Self-signed certificate with subject alternative name

I am trying to create a self-signed certificate with OpenSSL on Ubuntu 14.10. I have been successfully generating a CSR that contains the correct extensions.

When I generate the certificate from the CSR, the SAN information does not come through.

openssl.cnf:

 [ ca ]
 default_ca = CA_default

 [ CA_default ]
 dir = ./demoCA # Where everything is kept
 certs = $dir/certs # Where the issued certs are kept
 crl_dir = $dir/crl # Where the issued crl are kept
 database = $dir/index.txt # database index file.
 new_certs_dir = $dir/newcerts # default place for new certs.
 certificate = $dir/cacert.pem # The CA certificate
 serial = $dir/serial # The current serial number
 crlnumber = $dir/crlnumber # the current crl number must be commented out to leave a V1 CRL
 crl = $dir/crl.pem # The current CRL
 private_key = $dir/private/cakey.pem # The private key
 RANDFILE = $dir/private/.rand # private random number file
 x509_extensions = v3_req # The extensions to add to the cert
 name_opt = ca_default # Subject Name options
 cert_opt = ca_default # Certificate field options
 copy_extensions = copy
 default_days = 365 # how long to certify for
 default_crl_days = 30 # how long before next CRL
 default_md = default # use public key default MD
 preserve = no # keep passed DN ordering
 policy = policy_match

 [ policy_match ]
 countryName = match
 stateOrProvinceName = match
 organizationName = match
 organizationalUnitName = optional
 commonName = supplied
 emailAddress = optional

 [ req ] # section header missing from the posted text; openssl req needs it to apply req_extensions
 default_bits = 2048
 default_keyfile = privkey.pem
 distinguished_name = req_distinguished_name
 attributes = req_attributes
 x509_extensions = usr_cert # The extensions to add to the self signed cert
 string_mask = utf8only
 req_extensions = v3_req # The extensions to add to a certificate request

 [ req_distinguished_name ]
 countryName = Country Name (2 letter code)
 countryName_default = US
 countryName_min = 2
 countryName_max = 2
 stateOrProvinceName = State or Province Name (full name)
 stateOrProvinceName_default = VA
 localityName = Locality Name (eg, city)
 localityName_default = Ashburn
 organizationalUnitName = Organizational Unit Name (eg, section)
 commonName = Common Name (eg server FQDN or YOUR name)
 commonName_max = 64
 emailAddress = Email Address
 emailAddress_max = 64
 emailAddress_default = [email protected]

 [ req_attributes ]
 challengePassword = A challenge password
 challengePassword_min = 4
 challengePassword_max = 20
 unstructuredName = An optional company name

 [ usr_cert ]
 basicConstraints=CA:FALSE
 nsComment = "OpenSSL Generated Certificate"
 subjectKeyIdentifier=hash
 authorityKeyIdentifier=keyid,issuer
 subjectAltName=@alt_names

 [ v3_req ]
 basicConstraints = CA:FALSE
 keyUsage = nonRepudiation, digitalSignature, keyEncipherment
 subjectAltName = @alt_names

 [ v3_ca ]
 subjectKeyIdentifier=hash
 authorityKeyIdentifier=keyid:always,issuer
 basicConstraints = CA:true

 [ crl_ext ]
 authorityKeyIdentifier=keyid:always

 [alt_names]
 IP.1 = 192.168.1.169

Generate the key:

 openssl genrsa -out test.key 2048 

Generate the CSR:

 openssl req -new -key test.key -out test.csr 

Verify the CSR:

 openssl req -text -noout -in test.csr | grep "IP Address"
 IP Address:192.168.1.169

Generate the certificate:

 openssl x509 -req -in test.csr -signkey test.key -out test.pem 

Verify the certificate:

 openssl x509 -text -noout -in test.pem | grep "IP Address" 

From the openssl x509 documentation, when using openssl x509 -req:

 -extfile filename
     file containing certificate extensions to use. If not specified then no extensions are added to the certificate.

 -extensions section
     the section to add certificate extensions from. If this option is not specified then the extensions should either be contained in the unnamed (default) section or the default section should contain a variable called "extensions" which contains the section to use. See the x509v3_config manual page for details of the extension section format.

Since your openssl x509 -req command uses neither the -extfile nor the -extensions option, and your openssl.cnf has a default/unnamed section with no "extensions" variable, the self-signed certificate you generate will have no extensions.

Given that, you could try:

 $ openssl x509 -req -in test.csr -signkey test.key -out test.pem -extensions v3_ca 

Note that you only need to do the above after editing openssl.cnf so that the v3_ca section looks like this:

 [ v3_ca ]
 subjectKeyIdentifier = hash
 authorityKeyIdentifier = keyid:always,issuer
 basicConstraints = CA:TRUE
 keyUsage = nonRepudiation, digitalSignature, keyEncipherment
 subjectAltName = @alt_names

You have added the subjectAltName variable to that section, just as you did in the v3_req section. Without it, your self-signed certificate will have extensions, but not the SAN you want. (I also copied the keyUsage extensions from v3_req, assuming you want those in your issued certificate as well.) You might be tempted to reuse that v3_req section instead of updating v3_ca, but you do not want to do that. Why? Because v3_req says the certificate is not a CA:

 [ v3_req ]
 basicConstraints = CA:FALSE
 ...

And since you are generating a self-signed certificate, that is probably not what you want.

Hope this helps!
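An added example, not from the question or the answer above, that reproduces the flow in a scratch directory and makes the difference visible: the first openssl x509 -req run has no -extfile and drops the SAN that is in the CSR, while the second passes the extension section with -extfile/-extensions, as the quoted x509 documentation describes, and the IP SAN appears. The config file, the CN and the file paths are constructed for the demo; 192.168.1.169 is the address from the question.

```shell
#!/bin/sh
# Added example, not from the original post. Reproduces the question's
# flow in a scratch directory and checks whether the IP SAN survives
# self-signing with and without an extension section.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl not installed" >&2; exit 0; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed config: one SAN section is reused for the CSR and the cert.
# 192.168.1.169 is the address from the question; the CN is made up.
cat > "$WORK/san.cnf" <<'EOF'
[ req ]
prompt             = no
distinguished_name = dn
req_extensions     = v3_san
[ dn ]
CN = test.example.internal
[ v3_san ]
basicConstraints = CA:TRUE
keyUsage         = digitalSignature, keyEncipherment
subjectAltName   = @alt_names
[ alt_names ]
IP.1 = 192.168.1.169
EOF

# Returns 0 when the certificate in $1 carries the expected IP SAN.
has_ip_san() {
    openssl x509 -noout -text -in "$1" | grep -q 'IP Address:192.168.1.169'
}

openssl genrsa -out "$WORK/test.key" 2048 2>/dev/null
openssl req -new -key "$WORK/test.key" -config "$WORK/san.cnf" -out "$WORK/test.csr"

# Exactly what the question ran: no -extfile, so no extensions are added.
openssl x509 -req -days 365 -in "$WORK/test.csr" -signkey "$WORK/test.key" \
    -out "$WORK/noext.pem" 2>/dev/null

# Same CSR, but the extension section is named explicitly.
openssl x509 -req -days 365 -in "$WORK/test.csr" -signkey "$WORK/test.key" \
    -extfile "$WORK/san.cnf" -extensions v3_san -out "$WORK/withext.pem" 2>/dev/null

for f in noext withext; do
    if has_ip_san "$WORK/$f.pem"; then echo "$f.pem: SAN present"; else echo "$f.pem: SAN missing"; fi
done
```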