The openssl req command has a default config file, /etc/pki/tls/openssl.cnf; the openssl x509 command has no default config file,
so by default there are no X509 extension parameters and the certificate it signs is a V1 certificate. To sign a V3 certificate:
you must specify the -extfile v3.ext parameter; even an empty file works.
The v3.ext file holds the parameters for the various X509 V3 extensions involved, for example:
basicConstraints=CA:FALSE
authorityKeyIdentifier=keyid,issuer
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
basicConstraints
A CA certificate must include the basicConstraints extension with the CA field set to TRUE.
An end-entity certificate must either set CA to FALSE or omit the field; it is better to set CA to FALSE explicitly.
The following marks a CA; this parameter is mandatory. With pathlen:2 the CA may have at most 2 levels of sub-CAs beneath it: CA -> subCA1 -> subCA2 -> End User Certificate
basicConstraints=critical,CA:TRUE, pathlen:2
subjectKeyIdentifier
subjectKeyIdentifier=hash
authorityKeyIdentifier
keyid means copy the key identifier from the parent CA; this option takes precedence. issuer means copy the issuer and serial number from the issuer certificate.
subjectAltName
This parameter is very important; it is now widely used to sign multi-domain certificates, but besides DNS it can also specify email, IP, DN (dirName), etc.:
subjectAltName=email:copy,email:my@other.address
subjectAltName=DNS:test.com,DNS:demo.com,DNS:
subjectAltName=IP:192.168.7.1
subjectAltName=IP:13::17
subjectAltName=dirName:dir_sect
[dir_sect]
C=UK
O=My Organization
OU=My Unit
CN=My Name
email:copy automatically copies the email address over (from the subject).
cat v3.ext
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName=email:copy,DNS:test.com,DNS:demo.com,DNS:,IP:192.168.7.1,dirName:dir_sect
[dir_sect]
C=UK
O=Support
OU=HwzOU1
CN=HwzName2
e.g. the signed certificate then shows:
        X509v3 extensions:
            X509v3 Authority Key Identifier:
                keyid:E5:A7:68:74:56:67:00:D2:FC:47:9D:85:B6:89:BF:00:48:6F:47:08
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage:
                Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment
            X509v3 Subject Alternative Name:
                email:admin@demo.com, DNS:test.com, DNS:demo.com, DNS:, IP Address:192.168.7.1, DirName:/C=UK/O=Support/OU=HwzOU1/CN=HwzName2
There are many other parameters,
such as keyUsage, extendedKeyUsage, authorityInfoAccess, and so on.
For a V1 user certificate :
openssl x509 -req -in serverx.csr -CA ca.crt -CAkey ca.key -set_serial 03 -out myserverx.crt
For a V3 user certificate :
openssl x509 -req -in serverx.csr -CA ca.crt -CAkey ca.key -out myserverx.crt -set_serial 03 -extfile v3.ext
cat v3.ext
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
openssl x509 -noout -text -in server3.crt
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 3 (0x3)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, ST=Westwood, L=LA, O=Hwz, CN=HWZRootCA
        Subject: C=US, ST=Westwood, L=LA, O=Hwz, CN=server2.com/emailAddress=server2@hwz.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)..........
        X509v3 extensions:
            X509v3 Authority Key Identifier:
                keyid:E5:A7:68:74:56:67:00:D2:FC:47:9D:85:B6:89:BF:00:48:6F:47:08
            X509v3 Basic Constraints:
                CA:FALSE
    Signature Algorithm: sha1WithRSAEncryption...........
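The whole procedure above end to end, as an added example (not code from the original post): a throwaway CA is created, a CSR is signed with openssl x509 -req and the post's v3.ext, and the resulting certificate is checked for the extensions the post lists. It assumes the openssl CLI (1.1.1 or later, for -addext) is installed; all file names and subject values are made up for the example.

```shell
#!/bin/sh
# Added example, not from the original post: build a throwaway CA, sign a CSR with
# the post's v3.ext, and verify the result is V3. Assumes the openssl CLI (1.1.1+).
set -eu
# The extension file from the post (the empty "DNS:" entry is left out).
write_ext_file() {  # $1 = path to write
cat > "$1" <<'EOF'
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName=email:copy,DNS:test.com,DNS:demo.com,IP:192.168.7.1,dirName:dir_sect
[dir_sect]
C=UK
O=Support
OU=HwzOU1
CN=HwzName2
EOF
}
# Root CA with CA:TRUE and an SKID (so "keyid" in the AKID resolves), a CSR whose
# subject has emailAddress (for email:copy), then x509 -req with -extfile (=> V3).
build_certs() {  # $1 = working directory
    dir=$1
    openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
    openssl req -x509 -new -key "$dir/ca.key" -sha256 -days 365 \
        -subj "/C=US/O=Hwz/CN=HWZRootCA" -out "$dir/ca.crt" \
        -addext "basicConstraints=critical,CA:TRUE,pathlen:2" \
        -addext "subjectKeyIdentifier=hash"
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
    openssl req -new -key "$dir/server.key" -out "$dir/server.csr" \
        -subj "/C=US/O=Hwz/CN=server2.com/emailAddress=server2@hwz.com"
    write_ext_file "$dir/v3.ext"
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -set_serial 3 -days 365 -sha256 -extfile "$dir/v3.ext" \
        -out "$dir/server.crt" 2>/dev/null
}
# Dump the certificate and insist on every extension v3.ext should have added.
check_v3_cert() {  # $1 = certificate path; prints "v3-ok" when all checks pass
    openssl x509 -noout -text -in "$1" > "$1.txt"
    grep -q "Version: 3" "$1.txt" || return 1   # -extfile made it V3, not V1
    grep -q "CA:FALSE" "$1.txt" || return 1
    grep -q "Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment" "$1.txt" || return 1
    grep -q "email:server2@hwz.com" "$1.txt" || return 1   # email:copy took it from the subject
    grep -q "DNS:test.com, DNS:demo.com, IP Address:192.168.7.1" "$1.txt" || return 1
    grep -q "DirName:" "$1.txt" || return 1
    echo v3-ok
}
work=$(mktemp -d)
build_certs "$work"
check_v3_cert "$work/server.crt"
```

Running the same signing command without -extfile and dumping the result is the quickest way to see the V1/V3 difference the post describes.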