I need to renew an SSL certificate for the first time. I don't have the original CSR, but I do have certificate.crt / private.key. The system tells me I need to specify the same data in the CSR for it to be accepted. While doing this, it would be nice to generate a new private_new.key as well.

How do I generate a new csr.csr / private_new.key with the OpenSSL command-line utility?

The server in question is a webserver/apache2 hosted on a VPS.
Answer 1

To generate a new key and CSR:

openssl req -out 'apache.csr' -new -sha512 -newkey rsa:2048 -keyout 'apache.key.pem' -nodes

- The above assumes you have a valid openssl.cnf, but if you don't, use this and modify the V3 and SAN profiles below (for simplicity, keep the sophos names):

#-----------------------------------------------------------
##----- SAN Profile -----##
#-----------------------------------------------------------
# Lines 189 - 193
# IP.1:  If it has a static IP, set it here, else change to 127.0.0.1
#        and delete IP.2
# IP.2:  If it has more than one static IP, set it in IP.2, etc;
#        If the webserver can be accessed via SSH, 127.0.0.1 must
#        remain but can be in IP.3, IP.4, etc. if other IPs exist
# DNS.1: If it has an FQDN, set it
# DNS.2: If it has more than one FQDN, and/or a local domain name,
#        set it in DNS.2, etc., else remove DNS.2
# If your cert requires OIDs to be specified, you'd specify each
# in the same fashion as below, adding a line below DNS.2 for
# either RID.1 or otherName.1 (see lines 159 - 161)
[ alt_sophos ]
IP.1 = 192.168.2.1
IP.2 = 127.0.0.1
DNS.1 = your.fqdn.com
DNS.2 = UTM.WRT

#-----------------------------------------------------------
##----- V3 Profile -----##
#-----------------------------------------------------------
# Lines 331 - 337
# DO NOT change anything unless you know with 100% certainty one
# of these parameters needs to be changed
[ v3_sophos ]
basicConstraints = critical, CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always, issuer:always
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment, keyAgreement
extendedKeyUsage = critical, serverAuth
subjectAltName = @alt_sophos

- Create the required files and directories in the directory you will be working in. Normally openssl.cnf lives at /etc/openssl/openssl.cnf, but depending on whether you have permission to write to that directory, you can put it at ~/openssl.cnf:

# openssl can error out if these don't exist since they're in the openssl.cnf
# Create openssl.cnf required directories:
mkdir -p ~/ssltemp/ca ; cd ~/ssltemp ; mkdir cert ; mkdir crl
# Create openssl.cnf required files:
echo 01 > crl/crlnumber ; echo 00 > serial ; echo > index ; echo > rand
# Copy openssl.cnf from ~
cp ~/openssl.cnf .

- Create the private key and CSR:

# This should be done on the server, as the key is not encrypted:
openssl req -out 'apache.csr' -new -sha512 -newkey rsa:2048 -keyout 'apache.key.pem' -config './openssl.cnf' -extensions v3_sophos -nodes

When requesting the certificate, do not enter the HN, FQDN or IP as the commonName, because according to the RFC none of these belong in the CN; name the certificate instead.

- Clean up:

rm -rf ~/ssltemp
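An added worked example, not part of the question or of Answer 1: the asker's situation is a lost CSR but a surviving certificate.crt, and the requirement that the new CSR carry the same data. The script below reads the subject and subjectAltName out of the old certificate, generates a fresh private_new.key and csr.csr with exactly those values, and then checks what the CA will check: that the CSR verifies and that its public key is the public half of the new key (and not of the old one). It assumes OpenSSL 1.1.1 or newer (for `-addext` and `x509 -ext`) and DN values without `/` or `,` that would need escaping. The "old" certificate is constructed inline as a stand-in for the asker's file; the file names are the ones from the question.

```shell
#!/bin/sh
# Added example (not part of the question or the answer above): renew when the
# original CSR is gone but certificate.crt is still at hand. The subject and
# subjectAltName are read out of the old certificate and reused for a brand-new
# private_new.key / csr.csr, and the CSR is then checked against the new key.
# Assumes OpenSSL 1.1.1 or newer (needed for `-addext` and `x509 -ext`), and
# that DN values contain no '/' or ',' that would need escaping.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Constructed stand-in for the existing certificate.crt / private.key pair.
# In real use skip this and point the functions below at your own files.
make_old_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -keyout "$WORK/private.key" -out "$WORK/certificate.crt" \
        -subj "/C=US/ST=Example/O=Example Corp/CN=www.example.test" \
        -addext "subjectAltName=DNS:www.example.test,DNS:example.test" \
        >/dev/null 2>&1
}

# Subject of a certificate in the slash form that `openssl req -subj` accepts,
# e.g. /C=US/ST=Example/O=Example Corp/CN=www.example.test
cert_subject() {
    openssl x509 -in "$1" -noout -subject -nameopt compat | sed 's/^subject= *//'
}

# subjectAltName of a certificate as "DNS:a,DNS:b" (the `-addext` syntax);
# empty if the certificate carries no SAN extension.
cert_san() {
    openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null \
        | tail -n +2 | tr -d ' \n'
}

# Generate private_new.key and csr.csr carrying the old certificate's
# subject and SANs. The old private.key is never touched.
make_new_csr() {
    subj="$(cert_subject "$WORK/certificate.crt")"
    san="$(cert_san "$WORK/certificate.crt")"
    set -- -subj "$subj"
    if [ -n "$san" ]; then
        set -- "$@" -addext "subjectAltName=$san"
    fi
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$WORK/private_new.key" -out "$WORK/csr.csr" "$@" \
        >/dev/null 2>&1
}

# Subject of a CSR, same form as cert_subject.
csr_subject() {
    openssl req -in "$1" -noout -subject -nameopt compat | sed 's/^subject= *//'
}

# SAN requested in a CSR, same form as cert_san.
csr_san() {
    openssl req -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n 1 | tr -d ' '
}

# A CSR is only useful if it carries the public half of the key you will
# install on the server: compare the SubjectPublicKeyInfo of both.
csr_matches_key() {
    csr_pub="$(openssl req -in "$1" -noout -pubkey 2>/dev/null)" || return 1
    key_pub="$(openssl pkey -in "$2" -pubout 2>/dev/null)" || return 1
    [ "$csr_pub" = "$key_pub" ]
}

# Self-signature check on the CSR (the first thing a CA does on receipt).
csr_verifies() {
    openssl req -in "$1" -noout -verify >/dev/null 2>&1
}

main() {
    make_old_cert
    make_new_csr
    echo "old subject : $(cert_subject "$WORK/certificate.crt")"
    echo "csr subject : $(csr_subject "$WORK/csr.csr")"
    echo "csr SAN     : $(csr_san "$WORK/csr.csr")"
    csr_verifies "$WORK/csr.csr" && echo "csr.csr: signature OK"
    csr_matches_key "$WORK/csr.csr" "$WORK/private_new.key" \
        && echo "csr.csr matches private_new.key"
    csr_matches_key "$WORK/csr.csr" "$WORK/private.key" \
        || echo "csr.csr does not match the old private.key (as intended)"
}

main
```

On a real server, drop make_old_cert and run the remaining functions against the existing certificate.crt; the key/CSR match check is the one worth keeping in any renewal procedure, since a CSR generated against the wrong key file produces a certificate Apache cannot use with the key it has. As Answer 1 notes, the key is written unencrypted (`-nodes`), so generate it on the server rather than copying it there afterwards.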