回溯到根证书,避免把顺序拼错的链发布上线:
#   openssl verify -CAfile /usr/local/openssl/root-CA/root_cacert.crt -untrusted ../second_cacert.crt server.crt
[root@www test]# ll chain.crt
-rw-r--r--. 1 root root 2534 11月 28 21:50 chain.crt
# server_ecdsa.key 没有加密,复制到 Nginx 目录后要确认仍是 root 所有、权限 0600
[root@www test]# cp chain.crt server_ecdsa.key /project/nginx1.15.0/conf/certs/
[root@www test]# cd /project/nginx1.15.0/conf/
[root@www conf]# vim nginx.conf
......
server_name www.linuxplus.com www.test05.com;
ssl_certificate certs/chain.crt;
ssl_certificate_key certs/server_ecdsa.key;
# 注意:上面这张 server.crt 只有 CN=www.test05.com 且没有 SAN,对 www.linuxplus.com 这个 server_name 无法通过校验;主流浏览器(Chrome 58 以后)已不再看 CN 而要求 SAN,多域名请参考后文的 SAN 证书。
[root@www conf]# ../sbin/nginx -t
nginx: the configuration file /project/nginx1.15.0/conf/nginx.conf syntax is ok
nginx: configuration file /project/nginx1.15.0/conf/nginx.conf test is successful
[root@www conf]# ../sbin/nginx -s reload
# 只把根证书(公钥部分)分发给客户端导入信任库;任何 CA 私钥都不要离开 CA 主机
[root@www ~]# cd /usr/local/openssl/root-CA
[root@www root-CA]# sz -y root_cacert.crt
使用二级CA签发客户端证书
[root@www ~]# cd /usr/local/openssl/sub-CA/test/[root@www test]# openssl ecparam -genkey -name prime256v1 -out client01_ecdsa.key# 生成申请[root@www test]# openssl req -new -key client01_ecdsa.key -out client01.csr -subj /C=CN/ST=BeiJing/L=BeiJing/O=A_company/OU=client01/CN=www.test05.com/emailAddress=clientadm@test.com# 签发客户端证书[root@www test]# openssl ca -config ../sub-ca.cnf -days 60 -in client01.csr -out client01.crt -extensions client_ext -batch -notext Using configuration from ../sub-ca.cnfEnter pass phrase for /usr/local/openssl/sub-CA/private/second_cakey_ecdsa.pem:Check that the request matches the signatureSignature okCertificate Details:Certificate: Data: Version: 3 (0x2) Serial Number: 88:40:ac:09:86:09:b6:19:9d:fa:33:71:f2:cb:f7:ae Issuer: countryName = CN stateOrProvinceName = BeiJing localityName = BeiJing organizationName = A_company organizationalUnitName = subca commonName = sub01_CA emailAddress = sub01adm@test.com Validity Not Before: Nov 30 15:17:31 2018 GMT Not After : Jan 29 15:17:31 2019 GMT Subject: countryName = CN stateOrProvinceName = BeiJing localityName = BeiJing organizationName = A_company organizationalUnitName = client01 commonName = www.test05.com emailAddress = clientadm@test.com Subject Public Key Info: Public Key Algorithm: id-ecPublicKey Public-Key: (256 bit) pub: 04:e5:30:48:de:2b:2d:fc:6b:89:d1:9a:fd:f8:62: 72:72:26:e6:ca:82:2b:fd:c0:c5:c2:ce:8d:dc:ba: d0:e0:52:84:75:6b:6a:78:64:c3:09:9b:c8:9d:fe: e1:af:5c:85:b1:c3:a5:6c:6d:fe:b0:57:5a:37:d5: ec:d4:b6:56:2a ASN1 OID: prime256v1 NIST CURVE: P-256 X509v3 extensions: Authority Information Access: CA Issuers - URI:http://sub-ca.a-company.com/sub-ca.crt OCSP - URI:http://ocsp.sub-ca.a-company.com:9081 X509v3 Authority Key Identifier: keyid:9B:EC:B4:AF:12:B8:23:58:BC:12:86:8A:10:E2:5A:3C:B9:CA:2D:94 X509v3 Basic Constraints: critical CA:FALSE X509v3 CRL Distribution Points: Full Name: URI:http://sub-ca.a-company.com/sub-ca.crl X509v3 Extended Key Usage: TLS Web Client Authentication 
X509v3 Key Usage: critical Digital Signature
X509v3 Subject Key Identifier: 29:44:F5:60:40:8C:DD:ED:D2:D0:0E:E8:E7:D5:5C:67:6D:CF:12:9E
Certificate is to be certified until Jan 29 15:17:31 2019 GMT (60 days)
Write out database with 1 new entries
Data Base Updated
# 格式转换成pkcs12。-passout pass:123456 只是演示:命令行里的口令会进入 shell 历史和 ps 输出,而 p12 里包含客户端私钥,实际应使用强口令并改用 -passout file:... 或 env:... 的方式传入
[root@www test]# openssl pkcs12 -export -clcerts -passout pass:123456 -in client01.crt -inkey client01_ecdsa.key -out client01.p12
[root@www test]# cd ..
# 生成二级 CA 的 CRL。CRL 的 nextUpdate 由 sub-ca.cnf 的 default_crl_days(30 天)决定,过期后 Nginx 会拒绝所有客户端证书,必须在到期前重新 -gencrl 并 reload
[root@www sub-CA]# openssl ca -config sub-ca.cnf -gencrl -out crl.pem
Using configuration from sub-ca.cnf
Enter pass phrase for /usr/local/openssl/sub-CA/private/second_cakey_ecdsa.pem:
[root@www test]# cd
[root@www ~]# cd /project/nginx1.15.0/conf/
[root@www conf]# vim nginx.conf
# 开启客户端身份验证(未提供证书的客户端会被 Nginx 以 400 拒绝)
ssl_verify_client on;
# 指定客户端证书到根证书的深度
ssl_verify_depth 2;
# 指定签发客户端证书的CA证书
ssl_client_certificate /usr/local/openssl/sub-CA/second_cacert.crt;
# 完整证书链中需要包含的其他CA证书
ssl_trusted_certificate /usr/local/openssl/root-CA/root_cacert.crt;
# 证书吊销列表,有更新时Nginx需要重新加载
ssl_crl /usr/local/openssl/sub-CA/crl.pem;
[root@www conf]# ../sbin/nginx -t
nginx: the configuration file /project/nginx1.15.0/conf/nginx.conf syntax is ok
nginx: configuration file /project/nginx1.15.0/conf/nginx.conf test is successful
[root@www conf]# ../sbin/nginx -s reload
注意:
在nginx配置文件那里开启客户端证书验证后,客户端需要导入两样东西:根证书 root_cacert.crt(进入信任库,用来校验服务器证书链)和 client01.p12(包含客户端证书与私钥,用作身份证书),之后才能正常访问站点;不带客户端证书的请求会被 Nginx 拒绝。
nginx中的 ssl_crl 这个配置要注意:Nginx 开启 CRL 检查后会对证书链上的每一级证书都做吊销检查,所以如果客户端证书是二级CA签署的,ssl_crl 里除了二级CA的 crl 之外,还必须包含根证书签发的 crl(用来检查二级CA证书本身),否则握手会报类似 "unable to get certificate CRL" 的错误——这与证书链的概念类似。ssl_client_certificate 配置可以是证书链也可以只是二级CA(如果只配置二级CA的话 ssl_trusted_certificate 要配置根证书)。另外每份 CRL 都有有效期(root-ca.cnf 的 default_crl_days = 60,sub-ca.cnf 的 default_crl_days = 30),任何一份过期都会导致所有客户端证书校验失败,要在到期前分别重新生成、重新拼接并 reload Nginx。
cat ..xx/sub-ca/crl.pem ..xx/root-CA/crl.pem > crl_chain.pem
ssl_crl ....xx/xx/crl_chain.pem;
[root@www sub-CA]# cd ..[root@www openssl]# cd root-CA/[root@www root-CA]# openssl ca -config root-ca.cnf -gencrl -out crl.pem Using configuration from root-ca.cnfEnter pass phrase for /usr/local/openssl/root-CA//private/root_cakey_ecdsa.pem:[root@www root-CA]# cd ..[root@www openssl]# cd sub-CA/[root@www sub-CA]# cat crl.pem ../root-CA/crl.pem > crl_chain.pem# 修改Nginx配置# 证书吊销列表,有更新时Nginx需要重新加载ssl_crl /usr/local/openssl/sub-CA/crl_chain.pem;多域名证书与泛域名证书
多域名
多域名证书的做法是把 SAN(subjectAltName)写进 CSR(下面在 sub-ca.cnf 的 [req] 里把 req_extensions 改为 dns_ext),再由二级CA签发。SAN 能进入最终证书,是因为 sub-ca.cnf 里设置了 copy_extensions = copy:openssl ca 会把请求里有、而签发用的 server_ext 里没有的扩展原样复制到证书中。这意味着 CSR 里的任何扩展都可能被签进证书,所以签发前务必用 `openssl req -noout -text -in server01.csr` 检查请求里的扩展,只给可信的 CSR 签名;签发后再用 `openssl x509 -noout -text -in server01.crt` 确认证书里只有预期的 SAN。另外 alt_names 是写死在 CA 配置里的,每张用这份配置生成的 CSR 都会带上同样的三个名字,实际使用时应为每次申请单独准备一份 req 配置。
[root@www ~]# cd /usr/local/openssl/sub-CA/[root@www sub-CA]# vim sub-ca.cnf......[req]default_bits = 4096encrypt_key = yesdefault_md = sha256utf8 = yesstring_mask = utf8onlyprompt = nodistinguished_name = ca_dn#req_extensions = ca_extreq_extensions = dns_ext #修改内容#增加内容[ dns_ext ]subjectAltName = @alt_names[alt_names]DNS.0=list.test05.comDNS.1=login.test05.comDNS.2=admin.test05.com......[root@www sub-CA]# cd test# 生成私钥[root@www test]# openssl ecparam -name prime256v1 -genkey -out server01_ecdsa.key[root@www test]# openssl req -new -config ../sub-ca.cnf -key server01_ecdsa.key -out server01.csr -subj /C=CN/ST=BeiJing/L=BeiJing/O=A_company/OU=server01/CN=server01_multi/emailAddress=server01adm@test.com# 使用二级CA签署多域名证书[root@www test]# openssl ca -config ../sub-ca.cnf -in server01.csr -out server01.crt -extensions server_ext -batch -notext Using configuration from ../sub-ca.cnfEnter pass phrase for /usr/local/openssl/sub-CA/private/second_cakey_ecdsa.pem:Check that the request matches the signatureSignature okCertificate Details:Certificate: Data: Version: 3 (0x2) Serial Number: 88:40:ac:09:86:09:b6:19:9d:fa:33:71:f2:cb:f7:af Issuer: countryName = CN stateOrProvinceName = BeiJing localityName = BeiJing organizationName = A_company organizationalUnitName = subca commonName = sub01_CA emailAddress = sub01adm@test.com Validity Not Before: Dec 1 06:38:21 2018 GMT Not After : Dec 1 06:38:21 2019 GMT Subject: countryName = CN stateOrProvinceName = BeiJing localityName = BeiJing organizationName = A_company organizationalUnitName = server01 commonName = server01_multi emailAddress = server01adm@test.com Subject Public Key Info: Public Key Algorithm: id-ecPublicKey Public-Key: (256 bit) pub: 04:7f:67:e9:70:07:08:0f:0d:0b:a9:46:03:db:35: 16:72:fa:e3:18:2e:40:ee:f4:1a:78:2e:31:30:ce: 55:d4:e5:7c:10:73:67:57:17:01:e2:8b:5c:64:24: 07:da:7b:46:64:25:21:03:a3:d3:3f:7d:30:24:da: d5:e2:76:40:5e ASN1 OID: prime256v1 NIST CURVE: P-256 X509v3 extensions: Authority Information Access: CA 
Issuers - URI:http://sub-ca.a-company.com/sub-ca.crt OCSP - URI:http://ocsp.sub-ca.a-company.com:9081 X509v3 Authority Key Identifier: keyid:9B:EC:B4:AF:12:B8:23:58:BC:12:86:8A:10:E2:5A:3C:B9:CA:2D:94 X509v3 Basic Constraints: critical CA:FALSE X509v3 CRL Distribution Points: Full Name: URI:http://sub-ca.a-company.com/sub-ca.crl X509v3 Extended Key Usage: TLS Web Client Authentication, TLS Web Server Authentication X509v3 Key Usage: critical Digital Signature, Key Encipherment X509v3 Subject Key Identifier: 86:75:3A:EA:E0:E4:5E:6D:80:AC:5B:FD:56:7C:E0:49:A1:96:05:A6 X509v3 Subject Alternative Name: DNS:list.test05.com, DNS:login.test05.com, DNS:admin.test05.comCertificate is to be certified until Dec 1 06:38:21 2019 GMT (365 days)Write out database with 1 new entriesData Base Updated[root@www test]# cat server01.crt ../second_cacert.crt > chain2.crt[root@www test]# cp chain2.crt server01_ecdsa.key /project/nginx1.15.0/conf/certs/[root@www ~]# cd /project/nginx1.15.0/conf/[root@www conf]# vim nginx.conf......server_name *.test05.com;ssl_certificate certs/chain2.crt;ssl_certificate_key certs/server01_ecdsa.key;[root@www conf]# ../sbin/nginx -tnginx: the configuration file /project/nginx1.15.0/conf/nginx.conf syntax is oknginx: configuration file /project/nginx1.15.0/conf/nginx.conf test is successful[root@www conf]# ../sbin/nginx -s reload- 数据库文件 index.txt 说明
[root@www CA]# cat index.txtV 190901132740Z 92F43BDFF9AC3B5CAA3189D661C69AFA unknown /C=CN/ST=ShanDong/L=QingDao/O=Devops/OU=Devops/CN=www.linuxplus.com/emailAddress=admin@linuxplus.comV 191110141723Z 92F43BDFF9AC3B5CAA3189D661C69AFB unknown /C=CN/ST=ShanXi/L=XiAn/O=Devops01/OU=DevOps01/CN=www.linuxplus01.com/emailAddress=admin@linuxplus.comV 191110143215Z 92F43BDFF9AC3B5CAA3189D661C69AFC unknown /C=CN/ST=ShanDong/L=QingDao/O=Devops/OU=Devops/CN=www.linuxplus.com/emailAddress=admin@linuxplus.comR 191111060653Z 181111142637Z 92F43BDFF9AC3B5CAA3189D661C69AFD unknown /C=CN/ST=ShanXi/L=XiAn/O=Devops01/OU=Devops01/CN=www.linuxplus.com/emailAddress=adm@linuxplus.comV 191111140018Z 92F43BDFF9AC3B5CAA3189D661C69AFE unknown /C=CN/ST=ShanXi/L=XiAn/O=Devops02/OU=Devops02/CN=www.linuxplus.com/emailAddress=adm@linuxplus.com每一行包括6个以制表符分隔的值
(1) 状态标记: V 表示有效 valid, R 表示已吊销 revoked, E 表示已过期 expired(E 不会自动出现,需要执行 openssl ca -updatedb 才会把已过期的条目标记为 E)
(2) 过期时间(以 YYMMDDHHMMSSZ 格式表示)
(3) 吊销日期(格式同样是 YYMMDDHHMMSSZ),如果没有被吊销则为空;吊销时若指定了 -crl_reason,原因会以逗号跟在日期之后
(4) 序列号(十六进制)
(5) 文件路径(如果不知道就显示 unknown )
(6) subject (所有者)
名称约束
在根证书配置文件里有一个名称约束 nameConstraints = @name_constraints,它限制这张二级CA(以及它签发的所有证书)能够出现的主体名字。校验器是对证书 subjectAltName 中的 dNSName 做检查的;当证书没有 SAN 时,较新版本的 OpenSSL 和多数浏览器会退而检查 CN,所以本文这些只写 CN 的证书同样受约束。按 RFC 5280 的规则,permitted;DNS.0=test05.com 允许 test05.com 本身以及在它左边追加任意多个标签得到的名字,例如 www.test05.com、abc.test05.com、a.b.test05.com;但 abctest05.com(不是以 .test05.com 结尾)和 test05.com.xxx 都不满足。带前导点的写法 .test05.com 在 OpenSSL 的实现里表示只允许子域:www.test05.com 可以,而 test05.com 本身不行。约束本身不能使用通配符;被约束证书名中的 * 在 OpenSSL 里会被当作普通字符按后缀匹配(例如 *.test05.com 能通过约束检查),浏览器是否接受这种通配符证书是另一回事。excluded;IP.0=0.0.0.0/0.0.0.0 和 excluded;IP.1=::/0 则排除了所有 IPv4/IPv6 地址,所以这条链签不出带 IP 地址 SAN 的证书。
如果是签发客户端证书,名称约束不是非要使用域名,可以自定义一个字符串,例如 cli-admin.a.company 等。但要注意:长得像域名的 CN 在较新的 OpenSSL 中同样会按 DNS 约束检查,cli-admin.a.company 这样的名字可能被判为违反 permitted 列表;稳妥的做法是客户端证书也使用约束范围内的名字,并在签发后用 `openssl verify -CAfile root_cacert.crt -untrusted second_cacert.crt client01.crt` 验证一遍。
如果是给服务器端签发证书,就要注意签发的证书要在名称约束以内,并且是域名的格式(最好写进 SAN,而不只是 CN)。
[name_constraints]
permitted;DNS.0=test05.com
permitted;DNS.1=test.org
excluded;IP.0=0.0.0.0/0.0.0.0
excluded;IP.1=0:0:0:0:0:0:0:0/0:0:0:0:0:0:0:0