I am trying to generate an ECDSA SSL wildcard certificate signed with my own CA.
I am using these commands:
# Generates CA private key
openssl ecparam -name secp521r1 -genkey -param_enc explicit -out server-ca.key
# Generates CA certificate
openssl req -x509 -sha256 -new -nodes -key server-ca.key -days 3650 -out server-ca.crt
# Generates private key
openssl ecparam -name secp521r1 -genkey -param_enc explicit -out server.key
# Generates certificate signing request
openssl req -new -key server.key -out server.csr -config server.conf -reqexts req_ext
# Generates certificate signed with my CA
openssl x509 -req -sha256 -days 3650 -in server.csr -CA server-ca.crt -CAkey server-ca.key -CAcreateserial -out server.crt -extfile server.conf -extensions req_ext
with this request configuration (server.conf):
[req]
req_extensions = req_ext
distinguished_name = req_dn
default_md = sha256
[req_ext]
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[req_dn]
CN=domain.my
[alt_names]
DNS.1 = domain.my
DNS.2 = *.domain.my
When I configure Apache or nginx with the generated server-ca.crt, server.key and server.crt, I cannot connect over HTTPS.
This is the output of openssl when I try to connect:
CONNECTED(00000003)
140500060243600:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:762:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 308 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---
Whichever curve I use, I can never connect. However, when I use an RSA key instead of ECDSA, everything works.
This is my nginx configuration:
ssl_certificate server.crt;
ssl_certificate_key server.key;
ssl_trusted_certificate server-ca.crt;
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 5m;
ssl_protocols TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS";
What am I doing wrong?
Answer 0 (score: 1)
openssl ecparam -name secp521r1 -genkey -param_enc explicit -out server-ca.key
You must create the key pair without "-param_enc explicit". Don't ask me why ;)
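The reason behind the answer: TLS (RFC 4492 and its successor RFC 8422) only allows named curves in ECDSA certificates, so a key written with explicit domain parameters is rejected by the server's own TLS stack when it tries to pick an ECDHE-ECDSA suite, and the client sees exactly the "handshake failure" alert shown in the question. The script below is an added example, not code from the question or the answer. It regenerates the chain with the question's commands minus `-param_enc explicit`, and it also changes the question's `keyUsage` to `digitalSignature`, since `keyEncipherment`/`dataEncipherment` describe RSA key transport and are not usages an ECDSA signing key has. It then checks the artifacts before they go anywhere near nginx. The working directory, the CA subject "Test Root CA" and the helper function names are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the question or the answer above): regenerate the
# chain with named-curve keys and check the artifacts before deploying them.
# File names, the CA subject and the working directory are assumptions.
set -eu

# Report how an EC private key encodes its curve: "named" (a curve OID, what
# TLS requires for ECDSA certificates) or "explicit" (full domain parameters,
# what -param_enc explicit produces and what TLS peers reject).
ec_param_encoding() {
    key_text=$(openssl ec -in "$1" -noout -text 2>/dev/null) || { echo unreadable; return 0; }
    case "$key_text" in
        *"ASN1 OID:"*)   echo named ;;
        *"Field Type:"*) echo explicit ;;
        *)               echo unknown ;;
    esac
}

# Build the CA and the wildcard server certificate in directory $1 with two
# changes to the question's commands: no -param_enc explicit, and a keyUsage
# of digitalSignature, the only key usage an ECDSA signing key actually has.
build_ecdsa_chain() {
    dir="$1"
    mkdir -p "$dir"
    cat > "$dir/server.conf" <<'EOF'
[req]
distinguished_name = req_dn
req_extensions = req_ext
default_md = sha256
prompt = no

[req_dn]
CN = domain.my

[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[req_ext]
keyUsage = critical, digitalSignature
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1 = domain.my
DNS.2 = *.domain.my
EOF
    # Named-curve keys: simply omit -param_enc explicit (named_curve is the default).
    openssl ecparam -name secp521r1 -genkey -noout -out "$dir/server-ca.key"
    openssl req -x509 -sha256 -new -nodes -key "$dir/server-ca.key" -days 3650 \
        -config "$dir/server.conf" -extensions ca_ext \
        -subj "/CN=Test Root CA" -out "$dir/server-ca.crt"
    openssl ecparam -name secp521r1 -genkey -noout -out "$dir/server.key"
    openssl req -new -key "$dir/server.key" -config "$dir/server.conf" \
        -reqexts req_ext -out "$dir/server.csr"
    openssl x509 -req -sha256 -days 3650 -in "$dir/server.csr" \
        -CA "$dir/server-ca.crt" -CAkey "$dir/server-ca.key" -CAcreateserial \
        -extfile "$dir/server.conf" -extensions req_ext -out "$dir/server.crt"
    # Chain check: the leaf must verify against the CA that was just created.
    openssl verify -CAfile "$dir/server-ca.crt" "$dir/server.crt" >/dev/null
}

# Static checks on the issued certificate that map onto what an ECDHE-ECDSA
# cipher suite needs: a named curve, digitalSignature key usage and the
# wildcard SAN. Returns 0 only if all three are present.
cert_usable_for_ecdsa_tls() {
    cert_text=$(openssl x509 -in "$1" -noout -text)
    case "$cert_text" in *"ASN1 OID:"*) ;; *) return 1 ;; esac
    case "$cert_text" in *"Digital Signature"*) ;; *) return 1 ;; esac
    case "$cert_text" in *"DNS:*.domain.my"*) ;; *) return 1 ;; esac
    return 0
}

# Stand-alone run (sh this_script.sh run): show the broken key first, then the fixed chain.
if [ "${1:-}" = "run" ]; then
    work=$(mktemp -d)
    openssl ecparam -name secp521r1 -genkey -param_enc explicit -noout -out "$work/bad.key"
    echo "key generated with -param_enc explicit: $(ec_param_encoding "$work/bad.key")"
    build_ecdsa_chain "$work/chain"
    echo "server.key: $(ec_param_encoding "$work/chain/server.key")"
    cert_usable_for_ecdsa_tls "$work/chain/server.crt" && echo "server.crt: usable for ECDSA TLS"
fi
```

Once the new server.crt and server.key are in place, confirm the result end to end with `openssl s_client -connect domain.my:443 -servername domain.my`: the handshake should complete and the "Cipher is" line should name an ECDHE-ECDSA suite rather than "(NONE)".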