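# Create the CA private key.
# The subshell sets umask 077 so ca.key is created readable by its owner only;
# a plain `> ca.key` redirect creates the file with whatever umask the caller has.
# genrsa without a cipher option writes the key unencrypted, so file permissions
# are the only protection it has on disk.
( umask 077; openssl genrsa -out ca.key 2048 )
# Create the CA certificate request (the answers given to the prompts are listed below).
openssl req -new -key ca.key -out ca.req
# Self-sign the CA certificate (author's note: the CA deliberately uses an X.509 v1 certificate).
# -sha256 pins the signature digest instead of relying on the installed OpenSSL's default.
# NOTE(review): no extension file is passed here, so basicConstraints CA:TRUE is not requested;
# some validators refuse to treat such a certificate as an issuer -- confirm with the gateway and IIS.
# NOTE(review): -days 36500 is roughly 100 years for a 2048-bit key; keep ca.key off
# networked hosts and plan for re-issuing the CA well before that.
openssl x509 -req -sha256 -days 36500 -in ca.req -signkey ca.key -out ca.crt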
Country Name (2 letter code) [AU]:TW
State or Province Name (full name) [Some-State]:TAIWAN
Locality Name (eg, city) []:CHW
Organization Name (eg, company) [Internet Widgits Pty Ltd]:TSC
Organizational Unit Name (eg, section) []:IT
Common Name (e.g. server FQDN or YOUR name) []:Josh
Email Address []:josh.hsu@tscs.com.tw
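# Create the server private key (used by the gateway and by IIS).
# umask 077 in a subshell keeps server.key owner-readable only; the key is written unencrypted.
( umask 077; openssl genrsa -out server.key 2048 )
# Create the certificate request (it can also be generated from IIS instead).
openssl req -new -key server.key -out server.req
# The gateway needs an X.509 v3 certificate carrying serverAuth, so create v3_req.txt first
# and reference its [ v3_req ] section through -extfile / -extensions.
# -sha256 pins the signature digest instead of relying on the installed OpenSSL's default.
# -CAcreateserial creates the CA serial-number file if it does not exist yet.
# NOTE(review): -days 36500 gives a wildcard leaf certificate a ~100 year lifetime and no
# revocation information (CRL/OCSP) is configured on this page, so a leaked server.key stays
# usable until every client stops trusting ca.crt. Some TLS clients also reject long-lived
# leaf certificates -- confirm against the clients in use.
openssl x509 -req -sha256 -extfile v3_req.txt -extensions v3_req -CAcreateserial -days 36500 -CA ca.crt -CAkey ca.key -in server.req -out server.crt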
Country Name (2 letter code) [AU]:TW
State or Province Name (full name) [Some-State]:TAIWAN
Locality Name (eg, city) []:CHW
Organization Name (eg, company) [Internet Widgits Pty Ltd]:TSC
Organizational Unit Name (eg, section) []:IT
Common Name (e.g. server FQDN or YOUR name) []:*.tscs.com.tw
Email Address []:josh.hsu@tscs.com.tw
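# Contents of v3_req.txt (create it with an editor, e.g. `vi v3_req.txt`).
# This is the extension section named by -extfile v3_req.txt -extensions v3_req
# when server.crt is signed.
[ v3_req ]
# Leaf certificate: it must not be usable to issue further certificates.
basicConstraints = CA:FALSE
# digitalSignature is required for (EC)DHE key exchange with an RSA key and for TLS 1.3;
# with keyEncipherment alone only static-RSA key exchange (no forward secrecy) is covered.
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
# serverAuth is what the gateway requires. NOTE(review): clientAuth lets the same wildcard
# key authenticate as a TLS client too -- drop it if nothing relies on that.
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = @alt_names
[alt_names]
# A wildcard matches exactly one label: host.tscs.com.tw is covered, the bare
# tscs.com.tw and a.b.tscs.com.tw are not.
DNS.1 = *.tscs.com.tw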
# Bundle server.key and server.crt into one PKCS#12 file (presumably for the IIS import).
# openssl asks for an export password; server.pfx contains the private key, so choose a
# strong one and remove the file once it has been imported.
openssl pkcs12 -export -inkey server.key -in server.crt -out server.pfx
解決登入慢,另要更新憑證的問題

在 Windows Server 2008 開啟 TLS 1.2(以下為 .reg 檔內容)
Windows Registry Editor Version 5.00
; Enable TLS 1.2 in Schannel for outbound connections made by this machine (Client key).
; DisabledByDefault=0 together with Enabled=1 turns the protocol on.
; NOTE(review): only the TLS 1.2 keys are set in this file; older protocols (SSL 3.0, TLS 1.0/1.1)
; keep whatever state the OS already has. Schannel protocol changes normally need a reboot.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001
; Same two values for inbound connections accepted by this machine (Server key).
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001
; DisableLoopbackCheck=1 switches off the loopback check for every host name on this machine.
; NOTE(review): that check is a mitigation against NTLM reflection, so this is a machine-wide
; weakening. The narrower option is to leave it enabled and list only the required host names
; in BackConnectionHostNames under ...\Control\Lsa\MSV1_0 -- confirm which names are needed.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"DisableLoopbackCheck"=dword:00000001