主题备用名称未复制到签名证书 [英] Subject Alternative Name is not copied to signed certificate
问题描述
我使用自签名 CA 证书来签署其他证书.对于某些证书,我需要指定主题替代名称.我可以在请求生成期间指定它们(openssl req ...
),我在 .csr 文件中看到它们.然后我使用
I use self-signed CA cert to sign other certificates. For some certs I need to specify subject alternative names. I can specify them during request generation (openssl req ...
) and I see them in .csr file. Then I sign it with CA cert using
openssl x509 -req -extensions x509v3_config -days 365 -in ${name}.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out ${name}.crt
以及 openssl.cnf 文件中的下一部分:
and next sections in openssl.cnf file:
[ x509 ]
x509_extensions = x509v3_config
[ x509v3_config ]
copy_extensions = copy
但我在 .crt 文件中没有看到 SAN.
but I see no SAN in .crt file.
我了解解决方案 使用 openssl ca ...
命令,但我没有有效的 [ca]
部分,我不想在没有深入了解它的作用的情况下复制/粘贴它.所以我希望 openssl x509 ...
命令存在另一个解决方案.
I know about solutions with openssl ca ...
command but I have no valid [ca]
section and I don't want to copy/paste it without deep understanding what it does. So I hope that exists another solution with openssl x509 ...
command.
推荐答案
copy_extensions
指令只能被 openssl ca
命令理解.无法使用 openssl x509
命令将扩展从 CSR 复制到证书.
The copy_extensions
directive is only understood by the openssl ca
command. There is no way to copy extensions from a CSR to the certificate with the openssl x509
command.
相反,您应该在 openssl x509
命令中指定您想要的 exact 扩展,使用与 openssl req
.
Instead, you should specify the exact extensions you want as part of the openssl x509
command, using the same directives you used for openssl req
.
这篇关于主题备用名称未复制到签名证书的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!