X.509 签名证书有效性

X.509 签名证书有效性

我们正在尝试为 Kafka 服务器集群生成服务器证书,以便通过 SSL 进行通信。

该程序有效,但证书的有效期仅为 30 天。

我们请求 365 天,在“步骤 1”(见下文)之后,我们将获得具有正确有效期的密钥对。请参阅下面的 (1)。

但是,当我们将签名的证书重新导入密钥库后,有效期已缩短为 30 天。请参阅下面的 (2)。

为什么会这样?我们该如何解决这个问题?

echo "Step1: Create the server identity and keystore"
$ORACLE_JDK_1_8_0_u181_keytool -genkey -keystore keystore.p12 -alias localhost -validity 365 -keyalg RSA -deststoretype pkcs12 -ext SAN="DNS:$SERVER_NAME.corp.com,IP:1.2.3.4"

$ORACLE_JDK_1_8_0_u181_keytool -list -v -keystore keystore.p12 -storepass $KPWD
# (1) Shows validity of 365 days: correct

echo "Step2: Export the private key from the keystore to a separate file"
openssl pkcs12 -in keystore.p12 -nodes -nocerts -out $SERVER_NAME_key.pem -passin pass:$KPWD -passout pass:$KPWD

echo "Step3: Create a Certificate Signing Request (CSR)"
openssl req -new -key $SERVER_NAME_key.pem -out $SERVER_NAME.csr -passin pass:$KPWD -passout pass:$KPWD

echo "Step6 Sign the server certificate"
openssl x509 -req -in $SERVER_NAME.csr -CA CAcert.pem -CAkey CAkey.pem -CAcreateserial -out $SERVER_NAME_key_signed.pem -passin pass:$CAPD

echo "Step7: Import both the certificate of the CA and the signed certificate into the keystore."
$ORACLE_JDK_1_8_0_u181_keytool -keystore keystore.p12 -alias CARoot -import -file CAcert.pem -storepass $KPWD
$ORACLE_JDK_1_8_0_u181_keytool -keystore keystore.p12 -alias localhost -import -file $SERVER_NAME_key_signed.pem -storepass $KPWD
$ORACLE_JDK_1_8_0_u181_keytool -list -v -keystore keystore.p12 -storepass $KPWD
# (2) Shows validity of 30 days: WRONG. WHY?

答案1

您应该添加-days以下行:

openssl x509 -req -in $SERVER_NAME.csr -CA CAcert.pem -CAkey CAkey.pem -CAcreateserial -out $SERVER_NAME_key_signed.pem -passin pass:$CAPD

成为

openssl x509 -req -days 365 -in $SERVER_NAME.csr -CA CAcert.pem -CAkey CAkey.pem -CAcreateserial -out $SERVER_NAME_key_signed.pem -passin pass:$CAPD

相关内容