使用 openssl 为家中服务器进行自签名证书且无域名

Question 1

我应该将什么作为通用名称？

您使用一个友好的名字通用名称 (CN)有两个原因。首先，它通过工具显示给用户，因此您需要类似示例小部件有限责任公司.二、主机名总是进入主题备用名称 (SAN)。IETF 和 CA/B 论坛均不赞成将主机名放置在 CN 中。

有关更多规则和原因，请参阅如何向证书颁发机构签署证书签名请求和如何使用 openssl 创建自签名证书？

那么，如何针对这种情况创建自签名证书？

使用该openssl实用程序和自定义配置文件。下面是一个示例。

您应该做两件事。首先，将 DNS 名称列表更改为username.noip.me和homeserver。其次，在更改证书中所需的名称后，运行以下命令：

openssl req -config example-com.conf -new -x509 -sha256 -newkey rsa:2048 -nodes \
    -keyout example-com.key.pem -days 365 -out example-com.cert.pem

显然，您可以将配置文件的名称更改为example-com.conf您想要的任何名称。

此外，在家里，我运行自己的 PKI。我有一个根 CA，可以在需要时为网络上的设备颁发证书。所有设备都安装了根 CA。我的内部域称为。home.pvt网络上的主机名为、、、、pine64.home.pvt等rpi3.home.pvt。一切solaris.home.pvt都windows10.home.pvt按预期运行。

示例配置文件

# Self Signed (note the addition of -x509):
#     openssl req -config example-com.conf -new -x509 -sha256 -newkey rsa:2048 -nodes -keyout example-com.key.pem -days 365 -out example-com.cert.pem
# Signing Request (note the lack of -x509):
#     openssl req -config example-com.conf -new -newkey rsa:2048 -nodes -keyout example-com.key.pem -days 365 -out example-com.req.pem
# Print it:
#     openssl x509 -in example-com.cert.pem -text -noout
#     openssl req -in example-com.req.pem -text -noout

[ req ]
default_bits        = 2048
default_keyfile     = server-key.pem
distinguished_name  = subject
req_extensions      = req_ext
x509_extensions     = x509_ext
string_mask         = utf8only

# The Subject DN can be formed using X501 or RFC 4514 (see RFC 4519 for a description).
#   Its sort of a mashup. For example, RFC 4514 does not provide emailAddress.
[ subject ]
countryName         = Country Name (2 letter code)
countryName_default     = US

stateOrProvinceName     = State or Province Name (full name)
stateOrProvinceName_default = NY

localityName            = Locality Name (eg, city)
localityName_default        = New York

organizationName         = Organization Name (eg, company)
organizationName_default    = Example, LLC

# Use a friendly name here because its presented to the user. The server's DNS
#   names are placed in Subject Alternate Names. Plus, DNS names here is deprecated
#   by both IETF and CA/Browser Forums. If you place a DNS name here, then you 
#   must include the DNS name in the SAN too (otherwise, Chrome and others that
#   strictly follow the CA/Browser Baseline Requirements will fail).
commonName          = Common Name (e.g. server FQDN or YOUR name)
commonName_default      = Example Company

emailAddress            = Email Address
emailAddress_default        = [email protected]

# Section x509_ext is used when generating a self-signed certificate. I.e., openssl req -x509 ...
#  If RSA Key Transport bothers you, then remove keyEncipherment. TLS 1.3 is removing RSA
#  Key Transport in favor of exchanges with Forward Secrecy, like DHE and ECDHE.
[ x509_ext ]

subjectKeyIdentifier        = hash
authorityKeyIdentifier  = keyid,issuer

basicConstraints        = CA:FALSE
keyUsage            = digitalSignature, keyEncipherment
subjectAltName          = @alternate_names
nsComment           = "OpenSSL Generated Certificate"

# RFC 5280, Section 4.2.1.12 makes EKU optional
# CA/Browser Baseline Requirements, Appendix (B)(3)(G) makes me confused
# extendedKeyUsage  = serverAuth, clientAuth

# Section req_ext is used when generating a certificate signing request. I.e., openssl req ...
[ req_ext ]

subjectKeyIdentifier        = hash

basicConstraints        = CA:FALSE
keyUsage            = digitalSignature, keyEncipherment
subjectAltName          = @alternate_names
nsComment           = "OpenSSL Generated Certificate"

# RFC 5280, Section 4.2.1.12 makes EKU optional
# CA/Browser Baseline Requirements, Appendix (B)(3)(G) makes me confused
# extendedKeyUsage  = serverAuth, clientAuth

[ alternate_names ]

DNS.1       = example.com
DNS.2       = www.example.com
DNS.3       = mail.example.com
DNS.4       = ftp.example.com

# Add these if you need them. But usually you don't want them or
#   need them in production. You may need them for development.
# DNS.5       = localhost
# DNS.6       = localhost.localdomain
# DNS.7       = 127.0.0.1

# IPv6 localhost
# DNS.8     = ::1
# DNS.9     = fe80::1

Answer

我应该将什么作为通用名称？

您使用一个友好的名字通用名称 (CN)有两个原因。首先，它通过工具显示给用户，因此您需要类似示例小部件有限责任公司.二、主机名总是进入主题备用名称 (SAN)。IETF 和 CA/B 论坛均不赞成将主机名放置在 CN 中。

有关更多规则和原因，请参阅如何向证书颁发机构签署证书签名请求和如何使用 openssl 创建自签名证书？

那么，如何针对这种情况创建自签名证书？

使用该openssl实用程序和自定义配置文件。下面是一个示例。

您应该做两件事。首先，将 DNS 名称列表更改为username.noip.me和homeserver。其次，在更改证书中所需的名称后，运行以下命令：

openssl req -config example-com.conf -new -x509 -sha256 -newkey rsa:2048 -nodes \
    -keyout example-com.key.pem -days 365 -out example-com.cert.pem

显然，您可以将配置文件的名称更改为example-com.conf您想要的任何名称。

此外，在家里，我运行自己的 PKI。我有一个根 CA，可以在需要时为网络上的设备颁发证书。所有设备都安装了根 CA。我的内部域称为。home.pvt网络上的主机名为、、、、pine64.home.pvt等rpi3.home.pvt。一切solaris.home.pvt都windows10.home.pvt按预期运行。

示例配置文件

# Self Signed (note the addition of -x509):
#     openssl req -config example-com.conf -new -x509 -sha256 -newkey rsa:2048 -nodes -keyout example-com.key.pem -days 365 -out example-com.cert.pem
# Signing Request (note the lack of -x509):
#     openssl req -config example-com.conf -new -newkey rsa:2048 -nodes -keyout example-com.key.pem -days 365 -out example-com.req.pem
# Print it:
#     openssl x509 -in example-com.cert.pem -text -noout
#     openssl req -in example-com.req.pem -text -noout

[ req ]
default_bits        = 2048
default_keyfile     = server-key.pem
distinguished_name  = subject
req_extensions      = req_ext
x509_extensions     = x509_ext
string_mask         = utf8only

# The Subject DN can be formed using X501 or RFC 4514 (see RFC 4519 for a description).
#   Its sort of a mashup. For example, RFC 4514 does not provide emailAddress.
[ subject ]
countryName         = Country Name (2 letter code)
countryName_default     = US

stateOrProvinceName     = State or Province Name (full name)
stateOrProvinceName_default = NY

localityName            = Locality Name (eg, city)
localityName_default        = New York

organizationName         = Organization Name (eg, company)
organizationName_default    = Example, LLC

# Use a friendly name here because its presented to the user. The server's DNS
#   names are placed in Subject Alternate Names. Plus, DNS names here is deprecated
#   by both IETF and CA/Browser Forums. If you place a DNS name here, then you 
#   must include the DNS name in the SAN too (otherwise, Chrome and others that
#   strictly follow the CA/Browser Baseline Requirements will fail).
commonName          = Common Name (e.g. server FQDN or YOUR name)
commonName_default      = Example Company

emailAddress            = Email Address
emailAddress_default        = [email protected]

# Section x509_ext is used when generating a self-signed certificate. I.e., openssl req -x509 ...
#  If RSA Key Transport bothers you, then remove keyEncipherment. TLS 1.3 is removing RSA
#  Key Transport in favor of exchanges with Forward Secrecy, like DHE and ECDHE.
[ x509_ext ]

subjectKeyIdentifier        = hash
authorityKeyIdentifier  = keyid,issuer

basicConstraints        = CA:FALSE
keyUsage            = digitalSignature, keyEncipherment
subjectAltName          = @alternate_names
nsComment           = "OpenSSL Generated Certificate"

# RFC 5280, Section 4.2.1.12 makes EKU optional
# CA/Browser Baseline Requirements, Appendix (B)(3)(G) makes me confused
# extendedKeyUsage  = serverAuth, clientAuth

# Section req_ext is used when generating a certificate signing request. I.e., openssl req ...
[ req_ext ]

subjectKeyIdentifier        = hash

basicConstraints        = CA:FALSE
keyUsage            = digitalSignature, keyEncipherment
subjectAltName          = @alternate_names
nsComment           = "OpenSSL Generated Certificate"

# RFC 5280, Section 4.2.1.12 makes EKU optional
# CA/Browser Baseline Requirements, Appendix (B)(3)(G) makes me confused
# extendedKeyUsage  = serverAuth, clientAuth

[ alternate_names ]

DNS.1       = example.com
DNS.2       = www.example.com
DNS.3       = mail.example.com
DNS.4       = ftp.example.com

# Add these if you need them. But usually you don't want them or
#   need them in production. You may need them for development.
# DNS.5       = localhost
# DNS.6       = localhost.localdomain
# DNS.7       = 127.0.0.1

# IPv6 localhost
# DNS.8     = ::1
# DNS.9     = fe80::1

Question 2

回答您的实际问题：

您需要查看主题备用名称。

这些允许为一个证书分配多个域名。

建议您将“通用名称”留空，并在“主题备用名称”中列出所有 FQDN。

或者，您可以将您的任一名称放在通用名称中，但仍必须在主题备用名称中列出它们全部。

Answer

回答您的实际问题：

您需要查看主题备用名称。

这些允许为一个证书分配多个域名。

建议您将“通用名称”留空，并在“主题备用名称”中列出所有 FQDN。

或者，您可以将您的任一名称放在通用名称中，但仍必须在主题备用名称中列出它们全部。

Question 3

建议您花费 10 美元或更少的钱购买域名并使用免费的让我们加密证书。您将遇到的问题会更少。您也可以使用该 noip.me 域名获取证书。

在受支持的 Linux 发行版上，使用 Apache/Nginx 设置 Let's Encrypt 相当容易，但您没有说明您使用的是什么操作系统。如果您编辑上面的帖子，我可能会提供更多指导。

Answer

建议您花费 10 美元或更少的钱购买域名并使用免费的让我们加密证书。您将遇到的问题会更少。您也可以使用该 noip.me 域名获取证书。

在受支持的 Linux 发行版上，使用 Apache/Nginx 设置 Let's Encrypt 相当容易，但您没有说明您使用的是什么操作系统。如果您编辑上面的帖子，我可能会提供更多指导。

Question 4

您可以应用一个技巧并对“*.noip.com”使用通配符证书。

这要求您使用“homeserver.noip.com”并让该地址指向您的本地 IP，您可以通过在使用“homeserver.noip.com”的机器上的 hosts 文件中添加一个条目来实现。

'username.noip.com' 仍将以通常的方式解析。

这是一种有点“肮脏的方法”，但看起来可以有效地满足您的需求。

Answer

您可以应用一个技巧并对“*.noip.com”使用通配符证书。

这要求您使用“homeserver.noip.com”并让该地址指向您的本地 IP，您可以通过在使用“homeserver.noip.com”的机器上的 hosts 文件中添加一个条目来实现。

'username.noip.com' 仍将以通常的方式解析。

这是一种有点“肮脏的方法”，但看起来可以有效地满足您的需求。

使用 openssl 为家中服务器进行自签名证书且无域名

答案1

答案2

答案3

答案4

相关内容