• Making certificates that Chrome 58 accepts


      Starting with Chrome 58, certificates are no longer matched against the Common Name, but most OpenSSL tutorials on the web don't mention this, so the certificates they produce always trigger ERR_CERT_COMMON_NAME_INVALID. Here is the fix, so you can skip the detour.

    Many people don't know that the "Common Name" field, which used to say which host name an SSL certificate is valid for, was deprecated by RFC almost two decades ago (RFC 2818, published in 2000). The Subject Alternative Name (SAN) extension is what should be used instead.
    This was ignored for years and the CN field kept being used on its own. Starting with Chrome 58, certificates that rely on the CN alone to indicate the valid host name are no longer accepted, and Chrome reports ERR_CERT_COMMON_NAME_INVALID.
    Publicly trusted CAs have long filled in both fields for maximum compatibility with all software, so if your certificate comes from a trusted CA there is nothing to do. The problem bites hand-made self-signed certificates and private CAs, which is what the rest of this post is about.

    0. Test environment

    Win7 64bit Ultimate

    Win64OpenSSL_Light-1_1_0f (download: http://slproweb.com/products/Win32OpenSSL.html)

    In the steps below I'll set up a root CA called MyRootCA and then use it to issue a certificate for the domain myserver.com

    1. Install Win64OpenSSL_Light-1_1_0f in its default location C:\OpenSSL-Win64, then add C:\OpenSSL-Win64\bin to the system Path, because I'm going to generate the certificates in a different folder

    2. Copy C:\OpenSSL-Win64\bin\openssl.cfg to F:\SSLTest\ and make the following changes

      a. Under [ req ], uncomment this line (delete the leading #); it tells openssl req to put the extensions from [ v3_req ] into the CSR

      req_extensions = v3_req

      b. In [ v3_req ], add subjectAltName = @alt_names so the section reads

      basicConstraints = CA:FALSE

      keyUsage = nonRepudiation, digitalSignature, keyEncipherment

      subjectAltName = @alt_names  #newly added

      c. Add a new [ alt_names ] section (note the spaces inside the brackets). You can add as many DNS.x entries as you need; these are the host names of your site. A wildcard such as *.myserver.com covers exactly one label to the left of the dot and does not cover the bare myserver.com, which is why both entries are listed (IP addresses go in as IP.1 = ..., not as DNS entries)

    [ alt_names ]
    DNS.1 = myserver.com
    DNS.2 = *.myserver.com

    3. In some folder (e.g. F:\SSLTest) run the following commands to create the folders and files that the [ CA_default ] section of openssl.cfg expects (openssl ca uses them as its database)

    F:\SSLTest>mkdir demoCA\private demoCA\newcerts
    F:\SSLTest>type nul > demoCA\index.txt
    F:\SSLTest>echo 01 > demoCA\serial

    4. Generate the CA's self-signed certificate

    F:\SSLTest>openssl req -new -x509 -newkey rsa:2048 -days 3650 -keyout demoCA\private\MyRootCA.key -out demoCA\MyRootCA.crt -passout pass:123456 -config openssl.cfg

    What the options mean

     -days 3650

    The root certificate is valid for 10 years

    -passout pass:123456

    The passphrase that encrypts the CA's private key is 123456 (a demo value; pick a real one, and keep demoCA\private off shared machines: whoever holds this key can issue certificates for any host name that a browser trusting MyRootCA will accept)

    -config openssl.cfg

    Use the openssl.cfg in the current folder. Without this option OpenSSL falls back to C:\OpenSSL-Win64\bin\openssl.cfg, which doesn't have the SAN changes from step 2

      

    Generating a 2048 bit RSA private key

    ...............................................................+++

    ..........................+++

    writing new private key to 'demoCA\private\MyRootCA.key'

    -----

    You are about to be asked to enter information that will be incorporated

    into your certificate request.

    What you are about to enter is what is called a Distinguished Name or a DN.

    There are quite a few fields but you can leave some blank

    For some fields there will be a default value,

    If you enter '.', the field will be left blank.

    -----

    Country Name (2 letter code) [AU]:CN

    State or Province Name (full name) [Some-State]:SiChuan

    Locality Name (eg, city) []:ChengDu

    Organization Name (eg, company) [Internet Widgits Pty Ltd]:YourCompany

    Organizational Unit Name (eg, section) []:YourUnitName

    Common Name (e.g. server FQDN or YOUR name) []:MyRootCA

    Email Address []:

    5. Generate the server's RSA key pair

    F:\SSLTest>openssl genrsa -des3 -out myserver.com.key -passout pass:123456

    6. Generate the server's certificate signing request (CSR)

    openssl req -new -days 1825 -key myserver.com.key -out myserver.com.csr -config openssl.cfg

    Note that -days does nothing here: it only applies when openssl req itself writes a certificate (-x509). The lifetime of the issued certificate is decided by openssl ca in step 7, whose default_days in openssl.cfg is 365, which is why the output there says "365 days". Pass -days to openssl ca if you want a longer validity.

    The C, ST and O values entered below (CN, SiChuan, YourCompany) must match those of MyRootCA; the reason is explained in step 10

    Enter pass phrase for myserver.com.key:

    You are about to be asked to enter information that will be incorporated

    into your certificate request.

    What you are about to enter is what is called a Distinguished Name or a DN.

    There are quite a few fields but you can leave some blank

    For some fields there will be a default value,

    If you enter '.', the field will be left blank.

    -----

    Country Name (2 letter code) [AU]:CN

    State or Province Name (full name) [Some-State]:SiChuan

    Locality Name (eg, city) []:ChengDu

    Organization Name (eg, company) [Internet Widgits Pty Ltd]:YourCompany

    Organizational Unit Name (eg, section) []:AnotherUnitName

    Common Name (e.g. server FQDN or YOUR name) []:myserver.com

    Email Address []:

    Please enter the following 'extra' attributes

    to be sent with your certificate request

    A challenge password []:

    An optional company name []:

    7. Have the CA sign the server certificate

    F:\SSLTest>openssl ca -in myserver.com.csr -out myserver.com.crt -cert demoCA\MyRootCA.crt -keyfile demoCA\private\MyRootCA.key -extensions v3_req -config openssl.cfg

    -extensions v3_req is the option that matters: openssl ca takes the extensions for the issued certificate from the named section of the config file, not from the CSR (copy_extensions is unset by default), so without it the certificate would carry no SAN even though the CSR did. Check that "X509v3 Subject Alternative Name" appears in the output below before answering y

    Using configuration from openssl.cfg

    Enter pass phrase for demoCA\private\MyRootCA.key:

    Can't open ./demoCA/index.txt.attr for reading, No such file or directory
    2440:error:02001002:system library:fopen:No such file or directory:crypto\bio\bss_file.c:74:fopen('./demoCA/index.txt.attr','r')
    2440:error:2006D080:BIO routines:BIO_new_file:no such file:crypto\bio\bss_file.c:81:

    (The index.txt.attr error is harmless: the file doesn't exist yet on the first signing, and openssl ca creates it.)

    Check that the request matches the signature

    Signature ok

    Certificate Details:

            Serial Number: 1 (0x1)

            Validity

                Not Before: Aug  3 15:17:43 2017 GMT

                Not After : Aug  3 15:17:43 2018 GMT

            Subject:

                countryName               = CN

                stateOrProvinceName       = SiChuan

                organizationName          = YourCompany

                organizationalUnitName    = AnotherUnitName

                commonName                = myserver.com

            X509v3 extensions:

                X509v3 Basic Constraints:

                    CA:FALSE

                X509v3 Key Usage:

                    Digital Signature, Non Repudiation, Key Encipherment

                X509v3 Subject Alternative Name:

                    DNS:myserver.com, DNS:*.myserver.com

    Certificate is to be certified until Aug  3 15:17:43 2018 GMT (365 days)

    Sign the certificate? [y/n]:y

    1 out of 1 certificate requests certified, commit? [y/n]y

    Write out database with 1 new entries

    Data Base Updated

    8. Generate a .p12 (PKCS#12) bundle that Windows can import

    F:\SSLTest>openssl pkcs12 -export -inkey myserver.com.key -in myserver.com.crt -out myserver.com.p12

    You'll be prompted for the key's passphrase and then for an export password for the .p12; in this walkthrough every password is 123456, but use a real one for anything beyond a local test

    9. Verify

    Add a line to C:\Windows\System32\drivers\etc\hosts

    127.0.0.1           myserver.com

    Then install MyRootCA.crt into "Trusted Root Certification Authorities" (on the test machine only: every certificate signed by that key is now trusted there, so remove the root when you're done)

    Import myserver.com.p12 in IIS and add an https binding to a site

    Now open the site in Chrome to see the result

    10. Why must the server certificate's C, ST and O (CN, SiChuan, YourCompany) match those of MyRootCA?

    Because openssl.cfg contains this section, which openssl ca enforces against every CSR it signs; you can change it to suit your needs

    [ policy_match ]
     countryName     = match                    #must be identical in the CSR and the CA certificate
     stateOrProvinceName = match                #must be identical in the CSR and the CA certificate
     organizationName    = match                #must be identical in the CSR and the CA certificate
     organizationalUnitName  = optional         #optional
     commonName      = supplied                 #must be present in the CSR
     emailAddress        = optional             #optional
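    The whole procedure (steps 2 to 8) as one non-interactive script for Linux, macOS or Git Bash, followed by the host-name rule Chrome 58 applies. This is an added example, not the original post's commands: it writes a minimal openssl.cnf carrying the same [ v3_req ], [ alt_names ] and [ policy_match ] settings, builds the MyRootCA / myserver.com pair, and then checks whether a given host is covered by a SAN entry. The work directory (a mktemp folder), the passphrase 123456 and the file names are assumptions for the demo; it needs openssl 1.1.0 or later on PATH.

```shell
#!/bin/sh
# Added example, not the original post's commands: steps 2-8 as a non-interactive
# POSIX sh script, plus the host-name rule Chrome 58 applies. Needs openssl >= 1.1.0
# on PATH. Assumed for the demo: a temp work dir and the passphrase 123456.
set -eu
WORK="${SSL_WORK:-$(mktemp -d)}"
DOMAIN="myserver.com"
PASS="pass:123456"   # demo passphrase only

# Step 2 as a minimal openssl.cnf: req_extensions -> v3_req, SAN in v3_req, and
# the [ policy_match ] from step 10. $dir is escaped so openssl, not sh, expands it.
write_config() {
  cat > "$WORK/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir           = $WORK/demoCA
new_certs_dir = \$dir/newcerts
database      = \$dir/index.txt
serial        = \$dir/serial
certificate   = \$dir/MyRootCA.crt
private_key   = \$dir/private/MyRootCA.key
default_days  = 365
default_md    = sha256
policy        = policy_match
[ policy_match ]
countryName            = match
stateOrProvinceName    = match
organizationName       = match
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional
[ req ]
distinguished_name = req_distinguished_name
req_extensions     = v3_req
x509_extensions    = v3_ca
prompt             = no
[ req_distinguished_name ]
C = CN
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage         = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName   = @alt_names
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
[ alt_names ]
DNS.1 = ${DOMAIN}
DNS.2 = *.${DOMAIN}
EOF
}

# Steps 3-4: demoCA layout, then the self-signed root (DN via -subj, no prompts).
make_ca() {
  mkdir -p "$WORK/demoCA/private" "$WORK/demoCA/newcerts"
  : > "$WORK/demoCA/index.txt"
  echo 01 > "$WORK/demoCA/serial"
  openssl req -new -x509 -newkey rsa:2048 -days 3650 -passout "$PASS" \
    -subj "/C=CN/ST=SiChuan/L=ChengDu/O=YourCompany/CN=MyRootCA" \
    -keyout "$WORK/demoCA/private/MyRootCA.key" -out "$WORK/demoCA/MyRootCA.crt" \
    -config "$WORK/openssl.cnf" 2>/dev/null
}

# Steps 5-8: key, CSR, signing, PKCS#12. C/ST/O equal the CA's (policy_match; L is
# dropped from the issued cert, as in the post's output). -extensions v3_req is what
# adds the SAN: openssl ca ignores CSR extensions unless copy_extensions is set.
make_server_cert() {
  openssl genrsa -des3 -passout "$PASS" -out "$WORK/$DOMAIN.key" 2048 2>/dev/null
  openssl req -new -key "$WORK/$DOMAIN.key" -passin "$PASS" -out "$WORK/$DOMAIN.csr" \
    -subj "/C=CN/ST=SiChuan/L=ChengDu/O=YourCompany/CN=$DOMAIN" -config "$WORK/openssl.cnf"
  openssl ca -batch -notext -in "$WORK/$DOMAIN.csr" -out "$WORK/$DOMAIN.crt" \
    -passin "$PASS" -extensions v3_req -config "$WORK/openssl.cnf" 2>/dev/null
  openssl pkcs12 -export -inkey "$WORK/$DOMAIN.key" -passin "$PASS" \
    -in "$WORK/$DOMAIN.crt" -out "$WORK/$DOMAIN.p12" -passout "$PASS"
}

# SAN line of the issued cert, e.g. "DNS:myserver.com, DNS:*.myserver.com".
san_of() {
  openssl x509 -in "$WORK/$DOMAIN.crt" -noout -text |
    awk '/Subject Alternative Name/ { getline; sub(/^[ \t]+/, ""); print }'
}
chains_to_root() {
  openssl verify -CAfile "$WORK/demoCA/MyRootCA.crt" "$WORK/$DOMAIN.crt" >/dev/null 2>&1
}

# Chrome 58+ rule: the host must match a SAN dNSName, exactly or via a wildcard
# covering exactly one left-most label; the CN is never consulted. (openssl verify
# -verify_hostname still falls back to the CN, so it is not a stand-in for Chrome.)
san_matches() {
  host="$1"; wild="$host"
  if [ "${host#*.}" != "$host" ]; then wild="*.${host#*.}"; fi
  san_of | tr ',' '\n' | sed 's/^ *DNS://' | grep -xF -e "$host" -e "$wild" >/dev/null
}
chrome58_accepts() { chains_to_root && san_matches "$1"; }

write_config; make_ca; make_server_cert
for h in "$DOMAIN" "www.$DOMAIN" "a.b.$DOMAIN" evil.example; do
  if chrome58_accepts "$h"; then echo "$h: accepted"; else echo "$h: rejected"; fi
done
```

    Two caveats when reusing this. A CN-only certificate still passes openssl verify -verify_hostname because OpenSSL falls back to the CN when no SAN dNSName is present, so check the SAN itself, as san_matches does. And with OpenSSL 3.x the .p12 written by openssl pkcs12 -export defaults to AES-256 with PBKDF2 and a SHA-256 MAC, which older Windows releases (Win7 included) cannot import; add -legacy to that command if the import fails.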

    Sample files for download

    References

    Setting up a CA and issuing certificates with OpenSSL (基于 OpenSSL 的 CA 建立及证书签发)

    Adding a "Subject Alternative Name (DNS)" to an SSL certificate with openssl (使用openssl为ssl证书增加“使用者备用名称(DNS)”)

    Chrome 58 release: what changed around SSL security (Chrome 58发布 与SSL安全有关的变化有哪些) (reposted in too many places to tell which is the original)

  • Original post: https://www.cnblogs.com/zhouandke/p/7282777.html
Copyright © 2020-2023  润新知