openssl req 中的 CN 中出现奇怪的空字节

openssl req 中的 CN 中出现奇怪的空字节

我需要将 CSR(证书签名请求)发送给 SSL 颁发机构以获取我们的通配符域 SSL 证书。我在 CN(通用名称)字段中看到奇怪的值,例如CN=\x00*\x00.\x00e\x00x\x00a\x00m\x00p\x00l\x00e\x00.\x00c\x00o\x00m。如果我生成非通配符 CSR,则 CN 值将符合预期:CN=www.example.com

\x00为什么通配符域名的 CSR 中的 CN 中有字符?

可以吗?一切(HTTPS)都可以正常工作吗?


我使用的是 Debian 稳定版(Wheezy),openssl 软件包版本是 1.0.1e-2+deb7u11。

$ openssl version
OpenSSL 1.0.1e 11 Feb 2013

这是我生成 CSR 的方式:

$ openssl req -new -newkey rsa:2048 -nodes -keyout wildcard.key -out wildcard.csr
Generating a 2048 bit RSA private key
.....................................+++
.......................................+++
writing new private key to 'wildcard.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CZ
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:*.example.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

这是有关证书的信息:

$ openssl req -text -noout -verify -in wildcard.csr
verify OK
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=CZ, ST=Some-State, O=Internet Widgits Pty Ltd, CN=\x00*\x00.\x00e\x00x\x00a\x00m\x00p\x00l\x00e\x00.\x00c\x00o\x00m
        Subject Public Key Info:
...

答案1

openssl.conf是选项string_mask。当将其设置为时default。那么可以使用BMPString对CN进行编码(如果我没记错的话),这会生成s \x00

如今(openssl.conf 中说“2004 年之后的 PKIX 建议”),该值应设置为utf8onlystring_mask = utf8only。然后 CN 看起来“正常”:

Subject: C=AU, ST=Some-State, O=Internet Widgits Pty Ltd, CN=*.example.com

相关内容