I generate certificates as follows:
openssl.conf
#
# OpenSSL configuration file.
# Author: Sapnesh Naik <[email protected]>
#
# Establish working directory.
dir = .
[ ca ]
default_ca = CA_default
[ CA_default ]
serial = $dir/serial
database = $dir/certindex.txt
new_certs_dir = $dir/certs
certificate = $dir/cacert.pem
private_key = $dir/cakey.pem
default_days = 365
default_md = sha384
preserve = no
email_in_dn = no
nameopt = default_ca
certopt = default_ca
policy = policy_match
unique_subject=no
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req ]
default_bits = 2048 # Size of keys
default_keyfile = key.pem # name of generated keys
default_md = sha384 # message digest algorithm
string_mask = nombstr # permitted characters
distinguished_name = req_distinguished_name
req_extensions = v3_req
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = IN
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = KN
localityName = Locality Name (eg, city)
localityName_default = BNG
0.organizationName = Organization Name (eg, company)
0.organizationName_default = Intel
# we can do this but it is not needed normally :-)
#1.organizationName = Second Organization Name (eg, company)
#1.organizationName_default = World Wide Web Pty Ltd
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = NLCG
commonName = Common Name (eg, YOUR name)
commonName_max = 64
commonName_default = CA
emailAddress = Email Address
emailAddress_max = 64
# SET-ex3 = SET extension number 3
[ req_attributes ]
challengePassword = A challenge password
challengePassword_min = 4
challengePassword_max = 20
unstructuredName = An optional company name
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = IN
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = KN
localityName = Locality Name (eg, city)
localityName_default = BNG
0.organizationName = Organization Name (eg, company)
0.organizationName_default = Intel
# we can do this but it is not needed normally :-)
#1.organizationName = Second Organization Name (eg, company)
#1.organizationName_default = World Wide Web Pty Ltd
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = NLCG
commonName = Common Name (eg, YOUR name)
commonName_max = 64
commonName_default = localhost
emailAddress = Email Address
emailAddress_max = 64
# SET-ex3 = SET extension number 3
[ req_attributes ]
challengePassword = A challenge password
challengePassword_min = 4
challengePassword_max = 20
unstructuredName = An optional company name
[ v3_ca ]
basicConstraints = CA:TRUE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
[ v3_req ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
subjectAltName=${ENV::CBS_SAN}
Create the CA:
openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 365 -config openssl.cnf -subj "/C=IN/ST=KN/L=BNG/O=test/CN=SPA_CA" -passout pass:changeit
Entity certificate:
Set the SAN:
export CBS_SAN=DNS.1:localhost,DNS.2:10.3.0.226,DNS.3:compute1
Generate the CSR and key:
openssl req -new -nodes -out SPA_csr.pem -keyout SPA_key.pem -days 3650 -config openssl.cnf -subj "/C=IN/ST=KN/L=BNG/O=test/CN=SPA"
The CSR has the SAN:
openssl req -noout -text -in SPA_csr.pem | grep DNS
Generate the certificate:
openssl ca -passin pass:changeit -batch -out SPA_cert.pem -days 3650 -config openssl.cnf -infiles SPA_csr.pem
But the certificate has no SAN:
openssl x509 -noout -text -in SPA_cert.pem | grep DNS
How do I fix this?
The ca application does not copy extensions from the CSR to the certificate by default. If you want it to, you need to add this line to the CA_default section of the configuration file:
copy_extensions = copy
From the man page:
copy_extensions
Determines how extensions in certificate requests should be handled. If set to none or this option is not present then extensions are ignored and not copied to the certificate. If set to copy then any extensions present in the request that are not already present are copied to the certificate. If set to copyall then all extensions in the request are copied to the certificate: if the extension is already present in the certificate it is deleted first. See the WARNINGS section before using this option.
The main use of this option is to allow a certificate request to supply values for certain extensions such as subjectAltName.
https://www.openssl.org/docs/man1.1.1/man1/ca.html
Be sure to read the WARNINGS section of that man page. The copy_extensions option should be used with caution; it can be a security risk.
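As an added example, not code from the question or the answer above: a self-contained shell script that reproduces the problem (SAN in the CSR, no SAN in the issued certificate) and then shows what each copy_extensions value does, including the case the WARNINGS section describes, a CSR that also asks for basicConstraints CA:TRUE. Every name, path and SAN value in it is made up for the demo; the only dependency is the openssl command line tool (1.1.1 or later).

```shell
#!/bin/sh
# Added example: CSR extensions vs. "openssl ca" with copy_extensions =
# none / copy / copyall. All paths, names and SAN values are constructed
# for this demo; nothing here is the configuration from the question.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Config for the "req" steps: a self-signed CA (x509_extensions) and a
# leaf CSR (req_extensions). The CSR deliberately requests CA:TRUE next to
# the SAN, imitating the requester the man page warns about.
cat > "$WORK/req.cnf" <<'EOF'
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
req_extensions     = leaf_req

[ req_dn ]
commonName = Common Name (unused: the subject is passed with -subj)

[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ leaf_req ]
basicConstraints = CA:TRUE
subjectAltName   = DNS:localhost, DNS:compute1, IP:10.3.0.226
EOF

openssl req -x509 -new -newkey rsa:2048 -nodes -days 365 -config "$WORK/req.cnf" \
    -subj "/CN=Demo CA" -keyout "$WORK/cakey.pem" -out "$WORK/cacert.pem" 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -config "$WORK/req.cnf" \
    -subj "/CN=spa.example" -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null

# Sign the CSR with a fresh CA database using the given copy_extensions
# mode (none, copy or copyall); prints the path of the issued certificate.
sign_with() {
    mode="$1"
    cadir="$WORK/ca_$mode"
    mkdir -p "$cadir/newcerts"
    : > "$cadir/index.txt"
    echo 1000 > "$cadir/serial"
    cat > "$cadir/ca.cnf" <<EOF
[ ca ]
default_ca = CA_default

[ CA_default ]
database        = $cadir/index.txt
serial          = $cadir/serial
new_certs_dir   = $cadir/newcerts
certificate     = $WORK/cacert.pem
private_key     = $WORK/cakey.pem
default_md      = sha256
default_days    = 365
policy          = policy_cn
x509_extensions = usr_cert
copy_extensions = $mode

[ policy_cn ]
commonName = supplied

[ usr_cert ]
# The CA's own extensions are added before the request's are copied, so
# with "copy" this CA:FALSE survives and only the missing SAN is added.
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
EOF
    openssl ca -config "$cadir/ca.cnf" -batch -notext \
        -in "$WORK/leaf.csr" -out "$cadir/leaf.pem" >/dev/null 2>&1
    echo "$cadir/leaf.pem"
}

# Inspection helpers: exit status 0 when the property holds.
has_san() { openssl x509 -noout -text -in "$1" | grep -q 'DNS:compute1'; }
is_ca()   { openssl x509 -noout -text -in "$1" | grep -q 'CA:TRUE'; }

for mode in none copy copyall; do
    cert="$(sign_with "$mode")"
    has_san "$cert" && san=yes || san=no
    is_ca "$cert" && ca=yes || ca=no
    printf 'copy_extensions = %-8s SAN copied: %-4s CA:TRUE from request: %s\n' \
        "$mode" "$san" "$ca"
done
```

Run it with sh. The `none` line reproduces the question (no SAN in the certificate); `copy` adds the SAN but keeps the CA's own basicConstraints = CA:FALSE, because copy never overwrites an extension that is already present; `copyall` lets the request's CA:TRUE replace it, which is the risk the WARNINGS section describes. That is why the safe combination is copy_extensions = copy together with an explicit basicConstraints = CA:FALSE in the CA's extension section.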