Openssl

SSL: SAN not populated

  • April 27, 2022

I am trying to create my self-signed certificate:

  1. CA private key creation: openssl genrsa -out ca.key 2048
  2. CA certificate creation (see ca.cnf contents below): openssl req -x509 -new -key ca.key -out ca.crt -days 10000 -config ca.cnf
  3. Service private key creation: openssl genrsa -out cert.key 2048
  4. CSR creation (see node.cnf below): openssl req -new -key cert.key -out cert.csr -config node.cnf
  5. Server certificate creation: openssl x509 -req -in cert.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out cert.crt -days 100

After that, I try to check whether my SAN has been populated:

I get:

openssl x509 -noout -ext subjectAltName -in cert.crt
No extensions in certificate

Any ideas?

The ca.cnf file is:

# OpenSSL CA configuration file
[ ca ]
default_ca = CA_default

[ CA_default ]
default_days = 365
database = index.txt
serial = serial.txt
default_md = sha256
copy_extensions = copy
unique_subject = no

# Used to create the CA certificate.
[ req ]
prompt=no
distinguished_name = distinguished_name
x509_extensions = extensions

[ distinguished_name ]
organizationName = jeusdi
commonName = cicdgitops

[ extensions ]
keyUsage = critical,digitalSignature,nonRepudiation,keyEncipherment,keyCertSign
basicConstraints = critical,CA:true,pathlen:1

# Common policy for nodes and users.
[ signing_policy ]
organizationName = supplied
commonName = optional

# Used to sign node certificates.
[ signing_node_req ]
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth,clientAuth

# Used to sign client certificates.
[ signing_client_req ]
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = clientAuth

node.cnf:

# OpenSSL node configuration file
[ req ]
prompt=no
distinguished_name = distinguished_name
req_extensions = extensions

[ distinguished_name ]
organizationName = jeusdi

[ extensions ]
subjectAltName = @alt_names

[alt_names]
DNS.1 = registry.localhost
DNS.2 = host.k3d.internal

The openssl x509 man page says:

-extfile filename

File containing certificate extensions to use. If not specified then no extensions are added to the certificate.

You can use the -extfile option together with -extensions to point openssl at the correct extensions. You need to tell it which file to use (-extfile node.cnf) and which section (-extensions extensions), like so:

$ openssl x509 -req -in cert.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out cert.crt -days 100 -extfile node.cnf -extensions extensions

After that you get:

$ openssl x509 -noout -ext subjectAltName -in cert.crt
X509v3 Subject Alternative Name: 
   DNS:registry.localhost, DNS:host.k3d.internal

Quoted from: https://unix.stackexchange.com/questions/700647
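The full procedure from the question, run twice in a scratch directory, once as posted (step 5 without -extfile) and once with the answer's -extfile/-extensions fix, followed by the checks a practitioner would actually want: the SAN list of each certificate and a chain-plus-hostname verification with openssl verify. This is an added example, not code from the question, the answer or the OpenSSL project. The DN and SAN values mirror the question; the file names cert-nosan.crt and cert-san.crt, the folding of the node keyUsage/extendedKeyUsage into the [extensions] section of node.cnf, and the helper functions are my own assumptions. It needs an openssl binary with the -ext and -addext era options (1.1.1 or later).

```shell
#!/bin/sh
# Added example (not from the question or answer): the question's five steps,
# run in a throwaway directory, once without and once with the -extfile fix,
# then checked the way a TLS client would judge the result.
WORK="$(mktemp -d)"
cd "$WORK" || exit 1

# CA config: the req section of the question's ca.cnf, with an SKI added.
cat > ca.cnf <<'EOF'
[ req ]
prompt = no
distinguished_name = dn
x509_extensions = ca_ext
[ dn ]
organizationName = jeusdi
commonName = cicdgitops
[ ca_ext ]
basicConstraints = critical,CA:true,pathlen:1
keyUsage = critical,digitalSignature,keyCertSign
subjectKeyIdentifier = hash
EOF

# Node config: the question's node.cnf with the node keyUsage/EKU folded in
# (assumption), so one -extensions section carries everything the leaf needs.
cat > node.cnf <<'EOF'
[ req ]
prompt = no
distinguished_name = dn
req_extensions = extensions
[ dn ]
organizationName = jeusdi
[ extensions ]
subjectAltName = @alt_names
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth,clientAuth
[ alt_names ]
DNS.1 = registry.localhost
DNS.2 = host.k3d.internal
EOF

# Steps 1-4 of the question, unchanged.
openssl genrsa -out ca.key 2048 2>/dev/null
openssl req -x509 -new -key ca.key -out ca.crt -days 10000 -config ca.cnf
openssl genrsa -out cert.key 2048 2>/dev/null
openssl req -new -key cert.key -out cert.csr -config node.cnf

# Step 5 as posted: openssl x509 -req does not carry the CSR's extensions over.
sign_without_extfile() {
  openssl x509 -req -in cert.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
    -out cert-nosan.crt -days 100 2>/dev/null
}

# Step 5 with the answer's fix: extensions are read from node.cnf [extensions].
sign_with_extfile() {
  openssl x509 -req -in cert.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
    -out cert-san.crt -days 100 -extfile node.cnf -extensions extensions 2>/dev/null
}

# Print the SAN entries of a certificate (empty output when it has none).
san_of() {
  openssl x509 -noout -ext subjectAltName -in "$1" 2>/dev/null \
    | grep 'DNS:' | sed 's/^ *//' || true
}

# Chain + hostname check: exit 0 only if the CA signs it AND the name matches.
hostname_ok() {
  openssl verify -CAfile ca.crt -verify_hostname "$2" "$1" >/dev/null 2>&1
}

sign_without_extfile
sign_with_extfile
echo "without -extfile: SAN = '$(san_of cert-nosan.crt)'"
echo "with    -extfile: SAN = '$(san_of cert-san.crt)'"
for c in cert-nosan.crt cert-san.crt; do
  if hostname_ok "$c" registry.localhost; then
    echo "$c: registry.localhost verifies"
  else
    echo "$c: registry.localhost does NOT verify"
  fi
done
```

Two things worth keeping in mind. First, the copy_extensions = copy line in the question's ca.cnf lives in the [CA_default] section, which only openssl ca reads; openssl x509 -req never looks at it (OpenSSL 3.0 added a -copy_extensions option to x509 for that purpose). Second, with -extfile node.cnf the SAN list comes from the signer's own file, not from the CSR, so the requester cannot smuggle in extra names; that is the behaviour you want from a CA, and it is why the hostname check above fails for any name that is not in the [alt_names] section.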