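OK, with the first part done, the second part is not too hard. Searching with the keywords ssl firefox multiple commonName, I found this article. The commonName approach is listed there as well.
If only I had seen it sooner :) Based on its Interoperability Test, I chose the method "1. Way: SubjectAltName Only"; this is an x509v3 extension. First make a copy of openssl.cnf, then add the subjectAltName definition to the [v3_req] section: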
subjectAltName = DNS:domain1.com, DNS:domain2.com
Then enable the following line in the [req] section:
req_extensions = v3_req
Finally, use this openssl.cnf to generate the request and sign the certificate; I wrote the request/sign steps into the following Makefile:
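OWNER = yungyuc.yungyuc

.PHONY: default req reqsubj reqtext crt crtsubj crttext

default:
	echo "select one"

# Create the certificate request from the edited openssl.cnf.
req:
	openssl req -new \
		-config openssl.cnf -text \
		-key key.pem -out req.pem

reqsubj:
	openssl req -noout -subject -in req.pem

reqtext:
	openssl req -noout -text -in req.pem

# Sign the request with the CA key. -extfile/-extensions write the v3_req
# section (including subjectAltName) into the certificate.
# -sha1 is the digest from the original post; browsers no longer accept
# SHA-1 signatures, so use -sha256 for new certificates.
crt:
	openssl x509 \
		-req -days 3650 -sha1 \
		-extfile openssl.cnf -extensions v3_req \
		-CA cacert.pem \
		-CAkey cakey.pem \
		-in req.pem -out crt.pem
	chown $(OWNER) crt.pem

crtsubj:
	openssl x509 -noout -subject -in crt.pem

crttext:
	openssl x509 -noout -text -in crt.pem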
With this, Firefox, Mozilla and IE all correctly support a certificate that covers multiple domain names.
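The following script is an added example, not part of the original post. It shows why the crt target passes -extfile and -extensions: openssl x509 -req does not copy the request's extensions by default, so without them the subjectAltName is silently dropped from the certificate. Assumptions: a throwaway CA created in a temp dir, SHA-256 and 1-day validity for the demo, and the helper names make_demo_pki, sign and san_names, which are hypothetical.

```sh
#!/bin/sh
# Added example. Everything is created in a temp dir; the CA is a throwaway.

make_demo_pki() {   # $1 = work dir: writes openssl.cnf, demo CA, key and CSR
    cat > "$1/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
req_extensions = v3_req
prompt = no
[dn]
CN = domain1.com
[v3_req]
subjectAltName = DNS:domain1.com, DNS:domain2.com
[v3_ca]
basicConstraints = critical, CA:TRUE
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -config "$1/openssl.cnf" -subj "/CN=Demo CA" -extensions v3_ca \
        -keyout "$1/cakey.pem" -out "$1/cacert.pem" 2>/dev/null
    openssl genrsa -out "$1/key.pem" 2048 2>/dev/null
    openssl req -new -config "$1/openssl.cnf" -key "$1/key.pem" -out "$1/req.pem"
}

sign() {            # $1 = work dir, $2 = output cert, rest = extra x509 flags
    d=$1; out=$2; shift 2
    openssl x509 -req -days 1 -sha256 -CA "$d/cacert.pem" -CAkey "$d/cakey.pem" \
        -CAcreateserial -in "$d/req.pem" -out "$out" "$@" 2>/dev/null
}

san_names() {       # $1 = req|x509, $2 = file: prints DNS SAN entries, one per line
    openssl "$1" -noout -text -in "$2" |
        awk '/Subject Alternative Name/ { getline; gsub(/ /, ""); gsub(/,/, "\n"); print }' |
        sed -n 's/^DNS://p'
}

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
make_demo_pki "$work"
sign "$work" "$work/bare.pem"    # no -extfile: CSR extensions are not copied
sign "$work" "$work/crt.pem" -extfile "$work/openssl.cnf" -extensions v3_req

echo "CSR:           $(san_names req  "$work/req.pem"  | tr '\n' ' ')"
echo "no -extfile:   $(san_names x509 "$work/bare.pem" | tr '\n' ' ')"
echo "with -extfile: $(san_names x509 "$work/crt.pem"  | tr '\n' ' ')"
```

Running the crttext target and looking for the X509v3 Subject Alternative Name line is the same check on a real certificate.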
Posted by yungyuc at 22:21.