无论如何通过命令行为openssl cert指定basicConstraints [英] Is there anyway to specify basicConstraints for openssl cert via command line

问题描述

我想在我的自签名 CA 创建脚本中包含一个 basicConstraints=CA:TRUE,pathlen:0 约束，如果我不这样做，它将大大简化我的程序'不必创建配置文件和适当 CA 的所有文件夹结构.

I'd like to include a basicConstraints=CA:TRUE,pathlen:0 constraint in my self signed CA creation script and it would go a very long way to simplify my procedure if I didn't have to create a config file and all the folder structure of a proper CA.

我正在尝试创建一个只能签署最终证书而不是进一步 CA 的中间证书.我将使用 bouncycastle 来签署所有进一步的证书，无论如何都不会使用我需要为适当的 CA 创建的文件夹结构.

I'm trying to create an intermediate cert that can only sign end certs, not further CAs. I will be using bouncycastle to sign all further certs, the folder structure I would need to create for a proper CA will not be used anyway.

推荐答案

您不需要创建 OpenSSL 配置文件或任何文件夹结构，即可使用OpenSSL.

You do not need to create an OpenSSL configuration file, or any folder structure at all, to create a self-signed certificate using OpenSSL.

例如，这是一个最小的 OpenSSL 配置文件可能包含的内容，用于按照您的要求设置基本约束扩展:

For example, here is what a minimal OpenSSL configuration file might contain to set the basic constraints extension as you ask:

[req]
distinguished_name=dn
[ dn ]
[ ext ]
basicConstraints=CA:TRUE,pathlen:0

这里我使用 OpenSSL 从带有这个配置文件"的 Bash shell 创建了一个自签名证书，只是，它不是一个文件——它是一个 shell 变量:

And here I create a self-signed certificate using OpenSSL from a Bash shell with this "configuration file", only, it's not a file -- it's a shell variable:

CONFIG="
[req]
distinguished_name=dn
[ dn ]
[ ext ]
basicConstraints=CA:TRUE,pathlen:0
"

openssl req -config <(echo "$CONFIG") -new -newkey rsa:2048 -nodes \
  -subj "/CN=Hello" -x509 -extensions ext -keyout key.pem -out crt.pem

祝你好运！

这篇关于无论如何通过命令行为openssl cert指定basicConstraints的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！