OpenSSL生成v3證書(shū)方法及配置文件詳解
場(chǎng)景
業(yè)務(wù)需要生成v3版的證書(shū),而一般使用OpenSSL生成證書(shū)時(shí)都是v1版的,不帶擴(kuò)展屬性。
方法
在使用CA證書(shū)進(jìn)行簽署證書(shū)時(shí)加入-exfile和-extensions選項(xiàng),具體命令如下:
openssl x509 -req -days 365 -sha256 -extfile openssl.cnf -extensions v3_req -in server.csr -signkey server.key -out server.crt
對(duì)應(yīng)openssl.cnf配置文件
tsa_policy2 = 1.2.3.4.5.6 tsa_policy3 = 1.2.3.4.5.7 #################################################################### [ ca ] default_ca = CA_default ?# The default ca section #################################################################### [ CA_default ] dir ?= ./demoCA ?# Where everything is kept certs ?= $dir/certs ?# Where the issued certs are kept crl_dir ?= $dir/crl ?# Where the issued crl are kept database = $dir/index.txt # database index file. #unique_subject = no ? # Set to 'no' to allow creation of ? ? ?# several ctificates with same subject. new_certs_dir = $dir/newcerts ?# default place for new certs. certificate = $dir/cacert.pem ?# The CA certificate serial ?= $dir/serial ? # The current serial number crlnumber = $dir/crlnumber # the current crl number ? ? ?# must be commented out to leave a V1 CRL crl ?= $dir/crl.pem ? # The current CRL private_key = $dir/private/cakey.pem# The private key RANDFILE = $dir/private/.rand # private random number file x509_extensions = usr_cert ?# The extentions to add to the cert # Comment out the following two lines for the "traditional" # (and highly broken) format. name_opt ?= ca_default ?# Subject Name options cert_opt ?= ca_default ?# Certificate field options # Extension copying option: use with caution. # copy_extensions = copy # Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs # so this is commented out by default to leave a V1 CRL. # crlnumber must also be commented out to leave a V1 CRL. # crl_extensions = crl_ext default_days = 365 ? # how long to certify for default_crl_days= 30 ? # how long before next CRL default_md = default ?# use public key default MD preserve = no ? # keep passed DN ordering # A few difference way of specifying how similar the request should look # For type CA, the listed attributes must be the same, and the optional # and supplied fields are just that :-) policy ?= policy_match # For the CA policy [ policy_match ] countryName ?= match stateOrProvinceName = match organizationName = match organizationalUnitName = optional commonName ?= supplied emailAddress ?= optional # For the 'anything' policy # At this point in time, you must list all acceptable 'object' # types. [ policy_anything ] countryName ?= optional stateOrProvinceName = optional localityName ?= optional organizationName = optional organizationalUnitName = optional commonName ?= supplied emailAddress ?= optional #################################################################### [ req ] default_bits ?= 1024 default_keyfile ?= privkey.pem distinguished_name = req_distinguished_name attributes ?= req_attributes x509_extensions = v3_ca # The extentions to add to the self signed cert # Passwords for private keys if not present they will be prompted for # input_password = secret # output_password = secret # This sets a mask for permitted string types. There are several options.? # default: PrintableString, T61String, BMPString. # pkix ?: PrintableString, BMPString (PKIX recommendation before 2004) # utf8only: only UTF8Strings (PKIX recommendation after 2004). # nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings). # MASK:XXXX a literal mask value. # WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings. string_mask = utf8only req_extensions = v3_req # The extensions to add to a certificate request [ req_distinguished_name ] countryName ? = Country Name (2 letter code) countryName_default ?= CN countryName_min ? = 2 countryName_max ? = 2 stateOrProvinceName ?= State or Province Name (full name) stateOrProvinceName_default = BeiJing localityName ? = Locality Name (eg, city) 0.organizationName ?= Organization Name (eg, company) 0.organizationName_default = myca # we can do this but it is not needed normally :-) #1.organizationName ?= Second Organization Name (eg, company) #1.organizationName_default = World Wide Web Pty Ltd organizationalUnitName ?= Organizational Unit Name (eg, section) #organizationalUnitName_default = commonName ? = Common Name (e.g. server FQDN or YOUR name) commonName_max ? = 64 emailAddress ? = Email Address emailAddress_max ?= 64 # SET-ex3 ? = SET extension number 3 [ req_attributes ] challengePassword ?= A challenge password challengePassword_min ?= 4 challengePassword_max ?= 20 unstructuredName ?= An optional company name [ usr_cert ] # These extensions are added when 'ca' signs a request. # This goes against PKIX guidelines but some CAs do it and some software # requires this to avoid interpreting an end user certificate as a CA. basicConstraints=CA:FALSE # Here are some examples of the usage of nsCertType. If it is omitted # the certificate can be used for anything *except* object signing. # This is OK for an SSL server. # nsCertType ? = server # For an object signing certificate this would be used. # nsCertType = objsign # For normal client use this is typical # nsCertType = client, email # and for everything including object signing: nsCertType = client, email, objsign # This is typical in keyUsage for a client certificate. keyUsage = nonRepudiation, digitalSignature, keyEncipherment # This will be displayed in Netscape's comment listbox. nsComment ? = "OpenSSL Generated Certificate" # PKIX recommendations harmless if included in all certificates. subjectKeyIdentifier=hash authorityKeyIdentifier=keyid,issuer # This stuff is for subjectAltName and issuerAltname. # Import the email address. # subjectAltName=email:copy # An alternative to produce certificates that aren't # deprecated according to PKIX. # subjectAltName=email:move # Copy subject details # issuerAltName=issuer:copy #nsCaRevocationUrl ?= ?http://www.domain.dom/ca-crl.pem #nsBaseUrl #nsRevocationUrl #nsRenewalUrl #nsCaPolicyUrl #nsSslServerName # This is required for TSA certificates. # extendedKeyUsage = critical,timeStamping [ svr_cert ] # These extensions are added when 'ca' signs a request. # This goes against PKIX guidelines but some CAs do it and some software # requires this to avoid interpreting an end user certificate as a CA. basicConstraints=CA:FALSE # Here are some examples of the usage of nsCertType. If it is omitted # the certificate can be used for anything *except* object signing. # This is OK for an SSL server. nsCertType ? = server # For an object signing certificate this would be used. # nsCertType = objsign # For normal client use this is typical # nsCertType = client, email # and for everything including object signing: # nsCertType = client, email, objsign # This is typical in keyUsage for a client certificate. # ?digitalSignature nonRepudiation keyEncipherment dataEncipherment ? # ?keyAgreement keyCertSign cRLSign encipherOnly decipherOnly? keyUsage = nonRepudiation, digitalSignature, keyEncipherment, dataEncipherment, keyAgreement # This will be displayed in Netscape's comment listbox. #nsComment ? = "OpenSSL Generated Certificate" # PKIX recommendations harmless if included in all certificates. subjectKeyIdentifier=hash authorityKeyIdentifier=keyid,issuer # This stuff is for subjectAltName and issuerAltname. # Import the email address. # subjectAltName=email:copy # An alternative to produce certificates that aren't # deprecated according to PKIX. # subjectAltName=email:move # Copy subject details # issuerAltName=issuer:copy #nsCaRevocationUrl ?= ?http://www.domain.dom/ca-crl.pem #nsBaseUrl #nsRevocationUrl #nsRenewalUrl #nsCaPolicyUrl #nsSslServerName # This is required for TSA certificates. extendedKeyUsage = serverAuth,clientAuth [ v3_req ] # Extensions to add to a certificate request basicConstraints = CA:FALSE keyUsage = nonRepudiation, digitalSignature, keyEncipherment [ v3_ca ] # Extensions for a typical CA # PKIX recommendation. subjectKeyIdentifier=hash authorityKeyIdentifier=keyid:always,issuer # This is what PKIX recommends but some broken software chokes on critical # extensions. #basicConstraints = critical,CA:true # So we do this instead. basicConstraints = CA:true # Key usage: this is typical for a CA certificate. However since it will # prevent it being used as an test self-signed certificate it is best # left out by default. # keyUsage = cRLSign, keyCertSign # Some might want this also # nsCertType = sslCA, emailCA # Include email address in subject alt name: another PKIX recommendation # subjectAltName=email:copy # Copy issuer details # issuerAltName=issuer:copy # DER hex encoding of an extension: beware experts only! # obj=DER:02:03 # Where 'obj' is a standard or added object # You can even override a supported extension: # basicConstraints= critical, DER:30:03:01:01:FF [ crl_ext ] # CRL extensions. # Only issuerAltName and authorityKeyIdentifier make any sense in a CRL. # issuerAltName=issuer:copy authorityKeyIdentifier=keyid:always [ proxy_cert_ext ] # These extensions should be added when creating a proxy certificate # This goes against PKIX guidelines but some CAs do it and some software # requires this to avoid interpreting an end user certificate as a CA. basicConstraints=CA:FALSE # Here are some examples of the usage of nsCertType. If it is omitted # the certificate can be used for anything *except* object signing. # This is OK for an SSL server. # nsCertType ? = server # For an object signing certificate this would be used. # nsCertType = objsign # For normal client use this is typical # nsCertType = client, email # and for everything including object signing: # nsCertType = client, email, objsign # This is typical in keyUsage for a client certificate. # keyUsage = nonRepudiation, digitalSignature, keyEncipherment # This will be displayed in Netscape's comment listbox. nsComment ? = "OpenSSL Generated Certificate" # PKIX recommendations harmless if included in all certificates. subjectKeyIdentifier=hash authorityKeyIdentifier=keyid,issuer # This stuff is for subjectAltName and issuerAltname. # Import the email address. # subjectAltName=email:copy # An alternative to produce certificates that aren't # deprecated according to PKIX. # subjectAltName=email:move # Copy subject details # issuerAltName=issuer:copy #nsCaRevocationUrl ?= ?http://www.domain.dom/ca-crl.pem #nsBaseUrl #nsRevocationUrl #nsRenewalUrl #nsCaPolicyUrl #nsSslServerName # This really needs to be in place for it to be a proxy certificate. proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo #################################################################### [ tsa ] default_tsa = tsa_config1 # the default TSA section [ tsa_config1 ] # These are used by the TSA reply generation only. dir ?= ./demoCA ?# TSA root directory serial ?= $dir/tsaserial # The current serial number (mandatory) crypto_device = builtin ?# OpenSSL engine to use for signing signer_cert = $dir/tsacert.pem ?# The TSA signing certificate ? ? ?# (optional) certs ?= $dir/cacert.pem # Certificate chain to include in reply ? ? ?# (optional) signer_key = $dir/private/tsakey.pem # The TSA private key (optional) default_policy = tsa_policy1 ?# Policy if request did not specify it ? ? ?# (optional) other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional) digests ?= md5, sha1 ?# Acceptable message digests (mandatory) accuracy = secs:1, millisecs:500, microsecs:100 # (optional) clock_precision_digits ?= 0 # number of digits after dot. (optional) ordering ?= yes # Is ordering defined for timestamps? ? ? # (optional, default: no) tsa_name ?= yes # Must the TSA name be included in the reply? ? ? # (optional, default: no) ess_cert_id_chain = no # Must the ESS cert id chain be included? ? ? # (optional, default: no)
到此這篇關(guān)于OpenSSL生成v3證書(shū)方法及配置文件詳解的文章就介紹到這了,更多相關(guān)OpenSSL生成v3證書(shū)內(nèi)容請(qǐng)搜索腳本之家以前的文章或繼續(xù)瀏覽下面的相關(guān)文章希望大家以后多多支持腳本之家!
相關(guān)文章
RabbitMQ隊(duì)列中間件消息持久化?確認(rèn)機(jī)制?死信隊(duì)列原理
這篇文章主要介紹了消息隊(duì)列中間件之RabbitMQ消息的持久化、確認(rèn)機(jī)制、死信隊(duì)列原理詳解,有需要的朋友可以借鑒參考下,希望能夠有所幫助,祝大家多多進(jìn)步,早日升職加薪2023-05-05油猴腳本開(kāi)發(fā)詳解+油猴爬蟲(chóng)腳本實(shí)例
這篇文章主要介紹了油猴腳本開(kāi)發(fā)詳解+油猴爬蟲(chóng)腳本實(shí)例,油猴安裝,油猴自定義腳本,油猴腳本模板,油猴實(shí)戰(zhàn)Ajax,油猴實(shí)戰(zhàn)WebSocket通信,需要的朋友可以參考下2024-02-025個(gè)Linux平臺(tái)程序員最愛(ài)的開(kāi)發(fā)工具匯總
這篇文章主要介紹了5個(gè)Linux平臺(tái)程序員最愛(ài)的開(kāi)發(fā)工具匯總,程序最重要的工具就是源碼編輯器了,或者是一個(gè)全能的IDE,本文就羅列了5個(gè)Linux平臺(tái)最常用的編輯給大家,需要的朋友可以參考下2014-09-09基于chatgpt的微信自動(dòng)回復(fù)功能實(shí)現(xiàn)
這篇文章主要介紹了基于chatgpt的微信自動(dòng)回復(fù)功能實(shí)現(xiàn),微信自動(dòng)回復(fù)基于聊天api的實(shí)現(xiàn)代碼,本文通過(guò)實(shí)例代碼給大家介紹的非常詳細(xì),需要的朋友可以參考下2023-02-02Jebrains付費(fèi)插件Activation code[持續(xù)更新]
這篇文章主要介紹了Jebrains付費(fèi)插件Activation code[持續(xù)更新],使用本Activation code需要jetbrains-agent支持!感興趣的朋友跟隨小編一起看看吧2020-09-09輕量級(jí)思維導(dǎo)圖XMind?2023免費(fèi)激活教程
這篇文章主要介紹了輕量級(jí)思維導(dǎo)圖XMind?2023免費(fèi)激活教程,本文給大家介紹的非常詳細(xì),對(duì)大家的學(xué)習(xí)或工作具有一定的參考借鑒價(jià)值,需要的朋友可以參考下2023-07-07