Step-CA does not work with Subject Alternative Names (SAN)

When creating a certificate with SANs, the Step-CA help text reads:

  Request a new certificate with multiple Subject Alternative Names. The
  Subject Common Name of the certificate will be 'foobar'. However, because
  additional SANs are configured using the --san flag and 'foobar' is not one
  of these, 'foobar' will not be in the SAN extensions of the certificate.
  The certificate will have 2 IP Address extensions (1.1.1.1, 10.2.3.4) and 1
  DNS Name extension (hello.example.com):

      $ step ca certificate --san 1.1.1.1 --san hello.example.com --san 10.2.3.4 foobar internal.crt internal.key

When I try the equivalent command:

step ca certificate --san dtk --san dtk.intranet.local foobar /root/dtk.crt /root/dtk.key

I get the following output:

✔ Provisioner: acme-smallstep (ACME)
Using Standalone Mode HTTP challenge to validate dtk .. done!
Using Standalone Mode HTTP challenge to validate dtk.dynautics.local .. done!
Waiting for Order to be 'ready' for finalization .. done!
Finalizing Order .error finalizing order: error finalizing order: CSR names do not match identifiers exactly: CSR names = [dtk dtk.dynautics.local foobar], Order names = [dtk dtk.dynautics.local]

If I replace "foobar" with an empty string, it prompts me for the subject. If I replace "foobar" with "dtk dtk.dynautics.local" as a single string, I get:

Finalizing Order .error finalizing order: error finalizing order: CSR names do not match identifiers exactly: CSR names = [dtk dtk dtk.dynautics.local dtk.dynautics.local], Order names = [dtk dtk.dynautics.local]

I am confused. Surely SANs are common? Surely this feature was tested before Step-CA was released?

Why does their own example not work?

Answer 1

The example given in the Step-CA help text is completely wrong. To work around this, use the primary name as the subject. For example:

step ca certificate --san dtk --san dtk.intranet.local dtk.intranet.local /root/dtk.crt /root/dtk.key
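The error messages above show the rule the ACME provisioner applies at finalization: the set of names in the CSR (the SANs, plus the subject when it is not already one of them) must equal the set of identifiers in the order, which is built from the --san values only. The following POSIX shell pre-flight check, added here as an example and not code from the original post or from the smallstep project, computes both sets the same way and refuses to call step when they differ. It assumes the step CLI is on PATH; the certificate and key paths are placeholders, and the set comparison is a simplified model of the server's check as it appears in the errors, not step-ca's own code.

```shell
#!/bin/sh
# Added example (not from the original post or the smallstep project).

# csr_names SUBJECT SAN... -> the unique, sorted names the CSR will carry.
# The subject is appended to the SAN list; sort -u removes it again when it
# is already one of the SANs, which is exactly the case the answer relies on.
csr_names() {
  subject="$1"; shift
  for n in "$@" "$subject"; do printf '%s\n' "$n"; done \
    | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# order_names SAN... -> the unique, sorted identifiers the ACME order will
# contain (only the --san values; the subject is not part of the order).
order_names() {
  for n in "$@"; do printf '%s\n' "$n"; done \
    | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# check_subject SUBJECT SAN... -> exit 0 when both sets match, 1 otherwise.
check_subject() {
  subject="$1"; shift
  [ "$(csr_names "$subject" "$@")" = "$(order_names "$@")" ]
}

# request_cert SUBJECT CRT_PATH KEY_PATH SAN...
# Wrapper around the command from the question that fails early, with a
# readable reason, instead of after the HTTP challenges have already run.
request_cert() {
  subject="$1"; crt="$2"; key="$3"; shift 3
  if ! check_subject "$subject" "$@"; then
    echo "subject '$subject' is not one of the SANs ($*); finalization would fail" >&2
    return 1
  fi
  args=""
  for n in "$@"; do args="$args --san $n"; done
  # shellcheck disable=SC2086  # word splitting of $args is intended here
  step ca certificate $args "$subject" "$crt" "$key"
}

# Usage (placeholder paths, constructed names from the question):
#   request_cert foobar /root/dtk.crt /root/dtk.key dtk dtk.dynautics.local   # refused
#   request_cert dtk.dynautics.local /root/dtk.crt /root/dtk.key dtk dtk.dynautics.local
```

With subject foobar the CSR set is "dtk dtk.dynautics.local foobar" against an order set of "dtk dtk.dynautics.local", which is the first mismatch in the question; with the primary name dtk.dynautics.local as subject the two sets are identical and the request goes through.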
