Openssl creating a certificate from a CSR (No Private Key - Stored in another System)


Problem description

I need to create a certificate based on a CSR generated by a third party; I have no access to the private key. The certificate generated needs to have keyUsage = keyCertSign as a minimum as part of the certificate.

C:/OpenSSL-Win32/bin/openssl.exe req -in C:/xampp/htdocs/certs/test.csr -out test.cer -config C:/xampp/htdocs/command.cnf

Which of course doesn't work.

Is this possible? If not, can certreq be used instead? The PKI servers we are using are Microsoft based.

Recommended answer

Given a certificate (ca-cert.pem) and its private key (ca-key.pem), use OpenSSL to sign a provided CSR (csr.pem) and generate a certificate for it (cert.pem) -

openssl x509 -req -in csr.pem -out cert.pem -CA ca-cert.pem -CAkey ca-key.pem -CAcreateserial -days 365 -sha256

Meaning of the options -

  • -CAcreateserial - the serial number would be randomly generated for the certificate (and incremented in future invocations).
  • -days 365 - the certificate would have a validity of 365 days.
  • -sha256 - the certificate would use SHA256 as its signature algorithm (which is the default).

To generate such a certificate with the "certificate signing" key usage (and also a CA basic constraint, which you probably need), create a configuration file (config.txt) -

[extensions]
keyUsage = keyCertSign
basicConstraints = CA:TRUE

And provide it to OpenSSL as well (pointing to the "extensions" section) -

openssl x509 -req -in csr.pem -out cert.pem -CA ca-cert.pem -CAkey ca-key.pem -CAcreateserial -days 365 -sha256 -extfile config.txt -extensions extensions

Check the generated certificate -

openssl x509 -in cert.pem -noout -text

It contains -

X509v3 extensions:
  X509v3 Key Usage:
    Certificate Sign
  X509v3 Basic Constraints:
    CA:TRUE

For completeness, here is how to create the "provided" CA key, CA self-signed certificate, subject key and CSR (here using RSA keys; EC keys can be used identically) -

CA key -

openssl genpkey -algorithm RSA -out ca-key.pem -pkeyopt rsa_keygen_bits:2048

CA self-signed certificate -

openssl req -key ca-key.pem -new -x509 -days 365 -out ca-cert.pem -sha256 -subj /CN=CACert

Subject key -

openssl genpkey -algorithm RSA -out key.pem -pkeyopt rsa_keygen_bits:2048

CSR for the subject key -

openssl req -new -key key.pem -out csr.pem -sha256 -subj /CN=SubjectCert
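The whole procedure from the answer above, wrapped as a script with the checks a CA operator would run before and after signing somebody else's CSR. This is an added example, not code from the original answer. It assumes openssl is on PATH, works in a scratch directory, and creates the CA and the "third party" key and CSR locally only so it runs offline; in the real scenario only csr.pem arrives and the subject's key stays on the other system. The extension file goes beyond the answer's config.txt: keyUsage and basicConstraints are marked critical, pathlen:0 is added so the issued certificate can sign end-entity certificates but not further CAs, and cRLSign plus key identifiers are included. Those are hardening choices of this example, not something the answer specifies. The function names are this example's own.

```shell
#!/bin/sh
# Added example: sign a third-party CSR with a local CA, request keyCertSign,
# then verify the result. File names and the scratch directory are assumptions.
set -eu

WORK="${WORK:-$(mktemp -d)}"
cd "$WORK"

# Stand-ins for the "provided" CA and for the third party's key + CSR.
# Constructed here only so the example runs offline (same commands as the answer).
make_fixtures() {
    openssl genpkey -algorithm RSA -out ca-key.pem -pkeyopt rsa_keygen_bits:2048 2>/dev/null
    openssl req -key ca-key.pem -new -x509 -days 365 -out ca-cert.pem -sha256 -subj /CN=CACert
    openssl genpkey -algorithm RSA -out key.pem -pkeyopt rsa_keygen_bits:2048 2>/dev/null
    openssl req -new -key key.pem -out csr.pem -sha256 -subj /CN=SubjectCert
}

# Extension file: the answer's two extensions, hardened. "critical" makes
# relying parties reject the cert if they do not understand the constraint;
# pathlen:0 stops the new CA from issuing further sub-CAs.
write_extfile() {
    cat > config.txt <<'EOF'
[extensions]
keyUsage = critical, keyCertSign, cRLSign
basicConstraints = critical, CA:TRUE, pathlen:0
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid, issuer
EOF
}

# Before signing anything received from outside: confirm the CSR's self-signature
# (proof that the requester holds the private key) and look at who is asking.
check_csr() {
    openssl req -in csr.pem -noout -verify >/dev/null 2>&1 || return 1
    openssl req -in csr.pem -noout -subject
}

# The signing step from the answer; ca-cert.srl is created by -CAcreateserial.
sign_csr() {
    openssl x509 -req -in csr.pem -out cert.pem -CA ca-cert.pem -CAkey ca-key.pem \
        -CAcreateserial -days 365 -sha256 -extfile config.txt -extensions extensions 2>/dev/null
}

# Post-signing checks: the chain validates against the CA ...
cert_verifies() {
    openssl verify -CAfile ca-cert.pem cert.pem >/dev/null 2>&1
}

# ... the certificate carries exactly the CSR's public key (no key mix-up) ...
cert_key_matches_csr() {
    csr_pub=$(openssl req -in csr.pem -noout -pubkey)
    cert_pub=$(openssl x509 -in cert.pem -noout -pubkey)
    [ "$csr_pub" = "$cert_pub" ]
}

# ... and the requested extensions actually made it into the certificate.
cert_has_keycertsign() {
    openssl x509 -in cert.pem -noout -text | grep -q 'Certificate Sign'
}

cert_is_ca_pathlen0() {
    openssl x509 -in cert.pem -noout -text | grep -q 'CA:TRUE, pathlen:0'
}

run_all() {
    make_fixtures
    write_extfile
    check_csr
    sign_csr
    cert_verifies && cert_key_matches_csr && cert_has_keycertsign && cert_is_ca_pathlen0
}

run_all && echo "OK: cert.pem issued in $WORK"
```

The point of the two pre-signing and four post-signing checks: a certificate with keyCertSign and CA:TRUE turns its holder into a subordinate CA of yours, so everything it issues chains to your root. Verify the CSR's signature and subject before signing, and after signing confirm the certificate really contains the CSR's key and the constraints you intended, rather than whatever a default config section happened to add.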
