Security Changes in Chrome 58: Common Name Support Dropped.
Read more at https://www.thesslstore.com/blog/security-changes-in-chrome-58/
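Starting with version 58, Chrome no longer supports the Common Name field. If the certificate's SANs (Subject Alternative Names) do not list the corresponding DNS name or IP, Chrome will not trust the certificate.
So how do we generate a certificate that carries SANs? The rough steps are as follows:
- Create a configuration file, for example ca.conf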
[req]
default_bits = 2048
prompt = no
default_md = sha256
x509_extensions = v3_req
distinguished_name = dn
[dn]
C = CN
ST = Beijing
L = Beijing
O = AXESDN
CN = AXESDN
[v3_req]
subjectAltName = @alt_names
[alt_names]
DNS.0 = localhost
DNS.1 = company.com
IP.0 = xxx.xxx.xxx.xxx
IP.1 = yyy.yyy.yyy.yyy
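Make sure the alt_names section contains the DNS names and IPs you need.
- Create the certificate using the configuration file ca.conf
openssl req -new -x509 -newkey rsa:2048 -sha256 -nodes -keyout company.com.key -days 3560 -out company.com.crt -config ca.conf
Then mark the certificate as trusted in the OS, and Chrome will no longer show a warning.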
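Before trusting the certificate in the OS, it is worth reading the SAN list back out of the generated file, since a typo in the config silently produces a CN-only certificate that Chrome 58+ rejects. The script below is an added example, not part of the original post; the helper names (list_sans, check_san, make_cert) are hypothetical and the names in the usage comment are sample values.

```bash
#!/usr/bin/env bash
# Added example. Names and the IP used in the usage comment are constructed.

# Print one SAN entry per line, e.g. "DNS:localhost" or "IP Address:127.0.0.1".
# Prints nothing when the certificate has no subjectAltName extension.
list_sans() {
    openssl x509 -in "$1" -noout -text |
        grep -A1 'X509v3 Subject Alternative Name' | tail -n +2 |
        tr ',' '\n' | sed 's/^[[:space:]]*//; s/[[:space:]]*$//'
}

# check_san CERT ENTRY...  returns 0 only if every ENTRY is an exact SAN entry.
check_san() {
    local cert="$1" sans want missing=0
    shift
    sans=$(list_sans "$cert")
    for want in "$@"; do
        if ! printf '%s\n' "$sans" | grep -Fxq -- "$want"; then
            echo "missing SAN: $want" >&2
            missing=1
        fi
    done
    return "$missing"
}

# make_cert DIR SAN  writes DIR/test.crt, a throwaway self-signed certificate.
# SAN is a subjectAltName value; pass '' to get a CN-only certificate.
make_cert() {
    local dir="$1" san="$2"
    printf '[req]\nprompt = no\ndistinguished_name = dn\n' > "$dir/test.conf"
    if [ -n "$san" ]; then
        printf 'x509_extensions = v3_req\n[v3_req]\nsubjectAltName = %s\n' \
            "$san" >> "$dir/test.conf"
    fi
    printf '[dn]\nCN = company.com\n' >> "$dir/test.conf"
    openssl req -new -x509 -newkey rsa:2048 -sha256 -nodes -days 1 \
        -keyout "$dir/test.key" -out "$dir/test.crt" \
        -config "$dir/test.conf" 2>/dev/null
}

# Usage: check_san company.com.crt 'DNS:localhost' 'DNS:company.com'
if [ $# -ge 2 ]; then check_san "$@"; fi
```

IP entries appear in the openssl text output as `IP Address:<addr>`, so that is the form to pass to check_san.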