OpenSSL Config error when generating self-signed certificate string too long


Problem description

With the following OpenSSL Config

[ req ]
default_bits        = 2048
default_md          = sha256
default_keyfile     = drone-ci-web.company.com.key.pem
distinguished_name  = subject
req_extensions      = req_ext
x509_extensions     = x509_ext
string_mask         = utf8only
prompt              = no
encrypt_key         = no

[ subject ]
countryName                    = Country Name (2 letter code)
countryName_default            = US
stateOrProvinceName            = State or Province Name (full name)
stateOrProvinceName_default    = Missouri
localityName                   = Locality Name (eg, city)
localityName_default           = Jefferson City
organizationName               = Organization Name (eg, company)
organizationName_default       = My Company
organizationalUnitName         = Organizational Unit (eg, team)
organizationalUnitName_default = My Company Technologies
commonName                     = Common Name (e.g. server FQDN or YOUR name)
commonName_default             = drone-ci-web.company.com
emailAddress                   = Email Address
emailAddress_default           = DL_EMAIL_LIST@company.com

[ x509_ext ]
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer
basicConstraints       = CA:FALSE
keyUsage               = digitalSignature, keyEncipherment
subjectAltName         = @alternate_names
nsComment              = "Drone-CI - OpenSSL Generated Certificate"

[ req_ext ]
subjectKeyIdentifier = hash
basicConstraints     = CA:FALSE
keyUsage             = digitalSignature, keyEncipherment
subjectAltName       = @alternate_names
nsComment            = "Drone-CI - OpenSSL Generated Certificate"

[ alternate_names ]
DNS.1 = drone-ci-web.company.com

I run the following command:

sudo openssl req -x509 -config drone-ssl.cnf -new -out drone-ci-web.company.com.cert.pem

and I get the following error:

[vagrant@jonspc ~]$ sudo openssl req -x509 -config drone-ssl.cnf -new -out drone-ci-web.ccompany.com.cert.pem
Generating a 2048 bit RSA private key
..............................................................................................................+++
....................+++
writing new private key to 'drone-ci-web.company.com.key.pem'
-----
problems making Certificate Request
140184216713104:error:0D07A097:asn1 encoding routines:ASN1_mbstring_ncopy:string too long:a_mbstr.c:158:maxsize=2

From what I think it's telling me, one of the fields it's trying to use is "Too long" and is only two characters, but from what I keep reading, the countryName_default should override the countryName and make this accept the value given for default.

OpenSSL and Operating System information:

[vagrant@jonspc ~]$ openssl version
OpenSSL 1.0.2k-fips  26 Jan 2017
[vagrant@jonspc ~]$ cat /etc/oracle-release
Oracle Linux Server release 7.5
[vagrant@jonspc ~]$ cat /etc/redhat-release
Red Hat Enterprise Linux Server release 7.5 (Maipo)

HOWEVER, if I remove the _default lines and try again, this succeeds with the following config.

[ req ]
default_bits        = 2048
default_md          = sha256
default_keyfile     = drone-ci-web.company.com.key.pem
distinguished_name  = subject
req_extensions      = req_ext
x509_extensions     = x509_ext
string_mask         = utf8only
prompt              = no
encrypt_key         = no

[ subject ]
countryName            = US
stateOrProvinceName    = Missouri
localityName           = Jefferson City
organizationName       = My Company
organizationalUnitName = My Company Technologies
commonName             = drone-ci-web.company.com
emailAddress           = DL_EMAIL_LIST@company.com

[ x509_ext ]
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer
basicConstraints       = CA:FALSE
keyUsage               = digitalSignature, keyEncipherment
subjectAltName         = @alternate_names
nsComment              = "Drone-CI - OpenSSL Generated Certificate"

[ req_ext ]
subjectKeyIdentifier = hash
basicConstraints     = CA:FALSE
keyUsage             = digitalSignature, keyEncipherment
subjectAltName       = @alternate_names
nsComment            = "Drone-CI - OpenSSL Generated Certificate"

[ alternate_names ]
DNS.1 = drone-ci-web.company.com

This works with the following output.

[vagrant@jonspc ~]$ sudo openssl req -x509 -config drone-ssl.cnf -new -out drone-ci-web.company.com.cert.pem
Generating a 2048 bit RSA private key
..............+++
..............+++
writing new private key to 'drone-ci-web.company.com.key.pem'
-----

Recommended answer

From

DISTINGUISHED NAME AND ATTRIBUTE SECTION FORMAT

There are two separate formats for the distinguished name and attribute sections. If the prompt option is set to no then these sections just consist of field names and values: for example,

 CN=My Name
 OU=My Organization
 emailAddress=someone@somewhere.org

This allows external programs (e.g. GUI based) to generate a template file with all the field names and values and just pass it to req. An example of this kind of configuration file is contained in the EXAMPLES section. Alternatively if the prompt option is absent or not set to no then the file contains field prompting information. It consists of lines of the form:

 fieldName="prompt"
 fieldName_default="default field value"
 fieldName_min= 2
 fieldName_max= 4

So basically what you figured out yourself.
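
A pre-flight check for the mismatch the answer describes, added here as an example that is not part of the original question or answer: with prompt = no every line of the distinguished_name section is read as a field name and value, so the prompt text itself becomes the countryName value and exceeds the maxsize=2 shown in the error. The function names (parse_conf, lint_req_dn) and the reduced sample configs are constructed for illustration.

```python
import re

# Prompt-format suffixes listed in the quoted documentation.
SUFFIXES = ("_default", "_min", "_max")

def parse_conf(text):
    """Minimal OpenSSL-config reader: {section: [(key, value), ...]}."""
    sections, current = {}, "default"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.fullmatch(r"\[\s*(\S+)\s*\]", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, [])
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            sections.setdefault(current, []).append((key, value))
    return sections

def lint_req_dn(text):
    """Return findings for a DN section written in the wrong format."""
    conf = parse_conf(text)
    req = dict(conf.get("req", []))
    if req.get("prompt", "").lower() != "no":
        return []  # prompting format: _default/_min/_max lines are expected
    findings = []
    for key, value in conf.get(req.get("distinguished_name", ""), []):
        if key.endswith(SUFFIXES):
            findings.append(f"{key}: prompt-style key, but prompt = no")
        elif key in ("countryName", "C") and len(value) != 2:
            findings.append(f"{key}: {len(value)} characters given as the value, limit is 2")
    return findings

# Constructed samples, reduced from the two configs in the question.
FAILING = """
[ req ]
distinguished_name = subject
prompt = no
[ subject ]
countryName = Country Name (2 letter code)
countryName_default = US
"""
WORKING = FAILING.replace("Country Name (2 letter code)", "US").replace(
    "countryName_default = US\n", "")

if __name__ == "__main__":
    for name, conf in (("failing", FAILING), ("working", WORKING)):
        print(name, lint_req_dn(conf) or "ok")
```

Run it against a config before calling openssl req; an empty result means the DN section matches the format that the prompt setting selects.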
