CSR for an Nginx + Apache server, covering both the naked domain and the www domain

I am trying to secure both the naked domain and the www domain (https://example.com and https://www.example.com) with PositiveSSL.

  1. For this server, would the command be

    openssl req -new -newkey rsa:2048 -nodes -keyout example.com.key -out example.com.csr

or something else?

  2. When the server asks for the Common Name, in order to secure both the naked domain and the www domain, what should we enter? example.com or *example.com

The server is Ubuntu 18.04 with Nginx + Apache, thanks.

Answer 1

You are close: use the wildcard approach and increase the key size

    openssl req -new -newkey rsa:4096 -nodes -out star_friends.com.csr -keyout star_friends.com.key -subj "/C=GH/ST=Greater-Accra/L=Accra/O=Friends LTD./CN=*.friends.com"

Answer 2

Create a file with the following contents (modified to suit your names) and save it as (for example) example.cnf in a directory of your choice:

    [ req ]

    prompt             = no
    string_mask        = default

    # The size of the keys in bits:
    default_bits       = 2048
    distinguished_name = req_dn
    req_extensions     = req_ext

    [ req_dn ]

    # Note that the following are in 'reverse order' to what you'd expect to see in
    # Windows and the numbering is irrelevant as long as each line's number differs.

    # Domain Components style:
    # Server name:
    # 2.DC = com
    # 1.DC = example
    # commonName = Acme Web Server

    # Locality style:
    # countryName = GB
    # stateOrProvinceName = London
    # localityName = Letsby Avenue
    # organizationName = Acme
    # 1.organizationalUnitName = IT Dept
    # 2.organizationalUnitName = Web Services
    # commonName = Acme Web Server

    # Or traditional org style:
    countryName = GB
    organizationName = Acme
    1.organizationalUnitName = IT Dept
    2.organizationalUnitName = Web Services
    commonName = Acme Web Server
    # Or:
    # commonName = www.example.com

    [ req_ext ]

    subjectAltName = @alt_names

    [alt_names]
    # To automatically copy the CN (in the case of a DNS name in the CN) use:
    # DNS.1 = ${req_dn::commonName}
    DNS.1 = www.example.com
    DNS.2 = example.com

Run the following to create your CSR:

    openssl req -nodes -new -keyout example.key -out example.csr -config example.cnf

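Note that this leaves the private key in plain text on your system. Depending on the service you use this key with, you may want to consider password-protecting it by removing the -nodes verb from the command.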
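
A pre-submission check for a CSR built with a subjectAltName section like the one above, as an added example that is not part of either answer: it generates a CSR for the requested names and confirms that each hostname you need is actually listed before the CSR goes to the CA. The function names and the `req.*` file names are assumptions; a wildcard entry is matched against exactly one leftmost label, so `*.example.com` is not counted as covering `example.com`.

```shell
#!/bin/sh
# Added example. Hostnames are the page's example.com placeholders;
# function names and req.* file names are assumptions.

# make_csr <dir> <common-name> <san>... : write req.cnf, req.key, req.csr into <dir>
make_csr() {
    dir=$1 cn=$2; shift 2
    {
        printf '[ req ]\nprompt = no\ndistinguished_name = req_dn\n'
        printf 'req_extensions = req_ext\n[ req_dn ]\ncommonName = %s\n' "$cn"
        printf '[ req_ext ]\nsubjectAltName = @alt_names\n[ alt_names ]\n'
        i=1
        for n in "$@"; do printf 'DNS.%d = %s\n' "$i" "$n"; i=$((i + 1)); done
    } > "$dir/req.cnf"
    # umask keeps the unencrypted key (-nodes) readable by its owner only
    ( umask 077; openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/req.key" \
        -out "$dir/req.csr" -config "$dir/req.cnf" 2>/dev/null )
}

# csr_san_names <csr> : print each DNS subjectAltName in the CSR, one per line
csr_san_names() {
    openssl req -in "$1" -noout -text | grep -o 'DNS:[^,[:space:]]*' | sed 's/^DNS://'
}

# csr_covers <csr> <hostname> : succeed if some SAN in the CSR matches the hostname
csr_covers() {
    host=$2
    while IFS= read -r san; do
        case $san in
            "$host") return 0 ;;
            '*.'*)  # a wildcard stands for exactly one leftmost label
                label=${host%"${san#\*}"}
                if [ "$label" != "$host" ]; then
                    case $label in ''|*.*) ;; *) return 0 ;; esac
                fi ;;
        esac
    done <<EOF
$(csr_san_names "$1")
EOF
    return 1
}

tmp=$(mktemp -d)
make_csr "$tmp" www.example.com www.example.com example.com
for h in example.com www.example.com; do
    if csr_covers "$tmp/req.csr" "$h"; then echo "covered: $h"; else echo "MISSING: $h"; fi
done
rm -rf "$tmp"
```

To check a CSR you have already generated, call `csr_covers example.csr example.com` and `csr_covers example.csr www.example.com` against it.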
