How can I generate a self-signed certificate with SubjectAltName using OpenSSL?

Problem description

I am trying to generate a self-signed certificate with OpenSSL with SubjectAltName in it. While I am generating the csr for the certificate, my guess is I have to use v3 extensions of OpenSSL x509. I am using:

openssl req -new -x509 -v3 -key private.key -out certificate.pem -days 730

Can someone help me with the exact syntax?

Solution

Can someone help me with the exact syntax?

It's a three-step process, and it involves modifying the openssl.cnf file. You might be able to do it with only command line options, but I don't do it that way.

Find your openssl.cnf file. It is likely located in /usr/lib/ssl/openssl.cnf:

$ find /usr/lib -name openssl.cnf
/usr/lib/openssl.cnf
/usr/lib/openssh/openssl.cnf
/usr/lib/ssl/openssl.cnf

On my Debian system, /usr/lib/ssl/openssl.cnf is used by the built-in openssl program. On recent Debian systems it is located at /etc/ssl/openssl.cnf.

You can determine which openssl.cnf is being used by adding a spurious XXX to the file and seeing if openssl chokes.


First, modify the req parameters. Add an alternate_names section to openssl.cnf with the names you want to use. There are no existing alternate_names sections, so it does not matter where you add it.

[ alternate_names ]

DNS.1        = example.com
DNS.2        = www.example.com
DNS.3        = mail.example.com
DNS.4        = ftp.example.com

Next, add the following to the existing [ v3_ca ] section. Search for the exact string [ v3_ca ]:

subjectAltName      = @alternate_names

You might change keyUsage to the following under [ v3_ca ]:

keyUsage = digitalSignature, keyEncipherment

digitalSignature and keyEncipherment are standard fare for a server certificate. Don't worry about nonRepudiation. It's a useless bit thought up by computer science guys/gals who wanted to be lawyers. It means nothing in the legal world.

In the end, the IETF (RFC 5280), browsers and CAs run fast and loose, so it probably does not matter what key usage you provide.


Second, modify the signing parameters. Find this line under the CA_default section:

# Extension copying option: use with caution.
# copy_extensions = copy

And change it to:

# Extension copying option: use with caution.
copy_extensions = copy

This ensures the SANs are copied into the certificate. The other ways to copy the DNS names are broken.


Third, generate your self-signed certificate:

$ openssl genrsa -out private.key 3072
$ openssl req -new -x509 -key private.key -sha256 -out certificate.pem -days 730
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
...

Finally, examine the certificate:

$ openssl x509 -in certificate.pem -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 9647297427330319047 (0x85e215e5869042c7)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, ST=MD, L=Baltimore, O=Test CA, Limited, CN=Test CA/emailAddress=test@example.com
        Validity
            Not Before: Feb  1 05:23:05 2014 GMT
            Not After : Feb  1 05:23:05 2016 GMT
        Subject: C=US, ST=MD, L=Baltimore, O=Test CA, Limited, CN=Test CA/emailAddress=test@example.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (3072 bit)
                Modulus:
                    00:e2:e9:0e:9a:b8:52:d4:91:cf:ed:33:53:8e:35:
                    ...
                    d6:7d:ed:67:44:c3:65:38:5d:6c:94:e5:98:ab:8c:
                    72:1c:45:92:2c:88:a9:be:0b:f9
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                34:66:39:7C:EC:8B:70:80:9E:6F:95:89:DB:B5:B9:B8:D8:F8:AF:A4
            X509v3 Authority Key Identifier:
                keyid:34:66:39:7C:EC:8B:70:80:9E:6F:95:89:DB:B5:B9:B8:D8:F8:AF:A4

            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Key Usage:
                Digital Signature, Non Repudiation, Key Encipherment, Certificate Sign
            X509v3 Subject Alternative Name:
                DNS:example.com, DNS:www.example.com, DNS:mail.example.com, DNS:ftp.example.com
    Signature Algorithm: sha256WithRSAEncryption
         3b:28:fc:e3:b5:43:5a:d2:a0:b8:01:9b:fa:26:47:8e:5c:b7:
         ...
         71:21:b9:1f:fa:30:19:8b:be:d2:19:5a:84:6c:81:82:95:ef:
         8b:0a:bd:65:03:d1
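
The three steps above collected into one script, as an added example that is not part of the original answer: it writes the same [ v3_ca ] and [ alternate_names ] sections to a private config file passed with -config, so the system openssl.cnf stays untouched, and then checks that each name really landed in the certificate. The function names, the san.cnf file name, the req_dn section name, the basicConstraints line and the use of the first name as CN are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not the answer's own code). Names and paths are sample values.

# make_san_cert OUTDIR NAME [NAME...]
# Writes OUTDIR/san.cnf, OUTDIR/private.key and OUTDIR/certificate.pem.
make_san_cert() {
    outdir=$1; shift
    mkdir -p "$outdir" || return 1
    cnf="$outdir/san.cnf"

    # x509_extensions selects the section applied by "req -x509";
    # prompt = no takes the DN from the file instead of asking for it.
    cat > "$cnf" <<EOF
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
prompt             = no

[ req_dn ]
CN = $1

[ v3_ca ]
basicConstraints = critical, CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
subjectAltName   = @alternate_names

[ alternate_names ]
EOF
    # One DNS.n entry per requested name, as in the answer's section.
    i=1
    for name in "$@"; do
        printf 'DNS.%d = %s\n' "$i" "$name" >> "$cnf"
        i=$((i + 1))
    done

    # umask 077 keeps the private key readable by its owner only.
    ( umask 077; openssl genrsa -out "$outdir/private.key" 3072 2>/dev/null ) || return 1
    openssl req -new -x509 -config "$cnf" -key "$outdir/private.key" \
        -sha256 -days 730 -out "$outdir/certificate.pem"
}

# cert_has_san CERT NAME: succeeds only if NAME is listed as a DNS SAN.
cert_has_san() {
    openssl x509 -in "$1" -noout -text |
        grep -A1 'X509v3 Subject Alternative Name' |
        tr ',' '\n' | sed 's/^ *//' | grep -Fqx "DNS:$2"
}
```

Call it as `make_san_cert ./out example.com www.example.com`, then `cert_has_san ./out/certificate.pem www.example.com`; a non-zero exit status means the name is missing from the certificate.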
