SSL/TLS深度解析--在Nginx上配置证书链及多域名证书

本文深入探讨如何在Nginx上配置SSL/TLS,包括生成私钥与自签根证书,签发二级CA,创建证书链,设置客户端证书验证,以及处理多域名和泛域名证书。详细介绍了nginx的ssl_crl配置和名称约束规则,确保安全的HTTPS连接。

生成私钥与自签根证书(这次用 AES-256 加密私钥,示例口令为 redhat;这只是演示值,生产环境的根 CA 私钥应使用强口令、最小权限访问并尽量离线保管)

# Housekeeping: clone the existing CA directory layout into root-CA/ and reset its state.
[root@www ~]# cd /usr/local/openssl/
[root@www openssl]# mkdir root-CA sub-CA
# Copies everything from the old CA, including its private/ directory; the old key and
# certificate are removed by the next command (a `cd root-CA` is implied before it).
[root@www openssl]# cp -rf CA/* root-CA/
# Drop what is presumably the previous CA's certificate, ECDSA key, issued certificates and
# backup files. Anything else that lived under CA/private/ may still be here — check before reuse.
[root@www root-CA]# rm -rf root_cacert_ecc.pem crlnumber.old index.txt.old index.txt.attr.old serial.old private/root_prikey_ecdsa.pem newcerts/*
# Truncate the CRL and the `openssl ca` database so the new CA starts with an empty history.
[root@www root-CA]# > crl.pem
[root@www root-CA]# > index.txt
# Start the CRL number and the certificate serial at a random 128-bit value instead of 01.
# NOTE: `openssl ca` increments from this value, so only the starting point is unpredictable.
[root@www root-CA]# openssl rand -hex 16 > crlnumber 
[root@www root-CA]# openssl rand -hex 16 > serial
# CA configuration; its contents follow. Sections are selected later via -config / -extensions.
[root@www root-CA]# vim root-ca.cnf
[default]
# Building blocks for the AIA / CRL / OCSP URLs embedded in issued certificates.
name = root-ca
domain_suffix = a-company.com
# Plain http:// is the norm for these fetch URLs: the served objects are themselves signed,
# and fetching them over TLS could require validating the very chain being built.
aia_url = http://$name.$domain_suffix/$name.crt
crl_url = http://$name.$domain_suffix/$name.crl
ocsp_url = http://ocsp.$name.$domain_suffix:9080
default_ca = ca_default
name_opt = utf8,esc_ctrl,multiline,lname,align

# Subject of the root itself. NOTE: the `openssl req ... -subj` used further down overrides
# this section, which is why the generated certificate shows O=A_company / CN=rootCA instead.
[ca_dn]
countryName = "CN"
organizationName = "A-company"
commonName = "root-CA"

[ca_default]
home = /usr/local/openssl/root-CA/
database = $home/index.txt
serial = $home/serial
crlnumber = $home/crlnumber
certificate = $home/root_cacert.crt
# Passphrase-protected ECDSA key; this path must match where the key is moved after generation.
private_key = $home/private/root_cakey_ecdsa.pem
#RANDFILE = $home/private/random
new_certs_dir = $home/newcerts
unique_subject = no
# Never copy extensions out of a CSR: a requester could otherwise smuggle in CA:TRUE or
# extra SANs. Every extension comes from the -extensions section chosen at signing time.
copy_extensions = none
# Ten-year default lifetime for anything the root signs (i.e. the sub-CA).
default_days = 3650
# A fresh CRL must be published at least every 60 days, or clients relying on it will see it expire.
default_crl_days = 60
default_md = sha384
policy = policy_rootCA_match

# C and O of every request signed by the root must equal the root certificate's own subject;
# CN is mandatory, everything else optional.
[policy_rootCA_match]
countryName = match
stateOrProvinceName = optional
localityName = optional
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[req]
# Only used when `req` generates an RSA key; irrelevant here since an EC key is passed with -key.
default_bits = 4096
encrypt_key = yes
default_md = sha256
utf8 = yes
string_mask = utf8only
prompt = no
distinguished_name = ca_dn
# NOTE: `req -x509` reads x509_extensions, not req_extensions; the root is created with an
# explicit `-extensions ca_ext` on the command line so this section is applied regardless.
req_extensions = ca_ext

# Extension profile for the self-signed root: a CA whose key may only sign certificates and CRLs.
[ca_ext]
basicConstraints = critical,CA:true
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash

# Extension profile for the intermediate (sub-CA).
[subca_ext]
authorityInfoAccess = @issuer_info
authorityKeyIdentifier = keyid:always
# pathlen:0 — the sub-CA may issue end-entity certificates only, never another CA.
basicConstraints = critical,CA:true,pathlen:0
crlDistributionPoints = @crl_info
# NOTE(review): an EKU on an intermediate is treated by some validators (OpenSSL among them)
# as a limit on the EKUs of certificates below it; keep this list in sync with what the sub-CA
# will issue — verify against the clients you need to support.
extendedKeyUsage = clientAuth,serverAuth
keyUsage = critical,keyCertSign,cRLSign
nameConstraints = @name_constraints
subjectKeyIdentifier = hash

[crl_info]
URI.0 = $crl_url
[issuer_info]
caIssuers;URI.0 = $aia_url
OCSP;URI.0 = $ocsp_url

# Name constraints for the sub-CA: it can only vouch for these domains and their subdomains,
# which limits the blast radius if its key is compromised. A permitted DNS list alone does not
# restrict IP-address SANs, hence the explicit exclusion of the whole IPv4 and IPv6 space.
# Enforcement happens in the validating client, so it is only as strong as the clients in use.
[name_constraints]
permitted;DNS.0=test05.com
permitted;DNS.1=test.org
excluded;IP.0=0.0.0.0/0.0.0.0
excluded;IP.1=0:0:0:0:0:0:0:0/0:0:0:0:0:0:0:0

# Extension profile for the OCSP responder's signing certificate: end-entity, OCSPSigning only.
# NOTE(review): no id-pkix-ocsp-nocheck (`noCheck = ignore`) is set, so clients are expected
# to check the revocation status of the responder certificate itself — confirm that is intended.
[ocsp_ext]
authorityKeyIdentifier = keyid:always
basicConstraints = critical,CA:false
extendedKeyUsage = OCSPSigning
keyUsage = critical,digitalSignature
subjectKeyIdentifier = hash
# Generate the root key in a scratch directory, then move the pieces into the CA layout.
[root@www root-CA]# mkdir test
[root@www root-CA]# cd test
# P-256 key. NOTE: it is written to disk unencrypted first (0600, see the listing below) and
# only encrypted in place two commands later; piping `ecparam -genkey` straight into
# `openssl ec -aes256 -out ...` avoids ever storing the plaintext key.
[root@www test]# openssl ecparam -genkey -name prime256v1 -out root_cakey_ecdsa.pem
[root@www test]# ll
总用量 4
-rw-------. 1 root root 302 11月 24 23:12 root_cakey_ecdsa.pem
# Rewrite the key encrypted with AES-256; the passphrase is prompted for, not passed on the
# command line. Use a strong passphrase outside a lab — this key is the trust anchor of the chain.
[root@www test]# openssl ec -aes256 -in root_cakey_ecdsa.pem -out root_cakey_ecdsa.pem 
read EC key
writing EC key
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
[root@www test]# ll
总用量 4
-rw-------. 1 root root 314 11月 24 23:13 root_cakey_ecdsa.pem
# Self-signed root, valid ten years, signed ecdsa-with-SHA384. `-extensions ca_ext` is needed
# because `req -x509` ignores req_extensions; `-subj` overrides the [ca_dn] section of the config.
[root@www test]# openssl req -new -x509 -sha384 -config /usr/local/openssl/root-CA/root-ca.cnf  -extensions ca_ext  -key root_cakey_ecdsa.pem -out  root_cacert.crt -days 3650 -subj /C=CN/ST=BeiJing/L=BeiJing/O=A_company/OU=rootca/CN=rootCA/emailAddress=adm@test.com
Enter pass phrase for root_cakey_ecdsa.pem:
# The certificate is world-readable (it is public); the key stays 0600.
[root@www test]# ll
总用量 8
-rw-r--r--. 1 root root 859 11月 24 23:26 root_cacert.crt
-rw-------. 1 root root 314 11月 24 23:13 root_cakey_ecdsa.pem
# Move both into the paths referenced by `certificate` and `private_key` in root-ca.cnf.
[root@www test]# mv root_cacert.crt ../
[root@www test]# mv root_cakey_ecdsa.pem ../private/
# Inspect the root certificate (a `cd ..` is implied): check CA:TRUE, Key Usage = Certificate
# Sign / CRL Sign, the Subject Key Identifier and the ecdsa-with-SHA384 signature algorithm.
[root@www root-CA]# openssl x509 -in root_cacert.crt -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            0f:b1:e8:38:74:1f:2a:2a:fd:8b:cf:b5:27:c0:20:51:a8:54:ad:ce
        Signature Algorithm: ecdsa-with-SHA384
        Issuer: C = CN, ST = BeiJing, L = BeiJing, O = A_company, OU = rootca, CN = rootCA, emailAddress = adm@test.com
        Validity
            Not Before: Nov 24 15:26:12 2018 GMT
            Not After : Nov 21 15:26:12 2028 GMT
        Subject: C = CN, ST = BeiJing, L = BeiJing, O = A_company, OU = rootca, CN = rootCA, emailAddress = adm@test.com
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    04:cc:8f:71:cc:11:fe:bb:a9:b0:86:b7:8f:50:89:
                    3c:65:63:ed:ee:37:4b:6e:3b:e3:d6:77:51:a7:15:
                    be:99:70:ea:45:0f:e3:46:53:dd:46:2d:8d:4b:57:
                    31:5b:30:e8:91:47:b2:41:a7:54:c8:44:f6:75:37:
                    a3:29:ac:81:ea
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
            X509v3 Subject Key Identifier: 
                76:79:14:46:B7:7C:E5:8A:E8:47:77:F5:B6:2B:B3:17:BC:2D:05:02
    Signature Algorithm: ecdsa-with-SHA384
         30:45:02:21:00:ac:7f:fb:04:23:ea:c7:77:eb:e8:d3:a4:16:
         a6:f7:9a:6a:ee:d1:ce:9c:4e:16:ec:2b:dd:86:4e:56:af:2d:
         cd:02:20:5f:a1:3b:d1:50:a8:4a:30:05:ed:59:1e:1e:99:68:
         d4:92:af:19:d5:a1:46:e5:ad:4b:d2:f4:0a:dd:89:5d:4d
-----BEGIN CERTIFICATE-----
MIICTjCCAfSgAwIBAgIUD7HoOHQfKir9i8+1J8AgUahUrc4wCgYIKoZIzj0EAwMw
gYQxCzAJBgNVBAYTAkNOMRAwDgYDVQQIDAdCZWlKaW5nMRAwDgYDVQQHDAdCZWlK
aW5nMRIwEAYDVQQKDAlBX2NvbXBhbnkxDzANBgNVBAsMBnJvb3RjYTEPMA0GA1UE
AwwGcm9vdENBMRswGQYJKoZIhvcNAQkBFgxhZG1AdGVzdC5jb20wHhcNMTgxMTI0
MTUyNjEyWhcNMjgxMTIxMTUyNjEyWjCBhDELMAkGA1UEBhMCQ04xEDAOBgNVBAgM
B0JlaUppbmcxEDAOBgNVBAcMB0JlaUppbmcxEjAQBgNVBAoMCUFfY29tcGFueTEP
MA0GA1UECwwGcm9vdGNhMQ8wDQY