[Linux] Requesting a multi-domain certificate: generating the CSR and key files

To request a multi-domain certificate like this, you can generate the CSR and key files with the openssl command.
Create an openssl.cnf file with vim:

[ req ]
default_bits		= 2048
#default_md		= sha256
default_keyfile 	= privkey.pem
distinguished_name	= req_distinguished_name
attributes		= req_attributes
x509_extensions         = v3_ca
req_extensions = v3_req


[ v3_req ]
subjectAltName   = @alt_names
basicConstraints = CA:FALSE
keyUsage         = nonRepudiation, digitalSignature, keyEncipherment

[ v3_ca ]
subjectKeyIdentifier=hash

[ alt_names ]
DNS.1 = domain1.com
DNS.2 = domain2.com
DNS.3 = domain3.com

[ req_distinguished_name ]
countryName			= Country Name (2 letter code)
countryName_min			= 2
countryName_max			= 2
stateOrProvinceName		= State or Province Name (full name)
localityName			= Locality Name (eg, city)
0.organizationName		= Organization Name (eg, company)
organizationalUnitName		= Organizational Unit Name (eg, section)
commonName			= Common Name (eg, fully qualified host name)
commonName_max			= 64
emailAddress			= Email Address
emailAddress_max		= 64

[ req_attributes ]
challengePassword		= A challenge password
challengePassword_min		= 4
challengePassword_max		= 20

Then generate the CSR and key files with the following command:

openssl req -new -newkey rsa:2048 -keyout domain.key -out domain.csr -config openssl.cnf

Another reference example

# example.com.conf
[ req ]
default_bits = 2048
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
# Generate a v3 certificate with extension attributes
req_extensions = v3_req

# Set the default domain name
[ req_distinguished_name ]
# Minimum of 4 bytes are needed for common name
commonName         = www.example.com
commonName_default = *.example.com
commonName_max     = 64

# Set the two-letter country code
# ISO2 country code only
countryName         = China
countryName_default = CN

# Set the state or province name
# State is optional, no minimum limit
stateOrProvinceName         = Province
stateOrProvinceName_default = Beijing

# Set the city name
# City is required
localityName         = City
localityName_default = Beijing

# Set the company or organization name
# Organization is optional
organizationName         = Organization
organizationName_default = My Company

# Set the department name
# Organization Unit is optional
organizationalUnitName         = Department
organizationalUnitName_default = My Department

# Set the contact email
# Email is optional
emailAddress         = Email
emailAddress_default = email@example.com

# Extension configuration
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names

# Domain names to include
[alt_names]
DNS.1 = www.example.com
DNS.2 = *.example.com

openssl req -new -newkey rsa:2048 -nodes -keyout mykonf.com.key -out mykonf.com.csr -config openssl.cnf
Country Name (2 letter code) []:CN            // Enter the country code; for China enter CN
State or Province Name (full name) []:HangZhou      // Enter the province; HangZhou here
Locality Name (eg, city) []:HangZhou           // Enter the city; also HangZhou here
Organization Name (eg, company) []:tbj          // Enter the organization (or company name; I just used tbj here)
Organizational Unit Name (eg, section) []:tbj       // Enter the organizational unit
Common Name (eg, fully qualified host name) []:*.abc.com // Enter the domain name; mine is *.abc.com
Email Address []:tugenhua0707@qq.com           // Your email address

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456              // Challenge password (an attribute stored in the CSR, not a passphrase for the key); press Enter to leave it empty

Use the following command to check that the generated CSR file is correct:

openssl req -text -in mykonf.com.csr -noout

Then submit the CSR file to the certificate authority.
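
The whole procedure as a script, added here as an example and not part of the original post: it writes a non-interactive config with a SAN list, generates the key and CSR, and then checks that the CSR's signature verifies and that its subjectAltName holds exactly the expected names before it goes to the CA. The function names, the file names (req.cnf, domain.key, domain.csr) and the `prompt = no` config are assumptions of this example.

```shell
#!/bin/sh
# Added example; directory, file and domain names are constructed sample values.

# make_san_csr DIR CN NAME...  -> writes DIR/req.cnf, DIR/domain.key, DIR/domain.csr
make_san_csr() {
    dir=$1; cn=$2; shift 2
    {
        printf '[ req ]\nprompt = no\ndefault_md = sha256\n'
        printf 'distinguished_name = dn\nreq_extensions = v3_req\n'
        printf '[ dn ]\ncommonName = %s\n' "$cn"
        printf '[ v3_req ]\nbasicConstraints = CA:FALSE\n'
        printf 'keyUsage = nonRepudiation, digitalSignature, keyEncipherment\n'
        printf 'subjectAltName = @alt_names\n[ alt_names ]\n'
        i=1
        for name in "$@"; do
            printf 'DNS.%d = %s\n' "$i" "$name"
            i=$((i + 1))
        done
    } > "$dir/req.cnf"
    # -nodes leaves the key unencrypted, so create it readable by the owner only.
    ( umask 077
      openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/domain.key" \
          -out "$dir/domain.csr" -config "$dir/req.cnf" 2>/dev/null )
}

# csr_sans CSR  -> prints the DNS names in the CSR's subjectAltName, sorted
csr_sans() {
    openssl req -in "$1" -noout -text |
        sed -n '/Subject Alternative Name/{n;p;}' |
        tr ',' '\n' | sed -n 's/^ *DNS://p' | sort
}

# check_csr CSR NAME...  -> succeeds only if the self-signature verifies and
# the SAN set is exactly the expected names (none missing, none extra)
check_csr() {
    csr=$1; shift
    openssl req -in "$csr" -noout -verify 2>&1 | grep -q 'verify OK' || return 1
    want=$(printf '%s\n' "$@" | sort)
    [ "$(csr_sans "$csr")" = "$want" ]
}

# Usage: d=$(mktemp -d); make_san_csr "$d" domain1.com domain1.com domain2.com
#        check_csr "$d/domain.csr" domain1.com domain2.com && echo "CSR ok"
```

The exact-match comparison catches a name that was dropped from [ alt_names ] as well as one that was left in by mistake.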
