# 服务器证书请求

跟根证书也差不多,只不过配置不同

# 命令

openssl req -new -key server.key -out server.csr -config openssl.cnf

# 配置

#openssl.cnf
# Request configuration passed to `openssl req -new ... -config openssl.cnf`.
[ req ]
# Key size for a key that `openssl req` generates itself; when an existing key
# is supplied with -key, this value does not affect that key.
default_bits       = 4096
# Section that defines the subject (DN) prompts and their defaults.
distinguished_name = req_distinguished_name
# Section whose extensions are written into the certificate request.
req_extensions     = v3_req

[ req_distinguished_name ]
# Each field has a prompt string; the matching `_default` entry is the value
# used when the prompt is answered with an empty line.
countryName                     = Country Name (2 letter code)
countryName_default             = CN
stateOrProvinceName             = State or Province Name (full name)
stateOrProvinceName_default     = JiangSu
localityName                    = Locality Name (eg, city)
localityName_default            = SuZhou
organizationName                = Organization Name (eg, company)
organizationName_default        = MyComponent
organizationalUnitName          = Organizational Unit Name (eg, section)
organizationalUnitName_default  = MyComponent RD
commonName                      = Common Name (e.g. server FQDN or YOUR name)
# Upper bound on the length of the commonName value.
commonName_max                  = 64
# The server is addressed by IP; the same address is repeated in [alt_names].
commonName_default              = 192.168.1.16

[ v3_req ]
# End-entity certificate: it must not be usable as a CA.
basicConstraints = CA:FALSE
# NOTE(review): nonRepudiation is usually not needed for a TLS server
# certificate; confirm whether it is required before keeping or removing it.
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
# NOTE(review): no extendedKeyUsage is requested. Some TLS clients expect a
# server certificate to carry `extendedKeyUsage = serverAuth`; confirm against
# the clients in use.
# Take the subject alternative names from the [alt_names] section below.
subjectAltName = @alt_names

# A certificate without this section is not usable: the SAN entry is what
# shows that the certificate belongs to 192.168.1.16.
# The extensions in a request are only a request; the signing step has to
# apply them as well.
[alt_names]
IP.1    = 192.168.1.16

# 注意事项

要注意上面的 alt_names 选项,这个一定是需要的,否则会提示

此服务器无法证实它就是 192.168.1.16 - 它的安全证书没有指定主题备用名称。这可能是因为某项配置有误或某个攻击者拦截了您的连接。

另外这个配置,在签发服务器证书的时候也要使用:证书请求(CSR)里的扩展(包括 subjectAltName)默认不会自动写入签发出来的证书,签发时必须再次指定。