openssl ca vs openssl x509 (the openssl ca command does not put the same fields on the certificate?)

Jef*_*Pal 4 ssl openssl

What is the difference between the `openssl ca` and `openssl x509` commands? I am using them to create and sign my root-ca, intermed-ca and client certificates, but the `openssl ca` command does not register the phone number and e-mail address on the certificate, while `openssl x509` does.

openssl x509:

# The CA key signs the request; -signkey is for self-signing and is not combined with -CA
openssl x509 -req \
    -in client.req.pem \
    -out client.cert.pem \
    -CA ca.cert.pem -CAkey ca.key.pem -CAcreateserial -days 365

openssl ca:

# Uses the [ intermed_ca ] section selected by default_ca in the ca.cnf below
openssl ca -config ca.cnf \
    -in client.req.pem \
    -out client.cert.pem \
    -extensions client_ext \
    -startdate "$(date +%y%m%d000000Z -u -d -2day)" \
    -enddate "$(date +%y%m%d000000Z -u -d +1years+1day)"

My ca.cnf:

CA_HOME                 = .
RANDFILE                = $ENV::CA_HOME/private/.rnd
#oid_section             = new_oids

# XMPP address Support
#[ new_oids ]
#xmppAddr          = 1.3.6.1.5.5.7.8.5
#dnsSRV            = 1.3.6.1.5.5.7.8.7

# Default Certification Authority
[ ca ]
default_ca              = intermed_ca

# Intermediate Certification Authority
[ intermed_ca ]
dir                     = $ENV::CA_HOME
certs                   = $dir/certs
serial                  = $dir/intermed-ca.serial
database                = $dir/intermed-ca.index
new_certs_dir           = $dir/newcerts
certificate             = $dir/intermed-ca.cert.pem
private_key             = $dir/private/intermed-ca.key.pem
default_days            = 730 # Two years
crl                     = $dir/crl/intermed-ca.crl
crl_dir                 = $dir/crl
crlnumber               = $dir/intermed-ca.crlnum
name_opt                = multiline, align
cert_opt                = no_pubkey
copy_extensions         = copy
crl_extensions          = crl_ext
default_crl_days        = 30
default_md              = sha256
preserve                = no
email_in_dn             = no
policy                  = policy
unique_subject          = no

#
# Distinguished Name Policy
[ policy ]
countryName             = optional
stateOrProvinceName     = optional
localityName            = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied

#
# Distinguished Name Policy for Personal Certificates
[ user_policy ]
countryName             = supplied
stateOrProvinceName     = optional
localityName            = supplied
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = supplied
#xmppAddr               = optional # Added to SubjAltName by req

#
# Intermediate CA request options
[ req ]
default_bits            = 3072
default_keyfile         = private/intermed-ca.key.pem
encrypt_key             = yes
default_md              = sha256
string_mask             = utf8only
utf8                    = yes
prompt                  = no
req_extensions          = req_ext
distinguished_name      = distinguished_name
subjectAltName          = subject_alt_name

#
# Intermediate CA Request Extensions
[ req_ext ]
subjectKeyIdentifier    = hash
subjectAltName          = @subject_alt_name

#
# Distinguished Name (DN)
[ distinguished_name ]
countryName             = BR
stateOrProvinceName     = mystate
localityName            = mycity
organizationName        = domain.com
organizationalUnitName  = P&D
commonName              = domain.com.br Intermediate Certification Authority
emailAddress            = my.email@domain.com

#
# Server Certificate Extensions
[ server_ext ]
basicConstraints        = CA:FALSE
keyUsage                = critical, digitalSignature, keyEncipherment
extendedKeyUsage        = critical, serverAuth, clientAuth
subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid:always
issuerAltName           = issuer:copy
authorityInfoAccess     = @auth_info_access
crlDistributionPoints   = crl_dist

#
# Client Certificate Extensions
[ client_ext ]
basicConstraints        = CA:FALSE
keyUsage                = critical, digitalSignature
extendedKeyUsage        = critical, clientAuth
subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid:always
issuerAltName           = issuer:copy
authorityInfoAccess     = @auth_info_access
crlDistributionPoints   = crl_dist

#
# User Certificate Extensions
[ user_ext ]
basicConstraints        = CA:FALSE
keyUsage                = critical, digitalSignature
extendedKeyUsage        = critical, clientAuth, emailProtection
subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid:always
issuerAltName           = issuer:copy
authorityInfoAccess     = @auth_info_access
crlDistributionPoints   = crl_dist

#
# CRL Certificate Extensions
[ crl_ext ]
authorityKeyIdentifier  = keyid:always
issuerAltName           = issuer:copy

#
# Certificate Authorities Alternative Names
[ subject_alt_name ]
URI                     = http://ca.domain.com/
email                   = contato@domain.com

#
# Certificate download addresses for the intermediate CA
[ auth_info_access ]
caIssuers;URI           = http://ca.domain.com/certs/domain.com_Intermediate_Certification_Authority.cert.pem

#
# CRL Download address for the intermediate CA
[ crl_dist ]
fullname                = URI:http://ca.domain.com/crl/domain.com_Intermediate_Certification_Authority.crl

Reference

https://roll.urown.net/ca/ca_root_setup.html

dav*_*085 5

From the man page for ca(1) (ca(1ssl) or similar on some systems), emphasis added:

POLICY FORMAT

The policy section consists of a set of variables corresponding to certificate DN fields. If the value is "match" then the field value must match the same field in the CA certificate. If the value is "supplied" then it must be present. If the value is "optional" then it may be present. Any [DN] fields not mentioned in the policy section are silently deleted, unless the -preserveDN option is set[,] but this can be regarded more of a quirk than intended behaviour.

and then:

BUGS
...
Any [DN] fields in a request that are not present in a policy are silently deleted. This does not happen if the -preserveDN option is used. To enforce the absence of the EMAIL field within the DN, as suggested by RFCs, regardless the contents of the request['s] subject[,] the -noemailDN option can be used. The behaviour should be more friendly and configurable.

Although these mention only the command-line option -preserveDN, the related config item is (incompletely) described elsewhere:

preserve
    the same as -preserveDN

To be exact, if preserve is yes it overrides the policy and keeps all DN fields (in order), as is (correctly) documented for -preserveDN; but the file you posted has preserve = no.


I also notice you have -extensions on your ca but not on your x509. ca can put extensions into the cert from the config file if you specify either the command-line option -extensions or the config item x509_extensions (the file you posted has neither), and can also copy extensions from the CSR (if it has any, which you didn't indicate) if you specify the config item copy_extensions (which you did). x509 can put extensions only from the config file (never from the CSR), and only if you specify on the command line -extfile file and optionally -extensions section. This will make very significant differences in your certs, probably more important than the e-mail and phone number in the subject, and is already covered by other questions such as https://security.stackexchange.com/questions/150078/missing-x509-extensions-with-an-openssl-generated-certificate and https://unix.stackexchange.com/questions/371997/creating-a-local-ssl-certificate
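An added demonstration (not part of the question or the answer above) that reproduces the asker's symptom with a throw-away CA and shows the three behaviours the answer describes: `openssl ca` silently drops a DN attribute that its policy section does not list, `-preserveDN` (the command-line form of `preserve = yes`) keeps the whole request DN, and `openssl x509 -req` copies the subject verbatim but carries no extensions over from the CSR unless told to. It assumes only a POSIX shell, `mktemp` and an `openssl` binary (1.1.1 or 3.x) on PATH; the CA name, the `alice@example.test` address and the `policy_*` section names are made up for the example.

```shell
#!/bin/sh
# Added example, not from the original post: a throw-away CA that shows which
# DN fields and extensions survive `openssl ca` versus `openssl x509 -req`.
# Assumes a POSIX shell, mktemp and openssl >= 1.1.1; all names are made up.
set -e
command -v openssl >/dev/null 2>&1 || { echo 'openssl not found, skipping' >&2; exit 0; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
LOG=$WORK/openssl.log

# One CA directory and one ca.cnf holding both policy sections, so the same
# CSR can be signed several times with only the command line changing.
setup_ca() {
  mkdir -p "$WORK/newcerts"
  : > "$WORK/index.txt"
  echo 01 > "$WORK/serial"
  cat > "$WORK/ca.cnf" <<EOF
[ ca ]
default_ca = demo_ca

[ demo_ca ]
dir             = $WORK
database        = \$dir/index.txt
new_certs_dir   = \$dir/newcerts
serial          = \$dir/serial
certificate     = \$dir/ca.cert.pem
private_key     = \$dir/ca.key.pem
default_md      = sha256
default_days    = 365
policy          = policy_no_email
preserve        = no
email_in_dn     = yes
copy_extensions = copy
unique_subject  = no

# Same shape as the asker's [ policy ]: emailAddress is not listed, so ca drops it.
[ policy_no_email ]
commonName       = supplied
organizationName = optional

# Corrected policy: every attribute the CSR may carry is listed.
[ policy_with_email ]
commonName       = supplied
organizationName = optional
emailAddress     = optional

[ client_ext ]
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature
extendedKeyUsage       = clientAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always
EOF
  # Self-signed CA; P-256 keeps key generation fast.
  openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -sha256 -days 365 -subj '/CN=Demo Root/O=Example' \
    -keyout "$WORK/ca.key.pem" -out "$WORK/ca.cert.pem" >>"$LOG" 2>&1
  # Client CSR with emailAddress in the DN *and* an rfc822Name SAN request extension.
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -sha256 -subj '/CN=alice/O=Example/emailAddress=alice@example.test' \
    -addext 'subjectAltName=email:alice@example.test' \
    -keyout "$WORK/client.key.pem" -out "$WORK/client.csr.pem" >>"$LOG" 2>&1
}

# sign_with_ca POLICY OUT [EXTRA]: issue the CSR with `openssl ca`, using the
# named policy section plus any extra option such as -preserveDN.
sign_with_ca() {
  openssl ca -batch -notext -config "$WORK/ca.cnf" -extensions client_ext \
    -policy "$1" ${3:-} -in "$WORK/client.csr.pem" -out "$2" >>"$LOG" 2>&1
}

# sign_with_x509 OUT: issue the CSR with `openssl x509 -req` and no -extfile,
# as in the question.
sign_with_x509() {
  openssl x509 -req -sha256 -days 365 -in "$WORK/client.csr.pem" \
    -CA "$WORK/ca.cert.pem" -CAkey "$WORK/ca.key.pem" -CAcreateserial \
    -out "$1" >>"$LOG" 2>&1
}

# yes/no: does the certificate's subject DN still contain emailAddress?
dn_has_email() {
  openssl x509 -in "$1" -noout -subject | grep -q emailAddress && echo yes || echo no
}

# yes/no: did the rfc822Name SAN from the CSR make it into the certificate?
san_has_email() {
  openssl x509 -in "$1" -noout -text | grep -q 'email:alice@example.test' && echo yes || echo no
}

setup_ca
sign_with_ca policy_no_email   "$WORK/dropped.pem"              # the asker's situation
sign_with_ca policy_with_email "$WORK/policy.pem"               # fix 1: list the attribute
sign_with_ca policy_no_email   "$WORK/preserve.pem" -preserveDN # fix 2: keep the request DN
sign_with_x509                 "$WORK/x509.pem"                 # subject verbatim, SAN lost

printf '%-12s %-12s %-12s\n' certificate email_in_DN email_in_SAN
for c in dropped policy preserve x509; do
  printf '%-12s %-12s %-12s\n' "$c" "$(dn_has_email "$WORK/$c.pem")" "$(san_has_email "$WORK/$c.pem")"
done
```

Read the table row by row: `dropped` has the e-mail only in the SAN (copy_extensions rescued it, the policy ate the DN attribute), `policy` and `preserve` keep it in both places, and `x509` keeps the DN untouched but has no SAN at all, which is the "more important" difference the answer points at.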