
Generating an HTTPS Server Certificate with OpenSSL

2017-12-22 16:10

1. Download and install OpenSSL

You can download the source from the OpenSSL website and build it yourself, or download the installer package directly from:
http://download.csdn.net/download/nicholas_lin/10169024
// Edited 2018-01-25

Note: after using this installer package I often got blue-screen errors; I uninstalled it yesterday and it has been fine since.

srv.sys

PAGE_FAULT_IN_NONPAGED_AREA

2. Configure OpenSSL

Open the bin/openssl.cfg file and change the following:

# If you installed from the installer package, change dir
[ CA_default ]
dir		= ./PEM/demoCA		# Where everything is kept

# Make sure these two lines are present under [ req ] (the first is there by default; the second is commented out)
[ req ]
distinguished_name = req_distinguished_name
req_extensions = v3_req

# Make sure no key under req_distinguished_name carries a 0. prefix (0.xxx); if any does, remove the leading 0.
[ req_distinguished_name ]
countryName			= Country Name (2 letter code)
countryName_default		= CN
countryName_min			= 2
countryName_max			= 2
stateOrProvinceName		= State or Province Name (full name)
stateOrProvinceName_default	= Fujian

localityName			= Locality Name (eg, city)
localityName_default = FuZhou

organizationName		= Organization Name (eg, company)
organizationName_default	= Some Company Co., Ltd

# we can do this but it is not needed normally :-)
#1.organizationName		= Second Organization Name (eg, company)
#1.organizationName_default	= World Wide Web Pty Ltd

organizationalUnitName		= Organizational Unit Name (eg, section)
organizationalUnitName_default	= Some department

commonName			= Common Name (e.g. server FQDN or YOUR name)
commonName_max			= 64

emailAddress			= Email Address
emailAddress_max		= 64

# Add the last line, subjectAltName = @alt_names (the first two lines exist by default)
[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names

# Add the alt_names section; keep the spaces inside the brackets; add as many DNS.x entries as you need
[ alt_names ]
DNS.1 = abc.example.com
DNS.2 = dfe.example.org
IP.1 = 127.0.0.1
IP.2 = 188.188.188.188

// Edited 2018-01-18

Note: with a Windows 7 client, if the SAN contains both DNS and IP entries, only the DNS entries take effect. Windows 10 clients have no such problem.

3. Generate a self-signed CA certificate

Change to the bin directory on the command line and run

openssl

Generate the CA key pair

OpenSSL> genrsa -out ./demoCA/cakey.pem 2048

Generate the self-signed CA root certificate

OpenSSL> req -new -x509 -key ./demoCA/cakey.pem -out ./demoCA/cacert.pem -config openssl.cfg -days 730

Export the CA root certificate in DER format

OpenSSL> x509 -outform der -in ./demoCA/cacert.pem -out ./demoCA/cacert.der

4. Generate the server certificate

Generate the server key pair

OpenSSL> genrsa -out ./demoCA/server.key 2048

Generate the PKCS#10 certificate signing request (the request includes the alt_names entries)

OpenSSL> req -new -key ./demoCA/server.key -out ./demoCA/server.csr -config openssl.cfg

Issue the server certificate from the CA (the SAN in the issued certificate comes from the v3_req section selected by -extensions; openssl ca does not copy extensions from the CSR unless copy_extensions is set in the config)

OpenSSL> ca -in ./demoCA/server.csr -out ./demoCA/server.crt -cert ./demoCA/cacert.pem -keyfile ./demoCA/cakey.pem -extensions v3_req -days 730 -config openssl.cfg

Export the server certificate and key together as a PKCS#12 file

OpenSSL> pkcs12 -export -in ./demoCA/server.crt -inkey ./demoCA/server.key -out ./demoCA/server.pfx
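The procedure in steps 2 to 4, as an added example that is not part of the original post: it runs non-interactively in a scratch directory with a constructed config holding only the sections edited above, creates the database files that openssl ca expects under dir (the post does not mention them), and finishes with the checks worth running before the certificate reaches Tomcat. It assumes a POSIX shell and the openssl CLI on PATH; every name and path is constructed.

```shell
# Added example (not the post's code): steps 2-4 run non-interactively in a scratch directory,
# then checks worth doing before the cert reaches Tomcat. Assumes sh + openssl CLI; names are constructed.
set -eu
WORK="${WORK:-$(mktemp -d)}"; CA="$WORK/demoCA"; CFG="$WORK/openssl.cfg"
make_demo_pki() {
  # "openssl ca" needs these database files under the CA_default dir (the post does not create them);
  # the config below holds only the sections the post edits plus what "ca" itself needs (constructed).
  mkdir -p "$CA/newcerts"; : > "$CA/index.txt"; echo 1000 > "$CA/serial"
  cat > "$CFG" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $CA
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
default_md = sha256
policy = policy_anything
[ policy_anything ]
commonName = supplied
[ req ]
distinguished_name = req_distinguished_name
req_extensions = v3_req
x509_extensions = v3_ca
[ req_distinguished_name ]
commonName = Common Name
[ v3_ca ]
basicConstraints = CA:TRUE
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = abc.example.com
IP.1 = 127.0.0.1
EOF
  # CA key + self-signed root (v3_ca), then server key + CSR (-subj replaces the interactive prompts).
  openssl req -new -x509 -newkey rsa:2048 -nodes -keyout "$CA/cakey.pem" -out "$CA/cacert.pem" \
    -subj "/CN=Demo Root CA" -days 730 -config "$CFG" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -keyout "$CA/server.key" -out "$CA/server.csr" \
    -subj "/CN=abc.example.com" -config "$CFG" 2>/dev/null
  # -extensions v3_req is what puts the SAN into the issued cert; "ca" does not copy it from the CSR.
  openssl ca -batch -in "$CA/server.csr" -out "$CA/server.crt" -cert "$CA/cacert.pem" \
    -keyfile "$CA/cakey.pem" -extensions v3_req -days 730 -config "$CFG" 2>/dev/null
}
# Checks: the chain validates against the CA, SAN and CA:FALSE are present, the private key matches the cert.
chain_ok()    { openssl verify -CAfile "$CA/cacert.pem" "$CA/server.crt" >/dev/null 2>&1; }
cert_has()    { openssl x509 -in "$CA/server.crt" -noout -text | grep -q -- "$1"; }
key_matches() { [ "$(openssl x509 -in "$CA/server.crt" -noout -pubkey)" = "$(openssl pkey -in "$CA/server.key" -pubout)" ]; }
make_demo_pki
chain_ok && cert_has "DNS:abc.example.com" && cert_has "CA:FALSE" && key_matches && echo "server.crt OK"
```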

5. Export the server keystore for Tomcat

Open a command prompt

Import the root certificate

CMD> keytool -importcert -v -file ./demoCA/cacert.pem -keystore ./demoCA/server.keystore

Import the server certificate and key

CMD> keytool -importkeystore -v -srckeystore ./demoCA/server.pfx -srcstoretype PKCS12 -destkeystore ./demoCA/server.keystore

6. Configure Tomcat

In /conf/server.xml:

<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS" keystoreFile="/conf/server.keystore" keystorePass="12345678"
truststoreFile="/conf/server.keystore" truststorePass="12345678" />


7. Reference

Using openssl to add a Subject Alternative Name (DNS) to an SSL certificate