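I found that Chrome validates certificates strictly: the certificate must carry a Subject Alternative Name.
When issuing the CSR, edit openssl.cnf.
In the [ req ] section, add:
req_extensions = v3_req
so that the section named v3_req is read when the CSR file is generated: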
[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
Add the domain names in the [ alt_names ] section:
DNS.1 = 1.1.1.1
DNS.2 = 2.2.2.2
Generate the CSR:
openssl req -new -nodes -keyout server.key -out server.csr -config openssl.cnf
View the contents of the certificate request file:
openssl req -text -noout -in server.csr
The output includes the Subject Alternative Name field.
Generate the self-signed certificate:
openssl x509 -req -days 3650 -in server.csr -signkey server.key -out server.crt -extensions v3_req -extfile openssl.cnf
View the certificate:
openssl x509 -text -noout -in server.crt
By comparison, the strongSwan command line is simpler.
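The whole procedure above as one script, added here as an example and not part of the original post: it signs the same CSR with and without -extensions/-extfile and checks whether the SAN reaches the certificate, since openssl x509 -req does not carry CSR extensions over by default. The file name san.cnf, the host names under example.test and the 30-day lifetime are constructed for the demo.

```shell
#!/bin/sh
# make_cert DIR WITH_EXT: create key, CSR and self-signed certificate in DIR.
# WITH_EXT=yes passes -extensions/-extfile when signing; anything else omits them.
make_cert() {
    dir=$1; with_ext=$2
    # Constructed minimal config; example.test names are placeholders.
    cat > "$dir/san.cnf" <<'EOF'
[ req ]
prompt = no
distinguished_name = dn
req_extensions = v3_req
[ dn ]
CN = example.test
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = example.test
DNS.2 = www.example.test
EOF
    openssl req -new -nodes -newkey rsa:2048 -keyout "$dir/server.key" \
        -out "$dir/server.csr" -config "$dir/san.cnf" 2>/dev/null || return 1
    ext=""
    if [ "$with_ext" = yes ]; then ext="-extensions v3_req -extfile $dir/san.cnf"; fi
    # $ext is left unquoted on purpose so it splits into separate arguments.
    openssl x509 -req -days 30 -in "$dir/server.csr" -signkey "$dir/server.key" \
        -out "$dir/server.crt" $ext 2>/dev/null
}

# has_san FILE KIND: succeed if the CSR (KIND=req) or certificate (KIND=x509)
# lists the expected DNS name in its Subject Alternative Name extension.
has_san() {
    openssl "$2" -in "$1" -noout -text | grep -q 'DNS:www.example.test'
}

# Demo: sign the CSR both ways and report whether the SAN survived.
demo_dir=$(mktemp -d)
for mode in yes no; do
    make_cert "$demo_dir" "$mode"
    if has_san "$demo_dir/server.crt" x509; then result=present; else result=MISSING; fi
    echo "extensions passed at signing: $mode -> SAN in certificate: $result"
done
rm -rf "$demo_dir"
```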