环境:

CentOS 6.8 x86_64

安装

openssl openssl-devel


cp /etc/pki/tls/openssl.cnf openssl.cnf

修改openssl.cnf

[ req ]

distinguished_name = req_distinguished_name

default_md = sha256 #将sha1改为sha256

req_extensions = v3_req  #取消这行注释


# 确保req_distinguished_name下没有 0.xxx 的标签,有的话把0.xxx的0. 去掉

[ req_distinguished_name ]

countryName              = Country Name (2 letter code)

countryName_default = CN

stateOrProvinceName             = State or Province Name (full name)

stateOrProvinceName_default = GuangDong

localityName              = Locality Name (eg, city)

localityName_default = ShenZhen

organizationalUnitName             = Organizational Unit Name (eg, section)

organizationalUnitName_default = 303 IT Lab

commonName         = IT Lab

commonName_max = 64



[ v3_req ]

# Extensions to add to a certificate request

basicConstraints = CA:FALSE

keyUsage = nonRepudiation, digitalSignature, keyEncipherment

subjectAltName = @alt_names    #增加这行


# 新增以下部分

[ alt_names ]

DNS.1 = abc.com

DNS.2 = *.abc.com

DNS.3 = xyz.com

DNS.4 = *.xyz.com

可以自行增加多域名


创建相关目录及文件

mkdir -p CA/{certs,crl,newcerts,private}

touch CA/index.txt

echo 00 > CA/serial


1.生成ca.key并自签署

openssl req -utf8 -sha256 -new -x509 -days 3650 -keyout ca.key -out ca.crt -config openssl.cnf

2.生成server.key

openssl genrsa -out server.key 2048

3.生成证书签名请求

openssl req -utf8 -new -sha256 -key server.key -out server.csr -config openssl.cnf

Common Name 就是在这一步填写 *.abc.com  common name一定要在alt_names中包含


4.查看签名请求文件信息

openssl req -in server.csr -text

检查 Signature Algorithm 是不是sha256WithRSAEncryptio

5.使用自签署的CA,签署server.scr

openssl ca -in server.csr -md sha256  -out server.crt -cert ca.crt -keyfile ca.key -extensions v3_req -config openssl.cnf

注意:即便是你前面是sha256的根证书和sha256的请求文件,如果不加-md sha256,默认是按照sha1进行签名的

6.查看证书

openssl x509 -in server.crt -text

同样检查 Signature Algorithm 是不是sha256WithRSAEncryptio