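OK, with the first part done, the second part is not too hard. I just searched with the keywords "ssl firefox multiple commonName" and found this article. The commonName approach is listed there as well.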

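I wish I had seen it sooner :) Based on the Interoperability Test in that article, I chose the method "1. Way: SubjectAltName Only"; this is an x509v3 extension. First make a copy of openssl.cnf, then add the subjectAltName definition to the [v3_req] section: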

subjectAltName = DNS:domain1.com, DNS:domain2.com

Then enable the following line in the [req] section:

req_extensions = v3_req

Finally, use this openssl.cnf to generate the request and sign the certificate; I wrote the request/sign process as the following Makefile:

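# Recipe lines must start with a tab character.
OWNER = yungyuc.yungyuc

.PHONY: default req reqsubj reqtext crt crtsubj crttext

default:
	@echo "select one"

# Generate the certificate request from key.pem using the modified openssl.cnf.
req:
	openssl req -new \
		-config openssl.cnf -text \
		-key key.pem -out req.pem

# Show the subject of the request.
reqsubj:
	openssl req -noout -subject -in req.pem

# Dump the request; the subjectAltName entries appear under "Requested Extensions".
reqtext:
	openssl req -noout -text -in req.pem

# Sign the request with the CA. -extfile/-extensions are what put the
# subjectAltName from [v3_req] into the issued certificate.
# Note: current browsers reject SHA-1 signatures; use -sha256 in place of -sha1 today.
crt:
	openssl x509 \
		-req -days 3650 -sha1 \
		-extfile openssl.cnf -extensions v3_req \
		-CA cacert.pem \
		-CAkey cakey.pem \
		-in req.pem -out crt.pem
	chown $(OWNER) crt.pem

# Show the subject of the issued certificate.
crtsubj:
	openssl x509 -noout -subject -in crt.pem

# Dump the issued certificate; check for "X509v3 Subject Alternative Name".
crttext:
	openssl x509 -noout -text -in crt.pem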

This way, Firefox, Mozilla and IE all correctly support a certificate that covers multiple domain names.
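
A check for the procedure above, as an added example that is not from the original post: it builds a throwaway CA and request in a temporary directory (constructed CA name and file layout, SHA-256 instead of SHA-1), signs the request once with -extfile/-extensions as in the crt target and once without, and lists the DNS names that end up in each file.

```shell
#!/bin/sh
# Added example. Throwaway CA, keys and file layout are constructed for the demo.
set -eu

# Minimal config carrying the two settings from the post.
write_cnf() {
    cat > "$1" <<'EOF'
[req]
distinguished_name = dn
req_extensions = v3_req
prompt = no
[dn]
CN = domain1.com
[v3_req]
subjectAltName = DNS:domain1.com, DNS:domain2.com
EOF
}

# Print the sorted DNS entries of a request ($1=req) or certificate ($1=x509).
san_names() {
    openssl "$1" -noout -text -in "$2" |
        { grep -o 'DNS:[^,[:space:]]*' || true; } | sort | paste -sd ' ' -
}

# Create a CA and a request, then sign the request with and without -extfile.
build_demo() {
    d=$1
    write_cnf "$d/openssl.cnf"
    openssl genrsa -out "$d/cakey.pem" 2048 2>/dev/null
    openssl genrsa -out "$d/key.pem" 2048 2>/dev/null
    openssl req -x509 -new -config "$d/openssl.cnf" -subj '/CN=Constructed Demo CA' \
        -days 1 -key "$d/cakey.pem" -out "$d/cacert.pem"
    openssl req -new -config "$d/openssl.cnf" -key "$d/key.pem" -out "$d/req.pem"
    # Same signing step as the post's crt target (SHA-256 here instead of SHA-1).
    openssl x509 -req -days 1 -sha256 -extfile "$d/openssl.cnf" -extensions v3_req \
        -CA "$d/cacert.pem" -CAkey "$d/cakey.pem" -CAcreateserial \
        -in "$d/req.pem" -out "$d/crt.pem" 2>/dev/null
    # Without -extfile/-extensions the request's extensions are not copied.
    openssl x509 -req -days 1 -sha256 \
        -CA "$d/cacert.pem" -CAkey "$d/cakey.pem" -CAcreateserial \
        -in "$d/req.pem" -out "$d/crt_noext.pem" 2>/dev/null
}

DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT
build_demo "$DEMO_DIR"
echo "request:          $(san_names req "$DEMO_DIR/req.pem")"
echo "with -extfile:    $(san_names x509 "$DEMO_DIR/crt.pem")"
echo "without -extfile: $(san_names x509 "$DEMO_DIR/crt_noext.pem")"
```

The last line prints no names: a request that carries subjectAltName is not enough, the signing step has to apply the extension section too.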

Posted by yungyuc at 22:21, 0 comment, 0 trackback.