Replacing the gateway certificate on a 奇安信 (Qi'anxin) VPN appliance
Author: ryan  Published: 5/30/2025  Updated: 8/24/2025
The gateway certificate that ships with the appliance is self-signed, so users get a certificate warning every time they connect to the VPN gateway. Replacing it with an SSL certificate issued to us by a publicly trusted CA solves this problem.

Apply for an SSL certificate
First request a certificate from Alibaba Cloud. The free certificate used here is valid for only 90 days, so a paid commercial certificate is recommended to avoid frequent replacement.
Download the certificate
Choose the pfx certificate format with server type Tomcat. This file carries the server certificate together with its private key.
Also download the Apache type (crt/key format), because we need the certificate chain, which we will complete below.
Get the root certificate
Method 1: download the root certificate from the certificate provider
Alibaba Cloud offers root certificates for download by brand and type; download the one that matches the brand and type of the certificate you were issued. For example, if you bought a DigiCert OV certificate, download the DigiCert OV root certificate.
Method 2: an online certificate parsing tool
Such a tool parses the CRT file used by Apache/OpenSSL and returns the certificate details, the intermediate certificate and the root certificate. Only ever paste the .crt files, which contain nothing but public data; the .key file must never leave your machine.
Complete the certificate chain
Use openssl to look at the issuer information in the chain file. Note that `openssl x509` only prints the first certificate in a PEM bundle; here that is the intermediate CA (Encryption Everywhere DV TLS CA - G2), and its issuer, DigiCert Global Root G2, is the root we have to chain up to:
```bash
openssl x509 -in sec.ceamg.com_chain.crt -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            0d:e0:ff:b5:ee:62:cb:61:10:9f:60:8c:9c:ed:5e:d3
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root G2
        Validity
            Not Before: Nov 27 12:46:40 2017 GMT
            Not After : Nov 27 12:46:40 2027 GMT
        Subject: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=Encryption Everywhere DV TLS CA - G2
        Subject Public Key Info:
```
Create the pem file
Put the following three certificates into one pem file:
- The intermediate CA certificate: Encryption Everywhere DV TLS CA - G2, issued by DigiCert Global Root G2. This is the CA that signs end-entity certificates such as the server certificate for sec.ceamg.com.
- The root certificate: the self-signed DigiCert Global Root CA.
- The new root, DigiCert Global Root G2, cross-signed by DigiCert Global Root CA. The cross-signed copy lets clients that only trust the older Global Root CA still build a path to the new G2 hierarchy.
A PKCS#7 bundle (the p7b produced later) is an unordered set of certificates, so the order inside the pem does not matter for it. If you ever hand the pem itself to a TLS server, order it so that each certificate is followed by its issuer: intermediate, cross-signed G2, then Global Root CA. A self-signed root is optional in a served chain, because a client that does not already trust it gains nothing from receiving it.
Example (the subject/issuer lines are what `openssl pkcs7 -print_certs` prints for each certificate; the certificate bodies are abbreviated):
```text
subject=C=US, O=DigiCert Inc, OU=www.digicert.com, CN=Encryption Everywhere DV TLS CA - G2
issuer=C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root G2
-----BEGIN CERTIFICATE-----
MIIEqjCCA5KgAwIBAgIQDeD/te5iy2EQn2CMnO1e0zANBgkqhkiG9w0BAQsFADBh
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
d3cuZGlnaWNlcnQuY29tMSAwHgYDVQQDExdEaWdpQ2VydCBHbG9iYWwgUm9vdCBH
MjAeFw0xNzExMjcxMjQ2NDBaFw0yNzExMjcxMjQ2NDBaMG4xCzAJBgNVBAYTAlVT
MRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsTEHd3dy5kaWdpY2VydC5j
b20xLTArBgNVBAMTJEVuY3J5cHRpb24gRXZlcnl3aGVyZSBEViBUTFMgQ0EgLSBH
MjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAO8Uf46i/nr7pkgTDqnE
....
....
GfzyIDkH3JrwYZ8caPTf6ZX9M1GrISN8HnWTtdNCH2xEajRa/h9ZBXjUyFKQrGk2
n2hcLrfZSbynEC/pSw/ET7H5nWwckjmAJ1l9fcnbqkU/pf6uMQmnfl0JQjJNSg==
-----END CERTIFICATE-----
subject=C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root CA
issuer=C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root CA
-----BEGIN CERTIFICATE-----
MIIDrzCCApegAwIBAgIQCDvgVpBCRrGhdWrJWZHHSjANBgkqhkiG9w0BAQUFADBh
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
d3cuZGlnaWNlcnQuY29tMSAwHgYDVQQDExdEaWdpQ2VydCBHbG9iYWwgUm9vdCBD
QTAeFw0wNjExMTAwMDAwMDBaFw0zMTExMTAwMDAwMDBaMGExCzAJBgNVBAYTAlVT
....
....
hMAtudXH/vTBH1jLuG2cenTnmCmrEbXjcKChzUyImZOMkXDiqw8cvpOp/2PV5Adg
06O/nVsJ8dWO41P0jmP6P6fbtGbfYmbW0W5BjfIttep3Sp+dWOIrWcBAI+0tKIJF
PnlUkiaY4IBIqDfv8NZ5YBberOgOzW6sRBc4L0na4UU+Krk2U886UAb3LujEV0ls
YSEY1QSteDwsOoBrp+uvFRTp2InBuThs4pFsiv9kuXclVzDAGySj4dzp30d8tbQk
CAUw7C29C79Fv1C5qfPrmAESrciIxpg0X40KPMbp1ZWVbd4=
-----END CERTIFICATE-----
subject=C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root G2
issuer=C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root CA
-----BEGIN CERTIFICATE-----
MIIEfjCCA2agAwIBAgIQD+Ayq4RNAzEGxQyOE8iwaDANBgkqhkiG9w0BAQsFADBh
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
d3cuZGlnaWNlcnQuY29tMSAwHgYDVQQDExdEaWdpQ2VydCBHbG9iYWwgUm9vdCBD
QTAeFw0yNDAxMTgwMDAwMDBaFw0zMTExMDkyMzU5NTlaMGExCzAJBgNVBAYTAlVT
MRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsTEHd3dy5kaWdpY2VydC5j
b20xIDAeBgNVBAMTF0RpZ2lDZXJ0IEdsb2JhbCBSb290IEcyMIIBIjANBgkqhkiG
....
....
....
HSAECjAIMAYGBFUdIAAwDQYJKoZIhvcNAQELBQADggEBAHRBl3jN7+XHBUK0dZnu
hMdoNwD1nCROU3BTIh1TNzRI0bQ0m5+C/dCRzzlqoSAFHUlOi+OiDltWkXTzmQn6
Z8bH5PFBy5sYpc/8cNPoSzhyqcpvvEZvv/Ivc0Up+dzma7vBDJC9WrMRUUlSFSQp
kdXSmphDNkXJsgARmxzc18IN6LYMRiOWlY7RE2F900pPW60BvJHHNCX0bbSRj/Ql
bmVq8wuftBD++D+RS8K++ujpMjFBROyWfBX+woQDGsMazkmgulQdnZrdj476elOL
axRvrSgEorju1kJM7M65z2RUZrfzQYW/1rs8mRUXin6iEtad/Rv1ZI1WGYmWPyBm
pbo=
-----END CERTIFICATE-----
```
Convert to p7b format
Wrap the certificates from the pem file into a PKCS#7 bundle (`-nocrl`: certificates only, no CRL and no private key), written as binary DER:
```bash
openssl crl2pkcs7 -nocrl -certfile fullchain.pem -out fullchain.p7b -outform der
```
Configure the 奇安信 VPN
With the chain complete, load the certificates on the appliance: open System Settings -> Gateway Certificate