Azure Application Gateway (6) 使用OpenSSL创建SAN证书

　　《Windows Azure Platform 系列文章目录》

　　Azure Application Gateway可以使用SAN证书，创建多站点域名。

　　SANs是Subject Alternate Names的简称，SANs证书是一种SSL证书，它支持添加多个域名，允许将多个域名写入同一个证书中，这样就可以保护多个域名，从而降低了运维人员的管理成本，提高了证书管理效率

　　比如www.bing.com的证书，如下图：

　　

　　我们首先需要准备一下pfx证书，具体步骤如下：

　　1.首先安装openssl。步骤略

　　2.创建私钥：

openssl genrsa -des3 -out example.com.key 2048

　　3.生成CSR

openssl req -new -key example.com.key -out example.com.csr

Enter pass phrase for example.com.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:XX
State or Province Name (full name) []:State
Locality Name (eg, city) [Default City]:City
Organization Name (eg, company) [Default Company Ltd]:Company
Organizational Unit Name (eg, section) []:BU
Common Name (eg, your name or your server's hostname) []:*.example.com
Email Address []:admin@example.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

 

　　

　　3.从秘钥中删除密码

cp example.com.key example.com.key.org
openssl rsa -in example.com.key.org -out example.com.key

　　4.为SAN证书创建config file

touch v3.ext

　　在文件里，保存如下信息：

subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always,issuer:always
basicConstraints       = CA:TRUE
keyUsage               = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment, keyAgreement, keyCertSign
subjectAltName         = DNS:example.com, DNS:*.example.com
issuerAltName          = issuer:copy

　　注意subjectAltName里，设置你需要的DNS Name

　　我这里设置如下：

subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always,issuer:always
basicConstraints       = CA:TRUE
keyUsage               = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment, keyAgreement, keyCertSign
subjectAltName         = DNS:leicorp.biz, DNS:*.leicorp.biz, DNS:leidemo.biz, DNS:*.leidemo.biz
issuerAltName          = issuer:copy

　　5.创建自签名证书：

openssl x509 -req -in example.com.csr -signkey example.com.key -out example.com.crt -days 3650 -sha256 -extfile v3.ext

　　6.把crt证书转换为pfx证书

openssl pkcs12 -export -out certificate.pfx -inkey example.com.key -in example.com.crt

　　如果要导出pem证书，请按照下面操作：

openssl pkcs12 -export -out certificate.pem -inkey example.com.key -in example.com.crt

　　7.把certificate.pfx证书下载到本地

　　8.创建Azure Application Gateway v2，创建basic listener，上传pfx证书。

　　这里一个SAN证书包含多个域名，只需要创建一个listener即可。

　　

　　

　　9.设置Application Gateway Rule。

　　

　　10.修改DNS指向，或者修改windows的host文件

　　11.登录域名，查看证书效果：