我需要将 CSR(证书签名请求)发送给 SSL 颁发机构以获取我们的通配符域 SSL 证书。我在 CN(通用名称)字段中看到奇怪的值,例如CN=\x00*\x00.\x00e\x00x\x00a\x00m\x00p\x00l\x00e\x00.\x00c\x00o\x00m
。如果我生成非通配符 CSR,则 CN 值将符合预期:CN=www.example.com
。
\x00
为什么通配符域名的 CSR 中的 CN 中有字符?
可以吗?一切(HTTPS)都可以正常工作吗?
我使用的是 Debian 稳定版(Wheezy),openssl 软件包版本是 1.0.1e-2+deb7u11。
$ openssl version
OpenSSL 1.0.1e 11 Feb 2013
这是我生成 CSR 的方式:
$ openssl req -new -newkey rsa:2048 -nodes -keyout wildcard.key -out wildcard.csr
Generating a 2048 bit RSA private key
.....................................+++
.......................................+++
writing new private key to 'wildcard.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CZ
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:*.example.com
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
这是有关证书的信息:
$ openssl req -text -noout -verify -in wildcard.csr
verify OK
Certificate Request:
Data:
Version: 0 (0x0)
Subject: C=CZ, ST=Some-State, O=Internet Widgits Pty Ltd, CN=\x00*\x00.\x00e\x00x\x00a\x00m\x00p\x00l\x00e\x00.\x00c\x00o\x00m
Subject Public Key Info:
...
答案1
在openssl.conf
是选项string_mask
。当将其设置为时default
。那么可以使用BMPString对CN进行编码(如果我没记错的话),这会生成s \x00
。
如今(openssl.conf 中说“2004 年之后的 PKIX 建议”),该值应设置为utf8only
:string_mask = utf8only
。然后 CN 看起来“正常”:
Subject: C=AU, ST=Some-State, O=Internet Widgits Pty Ltd, CN=*.example.com