使用OpenSSL生成SANs证书实操

当初：

原来的x.509证书，生成就一行代码，非常方便：

openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout key.pem -out cert.pem

然后按照提示输入机构和dns信息即可。 

然而：

最近在开发一个websocket项目时，需要使用wss协议，在机器A（win7）上调试没问题，在机器B（win10+go1.22.3）上调试，报错：

PS E:\zjw\golang\ws> go run ws/server1wss/client
2024/10/30 15:45:37 Error connecting to server: x509: certificate relies on legacy Common Name field, use SANs instead　

经查，go1.15以后的版本废弃了依赖Common Name字段的x509证书，必须使用SANs证书。SANs是Subject Alternate Names的简称，它支持添加多个域名，允许将多个域名写入同一个证书中，这样就可以保护多个域名，从而降低了运维人员的管理成本，提高了证书管理效率。

采用如下方法创建证书：

1.首先安装openssl。步骤略。

2.创建私钥：

PS E:\zjw\ca_fsd>  openssl genrsa -des3 -out fusude.com.key 2048

3. 生成CSR

PS E:\zjw\ca_fsd> openssl req -new -key fusude.com.key -out fusude.com.csr
Enter pass phrase for fusude.com.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:hebei
Locality Name (eg, city) []:shijiazhuang
Organization Name (eg, company) [Internet Widgits Pty Ltd]:fusude
Organizational Unit Name (eg, section) []:dept
Common Name (e.g. server FQDN or YOUR name) []:zjw
Email Address []:[email protected]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:*********
An optional company name []:fusude

4. 从秘钥中删除密码（特别提示：密码要用到，另外记好！）

PS E:\zjw\ca_fsd> cp fusude.com.key fusude.com.key.org
PS E:\zjw\ca_fsd> openssl rsa -in fusude.com.key.org -out fusude.com.key

5. 为SAN证书创建config file，名字无所谓，例如叫v3.txt，内容如下。注意subjectAltName里，设置你需要的DNS Name

subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
basicConstraints = CA:TRUE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment, keyAgreement, keyCertSign
subjectAltName = DNS:fusude.com, DNS:*.fusude.com
issuerAltName = issuer:copy

6. 创建自签名证书：

PS E:\zjw\ca_fsd> openssl x509 -req -in fusude.com.csr -signkey fusude.com.key -out fusude.com.crt -days 3650 -sha256 -extfile v3.txt
Signature ok
subject=C = CN, ST = hebei, L = shijiazhuang, O = fusude, OU = dept, CN = zjw, emailAddress = [email protected]
Getting Private keys

生成的文件fusude.com.crt即为我们需要的SANs证书。

7. 还可以转换为pfx或pem格式：

PS E:\zjw\ca_fsd> openssl pkcs12 -export -out fusude.com.pfx -inkey fusude.com.key -in fusude.com.crt
Enter Export Password:
Verifying - Enter Export Password:

PS E:\zjw\ca_fsd> openssl pkcs12 -export -out fusude.com.pem -inkey fusude.com.key -in fusude.com.crt
Enter Export Password:
Verifying - Enter Export Password:

8. 证书的使用不展开论述。感谢观看。

感谢Azure Lei Zhang的博客  ： Azure Application Gateway (6) 使用OpenSSL创建SAN证书