How do I edit a self signed certificate created using openssl xampp?


Problem description


I created my own self signed certificate using openssl, which is built into xampp. However, I want to edit the common name, is this possible? Does anyone know how I can overwrite the certificate?

Recommended answer


However, I want to edit the common name, is this possible? Does anyone know how I can overwrite the certificate?


It's not possible per se. The Common Name (CN) is in the part of the certificate that is signed, so you can't simply remove it without invalidating the signature.


However, you can simply generate a new certificate request or self-signed certificate with DNS names in the Subject Alternate Name (SAN) (and not in the Common Name (CN)).


The trick to creating a self signed certificate with DNS names in the SAN is you need to use a custom configuration file. You can't generate one using just the command line because the DNS names in the SAN are not copied. Below is the custom CONF file I use (called example-com.conf).

example-com.conf:

# Self Signed (note the addition of -x509):
#     openssl req -config example-com.conf -new -x509 -sha256 -newkey rsa:2048 -nodes -keyout example-com.key.pem -days 365 -out example-com.cert.pem
# Signing Request (note the lack of -x509):
#     openssl req -config example-com.conf -new -newkey rsa:2048 -nodes -keyout example-com.key.pem -days 365 -out example-com.req.pem
# Print it:
#     openssl x509 -in example-com.cert.pem -text -noout
#     openssl req -in example-com.req.pem -text -noout

[ req ]
default_bits        = 2048
default_keyfile     = server-key.pem
distinguished_name  = subject
req_extensions      = req_ext
x509_extensions     = x509_ext
string_mask         = utf8only

# The Subject DN can be formed using X.501 or RFC 4514 (see RFC 4519 for a description).
#   It's sort of a mashup. For example, RFC 4514 does not provide emailAddress.
[ subject ]
countryName         = Country Name (2 letter code)
countryName_default     = US

stateOrProvinceName     = State or Province Name (full name)
stateOrProvinceName_default = NY

localityName            = Locality Name (eg, city)
localityName_default        = New York

organizationName         = Organization Name (eg, company)
organizationName_default    = Example, LLC

# Use a friendly name here because it's presented to the user. The server's DNS
#   names are placed in Subject Alternate Names. Plus, DNS names here are deprecated
#   by both IETF and CA/Browser Forums. If you place a DNS name here, then you
#   must include the DNS name in the SAN too (otherwise, Chrome and others that
#   strictly follow the CA/Browser Baseline Requirements will fail).
commonName          = Common Name (e.g. server FQDN or YOUR name)
commonName_default      = Example Company

emailAddress            = Email Address
emailAddress_default        = test@example.com

# Section x509_ext is used when generating a self-signed certificate. I.e., openssl req -x509 ...
[ x509_ext ]

subjectKeyIdentifier        = hash
authorityKeyIdentifier  = keyid,issuer

basicConstraints        = CA:FALSE
keyUsage            = digitalSignature, keyEncipherment
subjectAltName          = @alternate_names
nsComment           = "OpenSSL Generated Certificate"

# RFC 5280, Section 4.2.1.12 makes EKU optional
# CA/Browser Baseline Requirements, Appendix (B)(3)(G) makes me confused
# extendedKeyUsage  = serverAuth, clientAuth

# Section req_ext is used when generating a certificate signing request. I.e., openssl req ...
[ req_ext ]

subjectKeyIdentifier        = hash

basicConstraints        = CA:FALSE
keyUsage            = digitalSignature, keyEncipherment
subjectAltName          = @alternate_names
nsComment           = "OpenSSL Generated Certificate"

# RFC 5280, Section 4.2.1.12 makes EKU optional
# CA/Browser Baseline Requirements, Appendix (B)(3)(G) makes me confused
# extendedKeyUsage  = serverAuth, clientAuth

[ alternate_names ]

DNS.1       = example.com
DNS.2       = www.example.com
DNS.3       = mail.example.com
DNS.4       = ftp.example.com

# Add these if you need them. But usually you don't want them or
#   need them in production. You may need them for development.
# DNS.5       = localhost
# DNS.6       = localhost.localdomain
# IP addresses go in IP.n entries (iPAddress), not in DNS.n entries.
# IP.1        = 127.0.0.1

# IPv6 localhost
# IP.2        = ::1
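
Added example (not part of the original answer): because the certificate cannot be edited in place, this script regenerates it from a condensed version of the configuration above and uses openssl x509 -checkhost to confirm which hostnames the new certificate covers. The function names make_cert and host_matches, the san.conf file name and the prompt = no setting are assumptions of this example.

```shell
#!/bin/sh
# make_cert DIR NAME...: write DIR/san.conf, then a new key and self-signed
# certificate whose SAN lists every NAME. The CN stays a friendly name.
make_cert() {
    dir=$1; shift
    {
        printf '%s\n' \
            '[ req ]' \
            'distinguished_name = subject' \
            'x509_extensions    = x509_ext' \
            'string_mask        = utf8only' \
            'prompt             = no' \
            '[ subject ]' \
            'commonName         = Example Company' \
            '[ x509_ext ]' \
            'basicConstraints   = CA:FALSE' \
            'keyUsage           = digitalSignature, keyEncipherment' \
            'subjectAltName     = @alternate_names' \
            '[ alternate_names ]'
        i=1
        for name in "$@"; do
            printf 'DNS.%d = %s\n' "$i" "$name"
            i=$((i + 1))
        done
    } > "$dir/san.conf"
    # Same command as in the answer; it replaces any existing key and certificate.
    openssl req -config "$dir/san.conf" -new -x509 -sha256 -newkey rsa:2048 \
        -nodes -keyout "$dir/key.pem" -days 365 -out "$dir/cert.pem" 2>/dev/null
}

# host_matches CERT HOST: succeed only if HOST is covered by the certificate.
host_matches() {
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match certificate'
}

# Demo with constructed names: regenerate, then check what the new certificate covers.
work=$(mktemp -d)
make_cert "$work" example.com www.example.com
for host in www.example.com mail.example.com; do
    if host_matches "$work/cert.pem" "$host"; then
        echo "$host: covered"
    else
        echo "$host: not covered"
    fi
done
rm -rf "$work"
```

Running make_cert again on the same directory with a different list of names overwrites key.pem and cert.pem, which is the supported way to "change" the names in the certificate.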
