我目前能够解码CSR的值,除了Requested Extensions,特别是X509v3 Subject Alternative Name.这是我的`DecodeCSR(string csr)的相关部分:
public void DecodeCsr(string csrStr){
//getting just csr
var csrChars = Regex.Replace(csrStr, @"-----[^-]+-----", "").Trim().Replace(" ", "").Replace(Environment.NewLine, "").ToCharArray();
//converting that string into a byte array
byte[] csrEncode = Convert.FromBase64CharArray(csrChars, 0, csrChars.Length);
//giving decodeCsr the byte array
Pkcs10CertificationRequest decodeCsr = new Pkcs10CertificationRequest(csrEncode);
//getting a string of subject information
string subject = decodeCsr.GetCertificationRequestInfo().Subject.ToString();
//here's how I'm getting a DerSet of attribute
DerSet atts = (DerSet)decodeCsr.GetCertificationRequestInfo().Attributes;
}
这是一个带有SAN的测试csr:
string csr = "-----BEGIN CERTIFICATE REQUEST-----MIIC1DCCAbwCAQAwXjELMAkGA1UEBhMCVVMxEDAOBgNVBAgMB0dlb3JnaWExEDAOBgNVBAcMB0F0bGFudGExDTALBgNVBAoMBFRlc3QxHDAaBgNVBAMME3d3dy50aGlzaXNhdGVzdC5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDFU4pXLB3d8csjvRIkIdZfUF2m9sijtk1bqYohqVwYr3+OyDRkfRuTCni8RJS9VOcl6n5aUiK27P4s5j9LqqfL0vS8B949P/ewb2ip2BGB1sEmxKcsEoZYNNEhMm9p7yNTAEqJ/WN0N1CpKBFV1J/w6xiQy5tUyUe7C9c8DX6K1uhEDF9pfeTaCNxYBShm0JFuAIqn6Z+RzbC7tdwc0KgN/bhx3bEvg8b0p/hgxd2veuUmB/fcIPsFawkGFPcQzLpSbc1Vb+zru40HAbRflyQckA3ZgRsa1OHsdiOyb8vpV7dUm4VHOm38bw2wVImRMfRtNZXrL/WiWcGadtFV8nxXAgMBAAGgMTAvBgkqhkiG9w0BCQ4xIjAgMB4GA1UdEQQXMBWCCHRlc3QuY29tggl0ZXN0Mi5jb20wDQYJKoZIhvcNAQELBQADggEBAKXxHlruiqtTwB1Ov17K+mz03EidfecdW+9u8gcLdOOLKn5kCg6RuC0mCjGHvFGjE6ljFc5cyUFbfdqzd8QXh1f3AgxveR+oq1wExJNr0Yl6kjVEdtndvHhSzUmZZ02EcPbIq/eY5KSTdKidjvIJMwTUtIyUQ71y/vSVn0YavvXYo/re57kC7chW/Ns/hZmHrZ6GvMWE9ea3P3jOKPyXCULJlbQCjXc6CQJAkBlcKpvnW6kU2PjreDWzRMhzqZzUqhc6RsGzz84/xwBsrYXfTj91FQd9+w15CYzBEJOv/Iz3CfVGb4s1+yUPVxgei2ezTjfQVcQgq4CusRnDU5/7lmE=-----END CERTIFICATE REQUEST-----";
我可以得到的信息 …
我需要在证书中指定registeredID。
因此,当使用OpenSSL签署证书时,我将此添加到配置文件中。
[ alternate_names ]
DNS.1 = localhost
RID.1 = 1.2.3.4.5.5
这里1.2.3.4.5.5是OID。
我遵循了如何在Stack Overflow 中的openssl.cnf文件中格式化OID主题替代名称条目。
现在,我想在Go中生成证书。下面是我当前的配置
cfg := cert.Config{
CommonName: name,
Organization: []string{"Elasticsearch Operator"},
AltNames: cert.AltNames{
DNSNames: []string{
"localhost",
},
},
Usages: []x509.ExtKeyUsage{
x509.ExtKeyUsageServerAuth,
x509.ExtKeyUsageClientAuth,
},
}
在此配置中,如何添加OID号。
我正在尝试通过NiFi 1.5.0中的GetHTTP处理器连接到REST端点。我面临的问题是SSL证书已颁发给域,但是我只能直接访问IP:Port地址(公司防火墙)。因此,我遇到了一个问题,即主机名和证书所有者不匹配,并且IP未添加为使用者替代名称。
当我尝试连接时,出现以下错误消息:
javax.net.ssl.SSLPeerUnverifiedException:<[IP-ADDRESS]>的证书与任何主题备用名称都不匹配:[]
有没有办法绕过主机名验证?我找到了这张NiFi Jira门票,但似乎尚未解决。有没有可以使用的解决方法?
我有一些字符串,用逗号分隔。我必须添加与主题备用名称扩展名的任何 GeneralName 匹配的所有扩展名。有人可以帮我完成 for 循环吗?
@Override
public boolean saveKeypair(String arg0) {
KeyPair keyPair = generateKeyPair(Integer.parseInt(access.getPublicKeyParameter()));
PrivateKey privateKey = keyPair.getPrivate();
PublicKey publicKey = keyPair.getPublic();
X500Name name = new X500Name(access.getSubject());
BigInteger serial = new BigInteger(access.getSerialNumber());
Date notBefore = access.getNotBefore();
Date notAfter = access.getNotAfter();
X509v3CertificateBuilder certBuilder = new JcaX509v3CertificateBuilder(name, serial, notBefore, notAfter, name,
publicKey);
// BEGIN extensions
// certificate policies
boolean isCritPol = access.isCritical(3);
PolicyInformation[] policies = new PolicyInformation[1];
policies[0] = new PolicyInformation(new ASN1ObjectIdentifier("2.16.840.1.101.2.1.11.5"),
new DERSequence(new PolicyQualifierInfo(access.getCpsUri())));
try {
certBuilder.addExtension(Extension.certificatePolicies, isCritPol, new CertificatePolicies(policies)); …java bouncycastle certificate x509certificate subject-alternative-name
bouncycastle ×2
apache-nifi ×1
c# ×1
certificate ×1
csr ×1
go ×1
java ×1
openssl ×1
ssl ×1
sslcontext ×1
x509 ×1