我正在pipe理一个RHEL 6.6服务器,我从pipe理员那里inheritance了公司不再有联系。 我需要replaceSSL证书,为此需要一些关于物理组织的信息:
$ openssl req -new -newkey rsa:2048 -nodes -sha256 -keyout example.com.key -out example.com.csr Generating a 2048 bit RSA private key ..........+++ .........................................................+++ writing new private key to 'example.com.key' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [AU]:US State or Province Name (full name) [Some-State]:New Jersey Locality Name (eg, city) []:Salem Organization Name (eg, company) [Internet Widgits Pty Ltd]:International Widgets Organizational Unit Name (eg, section) []: Common Name (eg server FQDN or YOUR name) []:example.com Email Address []:[email protected] Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []:International Widgets 鉴于现有的SSL证书或密钥,我怎样才能恢复使用的组织信息? 我不确定这个信息与之前的情况相比有多重要,但是我宁愿安全,也不要抱歉。 不幸的是,这是一个在线业务,没有一个单一的物理地址只是简单的使用,业务分为四个业主,谁都不知道谁是原始证书的信息。
如果我简单地回答一切“foobar”,可能真的没关系,但我不能这样认为。
我尝试使用openssl工具来获取信息,但没有兴趣:
$ openssl x509 -text -in example.com.crt Certificate: Data: Version: 3 (0x2) Serial Number: 1xxxxxxxxxx1 (0x4xxxxxxxb) Signature Algorithm: sha1WithRSAEncryption Issuer: C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., OU=http://certificates.godaddy.com/repository, CN=Go Daddy Secure Certification Authority/serialNumber=07969287 Validity Not Before: Aug 11 12:16:01 2014 GMT Not After : Aug 11 12:16:01 2015 GMT Subject: OU=Domain Control Validated, CN=*.example.com Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit) Modulus: ... 7d:05:34:ac:7f:e2:c2:13:d3:56:9e:4e:fb:57:e3: ... 16:cb Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Basic Constraints: critical CA:FALSE X509v3 Extended Key Usage: TLS Web Server Authentication, TLS Web Client Authentication X509v3 Key Usage: critical Digital Signature, Key Encipherment X509v3 CRL Distribution Points: Full Name: URI:http://crl.godaddy.com/gds1-112.crl X509v3 Certificate Policies: Policy: 2.16.840.1.114413.1.7.23.1 CPS: http://certificates.godaddy.com/repository/ Authority Information Access: OCSP - URI:http://ocsp.godaddy.com/ CA Issuers - URI:http://certificates.godaddy.com/repository/gd_intermediate.crt X509v3 Authority Key Identifier: keyid:FD:AC:xx:xx:xx:xx:xx:xx:xx:CC:E7 X509v3 Subject Alternative Name: DNS:*.example.com, DNS:example.com X509v3 Subject Key Identifier: 1C:EB:xx:xx:xx:xx:xx:xx:F0:2F Signature Algorithm: sha1WithRSAEncryption ... 43:fd:fb:92:8b:ee:82:0e:63:db:4f:dc:66:46:0f:fb:ac:de: ... d8:a5:89:eb -----BEGIN CERTIFICATE----- ... ODcwHhcNMTQwODIxMTAyNjA2WhcNMTUwODIxMTAyNjA2WjA8MSEwHwYDVQQLExhE xZHYpYnr -----END CERTIFICATE-----
你应该能够通过使用这个命令得到正确的信息:(注意,你将要使用CSR,而不是CRT)
openssl x509 -in example.com.csr -noout -text
在输出的顶部,您将看到“主题”信息。
例:
[user@server ssl]# openssl req -in example.com.csr -noout -text Certificate Request: Data: Version: 0 (0x0) Subject: C=US, ST=State, L=City, O=Default Company Ltd, CN=example.com/[email protected] Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit)
如前所述,证书细节准确性的重要性往往因供应商而异。 validation过程还取决于您获得的证书的types 。 例如,“扩展validation”证书具有更严格的审批stream程。 无论如何,我认为尽可能使信息尽可能准确是一种好的做法。
如果您仍然拥有以前签署的证书,则可以绝对使用build议的openssl命令@Alex。
下面是它的一个变种: openssl x509 -in example.crt -text -noout | grep -i "Subject:" openssl x509 -in example.crt -text -noout | grep -i "Subject:"
这应该隔离Subject:证书的细节,并显示属性。 例如,你可以得到如下输出:
Subject: C=US, ST=California, L=San Francisco, O=Example Company, OU=IT Services, CN=somewebaddress.example.com