我正在尝试在 Amazon Linux AMI 2017.03.0 映像上创建 csr。我运行以下命令来生成 test.key
[root]# openssl genrsa -out test.key 2048
Generating RSA private key, 2048 bit long modulus
............+++
.........................+++
e is 65537 (0x10001)
[root]#
然后我运行以下命令:
[root]# openssl req -new -sha256 -key test.key -out test.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
No template, please set one up.
problems making Certificate Request
[root]#
“无模板,请设置一个”似乎与 openssl.conf 文件相关
我的openssl配置如下:
[root]# pwd
/etc/ssl
[root]# ls -al
total 12
drwxr-xr-x 2 root root 4096 Apr 3 22:53 .
drwxr-xr-x 82 root root 4096 Apr 21 10:54 ..
lrwxrwxrwx 1 root root 16 Jan 20 23:25 certs -> ../pki/tls/certs
-rw-r--r-- 1 root root 138 Apr 3 22:53 openssl.cnf
[root]# cat openssl.cnf
[ ssl_client ]
basicConstraints = CA:FALSE
nsCertType = client
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
[root]# rpm -q -a |grep openssl
openssl-1.0.1k-15.99.amzn1.x86_64
[root]#
关于创建 openssl 模板的信息似乎并不多,任何人都可以帮助我或给我示例或教程的链接。
答案1
制作 csr 时,ssl_client 节中的内容将不适用。这些实际上是 x509v3 扩展属性,通常由 CA 在签署 CSR 时添加到证书中,并由节名称引用:
openssl x509 ... -extensions ssl_client
如果您需要填写主题字段,则必须使用类似以下内容的内容:
openssl req -new -sha256 -key test.key -out test.csr -subj "/C=SM/ST=somecountry/L=someloc/O=someorg/OU=somedept/CN=example.com"
还有一些方法可以通过req和req_distinguished_name节指定默认值。通过在 中指定req,您可以配置该openssl req ...命令的默认值。通过指定,req_distinguished_name您可以对主题 DN 组件设置限制,还可以为您通常调用的交互式 CSR 创建设置默认值openssl req -new ...等。
默认值可以设置如下:
[ req_distinguished_name ]
countryName_default = SM
stateOrProvinceName_default = somecountry
localityName_default = someloc
...
当我想使用命令行 openssl 执行某些操作时,我通常会参考两个很棒的页面:
https://jamielinux.com/docs/openssl-certificate-authority/appendix/root-configuration-file.html