How do I create my own wildcard certificate on Linux?
Does anyone know if it's possible to create my own wildcard certificate under Ubuntu? For instance, I want the following domains to use one certificate:
https://a.example.com
https://b.example.com
https://c.example.com
Just follow one of the many step-by-step instructions for creating your own certificate with OpenSSL, but replace the "Common Name" www.example.com with *.example.com. Usually you have to keep a bit more money ready to get a certificate for this.
(Sorry, my favorite howto is a german text that I don't have readily available and can't find currently, thus the 'many' links)
Edit in 2017: The original answer to this question is from 2009, when the choice for certificates did not include fully automated and free options like Let's Encrypt. Nowadays (if the "domain-validated" certification level of Let's Encrypt is enough for your purpose) it's trivial to obtain individual certificates for each and every subdomain. In case you need a higher trust level than domain-validated, wildcard certificates are still an option.
Also from 2017, note the comment below, by @ha9u63ar:
According to RFC 2818 sec. 3, using CN for host name identification is not recommended anymore (deprecated); Subject Alternative Name (SAN) seems to be the way to go.
My answer to this comment: I trust that nowadays any CAs that issue Wildcard certs will have a proper set of instructions. For a self-signed quick fix, I'd not worry. On the other hand, with LetsEncrypt being around these days, it's been a long time since I've created a self-signed certificate. Gee, this answer really shows its age.
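As an added example (not part of the original answer or its comments): a POSIX shell script that does what the answer describes, with the SAN point from @ha9u63ar's comment applied. It puts *.example.com in the Common Name as the answer says, but also lists it in a subjectAltName extension, because OpenSSL and browsers ignore the CN once a SAN is present. It then uses `openssl verify -verify_hostname` to show which names the certificate actually covers. Everything in it is illustrative: example.com, the output directory, and the function names make_wildcard_cert and cert_matches are assumptions; it needs OpenSSL 1.0.2 or newer (for -verify_hostname), and the certificate is self-signed, so clients will trust it only if it is imported as a trust anchor.

```shell
#!/bin/sh
# Added example (not from the original answer): a self-signed wildcard certificate
# for *.example.com that also carries the names in a subjectAltName extension,
# plus a hostname check against it. Assumes OpenSSL 1.0.2 or later is installed;
# example.com, the output directory and the function names are illustrative.

# make_wildcard_cert DIR DOMAIN
# Writes DIR/key.pem and DIR/cert.pem, valid for *.DOMAIN and for DOMAIN itself.
make_wildcard_cert() {
    dir="$1"
    domain="$2"
    mkdir -p "$dir"
    # Modern clients match the hostname against the SAN list, not the CN
    # (RFC 2818 sec. 3), so the SAN carries the names; the CN is kept as
    # *.DOMAIN only for legacy software that still looks at it.
    # A wildcard covers exactly one label, so the bare DOMAIN is listed separately.
    cat > "$dir/openssl.cnf" <<EOF
[ req ]
distinguished_name = dn
x509_extensions    = v3_leaf
prompt             = no

[ dn ]
CN = *.$domain

[ v3_leaf ]
subjectAltName   = DNS:*.$domain, DNS:$domain
extendedKeyUsage = serverAuth
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -config "$dir/openssl.cnf" \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" >/dev/null 2>&1
}

# cert_matches DIR HOST
# Succeeds (exit 0) if HOST is covered by DIR/cert.pem. The self-signed cert is
# passed as its own trust anchor, so only the hostname match is being exercised.
cert_matches() {
    openssl verify -CAfile "$1/cert.pem" -verify_hostname "$2" \
        "$1/cert.pem" >/dev/null 2>&1
}

# Demo: build the certificate, then probe a few names against it.
out="${OUT_DIR:-$(mktemp -d)}"
make_wildcard_cert "$out" example.com
for h in a.example.com b.example.com c.example.com example.com deep.a.example.com other.org; do
    if cert_matches "$out" "$h"; then
        echo "$h: covered"
    else
        echo "$h: NOT covered"
    fi
done
echo "key:  $out/key.pem"
echo "cert: $out/cert.pem"
```

Run it as a script; it prints one line per probed name. The two names the certificate does not cover are instructive: deep.a.example.com fails because a wildcard matches exactly one DNS label, and other.org is simply a different domain. The bare example.com is covered only because it is listed as a second SAN entry; *.example.com alone would not match it. To serve the three hosts from the question, point each virtual host at the same key.pem and cert.pem.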