Which req_extensions should I pass to openssl so that "S/MIME Capabilities" ends up in my CSR?
See the example openssl s_client output below for an already installed certificate.
I know about
the "X509v3 extensions" -> keyUsage= attribute
and
the "X509v3 Extended Key Usage" -> extendedKeyUsage= attribute.
openssl s_client output:
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment
S/MIME Capabilities:
050...{some binary like data}
X509v3 Extended Key Usage:
TLS Web Server Authentication
PS: For MS this looks like the -SmimeCapabilities parameter: https://docs.microsoft.com/en-us/powershell/module/pkiclient/new-selfsignedcertificate?view=win10-ps
Answer 1
Regarding S/MIME Capabilities:
The answer is here: http://openssl.6102.n7.nabble.com/SMIME-Capabilities-encoding-in-openssl-cnf-td24845.html
The path to include SMIME-CAPS is: [ req ] section -> req_extensions = req_ext -> [ req_ext ] section -> SMIME-CAPS = ASN1:SEQUENCE:smime_seq
[ req_ext ]
SMIME-CAPS = ASN1:SEQUENCE:smime_seq
[ smime_seq ]
capabilityID.0 = OID:sha1
capabilityID.1 = OID:sha256
capabilityID.2 = OID:sha1WithRSA
capabilityID.3 = OID:aes-256-ecb
capabilityID.4 = OID:aes-256-cbc
capabilityID.5 = OID:aes-256-ofb
capabilityID.6 = OID:aes-128-ecb
capabilityID.7 = OID:aes-128-cbc
capabilityID.8 = OID:aes-128-ecb
An additional question is:
how to read the SMIME Capabilities from the certificate installed on the server and convert them into OIDs such as aes-128-ecb?
Using 'openssl s_client -connect ..' or anything else.
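The following is an added example, not code from the original question, the answer, or the OpenSSL project, written to address both the encoding produced by the config section above and the follow-up question about reading the extension back. It decodes the DER value of the SMIME Capabilities extension (OID 1.2.840.113549.1.9.15, RFC 8551 section 2.5.2) into dotted OIDs and the short names OpenSSL prints for them, using only the Python standard library. The OID_NAMES table, the two sample extension values, and the function names are constructed for this example. Note the caveat it encodes: RFC 8551 defines the extension as a SEQUENCE OF SEQUENCE { capabilityID OID, parameters OPTIONAL }, whereas an OpenSSL config of the form ASN1:SEQUENCE:section with plain OID: entries (like smime_seq above) emits a bare SEQUENCE OF OID; the parser accepts the RFC form by default and the bare form only when strict=False, so you can tell which one a certificate actually carries.

```python
"""Added example: decode an S/MIME Capabilities extension value (OID
1.2.840.113549.1.9.15, RFC 8551 section 2.5.2) from raw DER into dotted OIDs
and the names OpenSSL prints. Standard-library Python only; both sample
extension values below are constructed here, not taken from a real cert."""

# Constructed lookup table: dotted OID -> the short name OpenSSL uses.
OID_NAMES = {
    "1.3.14.3.2.26": "sha1",
    "2.16.840.1.101.3.4.2.1": "sha256",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "2.16.840.1.101.3.4.1.2": "aes-128-cbc",
    "2.16.840.1.101.3.4.1.42": "aes-256-cbc",
    "1.2.840.113549.3.7": "des-ede3-cbc",
    "1.2.840.113549.3.2": "rc2-cbc",
}


def _read_tlv(buf, pos):
    """Read one DER tag/length/value at buf[pos]; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                       # long-form length
        nbytes = first & 0x7F
        if nbytes == 0 or pos + nbytes > len(buf):
            raise ValueError("bad length encoding")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated TLV value")
    return tag, buf[pos:end], end


def decode_oid(body):
    """Convert OBJECT IDENTIFIER content octets (base-128 arcs) to dotted text."""
    arcs, val, pending = [], 0, False
    for b in body:
        val = (val << 7) | (b & 0x7F)
        pending = bool(b & 0x80)
        if not pending:
            arcs.append(val)
            val = 0
    if pending or not arcs:
        raise ValueError("malformed OBJECT IDENTIFIER")
    first = arcs[0]                        # first arc packs X*40+Y
    x, y = (2, first - 80) if first >= 80 else divmod(first, 40)
    return ".".join(str(a) for a in [x, y, *arcs[2 - 1:]])


def parse_smime_capabilities(ext_value, strict=True):
    """Parse the DER value of the SMIME Capabilities extension.
    RFC 8551: SEQUENCE OF SEQUENCE { capabilityID OID, parameters ANY OPTIONAL }.
    strict=False additionally accepts a bare SEQUENCE OF OID (what an OpenSSL
    ASN1:SEQUENCE:section with OID: entries emits).
    Returns a list of (dotted_oid, name, parameters_der_or_None)."""
    tag, outer, end = _read_tlv(ext_value, 0)
    if tag != 0x30 or end != len(ext_value):
        raise ValueError("expected a single outer SEQUENCE")
    caps, pos = [], 0
    while pos < len(outer):
        tag, item, pos = _read_tlv(outer, pos)
        if tag == 0x30:                    # SMIMECapability ::= SEQUENCE {...}
            t, oid_body, p = _read_tlv(item, 0)
            if t != 0x06:
                raise ValueError("capabilityID must be an OBJECT IDENTIFIER")
            params = item[p:] if p < len(item) else None
        elif tag == 0x06 and not strict:   # bare OID, non-RFC encoding
            oid_body, params = item, None
        else:
            raise ValueError("unexpected tag 0x%02x in SMIMECapabilities" % tag)
        oid = decode_oid(oid_body)
        caps.append((oid, OID_NAMES.get(oid, oid), params))
    return caps


# --- helpers used only to build the constructed sample input ---------------

def _tlv(tag, body):
    """Encode one DER TLV with a short or long-form length."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def encode_oid(dotted):
    """Encode a dotted OID as a DER OBJECT IDENTIFIER TLV."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray()
    for a in [arcs[0] * 40 + arcs[1], *arcs[2:]]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        body.extend(reversed(chunk))
    return _tlv(0x06, bytes(body))


# Constructed sample 1: RFC 8551 form; rc2-cbc carries an INTEGER 128 parameter.
SAMPLE_RFC8551 = _tlv(0x30, b"".join([
    _tlv(0x30, encode_oid("2.16.840.1.101.3.4.1.42")),
    _tlv(0x30, encode_oid("2.16.840.1.101.3.4.1.2")),
    _tlv(0x30, encode_oid("1.2.840.113549.3.7")),
    _tlv(0x30, encode_oid("1.2.840.113549.3.2") + _tlv(0x02, b"\x00\x80")),
]))

# Constructed sample 2: bare SEQUENCE OF OID, the shape the smime_seq config yields.
SAMPLE_BARE_OIDS = _tlv(0x30, encode_oid("1.3.14.3.2.26") + encode_oid("2.16.840.1.101.3.4.2.1"))

if __name__ == "__main__":
    for oid, name, params in parse_smime_capabilities(SAMPLE_RFC8551):
        print(oid, name, params.hex() if params else "")
```

To feed it a real certificate, fetch the chain with openssl s_client -connect host:443 -showcerts </dev/null, save the leaf as PEM, and run openssl asn1parse -in cert.pem to find the OCTET STRING that follows the :SMIME-CAPS object; openssl asn1parse -in cert.pem -strparse OFFSET on that offset dumps the extension value, whose bytes are what parse_smime_capabilities expects.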