How to generate a CSR with S/MIME Capabilities using openssl


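Which req_extensions should I pass to openssl to include "S/MIME Capabilities" in my CSR?

See the sample openssl s_client output of an installed certificate below.

I know about:

"X509v3 Key Usage" - the keyUsage= attribute.

"X509v3 Extended Key Usage" - the extendedKeyUsage= attribute.

openssl s_client output: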

X509v3 extensions:
    X509v3 Key Usage: critical
        Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment

    S/MIME Capabilities: 
        050...{some binary like data}

    X509v3 Extended Key Usage: 
        TLS Web Server Authentication

PS: For MS, this looks like the -SmimeCapabilities attribute: https://docs.microsoft.com/en-us/powershell/module/pkiclient/new-selfsignedcertificate?view=win10-ps

Answer 1

Regarding S/MIME Capabilities:

The answer is here: http://openssl.6102.n7.nabble.com/SMIME-Capabilities-encoding-in-openssl-cnf-td24845.html

The path to include SMIME-CAPS is: [ req ] section -> req_extensions = req_ext -> [ req_ext ] section -> SMIME-CAPS = ASN1:SEQUENCE:smime_seq

[ req_ext ]
SMIME-CAPS         = ASN1:SEQUENCE:smime_seq
[ smime_seq ]
capabilityID.0 = OID:sha1
capabilityID.1 = OID:sha256
capabilityID.2 = OID:sha1WithRSA
capabilityID.3 = OID:aes-256-ecb
capabilityID.4 = OID:aes-256-cbc
capabilityID.5 = OID:aes-256-ofb
capabilityID.6 = OID:aes-128-ecb
capabilityID.7 = OID:aes-128-cbc
capabilityID.8 = OID:aes-128-ecb

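The follow-up question is:

How can I read the S/MIME capabilities from a certificate installed on a server and convert them to OIDs such as aes-128-ecb?

Using 'openssl s_client -connect ..' or anything else.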
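
For the follow-up question, an added example (not part of the original answer and not OpenSSL code) that decodes the DER value of an S/MIME Capabilities extension into OID names. It assumes the raw extension bytes have already been extracted from the certificate; it accepts the RFC 8551 layout (SEQUENCE OF SEQUENCE { capabilityID, parameters }) as well as a flat SEQUENCE of OIDs, which is the shape a section listing only OID: values encodes to. The function names, the name table and the sample bytes are constructed for illustration.

```python
NAMES = {  # added example: OpenSSL names for a few capability OIDs, extend as needed
    "1.3.14.3.2.26": "sha1", "2.16.840.1.101.3.4.1.1": "aes-128-ecb",
    "2.16.840.1.101.3.4.1.42": "aes-256-cbc", "1.2.840.113549.3.2": "rc2-cbc",
}

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad DER length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    """Convert OID content octets to dotted-decimal text."""
    if not body or body[-1] & 0x80:
        raise ValueError("bad OID")
    arcs, value = [], 0
    for b in body:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear marks the last octet of an arc
            arcs, value = arcs + [value], 0
    top = min(arcs[0] // 40, 2)  # the first two arcs are packed into one value
    return ".".join(map(str, [top, arcs[0] - 40 * top] + arcs[1:]))

def smime_capabilities(der):
    """Names from SEQUENCE OF SEQUENCE{OID, params} or from a flat SEQUENCE of OIDs."""
    tag, body, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    out, pos = [], 0
    while pos < len(body):
        tag, item, pos = read_tlv(body, pos)
        if tag == 0x30:  # RFC layout: capabilityID comes first, parameters are skipped
            tag, item, _ = read_tlv(item, 0)
        if tag != 0x06:
            raise ValueError("expected OBJECT IDENTIFIER")
        oid = decode_oid(item)
        out.append(NAMES.get(oid, oid))  # unknown OIDs stay in dotted form
    return out

RFC_FORM = bytes.fromhex("301d300b060960864801650304012a300e06082a864886f70d030202020080")  # constructed: aes-256-cbc, rc2-cbc with INTEGER 128
FLAT_FORM = bytes.fromhex("301206052b0e03021a0609608648016503040101")  # constructed: sha1, aes-128-ecb
```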
