[svc] Simulating an HTTPS site with cfssl: exploring how browsers validate certificates

Published: 2024/4/13, category HTML, by 豆豆

Preparing the cfssl environment

```shell
wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64 -O /usr/local/bin/cfssl
wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64 -O /usr/local/bin/cfssljson
wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64 -O /usr/local/bin/cfssl-certinfo
chmod +x /usr/local/bin/cfssl*
```

Generating the CA certificate

```shell
cd; mkdir keys; cd keys
cat > ca-config.json <<EOF
{
  "signing": {
    "default": {"expiry": "8760h"},
    "profiles": {
      "app": {
        "usages": ["signing", "key encipherment", "server auth", "client auth"],
        "expiry": "8760h"
      }
    }
  }
}
EOF
cat > ca-csr.json <<EOF
{
  "CN": "k8s",
  "key": {"algo": "rsa", "size": 2048},
  "names": [{"C": "CN", "ST": "BeiJing", "L": "BeiJing", "O": "k8s", "OU": "System"}]
}
EOF
cfssl gencert -initca ca-csr.json | cfssljson -bare ca
```

Generating the server certificate

```shell
cd /root/keys
cat > app-csr.json <<EOF
{
  "CN": "app",
  "hosts": ["127.0.0.1", "192.168.1.11", "app", "app.ma.com"],
  "key": {"algo": "rsa", "size": 2048},
  "names": [{"C": "CN", "ST": "BeiJing", "L": "BeiJing", "O": "k8s", "OU": "System"}]
}
EOF
cfssl gencert -ca=/root/keys/ca.pem \
  -ca-key=/root/keys/ca-key.pem \
  -config=/root/keys/ca-config.json \
  -profile=app app-csr.json | cfssljson -bare app
openssl x509 -noout -text -in app.pem
```

Building an HTTPS web server for the test

```shell
cd /root/
cat > http-server.js <<EOF
var https = require('https');
var fs = require('fs');
var options = {
  key: fs.readFileSync('./keys/app-key.pem'),
  cert: fs.readFileSync('./keys/app.pem')
};
https.createServer(options, function (req, res) {
  res.writeHead(200);
  res.end('hello world');
}).listen(8000);
EOF
yum install nodejs -y
npm install https -g   # not actually required: https is a built-in Node module
node http-server.js
```

Visit the server at https://192.168.1.x:8000 (the domain has been added to the local hosts file).

Result

Opera browser

Dealing with the browser security warning

1. Export ca.pem to the Win7 machine and rename it to ca.crt.

2. Run certmgr.msc to open the certificate manager.

3. Visit port 8000 in the browser (Ctrl+Shift+Del to clear the cache).

Opera browser

4. Accessing via apps.ma.com also gives an error.

No SAN (Subject Alternative Name), CN: app.ma.com: an error even when the domain in the address bar is identical to the CN

```shell
cd /root/keys
rm -rf app*
# the "hosts" field is removed, so the certificate gets no SAN
cat > app-csr.json <<EOF
{
  "CN": "app.ma.com",
  "key": {"algo": "rsa", "size": 2048},
  "names": [{"C": "CN", "ST": "BeiJing", "L": "BeiJing", "O": "k8s", "OU": "System"}]
}
EOF
cfssl gencert -ca=/root/keys/ca.pem \
  -ca-key=/root/keys/ca-key.pem \
  -config=/root/keys/ca-config.json \
  -profile=app app-csr.json | cfssljson -bare app
openssl x509 -noout -text -in app.pem
```

No SAN (Subject Alternative Name), CN: *.ma.com: an error even when the domain in the address bar matches the CN

```shell
cd /root/keys
rm -rf app*
cat > app-csr.json <<EOF
{
  "CN": "*.ma.com",
  "key": {"algo": "rsa", "size": 2048},
  "names": [{"C": "CN", "ST": "BeiJing", "L": "BeiJing", "O": "k8s", "OU": "System"}]
}
EOF
cfssl gencert -ca=/root/keys/ca.pem \
  -ca-key=/root/keys/ca-key.pem \
  -config=/root/keys/ca-config.json \
  -profile=app app-csr.json | cfssljson -bare app
openssl x509 -noout -text -in app.pem
```

SAN contains app.ma.com (Subject Alternative Name), CN: *.ma.com: only the name app.ma.com can be used to access the server

```shell
cd /root/keys
rm -rf app*
cat > app-csr.json <<EOF
{
  "CN": "*.ma.com",
  "hosts": ["app.ma.com"],
  "key": {"algo": "rsa", "size": 2048},
  "names": [{"C": "CN", "ST": "BeiJing", "L": "BeiJing", "O": "k8s", "OU": "System"}]
}
EOF
cfssl gencert -ca=/root/keys/ca.pem \
  -ca-key=/root/keys/ca-key.pem \
  -config=/root/keys/ca-config.json \
  -profile=app app-csr.json | cfssljson -bare app
openssl x509 -noout -text -in app.pem
cd ..; node http-server.js
```


SAN contains *.ma.com (Subject Alternative Name), CN: *.ma.com: any *.ma.com name can be used to access the server

```shell
cd /root/keys
rm -rf app*
cat > app-csr.json <<EOF
{
  "CN": "*.ma.com",
  "hosts": ["*.ma.com"],
  "key": {"algo": "rsa", "size": 2048},
  "names": [{"C": "CN", "ST": "BeiJing", "L": "BeiJing", "O": "k8s", "OU": "System"}]
}
EOF
cfssl gencert -ca=/root/keys/ca.pem \
  -ca-key=/root/keys/ca-key.pem \
  -config=/root/keys/ca-config.json \
  -profile=app app-csr.json | cfssljson -bare app
openssl x509 -noout -text -in app.pem
cd ..; node http-server.js
```

Looking at some certificates on the Internet

  • Autohome's wildcard (*) certificate (and a single certificate covering multiple domains)

  • Google's www certificate

The difference between wildcard and SAN certificates

wildcard: the variable part is the sub-domain: *.maotai.com covers www.maotai.com, bbs.maotai.com
san: the variable parts are the subdomain and the domain: *.ma.com, *.ma.net, *.xx.net

Note: a wildcard certificate generally costs about half again as much as a www certificate.

How browsers verify certificates

Reference: http://www.cnblogs.com/iiiiher/p/8085698.html
When a browser connects to your server over HTTPS, it checks that your SSL certificate matches the host name in the address bar.

==Browsers have three ways to find a match:==

  • 1. The host name (in the address bar) exactly matches the Common Name in the certificate's Subject.
  • 2. The host name matches a wildcard Common Name. For example, www.example.com matches the common name *.example.com.
  • 3. The host name is listed in the Subject Alternative Name (SAN) field.
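The following Python script is an added illustration, not code from the original post or from cfssl. It models the three matching rules above and the stricter behaviour of current browsers, which consult the SAN only: Chromium-based browsers (Opera included) stopped falling back to the Common Name in Chrome 58, and that is what makes the two "no SAN" certificates from the experiments fail even when the CN is identical to the address-bar name. The certificate dictionaries are constructed samples in the shape returned by `ssl.getpeercert()`, mirroring the CSR variants used in the experiments, so a real peer certificate can be fed to the same functions. It goes slightly beyond the text by also honouring IP-address SAN entries, as the first certificate (with 127.0.0.1 and 192.168.1.11 in its hosts list) has them.

```python
from __future__ import annotations

# Model of how a browser matches the address-bar host name against a
# server certificate.  Certificates are plain dicts in the shape that
# Python's ssl.getpeercert() returns.  Sample certificates below are
# constructed for this example; they are not real certificates.


def _match_dns(pattern: str, host: str) -> bool:
    """Match one DNS name or wildcard pattern against a host name.

    A wildcard is honoured only as the whole leftmost label ("*.ma.com")
    and it stands for exactly one label: app.ma.com matches, but ma.com
    and a.b.ma.com do not.  Patterns like "app*.ma.com" are treated as
    literals and therefore never match.
    """
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    p_labels = pattern.split(".")
    h_labels = host.split(".")
    # refuse "*.com"-style wildcards and require the same number of labels
    if len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def san_names(cert: dict) -> tuple[list[str], list[str]]:
    """Split the subjectAltName entries into DNS names and IP addresses."""
    entries = cert.get("subjectAltName", ())
    dns = [value for kind, value in entries if kind == "DNS"]
    ips = [value for kind, value in entries if kind == "IP Address"]
    return dns, ips


def common_name(cert: dict) -> str | None:
    """Return the commonName from the Subject, or None if absent."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def host_matches(cert: dict, host: str, legacy_cn_fallback: bool = False) -> tuple[bool, str]:
    """Decide whether `host` is covered by `cert`; returns (matched, reason).

    Rule 3 (SAN) is always applied first, and once any SAN entry exists the
    CN is never consulted (RFC 6125).  Rules 1 and 2 (exact or wildcard CN)
    apply only when the certificate has no SAN and legacy_cn_fallback is
    True; with the default False the function behaves like a current
    Chromium-based browser, which ignores the CN entirely.
    """
    dns, ips = san_names(cert)
    for name in dns:
        if _match_dns(name, host):
            return True, f"matched SAN DNS name {name}"
    if host in ips:
        return True, f"matched SAN IP address {host}"
    if dns or ips:
        return False, "SAN present but host not listed; CN is ignored"
    cn = common_name(cert)
    if not legacy_cn_fallback:
        return False, "no SAN; CN not consulted (modern browser behaviour)"
    if cn and _match_dns(cn, host):
        return True, f"matched CN {cn} via legacy fallback"
    return False, f"no SAN and CN {cn!r} does not match"


# Constructed samples mirroring the article's CSR variants.
CERT_FIRST = {  # CN "app", hosts 127.0.0.1 / 192.168.1.11 / app / app.ma.com
    "subject": ((("commonName", "app"),),),
    "subjectAltName": (("DNS", "app"), ("DNS", "app.ma.com"),
                       ("IP Address", "127.0.0.1"), ("IP Address", "192.168.1.11")),
}
CERT_CN_ONLY = {"subject": ((("commonName", "app.ma.com"),),)}
CERT_WILDCARD_CN_ONLY = {"subject": ((("commonName", "*.ma.com"),),)}
CERT_SAN_APP = {
    "subject": ((("commonName", "*.ma.com"),),),
    "subjectAltName": (("DNS", "app.ma.com"),),
}
CERT_SAN_WILDCARD = {
    "subject": ((("commonName", "*.ma.com"),),),
    "subjectAltName": (("DNS", "*.ma.com"),),
}

if __name__ == "__main__":
    cases = [
        ("first cert", CERT_FIRST, "apps.ma.com"),
        ("CN only", CERT_CN_ONLY, "app.ma.com"),
        ("wildcard CN only", CERT_WILDCARD_CN_ONLY, "app.ma.com"),
        ("SAN app.ma.com", CERT_SAN_APP, "bbs.ma.com"),
        ("SAN *.ma.com", CERT_SAN_WILDCARD, "bbs.ma.com"),
    ]
    for label, cert, host in cases:
        for legacy in (False, True):
            ok, why = host_matches(cert, host, legacy_cn_fallback=legacy)
            print(f"{label:18} {host:14} legacy={legacy!s:5} -> {ok!s:5} {why}")
```

Running it with `legacy_cn_fallback=False` reproduces the experiments: both CN-only certificates are rejected, the certificate with `app.ma.com` in its SAN accepts only that exact name, and the `*.ma.com` SAN accepts any single-label subdomain but not `ma.com` itself. It also shows why step 4 above fails: `apps.ma.com` is simply not among the first certificate's SAN entries, so no browser, old or new, will accept it.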

Reference

The client uses the information returned by the server to verify the server's legitimacy, including:

  • whether the certificate has expired;
  • whether the CA that issued the server certificate is trusted;
  • whether the returned public key can correctly verify (decrypt) the digital signature in the returned certificate;
  • whether the domain name on the server certificate matches the server's actual domain name -- check the CN or SAN, see above.

If verification passes, communication continues; otherwise it is terminated.

Where to see the SAN

Reference: https://www.digicert.com/subject-alternative-name.htm

Summary: it is precisely because the domain being visited is in the SAN list that the access passes validation.
