2014-11-24

Generating a certificate signing request from a self-signed certificate with openssl so that it shows the extension attributes

I have a self-signed certificate that shows the listed basic constraints, but the signing request generated from this certificate does not show attributes such as [v3_req]. How can I make them visible? I am using openssl for certificate generation.

Scenario:

I create a self-signed certificate using: openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout privateKey.key -out certificate.crt -config openssl.conf

When I inspect the certificate, it shows the required extensions: openssl x509 -in certificate.crt -text -noout

Now I generate a CSR from this with: openssl x509 -x509toreq -in certificate.crt -out CSR.csr -signkey privateKey.key

I verify the CSR using: openssl req -text -noout -verify -in CSR.csr

It does not show the required extensions.

My openssl.conf file:

#
# OpenSSL example configuration file.
# This is mostly being used for generation of certificate requests.
#

# This definition stops the following lines choking if HOME isn't
# defined.
HOME            = .
RANDFILE        = $ENV::HOME/.rnd

# Extra OBJECT IDENTIFIER info:
#oid_file       = $ENV::HOME/.oid
oid_section     = new_oids

# To use this configuration file with the "-extfile" option of the
# "openssl x509" utility, name here the section containing the
# X.509v3 extensions to use:
# extensions    =
# (Alternatively, use a configuration file that has only
# X.509v3 extensions in its main [= default] section.)

[ new_oids ]

# We can add new OIDs in here for use by 'ca' and 'req'.
# Add a simple OID like this:
# testoid1=1.2.3.4
# Or use config file substitution like this:
# testoid2=${testoid1}.5.6

####################################################################
[ ca ]
default_ca      = CA_default            # The default ca section

####################################################################
[ CA_default ]

dir             = ./demoCA              # Where everything is kept
certs           = $dir/certs            # Where the issued certs are kept
crl_dir         = $dir/crl              # Where the issued crl are kept
database        = $dir/index.txt        # database index file.
new_certs_dir   = $dir/newcerts         # default place for new certs.

certificate     = $dir/cacert.pem       # The CA certificate
serial          = $dir/serial           # The current serial number
crl             = $dir/crl.pem          # The current CRL
private_key     = $dir/private/cakey.pem# The private key
RANDFILE        = $dir/private/.rand    # private random number file

x509_extensions = usr_cert              # The extentions to add to the cert

# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL.
# crl_extensions = crl_ext

default_days    = 365                   # how long to certify for
default_crl_days= 30                    # how long before next CRL
default_md      = md5                   # which md to use.
preserve        = no                    # keep passed DN ordering

# A few difference way of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy          = policy_match

# For the CA policy
[ policy_match ]
countryName             = match
stateOrProvinceName     = match
organizationName        = match
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
[ policy_anything ]
countryName             = optional
stateOrProvinceName     = optional
localityName            = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

####################################################################
[ req ]
default_bits            = 1024
default_keyfile         = privkey.pem
distinguished_name      = req_distinguished_name
attributes              = req_attributes
x509_extensions         = v3_ca # The extentions to add to the self signed cert

# Passwords for private keys if not present they will be prompted for
# input_password = secret
# output_password = secret

# This sets a mask for permitted string types. There are several options.
# default: PrintableString, T61String, BMPString.
# pkix   : PrintableString, BMPString.
# utf8only: only UTF8Strings.
# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
# MASK:XXXX a literal mask value.
# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
# so use this option with caution!
string_mask = nombstr

req_extensions = v3_req # The extensions to add to a certificate request

[ req_distinguished_name ]
countryName                     = Country Name (2 letter code)
countryName_default             = AU
countryName_min                 = 2
countryName_max                 = 2

stateOrProvinceName             = State or Province Name (full name)
stateOrProvinceName_default     = Some-State

localityName                    = Locality Name (eg, city)

0.organizationName              = Organization Name (eg, company)
0.organizationName_default      = Internet Widgits Pty Ltd

# we can do this but it is not needed normally :-)
#1.organizationName             = Second Organization Name (eg, company)
#1.organizationName_default     = World Wide Web Pty Ltd

organizationalUnitName          = Organizational Unit Name (eg, section)
#organizationalUnitName_default =

commonName                      = Common Name (eg, YOUR name)
commonName_max                  = 64

emailAddress                    = Email Address
emailAddress_max                = 40

# SET-ex3                       = SET extension number 3

[ req_attributes ]
challengePassword               = A challenge password
challengePassword_min           = 4
challengePassword_max           = 20

unstructuredName                = An optional company name

[ usr_cert ]

# These extensions are added when 'ca' signs a request.

# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.

basicConstraints=CA:FALSE

# Here are some examples of the usage of nsCertType. If it is omitted
# the certificate can be used for anything *except* object signing.

# This is OK for an SSL server.
# nsCertType                    = server

# For an object signing certificate this would be used.
# nsCertType = objsign

# For normal client use this is typical
# nsCertType = client, email

# and for everything including object signing:
# nsCertType = client, email, objsign

# This is typical in keyUsage for a client certificate.
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment

# This will be displayed in Netscape's comment listbox.
nsComment                       = "OpenSSL Generated Certificate"

# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always

# This stuff is for subjectAltName and issuerAltname.
# Import the email address.
# subjectAltName=email:copy

# Copy subject details
# issuerAltName=issuer:copy

#nsCaRevocationUrl              = http://www.domain.dom/ca-crl.pem
#nsBaseUrl
#nsRevocationUrl
#nsRenewalUrl
#nsCaPolicyUrl
#nsSslServerName

[ v3_req ]

# Extensions to add to a certificate request

basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment

[ v3_ca ]

# Extensions for a typical CA

# PKIX recommendation.

subjectKeyIdentifier=hash

authorityKeyIdentifier=keyid:always,issuer:always

# This is what PKIX recommends but some broken software chokes on critical
# extensions.
#basicConstraints = critical,CA:true
# So we do this instead.
basicConstraints = CA:true

# Key usage: this is typical for a CA certificate. However since it will
# prevent it being used as an test self-signed certificate it is best
# left out by default.
# keyUsage = cRLSign, keyCertSign

# Some might want this also
# nsCertType = sslCA, emailCA

# Include email address in subject alt name: another PKIX recommendation
# subjectAltName=email:copy
# Copy issuer details
# issuerAltName=issuer:copy

# DER hex encoding of an extension: beware experts only!
# obj=DER:02:03
# Where 'obj' is a standard or added object
# You can even override a supported extension:
# basicConstraints= critical, DER:30:03:01:01:FF

[ crl_ext ]

# CRL extensions.
# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.

# issuerAltName=issuer:copy
authorityKeyIdentifier=keyid:always,issuer:always

Answer

I agree with you that it should be possible, but I had the same problem and found that there is a nice long-standing bug, discovered at http://blog.simonandkate.net/20140411/self-signed-openssl-subjectaltname and mentioned in https://www.openssl.org/docs/apps/x509.html#bugs:

Extensions in certificates are not transferred to certificate requests, and vice versa.

My workaround is to create a 'test.cnf' config file containing the specification of all the extensions you want. Something like this:

[req] 
prompt = no 
distinguished_name = req_dn 
req_extensions  = req_exts 

[req_dn] 
commonName   = my_name 
#emailAddress  = 
#countryName   = 
#organizationName  = 
#organizationalUnitName  = 
#localityName   = 
#stateOrProvinceName  = 

[req_exts] 
basicConstraints = CA:false 
keyUsage = dataEncipherment, keyEncipherment, digitalSignature, nonRepudiation 
extendedKeyUsage = emailProtection 
subjectAltName=critical, email:my_address1, email:my_address2 

Apply it with openssl:

openssl req -new -key privkey.pem -config test.cnf -out test.csr 
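The question's -x509toreq run and the answer's test.cnf workaround differ in one structural fact: a certificate keeps its extensions inside the TBSCertificate, while a CSR can only carry them inside a PKCS#9 extensionRequest attribute (OID 1.2.840.113549.1.9.14). That attribute is what `req_extensions` emits and what `openssl req -text -noout` prints under "Requested Extensions"; -x509toreq does not build it, so there is nothing to print. The following is an added example, not code from the question, the answer or the OpenSSL project. It uses only the Python standard library, constructs two sample CSRs here (dummy subject, dummy key, all-zero signature, so they would not pass -verify; that does not matter for looking at the attribute layout), one with an extensionRequest attribute matching [req_exts] and one with an empty attribute set as -x509toreq produces, and walks the DER to list what a CA would actually receive. It also flags a CSR that requests basicConstraints CA:TRUE, which matters because an `openssl ca` configured with `copy_extensions = copy` carries whatever the requester put there into the issued certificate.

```python
"""Inspect the PKCS#9 extensionRequest attribute of a PKCS#10 CSR.

Added example, standard library only.  The sample CSRs are constructed
here (dummy subject, dummy key, all-zero signature): structurally valid,
not verifiable, which is enough to study the attribute layout."""
import base64
import re

EXTENSION_REQUEST = "1.2.840.113549.1.9.14"   # PKCS#9 extensionRequest
KNOWN = {"2.5.29.19": "basicConstraints", "2.5.29.15": "keyUsage",
         "2.5.29.17": "subjectAltName"}

# ---- minimal DER encoder, just enough to build the samples ----
def _length(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, payload):
    return bytes([tag]) + _length(len(payload)) + payload

def oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return tlv(0x06, bytes(body))

def extension(dotted, value, critical=False):
    flag = tlv(0x01, b"\xff") if critical else b""
    return tlv(0x30, oid(dotted) + flag + tlv(0x04, value))

def build_csr(with_extensions, ca=False):
    """Constructed sample CSR (PEM). with_extensions=False mimics what
    `openssl x509 -x509toreq` produces: an empty attributes set."""
    subject = tlv(0x30, tlv(0x31, tlv(0x30, oid("2.5.4.3") + tlv(0x0C, b"my_name"))))
    spki = tlv(0x30, tlv(0x30, oid("1.2.840.113549.1.1.1") + tlv(0x05, b""))
               + tlv(0x03, b"\x00" * 17))                       # dummy key bits
    attrs = b""
    if with_extensions:                                         # like [req_exts]
        exts = tlv(0x30,
                   extension("2.5.29.19", tlv(0x30, tlv(0x01, b"\xff") if ca else b""))
                   + extension("2.5.29.15", tlv(0x03, b"\x05\xe0"))  # nonRep, digSig, keyEnc
                   + extension("2.5.29.17", tlv(0x30, tlv(0x81, b"my_address1")), True))
        attrs = tlv(0x30, oid(EXTENSION_REQUEST) + tlv(0x31, exts))
    info = tlv(0x30, tlv(0x02, b"\x00") + subject + spki + tlv(0xA0, attrs))
    sig_alg = tlv(0x30, oid("1.2.840.113549.1.1.11") + tlv(0x05, b""))
    der = tlv(0x30, info + sig_alg + tlv(0x03, b"\x00" * 17))   # dummy signature
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE REQUEST-----\n{body}\n-----END CERTIFICATE REQUEST-----\n"

# ---- minimal DER reader ----
def read_tlv(buf, pos=0):
    """Return (tag, value, end) for the element at pos; handles long lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(value):
    out, pos = [], 0
    while pos < len(value):
        tag, v, pos = read_tlv(value, pos)
        out.append((tag, v))
    return out

def decode_oid(raw):
    arcs, n = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n)
            n = 0
    return ".".join(map(str, arcs))

def requested_extensions(pem):
    """(oid, name, critical, der_value) for each extension in the CSR's
    extensionRequest attribute; [] when the CSR carries none."""
    der = base64.b64decode(re.sub(r"-----[A-Z ]+-----|\s", "", pem))
    _, csr, _ = read_tlv(der)
    _, info, _ = read_tlv(csr)             # certificationRequestInfo
    found = []
    for tag, attrs in children(info):      # version, subject, spki, [0] attributes
        if tag != 0xA0:
            continue
        for _, attr in children(attrs):
            (_, attr_oid), (_, values) = children(attr)
            if decode_oid(attr_oid) != EXTENSION_REQUEST:
                continue
            for _, exts in children(values):
                for _, ext in children(exts):
                    parts = children(ext)
                    ext_oid = decode_oid(parts[0][1])
                    critical = len(parts) == 3 and parts[1][1] == b"\xff"
                    found.append((ext_oid, KNOWN.get(ext_oid, "?"), critical, parts[-1][1]))
    return found

def requests_ca(pem):
    """True if the CSR asks for basicConstraints CA:TRUE.  Worth refusing:
    an `openssl ca` with copy_extensions = copy would issue it as-is."""
    for ext_oid, _, _, value in requested_extensions(pem):
        if ext_oid == "2.5.29.19":
            _, inner, _ = read_tlv(value)
            if any(t == 0x01 and v == b"\xff" for t, v in children(inner)):
                return True
    return False

if __name__ == "__main__":
    for label, pem in (("req_extensions", build_csr(True)), ("x509toreq-style", build_csr(False))):
        print(label, [(o, n, c) for o, n, c, _ in requested_extensions(pem)])
    print("CA:TRUE requested:", requests_ca(build_csr(True, ca=True)))
```

Run it directly to print what each sample carries. The equivalent check on a real file is `openssl req -in CSR.csr -text -noout`: extensions appear under "Requested Extensions" only when the attribute is present, so a CSR made with -x509toreq shows none no matter what the source certificate contained. Two further cautions when reusing the posted openssl.conf for anything beyond a test: default_md = md5 and default_bits = 1024 are both too weak for a CA today (sha256 and at least 2048 are the usual floor), and any CA that copies requested extensions should inspect them before signing, since the requester, not the CA, decides what goes into that attribute.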