openssl生成密钥对和签发证书的基本操作,可以参照
`https://blog.csdn.net/dotalee/article/details/78041691`
opensll使用如下的方式可以创建带扩展字段的x509证书:
`openssl req -new -sha256 -key server.key -subj "/C=CN/ST=GD/L=SZ/O=Lee/OU=study/CN=sxstest" -reqexts SAN -config <(cat /etc/pki/tls/openssl.cnf <(printf "[SAN]\nsubjectAltName=URI:sxs")) -out server.csr`
上述subjectAltName的赋值,“URI”关键字需要openssl的支持。如果随意输入,如“other”,会出现错误:
`[root@localhost ca]# openssl req -new -sha256 -key server.key -subj "/C=CN/ST=GD/L=SZ/O=Lee/OU=study/CN=sxstest" -reqexts SAN -config <(cat /etc/pki/tls/openssl.cnf <(printf "[SAN]\nsubjectAltName=other:sxs")) -out server.csr
Error Loading request extension section SAN
140737354008480:error:22075075:X509 V3 routines:v2i_GENERAL_NAME_ex:unsupported option:v3_alt.c:550:name=other
140737354008480:error:22098080:X509 V3 routines:X509V3_EXT_nconf:error in extension:v3_conf.c:95:name=subjectAltName, value=other:sxs`
从报错信息中,查看openssl的源码,发现当前支持的类型如下:
以上类型的具体含义,参考:
`https://www.openssl.org/docs/man1.0.2/apps/x509v3_config.html`
相关的内容:
Subject Alternative Name.
The subject alternative name extension allows various literal values to be included in the configuration file. These include email (an email address) URI a uniform resource indicator, DNS(a DNS domain name), RID (a registered ID: OBJECT IDENTIFIER), IP (an IP address), dirName(a distinguished name) and otherName.
The email option include a special 'copy' value. This will automatically include and email addresses contained in the certificate subject name in the extension.
The IP address used in the IP options can be in either IPv4 or IPv6 format.
The value of dirName should point to a section containing the distinguished name to use as a set of name value pairs. Multi values AVAs can be formed by prefacing the name with a +character.
otherName can include arbitrary data associated with an OID: the value should be the OID followed by a semicolon and the content in standard ASN1_generate_nconf format.
Examples:
subjectAltName=email:copy,email:[email protected],URI:http://my.url.here/
subjectAltName=IP:192.168.7.1
subjectAltName=IP:13::17
subjectAltName=email:[email protected],RID:1.2.3.4
subjectAltName=otherName:1.2.3.4;UTF8:some other identifier
subjectAltName=dirName:dir_sect
[dir_sect]
C=UK
O=My Organization
OU=My Unit
CN=My Name
接下来产生证书时会出现一个错误(以下转自https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Virtualization/3.2/html/Developer_Guide/Creating_an_SSL_Certificate.html):
openssl ca -in server.csr -md sha256 -keyfile ca.key -cert ca.crt -extensions SAN -config <(cat /etc/pki/tls/openssl.cnf <(printf "[SAN]\nsubjectAltName=email:1@1900:01:01-1900:02:02;email:2@1900:03:03-1900:04:04")) -out server.crt
The above command may result in the following error:
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for ca.key:
/etc/pki/CA/index.txt: No such file or directory
unable to open '/etc/pki/CA/index.txt'
139883256969032:error:02001002:system library:fopen:No such file or directory:bss_file.c:355:fopen('/etc/pki/CA/index.txt','r')
139883256969032:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:357:
Procedure C.3. Resolving this error
Create the index.txt file.
`# touch /etc/pki/CA/index.txt`
Create a serial file to label the CA and all subsequent certificates.
`# echo '1000' > /etc/pki/CA/serial`
You will only need to do this the first time you set up the SSL certificate. Re-run the command:
`# openssl ca -cert ca.crt -keyfile ca.key -out ssl.crt -infiles ssl.csr`
重复进行测试时,
Certificate is to be certified until Aug 21 08:29:35 2019 GMT (365 days)
Sign the certificate? [y/n]:y
failed to update database
TXT_DB error number 2
产生的原因是:
This thing happens when certificates share common data. You cannot have two
certificates that look otherwise the same.
解决办法:
eccho
[root@localhost CA]# vi /etc/pki/CA/index.txt.attr
unique_subject = yes
改为no