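Yesterday, after adding a self-signed certificate, I found that Chrome still would not accept it, reporting that the certificate was missing a SAN (Subject Alternative Name).
It turns out that this check was added after Chrome 57, so the certificate had to be generated again. This time I mainly followed this article:
Notes: the missing_subjectAltName problem when generating a "self-signed" certificate with OpenSSL
and
Provide subjectAltName to openssl directly on command line
The revised sequence for generating the certificates is as follows: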
--
-- Step 1 CA KEY
--
openssl genrsa -out ca.key 2048
--
-- Step 2 CA CRT
--
openssl req -new -x509 -days 365 -key ca.key -subj "/C=CN/ST=GD/L=SZ/O=Acme, Inc./CN=Acme Root CA" -out ca.crt
--
-- Step 3 CSR
--
openssl req -newkey rsa:2048 -nodes -keyout server.key -subj "/C=CN/ST=GD/L=SZ/O=Acme, Inc./CN=*.delianholiday.vm" -out server.csr
--
-- Step 4 Server CRT
--
openssl x509 -req -extfile <(printf "subjectAltName=DNS:delianholiday.vm,DNS:www.delianholiday.vm") -days 365 -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt
Then add the following to the Apache vhost configuration:
#adding custom SSL cert
SSLEngine on
SSLCertificateFile /var/www/delianholiday_web/cert/server.crt
SSLCertificateKeyFile /var/www/delianholiday_web/cert/server.key
SSLCACertificateFile /var/www/delianholiday_web/cert/ca.crt
Then import both certificates, server.crt and ca.crt, into Chrome; after restarting Chrome, everything worked.
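
To check before importing that the Step 4 certificate really carries the SAN entries and chains to ca.crt, the following added example (not part of the original post) reruns Steps 1-4 in a temporary directory and compares the result with a certificate issued without -extfile. The function names (san_names, san_has, chains_to, build_demo, report) and the file names with_san.crt, no_san.crt and san.ext are hypothetical, and the SAN line is written to a file instead of using <(...) so the script also runs under plain sh.

```bash
#!/usr/bin/env bash
# Added example: builds a throwaway CA and two constructed server certificates.
set -eu
SUBJ_CA="/C=CN/ST=GD/L=SZ/O=Acme, Inc./CN=Acme Root CA"
SUBJ_SRV="/C=CN/ST=GD/L=SZ/O=Acme, Inc./CN=*.delianholiday.vm"
SAN="subjectAltName=DNS:delianholiday.vm,DNS:www.delianholiday.vm"

# Print the DNS names in a certificate's SAN extension, one per line (nothing if absent).
san_names() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'X509v3 Subject Alternative Name' \
        | tail -n +2 | tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# Succeed only if host $2 is listed verbatim in the SAN of certificate $1.
san_has() { san_names "$1" | grep -qxF "$2"; }

# Succeed only if certificate $2 verifies against CA certificate $1.
chains_to() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# In directory $1, run Steps 1-4, then repeat Step 4 without -extfile.
# with_san.crt, no_san.crt and san.ext are hypothetical file names.
build_demo() {
    ( cd "$1"
      openssl genrsa -out ca.key 2048 2>/dev/null
      openssl req -new -x509 -days 365 -key ca.key -subj "$SUBJ_CA" -out ca.crt
      openssl req -newkey rsa:2048 -nodes -keyout server.key \
          -subj "$SUBJ_SRV" -out server.csr 2>/dev/null
      printf '%s\n' "$SAN" > san.ext   # file instead of <(...), so plain sh works
      openssl x509 -req -extfile san.ext -days 365 -in server.csr \
          -CA ca.crt -CAkey ca.key -CAcreateserial -out with_san.crt 2>/dev/null
      openssl x509 -req -days 365 -in server.csr \
          -CA ca.crt -CAkey ca.key -CAcreateserial -out no_san.crt 2>/dev/null )
}

# Report on one certificate: chain status and SAN coverage for the given host.
report() {
    chains_to "$1/ca.crt" "$1/$2" && chain=ok || chain=FAIL
    san_has "$1/$2" "$3" && san=present || san=MISSING
    echo "$2: chain=$chain san($3)=$san"
}

tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
build_demo "$tmp"
report "$tmp" with_san.crt www.delianholiday.vm
report "$tmp" no_san.crt   www.delianholiday.vm
report "$tmp" with_san.crt api.delianholiday.vm   # matched only by the wildcard CN
```

The last line reports MISSING because api.delianholiday.vm is covered only by the wildcard CN, and Chrome matches host names against the SAN list alone. Any additional host the site uses has to be listed in the subjectAltName value in Step 4.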