Goal:
Generate a certificate valid for
- domain1.com
- *.domain1.com
- domain2.com
- *.domain2.com
either self-signed or signed by a locally generated CA.
Scenario 1
# ssl.conf
[ req ]
default_bits = 1024
default_keyfile = server.key
distinguished_name = req_distinguished_name
req_extensions = req_ext # The extensions to add to the self signed cert
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = US
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Connecticut
localityName = Locality Name (eg, city)
localityName_default = Stamford
organizationName = Organization Name (eg, company)
organizationName_default = Example, Inc.
commonName = Common Name (eg, YOUR name)
commonName_max = 64
[ req_ext ]
subjectAltName = @alt_names
[alt_names]
DNS.1 = *.domain1.com
DNS.2 = *.domain2.com
CN entered when generating the CSR:
*.domain1.com
Firefox error on domain2.com
domain2.com uses an invalid security certificate.
The certificate is not trusted because it is self-signed.
The certificate is only valid for *.domain1.com
(Error code: sec_error_untrusted_issuer)
SSL certificate in plain-text form:
Certificate:
Data:
Version: 1 (0x0)
Serial Number:
e9:59:8a:31:8e:29:df:bf
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=US, ST=Connecticut, L=Stamford, O=Example, Inc., CN=*.domain1.com
Validity
Not Before: Oct 27 06:18:28 2010 GMT
Not After : Oct 24 06:18:28 2020 GMT
Subject: C=US, ST=Connecticut, L=Stamford, O=Example, Inc., CN=*.domain1.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
Exponent: 65537 (0x10001)
Signature Algorithm: sha1WithRSAEncryption
Scenario 2:
[ req ]
default_bits = 1024
default_keyfile = server.key
distinguished_name = req_distinguished_name
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = US
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Connecticut
localityName = Locality Name (eg, city)
localityName_default = Stamford
organizationName = Organization Name (eg, company)
organizationName_default = Example, Inc.
0.commonName = Common Name (eg, YOUR name)
0.commonName_default = *.domain1.com
0.commonName_max = 64
1.commonName = Common Name (eg, YOUR name)
1.commonName_default = *.domain2.com
1.commonName_max = 64
In this case the Firefox output is:
domain1.com uses an invalid security certificate.
The certificate is not trusted because it is self-signed.
The certificate is only valid for *.domain2.com
Plain-text SSL certificate output:
Certificate:
Data:
Version: 1 (0x0)
Serial Number:
80:b5:78:8a:27:0e:e5:b8
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=US, ST=Connecticut, L=Stamford, O=Example, Inc., CN=*.domain1.com, CN=*.domain2.com
Validity
Not Before: Oct 27 06:05:40 2010 GMT
Not After : Oct 24 06:05:40 2020 GMT
Subject: C=US, ST=Connecticut, L=Stamford, O=Example, Inc., CN=*.domain1.com, CN=*.domain2.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
Exponent: 65537 (0x10001)
Signature Algorithm: sha1WithRSAEncryption
Virtual hosts
<VirtualHost 127.0.1.3:443>
ServerName domain1.com
ServerAlias www.domain1.com
ServerAlias www1.domain1.com
ServerAlias www2.domain1.com
ServerAdmin [email protected]
DocumentRoot /var/www/ssltest/domain1/
SSLEngine on
SSLCertificateFile /etc/apache2/ssl-files/server.crt
SSLCertificateKeyFile /etc/apache2/ssl-files/server.key
ErrorLog /var/log/apache2/domain1.com-error_log
CustomLog /var/log/apache2/domain1.com-access_log common
</VirtualHost>
<VirtualHost 127.0.1.2:443>
ServerName domain2.com
ServerAlias www.domain2.com
ServerAlias www1.domain2.com
ServerAlias www2.domain2.com
ServerAdmin [email protected]
DocumentRoot /var/www/ssltest/domain2/
SSLEngine on
SSLCertificateFile /etc/apache2/ssl-files/server.crt
SSLCertificateKeyFile /etc/apache2/ssl-files/server.key
ErrorLog /var/log/apache2/domain2.com-error_log
CustomLog /var/log/apache2/domain2.com-access_log common
</VirtualHost>
Additionally, in each case Firefox complains:
domain1.com uses an invalid security certificate.
The certificate is not trusted because it is self-signed.
The certificate is only valid for *.domain1.com
(Error code: sec_error_untrusted_issuer)
if I visit https://domain1.com rather than one of the ServerAliases from the vhost configuration.
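Added example, not code from the post or its answer: a minimal hostname matcher following the RFC 2818/6125 rules browsers apply, run against the names the dumps above actually assert. It models that a version 1 certificate carries no SAN at all (so the req_ext list never reached the certificate), and that even with that SAN the bare domain1.com and domain2.com names from the goal would still be rejected, because a wildcard covers exactly one label; the GOAL identity and the www hosts are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import List

@dataclass
class CertIdentity:
    """Names a server certificate asserts (constructed from the question's dumps)."""
    common_names: List[str]
    # An X.509 v1 certificate, as in both dumps, carries no extensions at all,
    # so its SAN list is empty no matter what req_ext asked for.
    san_dns: List[str] = field(default_factory=list)

    def names(self) -> List[str]:
        # RFC 6125 s6.4.4: once a SAN extension is present, the CN is not consulted.
        return self.san_dns if self.san_dns else self.common_names

def label_match(pattern: str, host: str) -> bool:
    """RFC 2818/6125 wildcard rule: '*' may only be the whole left-most label."""
    plabels = pattern.lower().split(".")
    hlabels = host.lower().rstrip(".").split(".")
    if len(plabels) != len(hlabels):
        return False  # a wildcard spans exactly one label: *.domain1.com != domain1.com
    if plabels[0] == "*":
        return len(plabels) >= 3 and plabels[1:] == hlabels[1:]
    return plabels == hlabels

def matches(cert: CertIdentity, host: str) -> bool:
    return any(label_match(p, host) for p in cert.names())

def unmatched(cert: CertIdentity, hosts: List[str]) -> List[str]:
    """Hosts a browser would reject with 'certificate is only valid for ...'."""
    return [h for h in hosts if not matches(cert, h)]

# The names the question wants to cover, plus a constructed www host for each.
TARGETS = ["domain1.com", "www.domain1.com", "domain2.com", "www.domain2.com"]
# Scenario 1 exactly as issued: version 1, CN only, the SAN never made it in.
SCENARIO_1 = CertIdentity(["*.domain1.com"])
# Scenario 1 had the req_ext SAN been copied into the certificate: the apex
# names still fail, because alt_names listed only the wildcards.
SCENARIO_1_WITH_SAN = CertIdentity(["*.domain1.com"], ["*.domain1.com", "*.domain2.com"])
# A SAN list that actually meets the stated goal (constructed, not from the post).
GOAL = CertIdentity(["domain1.com"],
                    ["domain1.com", "*.domain1.com", "domain2.com", "*.domain2.com"])

if __name__ == "__main__":
    for label, cert in [("scenario 1", SCENARIO_1), ("with SAN", SCENARIO_1_WITH_SAN), ("goal", GOAL)]:
        print(f"{label}: rejected for {unmatched(cert, TARGETS)}")
```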
Answer 1
Apologies if I have missed some detail that makes this post completely wrong (I am short on time right now and will read everything in detail later). It looks like you are trying to issue a certificate with multiple wildcards; that is invalid for almost all browsers.