Creating a certificate with a SAN extension using OpenSSL and signing it with a self-signed CA

tags: ssl  openssl  ca  netty4

What is SAN

SAN (Subject Alternative Name) is an extension defined in the X.509 standard. An SSL certificate that carries a SAN field can list additional host names the certificate is valid for, so one certificate can serve several different domain names.

Let's take a look at Baidu's certificate. It lists a large number of alternative names, including *.hao123.com, so let's also look at the certificate served by www.hao123.com.

It turns out that www.hao123.com is served with the same Baidu certificate.

This shows the benefit of SAN: one certificate can be used for many different domain names, so there is no need to buy a separate certificate for each domain.

Use OpenSSL to create a certificate

Because this is a local environment, OpenSSL is used directly to create a CA root certificate and then sign the server certificate with that CA.
1. Generate the CA key

openssl genrsa -des3 -out ca.key 2048

2. Generate the CA root certificate

openssl req -sha256 -new -x509 -days 365 -key ca.key -out ca.crt \
    -subj "/C=CN/ST=GD/L=SZ/O=lee/OU=study/CN=testRoot"

3. Generate the server key

openssl genrsa -des3 -out server.key 2048

4. Generate the server certificate request file

openssl req -new \
    -sha256 \
    -key server.key \
    -subj "/C=CN/ST=GD/L=SZ/O=lee/OU=study/CN=bdstatic.com" \
    -reqexts SAN \
    -config <(cat /etc/pki/tls/openssl.cnf \
        <(printf "[SAN]\nsubjectAltName=DNS:*.bdstatic.com,DNS:*.baidu.com")) \
    -out server.csr

5. The CA signs the server certificate

openssl ca -in server.csr \
    -md sha256 \
    -keyfile ca.key \
    -cert ca.crt \
    -extensions SAN \
    -config <(cat /etc/pki/tls/openssl.cnf \
        <(printf "[SAN]\nsubjectAltName=DNS:*.bdstatic.com,DNS:*.baidu.com")) \
    -out server.crt
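The five steps above as one non-interactive script, added here as an example and not taken from the original post. It signs with openssl x509 -req instead of openssl ca, so no CA database (index.txt, serial) is needed, and it then checks what the browser test later in the article shows: the chain verifies against ca.crt, and the SAN names, not the CN, decide which host names a client accepts.

```shell
#!/bin/sh
# Added example: CA -> SAN server certificate, then verification.
# Keys are created without -des3 so nothing prompts for a passphrase; the
# extension section goes to a temp file instead of a process substitution
# so this runs under plain /bin/sh.
set -eu

# Build ca.key/ca.crt and server.key/server.crt in directory $1.
# $2 is the subjectAltName value, e.g. "DNS:*.bdstatic.com,DNS:*.baidu.com".
make_san_chain() {
    dir=$1; san=$2
    mkdir -p "$dir"
    # CA key and self-signed root, same subject as the article
    openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
    openssl req -sha256 -new -x509 -days 365 -key "$dir/ca.key" \
        -subj "/C=CN/ST=GD/L=SZ/O=lee/OU=study/CN=testRoot" -out "$dir/ca.crt"
    # Server key and CSR
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
    printf '[SAN]\nsubjectAltName=%s\n' "$san" > "$dir/san.cnf"
    openssl req -new -sha256 -key "$dir/server.key" \
        -subj "/C=CN/ST=GD/L=SZ/O=lee/OU=study/CN=bdstatic.com" \
        -out "$dir/server.csr"
    # The CA signs; -extfile/-extensions put the SAN into the issued cert
    # (x509 -req does not copy extensions from the CSR by default)
    openssl x509 -req -sha256 -days 365 -in "$dir/server.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/san.cnf" -extensions SAN -out "$dir/server.crt" 2>/dev/null
}

# Returns 0 if server.crt chains to ca.crt and its SAN contains DNS name $2.
check_san() {
    dir=$1; name=$2
    openssl verify -CAfile "$dir/ca.crt" "$dir/server.crt" >/dev/null 2>&1 || return 1
    openssl x509 -in "$dir/server.crt" -noout -text \
        | grep -A1 'Subject Alternative Name' | grep -qF -- "DNS:$name"
}

# Returns 0 if a client would accept server.crt for host name $2.
# Note: with a DNS SAN present the CN (bdstatic.com) is ignored, and the
# wildcard *.bdstatic.com does not cover the bare domain.
check_host() {
    openssl verify -CAfile "$1/ca.crt" -verify_hostname "$2" "$1/server.crt" >/dev/null 2>&1
}
```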

Then configure the generated server certificate and server key in the server (nginx, Tomcat), and import ca.crt into the browser's trusted root certificate authorities; the browser will then no longer show the red warning cross when the site is opened.


Precautions

1. -subj "/C=CN/ST=GD/L=SZ/O=lee/OU=study/CN=testRoot" is optional; if it is omitted, the command prompts interactively for the same fields.
2. Do not use sha1 as the hashing algorithm, because Chrome will flag the certificate as insecure; sha256 is used above.
3. /etc/pki/tls/openssl.cnf is the default OpenSSL configuration file; its path may differ between environments.
4. The country, province, and city in the server certificate request must match those of the CA certificate. This is required by the default policy in openssl.cnf and can be changed there.
5. Regarding the private key format: this article uses netty's SSL support, and netty only accepts private keys in PKCS8 format (see http://netty.io/wiki/sslcontextbuilder-and-private-key.html), so the key has to be converted.

# Convert the private key to PKCS8 format
openssl pkcs8 -topk8 -nocrypt -in server.key -out server_pri.pem

The Java code is as follows:

import java.io.File;
import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslContextBuilder;

// Build a server-side SslContext from the signed certificate and the PKCS8 private key
SslContext serverSslCtx = SslContextBuilder.forServer(new File("E:/server.crt"), new File("E:/server_pri.pem")).build();

Appendix

PKCS1 and PKCS8 format conversion

# genrsa produces a PKCS1 format, PEM encoded private key by default
openssl genrsa -out ca.key 2048
# Convert to PKCS8
openssl pkcs8 -topk8 -nocrypt -in ca.key -out ca_private.pem
# Convert PKCS8 back to PKCS1
openssl rsa -in ca_private.pem -out ca.key

Conversion between PEM and DER

# PEM to DER
openssl rsa -in ca.key -outform DER -out ca_private.der
openssl pkcs8 -topk8 -nocrypt -inform PEM -outform DER -in ca.key -out ca_private.der
# DER to PEM
openssl rsa -in ca_private.der -inform DER -outform PEM -out ca.key

PKCS7 to PKCS12 (Tomcat certificate)

# The export requires a password to protect the bundle
openssl pkcs12 -export -clcerts -in server.crt -inkey server.key -name tomcat -out server.p12

# Spring Boot SSL configuration (application.properties)
# port
server.port=8443
# certificate path
server.ssl.key-store=classpath:server.p12
# p12 certificate password
server.ssl.key-store-password=123456
