How do I add additional information to a Certificate Signing Request (CSR)?

Problem description

I'm using OpenSSL to generate a Certificate Signing Request (CSR).

The standard fields are:

Common Name: John Doe
Organization: MyCompany Inc.
Organization Unit: Sales
Locality: SF
State: CA
Country: US
Email: john.doe@mycompany.com

However I want to add my own fields to the certificate such as:
GroupId: 348348923
EmployeeLevel: Class 3

What is the proper way to do this before I request the Certificate Authority (CA) sign the CSR?

Recommended answer

All the fields you're describing are subject items in an X509 CSR. They're actually OIDs (usually displayed by their given short name). You can find a list of them here. To do what you want requires a few things. First, you must define an OID that you want to map to your short names. There are several ways to do this, but if you want to guarantee uniqueness technically you should be requesting an enterprise number from IANA (list of private assignments).

If you don't really need that sort of thing you can cheat and just generate your own made-up # under 1.3.6.1.4.1.X of course, but I'd recommend using a very large #.

Once you've done that you can define OpenSSL OID mappings in the conf or whatever other tool you may be using. Of course, if you view the resulting certificate in anything that's unaware of your own mappings you won't see "GroupId" but will instead see something more like "1.3.6.1.4.1.3838483483.1=Class 3".

It should be noted that if you're sending this CSR to any publicly trusted CA (rather than your own private CA) there's a very, very high probability that they will drop any unknown fields.

Of course, chances are you don't necessarily want to do any of this. If you need to encode these values into a certificate I'd suggest either directly referencing your made-up OID or choosing from the wide variety of rarely used predefined subject OIDs that have shortname mappings already.
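
The procedure described in the answer, as an added example that is not part of the original answer: an OpenSSL config that maps two short names to custom OIDs, a CSR built from it, and the subject viewed with and without the mappings. The arc 1.3.6.1.4.1.3838483483 is the made-up number quoted in the answer; the .1/.2 sub-arc assignments, file names and function names are assumptions.

```shell
#!/bin/sh
# Added example. 1.3.6.1.4.1.3838483483 is the made-up arc from the answer,
# not a registered IANA enterprise number; the .1/.2 sub-arcs are assumptions.

make_csr() {  # $1 = output directory; writes req.cnf, key.pem and req.csr
    cat > "$1/req.cnf" <<'EOF'
# oid_section goes in the default (unnamed) section, as in the stock openssl.cnf
oid_section = new_oids

[ new_oids ]
EmployeeLevel = 1.3.6.1.4.1.3838483483.1
GroupId       = 1.3.6.1.4.1.3838483483.2

[ req ]
prompt             = no
distinguished_name = dn

[ dn ]
CN            = John Doe
O             = MyCompany Inc.
OU            = Sales
L             = SF
ST            = CA
C             = US
emailAddress  = john.doe@mycompany.com
GroupId       = 348348923
EmployeeLevel = Class 3
EOF
    openssl req -new -newkey rsa:2048 -nodes -config "$1/req.cnf" \
        -keyout "$1/key.pem" -out "$1/req.csr"
}

# Subject as printed by a tool that loads the same OID mappings (short names).
show_subject() {
    openssl req -in "$1/req.csr" -noout -subject -config "$1/req.cnf"
}

# Raw ASN.1 view without the mappings: the custom fields appear as dotted OIDs.
show_raw_oids() {
    openssl asn1parse -in "$1/req.csr" | grep 'OBJECT'
}

workdir=$(mktemp -d)
make_csr "$workdir" && show_subject "$workdir" && show_raw_oids "$workdir"
```

Before relying on the issued certificate, inspect it the same way as the CSR: as the answer notes, a CA may drop subject fields it does not recognise.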
