Setting up HTTPS for multiple domains


Question

I need to set up HTTPS for multiple domains, xxxx.com and xxxx.net (with a single common certificate).

The CA where we are buying the certificate asks us to create a Certificate Signing Request (CSR), but when I generate it with openssl, it asks for only one name.

How do I make one CSR for multiple domains?

Recommended answer

Avoid certificates with multiple CNs (as suggested in comments); that's not how the specifications (RFC 2818 and RFC 6125) say it should work and, although it may work in some client applications, it will usually fail. From RFC 2818:


If a subjectAltName extension of type dNSName is present, that MUST be used as the identity. Otherwise, the (most specific) Common Name field in the Subject field of the certificate MUST be used. Although the use of the Common Name is existing practice, it is deprecated and Certification Authorities are encouraged to use the dNSName instead.

Instead, generate certificates (or CSR) with multiple Subject Alternative Names (SANs).

If you're using OpenSSL, edit your openssl.cnf (or edit a copy) and set these properties in the relevant sections ([req] and [v3_req]):

[req]
req_extensions = v3_req

[v3_req]
subjectAltName=DNS:www.example1.com,DNS:www.example2.com,DNS:www.example3.com

There's also a nice trick to use an environment variable for this (rather than fixing it in a configuration file) here: http://www.crsr.net/Notes/SSL.html

You may also want to have one of them (any) in the CN.

(You may also be interested in this answer.)
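
Added example (not part of the original answer): a shell sketch that writes a standalone config with the [req] and [v3_req] settings shown above, generates a key and CSR, and reads the requested SAN list back out of the CSR before it goes to the CA. The function names, the file names (san.cnf, server.key, server.csr) and the domain names are constructed for illustration.

```shell
#!/bin/sh
# Added example: build a CSR whose subjectAltName lists several DNS names,
# then read the names back out of the CSR before sending it to the CA.
# Domain names and file names below are constructed placeholders.

# make_san_csr OUTDIR CN NAME...
# Writes OUTDIR/san.cnf, OUTDIR/server.key and OUTDIR/server.csr.
make_san_csr() {
    outdir=$1; cn=$2; shift 2
    sans=""
    for name in "$@"; do
        sans="${sans:+$sans,}DNS:$name"
    done
    cat > "$outdir/san.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
req_extensions = v3_req

[dn]
CN = $cn

[v3_req]
subjectAltName = $sans
EOF
    # The private key is written unencrypted (-nodes), so restrict it with umask.
    ( umask 077
      openssl req -new -newkey rsa:2048 -nodes \
          -config "$outdir/san.cnf" \
          -keyout "$outdir/server.key" -out "$outdir/server.csr" )
}

# csr_sans CSRFILE: print the requested SAN list, e.g. DNS:a,DNS:b
csr_sans() {
    openssl req -in "$1" -noout -text |
        grep -A1 'Subject Alternative Name' | tail -n 1 | tr -d ' '
}

# Demo run with constructed names; the CN repeats one of the SAN entries.
if command -v openssl >/dev/null 2>&1; then
    demo=$(mktemp -d)
    make_san_csr "$demo" www.example1.com www.example1.com www.example2.net
    csr_sans "$demo/server.csr"
    rm -rf "$demo"
fi
```

The CA decides which of the requested names it actually certifies, so run the same inspection on the issued certificate with `openssl x509 -noout -text`.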
