How to create a certificate using openssl including a CRL distribution point?


Problem description

I'm having problems using openssl to create a x509 certificate containing a crl distribution point for testing.

I've checked the documentation and found the configuration setting crlDistributionPoints for this purpose. Unfortunately openssl always generates x509 version 1 certificates without it, instead of version 3 certificates with the crl distribution point. I'm sure something is wrong with my command or the configuration, but reading the documentation carefully and playing around with the configuration did not help. Other settings from the configuration file are considered, so I'm sure the file itself is used by openssl.

I'm using the command

openssl x509 -req -in $NAME.csr -out certs/$NAME.pem -days 3650 -CAcreateserial -CA cacert.pem -CAkey private/cakey.pem -CAserial serial

I'm using the following configuration file:

[ ca ]
default_ca              = CA_default

[ CA_default ]

dir                     = /home/ca
database                = $dir/index.txt
new_certs_dir           = $dir/newcerts

certificate             = $dir/cacert.pem
serial                  = $dir/serial
private_key             = $dir/private/cakey.pem
RANDFILE                = $dir/private/.rand

default_days            = 3650
default_crl_days        = 30
default_md              = md5

policy                  = policy_any
email_in_dn             = no

name_opt                = ca_default
cert_opt                = ca_default
copy_extensions         = none

x509_extensions         = extensions_section

[ extensions_section ]

crlDistributionPoints=URI:http://example.com/crl.pem

[ policy_any ]
countryName             = supplied
stateOrProvinceName     = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

Any ideas?

Recommended answer

openssl x509 does not read the extensions configuration you've specified above in your config file.

You can get the crlDistributionPoints into your certificate in (at least) these two ways:

  1. Use openssl ca rather than x509 to sign the request. Pass -config as needed if your config is not in a default location. Most of your provided command can be used if you omit the options starting with -CA

openssl ca -in $NAME.csr -out certs/$NAME.pem -days 3650

  2. Use the command as you've provided in your question, but first create a file containing your v3 extensions (i.e. mycrl.cnf); add the option -extfile mycrl.cnf to your call to openssl x509

openssl x509 -req -in $NAME.csr -out certs/$NAME.pem -days 3650 \
  -CAcreateserial -CA cacert.pem -CAkey private/cakey.pem \
  -CAserial serial -extfile mycrl.cnf

mycrl.cnf contains the following:

crlDistributionPoints=URI:http://example.com/crl.pem

openssl ca is probably the command better suited to what you want to do, since most examples you will find rely on that command utilizing various settings in openssl.cnf for v3 extensions.

An aside: it is inadvisable to use MD5 message digest in certificates.

Previously SHA1 was the suggested alternative to MD5, however that too is now becoming deprecated. You can specify the message digest used in requests and signing operations, and you can list the supported message digests with openssl list-message-digest-commands.

As an example, you can use SHA256 when signing a request with the -md sha256 option to openssl ca ( or setting default_md=sha256 in your [CA_default] config section).
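The answer's two routes, run end to end against a throwaway CA, as an added example that is not code from the original question or answer. It signs one CSR three ways: with the question's plain openssl x509 -req command (which ignores the x509_extensions setting in the CA config), with -extfile mycrl.cnf, and with openssl ca reading x509_extensions from a minimal CA config, then checks each result for the CRL distribution point. It assumes an openssl binary on PATH, a writable temp directory, and the constructed subjects and file names below; the CRL URI is the page's example value and the digest is the sha256 the answer recommends.

```shell
#!/bin/sh
# Added example (not from the original post): reproduce the problem and both
# fixes on a throwaway CA. Assumes openssl on PATH; subjects and file names
# are constructed for this demo. Without openssl there is nothing to show.
command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; exit 0; }
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Extension file for the -extfile route (the answer's mycrl.cnf).
cat > mycrl.cnf <<'EOF'
crlDistributionPoints=URI:http://example.com/crl.pem
EOF

# Minimal CA config for the "openssl ca" route; dir = . because we cd'd into WORK.
cat > ca.cnf <<'EOF'
[ ca ]
default_ca              = CA_default

[ CA_default ]
dir                     = .
database                = $dir/index.txt
new_certs_dir           = $dir/newcerts
certificate             = $dir/cacert.pem
serial                  = $dir/serial
private_key             = $dir/cakey.pem
default_days            = 365
default_md              = sha256
policy                  = policy_any
x509_extensions         = extensions_section

[ extensions_section ]
crlDistributionPoints   = URI:http://example.com/crl.pem

[ policy_any ]
countryName             = supplied
commonName              = supplied
EOF

# Self-signed throwaway CA plus the database files "openssl ca" expects.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
  -subj "/C=XX/CN=Constructed Test CA" \
  -keyout cakey.pem -out cacert.pem 2>/dev/null
touch index.txt; echo 01 > serial; mkdir newcerts

# A leaf key and CSR to sign (constructed subject).
openssl req -new -newkey rsa:2048 -nodes -sha256 \
  -subj "/C=XX/CN=leaf.example.com" \
  -keyout leaf.key -out leaf.csr 2>/dev/null

# The question's command: x509_extensions in the CA config is never read.
sign_x509_plain() {
  openssl x509 -req -in leaf.csr -out leaf-plain.pem -days 365 -sha256 \
    -CA cacert.pem -CAkey cakey.pem -CAcreateserial 2>/dev/null
}
# Answer's option 2: hand the extensions to openssl x509 via -extfile.
sign_x509_extfile() {
  openssl x509 -req -in leaf.csr -out leaf-extfile.pem -days 365 -sha256 \
    -CA cacert.pem -CAkey cakey.pem -CAcreateserial -extfile mycrl.cnf 2>/dev/null
}
# Answer's option 1: openssl ca picks up x509_extensions from the config.
sign_ca() {
  openssl ca -batch -notext -config ca.cnf -in leaf.csr -out leaf-ca.pem 2>/dev/null
}

# Inspection helpers: certificate version (prints 1 or 3) and CDP presence (exit 0 if present).
cert_version() {
  openssl x509 -in "$1" -noout -text | sed -n 's/^ *Version: \([0-9]\).*/\1/p'
}
has_cdp() {
  openssl x509 -in "$1" -noout -text | grep -q 'X509v3 CRL Distribution Points'
}

sign_x509_plain; sign_x509_extfile; sign_ca
for f in leaf-plain.pem leaf-extfile.pem leaf-ca.pem; do
  if has_cdp "$f"; then cdp=yes; else cdp=no; fi
  printf '%-16s version %s, CRL distribution point: %s\n' "$f" "$(cert_version "$f")" "$cdp"
done
```

Both fixed certificates come out as version 3 with the CRL distribution point. For the plain command, older OpenSSL releases emit the version 1 certificate the question describes; newer releases may add default key-identifier extensions on their own, but in neither case is the CRL distribution point present, which is the check a CA operator should run before relying on revocation.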
