I have a load balancer that needs certificates with a specific configuration. Unfortunately, the person who created the first certificates did not document that configuration, and I only have an incomplete list of commands.
I have these two files: example_ca.crt and example.crt
Using this OpenSSL command:
openssl x509 -in file_name.crt -text -noout
these are their properties (I will omit the irrelevant information):
example_ca.crt
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            cb:0f:b8:78:38:9a:a9:da
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = example.org
        Validity
            Not Before: Jun 10 10:33:06 2020 GMT
            Not After : May 17 10:33:06 2120 GMT
        Subject: CN = example.org
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    [...]
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                81:FE:D0:6D:DE:0A:CC:10:1D:B3:74:EA:4B:C8:F3:43:37:B4:D1:FD
            X509v3 Authority Key Identifier:
                keyid:81:FE:D0:6D:DE:0A:CC:10:1D:B3:74:EA:4B:C8:F3:43:37:B4:D1:FD
            X509v3 Basic Constraints:
                CA:TRUE
    Signature Algorithm: sha256WithRSAEncryption
         [...]
example.crt
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            80:1d:bb:9e:9f:2c:4e:ce
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = example.org
        Validity
            Not Before: Jun 10 10:33:44 2020 GMT
            Not After : May 17 10:33:44 2120 GMT
        Subject: CN = example.org
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    [...]
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Extended Key Usage:
                TLS Web Client Authentication, TLS Web Server Authentication
            X509v3 Authority Key Identifier:
                keyid:81:FE:D0:6D:DE:0A:CC:10:1D:B3:74:EA:4B:C8:F3:43:37:B4:D1:FD
            X509v3 Subject Key Identifier:
                B1:2C:74:04:EE:03:84:C9:F7:92:35:CE:6E:20:EF:C6:FE:B8:23:A7
    Signature Algorithm: sha256WithRSAEncryption
         [...]
I managed to replicate example_ca.crt with these commands and this config (ignoring the expiry date):
openssl genrsa -out example_ca.key 2048
openssl req -new -x509 -days 365 -key example_ca.key -out example_ca.crt -config root.cnf
root.cnf
# OpenSSL configuration for Root CA
[ req ]
prompt = no
string_mask = default
default_bits = 2048
distinguished_name = req_distinguished_name
x509_extensions = x509_ext
[ req_distinguished_name ]
commonName = example.org
[ x509_ext ]
extendedKeyUsage = clientAuth, serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
basicConstraints=CA:true
My problem comes when I try to replicate example.crt: I have tried many possibilities for server.cnf and openssl.cnf, but I never get close to the expected result.
For the final steps I used these commands:
openssl genrsa -out example.key 2048
openssl req -new -out example.csr -key example.key -config server.cnf
echo extendedKeyUsage = clientAuth > openssl.cnf
openssl x509 -req -in example.csr -out example.crt -signkey example.key -CA example_ca.crt -CAkey example_ca.key -CAcreateserial -days 365 -extfile openssl.cnf
I will skip server.cnf because that is where I need help. But basically I always end up missing the "X509v3 extensions" section in example.crt.
If necessary, feel free to enforce a password, or to correct my replica of example_ca.crt; I only briefly explained the basics.
Update:
server.cnf
# OpenSSL configuration for end-entity cert
[ req ]
prompt = no
string_mask = default
default_bits = 2048
distinguished_name = req_distinguished_name
x509_extensions = x509_ext
[ req_distinguished_name ]
commonName = example.org
[ x509_ext ]
keyUsage=critical,digitalSignature,keyAgreement
subjectAltName = @alt_names
# Multiple Alternate Names are possible
[alt_names]
DNS.1 = example.org
IP.1 = 127.0.0.1
# DNS.2 = altName.example.com
Answer 1
Create a local.cnf file with something like the following (remove my comments if you want):
[server]
# These two are expected...
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer
# This is wise for end-entities and SHOULD be critical:
# keyUsage = critical, digitalSignature, keyAgreement
# Choose (wisely) from: digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment, keyAgreement, encipherOnly, and decipherOnly
# but not keyCertSign or cRLSign as they are for CAs.
# This is for end-entity certificates only.
extendedKeyUsage = clientAuth, serverAuth
# Choose (wisely) from: https://www.openssl.org/docs/manmaster/man5/x509v3_config.html#Extended-Key-Usage
then apply it with these flags on the openssl x509 command:
openssl x509 ... -extfile local.cnf -extensions server
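As an added, end-to-end example (not part of the question or the answer above), the script below rebuilds the CA and the end-entity certificate using the answer's local.cnf section and then checks that the leaf really carries the Extended Key Usage, Subject Key Identifier and Authority Key Identifier extensions shown in example.crt, and that it verifies against the CA. It assumes the openssl CLI is on PATH; the directory and file names (WORK_DIR, root.cnf, server.cnf, local.cnf, the .key/.csr/.crt names) are this example's own choices. Two deviations from the question's commands are deliberate: root.cnf omits extendedKeyUsage, because the CA certificate shown in the question has none, and the signing step uses -CA/-CAkey without -signkey, since -signkey requests a self-signed certificate and does not belong in a CA-signed issuance.

```shell
#!/bin/sh
# Added example: issue a CA and a leaf certificate with OpenSSL, then verify
# that the expected X509v3 extensions are present in the leaf.
# Assumption: the openssl CLI is installed. All paths below are illustrative.
set -eu

WORK_DIR="${WORK_DIR:-$(mktemp -d)}"

# Write the three config files. root.cnf mirrors the question's CA config
# minus extendedKeyUsage; server.cnf only carries the DN for the CSR;
# local.cnf is the answer's [server] extension section.
write_configs() {
    cat > "$WORK_DIR/root.cnf" <<'EOF'
[ req ]
prompt = no
string_mask = default
default_bits = 2048
distinguished_name = req_distinguished_name
x509_extensions = x509_ext
[ req_distinguished_name ]
commonName = example.org
[ x509_ext ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
basicConstraints = CA:true
EOF
    cat > "$WORK_DIR/server.cnf" <<'EOF'
[ req ]
prompt = no
string_mask = default
default_bits = 2048
distinguished_name = req_distinguished_name
[ req_distinguished_name ]
commonName = example.org
EOF
    cat > "$WORK_DIR/local.cnf" <<'EOF'
[server]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
extendedKeyUsage = clientAuth, serverAuth
EOF
}

# Issue the CA (self-signed via req -x509, which is where x509_extensions
# applies) and the leaf (x509 -req, which takes its extensions only from
# -extfile/-extensions, never from the req config).
issue_certs() {
    openssl genrsa -out "$WORK_DIR/example_ca.key" 2048 2>/dev/null
    openssl req -new -x509 -days 365 -key "$WORK_DIR/example_ca.key" \
        -out "$WORK_DIR/example_ca.crt" -config "$WORK_DIR/root.cnf"
    openssl genrsa -out "$WORK_DIR/example.key" 2048 2>/dev/null
    openssl req -new -key "$WORK_DIR/example.key" \
        -out "$WORK_DIR/example.csr" -config "$WORK_DIR/server.cnf"
    openssl x509 -req -in "$WORK_DIR/example.csr" -out "$WORK_DIR/example.crt" \
        -CA "$WORK_DIR/example_ca.crt" -CAkey "$WORK_DIR/example_ca.key" \
        -CAcreateserial -days 365 \
        -extfile "$WORK_DIR/local.cnf" -extensions server 2>/dev/null
}

# Print the leaf's extension block and return 0 only if the expected
# extensions are present and the leaf chains to the CA.
check_leaf() {
    text=$(openssl x509 -in "$WORK_DIR/example.crt" -text -noout)
    printf '%s\n' "$text" | sed -n '/X509v3 extensions:/,/Signature Algorithm/p'
    printf '%s\n' "$text" | grep -q 'X509v3 Extended Key Usage' || return 1
    printf '%s\n' "$text" | grep -q 'TLS Web Client Authentication, TLS Web Server Authentication' || return 1
    printf '%s\n' "$text" | grep -q 'X509v3 Subject Key Identifier' || return 1
    printf '%s\n' "$text" | grep -q 'X509v3 Authority Key Identifier' || return 1
    openssl verify -CAfile "$WORK_DIR/example_ca.crt" "$WORK_DIR/example.crt" >/dev/null
}

# Full procedure: configs, issuance, verification.
rebuild_and_check() {
    write_configs
    issue_certs
    check_leaf
}

if command -v openssl >/dev/null 2>&1; then
    rebuild_and_check && echo "leaf certificate has the expected extensions"
else
    echo "openssl not on PATH; nothing run" >&2
fi
```

The part that answers the question is the last openssl x509 call: extensions for a CA-signed leaf come from the file named by -extfile and the section named by -extensions, which is why a req config with x509_extensions (only honoured by req -x509) produced no "X509v3 extensions" block.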