OpenSSL Certificate (Version 3) with Subject Alternative Name
Question
I'm using the OpenSSL command line tool to generate a self-signed certificate. It seems to be working correctly except for two issues. I can't get it to create a .cer with a Subject Alternative Name (critical) and I haven't been able to figure out how to create a cert that is Version 3 (not sure if this is critical yet but would prefer learning how to set the version).
Has anyone done this successfully? The default config (.cfg) file has seemingly clear documentation (seen below):
"This stuff is for subjectAltName and issuerAltname. Import the email address. subjectAltName=email:copy"
However this does not work. My hunch is that the Subject Alternative Name is not showing up b/c it is not present in the V1 specs, which is why I'm also pursuing setting the version.
Here is the config file I'm using:
[ req ]
default_bits = 2048
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
emailAddress = myEmail@email.com
req_extensions = v3_req
x509_extensions = v3_ca
[req_distinguished_name]
C = [Press Enter to Continue]
C_default = US
C_min = 2
C_max = 2
O = [Press Enter to Continue]
O_default = default
0.OU=[Press Enter to Continue]
0.OU_default = default
1.OU=[Press Enter to Continue]
1.OU_default = PKI
2.OU=[Press Enter to Continue]
2.OU_default = ABCD
commonName = Public FQDN of server
commonName_max = 64
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment
[ v3_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
subjectAltName = email:myEmail@email.com
issuerAltName = issuer:copy
Recommended answer
Here are the simple steps for you:
While generating the CSR, you should use -config and -extensions, and while generating the certificate, you should use -extfile and -extensions.
Here is an example:
openssl req -new -nodes -keyout test.key -out test.csr -days 3650 -subj "/C=US/ST=SCA/L=SCA/O=Oracle/OU=Java/CN=test cert" -config /etc/pki/tls/openssl.cnf -extensions v3_req
openssl x509 -req -days 3650 -in test.csr -CA cacert.pem -CAkey rootCA.key -CAcreateserial -out test.pem -extfile /etc/pki/tls/openssl.cnf -extensions v3_req
Hope this helps.
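
The two-step flow from the answer as an end-to-end check (an added example, not part of the original answer): it builds a throwaway CA, creates a CSR with -config/-extensions, then signs it once without and once with -extfile/-extensions, showing that the SAN only reaches the certificate in the second case. The host names, file names and the section names ca_ext and san_ext are assumptions made for this example.

```sh
# Added example. Host names, file names and the section names ca_ext and
# san_ext are constructed for illustration.
make_certs() {   # $1 = working directory
    d=$1
    cat > "$d/san.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = test.example.com
[ ca_ext ]
basicConstraints = critical, CA:TRUE
[ san_ext ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
subjectAltName = DNS:test.example.com, email:admin@example.com
EOF
    # Self-signed test CA; with -x509, -extensions selects certificate extensions.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Test CA" \
        -config "$d/san.cnf" -extensions ca_ext \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null &&
    # CSR: -config/-extensions put the SAN into the request.
    openssl req -new -newkey rsa:2048 -nodes -config "$d/san.cnf" \
        -extensions san_ext -keyout "$d/test.key" -out "$d/test.csr" 2>/dev/null &&
    # Signed WITHOUT -extfile: the extensions in the CSR are not copied.
    openssl x509 -req -days 1 -in "$d/test.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -out "$d/no_ext.pem" 2>/dev/null &&
    # Signed WITH -extfile/-extensions: the SAN ends up in the certificate.
    openssl x509 -req -days 1 -in "$d/test.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -out "$d/test.pem" \
        -extfile "$d/san.cnf" -extensions san_ext 2>/dev/null
}

# Print the X.509 version number of certificate $1.
cert_version() {
    openssl x509 -in "$1" -noout -text | sed -n 's/^ *Version: \([0-9]*\) .*/\1/p'
}

# Print the subjectAltName value of certificate $1 (empty if absent).
cert_san() {
    openssl x509 -in "$1" -noout -text |
        sed -n '/Subject Alternative Name/{n;s/^ *//;p;}'
}

work=$(mktemp -d) && make_certs "$work" &&
    echo "no -extfile: SAN='$(cert_san "$work/no_ext.pem")'" &&
    echo "-extfile:    v$(cert_version "$work/test.pem") SAN='$(cert_san "$work/test.pem")'"
rm -rf "$work"
```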