有了现有的 crt/private 密钥对,我如何生成新的私钥和新的 CSR 来更新 SSL 证书?

tag-icon tag-icon openssl ssl-certificate
有了现有的 crt/private 密钥对,我如何生成新的私钥和新的 CSR 来更新 SSL 证书?

我需要首次更新 SSL 证书。我没有原始 CSR,但我有certificate.crt/对。系统告诉我,我需要在 CSR 中指定相同的数据才能被接受。在此过程中private.key生成新的证书会很好。private_new.key

如何使用 OpenSSL 命令行实用程序生成新的csr.csr/对?private_new.key

有问题的服务器是托管在 VPS 上的 webserver/apache2

答案1

要生成新密钥和 CSR:

openssl req -out 'apache.csr' -new -sha512 -newkey rsa:2048 -keyout 'apache.key.pem' -nodes
  1. 以上假设您有一个有效的openssl.cnf,但如果没有,请使用并修改下面的 V3 和 SAN 配置文件(为了简单起见,保留sophos原名)
    #-----------------------------------------------------------
                 ##----- SAN Profile -----##
#-----------------------------------------------------------

  # Lines 189 - 193

    # IP.1:  If it has a static IP, set it here, else change to 127.0.0.1
             # and delete IP.2

    # IP.2:  If it has more than one static IP, set it in IP.2, etc;
             # If the webserver can be accessed via SSH, 127.0.0.1 must
             # remain but can be in IP.3, IP.4, etc. if other IPs exist

    # DNS.1: If it has an FQDN, set it
    # DNS.2: If it has more than one FQDN, and/or a local domain name,
             # set it in DNS.2, etc., else remove DNS.2

    # If your cert requires OIDs to be specified, you'd specify each
      # in the same fashion as below, adding a line below DNS.2 for
      # either RID.1 or otherName.1 (see lines 159 - 161)

[ alt_sophos ]
IP.1                    = 192.168.2.1
IP.2                    = 127.0.0.1
DNS.1                   = your.fqdn.com
DNS.2                   = UTM.WRT

    #-----------------------------------------------------------
                  ##----- V3 Profile -----##
#-----------------------------------------------------------

  # Lines 331 - 337
    # DO NOT change anything unless you know with 100% certainty one
    # of these parameters needs to be changed

[ v3_sophos ]
basicConstraints        = critical, CA:FALSE
subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid:always, issuer:always
keyUsage                = critical, nonRepudiation, digitalSignature, keyEncipherment, keyAgreement
extendedKeyUsage        = critical, serverAuth
subjectAltName          = @alt_sophos
  2. 在您将要工作的目录中创建所需的文件和目录: 
    # openssl can error out if these don't exist since they're in the openssl.cnf

  # Create openssl.cnf required directories:
    mkdir -p ~/ssltemp/ca ; cd ssltemp ; mkdir cert ; mkdir crl

  # Create openssl.cnf required files:
    echo 01 > crl\crlnumber ; echo 00 > serial ; echo > index ; echo > rand

  # Copy openssl.cnf from ~
    cp ~/openssl.cnf .
    通常openssl.cnf位于/etc/openssl/openssl.cnf,但取决于您是否有权写入该目录,您可以将其放在~/openssl.cnf
  3. 创建私钥和 CSR: 
    # This should be done on the server, as the key is not encrypted:
  openssl req -out 'apache.csr' -new -sha512 -newkey rsa:2048 -keyout 'apache.key.pem' -config './openssl.cnf' -extensions v3_sophos -nodes
    在请求证书时,不要输入证书的 HN、FQDN 或 IP commonName,因为根据 RFC,这些都不属于 CN;而是命名证书
  4. 清理: 
    rm -rf ~/ssltemp

相关内容