At first I mainly wanted to play with Go HTTP/2 Push, but I found that the simplest kind of self-signed certificate I used before is no longer accepted by Chrome 58+.
After looking it up, I learned that Chrome 58+ only accepts certificates that carry SAN (Subject Alternative Name) information.
Re-creating a self-signed certificate that includes a SAN
Generate the Root CA private key
openssl genrsa -out rootCA.key 2048
Generate the Root CA
rootCA.pem.conf is mainly there so that later certificates can be generated without repeating the work.
[ req ]
default_bits = 2048
default_md = sha256
distinguished_name = subject
[ subject ]
countryName = Country Name (2 letter code)
countryName_default = CN
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Beijing
localityName = Locality Name (eg, city)
localityName_default = Beijing
organizationName = Organizational Name
organizationName_default = Yaku Mioto Co., Ltd
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default =
commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_default = Yaku Mioto Root CA
openssl req \
-new \
-x509 \
-nodes \
-sha256 \
-days 3650 \
-key rootCA.key \
-config rootCA.pem.conf \
-out rootCA.pem
Generate the certificate signing request (CSR)
server.csr.conf serves the same purpose: it cuts down the repeated work.
[ req ]
default_bits = 2048
default_md = sha256
distinguished_name = subject
[ subject ]
countryName = Country Name (2 letter code)
countryName_default = CN
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Beijing
localityName = Locality Name (eg, city)
localityName_default = Beijing
organizationName = Organizational Name
organizationName_default = Yaku Mioto Co., Ltd
openssl req \
-new \
-nodes \
-sha256 \
-config server.csr.conf \
-newkey rsa:2048 \
-keyout server.key \
-out server.csr
Issue the certificate
Create the v3.ext file; it supports multiple domain names and multiple IPs, which is a really useful thing, for example for HTTPS load balancing.
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = miotombp.local
openssl x509 \
-req \
-sha256 \
-days 3650 \
-CA rootCA.pem \
-CAcreateserial \
-extfile v3.ext \
-CAkey rootCA.key \
-in server.csr \
-out server.crt
All done. As for adding the certificate to the system trust store, that is a matter for each operating system.
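Since the goal was Go HTTP/2, here is the same chain built with Go's crypto/x509 instead of openssl, followed by the check a browser performs (chain to the root, host matched against SAN only). This is an added example, not code from the original post; the function names issue, MakeChain and VerifyFor are my own, and the host 127.0.0.1 used alongside miotombp.local is a constructed sample value.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)

// issue makes a fresh RSA-2048 key for tpl and signs tpl with signer under parent; parent == nil means self-signed (root CA).
func issue(tpl, parent *x509.Certificate, signer *rsa.PrivateKey) (*x509.Certificate, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil { return nil, nil, err }
	if parent == nil { parent, signer = tpl, key }
	tpl.NotBefore, tpl.NotAfter = time.Now().Add(-time.Hour), time.Now().AddDate(10, 0, 0) // like -days 3650
	der, err := x509.CreateCertificate(rand.Reader, tpl, parent, &key.PublicKey, signer)
	if err != nil { return nil, nil, err }
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// MakeChain builds the root CA (CA:TRUE) and a server certificate (CA:FALSE) whose
// subjectAltName lists dnsNames and ips, the same shape the openssl steps above produce.
func MakeChain(dnsNames []string, ips []net.IP) (leaf, root *x509.Certificate, err error) {
	root, caKey, err := issue(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Yaku Mioto Root CA"},
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}, nil, nil)
	if err != nil { return nil, nil, err }
	leaf, _, err = issue(&x509.Certificate{
		SerialNumber: big.NewInt(2), BasicConstraintsValid: true, // IsCA false => CA:FALSE
		Subject:      pkix.Name{Organization: []string{"Yaku Mioto Co., Ltd"}}, // no CN: Chrome 58+ reads SAN only
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		DNSNames:     dnsNames, IPAddresses: ips, // the [alt_names] DNS.n and IP.n entries
	}, root, caKey)
	return leaf, root, err
}

// VerifyFor is the browser's check: chain to root, and host must appear in SAN.
func VerifyFor(leaf, root *x509.Certificate, host string) error {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err
}
```

A host that is not in the SAN list fails VerifyFor even if it were the CN, which is exactly why the old CN-only certificate stopped working.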