I'm trying to create a self-signed certificate with a SAN using OpenSSL on Ubuntu 14.10. I get as far as successfully generating a CSR that contains the appropriate extension.
When I generate the certificate from the CSR, the SAN information does not carry through.
openssl.cnf
[ ca ]
default_ca = CA_default

[ CA_default ]
dir = ./demoCA # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
new_certs_dir = $dir/newcerts # default place for new certs.
certificate = $dir/cacert.pem # The CA certificate
serial = $dir/serial # The current serial number
crlnumber = $dir/crlnumber # the current crl number must be commented out to leave a V1 CRL
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/cakey.pem # The private key
RANDFILE = $dir/private/.rand # private random number file
x509_extensions = v3_req # The extensions to add to the cert
name_opt = ca_default # Subject Name options
cert_opt = ca_default # Certificate field options
copy_extensions = copy
default_days = 365 # how long to certify for
default_crl_days= 30 # how long before next CRL
default_md = default # use public key default MD
preserve = no # keep passed DN ordering
policy = policy_match

[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[ req ] # section header restored; the settings below are req(1) settings and the CSR did pick up req_extensions
default_bits = 2048
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = usr_cert # The extensions to add to the self signed cert
string_mask = utf8only
req_extensions = v3_req # The extensions to add to a certificate request

[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = US
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = VA
localityName = Locality Name (eg, city)
localityName_default = Ashburn
organizationalUnitName = Organizational Unit Name (eg, section)
commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_max = 64
emailAddress = Email Address
emailAddress_max = 64
emailAddress_default = [email protected]

[ req_attributes ]
challengePassword = A challenge password
challengePassword_min = 4
challengePassword_max = 20
unstructuredName = An optional company name

[ usr_cert ]
basicConstraints=CA:FALSE
nsComment = "OpenSSL Generated Certificate"
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
subjectAltName=@alt_names

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names

[ v3_ca ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer
basicConstraints = CA:true

[ crl_ext ]
authorityKeyIdentifier=keyid:always

[alt_names]
IP.1 = 192.168.1.169
Generate the key:
openssl genrsa -out test.key 2048
Generate the CSR:
openssl req -new -key test.key -out test.csr
Verify the CSR:
openssl req -text -noout -in test.csr | grep "IP Address"
IP Address:192.168.1.169
Generate the certificate:
openssl x509 -req -in test.csr -signkey test.key -out test.pem
Verify the certificate (nothing is printed, the SAN is missing):
openssl x509 -text -noout -in test.pem | grep "IP Address"
Answer 1
From the openssl x509 documentation, when using openssl x509 -req:
-extfile filename
file containing certificate extensions to use. If not specified then no extensions are added to the certificate.
-extensions section
the section to add certificate extensions from. If this option is not specified then the extensions should either be contained in the unnamed (default) section or the default section should contain a variable called "extensions" which contains the section to use. See the x509v3_config manual page for details of the extension section format.
Since your openssl x509 -req command does not use the -extfile or -extensions options, and your openssl.cnf has a default/unnamed section with no "extensions" variable, the self-signed certificate you generate will have no extensions.
Given that, you could try:
$ openssl x509 -req -in test.csr -signkey test.key -out test.pem -extensions v3_ca
Note that you only want to do the above after you have edited your openssl.cnf so that the v3_ca section looks like this:
[ v3_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = CA:TRUE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
I.e. you have also added the subjectAltName variable to that section, just as in the v3_req section. If you haven't, your self-signed certificate will have extensions, but not the SAN you want. (I also copied the keyUsage extension over from v3_req, assuming you want it in the issued certificate too.) You might be tempted to reuse the v3_req section rather than updating v3_ca - but you don't want to do that. Why? Because v3_req says the certificate is not a CA:
[ v3_req ]
basicConstraints = CA:FALSE
...
Since you are generating a self-signed certificate, that is presumably not what you want either.
Hope this helps!
Answer 2
Create a self-signed certificate with a subjectAltName
openssl req \
-x509 \
-newkey rsa:4096 \
-sha256 \
-days 3560 \
-nodes \
-keyout certs/domain.key \
-out certs/domain.crt \
-subj '/CN=myregistrydomain.com' \
-extensions san \
-config <( \
echo '[req]'; \
echo 'distinguished_name=req'; \
echo '[san]'; \
echo 'subjectAltName=IP:127.0.0.1')
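The script below is an added example, not code from the question or from either answer, that walks both routes end to end and checks the result. Two practitioner notes motivate it: `openssl x509 -req` only reads an extension section when `-extfile` names the file to read it from (so `-extensions v3_ca` on its own, as in Answer 1's command, is ignored, and the extension file must be passed explicitly); and a self-signed server certificate has no reason to assert CA:TRUE, so the example signs with a leaf section (CA:FALSE) rather than v3_ca. The CN, the hostname, the IP address and the paths are constructed sample values; `route_csr ... drop` reproduces the question's symptom, and the helpers assume only the openssl CLI (1.0.x through 3.x).

```shell
# Write a minimal config: [req] drives the CSR, [leaf] is the extension section
# used both for the CSR (req_extensions) and for the signed certificate.
write_cnf() {
    # $1 = config path, $2 = SAN list, e.g. "IP:192.168.1.169,DNS:example.test"
    cat > "$1" <<EOF
[ req ]
distinguished_name = dn
req_extensions     = leaf
prompt             = no
[ dn ]
CN = san-example.test
[ leaf ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = $2
EOF
}

# Route 1 (the question's flow, fixed): key -> CSR -> x509 -req.
# The CSR carries the SAN, but x509 -req adds extensions only when told where to
# read them from (-extfile FILE -extensions SECTION).
# $3 = "drop" omits -extfile and reproduces the question: the SAN is silently lost.
route_csr() {
    dir="$1"; san="$2"; mode="$3"
    mkdir -p "$dir"; write_cnf "$dir/san.cnf" "$san"
    openssl genrsa -out "$dir/test.key" 2048 2>/dev/null
    openssl req -new -key "$dir/test.key" -out "$dir/test.csr" -config "$dir/san.cnf"
    if [ "$mode" = drop ]; then
        openssl x509 -req -in "$dir/test.csr" -signkey "$dir/test.key" \
            -out "$dir/test.pem" 2>/dev/null
    else
        openssl x509 -req -days 365 -sha256 -in "$dir/test.csr" -signkey "$dir/test.key" \
            -out "$dir/test.pem" -extfile "$dir/san.cnf" -extensions leaf 2>/dev/null
    fi
}

# Route 2 (Answer 2's flow): one-shot `req -x509`; the section named by
# -extensions is applied directly to the self-signed certificate.
route_oneshot() {
    dir="$1"; san="$2"
    mkdir -p "$dir"; write_cnf "$dir/san.cnf" "$san"
    openssl req -x509 -newkey rsa:2048 -sha256 -days 365 -nodes \
        -keyout "$dir/test.key" -out "$dir/test.pem" \
        -config "$dir/san.cnf" -extensions leaf 2>/dev/null
}

# Print the SAN entries of a certificate on one line (empty if it has none).
cert_san() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n1 | sed 's/^ *//'
}

# Succeed only if basicConstraints marks the certificate as a leaf (CA:FALSE).
cert_is_leaf() {
    openssl x509 -in "$1" -noout -text | grep -A1 'Basic Constraints' | grep -q 'CA:FALSE'
}

# Usage (paths are sample values):
#   route_csr /tmp/san-demo "IP:192.168.1.169" drop; cert_san /tmp/san-demo/test.pem   # prints nothing
#   route_csr /tmp/san-demo "IP:192.168.1.169" sign; cert_san /tmp/san-demo/test.pem   # IP Address:192.168.1.169
#   route_oneshot /tmp/san-demo2 "DNS:example.test,IP:192.168.1.169"; cert_is_leaf /tmp/san-demo2/test.pem
```

`cert_san` and `cert_is_leaf` are the checks worth scripting into any cert-generation pipeline: the first catches exactly the silent extension loss the question describes, the second catches a server certificate that accidentally claims to be a CA.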