How do I issue an SSL certificate with the SAN extension?

I have a root CA key pair. How do I issue a new SSL certificate with the SAN (Subject Alternative Name) extension? I tried this:

    openssl genrsa -out ssl.key 2048
    openssl req -new -config ssl.conf -key ssl.key -out ssl.csr
    openssl x509 -req -sha256 -days 3650 -CAcreateserial -CAkey root.key -CA root.crt -in ssl.csr -out ssl.crt

In ssl.conf:

    [req]
    prompt = no
    distinguished_name = req_distinguished_name
    x509_extensions = v3_ca

    [req_distinguished_name]
    CN = 127.0.0.1

    [v3_ca]
    subjectAltName = @alt_names

    [alt_names]
    IP.1 = 127.0.0.1
    IP.2 = ::1
    DNS.1 = localhost

But the generated certificate does not contain the SAN.

However, the self-signed certificate generated by the following command does contain the SAN:

    openssl req -new -x509 -sha256 -days 3650 -config ssl.conf -key ssl.key -out ssl.crt

  1. My CSR did not contain the SAN. The extensions should be specified in req_extensions rather than x509_extensions.
  2. There is a bug in the x509 command:

    Extensions in certificates are not transferred to certificate requests and vice versa.

So I solved my problem with the ca command:

  1. Create an empty ca/newcerts folder and an empty ca/index.txt file.
  2. Edit ssl.conf:

     [ca]
     default_ca = CA_default

     [CA_default]
     dir = ./ca
     database = $dir/index.txt
     new_certs_dir = $dir/newcerts
     serial = $dir/serial
     private_key = ./root.key
     certificate = ./root.crt
     default_days = 3650
     default_md = sha256
     policy = policy_anything
     copy_extensions = copyall

     [policy_anything]
     countryName = optional
     stateOrProvinceName = optional
     localityName = optional
     organizationName = optional
     organizationalUnitName = optional
     commonName = supplied
     emailAddress = optional

     [req]
     prompt = no
     distinguished_name = req_distinguished_name
     req_extensions = v3_ca

     [req_distinguished_name]
     CN = 127.0.0.1

     [v3_ca]
     subjectAltName = @alt_names

     [alt_names]
     IP.1 = 127.0.0.1
     IP.2 = ::1
     DNS.1 = localhost
  3. Run the commands:

     openssl genrsa -out ssl.key 2048
     openssl req -new -config ssl.conf -key ssl.key -out ssl.csr
     openssl ca -config ssl.conf -create_serial -batch -in ssl.csr -out ssl.crt
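The ca-based procedure from the answer above, run end to end and followed by a check that the issued certificate really carries the SAN. This is an added example, not code from the original post or from the OpenSSL project. It generates a throwaway root CA in place of the question's existing root.key/root.crt, uses section names of its own (v3_req, v3_leaf, v3_root), and goes beyond the answer in two ways. First, it sets copy_extensions = copy together with a fixed basicConstraints = CA:FALSE in x509_extensions, the arrangement the openssl-ca manual recommends: with copyall every extension in the request is copied into the certificate and replaces any the CA configured, so a CSR carrying basicConstraints CA:TRUE would yield a CA certificate; with copy, only extensions the CA does not already set (here the SAN) are taken from the request. Second, it shows that the x509 -req route from the question also works once the extensions are read from the config with -extfile/-extensions instead of being expected to come from the CSR.

```shell
#!/bin/sh
# Added example (not from the original post): the answer's ca-based procedure,
# run in a throwaway directory with a hardened CA config, then checked.
# Assumptions: a test root CA replaces the question's root.key/root.crt, and
# the section names v3_req, v3_leaf and v3_root are this example's own.
set -eu

# CA + request config. copy_extensions = copy plus a pinned CA:FALSE in
# x509_extensions means only extensions absent from v3_leaf (the SAN) are
# taken from the CSR; a request carrying CA:TRUE cannot become a CA cert.
write_config() {
  cat > ssl.conf <<'EOF'
[ca]
default_ca = CA_default
[CA_default]
dir = ./ca
database = $dir/index.txt
new_certs_dir = $dir/newcerts
serial = $dir/serial
private_key = ./root.key
certificate = ./root.crt
default_days = 3650
default_md = sha256
policy = policy_anything
copy_extensions = copy
x509_extensions = v3_leaf
[policy_anything]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[req]
prompt = no
distinguished_name = req_distinguished_name
req_extensions = v3_req
[req_distinguished_name]
CN = 127.0.0.1
[v3_req]
subjectAltName = @alt_names
[alt_names]
IP.1 = 127.0.0.1
IP.2 = ::1
DNS.1 = localhost
[v3_leaf]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
[v3_root]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
}

# Issue the certificates in a fresh temp directory (subshell body, so the
# caller's working directory is untouched) and print that directory's path.
issue_san_cert() (
  workdir=$(mktemp -d)
  cd "$workdir"
  mkdir -p ca/newcerts
  : > ca/index.txt
  write_config
  # Throwaway root CA standing in for the question's existing root key pair.
  openssl req -new -x509 -sha256 -days 3650 -newkey rsa:2048 -nodes \
    -config ssl.conf -extensions v3_root -subj "/CN=Example Test Root" \
    -keyout root.key -out root.crt >/dev/null 2>&1
  # The answer's three commands: key, CSR carrying the SAN, signing with ca.
  openssl genrsa -out ssl.key 2048 >/dev/null 2>&1
  openssl req -new -config ssl.conf -key ssl.key -out ssl.csr
  openssl ca -config ssl.conf -create_serial -batch -in ssl.csr -out ssl.crt >/dev/null 2>&1
  # Alternative not used in the answer: x509 -req ignores CSR extensions but
  # takes them from -extfile/-extensions, so the same v3_req section works.
  openssl x509 -req -sha256 -days 3650 -CAcreateserial -CAkey root.key -CA root.crt \
    -extfile ssl.conf -extensions v3_req -in ssl.csr -out ssl-x509.crt >/dev/null 2>&1
  printf '%s\n' "$workdir"
)

# True if the decoded certificate lists the DNS and IPv4 entries from alt_names.
has_san() {
  text=$(openssl x509 -in "$1" -noout -text)
  printf '%s\n' "$text" | grep -q 'DNS:localhost' &&
    printf '%s\n' "$text" | grep -q 'IP Address:127.0.0.1'
}

# Post-issuance check for the ca-issued cert: SAN present, not a CA, chains to root.
check_cert() {
  has_san "$1/ssl.crt" &&
    openssl x509 -in "$1/ssl.crt" -noout -text | grep -q 'CA:FALSE' &&
    openssl verify -CAfile "$1/root.crt" "$1/ssl.crt" >/dev/null
}

if [ "${1:-}" = "run" ]; then
  d=$(issue_san_cert)
  check_cert "$d" && has_san "$d/ssl-x509.crt" && echo "OK: SAN certificates in $d"
fi
```

Run it as `sh issue_san.sh run`; the check decodes the certificate with `openssl x509 -noout -text`, greps for the SAN entries and CA:FALSE, and runs `openssl verify` against the test root. When adapting it, drop the throwaway root generation and point private_key/certificate at the real root.key and root.crt; the copy/CA:FALSE pairing is the part worth keeping, since it is what stops a request from deciding the certificate's own constraints.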