Apache, SSL, self-signed, multi-domain certificate

Goal:

Generate a valid SSL certificate for:

  • domain1.com
  • *.domain1.com
  • domain2.com
  • *.domain2.com

It may be self-signed or signed by a locally generated CA.


Scenario 1

    # ssl.conf
    [ req ]
    default_bits       = 1024
    default_keyfile    = server.key
    distinguished_name = req_distinguished_name
    # The extensions to add to the self signed cert
    req_extensions     = req_ext

    [ req_distinguished_name ]
    countryName                 = Country Name (2 letter code)
    countryName_default         = US
    stateOrProvinceName         = State or Province Name (full name)
    stateOrProvinceName_default = Connecticut
    localityName                = Locality Name (eg, city)
    localityName_default        = Stamford
    organizationName            = Organization Name (eg, company)
    organizationName_default    = Example, Inc.
    commonName                  = Common Name (eg, YOUR name)
    commonName_max              = 64

    [ req_ext ]
    subjectAltName = @alt_names

    [alt_names]
    DNS.1 = *.domain1.com
    DNS.2 = *.domain2.com

CN entered during CSR generation:

    *.domain1.com

Firefox error on domain2.com:

    domain2.com uses an invalid security certificate. The certificate is not trusted because it is self-signed. The certificate is only valid for *.domain1.com (Error code: sec_error_untrusted_issuer)

SSL certificate in text form:

    Certificate:
        Data:
            Version: 1 (0x0)
            Serial Number:
                e9:59:8a:31:8e:29:df:bf
            Signature Algorithm: sha1WithRSAEncryption
            Issuer: C=US, ST=Connecticut, L=Stamford, O=Example, Inc., CN=*.domain1.com
            Validity
                Not Before: Oct 27 06:18:28 2010 GMT
                Not After : Oct 24 06:18:28 2020 GMT
            Subject: C=US, ST=Connecticut, L=Stamford, O=Example, Inc., CN=*.domain1.com
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                RSA Public Key: (1024 bit)
                    Modulus (1024 bit):
                        00:c9:9c:50:52:be:35:64:98:7a:b9:49:8a:f3:f0:
                        af:52:62:49:2f:d3:a1:a3:d7:78:b1:88:14:e9:b2:
                        52:f1:2a:04:71:76:14:a3:17:d8:15:61:da:de:50:
                        5b:dd:66:74:12:8d:d6:6b:15:94:35:20:7b:cf:e7:
                        32:31:33:d5:f5:b9:12:a5:dc:a6:7d:08:1f:c9:f6:
                        9f:35:4d:46:1d:a0:a9:6e:90:35:0f:21:7d:76:d2:
                        96:41:7c:c9:4a:fd:9d:81:be:89:f6:f4:70:eb:52:
                        56:5d:0c:d5:62:2b:d5:fc:7f:21:0a:9c:e9:19:d5:
                        ad:dc:6b:2b:12:3e:47:3a:ed
                    Exponent: 65537 (0x10001)
        Signature Algorithm: sha1WithRSAEncryption
            a1:1f:4f:85:ae:82:52:d0:7e:47:59:fb:d2:17:5c:04:2a:a9:
            28:82:84:71:70:41:8d:61:51:3d:89:a9:0c:b3:a2:fd:f9:ff:
            c6:e4:aa:3a:5b:0f:c5:17:f3:62:4a:78:78:10:bf:45:e6:f4:
            f3:43:3b:dc:26:fd:86:17:fc:f5:e2:1a:ee:fe:76:6e:59:7f:
            b1:38:ad:d8:6d:8e:23:55:39:bc:47:20:c9:a0:f4:db:64:ed:
            5b:b2:bf:44:a6:a9:82:fb:76:b9:87:6c:92:07:42:f6:a3:00:
            c1:58:86:b2:2b:0e:6f:f1:74:4a:08:6f:37:80:02:65:4b:e5:
            0d:a9

Scenario 2:

    [ req ]
    default_bits       = 1024
    default_keyfile    = server.key
    distinguished_name = req_distinguished_name

    [ req_distinguished_name ]
    countryName                 = Country Name (2 letter code)
    countryName_default         = US
    stateOrProvinceName         = State or Province Name (full name)
    stateOrProvinceName_default = Connecticut
    localityName                = Locality Name (eg, city)
    localityName_default        = Stamford
    organizationName            = Organization Name (eg, company)
    organizationName_default    = Example, Inc.
    0.commonName                = Common Name (eg, YOUR name)
    0.commonName_default        = *.domain1.com
    0.commonName_max            = 64
    1.commonName                = Common Name (eg, YOUR name)
    1.commonName_default        = *.domain2.com
    1.commonName_max            = 64

In this case, Firefox output:

    domain1.com uses an invalid security certificate. The certificate is not trusted because it is self-signed. The certificate is only valid for *.domain2.com

SSL certificate text output:

    Certificate:
        Data:
            Version: 1 (0x0)
            Serial Number:
                80:b5:78:8a:27:0e:e5:b8
            Signature Algorithm: sha1WithRSAEncryption
            Issuer: C=US, ST=Connecticut, L=Stamford, O=Example, Inc., CN=*.domain1.com, CN=*.domain2.com
            Validity
                Not Before: Oct 27 06:05:40 2010 GMT
                Not After : Oct 24 06:05:40 2020 GMT
            Subject: C=US, ST=Connecticut, L=Stamford, O=Example, Inc., CN=*.domain1.com, CN=*.domain2.com
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                RSA Public Key: (1024 bit)
                    Modulus (1024 bit):
                        00:e8:f6:a6:ef:a7:68:cd:5d:99:d8:5a:7d:9e:23:
                        4e:9f:67:f8:e0:20:8a:5c:ad:5f:1f:71:63:66:cf:
                        34:7d:c8:21:86:65:3b:07:ed:27:4c:f8:55:08:7e:
                        67:5e:c3:e9:53:0c:44:3f:1f:e8:f9:85:24:6e:60:
                        c6:98:b4:f0:13:85:46:23:c3:bf:ec:3c:5b:0d:cb:
                        bd:8a:67:c3:a6:fe:d2:27:de:38:60:23:fd:12:9d:
                        95:1a:38:c6:bc:81:57:bb:c1:1a:60:1a:79:c9:f1:
                        d9:e4:a0:2d:a1:6e:c6:12:e7:2a:e2:76:d7:56:89:
                        a9:77:ce:7e:d1:d6:b8:28:1b
                    Exponent: 65537 (0x10001)
        Signature Algorithm: sha1WithRSAEncryption
            41:82:a7:c1:f2:11:e6:04:a8:7b:58:3c:47:ac:af:d9:46:48:
            87:24:c4:f2:fe:94:94:5f:6c:54:17:51:26:73:0b:fb:97:74:
            82:47:1d:7f:b8:63:ca:6c:49:e6:36:86:bf:7d:60:7a:74:c0:
            41:43:2a:35:7a:67:11:2b:cc:91:4e:5e:d4:23:9e:2b:a7:ad:
            35:af:90:82:7e:33:ac:36:f7:c4:46:fc:81:55:f4:3f:75:04:
            67:07:cb:8f:2b:3c:07:c0:a2:61:bc:f1:aa:fe:b3:26:c9:dc:
            a1:a1:6a:e6:81:95:1f:a9:36:33:bb:b0:04:45:69:cf:51:9d:
            8d:45

Virtual hosts

    <VirtualHost 127.0.1.3:443>
        ServerName domain1.com
        ServerAlias www.domain1.com
        ServerAlias www1.domain1.com
        ServerAlias www2.domain1.com
        ServerAdmin [email protected]
        DocumentRoot /var/www/ssltest/domain1/
        SSLEngine on
        SSLCertificateFile /etc/apache2/ssl-files/server.crt
        SSLCertificateKeyFile /etc/apache2/ssl-files/server.key
        ErrorLog /var/log/apache2/domain1.com-error_log
        CustomLog /var/log/apache2/domain1.com-access_log common
    </VirtualHost>

    <VirtualHost 127.0.1.2:443>
        ServerName domain2.com
        ServerAlias www.domain2.com
        ServerAlias www1.domain2.com
        ServerAlias www2.domain2.com
        ServerAdmin [email protected]
        DocumentRoot /var/www/ssltest/domain2/
        SSLEngine on
        SSLCertificateFile /etc/apache2/ssl-files/server.crt
        SSLCertificateKeyFile /etc/apache2/ssl-files/server.key
        ErrorLog /var/log/apache2/domain2.com-error_log
        CustomLog /var/log/apache2/domain2.com-access_log common
    </VirtualHost>

Also, in each scenario, if I visit https://domain1.com rather than one of the ServerAliases from the vhost configuration, Firefox complains:

    domain1.com uses an invalid security certificate. The certificate is not trusted because it is self-signed. The certificate is only valid for *.domain1.com (Error code: sec_error_untrusted_issuer)

Sorry if I have missed some detail that makes this completely wrong (I am short on time right now and will read it in detail later). It looks like you are trying to issue a certificate with multiple wildcards; that is invalid for almost all browsers.
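The following script is an added example, not code from the question or the answer above. It builds the four-name certificate the question asks for with OpenSSL and then inspects what actually ended up in it, which is the check worth running against the dumps in the question: both of those certificates are "Version: 1 (0x0)", i.e. they carry no X.509v3 extensions at all, so the subjectAltName configured in req_ext never reached the certificate (a CSR passed through "openssl x509 -req" loses its extensions unless -extfile/-extensions is given; "openssl req -x509" with x509_extensions set keeps them). The script also shows why the bullet list has both domain1.com and *.domain1.com: a wildcard entry does not match the bare apex name, which is what the "only valid for *.domain1.com" error on https://domain1.com reflects. The section names (dn, v3_req), the 2048-bit key, the 365-day validity and the $WORK temp directory are this example's own choices; it assumes an openssl binary on PATH.

```shell
#!/bin/sh
# Added example (not from the question or answer): build the multi-domain
# self-signed certificate with OpenSSL and check what it really contains.
# Assumptions: openssl is on PATH; all files go under $WORK (a temp dir).
set -eu

WORK="${WORK:-$(mktemp -d)}"

# write_config FILE NAME... : OpenSSL config whose [alt_names] section lists
# every NAME as a DNS entry; the first NAME also becomes the CN, as in the
# question. prompt = no takes the subject straight from the file.
write_config() {
  out="$1"; shift
  {
    cat <<'EOF'
[ req ]
default_bits       = 2048
prompt             = no
distinguished_name = dn
req_extensions     = v3_req
x509_extensions    = v3_req   # used by "req -x509", so the SAN lands in the cert

[ dn ]
C  = US
ST = Connecticut
L  = Stamford
O  = Example, Inc.
EOF
    printf 'CN = %s\n\n[ v3_req ]\nsubjectAltName = @alt_names\n\n[ alt_names ]\n' "$1"
    n=1
    for name in "$@"; do
      printf 'DNS.%d = %s\n' "$n" "$name"
      n=$((n + 1))
    done
  } > "$out"
}

# make_cert BASE NAME... : key and self-signed cert in one step. "openssl req
# -x509" applies x509_extensions directly; a CSR fed to "openssl x509 -req"
# would lose its extensions unless -extfile/-extensions were passed.
make_cert() {
  base="$1"; shift
  write_config "$WORK/$base.cnf" "$@"
  openssl req -new -x509 -nodes -days 365 -config "$WORK/$base.cnf" \
    -keyout "$WORK/$base.key" -out "$WORK/$base.crt" >/dev/null 2>&1
}

# cert_version BASE : "3" for an X.509v3 cert. A "1", as in the question's
# dumps, means the certificate carries no extensions, hence no SAN.
cert_version() {
  openssl x509 -in "$WORK/$1.crt" -noout -text |
    sed -n 's/^ *Version: \([0-9]\).*/\1/p'
}

# cert_sans BASE : the SAN entries, comma-separated, spaces stripped.
cert_sans() {
  openssl x509 -in "$WORK/$1.crt" -noout -text |
    sed -n '/Subject Alternative Name/{n;p;}' | tr -d ' '
}

# host_ok BASE HOSTNAME : succeeds if OpenSSL accepts the cert for HOSTNAME,
# using the self-signed cert itself as the trust anchor.
host_ok() {
  openssl verify -CAfile "$WORK/$1.crt" -verify_hostname "$2" \
    "$WORK/$1.crt" >/dev/null 2>&1
}

# Demonstration:
#   "good"     lists apex and wildcard for both domains (what the question wants);
#   "wildonly" repeats the question's alt_names, wildcards only.
main() {
  make_cert good domain1.com '*.domain1.com' domain2.com '*.domain2.com'
  make_cert wildonly '*.domain1.com' '*.domain2.com'
  echo "version: $(cert_version good)"
  echo "SAN:     $(cert_sans good)"
  for h in domain1.com www.domain2.com; do
    host_ok good "$h" && echo "good     accepts $h"
  done
  host_ok wildonly www.domain1.com && echo "wildonly accepts www.domain1.com"
  host_ok wildonly domain1.com || echo "wildonly rejects domain1.com (a wildcard does not cover the apex)"
}
main
```

Once the SAN really is in the certificate, a single server.crt can back both VirtualHost blocks exactly as the question's config already does; because each vhost sits on its own address (127.0.1.3 and 127.0.1.2), Apache selects the vhost by IP and the same certificate is served for both.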