有了现有的 crt/private 密钥对,我如何生成新的私钥和新的 CSR 来更新 SSL 证书?

有了现有的 crt/private 密钥对,我如何生成新的私钥和新的 CSR 来更新 SSL 证书?

我需要首次更新 SSL 证书。我没有原始 CSR,但我有certificate.crt/对。系统告诉我,我需要在 CSR 中指定相同的数据才能被接受。在此过程中private.key生成新的证书会很好。private_new.key

如何使用 OpenSSL 命令行实用程序生成新的csr.csr/对?private_new.key

有问题的服务器是托管在 VPS 上的 webserver/apache2

答案1

要生成新密钥和 CSR:

openssl req -out 'apache.csr' -new -sha512 -newkey rsa:2048 -keyout 'apache.key.pem' -nodes
  1. 以上假设您有一个有效的openssl.cnf,但如果没有,请使用并修改下面的 V3 和 SAN 配置文件(为了简单起见,保留sophos原名)
    #-----------------------------------------------------------
                     ##----- SAN Profile -----##
    #-----------------------------------------------------------
    
      # Lines 189 - 193
    
        # IP.1:  If it has a static IP, set it here, else change to 127.0.0.1
                 # and delete IP.2
    
        # IP.2:  If it has more than one static IP, set it in IP.2, etc;
                 # If the webserver can be accessed via SSH, 127.0.0.1 must
                 # remain but can be in IP.3, IP.4, etc. if other IPs exist
    
        # DNS.1: If it has an FQDN, set it
        # DNS.2: If it has more than one FQDN, and/or a local domain name,
                 # set it in DNS.2, etc., else remove DNS.2
    
        # If your cert requires OIDs to be specified, you'd specify each
          # in the same fashion as below, adding a line below DNS.2 for
          # either RID.1 or otherName.1 (see lines 159 - 161)
    
    [ alt_sophos ]
    IP.1                    = 192.168.2.1
    IP.2                    = 127.0.0.1
    DNS.1                   = your.fqdn.com
    DNS.2                   = UTM.WRT
    
    #-----------------------------------------------------------
                      ##----- V3 Profile -----##
    #-----------------------------------------------------------
    
      # Lines 331 - 337
        # DO NOT change anything unless you know with 100% certainty one
        # of these parameters needs to be changed
    
    [ v3_sophos ]
    basicConstraints        = critical, CA:FALSE
    subjectKeyIdentifier    = hash
    authorityKeyIdentifier  = keyid:always, issuer:always
    keyUsage                = critical, nonRepudiation, digitalSignature, keyEncipherment, keyAgreement
    extendedKeyUsage        = critical, serverAuth
    subjectAltName          = @alt_sophos
    
  2. 在您将要工作的目录中创建所需的文件和目录:
    # openssl can error out if these don't exist since they're in the openssl.cnf
    
      # Create openssl.cnf required directories:
        mkdir -p ~/ssltemp/ca ; cd ssltemp ; mkdir cert ; mkdir crl
    
      # Create openssl.cnf required files:
        echo 01 > crl\crlnumber ; echo 00 > serial ; echo > index ; echo > rand
    
      # Copy openssl.cnf from ~
        cp ~/openssl.cnf .
    
    通常openssl.cnf位于/etc/openssl/openssl.cnf,但取决于您是否有权写入该目录,您可以将其放在~/openssl.cnf
  3. 创建私钥和 CSR:
    # This should be done on the server, as the key is not encrypted:
      openssl req -out 'apache.csr' -new -sha512 -newkey rsa:2048 -keyout 'apache.key.pem' -config './openssl.cnf' -extensions v3_sophos -nodes
    
    在请求证书时,不要输入证书的 HN、FQDN 或 IP commonName,因为根据 RFC,这些都不属于 CN;而是命名证书
  4. 清理:
    rm -rf ~/ssltemp
    

相关内容