我正在生成一个自签名的SSL证书:
$ openssl req -x509 -newkey rsa:2048 -subj 'CN=example.com' 我想在创build时指定一个subjectAltName ,但是在openssl的manpage中找不到关于如何执行的信息。
尝试将subjectAltName写入临时文件(我将其命名为hostextfile )
basicConstraints=CA:FALSE extendedKeyUsage=serverAuth subjectAltName=email:[email protected],RID:1.2.3.4
并通过“-extfile”选项在openssl命令中链接到它,例如:
openssl ca -days 730 -in hostreq.pem -out -hostcert.pem -extfile hostextfile
openssl命令不提供一种方法来包含像subjectAltName这样的扩展名,而不必先写configuration文件。 我写了一个简单的实用程序,它自动完成。 它在github上可用: https : //github.com/rtts/certify
使用示例:
./certify example.com www.example.com mail.example.com
这将创build一个名为example.com.crt的文件,其中包含具有example.com,www.example.com和mail.example.com的使用者替代名称的证书。
使用SubjectAltName创build自签名证书
cd /etc/ssl cat > my.conf <<- "EOF" [req] default_bits = 2048 prompt = no default_md = sha256 req_extensions = req_ext distinguished_name = dn [ dn ] C=UA ST=Dnepropetrovskaya L=Kamyanske O=DMK OU=OASUP emailAddress=webmaster@localhost CN = www.dmkd.dp.ua [ req_ext ] basicConstraints = CA:FALSE keyUsage = nonRepudiation, digitalSignature, keyEncipherment subjectAltName = @alt_names [ alt_names ] DNS.0 = www.dmkd.dp.ua DNS.1 = dmkd.dp.ua EOF # Create key openssl genrsa -des3 -out server.key.secure 2048 # Disable secret phrase for key openssl rsa -in server.key.secure -out server.insecure.key # Create request certificate file with params from file my.conf openssl req -new -key server.insecure.key -out server.csr -config my.conf # Create certificate with params from file my.conf openssl x509 -req -days 365 -in server.csr -signkey server.insecure.key -out server.crt -extensions req_ext -extfile my.conf # Check request file and certificate for SubjectAltName precense openssl req -text -noout -in server.csr openssl x509 -in server.crt -text -noout