How do you add a subjectNameAlt extension to X509_REQ?


Question

I am creating a CSR which is going to be processed by my server. It needs to set the subjectNameAlt so that the server can process it. I've searched far and wide, and have only found how to do it with normal X509 certs, not X509_REQ. How can I do this (with C and OpenSSL. I.e. I need the equivalent of X509_get_ext_d2i but for X509_REQ)?

Recommended answer

Programmatically

Have a look at the demos/x509/mkreq.c file that comes with OpenSSL. It creates a request and adds an email address as an alternative name. Stripped down it does the following:

exts = sk_X509_EXTENSION_new_null();
add_ext(exts, NID_subject_alt_name, "email:steve@openssl.org");
X509_REQ_add_extensions(x, exts);
sk_X509_EXTENSION_pop_free(exts, X509_EXTENSION_free);

add_ext is implemented like this:

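/* Build one extension from its textual value and push it onto the stack.
   Returns 1 on success, 0 on failure. */
int add_ext(STACK_OF(X509_EXTENSION) *sk, int nid, char *value) {
  X509_EXTENSION *ex;
  /* No config database and no context are needed for a literal value. */
  ex = X509V3_EXT_conf_nid(NULL, NULL, nid, value);
  if (!ex)
    return 0;
  if (!sk_X509_EXTENSION_push(sk, ex)) {
    X509_EXTENSION_free(ex); /* push failed: do not leak the extension */
    return 0;
  }
  return 1;
}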

From the command line

I am leaving this section in for others, although the OP asked for the API.

https://wiki.cacert.org/FAQ/subjectAltName advises copying the openssl.cnf file to a temporary openssl-san.cnf file and then editing that like this:

[req]
req_extensions = v3_req

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = host1.yourdomain.tld
DNS.2 = host2.yourdomain.tld
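
A way to confirm that a request built from the configuration above really carries the subjectAltName before it is sent to the server. This is an added example, not part of the original answer or the CAcert wiki page. The file names san.cnf, key.pem and req.pem, the function names, and the [dn] section with prompt = no (used so the config is self-contained instead of a copy of openssl.cnf) are assumptions.

```shell
#!/bin/sh
# Added example (constructed): san.cnf, key.pem, req.pem and the function names are assumptions.

# make_san_csr DIR: write a minimal SAN config, then a key and CSR, into DIR.
make_san_csr() {
    cat > "$1/san.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
req_extensions = v3_req

[dn]
CN = host1.yourdomain.tld

[v3_req]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = host1.yourdomain.tld
DNS.2 = host2.yourdomain.tld
EOF
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -config "$1/san.cnf" \
        -keyout "$1/key.pem" -out "$1/req.pem" 2>/dev/null
}

# csr_san_names FILE: print the DNS names in the CSR's subjectAltName, one per line.
csr_san_names() {
    openssl req -in "$1" -noout -text |
        awk '/Subject Alternative Name/ { getline; print }' |
        tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# csr_has_san FILE NAME: succeed only if NAME is an exact SAN entry.
csr_has_san() {
    csr_san_names "$1" | grep -qxF "$2"
}

# Demo run in a throwaway directory.
tmp=$(mktemp -d)
make_san_csr "$tmp" && csr_san_names "$tmp/req.pem"
rm -rf "$tmp"
```

If csr_san_names prints nothing, the req_extensions line was not picked up and the CSR was issued without the extension.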
