使用openssl创建tsa(时间戳记)证书-在证书中添加ExtendedKeyUsage [英] create tsa (timestamping) certificate with openssl - add a extendedKeyUsage in a certificate

问题描述

我想为时间戳服务创建一个tsa证书.

I'd like to create a tsa certificate for my timestamping service.

首先，我创建一个根证书

First I create a root certificate

openssl genrsa -out tsaroot.key 4096 -config openssl.cnf
openssl req -new -x509 -days 1826 -key tsaroot.key -out tsaroot.crt -config openssl.cnf

然后我创建tsa证书

openssl genrsa -des3 -out tsa.key 4096 -config openssl.cnf
openssl req -new -key tsa.key -out tsa.csr -config openssl.cnf
openssl x509 -req -days 730 -in tsa.csr -CA tsaroot.crt -CAkey tsaroot.key -set_serial 01 -out tsa.crt
openssl pkcs12 -export -out tsa.p12 -inkey tsa.key -in tsa.crt -chain -CAfile tsaroot.crt

在我的openssl.cnf文件中，添加以下行:

In my openssl.cnf file, i add the following line :

extendedKeyUsage = critical,timeStamping

但是，创建的证书似乎不包含extendeKeyUsage(当我尝试用充气城堡读取它时，我得到了证书必须具有ExtendedKeyUsage扩展名."例外

Howerver, the created certificate doesn't seem to include the extendeKeyUsage (when i try to read it with bouncy castle i got a "Certificate must have an ExtendedKeyUsage extension." exception

如何生成有效的tsa证书(包括正确的extendedKeyUsage值)?

How can I generate a valid tsa certificate (with the correct extendedKeyUsage value included)?

谢谢

推荐答案

以下方法有效:

创建一个文件extKey.cnf，其中包含extendedKeyUsage

create a file extKey.cnf with the extendedKeyUsage inside

extendedKeyUsage = critical,timeStamping

在创建请求时添加它:

openssl x509 -req -days 730 -in tsa.csr -CA tsaroot.crt -CAkey tsaroot.key -set_serial 01 -out tsa.crt -extfile extKey.cnf

这篇关于使用openssl创建tsa(时间戳记)证书-在证书中添加ExtendedKeyUsage的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！