2021-07-12-SSL 为IP签发证书

概述#

引用：https://stackoverflow.com/questions/1095780/are-ssl-certificates-bound-to-the-servers-ip-address

An SSL certificate cannot be issued for Reserved IP addresses (RFC 1918 and RFC 4193 range)/ private IP addresses (IPv4, IPv6), Intranet for Internal Server Name, local server name with a non-public domain name suffix.(不能为保留的IP地址(RFC 1918和RFC 4193范围)/私有IP地址(IPv4, IPv6)、内部网用于内部服务器名、带有非公共域名后缀的本地服务器名颁发SSL证书。)

A certificate can be bound to an IP address . You can issue a self-signed certificate to a private address, but a trusted CA will not issue a certificate to a private address because it can not verify its identity.(证书可以绑定到一个IP地址。您可以向私有地址颁发自签名证书，但受信任的CA不会向私有地址颁发证书，因为它无法验证其身份。)

For example a certificate issued to 192.168.0.1 would be theoretically valid in any context, and this should not be allowed by a trusted CA(例如，发给192.168.0.1的证书理论上在任何上下文中都是有效的，而受信任的CA不应该允许这样做)

为公网IP签发证书#

引用：https://blog.csdn.net/u012912380/article/details/93173058

IP的SSL证书有两种，一种是DVSSL，另外一种是OVSSL：

DVSSL：

这种证书无论是企业还是个人均可申请，只需要验证IP地址的管理权限。同时支持多个IP绑定在一起。颁发只需要30分钟左右。

OVSSL

这种证书只能企业等单位性质的用户才能申请，除了验证IP的管理权限之外，还需要验证企业的身份。当然得到的证书和上面的DVSSL也是不一样的。颁发需要1-3工作日

IP地址申请SSL证书需要满足以下条件：

1. IP必须是公网IP；
2. 申请者对申请SSL证书的IP具有管理权限；
3. 申请者可以是企业，组织机构，也可以是个人；
4. IP可以申请OVSSL（企业型SSL证书）或DVSSL证书（基础验证级证书）；
5. IP只能申请单个IP，或者多个IP绑在一起的SSL证书，目前不支持IP段的通配。
   审核流程与企业型SSL证书和域名型SSL证书基本一致。

为私有IP签发证书#

引用：https://blog.csdn.net/ustccw/article/details/76691248

本地生成SSL相关文件
3.1 证书生成脚本
我们自己本地使用 makefile.sh 脚本建立一个CA(ca.crt + ca.key)，用这个CA给server和client分别颁发证书。

makefile.sh

# * Redistributions in binary form must reproduce the above copyright
#   notice, this list of conditions and the following disclaimer in the
#   documentation and/or other materials provided with the distribution.
# * Neither the name of the axTLS project nor the names of its
#   contributors may be used to endorse or promote products derived
#   from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR 
# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR
# CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
# TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY 
# OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
# NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
# THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#

#
# Generate the certificates and keys for testing.
#


PROJECT_NAME="TLS Project"

# Generate the openssl configuration files.
cat > ca_cert.conf << EOF  
[ req ]
distinguished_name     = req_distinguished_name
prompt                 = no

[ req_distinguished_name ]
 O                      = $PROJECT_NAME Dodgy Certificate Authority
EOF

cat > server_cert.conf << EOF  
[ req ]
distinguished_name     = req_distinguished_name
prompt                 = no

[ req_distinguished_name ]
 O                      = $PROJECT_NAME
 CN                     = 192.168.111.100
EOF

cat > client_cert.conf << EOF  
[ req ]
distinguished_name     = req_distinguished_name
prompt                 = no

[ req_distinguished_name ]
 O                      = $PROJECT_NAME Device Certificate
 CN                     = 192.168.111.101
EOF

mkdir ca
mkdir server
mkdir client
mkdir certDER

# private key generation
openssl genrsa -out ca.key 1024
openssl genrsa -out server.key 1024
openssl genrsa -out client.key 1024

# cert requests
openssl req -out ca.req -key ca.key -new \
            -config ./ca_cert.conf
openssl req -out server.req -key server.key -new \
            -config ./server_cert.conf 
openssl req -out client.req -key client.key -new \
            -config ./client_cert.conf 

# generate the actual certs.
openssl x509 -req -in ca.req -out ca.crt \
            -sha1 -days 5000 -signkey ca.key
openssl x509 -req -in server.req -out server.crt \
            -sha1 -CAcreateserial -days 5000 \
            -CA ca.crt -CAkey ca.key
openssl x509 -req -in client.req -out client.crt \
            -sha1 -CAcreateserial -days 5000 \
            -CA ca.crt -CAkey ca.key

openssl x509 -in ca.crt -outform DER -out ca.der
openssl x509 -in server.crt -outform DER -out server.der
openssl x509 -in client.crt -outform DER -out client.der

mv ca.crt ca.key ca/
mv server.crt server.key server/
mv client.crt client.key client/

mv ca.der server.der client.der certDER/

rm *.conf
rm *.req
rm *.srl