0、引言

本文翻译整理自OpenSSL Cookbook :https://www.feistyduck.com/books/openssl-cookbook/ 的【Key and Certificate Management】章节。

本想支持一下作者的书籍，但是网上连影印版都没有，亚马逊上卖500多块，凑合着翻译一点留着备用。

下面主要描述的是怎样使用OpenSSL命令来生成搭建HTTPS Web Server需要的私钥和证书。环境自然是Linux。

通常分为以下几个步骤：　　

• 生成私钥文件
• 生成证书签名请求(CSR)文件
• CA机构或者自己签发证书
• 将私钥和证书导入Web Server

在开始之前，需要知道的几个基本术语

• 对称加密 与 非对称加密
• PKI
• X509
• CA
• CSR

1、生成密钥

使用公共加密(pbulic encryption)的第一步是生成一个私钥(private key)，在生成私钥前你要作3个选择，选择使用什么加密算法、选择密钥的长度 和 选择是否使用通行码保护密钥。

1.1、密钥算法(Key algorithm)

OpenSSL支持RSA、DSA 俺的 ECDSA 密钥,但是并不是所有类型的密钥在所有的情景下都是实用的。

例如，所有人都是用RSA算法生成SSL密钥，这是因为DSA密码的长度限制为1024位(Windows系统支持的最大位数)，

并且ECDSA密钥没有被CA机构广泛支持。对于SSH，DSA 和 RSA的使用都很广泛，但是不是所有的客户端都支持ECDSA密钥。

1.2、密钥长度(Key size)

默认的密钥长度可能是不安全的，所以生成密钥时需要明确的配置密钥的长度。

例如，RSA密钥的默认长度是512位，这是不安全的。现如今如果你的服务器密钥是512位的，

那么入侵者可以使用的你的证书采用暴力破解的方式获取你的私钥，之后他能够冒充你的网站。

现如今2048位的RSA的密钥被认为是安全的，并且这也是你应该使用的密钥长度。

同样的2048位的DSA密钥，至少224位的ECDSA密钥是被认为安全的。

1.3、通行码(Passphrase)

密钥是用通行码是可选的，但是建议使用。受保护的密钥可以安全的存储、传输 和 备份。

但是这样也会造成不便，因为没有通行码你就不能使用这些密码。例如，你每次重启的web服务器时都可能要求你输入通行码。

对于大部分人来说，这样很不方面，或者产生一些不能接受的影响。

另外，使用受保护的密钥实际上不会增强安全性。这是因为一旦使用的该密钥，私钥就会保存在程序的内容中并且不受保护。

能够访问服务器的攻击者只需要一些技巧就能够从内存中拿到私钥。

通行码应该被视为保护未安装在产品系统中的私钥的一种机制，

从另一方面说，即使把通行码保存在产品系统中也没有关系，这也比使用不受通行码保护的密钥好的多。

如果你需要更强的安全性，你应该投资一个硬件解决方案。

通行码的保护方式有DES、3DES、SEED、AES-128、AES-192、AES-256，建议使用AES。

1.4、生成密钥

1.4.1、生成使用通行码保护的RSA私钥

//生成使用通行码保护的私钥$ openssl genrsa -aes256 -out fd.key 2048
Generating RSA private key, 2048 bit long modulus
..............................................................................+++
..+++
e is 65537 (0x10001)
Enter pass phrase for fd.key: ****
Verifying - Enter pass phrase for fd.key:****

//显示生成私钥的内容
$ cat fd.key
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,DEE8683382BEC12E8D6ADD71DA91C222

uFgnmm9R40heSNzoRKrNrKbwDwfBvDO+KAabn5OVsLAGK3KjcEf2+xtiBo7FiRgg
MTYlikWi0YoNTxBlyIiWFm5yKk4WJ5LU6zBTSVl478vC0QGs4winhs18sXM4Qlyk
qLr1rcAek4MZ/LeSH8m6sf/9USyJCEYQJG/DMYKNX2a1R/DpHl9l3+UoN03yagmR
bs1CX2TXfdOZG1uJTCawLVmQGfbMyqarpXlQrsO4MSQUaFEsMVwy/OhBxzhAZYTj
2YqrtVWKVOCfaxwjZ6xZjVI9mTd0299dBiR/bgWT6pUJYUhETiBtsDtGhROADelo
n2Jt8qEGP6ACZgYwb5zl78FWq+v/IBWKWBulOAmjfaJ3jBZIV/BdbosfUr9pHzm7
X5/GdI1kk5Vze0zePf9BGmX7Kv4086/sF/v2gel7kNsZowXqfRxwap8FcTmGpOJy
BWUzjkRJImAqsSIH9aSPZL0jq5p0Knl+DON8s9VAsicNTiDzVYaJ934M1CUghyXS
Gdbnk3fUU7xJ69zDXOjQG4ZUfWotMiKvoJl0avJq6eaUKVdzsJN3XiJ+Okff0faj
L23vY9bvFeBJWFPeNU+5TDFLwKg1qaXm+cckiWk46G9QMGt1FieZTclOFZaoMDvl
WMFSsmbJ+L8kR41DjJFVQJSJM98PzNPjx38/21ol7yU1Kvdac3odKw7Qg0ZSGqFm
9iEMML6F9DkXu8yRHTPX8+q9vQddxLIjTHz6BU2DAHk1MIFJwkR9l3wsZD/eYpcB
TMsCxbQFcXq27Fq1d+GXpXfcBihfaXzD+qQ2fQs92Uxp93mROgfqlIUeYPrwqjvc
Pr7OwCZwQQy5vHADxMvcisSWHdPVRv1d6Yhgi5q4WU5ZUVWSCBEq4ySrdpJ0FKLI
fGejxjy2Irwb/92+dQGGmmzZrEAB6JxisOkxgiepbJrlyHiVrMLOcpKrefMMTJUl
JswmTTX1bzoHHT+t/vl9Leag9tnQFRGNmLl9x53Pxva0Dzm+GkK8pU/I1cD355FT
ltWQbwbQBJ9J+7HqOage2e5DbV2+TxpmVRLdcvcsXfW1LVs8bBGEy0ZV/BDGqXga
sU+8TIDvCmgRZOmBBb5DJDa65SgZaR0oi2uXVWilIJkm99WCV9YR0KSe7PNo90z8
LLYPbQvU5Vy2REQDSNLld6eUMl4giHC1XR7p1+P0X8UBVFetX9rqU+Cr1qDPanYq
AdcH+2+gBeJDqxovZbKngrYHgdNjjtmSH+lLLrjW4Xrb3KjzZICQjrUF5W+Vsaif
o5Yzh2/OmAlvo+8Qz/Asw3+wbpQzrBgzHMvaDa6KevRWowJYC7NJhPTSi5dCQbbo
7nup7WSan3QAN+6K4Lp89JJW5E2CHA6yJf6XGPxmCb5APdp7QQeB9J84kn6PG5qz
taaZ0ynlwQIYpGI4Ju6Ick3hzuCbzg4bkW7E4wQPi/02ohLomDNNPyys+6Ej90yI
LH15/NGAOOcx2l0SR77WbNFtx3zkbUlf/sXSU/AQGRoa1Wc5aX2PeTl/rYObjXUU
CdxlQvDamSBpGM8OqtVX6CXQkPE34mg5fezWTvqwaSZWJtBbtIVeVRUamL50pH/P
-----END RSA PRIVATE KEY-----

//去除私钥中的通行码保护$ openssl rsa -in fd.key -out fd.key

1.4.2、生成不使用通行码保护的RSA私钥

$ openssl genrsa -out fd.key 2048
Generating RSA private key, 2048 bit long modulus
............................................+++
...................+++
e is 65537 (0x10001)

$ cat fd.key 
-----BEGIN RSA PRIVATE KEY-----
MIIEpQIBAAKCAQEA5xT4MQorNkAvyZRZ5pXdejI+tUESWXKvDudG6MXhOHSy2S+d
i66EIFbIMBqGihQXOlcW+MyrQQA4BAPJYidmUludwzdi8qDwjXvw/EN8z/L+jUzj
gKmtigzaQbWnjNH4OQDCD+Q095ocfmpzdKRJH2WWUf5PJILYRcC1xSswcNo+LfPd
P8ScSgBg/rTWXB7XagQNKQEBmnAvxd89S8laWLHmojTqoIEaM7pe6dJkF1RKzasx
ocszx2FJXmxlDKpkzvYxTGEXctGZPi8q4cEfkkI3/XZAY58rJf+5XSZDkRXhXeDn
EQW9zZ6dHMdYYnaoSIezzsaS7qYwMMwRM2A3gQIDAQABAoIBAQDfCgZkjwQWYO2/
C0manpwfDdAo8p3baC4/nEt88UHpU/osVyEhaVhuPlUK2Q9yxuGElfq+Og4xtxxa
A62k55KDe5pSimse9Og6J576XclijY/UopoT3bJ6xN0E/2ixKxkDLBAjdokJU96c
xfKaateJTmxAx81r2D8XVGId5QnkYWyK/vuHF8Xys24pqzunLinBWUBcwcEizZj8
drLb7Fo1x2C6GdsmBwVHN2QYWlmgbOzFpO3Oigs8z/IF+oEBZwcLZIqAGlh3rhN0
Q552JhRqQ/jm3J7ljx4AQK2JMkf384cxpmXyKSb+S31Ug3cBNmhaDEJLADX3QU/L
jO75JKgBAoGBAPTHT0YqDHpAduH1IWsizpaOaCcNSJFkK644597+yCTTV1eoW5Ng
sdCh3ABBtcwMLcbIytMwrJKnw4E9CUVra+E9Vi0FIBmxvpx6IKrOVYFg2KzHz13r
hAqdmiK/O4Aqbwv9Mz4vloK+j+q36MkuxmwGEqfU08SlsCFODWL79XwRAoGBAPGs
6vM0Ey/y9xY25apprSt1g5wSUp+HHdVVFf/Ilqp89jrrwTtGy1L3UTpMjr642wZ8
RgyUkoeVSqTZO/wQlh9i9Mld7hr7W4e3PUXrtWSw8PYa2rInoFdpznbhY+DrUOCw
PKKpfeR8k56crtrQbtQq7u0f6nLjfxx20LQ2wTRxAoGADYRQEVzTEZErv3CM5uCm
LdQxVi66miTA8L79tue036u4AAQxAmNtjkrR3kXCp0Do6jg+Uwk2DmcrOaDIOUgk
TezYLGZDDogtMXDhCu2X9SwG6wuhnNsbkIaBc3fB7mLpfOz/fmicVB33zotXVHy7
wk1XjGMJSqunnT81KAkn1jECgYEAoSQ9HKCSUpxcaDF+fVwtHRckBAKrmLcNC1vK
aVykKVVdEPh1RUL0+4LwZED7xOuZDv/57RV7hm/i73vxZSbiEld3BHVe+Bq1cw6Z
CnAZ6OOaJ17Mh5GodeCUy+uJH0WIDek05PjCeoEeJNowNLJZ05o06WMofiZ2cNJA
YolH1eECgYEAzmuCb9SHA0HUB94bb8zi/vqyJklVUyXh45j5Huv9oupm01Ho9moI
7lD/amxFA9v4CYvznwDKfYva8GHe7TKtndhVCIyo3o9LL6PnmAEpEq7ilZ7IQpLN
WTAvKwaY88M3KawO1AeDiBEN8+HQ8Y9bK6lXb+jWBhUfSoWwhTD3WZU=
-----END RSA PRIVATE KEY-----
$ 

1.4.3、生成私钥对应的公钥

$ openssl rsa -in fd.key -pubout -out fd-public.key
Enter pass phrase for fd.key:****  //如果是没有通行码保护的私钥则不需要输入通行码
writing RSA key

$ cat fd-public.key
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsgw1bgwqlzToi4oC+T3Q
gksuTiPJpNbUBWrpXa2tyCqcDp01u3mgxd/WXcEKoxWrUeAwfRXA0PZQY1QP0sPS
cdjWtPvGxBGEplstN+kOHBh9miMPXhVKr6PjCcI4nWDDXXh9IHnXta8O0zKy5jlk
+IUmTaf2WGen1o9wiscYTeSwlz4FLENNU3s+7N6fEG1jPggE5B6fzWabfUAFhrCY
RIQFEMn1c6fM/NgZSJaGUKXOWPcfRR/+aYJtls2eXpeGz53PBB4JLOH9kTI0+Asa
3+IFDXncFUg724bsFmYxJ57DGau9S+KqEkT2FmdxQR5JoGC2by+xsgMS0i14x3aR
oQIDAQAB
-----END PUBLIC KEY-----
$ 

2、创建CSR请求文件(Creating Certificate Signing Requests)

拥有了私钥之后, 你就可以创建一个证书签名请求(Certificate Signing Request/CSR)文件。
可以使用这个文件向CA机构请求签名的证书(通常是广受信任的CA机构，需要付费的，当然也有免费的)。
当然也可以也可以自己签发证书。制作CSR文件通常是一个交互的过程，需要用户输入许多相关的信息。
其中需要注意的是Common Name字段是网址。

//根据私钥生成csr文件$ openssl req -new -key fd.key -out fd.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.‘, the field will be left blank. //接下来会要求你输入几个字段的内容，如果你想让该字段留空，那么你应该输入一个英文句号后回车，如果只敲了回车，那么某些字段会有默认值，这可能跟你想要的不同，所以需要注意这一点。
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Beijing
Locality Name (eg, city) [Default City]:Beijing
Organization Name (eg, company) [Default Company Ltd]:Some Technology Co., Ltd.
Organizational Unit Name (eg, section) []:Organizational-Unit-Name
Common Name (eg, your name or your server‘s hostname) []:www.test.com
Email Address []:[email protected]

Please enter the following ‘extra‘ attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

//直接查看生成的csr文件内容$ cat fd.csr-----BEGIN CERTIFICATE REQUEST-----MIIC8zCCAdsCAQAwga0xCzAJBgNVBAYTAkNOMRAwDgYDVQQIDAdCZWlqaW5nMRAwDgYDVQQHDAdCZWlqaW5nMSMwIQYDVQQKDBpTb21lIFRlY2hub2xvZ3kgQ28uLCBMdGQuIDEhMB8GA1UECwwYT3JnYW5pemF0aW9uYWwtVW5pdC1OYW1lMRQwEgYDVQQDDAtDb21tb24tTmFtZTEcMBoGCSqGSIb3DQEJARYNdGVzdEB0ZXN0LmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAOcU+DEKKzZAL8mUWeaV3XoyPrVBEllyrw7nRujF4Th0stkvnYuuhCBWyDAahooUFzpXFvjMq0EAOAQDyWInZlJbncM3YvKg8I178PxDfM/y/o1M44CprYoM2kG1p4zR+DkAwg/kNPeaHH5qc3SkSR9lllH+TySC2EXAtcUrMHDaPi3z3T/EnEoAYP601lwe12oEDSkBAZpwL8XfPUvJWlix5qI06qCBGjO6XunSZBdUSs2rMaHLM8dhSV5sZQyqZM72MUxhF3LRmT4vKuHBH5JCN/12QGOfKyX/uV0mQ5EV4V3g5xEFvc2enRzHWGJ2qEiHs87Gku6mMDDMETNgN4ECAwEAAaAAMA0GCSqGSIb3DQEBCwUAA4IBAQDMZGRSEHwJ6YPmnZeCF490dH1R9xEjRqKuTos5tIfScULarTaeMSpE8aXWuC4NhPaws57EvOaECVhXd4nHWqiHVLSzjGh6bu3F/Jhea3E3SL3JZQU0ap0EdIGgu2ASl6AnNnM1vu7MKcEU5ogwL4BVuhy6bS1J+fV3QaJzXsz/ts/rdsj0JC0IzPcdOclGdL3fNHyxlzBPEWM2FdpwL/AhNBLZp6xmgo9msuhC6OZ2kZs7nIO21MfUZrD+2gLwAagxV64SG6hL/mkWCGqUvu5gobOaec/xk9zAq1oHo7p6HknUwqTY4dcI0BhVQT6cXBf+PXaSCCwxljXWRNY7ex/H-----END CERTIFICATE REQUEST-----

//查看csr文件中输入等信息，可以检查是否有输入错误$ openssl req -text -in fd.csr -nooutCertificate Request:    Data:        Version: 0 (0x0)        Subject: C=CN, ST=Beijing, L=Beijing, O=Some Technology Co., Ltd. , OU=Organizational-Unit-Name, CN=www.test.com/[email protected]        Subject Public Key Info:            Public Key Algorithm: rsaEncryption                Public-Key: (2048 bit)                Modulus:                    00:e7:14:f8:31:0a:2b:36:40:2f:c9:94:59:e6:95:                    dd:7a:32:3e:b5:41:12:59:72:af:0e:e7:46:e8:c5:                    e1:38:74:b2:d9:2f:9d:8b:ae:84:20:56:c8:30:1a:                    86:8a:14:17:3a:57:16:f8:cc:ab:41:00:38:04:03:                    c9:62:27:66:52:5b:9d:c3:37:62:f2:a0:f0:8d:7b:                    f0:fc:43:7c:cf:f2:fe:8d:4c:e3:80:a9:ad:8a:0c:                    da:41:b5:a7:8c:d1:f8:39:00:c2:0f:e4:34:f7:9a:                    1c:7e:6a:73:74:a4:49:1f:65:96:51:fe:4f:24:82:                    d8:45:c0:b5:c5:2b:30:70:da:3e:2d:f3:dd:3f:c4:                    9c:4a:00:60:fe:b4:d6:5c:1e:d7:6a:04:0d:29:01:                    01:9a:70:2f:c5:df:3d:4b:c9:5a:58:b1:e6:a2:34:                    ea:a0:81:1a:33:ba:5e:e9:d2:64:17:54:4a:cd:ab:                    31:a1:cb:33:c7:61:49:5e:6c:65:0c:aa:64:ce:f6:                    31:4c:61:17:72:d1:99:3e:2f:2a:e1:c1:1f:92:42:                    37:fd:76:40:63:9f:2b:25:ff:b9:5d:26:43:91:15:                    e1:5d:e0:e7:11:05:bd:cd:9e:9d:1c:c7:58:62:76:                    a8:48:87:b3:ce:c6:92:ee:a6:30:30:cc:11:33:60:                    37:81                Exponent: 65537 (0x10001)        Attributes:            a0:00    Signature Algorithm: sha256WithRSAEncryption         cc:64:64:52:10:7c:09:e9:83:e6:9d:97:82:17:8f:74:74:7d:         51:f7:11:23:46:a2:ae:4e:8b:39:b4:87:d2:71:42:da:ad:36:         9e:31:2a:44:f1:a5:d6:b8:2e:0d:84:f6:b0:b3:9e:c4:bc:e6:         84:09:58:57:77:89:c7:5a:a8:87:54:b4:b3:8c:68:7a:6e:ed:         c5:fc:98:5e:6b:71:37:48:bd:c9:65:05:34:6a:9d:04:74:81:         a0:bb:60:12:97:a0:27:36:73:35:be:ee:cc:29:c1:14:e6:88:         30:2f:80:55:ba:1c:ba:6d:2d:49:f9:f5:77:41:a2:73:5e:cc:         ff:b6:cf:eb:76:c8:f4:24:2d:08:cc:f7:1d:39:c9:46:74:bd:         df:34:7c:b1:97:30:4f:11:63:36:15:da:70:2f:f0:21:34:12:         d9:a7:ac:66:82:8f:66:b2:e8:42:e8:e6:76:91:9b:3b:9c:83:         b6:d4:c7:d4:66:b0:fe:da:02:f0:01:a8:31:57:ae:12:1b:a8:         4b:fe:69:16:08:6a:94:be:ee:60:a1:b3:9a:79:cf:f1:93:dc:         c0:ab:5a:07:a3:ba:7a:1e:49:d4:c2:a4:d8:e1:d7:08:d0:18:         55:41:3e:9c:5c:17:fe:3d:76:92:08:2c:31:96:35:d6:44:d6:         3b:7b:1f:c7$

3、签发证书

生成CSR文件后，你有2个选择，一个是发送给CA机构请求其为你签发证书，另一个就是自己签发证书。

//根据csr文件自己签发证书$ openssl x509 -req -days 365 -in fd.csr -signkey fd.key -out fd.crt
Signature ok
subject=/C=CN/ST=Beijing/L=Beijing/O=Some Technology Co., Ltd. /OU=Organizational-Unit-Name/CN=www.test.com/[email protected]
Getting Private key

$ cat fd.crt
-----BEGIN CERTIFICATE-----
MIID2DCCAsACCQCYrBR/rdwvITANBgkqhkiG9w0BAQUFADCBrTELMAkGA1UEBhMC
Q04xEDAOBgNVBAgMB0JlaWppbmcxEDAOBgNVBAcMB0JlaWppbmcxIzAhBgNVBAoM
GlNvbWUgVGVjaG5vbG9neSBDby4sIEx0ZC4gMSEwHwYDVQQLDBhPcmdhbml6YXRp
b25hbC1Vbml0LU5hbWUxFDASBgNVBAMMC0NvbW1vbi1OYW1lMRwwGgYJKoZIhvcN
AQkBFg10ZXN0QHRlc3QuY29tMB4XDTE2MDQwMTEzMjM1NVoXDTE3MDQwMTEzMjM1
NVowga0xCzAJBgNVBAYTAkNOMRAwDgYDVQQIDAdCZWlqaW5nMRAwDgYDVQQHDAdC
ZWlqaW5nMSMwIQYDVQQKDBpTb21lIFRlY2hub2xvZ3kgQ28uLCBMdGQuIDEhMB8G
A1UECwwYT3JnYW5pemF0aW9uYWwtVW5pdC1OYW1lMRQwEgYDVQQDDAtDb21tb24t
TmFtZTEcMBoGCSqGSIb3DQEJARYNdGVzdEB0ZXN0LmNvbTCCASIwDQYJKoZIhvcN
AQEBBQADggEPADCCAQoCggEBAOcU+DEKKzZAL8mUWeaV3XoyPrVBEllyrw7nRujF
4Th0stkvnYuuhCBWyDAahooUFzpXFvjMq0EAOAQDyWInZlJbncM3YvKg8I178PxD
fM/y/o1M44CprYoM2kG1p4zR+DkAwg/kNPeaHH5qc3SkSR9lllH+TySC2EXAtcUr
MHDaPi3z3T/EnEoAYP601lwe12oEDSkBAZpwL8XfPUvJWlix5qI06qCBGjO6XunS
ZBdUSs2rMaHLM8dhSV5sZQyqZM72MUxhF3LRmT4vKuHBH5JCN/12QGOfKyX/uV0m
Q5EV4V3g5xEFvc2enRzHWGJ2qEiHs87Gku6mMDDMETNgN4ECAwEAATANBgkqhkiG
9w0BAQUFAAOCAQEAhPnGD8TuzjZB2qH8Jk4ixRip0nIoXQn3dORDOxG9/XKRgmP0
ozJUDCaOI3Hos+BC0r0wVly7Lmkl9PSHhioqbDFAn+AqX4lTrbVTDV+tKIosOsm0
PWlz2oFACyJXcaFnHYZFFkR1vzeyUqm0rmWwYdB4zV8RnY2TD+k9VMjI9lmtbSSs
zf9dGOaw8FSAee9HuBsb9QBk7lZAcouN8M2CMUVqGDW8nZmnp3JxvotQHYr4Ii7o
kbIPcNJTtSgFFHG++DORSmgelKqJIXN/Sr+aaBDo2byClpWk6iYsGOejf5QZOTFb
8BIf5p6tCNh8YleVfkUzjtXzcVIBojs66g7EGg==
-----END CERTIFICATE-----

如果仅仅是生成自己签发的证书，那么可以省略生成CSR的过程，直接签发证书

$ openssl req -new -x509 -days 365 -key fd.key -out fd.crt

从上面的例子中我们可以看到生成证书的过程需要填写很多字段，OpenSSL允许我们将这么字段预先写入配置文件，

然后就可以引用配置文件生成证书，不用手动输入。

Creating Certificates Valid for Multiple Hostnames

With OpenSSL, by default, generated certificates have only one common name and are thus
valid for only one hostname. Therefore, if you have several web sites, you must generate a separate
certificate for each site. When the same person or group of people maintain several web
sites, it’s fine to use only one certificate for all of the sites; this is what multidomain certificates
are for. Actually, even if you’re running a single web site, you should ensure that the certificate
is valid for all possible paths that end users can take to reach it. In practice, this means using
at least two names, one with the www prefix and one without (e.g., www.feistyduck.com and
feistyduck.com).
There are two mechanisms for supporting multiple hostnames in a certificate. The first is to
list all desired hostnames using an X.509 extension called Subject Alternative Name (SAN).
The second is to use wildcards. You can also use a combination of the two approaches when
it’s more convenient. In practice, for most sites, you can specify a bare domain name and a
wildcard to cover all the subdomains (e.g., feistyduck.com and *.feistyduck.com).

4、密钥证书的格式及转换

私钥和证书可以保存在多种格式中.常用的格式有以下几种，他们之间可以相互转换 :
Binary (DER) certificate
Contains an X.509 certificate in its raw form, using DER ASN.1 encoding.
ASCII (PEM) certificate(s)
Contains a base64-encoded DER certificate, with -----BEGIN CERTIFICATE----- used
as the header and -----END CERTIFICATE----- as the footer. Usually seen with only one
certificate per file, although some programs allow more than one certificate depending
on the context. For example, the Apache web server requires the server certificate to be
alone in one file, with all intermediate certificates together in another.
Binary (DER) key
Contains a private key in its raw form, using DER ASN.1 encoding. OpenSSL creates
keys in its own traditional (SSLeay) format. There’s also an alternative format called
PKCS#8 (defined in RFC 5208), but it’s not widely used. OpenSSL can convert to and
from PKCS#8 format using the pkcs8 command.
ASCII (PEM) key
Contains a base64-encoded DER certificate with additional metadata (e.g., the algorithm
used for password protection).
PKCS#7 certificate(s)
A complex format designed for the transport of signed or encrypted data, defined in
RFC 2315. It’s usually seen with .p7b and .p7c extensions and can include the entire
certificate chain as needed. This format is supported by Java’s keytool utility.
PKCS#12 (PFX) key and certificate(s)
A complex format that can store a protected server key with the corresponding
certificate as well as the intermediate certificates. It’s commonly seen with .p12 and

.pfx extensions. This format is commonly used in Microsoft products. These days, the
PFX name is used as a synonym for PKCS#12, even though PFX referred to a different
format a long time ago (an early version of PKCS#12). It’s unlikely that you’ll encounter
the old version anywhere.