我想使用 openssl 创建 CSR,同时提供国家名称、州或省名称等一些答案但我仍然希望它提示输入通用名称 (FQDN)。到目前为止,我有类似以下内容的内容:
openssl req -new -sha256 -key example.com.key -out example.com.csr -subj "/C=US/ST=Ohio/L=Columbus/O=Widgets Inc/OU=Some Unit"
但是,这不会提示我输入通用名称。正确的做法是什么?
答案1
您可以read在命令行中使用结果变量来执行此openssl操作:
read -p "FQDN? " cn; openssl req -new -newkey rsa:2048 -sha256 -nodes -keyout $cn.key -subj "/CN=$cn\/emailAddress=admin@$cn/C=US/ST=Ohio/L=Columbus/O=Widgets Inc/OU=Some Unit" -out $cn.csr
如果这是您经常做的事情,请将其作为一个函数并将其添加到您的.bashrc文件中,这样您就可以用参数替换提示:
function csr { openssl req -new -newkey rsa:2048 -sha256 -nodes -keyout $1.key -subj "/CN=$cn\/emailAddress=admin@$1/C=US/ST=Ohio/L=Columbus/O=Widgets Inc/OU=Some Unit" -out $1.csr }
然后在你需要的时候调用它:
csr example.com
以下 openssl.conf 文件执行几乎一样的东西:
[req]
default_bits=2048
encrypt_key=no
default_md=sha256
distinguished_name=req_subj
[req_subj]
commonName="Fully Qualified Domain Name (FQDN)"
emailAddress="Administrative Email Address"
countryName="Country Name (2 letter code)"
countryName_default=US
stateOrProvinceName="State Name (full name)"
stateOrProvinceName_default=Ohio
localityName="Locality Name (e.g., city)"
localityName_default=Columbus
organizationName="Organization Name (e.g., company)"
organizationName_default=Widgets Inc
organizationalUnitName="Organizational Unit Name (e.g., section)"
organizationalUnitName_default=Some Unit
然后将您的OPENSSL_CONF环境变量设置为该文件
export $OPENSSL_CONF=~/.dotfiles/openssl.conf
或者通过 CLI 上的开关指定
openssl req -new -config openssl.conf -keyout example.key -out example.csr
我说几乎因为它仍然会提示您输入这些属性,但它们现在是默认属性,因此您只需Return在指定域和电子邮件后将键敲到最后即可。
答案2
我不确定是否有办法仅通过命令行值来实现这一点。我一直使用配置文件来实现这一点。例如,在配置中设置默认值的条目可能如下所示:
policy = policy_anything
# For the 'anything' policy, which defines allowed DN fields
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
commonName = supplied
name = optional
emailAddress = optional
####################################################################
# request handling
[ req ]
default_bits = 2048
default_keyfile = private/key.pem
default_md = default
distinguished_name = standard_dn
####################################################################
# DN (Subject) handling
[ standard_dn ]
countryName = Country Name (2 letter code)
countryName_default = US
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = California
localityName = Locality Name (eg, city)
localityName_default = Beverily Hills
commonName = Common Name (eg, YOUR name)
commonName_default = John Smith
commonName_max = 64
emailAddress = Email Address
emailAddress_default = [email protected]
emailAddress_max = 64
答案3
很多年前,我编写了这个 BASH 脚本,因为我当时创建了很多 CSR。如果仔细观察,你就会发现我如何在 CSR 上将 FQDN(主机名)添加为 CN(通用名称)。此脚本跳过 CSR 部分并使用“req”和“-x509”选项调用 openssl,因此它会生成自签名证书而不是 CSR。但它展示了如何构建一个以 FQDN 结尾的 SN 作为 CN。它是根据 BSD 许可证发布的,因此你可以随意使用它的任何部分。具体来说,如果你想要 CSR,你可以将最后一部分更改为类似以下内容:
# Now create the CSR
if [ 0 = ${#PASSWORD} ]; then
openssl req -new -batch -key $CN.key -subj "$SN" -out $CN.crt
else
openssl req -new -batch -key $CN.key -subj "$SN" -out $CN.crt \
-passin "pass:$PASSWORD"
fi
从:https://gist.github.com/OhMeadhbh/6201808
#!/bin/bash
# Copyright (c) 2003-2013, Meadhbh S. Hamrick. All Rights Reserved.
# Released under a BSD License. See http://opensource.org/licenses/BSD-2-Clause
#
# This script uses openssl to generate a self-signed certificate. Usage is
# like this:
# gssc <host name> [-p password] [-s subject] [-b bitlength]
# The host name parameter is the subject name of the certificate; i.e. - the
# FQDN of the host you're generating a certificate for. This is also the base
# name for the key, certificate signing request and certificate files. If you
# want the key to be protected by a password, use the -p option to specify
# it. The subject name of the requested cert defaults to:
# "C=US, ST=California, L=Felton, CN=<host name>"
# You can select a differetn subject name by using the -s option and providing
# a complete openssl style subject name. For example:
# "/C=IO/ST=Chagos/L=Diego Garcia/CN=foo.bar.mil"
# will specify the expected subject name. Remember to put the slashes
# in front of each clause and to put the Common Name (CN) entry (we don't
# do it for you.) By default, we generate 2048 bit RSA keys. If you want some
# other bit length, use the -b flag.
#
# For example, the following command generates a self signed cert for the
# machine "secure.example.com" with a 1536 bit RSA key and a common name of
# "C=US, ST=Montana, L=Bozeman, CN=secure.example.com":
# gssc secure.example.com -b 1536 -password "badpassword" \
# -s "/C=US/ST=Montana/L=Bozeman/CN=secure.example.com"
#
# This example creates a self signed cert for www.example.org with no password
# on the private key and a subject name of "C=US, ST=California, L=Felton,
# CN=www.example.org":
# fssc www.example.com
#
# Cheers!
# Check to see if we provided a host name
if [ $# -lt 1 ]; then
echo "Usage: $0 <host name> [-b bits] [-p password] [-s subject name]"
exit 1
fi
# Set up defaults
CN=$1
BITS=2048
PASSWORD=""
SN="/C=US/ST=California/L=Felton/CN=$1"
# Now apply the parameters
shift
while getopts "b:p:s:" flag
do
case $flag in
b) BITS=$OPTARG;;
p) PASSWORD=$OPTARG;;
s) SN=$OPTARG;;
esac
done
# First off, generate a RSA key
if [ 0 = ${#PASSWORD} ]; then
openssl genrsa -out $CN.key $BITS
else
if [ 4 -gt ${#PASSWORD} ]; then
echo "Your pass phrase must be four or more characters."
exit 2
else
openssl genrsa -out $CN.key -des3 -passout "pass:$PASSWORD" $BITS
fi
fi
# Now create the certificate
if [ 0 = ${#PASSWORD} ]; then
openssl req -new -batch -x509 -key $CN.key -subj "$SN" -days 365 -out $CN.crt
else
openssl req -new -batch -x509 -key $CN.key -subj "$SN" -days 365 -out $CN.crt \
-passin "pass:$PASSWORD"
fi