Azure Application Gateway (6): Using a SAN certificate to create multi-site domains

(Part of the Windows Azure Platform series; see the series index.)

 

  Azure Application Gateway can use a single SAN certificate to serve several site domain names from one HTTPS listener.

  SAN stands for Subject Alternative Name. A SAN certificate is an SSL/TLS certificate that carries a list of additional names in its subjectAltName extension, so one certificate can protect several domain names at once. That reduces the number of certificates an operator has to issue, renew and deploy. Note that modern clients (Chrome since version 58, Apple platforms since iOS 13 and macOS 10.15) match the requested hostname only against the subjectAltName entries and ignore the Common Name, so every name you want to serve must appear in the SAN list, including the one you put in the CN.

  For example, the certificate for www.bing.com lists many hostnames in its Subject Alternative Name extension, as shown below:

  [Figure: the www.bing.com certificate, Subject Alternative Name field]

 

  First we need to prepare a PFX certificate (PKCS#12 bundle of certificate plus private key). The steps are as follows:

  1. Install OpenSSL (steps omitted).

  2. Create the private key. The -des3 option encrypts the key file with a passphrase; since the passphrase is removed again in step 4, you can also omit -des3 and skip that step:

openssl genrsa -des3 -out example.com.key 2048

  3. Generate the CSR. The Common Name entered here (*.example.com) is only a label; the names that clients actually validate are the DNS entries written into subjectAltName in step 5:

openssl req -new -key example.com.key -out example.com.csr
Enter pass phrase for example.com.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:XX
State or Province Name (full name) []:State
Locality Name (eg, city) [Default City]:City
Organization Name (eg, company) [Default Company Ltd]:Company
Organizational Unit Name (eg, section) []:BU
Common Name (eg, your name or your server's hostname) []:*.example.com
Email Address []:[email protected]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

 

  

  4. Remove the passphrase from the private key (keep a copy of the encrypted original; the unencrypted key must be handled as a secret, since anyone holding it can impersonate every name in the certificate):

cp example.com.key example.com.key.org
openssl rsa -in example.com.key.org -out example.com.key

 

  5. Create an extensions config file for the SAN certificate:

touch v3.ext

  Save the following in the file. This is a server (leaf) certificate, so basicConstraints must be CA:FALSE and keyUsage must not contain keyCertSign: a certificate marked CA:TRUE whose private key is packaged into the PFX uploaded to the gateway could be used to issue further certificates that are trusted by every client that trusts this one. extendedKeyUsage = serverAuth is required by Apple clients for TLS server certificates, and issuerAltName is not needed:

subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer
basicConstraints       = CA:FALSE
keyUsage               = digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectAltName         = DNS:example.com, DNS:*.example.com

  Put the DNS names you need into subjectAltName. A wildcard entry such as *.leicorp.biz matches exactly one label (www.leicorp.biz, but neither leicorp.biz itself nor a.b.leicorp.biz), which is why the bare domain is listed separately.

  My settings are as follows:

subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer
basicConstraints       = CA:FALSE
keyUsage               = digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectAltName         = DNS:leicorp.biz, DNS:*.leicorp.biz, DNS:leidemo.biz, DNS:*.leidemo.biz

 

  6. Create the self-signed certificate. The extensions from v3.ext are applied here, because openssl x509 -req does not copy extensions from the CSR. Ten years (-days 3650) works for a lab, but Apple clients reject TLS server certificates valid for more than 825 days, so use a shorter validity if those clients need to trust the certificate:

openssl x509 -req -in example.com.csr -signkey example.com.key -out example.com.crt -days 3650 -sha256 -extfile v3.ext

 

  7. Convert the CRT and key into a PFX. You are prompted for an export password; set one, since the Application Gateway upload form asks for it. If the upload is rejected with OpenSSL 3.x, re-export with the -legacy option, because the PKCS#12 encryption algorithms OpenSSL 3 uses by default are not accepted by all importers:

openssl pkcs12 -export -out certificate.pfx -inkey example.com.key -in example.com.crt

 

  8. Download certificate.pfx to your local machine.

 

  9. Create an Azure Application Gateway v2, create a basic HTTPS listener and upload the PFX certificate (with its export password).

  Because the one SAN certificate covers all of the domains, a single listener is enough. A basic listener forwards every hostname to the same backend pool; if the domains need different backends, create one multi-site listener per hostname instead, all referencing the same uploaded certificate.

  

  

  10. Configure the Application Gateway routing rule that binds the listener to a backend pool and HTTP settings.

  

 

  11. Point the domains' DNS records at the gateway's public IP address, or, for a test, map them in the Windows hosts file.

  12. Browse to each domain and inspect the certificate the gateway serves:
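The whole OpenSSL procedure above (steps 2 to 7, with the corrected leaf-certificate extensions) as one runnable script, plus the verification a practitioner wants before and after uploading: which hostnames the certificate actually covers, that it is not marked as a CA, and what the gateway serves for a given SNI name. This is an added example and not code from the original post; the file names, the export password "changeit" and the 825-day validity are this script's own choices, and it assumes openssl is on the PATH.

```shell
#!/bin/sh
# Added example (not from the original post): build a self-signed SAN
# certificate with leaf-server extensions, package it as a PFX for
# Application Gateway, and verify which hostnames the certificate covers.
# Assumptions: openssl on PATH; the export password "changeit", file names
# and 825-day validity are this script's own choices.
set -eu

# make_san_cert OUTDIR NAME [NAME...]
# Writes OUTDIR/server.{key,csr,crt,pfx}. The first NAME becomes the CN;
# every NAME goes into subjectAltName, which is what clients actually check.
make_san_cert() {
  outdir="$1"; shift
  cn="$1"
  mkdir -p "$outdir"
  # The key ends up unencrypted inside the PFX anyway, so it is generated
  # without -des3 and the "remove passphrase" step is not needed.
  openssl genrsa -out "$outdir/server.key" 2048 2>/dev/null
  openssl req -new -key "$outdir/server.key" -out "$outdir/server.csr" \
    -subj "/C=XX/O=Example/CN=$cn" 2>/dev/null
  # Build "DNS:a, DNS:b, ..." from the arguments.
  san=""
  for name in "$@"; do
    san="${san:+$san, }DNS:$name"
  done
  # Leaf-certificate extensions: not a CA, no keyCertSign, TLS server EKU.
  cat > "$outdir/v3.ext" <<EOF
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectAltName         = $san
EOF
  # 825 days is the longest validity Apple clients accept for a TLS server cert.
  openssl x509 -req -in "$outdir/server.csr" -signkey "$outdir/server.key" \
    -out "$outdir/server.crt" -days 825 -sha256 -extfile "$outdir/v3.ext" 2>/dev/null
  # The Application Gateway upload form asks for this PFX password.
  openssl pkcs12 -export -out "$outdir/server.pfx" -inkey "$outdir/server.key" \
    -in "$outdir/server.crt" -passout pass:changeit
}

# cert_covers_host CRT HOSTNAME -> prints yes or no, using OpenSSL's own
# hostname matching (wildcards in subjectAltName match exactly one label).
cert_covers_host() {
  out="$(openssl x509 -in "$1" -noout -checkhost "$2" || true)"
  case "$out" in
    *"does match"*) echo yes ;;
    *) echo no ;;
  esac
}

# cert_is_ca CRT -> prints CA or leaf, read from basicConstraints.
cert_is_ca() {
  out="$(openssl x509 -in "$1" -noout -text || true)"
  case "$out" in
    *"CA:TRUE"*) echo CA ;;
    *) echo leaf ;;
  esac
}

# show_served_cert HOSTNAME GATEWAY_IP -> prints the SAN list of the
# certificate the gateway returns for HOSTNAME via SNI, without editing
# the hosts file. Network call; not exercised offline.
show_served_cert() {
  openssl s_client -connect "$2:443" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 -noout -ext subjectAltName
}

# Usage: sh san-cert.sh ./out leicorp.biz '*.leicorp.biz' leidemo.biz '*.leidemo.biz'
if [ "$#" -ge 2 ]; then
  make_san_cert "$@"
  openssl x509 -in "$1/server.crt" -noout -ext subjectAltName
fi
```

Run it with the output directory followed by the names you want covered; the generated server.pfx is what you upload in step 9. After DNS or the hosts file points at the gateway, `show_served_cert www.leicorp.biz <gateway-ip>` confirms the listener returns the SAN certificate for that name without relying on the browser.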

  

 
