Azure Application Gateway can use a SAN certificate to serve multiple site domain names from one listener.
SAN is short for Subject Alternative Name. A SAN certificate is an SSL certificate that supports multiple domain names: several domain names are written into the same certificate, so a single certificate protects all of them. This lowers the management burden on operations staff and makes certificate management more efficient.
For example, the certificate for www.bing.com, shown in the figure below:
We first need to prepare a pfx certificate. The steps are as follows:
1. Install openssl first (steps omitted).
2. Create the private key:
openssl genrsa -des3 -out example.com.key 2048
3. Generate the CSR:
openssl req -new -key example.com.key -out example.com.csr
Enter pass phrase for example.com.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:XX
State or Province Name (full name) []:State
Locality Name (eg, city) [Default City]:City
Organization Name (eg, company) [Default Company Ltd]:Company
Organizational Unit Name (eg, section) []:BU
Common Name (eg, your name or your server's hostname) []:*.example.com
Email Address []:[email protected]
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
4. Remove the passphrase from the private key:
cp example.com.key example.com.key.org
openssl rsa -in example.com.key.org -out example.com.key
5. Create a config file for the SAN certificate:
touch v3.ext
Save the following in the file:
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
basicConstraints = CA:TRUE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment, keyAgreement, keyCertSign
subjectAltName = DNS:example.com, DNS:*.example.com
issuerAltName = issuer:copy
Note: in subjectAltName, set the DNS names you need.
In my case I set the following:
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
basicConstraints = CA:TRUE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment, keyAgreement, keyCertSign
subjectAltName = DNS:leicorp.biz, DNS:*.leicorp.biz, DNS:leidemo.biz, DNS:*.leidemo.biz
issuerAltName = issuer:copy
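As an added example (not part of the original post), the Python below renders the v3.ext contents from a list of DNS names and checks which listener hostnames a given SAN list actually covers under the RFC 6125 wildcard rule, which is why the post lists both the apex name and the wildcard for each zone. It deviates from the post's file in one labelled place: a server certificate is written with basicConstraints CA:FALSE and without keyCertSign.

```python
# SAN names taken from the post's own config: apex plus wildcard per zone.
SAN_NAMES = ["leicorp.biz", "*.leicorp.biz", "leidemo.biz", "*.leidemo.biz"]


def render_v3_ext(san_names):
    """Build the v3.ext text for `openssl x509 -extfile`.

    Differs from the post's file on purpose: a server (leaf) certificate
    should be CA:FALSE and must not carry keyCertSign, otherwise the leaf
    key could itself issue certificates that chain to it.
    """
    if not san_names:
        raise ValueError("at least one DNS name is required")
    san = ", ".join("DNS:" + n for n in san_names)
    return "\n".join([
        "subjectKeyIdentifier = hash",
        "authorityKeyIdentifier = keyid:always,issuer:always",
        "basicConstraints = CA:FALSE",
        "keyUsage = digitalSignature, keyEncipherment",
        "extendedKeyUsage = serverAuth",
        "subjectAltName = " + san,
    ]) + "\n"


def san_matches(pattern, hostname):
    """RFC 6125 wildcard rule: '*' may only be the whole left-most label and
    matches exactly one label, so '*.leicorp.biz' covers 'www.leicorp.biz'
    but neither 'leicorp.biz' (apex) nor 'a.b.leicorp.biz' (two labels)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" in hostname:
        return False
    if pattern.startswith("*."):
        head, sep, rest = hostname.partition(".")
        return bool(sep) and head != "" and rest == pattern[2:]
    return "*" not in pattern and pattern == hostname


def covering_san(san_names, hostname):
    """Return the SAN entry that covers hostname, or None when a listener for
    that hostname would fail TLS hostname validation with this certificate."""
    for name in san_names:
        if san_matches(name, hostname):
            return name
    return None


if __name__ == "__main__":
    print(render_v3_ext(SAN_NAMES))
    for host in ["leicorp.biz", "www.leidemo.biz", "a.b.leicorp.biz"]:
        print(host, "->", covering_san(SAN_NAMES, host))
```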
6. Create the self-signed certificate:
openssl x509 -req -in example.com.csr -signkey example.com.key -out example.com.crt -days 3650 -sha256 -extfile v3.ext
7. Convert the crt certificate into a pfx certificate:
openssl pkcs12 -export -out certificate.pfx -inkey example.com.key -in example.com.crt
8. Download certificate.pfx to your local machine.
9. Create an Azure Application Gateway v2, create a basic listener, and upload the pfx certificate.
Because one SAN certificate contains multiple domain names, only one listener needs to be created.
10. Configure the Application Gateway rule.
11. Point DNS at the gateway, or edit the Windows hosts file.
12. Browse to the domain and inspect the certificate that is served: