Subject Alternative Name is not copied to signed certificate


Problem description

I use a self-signed CA cert to sign other certificates. For some certs I need to specify subject alternative names. I can specify them during request generation (openssl req ...) and I see them in the .csr file. Then I sign it with the CA cert using

openssl x509 -req -extensions x509v3_config -days 365 -in ${name}.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out ${name}.crt

and the following sections in the openssl.cnf file:

[ x509 ]
x509_extensions = x509v3_config

[ x509v3_config ]
copy_extensions = copy

but I see no SAN in the .crt file.

I know about solutions with the openssl ca ... command, but I have no valid [ca] section and I don't want to copy/paste it without a deep understanding of what it does. So I hope that another solution exists with the openssl x509 ... command.

Recommended answer

The copy_extensions directive is only understood by the openssl ca command. There is no way to copy extensions from a CSR to the certificate with the openssl x509 command.

Instead, you should specify the exact extensions you want as part of the openssl x509 command, using the same directives you used for openssl req.
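
The answer's approach as a runnable sketch (an added example, not part of the original answer): one SAN section is used for openssl req and then passed again to openssl x509 with -extfile and -extensions. The file names, example.test, Demo CA and the section names san_ext and ca_ext are constructed for the demo.

```shell
#!/bin/sh
# Added example. example.test, Demo CA, san_ext and ca_ext are constructed names.

# make_demo_pki DIR: throwaway CA, a CSR carrying a SAN, and two signed certs.
make_demo_pki() (
    cd "$1" || exit 1
    cat > ext.cnf <<'EOF'
[ req ]
distinguished_name = dn
req_extensions = san_ext
prompt = no
[ dn ]
CN = example.test
[ ca_ext ]
basicConstraints = critical, CA:TRUE
[ san_ext ]
subjectAltName = DNS:example.test, DNS:www.example.test
EOF
    # Self-signed CA (subject overridden with -subj).
    openssl req -x509 -newkey rsa:2048 -nodes -config ext.cnf -extensions ca_ext \
        -subj "/CN=Demo CA" -days 3650 -keyout ca.key -out ca.crt 2>/dev/null || exit 1
    # CSR: the SAN comes from req_extensions = san_ext.
    openssl req -new -newkey rsa:2048 -nodes -config ext.cnf \
        -keyout leaf.key -out leaf.csr 2>/dev/null || exit 1
    # Signed with no -extfile, as in the question: CSR extensions are not copied.
    openssl x509 -req -in leaf.csr -CA ca.crt -CAkey ca.key -set_serial 01 \
        -days 365 -out nosan.crt 2>/dev/null || exit 1
    # Signed with the same san_ext section passed explicitly to openssl x509.
    openssl x509 -req -in leaf.csr -CA ca.crt -CAkey ca.key -set_serial 02 \
        -days 365 -extfile ext.cnf -extensions san_ext -out san.crt 2>/dev/null
)

# san_of CERT: print the certificate's SAN value, or nothing if it has none.
san_of() {
    openssl x509 -in "$1" -noout -text |
        sed -n '/Subject Alternative Name/{n;s/^ *//;s/ *$//;p;}'
}

demo_dir=$(mktemp -d) && make_demo_pki "$demo_dir" || exit 1
echo "without -extfile: [$(san_of "$demo_dir/nosan.crt")]"
echo "with -extfile:    [$(san_of "$demo_dir/san.crt")]"
rm -rf "$demo_dir"   # the demo keys are throwaway
```

Because the signing side names the extensions itself, nothing in the CSR reaches the certificate unless it was placed in the extension file; check the names the CSR requests before adding them there.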
