我有一对 Root CA 密钥。如何颁发带有 SAN(主体备用名称)扩展的新 SSL 证书?我试过这个
openssl genrsa -out ssl.key 2048
openssl req -new -config ssl.conf -key ssl.key -out ssl.csr
openssl x509 -req -sha256 -days 3650 -CAcreateserial -CAkey root.key -CA root.crt -in ssl.csr -out ssl.crt
ssl.conf:
[req]
prompt = no
distinguished_name = req_distinguished_name
x509_extensions = v3_ca
[req_distinguished_name]
CN = 127.0.0.1
[v3_ca]
subjectAltName = @alt_names
[alt_names]
IP.1 = 127.0.0.1
IP.2 = ::1
DNS.1 = localhost
但生成的证书不包含SAN。
但是,以下命令生成的自签名证书包含 SAN:
openssl req -new -x509 -sha256 -days 3650 -config ssl.conf -key ssl.key -out ssl.crt
答案1
- 我的 CSR 不包含 SAN。扩展名应在 中指定,
req_extensions
而不是x509_extensions
。 - 有一个错误命令
x509
:证书中的扩展不会转移到证书请求中,反之亦然。
所以我用ca
命令解决了我的问题:
- 创建了空
ca/newcerts
文件夹和空ca/index.txt
文件。 編輯
ssl.conf
:[ca] default_ca = CA_default [CA_default] dir = ./ca database = $dir/index.txt new_certs_dir = $dir/newcerts serial = $dir/serial private_key = ./root.key certificate = ./root.crt default_days = 3650 default_md = sha256 policy = policy_anything copy_extensions = copyall [policy_anything] countryName = optional stateOrProvinceName = optional localityName = optional organizationName = optional organizationalUnitName = optional commonName = supplied emailAddress = optional [req] prompt = no distinguished_name = req_distinguished_name req_extensions = v3_ca [req_distinguished_name] CN = 127.0.0.1 [v3_ca] subjectAltName = @alt_names [alt_names] IP.1 = 127.0.0.1 IP.2 = ::1 DNS.1 = localhost
运行命令:
openssl genrsa -out ssl.key 2048 openssl req -new -config ssl.conf -key ssl.key -out ssl.csr openssl ca -config ssl.conf -create_serial -batch -in ssl.csr -out ssl.crt