
Sign SSL certificates as your own CA

2022-07-06 02:47:00 uiop_ uiop_ uiop

  This post addresses the problem of obtaining a usable SSL certificate when the normal route is blocked. For example: a free SSL certificate cannot be applied for because there is no way to add the DNS record it requires, or the VPS has no domain name filing (ICP registration), so a formally issued certificate cannot be obtained at all. A plain self-signed certificate is not a reliable answer either, since many browsers will not accept one. To remove the problem at the root, we act as the CA ourselves: we create a self-signed CA certificate and use it to issue the SSL certificates we need. I stepped on a lot of pits along the way, but finally got it working.


 ssl.conf (configuration for the certificate request)

[ req ]
default_bits       = 4096
distinguished_name = req_distinguished_name
req_extensions     = req_ext

[ req_distinguished_name ]
countryName                 = Country Name (2 letter code)
countryName_default         = GB
stateOrProvinceName         = State or Province Name (full name)
stateOrProvinceName_default = England
localityName                = Locality Name (eg, city)
localityName_default        = Brighton
organizationName            = Organization Name (eg, company)
organizationName_default    = Hallmarkdesign
organizationalUnitName      = Organizational Unit Name (eg, section)
organizationalUnitName_default = IT
commonName                  = Common Name (e.g. server FQDN or YOUR name)
commonName_max              = 64
commonName_default          = 【SERVER_DOMAIN_NAME_WITH:PORT_NUMBER】

[ req_ext ]
subjectAltName = @alt_names

[alt_names]
IP.1    = 【YOUR_SERVER_PUBLIC_IP】
DNS.1   = 【SERVER_DNS_DOMAIN】

 sign.conf (extensions written into the issued certificate)

subjectAltName=IP:【SERVER_IP_ADDRESS】,DNS:【DNS_NAME】

Here are the specific commands. The first two seed OpenSSL's random-number file (needed on some older OpenSSL 1.1 installations, harmless elsewhere). genrsa -des3 creates a passphrase-protected CA key and req -x509 turns it into a self-signed root certificate. The last three commands create the server key and CSR and sign the CSR with the root, attaching the extensions from sign.conf.

cd ~
openssl rand -writerand .rnd

cd 【WORKING_DIRECTORY】

openssl genrsa -des3 -out rootCA.key 4096

openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 99999 -out rootCA.crt

openssl genrsa -out server.key 2048

openssl req -new -sha256 -out server.csr -key server.key -config ssl.conf

openssl x509 -req -in server.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out server.crt -days 99999 -sha256 -extfile sign.conf
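The script below is an added example and not the original post's code: it is the same procedure (ssl.conf, sign.conf and the commands above) made non-interactive, followed by a verification step. Everything in it is an assumed placeholder: hostname test.example.com, IP 203.0.113.10, the CA passphrase taken from the CA_PASS environment variable (default "changeit"), and the working directory passed as an argument. Compared with the post it makes the extensions explicit (CA:TRUE and keyCertSign on the root, CA:FALSE and serverAuth on the server certificate) and gives the server certificate 825 days instead of 99999, because Apple clients reject TLS server certificates with a longer validity. The sign.conf step is needed because openssl x509 -req does not copy the CSR's extensions into the issued certificate. verify_server_cert does what a client does once rootCA.crt is imported as a trusted root: it builds the chain to the root and matches the hostname and IP against the subjectAltName.

```shell
#!/bin/sh
# Added example, not the original post's script: the CA-and-server-certificate
# procedure made non-interactive, plus a verification step.
# Assumptions (placeholders, not real infrastructure): hostname test.example.com,
# IP 203.0.113.10, CA passphrase in $CA_PASS (default "changeit"), work dir as $1.
set -eu

make_ca_and_server_cert() {
    dir="$1"; host="$2"; ip="$3"; pass="${CA_PASS:-changeit}"
    mkdir -p "$dir"

    # Root CA request config: mark the certificate as a CA explicitly instead of
    # relying on whatever defaults "openssl req -x509" picks up.
    cat > "$dir/ca.cnf" <<EOF
[ req ]
distinguished_name = dn
prompt             = no
x509_extensions    = v3_ca
[ dn ]
CN = Example Lab Root CA
O  = Example Lab
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    # Passphrase-protected CA key (the post uses -des3; AES-256 is the modern choice)
    openssl genrsa -aes256 -passout "pass:$pass" -out "$dir/rootCA.key" 4096
    openssl req -x509 -new -sha256 -days 3650 -key "$dir/rootCA.key" -passin "pass:$pass" \
        -config "$dir/ca.cnf" -out "$dir/rootCA.crt"

    # Server CSR config: the post's ssl.conf with prompting disabled
    cat > "$dir/server.cnf" <<EOF
[ req ]
distinguished_name = dn
prompt             = no
req_extensions     = req_ext
[ dn ]
CN = $host
O  = Example Lab
[ req_ext ]
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = $host
IP.1  = $ip
EOF
    openssl genrsa -out "$dir/server.key" 2048
    openssl req -new -sha256 -key "$dir/server.key" -config "$dir/server.cnf" \
        -out "$dir/server.csr"

    # The post's sign.conf. "openssl x509 -req" does not copy the CSR's extensions
    # into the issued certificate, so the SAN is restated here together with the
    # leaf-certificate extensions browsers expect.
    cat > "$dir/sign.cnf" <<EOF
basicConstraints = CA:FALSE
keyUsage         = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = DNS:$host,IP:$ip
EOF
    # 825 days rather than 99999: Apple clients reject longer-lived TLS server certs
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/rootCA.crt" -CAkey "$dir/rootCA.key" \
        -passin "pass:$pass" -CAcreateserial -days 825 -sha256 \
        -extfile "$dir/sign.cnf" -out "$dir/server.crt"
}

# What a client does once rootCA.crt is imported as a trusted root: build the chain
# to the root and match the requested hostname / IP against the SAN. Returns non-zero
# on any failure, so a mismatch is caught before the certificate is deployed.
verify_server_cert() {
    dir="$1"; host="$2"; ip="$3"
    openssl verify -CAfile "$dir/rootCA.crt" -verify_hostname "$host" "$dir/server.crt" >/dev/null &&
        openssl verify -CAfile "$dir/rootCA.crt" -verify_ip "$ip" "$dir/server.crt" >/dev/null
}

# Usage: sh make_lab_ca.sh <workdir> <hostname> <ip>
if [ "$#" -eq 3 ]; then
    make_ca_and_server_cert "$1" "$2" "$3"
    if verify_server_cert "$1" "$2" "$3"; then
        echo "chain, hostname and IP checks passed"
    else
        echo "verification FAILED" >&2
        exit 1
    fi
    openssl x509 -in "$1/server.crt" -noout -subject -dates
    openssl x509 -in "$1/server.crt" -noout -text | grep -A1 'Subject Alternative Name'
fi
```

Browsers match the requested hostname against the subjectAltName entries, not the CN, so the DNS and IP entries are what must be right; the port the post puts into the CN placeholder is never part of certificate matching. Run the verification before importing the root on any client: a hostname or IP that is not in the SAN makes verify_server_cert return non-zero, which is the same failure a browser would show.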

The back end here uses Flask as an example. The certificate and private key are handed to Flask as the ssl_context tuple (the ssl_context argument of app.run()):

ssl_context = ("server.crt", "server.key")

  Then, to complete the trust chain, import rootCA.crt on the client as a "trusted root certificate" and you are done. Tested successfully on both Android and Windows: the HTTPS interface is reached without problems. Port 443 is not required; any other port works normally. Just put the port into the 【SERVER_DOMAIN_NAME_WITH:PORT_NUMBER】 placeholder above, for example test.example.com:6666

  Result screenshot (image not reproduced here):

If a request appears to leave no log entry when you visit the site, try restarting the back-end service program.


Copyright notice
This article was written by uiop_ uiop_ uiop. Please include the original link when reposting. Thank you.
https://yzsam.com/2022/02/202202132359489686.html