因nginx上的证书不对,导致ie浏览器即使在导入根证书的情况下还是弹出证书中的域名和请求域名不符的问题,经查是common name需要指定的为域名,如*.test.com。
http://www.haiyun.me/archives/openssl-ca-cert.html
mkdir -p /etc/pki/demoCA 2.生成根证书及私钥:
cd /etc/pki/demoCA mkdir private crl certs newcerts #新建证书存放目录 echo '00' > serial #新建serial文件并写入初始序列号00 touch index.txt #新建index.txt空文件 openssl genrsa -out private/cakey.pem 1024 #生成CA根证书私钥 openssl req -new -x509 -key private/cakey.pem -out cacert.pem #生成CA根证书 3.生成服务器证书私钥、证书,可用于https服务器等。
openssl genrsa -out private/server.key 1024 openssl req -new -key private/server.key -out crl/server.csr #生成证书请求文件,可提供认证CA签核,或自签名。 cd ..
openssl ca -in demoCA/crl/server.csr -out demoCA/certs/server.crt #自签名证书 http://www.rackspace.com/knowledge_center/article/generate-a-csr-with-openssl
| DN Field | Explanation | Example |
| Common Name | The fully qualified domain name for your web server. This must be an exact match. | If you intend to secure the URL https://www.yourdomain.com, then your CSR's common name must be www.yourdomain.com. If you plan on getting a wildcard certificate make sure to prefix your domain with an asterisk, example: *.domain.com. |
| Organization | The exact legal name of your organization. Do not abbreviate your organization name. | domain.com |
| Organization Unit | Section of the organization | IT |
| City or Locality | The city where your organization is legally located. | Wellesley Hills |
| State or Province | The state or province where your organization is legally located. Can not be abbreviated. | Massachusetts |
| Country | The two-letter ISO abbreviation for your country. | US |