使用OpenSSL天生SANs证书实操

当初：
原来的x.509证书，天生绩一行代码，非常方便：

1. openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout key.pem -out cert.pem

复制代码

然后按照提示输入机构和dns信息即可。 
 
然而：
最近在开发一个websocket项目时，需要将原来的ws协议升级为wss协议。代码在机器A（win7）上调试没问题，在机器B（win10+go1.22.3）上调试，报错：

1. <strong>PS E:\zjw\golang\ws> go run ws/server1wss/client
2. </strong>2024/10/30 15:45:37 Error connecting to server: x509: certificate relies on legacy Common Name field, use SANs instead　

复制代码

经查，go1.15以后的版本废弃了依赖Common Name字段的x509证书，必须使用SANs证书。SANs是Subject Alternate Names的简称，它支持添加多个域名，允许将多个域名写入同一个证书中，这样就可以保护多个域名，从而低落了运维职员的管理成本，进步了证书管理效率。
采用如下方法创建证书：
1.首先安装openssl。步骤略。
2.创建私钥：

1. <strong>PS E:\zjw\ca_fsd>  openssl genrsa -des3 -out fusude.com.key 2048</strong>

复制代码

3. 天生CSR。按照提示输入信息即可。

1. <strong>PS E:\zjw\ca_fsd> openssl req -new -key fusude.com.key -</strong><strong>out fusude.com.csr</strong>
2. Enter pass phrase for fusude.com.key:
3. You are about to be asked to enter information that will be incorporated
4. into your certificate request.
5. What you are about to enter is what is called a Distinguished Name or a DN.
6. There are quite a few fields but you can leave some blank
7. For some fields there will be a default value,
8. If you enter '.', the field will be left blank.
9. -----
10. Country Name (2 letter code) [AU]:CN
11. State or Province Name (full name) [Some-State]:hebei
12. Locality Name (eg, city) []:shijiazhuang
13. Organization Name (eg, company) [Internet Widgits Pty Ltd]:fusude
14. Organizational Unit Name (eg, section) []:dept
15. Common Name (e.g. server FQDN or YOUR name) []:zjw
16. Email Address []:zjw@fusude.com
18. Please enter the following 'extra' attributes
19. to be sent with your certificate request
20. A challenge password []:*********
21. An optional company name []:fusude

复制代码

4. 从秘钥中删除密码（特别提示：密码要用到，另外记好！）

1. <strong>PS E:\zjw\ca_fsd> cp fusude.com.key fusude.com.key.org
2. PS E:\zjw\ca_fsd> openssl rsa -in fusude.com.key.org -out fusude.com.key</strong>

复制代码

5. 为SAN证书创建config file，名字无所谓，例如叫v3.txt，内容如下。留意subjectAltName里，设置你需要的DNS Name

1. subjectKeyIdentifier = hash
2. authorityKeyIdentifier = keyid:always,issuer:always
3. basicConstraints = CA:TRUE
4. keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment, keyAgreement, keyCertSign
5. subjectAltName = DNS:fusude.com, DNS:*.fusude.com
6. issuerAltName = issuer:copy

复制代码

6. 创建自签名证书，天生的crt文件即为我们需要的SANs证书：

1. <strong>PS E:\zjw\ca_fsd> openssl x509 -req -in fusude.com.csr -signkey fusude.com.key -out fusude.com.crt -days 3650 -sha256 -</strong><strong>extfile v3.txt</strong>
2. Signature ok
3. subject=C = CN, ST = hebei, L = shijiazhuang, O = fusude, OU = dept, CN = zjw, emailAddress = zjw@fusude.com
4. Getting Private keys

复制代码

7. 还可以转换为pfx或pem格式：

1. <strong>PS E:\zjw\ca_fsd> openssl pkcs12 -export -out fusude.com.pfx -inkey fusude.com.key -in</strong><strong> fusude.com.crt</strong>
2. Enter Export Password:
3. Verifying - Enter Export Password:
5. <strong>PS E:\zjw\ca_fsd</strong><strong>> openssl pkcs12 -export -out fusude.com.pem -inkey fusude.com.key -in</strong><strong> fusude.com.crt</strong>
6. Enter Export Password:
7. Verifying - Enter Export Password:

复制代码

8. 证书的使用不展开论述。感谢观看。
　　
感谢Azure Lei Zhang的博客  ： Azure Application Gateway (6) 使用OpenSSL创建SAN证书

 

免责声明：如果侵犯了您的权益，请联系站长，我们会及时删除侵权内容，谢谢合作！更多信息从访问主页：qidao123.com:ToB企服之家，中国第一个企服评测及商务社交产业平台。