SSL: issuing certificates for IP addresses



Overview

Reference: https://stackoverflow.com/questions/1095780/are-ssl-certificates-bound-to-the-servers-ip-address

An SSL certificate cannot be issued for Reserved IP addresses (RFC 1918 and RFC 4193 range) / private IP addresses (IPv4, IPv6), Intranet for Internal Server Name, local server name with a non-public domain name suffix.

A certificate can be bound to an IP address. You can issue a self-signed certificate to a private address, but a trusted CA will not issue a certificate to a private address because it can not verify its identity.

For example a certificate issued to 192.168.0.1 would be theoretically valid in any context, and this should not be allowed by a trusted CA.

Issuing a certificate for a public IP address

Reference: https://blog.csdn.net/u012912380/article/details/93173058

There are two kinds of SSL certificate for an IP address, DV SSL and OV SSL:

DV SSL:
Either an enterprise or an individual can apply for this kind of certificate; only administrative control over the IP address is verified. Several IPs can be bound into a single certificate. Issuance takes only about 30 minutes.

OV SSL:
Only enterprises and similar organizations can apply for this kind; besides verifying control over the IP, the CA also verifies the organization's identity. The resulting certificate naturally differs from the DV SSL certificate above. Issuance takes 1-3 working days.

Applying for an SSL certificate for an IP address requires the following conditions:

  1. The IP must be a public IP;
  2. The applicant has administrative control over the IP for which the certificate is requested;
  3. The applicant may be an enterprise, an organization, or an individual;
  4. An IP can be issued an OV SSL certificate (enterprise-type SSL certificate) or a DV SSL certificate (basic validation level);
  5. A certificate can cover a single IP, or several IPs bound together; wildcard coverage of an IP range is currently not supported.

The review process is essentially the same as for enterprise-type (OV) and domain-type (DV) SSL certificates.

Issuing a certificate for a private IP address

Reference: https://blog.csdn.net/ustccw/article/details/76691248

Generating the SSL files locally

Certificate generation script: we use the makefile.sh script below to build a CA locally (ca.crt + ca.key), and then use that CA to issue one certificate to the server and one to the client.

makefile.sh

```sh
#!/bin/sh
#
#  * Redistributions in binary form must reproduce the above copyright
#    notice, this list of conditions and the following disclaimer in the
#    documentation and/or other materials provided with the distribution.
#  * Neither the name of the axTLS project nor the names of its
#    contributors may be used to endorse or promote products derived
#    from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR
# CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
# TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
# OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
# NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
# THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
# Generate the certificates and keys for testing.
#

PROJECT_NAME="TLS Project"

# Generate the openssl configuration files.
# The CA subject is only an Organization; the server and client subjects
# carry their private IP address in the CN.
cat > ca_cert.conf << EOF
[ req ]
distinguished_name = req_distinguished_name
prompt             = no

[ req_distinguished_name ]
O = $PROJECT_NAME Dodgy Certificate Authority
EOF

cat > server_cert.conf << EOF
[ req ]
distinguished_name = req_distinguished_name
prompt             = no

[ req_distinguished_name ]
O  = $PROJECT_NAME
CN = 192.168.111.100
EOF

cat > client_cert.conf << EOF
[ req ]
distinguished_name = req_distinguished_name
prompt             = no

[ req_distinguished_name ]
O  = $PROJECT_NAME Device Certificate
CN = 192.168.111.101
EOF

mkdir ca
mkdir server
mkdir client
mkdir certDER

# private key generation
# NOTE: 1024-bit RSA and SHA-1 (below) are kept from the original test script;
# use 2048-bit or larger keys and -sha256 for anything beyond local testing.
openssl genrsa -out ca.key 1024
openssl genrsa -out server.key 1024
openssl genrsa -out client.key 1024

# cert requests
openssl req -out ca.req -key ca.key -new \
            -config ./ca_cert.conf
openssl req -out server.req -key server.key -new \
            -config ./server_cert.conf
openssl req -out client.req -key client.key -new \
            -config ./client_cert.conf

# generate the actual certs: the CA cert is self-signed with ca.key,
# the server and client certs are signed by the CA.
openssl x509 -req -in ca.req -out ca.crt \
            -sha1 -days 5000 -signkey ca.key
openssl x509 -req -in server.req -out server.crt \
            -sha1 -CAcreateserial -days 5000 \
            -CA ca.crt -CAkey ca.key
openssl x509 -req -in client.req -out client.crt \
            -sha1 -CAcreateserial -days 5000 \
            -CA ca.crt -CAkey ca.key

# DER copies of the three certificates
openssl x509 -in ca.crt -outform DER -out ca.der
openssl x509 -in server.crt -outform DER -out server.der
openssl x509 -in client.crt -outform DER -out client.der

mv ca.crt ca.key ca/
mv server.crt server.key server/
mv client.crt client.key client/

mv ca.der server.der client.der certDER/

rm *.conf
rm *.req
rm *.srl
```
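The same CA-then-server issuance redone with Go's standard library, as an added example (not code from the post or from axTLS), extended with the check the script leaves out: TLS clients following RFC 2818 / RFC 6125 match an IP address only against a subjectAltName iPAddress entry, so the script's CN = 192.168.111.100 on its own fails hostname verification. The function names, P-256 keys and 24-hour validity period are assumptions of this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)

// must panics on error: a key-generation or signing failure is fatal in this example.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue generates a P-256 key and signs tmpl with parentKey (nil: self-signed, i.e. the CA).
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	if parentKey == nil {
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// VerifyIPCert has a private CA issue a server certificate with CN = ip (as the page's script does)
// plus the given iPAddress SANs, then verifies it as an RFC 6125 client: IPs match the SAN, not the CN.
func VerifyIPCert(ip string, sans []net.IP) error {
	ca, caKey := issue(&x509.Certificate{
		SerialNumber: big.NewInt(1), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
		Subject:      pkix.Name{Organization: []string{"TLS Project Dodgy Certificate Authority"}},
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
	}, nil, nil)
	leaf, _ := issue(&x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{Organization: []string{"TLS Project"}, CommonName: ip},
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IPAddresses:  sans, // becomes the subjectAltName iPAddress entries
	}, ca, caKey)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: ip})
	return err
}
```

VerifyIPCert("192.168.111.100", nil) returns a hostname error for the CN-only certificate, while passing []net.IP{net.ParseIP("192.168.111.100")} verifies cleanly. With openssl the equivalent fix is a subjectAltName = IP:192.168.111.100 extension supplied via -extfile when signing server.req.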
