带有主题备用名称的OpenSSL V3

Question

我正在使用OpenSSL命令行工具生成自签名证书.除了两个问题外,它似乎正常工作.我无法用主题替代名称(关键)创建一个.cer并且我无法弄清楚如何创建一个版本3的证书(不确定这是否至关重要,但更愿意学习如何设置版本).

有人做过这个吗？默认配置(.cfg)文件看似清晰(见下文):

"这个东西是为subjectAltName和issuerAltname.导入电子邮件地址.subjectAltName = email:copy"

但这不起作用.我的预感是主题备用名称没有显示b/c它没有出现在V1规格中,这就是为什么我也在追求设置他的版本.

这是我正在使用的配置文件:

[ req ]
default_bits        = 2048 
default_keyfile     = privkey.pem 
distinguished_name  = req_distinguished_name
emailAddress        = myEmail@email.com
req_extensions          = v3_req
x509_extensions         = v3_ca

[req_distinguished_name]
C = [Press Enter to Continue]
C_default = US 
C_min = 2 
C_max = 2 

O = [Press Enter to Continue]
O_default = default 

0.OU=[Press Enter to Continue]
0.OU_default = default 
1.OU=[Press Enter to Continue]
1.OU_default = PKI 
2.OU=[Press Enter to Continue] 
2.OU_default = ABCD
commonName = Public FQDN of server 
commonName_max = 64

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment

[ v3_ca ]
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always,issuer:always
subjectAltName         = email:myEmail@email.com
issuerAltName          = issuer:copy

Answer 1

这是您的简单步骤

在生成CSR时,您应该使用-config和-extensions,并在生成证书时使用-extfile和-extensions

这是一个例子

openssl req -new -nodes -keyout test.key  -out test.csr -days 3650 -subj "/C=US/ST=SCA/L=SCA/O=Oracle/OU=Java/CN=test cert" -config /etc/pki/tls/openssl.cnf -extensions v3_req
openssl x509 -req -days 3650 -in test.csr -CA cacert.pem -CAkey rootCA.key -CAcreateserial -out test.pem -extfile /etc/pki/tls/openssl.cnf  -extensions v3_req

希望这可以帮助

Answer 2

我让它使用以下版本(emailAddress被错误地放置):

[ req ]
default_bits        = 2048 
default_keyfile     = privkey.pem 
distinguished_name  = req_distinguished_name
req_extensions          = v3_req
x509_extensions         = v3_ca

[req_distinguished_name]
C = [Press Enter to Continue]
C_default = US 
C_min = 2 
C_max = 2 

O = [Press Enter to Continue]
O_default = default 

0.OU=[Press Enter to Continue]
0.OU_default = default 
1.OU=[Press Enter to Continue]
1.OU_default = PKI 
2.OU=[Press Enter to Continue] 
2.OU_default = ABCD
commonName = Public FQDN of server 
commonName_max = 64
emailAddress = [Press Enter to Continue] 
emailAddress_default = myEmail@email.com

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment

[ v3_ca ]
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always,issuer:always
subjectAltName         = email:myEmail@email.com
issuerAltName          = issuer:copy

笔记:

• 要生成我使用的证书:

  openssl req -config req.cnf -new -nodes -out req.pem -x509
  

• 我没有看到太多用处issuerAltname(如果你有兴趣知道在哪里).
• 使用issuer:always不推荐authorityKeyIdentifier.
• email:copy现在使用可以使用subjectAltName.
• v3_req部分是多余的(以及req_extensions线.

Answer 3

我刚刚开发了一个基于 Web 的工具，它将根据表单输入自动生成此命令并显示输出。

更新：请参阅certificatetools.com

它变得如此受欢迎，以至于我对其进行了改进并以自己的域名发布。

它不仅会为您提供可下载的 .csr，还会提供用于生成它的 openssl 命令，以及所需的 openssl.cnf 配置选项。

例子：

OpenSSL 命令

#generate the RSA private key
openssl genpkey -outform PEM -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out priv.key

#Create the CSR
openssl req -new -nodes -key priv.key -config csrconfig.txt -out cert.csr

OpenSSL CSR 配置

[ req ]
default_md = sha256
prompt = no
req_extensions = req_ext
distinguished_name = req_distinguished_name
[ req_distinguished_name ]
commonName = example.com
countryName = US
stateOrProvinceName = Louisiana
localityName = Slidell
organizationName = Acme Inc.
[ req_ext ]
keyUsage=critical,digitalSignature,keyEncipherment
extendedKeyUsage=critical,serverAuth,clientAuth
subjectAltName = @alt_names
[ alt_names ]
IP.0 = 1.1.1.1
IP.1 = 2.2.2.2
DNS.0 = server1.example.com
DNS.1 = server2.example.com
email.0 = email1@example.com
email.1 = email2@example.com

Answer 4

好了，此页面上的其他答案都没有对我有用，因此我尝试了最后一个答案。对我有用的是一个小把戏：

请求证书时：

-config '<(cat /etc/ssl/openssl.cnf <(printf "[SAN]\nsubjectAltName=DNS:$SERVER"))' 
-reqexts SAN

并且在签署证书时：

-extfile '<(cat /etc/ssl/openssl.cnf <(printf "[SAN]\nsubjectAltName=DNS:$SERVER"))' 
-extensions SAN

因此，不要混淆，这里有一个工作脚本，从一开始就涵盖了所有内容，包括创建证书颁发机构：

# if the server name is undefined, lets default to 'Some-Server'
SERVER="${SERVER:-Some-Server}"

CORPORATION=My-Corp
GROUP=My-Corporate-Group
CITY=City
STATE=State
COUNTRY=US

CERT_AUTH_PASS=`openssl rand -base64 32`
echo $CERT_AUTH_PASS > cert_auth_password
CERT_AUTH_PASS=`cat cert_auth_password`

# create the certificate authority
openssl \
  req \
  -subj "/CN=$SERVER.ca/OU=$GROUP/O=$CORPORATION/L=$CITY/ST=$STATE/C=$COUNTRY" \
  -new \
  -x509 \
  -passout pass:$CERT_AUTH_PASS \
  -keyout ca-cert.key \
  -out ca-cert.crt \
  -days 36500

# create client private key (used to decrypt the cert we get from the CA)
openssl genrsa -out $SERVER.key

# create the CSR(Certitificate Signing Request)
openssl \
  req \
  -new \
  -nodes \
  -subj "/CN=$SERVER/OU=$GROUP/O=$CORPORATION/L=$CITY/ST=$STATE/C=$COUNTRY" \
  -sha256 \
  -extensions v3_req \
  -reqexts SAN \
  -key $SERVER.key \
  -out $SERVER.csr \
  -config <(cat /etc/ssl/openssl.cnf <(printf "[SAN]\nsubjectAltName=DNS:$SERVER")) \
  -days 36500

# sign the certificate with the certificate authority
openssl \
  x509 \
  -req \
  -days 36500 \
  -in $SERVER.csr \
  -CA ca-cert.crt \
  -CAkey ca-cert.key \
  -CAcreateserial \
  -out $SERVER.crt \
  -extfile <(cat /etc/ssl/openssl.cnf <(printf "[SAN]\nsubjectAltName=DNS:$SERVER")) \
  -extensions SAN \
  -passin pass:$CERT_AUTH_PASS

然后，我们可以验证主题替代名称是否在最终证书中：

openssl x509 -in Some-Server.crt -text -noout

相关部分是：

    X509v3 extensions:
        X509v3 Subject Alternative Name: 
            DNS:Some-Server

这样就行了！只要您在浏览器中安装证书颁发机构，此证书就会被所有主流浏览器（包括chrome）接受。就是您需要安装的ca-cert.crt。

这是ngnx的示例配置，它使您可以使用证书：

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name  localhost:443;

    ssl_certificate /etc/ssl/certs/Some-Server.crt;
    ssl_certificate_key /etc/ssl/private/Some-Server.key;
    ssl_dhparam /etc/ssl/certs/https-dhparam.pem;

    location / {
        root   /usr/share/nginx/html;
        index  index.html index.htm;
    }
}