Issuing SAN certificates with a self-built CA

Summary: This article walks through generating a CA certificate step by step: creating the CA configuration file, generating the CA certificate, issuing a SAN certificate and verifying the certificate chain, and explains what each resulting file is for.


CA certificate generation

First, create the CA configuration file:

cat > ca.conf << EOF
[ req ]
default_bits = 2048
default_md = sha256
prompt = no
encrypt_key = no
distinguished_name = dn
[ dn ]
C = CN
ST = Beijing
L = Beijing
O = Dev
OU = Dev Root CA
CN = Dev Root CA
emailAddress = admin@domain.dev
# Extensions attached when the CA certificate is self-signed below.
# Without CA:TRUE and keyCertSign, clients reject every certificate this CA issues.
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

Generate the CA certificate:

# Generate the CA private key (P-256 EC key) and a CSR from ca.conf
openssl ecparam -out ca.key -name prime256v1 -genkey
openssl req -new -sha256 -key ca.key -out ca.csr -config ca.conf
# Self-sign the CSR for 10 years; -extensions/-extfile attach the v3_ca section,
# otherwise the resulting certificate carries no CA extensions at all
openssl x509 -req -sha256 -days 3650 -in ca.csr -signkey ca.key -out ca.crt \
  -extensions v3_ca -extfile ca.conf

Issuing a SAN certificate

Create the certificate configuration file:

cat > domain.conf << EOF
[ req ]
default_bits = 2048
default_md = sha256
prompt = no
encrypt_key = no
distinguished_name = dn
req_extensions = v3_req
[ dn ]
C = CN
ST = Beijing
L = Beijing
O = Organization
OU = Dev Team
CN = domain.dev
emailAddress = admin@domain.dev
# Leaf certificate extensions. Modern clients match hostnames against the SAN
# list only (the CN is ignored), and expect serverAuth in extendedKeyUsage.
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = domain.dev
DNS.2 = *.domain.dev
EOF

Issue the certificate:

# Generate the domain private key and CSR
openssl genrsa -out domain.dev.key 2048
openssl req -new -nodes -key domain.dev.key -out domain.dev.csr -config domain.conf
# Sign the CSR with the CA. -extensions/-extfile copy the SAN and key-usage
# extensions from domain.conf into the certificate; openssl x509 does not carry
# the CSR's own extensions over by default.
# Note: Apple clients (iOS 13 / macOS 10.15 and later) refuse TLS server
# certificates valid for more than 825 days, so shorten -days for those.
openssl x509 -req -in domain.dev.csr \
  -CA ca.crt -CAkey ca.key -CAcreateserial \
  -out domain.dev.crt -days 3650 -sha256 \
  -extensions v3_req -extfile domain.conf
# Inspect the certificate; the X509v3 Subject Alternative Name block should list both names
openssl x509 -in domain.dev.crt -text -noout

Build the full certificate chain

# Leaf certificate first, then the issuing CA (the order servers send to clients)
cat domain.dev.crt ca.crt > domain.dev.fullchain.crt
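As an added example (not from the article), the script below reproduces the whole procedure above in a scratch directory and then checks the result with openssl verify, including hostname matching against the SAN list. It assumes an OpenSSL 1.1.1 or later CLI on PATH, shortens the DNs to a CN, and gives the leaf 825 days rather than 3650 (the longest validity Apple clients accept for TLS server certificates).

```shell
#!/bin/sh
# Added example, not from the article: rebuild the CA and SAN leaf in a scratch dir, then verify.
set -eu
build_and_verify() (
  work=$(mktemp -d) && cd "$work"
  # Minimal CA config (DN shortened); v3_ca marks the certificate as a CA.
  cat > ca.conf <<'EOF'
[ req ]
prompt = no
distinguished_name = dn
[ dn ]
CN = Dev Root CA
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  # Leaf config for domain.dev with the same SAN list as the article.
  cat > domain.conf <<'EOF'
[ req ]
prompt = no
distinguished_name = dn
[ dn ]
CN = domain.dev
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = domain.dev
DNS.2 = *.domain.dev
EOF
  openssl ecparam -name prime256v1 -genkey -noout -out ca.key
  openssl req -new -key ca.key -config ca.conf -out ca.csr
  openssl x509 -req -in ca.csr -signkey ca.key -days 3650 -sha256 \
    -extensions v3_ca -extfile ca.conf -out ca.crt
  openssl genrsa -out domain.dev.key 2048
  openssl req -new -key domain.dev.key -config domain.conf -out domain.dev.csr
  openssl x509 -req -in domain.dev.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
    -days 825 -sha256 -extensions v3_req -extfile domain.conf -out domain.dev.crt
  cat domain.dev.crt ca.crt > domain.dev.fullchain.crt
  # Chain and hostname checks: both SAN entries must verify against the CA ...
  openssl verify -CAfile ca.crt -verify_hostname domain.dev domain.dev.crt
  openssl verify -CAfile ca.crt -verify_hostname api.domain.dev domain.dev.crt
  # ... while a wildcard matches exactly one label, so a.b.domain.dev must be refused.
  if openssl verify -CAfile ca.crt -verify_hostname a.b.domain.dev domain.dev.crt 2>/dev/null; then exit 1; fi
  rm -rf "$work"
)
```

Run build_and_verify; it exits non-zero if the chain fails to verify or if the wildcard wrongly matches a two-level subdomain.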

What each file is for

  • ca.conf: CA configuration file
  • ca.key: CA private key
  • ca.csr: CA certificate signing request
  • ca.crt: CA certificate
  • ca.srl: serial-number file created by -CAcreateserial
  • domain.conf: domain configuration file
  • domain.dev.key: domain private key
  • domain.dev.csr: domain CSR
  • domain.dev.crt: domain certificate
  • domain.dev.fullchain.crt: full certificate chain (leaf followed by CA)