• Azure Application Gateway (6) 使用OpenSSL创建SAN证书


      《Windows Azure Platform 系列文章目录

      Azure Application Gateway可以使用SAN证书,创建多站点域名。

      SANs是Subject Alternate Names的简称,SANs证书是一种SSL证书,它支持添加多个域名,允许将多个域名写入同一个证书中,这样就可以保护多个域名,从而降低了运维人员的管理成本,提高了证书管理效率

      比如www.bing.com的证书,如下图:

      

      我们首先需要准备一下pfx证书,具体步骤如下:

      1.首先安装openssl。步骤略

      2.创建私钥:

    openssl genrsa -des3 -out example.com.key 2048

      3.生成CSR

    openssl req -new -key example.com.key -out example.com.csr
    Enter pass phrase for example.com.key:
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [XX]:XX
    State or Province Name (full name) []:State
    Locality Name (eg, city) [Default City]:City
    Organization Name (eg, company) [Default Company Ltd]:Company
    Organizational Unit Name (eg, section) []:BU
    Common Name (eg, your name or your server's hostname) []:*.example.com
    Email Address []:admin@example.com
    
    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:

     

      

      3.从秘钥中删除密码

    cp example.com.key example.com.key.org
    openssl rsa -in example.com.key.org -out example.com.key

      4.为SAN证书创建config file

    touch v3.ext

      在文件里,保存如下信息:

    subjectKeyIdentifier   = hash
    authorityKeyIdentifier = keyid:always,issuer:always
    basicConstraints       = CA:TRUE
    keyUsage               = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment, keyAgreement, keyCertSign
    subjectAltName         = DNS:example.com, DNS:*.example.com
    issuerAltName          = issuer:copy

      注意subjectAltName里,设置你需要的DNS Name

      我这里设置如下:

    subjectKeyIdentifier   = hash
    authorityKeyIdentifier = keyid:always,issuer:always
    basicConstraints       = CA:TRUE
    keyUsage               = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment, keyAgreement, keyCertSign
    subjectAltName         = DNS:leicorp.biz, DNS:*.leicorp.biz, DNS:leidemo.biz, DNS:*.leidemo.biz
    issuerAltName          = issuer:copy

      5.创建自签名证书:

    openssl x509 -req -in example.com.csr -signkey example.com.key -out example.com.crt -days 3650 -sha256 -extfile v3.ext

      6.把crt证书转换为pfx证书

    openssl pkcs12 -export -out certificate.pfx -inkey example.com.key -in example.com.crt

      如果要导出pem证书,请按照下面操作:

    openssl pkcs12 -export -out certificate.pem -inkey example.com.key -in example.com.crt

      7.把certificate.pfx证书下载到本地

      8.创建Azure Application Gateway v2,创建basic listener,上传pfx证书。

      这里一个SAN证书包含多个域名,只需要创建一个listener即可。

      

      

      9.设置Application Gateway Rule。

      

      10.修改DNS指向,或者修改windows的host文件

      11.登录域名,查看证书效果:

      

  • 相关阅读:
    python中可变类型和不可变类型
    python PEP8开发规范
    pandas之——Series常用总结
    python os 模块的使用
    Markdown语法
    HttpClient连接池抛出大量ConnectionPoolTimeoutException: Timeout waiting for connection异常排查
    MySQL union all排序问题
    mysql解决datetime与timestamp精确到毫秒的问题
    keepalived + nginx实现高可用
    配置文件keepalived.conf详解
  • 原文地址:https://www.cnblogs.com/threestone/p/16463387.html
Copyright © 2020-2023  润新知