OpenSSL创建https多域名签名证书

倖福魔咒の 提交于 2019-12-23 17:34:43


# Configuration file: request settings for the server CSR. The same file is
# passed again to `openssl ca` through -extfile, so the [ v3_req ] section
# below is what ends up in the issued certificate.
[root@localhost cert]# cat etcd.conf
[ req ]
distinguished_name = req_distinguished_name
req_extensions = v3_req  # uncomment this line so the CSR carries the v3_req extensions
# Left empty: the subject is supplied with -subj on the command line.
[ req_distinguished_name ]
[ v3_req ]
# Leaf certificate: it must not be usable to sign other certificates.
basicConstraints = CA:FALSE
# NOTE(review): no extendedKeyUsage is set, so the certificate is not limited
# to a TLS role; consider adding extendedKeyUsage = serverAuth (plus clientAuth
# if it is also presented as a client certificate) — confirm against how the
# etcd members use it.
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
# Host names the certificate is valid for. TLS clients match the server name
# against this list, so every name the service is reached by must appear under
# [ alt_names ].
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = 21.etcd.local
DNS.2 = 22.etcd.local
DNS.3 = 23.etcd.local
DNS.4 = 24.etcd.local
DNS.5 = 25.etcd.local

# Create the CA certificate
# Generates a 2048-bit RSA key. No cipher option is given, so ca.key is
# written without passphrase protection.
# NOTE(review): whoever holds this key can issue certificates trusted by every
# peer that trusts ca.crt; restrict its file permissions and keep it off the
# hosts that only need server.key and server.crt.
[root@localhost cert]# openssl genrsa -out ca.key 2048
Generating RSA private key, 2048 bit long modulus
....................................+++
......................................................................................................+++
e is 65537 (0x10001)

# Self-signed CA certificate valid for 36500 days (about 100 years), built
# with the system-wide openssl.cnf.
# NOTE(review): whether the result is marked CA:TRUE depends on the
# x509_extensions section of that file, which is not shown here — confirm with
# `openssl x509 -in ca.crt -noout -text`.
[root@localhost cert]# openssl req -new -x509 -days 36500 -key ca.key -out ca.crt -config /etc/pki/tls/openssl.cnf -subj "/C=CN/ST=BJ/L=BJ/O=etcd/OU=etcd/CN=etcd"

# Create the server certificate
# 2048-bit RSA key for the server; like ca.key it is written unencrypted, so
# file permissions are its only protection on disk.
[root@localhost cert]# openssl genrsa -out server.key 2048
Generating RSA private key, 2048 bit long modulus
......+++
............................................+++
e is 65537 (0x10001)

# Build the CSR with etcd.conf so that req_extensions = v3_req puts the
# subjectAltName list into the request.
[root@localhost cert]# openssl req -new -out server.csr -key server.key -config etcd.conf -subj "/C=CN/ST=BJ/L=BJ/O=etcd/OU=etcd/CN=etcd"

# Sign the CSR with the CA. -extfile etcd.conf -extensions v3_req supplies the
# extensions for the issued certificate; `openssl ca` does not copy extensions
# from the request unless copy_extensions is enabled in the CA configuration
# (not shown here), so without these two options the SAN list would be lost.
# -subj replaces the subject given in the request.
# NOTE(review): -days 36500 makes the leaf valid until 2118 (see "Not After"
# below). A leaked server.key then stays usable until the certificate is
# revoked and every peer checks revocation; a much shorter validity with
# scheduled re-issuance limits that exposure.
# Always check the "X509v3 Subject Alternative Name" lines in the output before
# answering y to the signing prompt.
[root@localhost cert]# openssl ca -days 36500 -in server.csr -out server.crt -cert ca.crt -keyfile ca.key -config /etc/pki/tls/openssl.cnf -extfile etcd.conf -extensions v3_req  -subj "/C=CN/ST=BJ/L=BJ/O=etcd/OU=etcd/CN=etcd"
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 10 (0xa)
        Validity
            Not Before: Dec 30 05:48:46 2018 GMT
            Not After : Dec  6 05:48:46 2118 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = BJ
            organizationName          = etcd
            organizationalUnitName    = etcd
            commonName                = etcd
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage:
                Digital Signature, Non Repudiation, Key Encipherment
            X509v3 Subject Alternative Name:
                DNS:21.etcd.local, DNS:22.etcd.local, DNS:23.etcd.local, DNS:24.etcd.local, DNS:25.etcd.local
Certificate is to be certified until Dec  6 05:48:46 2118 GMT (36500 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated