Open moooofly opened 5 years ago
Does anyone know if it's possible to create my own wildcard certificate under Ubuntu? For instance, I want the following domains to use one certificate:
https://a.example.com
https://b.example.com
https://c.example.com
step by step instructions for creating your own certificate with OpenSSL but replace the "Common Name" www.example.com with *.example.com.
Nowadays (if the "domain-validated" certification level of Let's Encrypt is enough for your purpose) it's trivial to obtain individual certificates for each and every subdomain. In case you need a higher trust level than domain-validated, wildcard certificates are still an option.
What is a CSR? A CSR or Certificate Signing Request is a block of encoded text that is given to a Certificate Authority when applying for an SSL Certificate. It is usually generated on the server where the certificate will be installed and contains information that will be included in the certificate such as the organization name, common name (domain name), locality, and country. It also contains the public key that will be included in the certificate. A private key is usually created at the same time that you create the CSR, making a key pair. A CSR is generally encoded using ASN.1 according to the PKCS #10 specification.
A certificate authority will use a CSR to create your SSL certificate, but it does not need your private key. You need to keep your private key secret. The certificate created with a particular CSR will only work with the private key that was generated with it. So if you lose the private key, the certificate will no longer work.
Name | Explanation | Examples |
---|---|---|
Common Name | The fully qualified domain name (FQDN) of your server. This must match exactly what you type in your web browser or you will receive a name mismatch error. | *.google.com, mail.google.com |
Organization | The legal name of your organization. This should not be abbreviated and should include suffixes such as Inc, Corp, or LLC. | Google Inc. |
Organizational Unit | The division of your organization handling the certificate. | Information Technology, IT Department |
City/Locality | The city where your organization is located. | Mountain View |
State/County/Region | The state/region where your organization is located. This shouldn't be abbreviated. | California |
Country | The two-letter ISO code for the country where your organization is located. | US, GB |
Email address | An email address used to contact your organization. | webmaster@google.com |
Public Key | The public key that will go into the certificate. | The public key is created automatically |
Most CSRs are created in the Base-64 encoded PEM format. This format includes the "-----BEGIN CERTIFICATE REQUEST-----" and "-----END CERTIFICATE REQUEST-----" lines at the beginning and end of the CSR.
You need to generate a CSR and private key on the server that the certificate will be used on.
If you are familiar with OpenSSL you can use the following command to generate a CSR and private key:
openssl req -new -newkey rsa:2048 -nodes -out servername.csr -keyout servername.key
Online tool: Generator
Advanced CSR, Private Key and Certificate triplet generator
You can easily decode your CSR to see what is in it by using our CSR Decoder. In order to decode a CSR on your own machine using OpenSSL, use the following command:
openssl req -in server.csr -noout -text
CSR Decoder illustration
Decoding a CSR file with openssl
[#268#root@ubuntu-1604 /go/src/github.com/moooofly/tunnel-proxy/certs]$openssl req -in custom.csr -noout -text
Certificate Request:
Data:
Version: 0 (0x0)
Subject: C=CN, ST=Shanghai, O=Liulishuo LLS, CN=*.llsapp.com/emailAddress=fei.sun@liulishuo.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (4096 bit)
Modulus:
Exponent: 65537 (0x10001)
Attributes:
a0:00
Signature Algorithm: sha256WithRSAEncryption
[#269#root@ubuntu-1604 /go/src/github.com/moooofly/tunnel-proxy/certs]$
Online tool: SSL & CSR Decoder
Submit your base64 encoded CSR or certificate in the field below. We will attempt to decode and analyze it to detect issues with it if any.
The bit-length of a CSR and private key pair determine how easily the key can be cracked using brute force methods. As of 2016, a key size of less than 2048 bits is considered weak and could potentially be broken in a few months or less with enough computing power. If a private key is broken, all the connections initiated with it would be exposed to whomever had the key. The Extended Validation guidelines that SSL certificate providers are required to follow, require that all EV certificates use a 2048-bit key size to ensure their security well into the future. Because of this, most providers encourage 2048-bit keys on all certificates whether they are EV or not.
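The generate, decode and key-size steps above as one non-interactive script for the wildcard case; this is an added example, not taken from the quoted sources. It assumes OpenSSL 1.1.1 or later for -addext; example.com, the file names and the function names are placeholders, and it requests a subjectAltName in addition to the Common Name because current browsers match hostnames against the SAN.

```shell
# Added example. Needs OpenSSL 1.1.1+ (-addext); example.com is a placeholder.

# make_wildcard_csr DIR DOMAIN [BITS] -> DIR/wildcard.key and DIR/wildcard.csr
# A wildcard does not match the bare domain, so both names go into the SAN.
make_wildcard_csr() {
    ( umask 077    # the key file must not be readable by other users
      openssl req -new -newkey "rsa:${3:-2048}" -nodes \
          -subj "/CN=*.$2" \
          -addext "subjectAltName=DNS:*.$2,DNS:$2" \
          -keyout "$1/wildcard.key" -out "$1/wildcard.csr" 2>/dev/null )
}

# csr_matches_key CSR KEY: exit 0 only if the CSR holds the public half of KEY
csr_matches_key() {
    pub=$(openssl req -in "$1" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$pub" ] && [ "$pub" = "$(openssl pkey -in "$2" -pubout 2>/dev/null)" ]
}

# csr_key_bits CSR: key size parsed from the "Public-Key: (N bit)" line
csr_key_bits() {
    openssl req -in "$1" -noout -text |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# csr_names CSR: requested DNS names, one per line
csr_names() {
    openssl req -in "$1" -noout -text | grep -o 'DNS:[^, ]*'
}

# csr_ok CSR KEY: the pair matches and the key is at least 2048 bits
csr_ok() {
    csr_matches_key "$1" "$2" && [ "$(csr_key_bits "$1")" -ge 2048 ]
}

# Demonstration in a throwaway directory
d=$(mktemp -d) && make_wildcard_csr "$d" example.com &&
    csr_ok "$d/wildcard.csr" "$d/wildcard.key" &&
    echo "key matches, $(csr_key_bits "$d/wildcard.csr") bit" &&
    csr_names "$d/wildcard.csr"
rm -rf "$d"
```

Running csr_matches_key before submitting a CSR catches the case where the request was built from a different key than the one deployed on the server.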
A very thorough article compiled by DigitalOcean, worth reading carefully; the outline is as follows
Yes, but it depends on what standard you are following.
RFC 7468 is one of them.
But it's also a lot like xkcd: Standards.
The PEM encodings OpenSSL recognizes can be found in <openssl dir>/crypto/pem/pem.h. Using NEW is apparently an old way of doing it.
# define PEM_STRING_X509_OLD "X509 CERTIFICATE"
# define PEM_STRING_X509 "CERTIFICATE"
# define PEM_STRING_X509_PAIR "CERTIFICATE PAIR"
# define PEM_STRING_X509_TRUSTED "TRUSTED CERTIFICATE"
# define PEM_STRING_X509_REQ_OLD "NEW CERTIFICATE REQUEST"
# define PEM_STRING_X509_REQ "CERTIFICATE REQUEST"
# define PEM_STRING_X509_CRL "X509 CRL"
# define PEM_STRING_EVP_PKEY "ANY PRIVATE KEY"
# define PEM_STRING_PUBLIC "PUBLIC KEY"
# define PEM_STRING_RSA "RSA PRIVATE KEY"
# define PEM_STRING_RSA_PUBLIC "RSA PUBLIC KEY"
# define PEM_STRING_DSA "DSA PRIVATE KEY"
# define PEM_STRING_DSA_PUBLIC "DSA PUBLIC KEY"
# define PEM_STRING_PKCS7 "PKCS7"
# define PEM_STRING_PKCS7_SIGNED "PKCS #7 SIGNED DATA"
# define PEM_STRING_PKCS8 "ENCRYPTED PRIVATE KEY"
# define PEM_STRING_PKCS8INF "PRIVATE KEY"
# define PEM_STRING_DHPARAMS "DH PARAMETERS"
# define PEM_STRING_DHXPARAMS "X9.42 DH PARAMETERS"
# define PEM_STRING_SSL_SESSION "SSL SESSION PARAMETERS"
# define PEM_STRING_DSAPARAMS "DSA PARAMETERS"
# define PEM_STRING_ECDSA_PUBLIC "ECDSA PUBLIC KEY"
# define PEM_STRING_ECPARAMETERS "EC PARAMETERS"
# define PEM_STRING_ECPRIVATEKEY "EC PRIVATE KEY"
# define PEM_STRING_PARAMETERS "PARAMETERS"
# define PEM_STRING_CMS "CMS"
It looks like "NEW CERTIFICATE REQUEST" (old style) and "CERTIFICATE REQUEST" (new style) are the two winners.
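An added example (not from the quoted answer or from OpenSSL) that lists the PEM blocks in a file by label and classifies them against the pem.h names above, which is a quick way to confirm that a bundle about to be sent to a CA contains no private key. The function names and the sample bundle are constructed for illustration.

```shell
# Added example: classify every PEM block in a file by its encapsulation label.
#   secret = label ends in "PRIVATE KEY" (encrypted or not)
#   legacy = old-style label (X509 CERTIFICATE, NEW CERTIFICATE REQUEST)
#   public = any other label (certificate, request, public key, parameters)
#   broken = BEGIN/END labels do not pair up
pem_labels() {
    awk '
    { sub(/\r$/, "") }                       # tolerate CRLF files from Windows
    /^-----BEGIN [^-]+-----$/ {
        if (open != "") print "broken " open
        open = substr($0, 12, length($0) - 16)
        next
    }
    /^-----END [^-]+-----$/ {
        label = substr($0, 10, length($0) - 14)
        if (label != open)                    class = "broken"
        else if (label ~ /PRIVATE KEY$/)      class = "secret"
        else if (label == "X509 CERTIFICATE" ||
                 label == "NEW CERTIFICATE REQUEST") class = "legacy"
        else                                  class = "public"
        print class " " label
        open = ""
    }
    END { if (open != "") print "broken " open }
    ' "$1"
}

# pem_has_secret FILE: exit 0 if the file holds any private-key block
pem_has_secret() { pem_labels "$1" | grep -q '^secret '; }

# Constructed sample: shape of a PFX-to-PEM export plus an old-style CSR.
# The base64 bodies are placeholders, not real key or certificate data.
sample_bundle() {
    cat <<'EOF'
-----BEGIN ENCRYPTED PRIVATE KEY-----
Q09OU1RSVUNURUQ=
-----END ENCRYPTED PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQ=
-----END CERTIFICATE-----
-----BEGIN NEW CERTIFICATE REQUEST-----
Q09OU1RSVUNURUQ=
-----END NEW CERTIFICATE REQUEST-----
EOF
}

f=$(mktemp) && sample_bundle > "$f" && pem_labels "$f"
pem_has_secret "$f" && echo "do not share: private key present"
rm -f "$f"
```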
Converter - The goal of this tool is to provide web GUI for basic x509v3 certificates conversion operations.
If your server/device requires a different certificate format other than Base64 encoded X.509, a third party tool such as OpenSSL can be used to convert the certificates into the appropriate format.
If the certificate format you need is not Base64 encoded X.509, you can use OpenSSL to convert it.
Note: The PEM format is the most common format used for certificates. Extensions used for PEM certificates are cer, crt, and pem. They are Base64 encoded ASCII files. The DER format is the binary form of the certificate. DER formatted certificates do not contain the "BEGIN CERTIFICATE/END CERTIFICATE" statements. DER formatted certificates most often use the '.der' extension.
Some common conversion commands are listed below:
Conversion | Command | Notes |
---|---|---|
Convert x509 to PEM | openssl x509 -in certificatename.cer -outform PEM -out certificatename.pem | |
Convert PEM to DER | openssl x509 -outform der -in certificatename.pem -out certificatename.der | |
Convert DER to PEM | openssl x509 -inform der -in certificatename.der -out certificatename.pem | |
Convert PEM to P7B | openssl crl2pkcs7 -nocrl -certfile certificatename.pem -out certificatename.p7b -certfile CACert.cer | Note: The PKCS#7 or P7B format is stored in Base64 ASCII format and has a file extension of .p7b or .p7c. A P7B file only contains certificates and chain certificates (Intermediate CAs), not the private key. The most common platforms that support P7B files are Microsoft Windows and Java Tomcat. |
Convert PKCS7 to PEM | openssl pkcs7 -print_certs -in certificatename.p7b -out certificatename.pem | |
Convert pfx to PEM | openssl pkcs12 -in certificatename.pfx -out certificatename.pem | Note: The PKCS#12 or PFX format is a binary format for storing the server certificate, intermediate certificates, and the private key in one encryptable file. PFX files usually have extensions such as .pfx and .p12. PFX files are typically used on Windows machines to import and export certificates and private keys. |
Convert PFX to PKCS#8 | openssl pkcs12 -in certificatename.pfx -nocerts -nodes -out certificatename.pem && openssl pkcs8 -in certificatename.pem -topk8 -nocrypt -out certificatename.pk8 | Note: This requires 2 commands. STEP 1: Convert PFX to PEM. STEP 2: Convert PEM to PKCS8. |
Convert P7B to PFX | openssl pkcs7 -print_certs -in certificatename.p7b -out certificatename.cer && openssl pkcs12 -export -in certificatename.cer -inkey privateKey.key -out certificatename.pfx -certfile cacert.cer | Note: This requires 2 commands. STEP 1: Convert P7B to CER. STEP 2: Convert CER and Private Key to PFX. |
ref: What are certificate formats and what is the difference between them?
Some servers support multiple certificate formats; others support only one specific format.
Once you’ve got your certificate files, seeing your file extension will allow you to know what’s in the file, and which file fits best your needs.
*.pem, *.crt, *.ca-bundle, *.cer, *.p7b, *.p7s files contain one or more X.509 digital certificate files that use base64 (ASCII) encoding. You get one of those in a zip file downloaded from your user account, or receive such file from the Certificate Authority.
Several common certificate extensions are *.pem, *.crt, *.ca-bundle, *.cer, *.p7b and *.p7s; these files all contain base64-encoded X.509 digital certificates.
You may also encounter *.pfx files. This is an archive file format for storing several cryptographic objects in a single file. In the scope of SSL certificates for SSL/TLS client and SSL/TLS webserver authentication (the ones we offer), a .pfx file must contain the end-entity certificate (issued to your domain), a matching private key, and may optionally include an intermediate certification authority (a.k.a. CA Bundle). All this is wrapped up in a single file which is then protected with a pfx password. We can’t possibly provide you with a ready .pfx file, since it has a private key as the second essential element. Private key must be kept secret and is something that you generate alongside with the certificate signing request (CSR) by using available server tools, asking your webhost to generate it for you, or using an online CSR + private key generation tool.
A *.pfx file is an archive format; it contains the end-entity certificate and the corresponding private key, and may also contain an intermediate certification authority (a.k.a. CA Bundle).
Submit the Hostname and Port in the fields below. This checker supports SNI and STARTTLS.
You can easily see if you did the SSL Certificate installation correctly by entering the hostname in the following box and clicking "Check SSL". Our SSL Checker will show you the certificate that is installed and tell you if there are any SSL install problems.
ref: https://support.globalsign.com/customer/portal/articles/1221018-generate-csr---openssl
Generate a CSR & Private Key:
openssl req -out CSR.csr -new -newkey rsa:2048 -nodes -keyout privatekey.key
Note: To generate a 4096-bit CSR you can replace the rsa:2048 syntax with rsa:4096 as shown below.
openssl req -out CSR.csr -new -newkey rsa:4096 -nodes -keyout privatekey.key
Fill out the following fields as prompted:
Field | Example |
---|---|
Country Name | US (2 Letter Code) |
State or Province | New Hampshire (Full State Name) |
Locality | Portsmouth (Full City name) |
Organization | GMO GlobalSign Inc (Entity's Legal Name) |
Organizational Unit | Support (Optional, e.g. a department) |
Common Name | www.globalsign.com (Domain or Entity name) |
You should now have a Private Key (privatekey.key) which should stay on your computer, and a Certificate Signing Request (CSR.csr), which can be submitted to GlobalSign to sign your public key.
ref: https://www.sslshopper.com/ssl-certificate-installation.html
Any certificate in between your certificate and the root certificate is called a chain or intermediate certificate. These must be installed to the web server with the primary certificate for your web site so that users' browsers can link your certificate to a trusted authority. Most certificate authorities use intermediate certificates for security purposes and most web servers and devices support them. To find out more about Intermediate certificates and why most providers require them for SSL Certificate installation, see Extinction of Unchained SSL Certificates.
A wildcard certificate is installed the exact same way that a normal certificate is installed. The only difference is the * character in the common name field. Nothing extra is needed to install the certificate on the server.
If you need to create a new certificate based on a new private key, you will need to reissue it. By reissuing you can install the certificate on a new server without moving your private key or replace your certificate if your private key is lost or stolen. Most certificate authorities offer free reissues but some are more flexible than others. In order to reissue your certificate you will just need to create a new CSR, reissue with your certificate provider, and install the new certificate.
No. Most certificate authorities allow you to reissue the certificate with a new private key if you lose the current one. Still, it is a very good idea to back up your certificate and private key.
Without your private key, your digital certificate is useless. It isn't possible to recover a private key once it is lost. The certificate authority that creates the certificate never sees your private key, so they can't help you if you lose it. If you do lose your private key you can create a new one and reissue the certificate. You can back up the SSL certificate using our SSL Certificate Import/Export/Move Instructions.