Recovering organization information from an SSL certificate/key

I am administering a RHEL 6.6 server that I inherited from an administrator the company is no longer in contact with. I need to replace the SSL certificate, and for that I need some information about the physical organization:

$ openssl req -new -newkey rsa:2048 -nodes -sha256 -keyout example.com.key -out example.com.csr
Generating a 2048 bit RSA private key
..........+++
.........................................................+++
writing new private key to 'example.com.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:New Jersey
Locality Name (eg, city) []:Salem
Organization Name (eg, company) [Internet Widgits Pty Ltd]:International Widgets
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:example.com
Email Address []:[email protected]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:International Widgets

Given an existing SSL certificate or key, how can I recover the organization information that was used? I'm not sure how important it is that this information matches the previous information, but I'd rather err on the side of caution than regret it later. Unfortunately, since this is an online business, there is no physical address that can simply be used, and the business is shared among four owners, none of whom knows whose information is in the original certificate.

Perhaps it really doesn't matter if I simply answer "foobar" to everything, but I can't assume that.

I tried using the openssl tool to get the information, but didn't get anything of interest:

$ openssl x509 -text -in example.com.crt
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1xxxxxxxxxx1 (0x4xxxxxxxb)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., OU=http://certificates.godaddy.com/repository, CN=Go Daddy Secure Certification Authority/serialNumber=07969287
        Validity
            Not Before: Aug 11 12:16:01 2014 GMT
            Not After : Aug 11 12:16:01 2015 GMT
        Subject: OU=Domain Control Validated, CN=*.example.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    ...
                    7d:05:34:ac:7f:e2:c2:13:d3:56:9e:4e:fb:57:e3:
                    ...
                    16:cb
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 CRL Distribution Points: 

                Full Name:
                  URI:http://crl.godaddy.com/gds1-112.crl

            X509v3 Certificate Policies: 
                Policy: 2.16.840.1.114413.1.7.23.1
                  CPS: http://certificates.godaddy.com/repository/

            Authority Information Access: 
                OCSP - URI:http://ocsp.godaddy.com/
                CA Issuers - URI:http://certificates.godaddy.com/repository/gd_intermediate.crt

            X509v3 Authority Key Identifier: 
                keyid:FD:AC:xx:xx:xx:xx:xx:xx:xx:CC:E7

            X509v3 Subject Alternative Name: 
                DNS:*.example.com, DNS:example.com
            X509v3 Subject Key Identifier: 
                1C:EB:xx:xx:xx:xx:xx:xx:F0:2F
    Signature Algorithm: sha1WithRSAEncryption
         ...
         43:fd:fb:92:8b:ee:82:0e:63:db:4f:dc:66:46:0f:fb:ac:de:
         ...
         d8:a5:89:eb
-----BEGIN CERTIFICATE-----
...
ODcwHhcNMTQwODIxMTAyNjA2WhcNMTUwODIxMTAyNjA2WjA8MSEwHwYDVQQLExhE
xZHYpYnr
-----END CERTIFICATE-----

Answer 1

You should be able to get the correct information with this command (note that you need to use the CSR, not the CRT):

openssl x509 -in example.com.csr -noout -text

At the top of the output you will see the subject information.

Example:

[user@server ssl]# openssl req -in example.com.csr -noout -text
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=US, ST=State, L=City, O=Default Company Ltd, CN=example.com/[email protected]
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)

Answer 2

As mentioned previously, how important the accuracy of the certificate details is varies by vendor. The verification process also depends on the type of certificate you obtain. For example, the approval process for "Extended Validation" certificates is stricter. In any case, I consider it good practice to make the information as accurate as possible.

If you still have the previously signed certificate, you can definitely use the openssl command suggested by @Alex.

Here is a variation of it: openssl x509 -in example.crt -text -noout | grep -i "Subject:"

This should isolate the Subject: details of the certificate and display the attributes. For example, you could get output like this:

 Subject: C=US, ST=California, L=San Francisco, O=Example Company, OU=IT Services, CN=somewebaddress.example.com 
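Both answers come down to reading the subject DN back out of the old certificate or CSR. The shell script below, added here as an example and not part of the original question or answers, wraps that in small functions (one attribute per line, so values containing commas are not split) and then feeds the recovered DN straight into a new CSR through openssl's -subj option, so the new request carries exactly the same organization fields as the old certificate. It assumes an openssl CLI (1.1.1 or 3.x) on PATH; the file names and the DN used for the self-signed test fixture are constructed for the example, not values from the page.

```shell
#!/bin/sh
# Added example, not part of the original post: read the subject DN out of an
# existing certificate or CSR and reuse it verbatim when generating a new CSR.
# Assumes the openssl CLI (1.1.1 or 3.x) is on PATH; file names are placeholders.
set -eu

# Print the subject DN one attribute per line, e.g. "O=International Widgets".
# First argument selects the input type: "cert" (X.509) or "csr" (PKCS#10).
# sep_multiline keeps each RDN on its own line, so commas inside values
# (e.g. "GoDaddy.com, Inc.") do not break the parsing below.
dn_lines() {
    if [ "$1" = csr ]; then cmd=req; else cmd=x509; fi
    openssl "$cmd" -in "$2" -noout -subject -nameopt sep_multiline \
        | sed '1d; s/^[[:space:]]*//'
}

# dn_field cert|csr FILE ATTR -> value of ATTR (C, ST, L, O, OU, CN, ...).
# Prints nothing when the attribute is absent, which is normal for a
# domain-validated certificate that only carries OU and CN.
dn_field() {
    dn_lines "$1" "$2" | sed -n "s/^$3[[:space:]]*=[[:space:]]*//p" | head -n 1
}

# dn_to_subj cert|csr FILE -> "/C=US/ST=New Jersey/..." in openssl -subj syntax.
# Literal slashes inside a value are escaped so -subj does not treat them as separators.
dn_to_subj() {
    dn_lines "$1" "$2" | sed 's|/|\\/|g; s|^|/|' | tr -d '\n'
}

# renew_csr OLD.crt NEW.key NEW.csr: generate a fresh key and a CSR whose
# subject is copied from the old certificate, with no interactive prompts.
renew_csr() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$2" -out "$3" -subj "$(dn_to_subj cert "$1")" 2>/dev/null
}

# Build a constructed fixture (self-signed cert, key and CSR) in a temp dir and print the dir.
# The DN values are made up for this example.
make_fixtures() {
    dir=$(mktemp -d)
    subj='/C=US/ST=New Jersey/L=Salem/O=International Widgets/CN=example.com'
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -keyout "$dir/old.key" -out "$dir/old.crt" -subj "$subj" 2>/dev/null
    openssl req -new -key "$dir/old.key" -out "$dir/old.csr" -subj "$subj" 2>/dev/null
    echo "$dir"
}

# Run with "demo" as the first argument to see the round trip on the fixture.
case "${1:-}" in
    demo)
        dir=$(make_fixtures)
        echo "Old certificate DN:"; dn_lines cert "$dir/old.crt"
        renew_csr "$dir/old.crt" "$dir/new.key" "$dir/new.csr"
        echo "New CSR DN:"; dn_lines csr "$dir/new.csr"
        rm -rf "$dir" ;;
esac
```

On a certificate like the one in the question, whose subject is only OU=Domain Control Validated and CN=*.example.com, dn_field returns empty strings for C, ST, L and O: a domain-validated certificate simply does not carry organization details, so there is nothing to recover from it and the CSR (if it still exists) is the only place those answers were recorded.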
