OpenSSL Certificate (Version 3) with Subject Alternative Name


Problem description

I'm using the OpenSSL command line tool to generate a self signed certificate. It seems to be working correctly except for two issues. I can't get it to create a .cer with a Subject Alternative Name (critical) and I haven't been able to figure out how to create a cert that is Version 3 (not sure if this is critical yet but would prefer learning how to set the version).

Has anyone done this successfully? The default config (.cfg) file has seemingly clear documentation (seen below):

" This stuff is for subjectAltName and issuerAltname. Import the email address. subjectAltName=email:copy "

However this does not work. My hunch is that the subject Alternative Name is not showing up b/c it is not present in the V1 specs, which is why I'm also pursuing setting the version.

Here is the config file I'm using:

[ req ]
default_bits        = 2048 
default_keyfile     = privkey.pem 
distinguished_name  = req_distinguished_name
emailAddress        = myEmail@email.com
req_extensions          = v3_req
x509_extensions         = v3_ca

[req_distinguished_name]
C = [Press Enter to Continue]
C_default = US 
C_min = 2 
C_max = 2 

O = [Press Enter to Continue]
O_default = default 

0.OU=[Press Enter to Continue]
0.OU_default = default 
1.OU=[Press Enter to Continue]
1.OU_default = PKI 
2.OU=[Press Enter to Continue] 
2.OU_default = ABCD
commonName = Public FQDN of server 
commonName_max = 64

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment

[ v3_ca ]
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always,issuer:always
subjectAltName         = email:myEmail@email.com
issuerAltName          = issuer:copy

Recommended answer

Here are the simple steps for you

While generating the CSR you should use -config and -extensions and while generating certificate you should use -extfile and -extensions

Here is an example

openssl req -new -nodes -keyout test.key  -out test.csr -days 3650 -subj "/C=US/ST=SCA/L=SCA/O=Oracle/OU=Java/CN=test cert" -config /etc/pki/tls/openssl.cnf -extensions v3_req
openssl x509 -req -days 3650 -in test.csr -CA cacert.pem -CAkey rootCA.key -CAcreateserial -out test.pem -extfile /etc/pki/tls/openssl.cnf  -extensions v3_req

Hope this helps
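
The signing step described in the answer, as an added example that is not part of the original answer: it builds a throwaway CA and signs the same CSR twice, with and without `-extfile`/`-extensions`, so the two helper checks show that the SAN only reaches the certificate in the second case. The `san.cnf` contents, the host name `test.example.com` and the `no_ext.pem` file name are constructed for illustration.

```shell
# Added example: config contents, host name and output file names are constructed.
# Usage: d=$(mktemp -d); build_certs "$d"; has_san "$d/test.pem" && is_v3 "$d/test.pem"

# Write a minimal config whose [ v3_req ] section carries the SAN.
write_cnf() {
cat > "$1" <<'EOF'
[ req ]
distinguished_name = req_distinguished_name
req_extensions     = v3_req
prompt             = no

[ req_distinguished_name ]
CN = test.example.com

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
subjectAltName   = DNS:test.example.com

[ v3_ca ]
basicConstraints = critical, CA:TRUE
EOF
}

# Build a throwaway CA, one CSR, and two certificates signed from that CSR.
build_certs() {
  d=$1
  write_cnf "$d/san.cnf"
  openssl req -x509 -new -nodes -newkey rsa:2048 -keyout "$d/rootCA.key" \
    -out "$d/cacert.pem" -days 30 -subj "/CN=Constructed Test CA" \
    -config "$d/san.cnf" -extensions v3_ca 2>/dev/null
  openssl req -new -nodes -newkey rsa:2048 -keyout "$d/test.key" \
    -out "$d/test.csr" -config "$d/san.cnf" -extensions v3_req 2>/dev/null
  # Signed WITHOUT -extfile: extensions requested in the CSR are not carried over.
  openssl x509 -req -days 30 -in "$d/test.csr" -CA "$d/cacert.pem" \
    -CAkey "$d/rootCA.key" -CAcreateserial -out "$d/no_ext.pem" 2>/dev/null
  # Signed WITH -extfile/-extensions: the SAN lands in the issued certificate.
  openssl x509 -req -days 30 -in "$d/test.csr" -CA "$d/cacert.pem" \
    -CAkey "$d/rootCA.key" -CAcreateserial -out "$d/test.pem" \
    -extfile "$d/san.cnf" -extensions v3_req 2>/dev/null
}

# Succeeds if the certificate carries the expected SAN entry.
has_san() { openssl x509 -in "$1" -noout -text | grep -q "DNS:test.example.com"; }

# Succeeds if the certificate is X.509 version 3.
is_v3() { openssl x509 -in "$1" -noout -text | grep -q "Version: 3 (0x2)"; }
```

Running `openssl x509 -in test.pem -noout -text` on the result is the quickest way to confirm both the version and the `X509v3 Subject Alternative Name` section before deploying a certificate.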
