创建有效期超过一年的 OpenVPN 证书

创建有效期超过一年的 OpenVPN 证书

该命令不断生成有效期仅 365 天的证书,无论我将值更改为 100 还是 3650,结果都是相同的。 1年。如何生成有效期为10年的证书?

# openssl req -new -keyout newkey.pem -out newreq.pem -days 3650
Generating a 2048 bit RSA private key
...........................................................+++
.........................+++
writing new private key to 'newkey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:AU
State or Province Name (full name) [Some-State]:State
Locality Name (eg, city) []:City
Organization Name (eg, company) [Internet Widgits PTY Ltd]:company
Organizational Unit Name (eg, section) []:section
Common Name (eg, server FQDN or YOUR name) []:server
Email Address []:[email protected]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
# ./CA.sh -sign
Using configuration from /usr/lib/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            cb:32:13:1d:e2:40:2f:e4
        Validity
            Not Before: May 11 17:58:32 2021 GMT
            Not After : May 11 17:58:32 2022 GMT
        Subject:
            countryName               = AU
            stateOrProvinceName       = State
            localityName              = City
            organizationName          = company
            organizationalUnitName    = section
            commonName                = server
            emailAddress              = [email protected]
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                E7:8A:D9:91:7C:81:BF:C0:CE:D9:43:D7:C8:D8:03:1C:60:85:D0:35
            X509v3 Authority Key Identifier:
                keyid:CF:76:53:4A:FB:01:EC:DE:CE:40:C1:F2:F0:F6:6E:12:57:24:8F:45

Certificate is to be certified until May 11 17:58:32 2022 GMT (365 days)
Sign the certificate? [y/n]:

答案1

由于某些奇怪的原因,您必须更改 in default_daysopenssl.cnf否则它将覆盖-days命令行选项。

即编辑openssl.conf,使其具有:

default_days = 3650

从直觉上看,这显然是错误的,并且与软件默认值和命令行选项应如何交互的合理预期相反(确实如此),但这就是它的工作方式。

相关内容