如何创建旧版(v1或v2)X.509证书进行测试 [英] how to create a legacy (v1 or v2) X.509 cert for testing

问题描述

我必须针对新代码编写一个测试用例，以检查X.509证书是否为版本3，但是在测试过程中需要使用一些旧版(v1/v2)证书来验证代码是否有效.

I have to write a test case against new code which checks to make sure that an X.509 cert is version 3, but I need some legacy (v1/v2) certs to use during testing to verify that the code works.

我正在尝试在Mac上使用openssl生成证书.我得到的都是v3证书.

I'm trying to generate the certs using openssl on a Mac. All i get are v3 certs.

我已经阅读了openssl联机帮助页，对创建v1或v2证书一无所知.

I've read thru the openssl manpage and see nothing about creating v1 or v2 certs.

除了在旧硬件上设置旧操作系统并安装旧版本的openssl之外，还有生成旧证书或将v3证书转换为v1/v2的想法吗?

Aside from setting up an old OS on old hardware and installing an old version of openssl, are there any ideas for generating old certs or converting v3 certs to v1/v2?

推荐答案

版本1和版本3证书之间的主要区别是在版本3中添加了证书扩展.

A key difference between Version 1 and Version 3 certificates is the addition of certificate extensions in Version 3.

看看OpenSSL ca命令文档. -extensions section选项的文档说明:

Take a look at the OpenSSL ca command documentation. The doc for the -extensions section option explains:

配置文件中包含要在颁发证书时添加的证书扩展名的部分(除非使用-extfile选项，否则默认为x509_extensions).如果没有扩展部分，则创建V1证书.如果存在扩展部分(即使扩展部分为空)，则将创建V3证书.有关扩展部分格式的详细信息，请参见:w x509v3_config(5)手册页

要创建版本1证书，请将openssl命令指向一个不带扩展名部分的配置文件.删除该部分的一种快速方法是注释掉或删除读取x509_extensions = <...>的行.

To create a Version 1 certificate, point your openssl command a configuration file without the extension section. A quick way to remove the section is to comment out or delete the lines reading x509_extensions = <...>.

然后，您应该能够通过运行常规命令来生成版本1证书.例如:

You should then be able to generate Version 1 certificates by running the usual commands. For example:

openssl genrsa -out ca.key 1024
openssl req -new -key ca.key -out ca.csr -config /path/to/config-file
openssl x509 -req -days 365 -in ca.csr -signkey ca.key -out ca.crt

这篇关于如何创建旧版(v1或v2)X.509证书进行测试的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！