go 1.15版后仅支持SAN证书,创建本机运行的SAN证书流程如下:
-
创建CA根证书
$openssl genrsa -out ca.key 2048 $openssl req -sha256 -new -x509 -days 36500 -key ca.key -out ca.crt -subj "/C=CN/ST=ZJ/L=HZ/O=Learn/OU=GH/CN=localhost"
-
创建服务端证书
$openssl genrsa -out server.key 2048 $openssl req -new \ -sha256 \ -key server.key \ -subj "/C=CN/ST=ZJ/L=HZ/O=Learn/OU=GH/CN=localhost" \ -reqexts SAN \ -config <(cat ./openssl.cnf \ <(printf "[SAN]\nsubjectAltName=DNS:localhost.test,DNS:localhost")) \ -out server.csr $openssl x509 -req -days 36500 \ -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial \ -extfile <(printf "subjectAltName=DNS:localhost.test,DNS:localhost") \ -out server.crt
-
创建客户端证书
$openssl genrsa -out client.key 2048 $openssl req -new \ -sha256 \ -key client.key \ -subj "/C=CN/ST=ZJ/L=HZ/O=Learn/OU=GH/CN=localhost" \ -reqexts SAN \ -config <(cat ./openssl.cnf \ <(printf "[SAN]\nsubjectAltName=DNS:localhost.test,DNS:localhost")) \ -out client.csr $openssl x509 -req -days 36500 \ -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial \ -extfile <(printf "subjectAltName=DNS:localhost.test,DNS:localhost") \ -out client.crt