How can I generate a self-signed certificate with SubjectAltName using OpenSSL?
Question

I am trying to generate a self-signed certificate with OpenSSL with SubjectAltName in it. While I am generating the csr for the certificate, my guess is I have to use v3 extensions of OpenSSL x509. I am using:

openssl req -new -x509 -v3 -key private.key -out certificate.pem -days 730

Can someone help me with the exact syntax?
Accepted answer

Can someone help me with the exact syntax?
It's a three-step process, and it involves modifying the openssl.cnf file. You might be able to do it with only command line options, but I don't do it that way.
Find your openssl.cnf file. It is likely located in /usr/lib/ssl/openssl.cnf:
$ find /usr/lib -name openssl.cnf
/usr/lib/openssl.cnf
/usr/lib/openssh/openssl.cnf
/usr/lib/ssl/openssl.cnf
On my Debian system, /usr/lib/ssl/openssl.cnf is used by the built-in openssl program. On recent Debian systems it is located at /etc/ssl/openssl.cnf.
You can determine which openssl.cnf is being used by adding a spurious XXX to the file and seeing if openssl chokes.
First, modify the req parameters. Add an alternate_names section to openssl.cnf with the names you want to use. There are no existing alternate_names sections, so it does not matter where you add it.
[ alternate_names ]
DNS.1 = example.com
DNS.2 = www.example.com
DNS.3 = mail.example.com
DNS.4 = ftp.example.com
Next, add the following to the existing [ v3_ca ] section. Search for the exact string [ v3_ca ]:
subjectAltName = @alternate_names
You might change keyUsage to the following under [ v3_ca ]:
keyUsage = digitalSignature, keyEncipherment
digitalSignature and keyEncipherment are standard fare for a server certificate. Don't worry about nonRepudiation. It's a useless bit thought up by comp sci guys who wanted to be lawyers. It means nothing in the legal world.

In the end, the IETF (RFC 5280), browsers and CAs run fast and loose, so it probably does not matter what key usage you provide.
Second, modify the signing parameters. Find this line under the CA_default section:

# Extension copying option: use with caution.
# copy_extensions = copy

and change it to:

# Extension copying option: use with caution.
copy_extensions = copy
This ensures the SANs are copied into the certificate. The other ways to copy the DNS names are broken.

Third, generate your self-signed:
$ openssl genrsa -out private.key 3072
$ openssl req -new -x509 -key private.key -sha256 -out certificate.pem -days 730
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
...
Finally, inspect the certificate:
$ openssl x509 -in certificate.pem -text -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 9647297427330319047 (0x85e215e5869042c7)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, ST=MD, L=Baltimore, O=Test CA, Limited, CN=Test CA/emailAddress=test@example.com
Validity
Not Before: Feb 1 05:23:05 2014 GMT
Not After : Feb 1 05:23:05 2016 GMT
Subject: C=US, ST=MD, L=Baltimore, O=Test CA, Limited, CN=Test CA/emailAddress=test@example.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (3072 bit)
Modulus:
00:e2:e9:0e:9a:b8:52:d4:91:cf:ed:33:53:8e:35:
...
d6:7d:ed:67:44:c3:65:38:5d:6c:94:e5:98:ab:8c:
72:1c:45:92:2c:88:a9:be:0b:f9
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
34:66:39:7C:EC:8B:70:80:9E:6F:95:89:DB:B5:B9:B8:D8:F8:AF:A4
X509v3 Authority Key Identifier:
keyid:34:66:39:7C:EC:8B:70:80:9E:6F:95:89:DB:B5:B9:B8:D8:F8:AF:A4
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Key Usage:
Digital Signature, Non Repudiation, Key Encipherment, Certificate Sign
X509v3 Subject Alternative Name:
DNS:example.com, DNS:www.example.com, DNS:mail.example.com, DNS:ftp.example.com
Signature Algorithm: sha256WithRSAEncryption
3b:28:fc:e3:b5:43:5a:d2:a0:b8:01:9b:fa:26:47:8e:5c:b7:
...
71:21:b9:1f:fa:30:19:8b:be:d2:19:5a:84:6c:81:82:95:ef:
8b:0a:bd:65:03:d1
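The same procedure, written as an added example that is not part of the answer above: instead of editing the system-wide openssl.cnf, it writes a stand-alone config file, points `openssl req -x509` at it with `-config` and `-extensions`, and then checks that every expected DNS name actually landed in the Subject Alternative Name. The section names (`v3_san`, `req_dn`), the temporary paths and the 2048-bit key size are illustrative assumptions; the DNS names are the ones from the answer.

```shell
#!/bin/sh
# Added example (not the answerer's code): self-signed certificate with a
# SubjectAltName from a stand-alone OpenSSL config. Section names, paths and
# key size are illustrative assumptions.
set -e

# Write a minimal config. [req] names the extension section used for the
# self-signed certificate; that section references the constructed
# alternate_names list via subjectAltName = @alternate_names.
write_san_config() {
  cat > "$1" <<'EOF'
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_san
prompt             = no

[ req_dn ]
CN = example.com

[ v3_san ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
subjectAltName   = @alternate_names

[ alternate_names ]
DNS.1 = example.com
DNS.2 = www.example.com
DNS.3 = mail.example.com
DNS.4 = ftp.example.com
EOF
}

# Generate the key and the self-signed certificate in one step. There is no
# CSR and no "openssl ca" run here, so copy_extensions in [CA_default] is not
# involved; -extensions selects the section whose SAN goes into the cert.
make_san_cert() {
  dir=$1
  write_san_config "$dir/san.cnf"
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 730 \
    -keyout "$dir/private.key" -out "$dir/certificate.pem" \
    -config "$dir/san.cnf" -extensions v3_san 2>/dev/null
}

# Print the SAN value line of a certificate (the line after the
# "X509v3 Subject Alternative Name:" header in the -text output).
cert_san() {
  openssl x509 -in "$1" -noout -text \
    | awk '/X509v3 Subject Alternative Name/ { getline; sub(/^[ \t]+/, ""); print; exit }'
}

# Succeed, printing the SAN, only if every expected DNS name is present.
check_san() {
  san=$(cert_san "$1")
  for name in example.com www.example.com mail.example.com ftp.example.com; do
    case "$san" in
      *"DNS:$name"*) ;;
      *) echo "missing SAN entry: $name" >&2; return 1 ;;
    esac
  done
  echo "$san"
}

# Run end to end in a temporary directory.
demo() {
  tmp=$(mktemp -d)
  make_san_cert "$tmp"
  check_san "$tmp/certificate.pem"
}
```

Running `demo` prints the line `DNS:example.com, DNS:www.example.com, DNS:mail.example.com, DNS:ftp.example.com`, matching the inspection output in the answer. Checking the SAN after generation is the step worth keeping: a certificate whose names ended up only in the Subject CN, or in a CSR whose extensions were silently dropped, looks fine until a client rejects it. With OpenSSL 1.1.1 or later the config edit can also be avoided entirely with `openssl req -x509 ... -addext "subjectAltName=DNS:example.com,DNS:www.example.com"`.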