What is the difference between req_extensions in config and -extensions on command line?


Question

The sample openssl root ca config from the OpenSSL Cookbook defines the following (p40):

[req]
...
req_extensions = ca_ext

[ca_ext]
...

Later (p43), the root ca key is generated, then the root ca selfsigned cert.

openssl req -new \
-config root-ca.conf \
-out root-ca.csr \
-keyout private/root-ca.key

openssl ca -selfsign \
-config root-ca.conf \
-in root-ca.csr \
-out root-ca.crt \
-extensions ca_ext

Isn't req_extensions redundant in this specific use case? When is req_extension really needed?

Recommended answer

req_extensions is used for declaring request extensions to be included in PKCS #10 certificate signing request (CSR) objects. The extensions are part of the signed data in the CSR.
In general, a CA, when creating and signing an X.509 certificate in response to a CSR, and depending on the certificate profile, may or may not heed particular request extensions. You will need to use this to generate a CSR for use with a CA that expects particular information to be conveyed in this way.

OpenSSL itself does not copy any extensions from PKCS #10 requests to X.509 certificates; all extensions for certificates must be explicitly declared. The OpenSSL x509 man page provides some commentary:

Extensions in certificates are not transferred to certificate requests and vice versa.

Because you are using the OpenSSL CA, the use of req_extensions is indeed redundant.
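
The behaviour described in the answer can be checked directly. The script below is an added example, not part of the original question or answer: it builds a CSR whose config sets req_extensions = ca_ext, then signs it twice with openssl x509 -req, once without naming an extension section and once with -extensions ca_ext, and reports where CA:TRUE shows up. The file names, the "Demo Root CA" subject and the helper functions are constructed for this example, and it uses openssl x509 -req rather than the openssl ca setup from the question.

```shell
#!/bin/sh
# Added example. All names (demo.conf, "Demo Root CA", file names) are constructed.
set -eu

# Succeeds if the text dump of a CSR ($1=req) or certificate ($1=x509) shows CA:TRUE.
has_ca_true() {
    openssl "$1" -in "$2" -noout -text 2>/dev/null | grep -q 'CA:TRUE'
}

# Runs a command and prints "yes" or "no" depending on its exit status.
yesno() { if "$@"; then echo yes; else echo no; fi; }

run_demo() (
    d=$(mktemp -d)
    trap 'rm -rf "$d"' EXIT
    cd "$d"
    cat > demo.conf <<'EOF'
[req]
prompt = no
distinguished_name = dn
req_extensions = ca_ext
[dn]
CN = Demo Root CA
[ca_ext]
basicConstraints = critical,CA:true
keyUsage = critical,keyCertSign,cRLSign
EOF
    # req_extensions puts ca_ext into the signed CSR.
    openssl req -new -newkey rsa:2048 -nodes -config demo.conf \
        -keyout ca.key -out ca.csr 2>/dev/null
    # Signed without naming an extension section: the CSR's extensions are not carried over.
    openssl x509 -req -in ca.csr -signkey ca.key -days 1 -out plain.crt 2>/dev/null
    # Signed with -extensions: the section is applied to the certificate itself.
    openssl x509 -req -in ca.csr -signkey ca.key -days 1 \
        -extfile demo.conf -extensions ca_ext -out explicit.crt 2>/dev/null
    echo "csr=$(yesno has_ca_true req ca.csr)" \
         "plain=$(yesno has_ca_true x509 plain.crt)" \
         "explicit=$(yesno has_ca_true x509 explicit.crt)"
)

run_demo
```

The CSR and the explicitly extended certificate carry CA:TRUE; the certificate signed without an extension section does not, so a root certificate issued that way would not be usable as a CA.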
