我一直在尝试生成包含 san 类型的 CSR其他名字。
生成的CSR似乎没有SAN字段。
这是配置文件:
distinguished_name = req_distinguished_name
[req_distinguished_name]
countryName = Country Name (2 letter code)
stateOrProvinceName = State or Province Name (full name)
localityName = Locality Name (eg, city)
organizationName = Organization Name (eg, company)
commonName = Common Name (e.g. server FQDN or YOUR name)
[v3_req_client]
extendedKeyUsage = clientAuth
subjectAltName = @alt_names
[alt_names]
otherName = 1.3.6.1.4.1.311.20.2.3;UTF8:user@localhost
我生成如下 CSR:
openssl req -out user.csr -newkey rsa:2048 -nodes -keyout private.key -config openssl.conf
但生成的 CSR 没有 subjectaltNames 字段:
ertificate Request:
Data:
Version: 1 (0x0)
Subject: C = co, CN = user
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
00:df:19:be:1d:55:7d:f9:3a:29:e8:11:f6:ce:50:
76:61:6b:5b:36:10:a7:b0:ac:99:83:0f:0f:a4:c6:
1d:d7:c2:33:96:16:7b:5e:52:65:25:9f:e7:00:79:
7d:b6:92:73:bb:5a:37:6d:ee:1f:18:09:71:bb:46:
7c:65:95:1b:03:83:cf:ef:a8:79:0c:d0:bd:99:a5:
34:5d:97:c3:29:d3:b6:59:4b:90:8c:57:65:aa:7d:
9a:c3:7d:22:50:36:b0:e7:ba:c5:59:b0:f8:f0:90:
26:4e:09:5b:5c:75:f2:1d:db:f4:aa:47:c0:65:b1:
79:b6:10:7e:df:88:1f:9b:25:e4:20:69:09:36:8f:
0e:ca:7c:2f:35:e2:7a:1e:c1:87:0f:20:0c:de:9e:
94:17:8d:d3:4a:73:53:6d:88:d1:8b:e6:00:ca:e2:
0c:99:ff:0b:6b:cb:5a:2d:e0:d0:27:5c:c0:66:ae:
ce:b0:11:4a:9a:2c:30:f7:e2:bc:b0:2e:ac:eb:69:
dd:db:9d:b5:84:85:24:80:d8:64:b5:c0:bc:d5:de:
16:b7:0f:82:9c:8a:5b:9a:c8:21:40:20:42:cd:0b:
64:55:55:76:56:11:af:b5:0b:3d:dc:81:28:61:d2:
ff:c9:fd:43:2b:e3:1e:2e:c8:66:7b:21:14:4d:8d:
45:c7
Exponent: 65537 (0x10001)
Attributes:
a0:00
Signature Algorithm: sha256WithRSAEncryption
23:b2:58:69:c3:93:b9:f4:45:2e:45:fa:af:e8:69:09:8d:3f:
65:cb:6e:aa:3a:95:04:6a:21:81:02:c2:2f:fc:f4:98:cf:71:
5a:4f:36:8e:e7:f5:09:a2:d3:8f:3d:49:55:6b:93:ed:bb:7e:
78:c2:43:26:c1:6d:bf:9d:3c:29:3a:29:67:90:04:5a:fd:4f:
9c:9d:7f:bb:98:67:ce:ab:66:be:0e:d5:af:4a:e5:fb:3b:72:
c4:9c:cd:d7:f4:1c:81:2e:32:c5:8a:c5:d7:d7:9f:bc:1d:c9:
51:94:0e:30:70:92:e1:ac:d4:d7:93:d8:9a:b8:5e:83:fc:cb:
ab:6c:d4:f1:7f:70:96:f6:61:b8:48:14:d9:dc:1e:02:d3:ae:
e5:90:1c:46:67:f3:99:2e:6e:4b:52:8e:71:0d:d2:31:2e:e6:
0b:f9:88:b2:b8:a9:63:7a:5b:60:08:a4:ce:b8:5e:08:a7:cb:
58:29:28:e4:30:85:2e:63:ae:bf:2b:51:ec:cc:29:96:16:72:
20:80:d7:df:63:05:e8:f4:eb:59:d9:98:a2:f5:81:9f:7f:48:
28:96:3f:bd:0f:e4:93:1a:d1:8d:53:d2:12:67:aa:52:3b:fe:
f0:cf:c0:e5:7f:e4:96:16:c7:44:3f:5e:60:7a:f9:87:a8:e0:
53:af:35:cd
但如果生成这样的证书:
openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -out test.pem -outform PEM -keyout test_key.pem -subj "/CN=user" -extensions v3_req_client -config openssl.conf -verbose
生成的证书具有以下主题备用名称:... X509v3 扩展:X509v3 扩展密钥用法:TLS Web 客户端身份验证 X509v3 主题备用名称:othername:
但是我如何才能通过 SAN 获取 CSR?我的 csr 请求命令中缺少什么?
我正在运行 CentOS Linux 版本 8.0.1905(核心),带有 openssl 版本 1.1.1 FIPS
请注意,我不认为这是重复的:openssl 生成的证书缺少 X509 扩展 因为 SAN 甚至不在 CSR 中
答案1
[v3_req_client]
extendedKeyUsage = clientAuth
subjectAltName = @alt_names
此部分未在任何地方引用。它也不会被神奇地使用。您必须明确提供它应该用于什么,就像您对 所做的[req_distinguished_name]
一样distinguished_name = req_distinguished_name
:
req_extensions = v3_req_client