最开始主要是想玩玩 Go http 2 Push 的, 但是发现以前那种最简单的自签 Chrome58+ 后就不认了…

查询后才知道 Chrome58+ 后只允许包含SAN(Subject Alternative Name)信息的证书.

重新制作包含SAN的自签证书

生成 Root CA private key

1
openssl genrsa -out rootCA.key 2048

生成 RootCA

rootCA.pem.conf 主要是方便自己以后生成的, 不用重复工作.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
[ req ]
default_bits        = 2048
default_md          = sha256
distinguished_name  = subject

[ subject ]
countryName                     = Country Name (2 letter code)
countryName_default             = CN

stateOrProvinceName             = State or Province Name (full name)
stateOrProvinceName_default     = Beijing

localityName                    = Locality Name (eg, city)
localityName_default            = Beijing

organizationName                = Organizational Name
organizationName_default        = Yaku Mioto Co., Ltd

organizationalUnitName          = Organizational Unit Name (eg, section)
organizationalUnitName_default  =

commonName                      = Common Name (e.g. server FQDN or YOUR name)
commonName_default              = Yaku Mioto Root CA
1
2
3
4
5
6
7
8
9
openssl req \
        -new \
        -x509 \
        -nodes \
        -sha256 \
        -days 3650 \
        -key rootCA.key \
        -config rootCA.pem.conf \
        -out rootCA.pem

生成 证书请求 CSR

server.csr.conf 同理. 减少工作量.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
[ req ]
default_bits        = 2048
default_md          = sha256
distinguished_name  = subject

[ subject ]
countryName                     = Country Name (2 letter code)
countryName_default             = CN

stateOrProvinceName             = State or Province Name (full name)
stateOrProvinceName_default     = Beijing

localityName                    = Locality Name (eg, city)
localityName_default            = Beijing

organizationName                = Organizational Name
organizationName_default        = Yaku Mioto Co., Ltd
1
2
3
4
5
6
7
8
openssl req \
        -new \
        -nodes \
        -sha256 \
        -config server.scr.conf \
        -newkey rsa:2048 \
        -keyout server.key \
        -out server.csr

签发证书

创建 v3.ext file, 支持了多域名多IP. 这是个好东西啊, https 负载均衡.

1
2
3
4
5
6
7
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = miotombp.local
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
openssl x509 \
        -req \
        -sha256 \
        -days 3650 \
        -CA rootCA.pem \
        -CAcreateserial \
         -extfile v3.ext \
        -CAkey rootCA.key \
        -in server.csr \
        -out server.crt

大功告成, 至于怎么添加到系统信任, 那就是各个操作系统的事情了.

参考