我将证书放入存储库,该存储库不允许使用比前一个证书更有限的后续证书。我需要一个初始虚拟证书/密钥/链来引导该过程,其用途不比允许 serverAuth 和 clientAuth 的 Let's Encrypt 主机证书更开放。我需要的是一个具有这些或更少用途的虚拟主机证书。然而,在昨天和今天阅读了许多文章和 SO 帖子后,我多次迭代命令都无法生成这个证书。
以下是我正在处理的内容:
gen.sh
#!/bin/bash -e
rm dummy*
days=100
openssl genrsa -out dummy-root.key 2048
openssl req -new -x509 -days $days -subj '/C=US/ST=TX/O=foo/OU=bar/CN=dummy-root.com' -key dummy-root.key -out dummy-root.crt
openssl genrsa -out dummy-class2.key 2048
openssl req -new -subj '/C=US/ST=TX/O=foo/OU=bar/CN=dummy-class2.com' -key dummy-class2.key -out dummy-class2.csr
openssl x509 -req -days $days -in dummy-class2.csr -CA dummy-root.crt -CAkey dummy-root.key -CAcreateserial -out dummy-class2.crt
openssl genrsa -out dummy-host.key 2048
openssl req -new -config gen.host.cfg -key dummy-host.key -out dummy-host.csr -extensions my_server_exts
openssl x509 -req -days $days -in dummy-host.csr -CA dummy-class2.crt -CAkey dummy-class2.key -set_serial 1 -out dummy-host.crt -sha256 -ext subjAltName
rm *.srl *.csr
cat dummy-host.crt dummy-class2.crt dummy-root.crt > dummy-chain.crt
# this always fails?
# openssl verify --CAfile dummy-root.crt -untrusted dummy-class2.crt dummy-host.crt
openssl x509 -noout -ext extendedKeyUsage < dummy-host.crt
对于扩展所需的配置文件(如上所述):
gen.host.cfg
[ req ]
prompt = no
default_bits = 2048
default_md = sha256
distinguished_name = my_dn
req_extensions = my_server_exts
[ my_dn ]
# The bare minimum is probably a commonName
commonName = dummy-host2.com
countryName = US
organizationName = foo
organizationalUnitName = bar
[ my_server_exts ]
basicConstraints = critical,CA:false
keyUsage = keyEncipherment
# extendedKeyUsage = serverAuth
extendedKeyUsage = 1.3.6.1.5.5.7.3.1
gen.sh 的最后一行尝试读取扩展并始终显示“证书中没有扩展”,当发送到证书存储库时,会将其解释为具有“任何”用途,然后在使用 Lets Encrypt 证书更新时拒绝减少使用量。
为什么我指定的 EKU 没有进入证书?或者我还能如何创建使用受限的证书?
答案1
由于您使用默认配置文件,因此添加到证书的唯一扩展是根 CA 的扩展。在x509命令调用中,您无需提供-extfile和-extensions命令行选项。
为了对添加的扩展有更好的控制,您可能应该在配置文件中明确列出每个证书的扩展,并向所有证书添加keyUsageCA 证书的扩展:subjectKeyIdentifierauthorityKeyIdentifier
[ req ]
default_bits = 2048
default_md = sha256
distinguished_name = dn
[ dn ]
# -subj used instead
[ root_exts ]
basicConstraints = critical,CA:true
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer
keyUsage = keyCertSign, cRLSign
[ intermediate_exts ]
# Can not sign other CA certificates
basicConstraints = critical,CA:true,pathlen:0
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer
keyUsage = keyCertSign, cRLSign
[ server_exts ]
basicConstraints = critical,CA:false
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
keyUsage = keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:dummy-host.com
-extfile并使用或选项调用所有证书生成命令(以-config适当者为准):
#!/bin/bash
set -e
days=100
openssl genrsa -out dummy-root.key 2048
openssl req -x509 -key dummy-root.key -out dummy-root.crt -days $days \
-subj '/C=US/ST=TX/O=foo/OU=bar/CN=dummy-root.com' \
-config gen.host.cfg -extensions root_exts
openssl genrsa -out dummy-class2.key 2048
openssl req -new -key dummy-class2.key -out dummy-class2.csr \
-subj '/C=US/ST=TX/O=foo/OU=bar/CN=dummy-class2.com'
openssl x509 -req -in dummy-class2.csr -out dummy-class2.crt -days $days \
-CAkey dummy-root.key -CA dummy-root.crt -CAcreateserial \
-extfile gen.host.cfg -extensions intermediate_exts
openssl genrsa -out dummy-host.key 2048
openssl req -new -key dummy-host.key -out dummy-host.csr \
-subj '/C=US/ST=TX/O=foo/OU=bar/CN=dummy-host.com'
openssl x509 -req -in dummy-host.csr -out dummy-host.crt -days $days \
-CAkey dummy-class2.key -CA dummy-class2.crt -CAcreateserial \
-extfile gen.host.cfg -extensions server_exts
rm *.csr
cat dummy-{host,class2,root}.crt > dummy-chain.crt
openssl verify -CAfile dummy-root.crt -untrusted dummy-class2.crt dummy-host.crt
openssl x509 -noout -ext extendedKeyUsage -in dummy-host.crt