数字证书系列--将证书绑定到多个URL以及IP

[root@localhost new_ca]# openssl genrsa -out CA_Key.key  2048
Generating RSA private key, 2048 bit long modulus
....................+++
..+++
e is 65537 (0x10001)
[root@localhost new_ca]# ls
CA_Key.key

[root@localhost new_ca]# openssl req -new -x509 -key CA_Key.key  -out CA_Cert.pem                                                      You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:GuangDong
Locality Name (eg, city) [Default City]:ShenZhen
Organization Name (eg, company) [Default Company Ltd]:Alone
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:
Email Address []:
[root@localhost new_ca]#

[root@localhost new_ca]# openssl genrsa -out server.key  2048
Generating RSA private key, 2048 bit long modulus
...+++
..+++
e is 65537 (0x10001)
[root@localhost new_ca]#

#这里是一个Organization不匹配，导致用CA签名时候报错的例子；
[root@localhost new_ca]#  openssl ca -in ./server.csr  -out ./my.crt -days 365 -cert ./CA_Cert.pem  -keyfile ./CA_Key.key  #这个命令是用来签名的
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
The organizationName field needed to be the same in the
CA certificate (Alone) and the request (Alne)

#生成正确的csr 文件， CN （COMMON NAME）就是证书会被绑定的地址，这里使用IP，而不是URL；
[root@localhost new_ca]# openssl req -new -key server.key -subj "/C=CN/ST=GuangDong/O=Alone/CN=127.0.0.1/CN=192.168.0.110/CN=www.my.com/CN=www.alone.com" -out server.csr
[root@localhost new_ca]#

#创建文件extfile.cnf, 内容如下，其要和前面的csr文件中对应的CN(common name)信息相互一致：
[root@localhost new_ca]# cat extfile.cnf
subjectAltName = @alt_names
[alt_names]
DNS.1 = www.my.com
DNS.2 = www.alone.com
IP.1 = 192.168.0.110
IP.2 = 127.0.0.1
[root@localhost new_ca]#
[root@localhost new_ca]#  openssl x509 -req -in server.csr -CA CA_Cert.pem -CAkey CA_Key.key -CAcreateserial  -extfile extfile.cnf -out server.crt
Signature ok
subject=/C=CN/ST=GuangDong/O=Alone/CN=127.0.0.1/CN=192.168.0.110/CN=www.my.com/CN=www.alone.com
Getting CA Private Key
[root@localhost new_ca]# 
[root@localhost new_ca]# ls
CA_Cert.pem  CA_Cert.srl  CA_Key.key  extfile.cnf  server.crt  server.csr  server.key
[root@localhost new_ca]#

[root@localhost new_ca]# openssl x509 -in ./server.crt  -subject
subject= /C=CN/ST=GuangDong/O=Alone/CN=127.0.0.1/CN=192.168.0.110/CN=www.my.com/CN=www.alone.com       
-----BEGIN CERTIFICATE-----
MIIDkzCCAnugAwIBAgIJANy5Ydsd+Ud5MA0GCSqGSIb3DQEBCwUAMFExCzAJBgNV
BAYTAkNOMRIwEAYDVQQIDAlHdWFuZ0RvbmcxETAPBgNVBAcMCFNoZW5aaGVuMQ4w
DAYDVQQKDAVBbG9uZTELMAkGA1UECwwCSVQwHhcNMTkxMDA2MTAyOTA1WhcNMTkx
MTA1MTAyOTA1WjCBijELMAkGA1UEBhMCQ04xEjAQBgNVBAgMCUd1YW5nRG9uZzEO
MAwGA1UECgwFQWxvbmUxEjAQBgNVBAMMCTEyNy4wLjAuMTEWMBQGA1UEAwwNMTky
LjE2OC4wLjExMDETMBEGA1UEAwwKd3d3Lm15LmNvbTEWMBQGA1UEAwwNd3d3LmFs
b25lLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAPQcGlkT+SX9
+jt5FUjx2I4ztCpDthl4hBu3es4uqHzVZaNyUb/BcESv5s7ESxIQTr9DON1nV2k/
d/MO0NAYgIQJ/4TsfA4fch/J0LuubKAIwarvOnVQLX3S3rvrhOr6ZUx5AcSi7qve
Vspx/EGqwKnwfzrq3xFPl2nJ8gTd+7ROoMe3e4g+ZUiVH1qI2tve41wCFOk49ppt
3S1dtOvM06+t+Y26tP2jc/9kSXoY44++VL9RHuJ/82zzm9huCUwcn+DB901j9AGh
+Xu1xCwXkH5D+ZXfaGvCroiahsCujxyzmYufJRGDFoRaPAM/PbcTR5tHcuy0nClI
Iyvxopb1xdkCAwEAAaM0MDIwMAYDVR0RBCkwJ4IKd3d3Lm15LmNvbYINd3d3LmFs
b25lLmNvbYcEwKgAbocEfwAAATANBgkqhkiG9w0BAQsFAAOCAQEAPiIPUsX8rEQ0
0Uz5jgY528leJ6Zlh1yiFfv2AExgWDDRU3d3tzrdZD4n2CTM5yV7VMjhyNTTZ3y5
5OrnkagaEFU6qmxH9RJz4I30hMAr/02LjgFAaQpMSeZYXpkyOAEQbGC1bmgIqF+C
4nH8zI9R/6wSfHTRdhTF7G5vR1iWtKywBj/UX6KgkTmJWbLeoSmoTvobSQ5FxuYR
bIdtXhZkMJmkOHsw/qv4sibvg2VDhWVPed/79/at+VNTE6NWgQ5n1TCih0XyS9XF
L24+wVtrU/eXmDKLbYkm6pJT5jGu9b5IuAo8/1KwV5iB3M2sCr7Ygq1HgAEhLRko
30VEHxVkgg==
-----END CERTIFICATE-----
[root@localhost new_ca]#