4,450
社区成员
发帖
与我相关
我的任务
分享为什么证书请求的扩展项设置无效?
我定制了一份openssl.cnf,加入若干x509.v3扩展项:
....
[ req ]
....
req_extensions = v3_req
....
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth,codeSigning
....
我用如下命令生成证书请求:
openssl req -new -key /tmp/server.key -out /tmp/cert.req -config /tmp/openssl.cnf
查看证书请求,确认其中已经包括扩展项:
openssl req -text -in /tmp/cert.req
Certificate Request:
Data:
Version: 0 (0x0)
Subject: C=c1, ST=bj, L=bj, O=test, OU=test, CN=test
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:bb:f4:fc:0c:08:0b:78:69:6e:32:c0:27:14:29:
14:2a:03:8e:f3:89:5c:8f:10:f9:90:e3:7d:55:e4:
01:d7:54:73:0d:c6:8f:d0:33:24:a3:bd:88:5b:91:
42:f7:b2:bb:41:53:ab:ed:bf:f7:d1:66:56:10:4b:
c4:f9:fa:24:17:5d:90:54:39:4c:75:a2:47:5b:56:
9d:86:e3:d6:87:d6:65:54:f9:83:72:ac:15:e1:e3:
80:33:0d:2d:2d:b9:ca:5b:cd:7c:43:b8:6c:18:2b:
a9:d9:90:0a:c6:08:8b:8e:d0:38:b4:6a:e4:17:53:
5a:3d:8d:63:67:5f:ae:9b:4d
Exponent: 65537 (0x10001)
Attributes:
Requested Extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 Key Usage:
Digital Signature, Non Repudiation, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication, Code Signing
Signature Algorithm: md5WithRSAEncryption
3a:b3:d6:36:c4:ea:dd:d2:81:4e:78:bc:41:5d:bc:6d:6a:26:
27:15:1d:1f:e2:12:28:ea:2a:bc:fe:6b:67:07:eb:c9:55:ff:
a3:63:18:00:36:f5:ea:51:a0:12:73:2f:dd:78:61:69:67:ba:
f6:c7:01:10:af:89:bf:d7:f9:c8:dc:0e:90:eb:b5:5e:01:d6:
07:5b:22:af:03:ec:0b:d1:46:26:e8:4c:15:5d:c0:02:58:7c:
50:5a:bc:0c:74:0f:cb:48:e5:72:06:b6:01:72:9a:a6:ba:52:
4f:05:aa:ab:dd:ff:6a:ab:66:eb:63:6e:f0:8d:44:d8:26:67:
1a:6f
-----BEGIN CERTIFICATE REQUEST-----
MIIB7jCCAVcCAQAwZjELMAkGA1UEBhMCYzExCzAJBgNVBAgTAmJqMQswCQYDVQQH
EwJiajEMMAoGA1UEChMDYWx1MQ4wDAYDVQQLEwV3Y2RtYTEfMB0GA1UEAxMWenN1
cHMzZDUuY24ubHVjZW50LmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA
u/T8DAgLeGluMsAnFCkUKgOO84lcjxD5kON9VeQB11RzDcaP0DMko72IW5FC97K7
QVOr7b/30WZWEEvE+fokF12QVDlMdaJHW1adhuPWh9ZlVPmDcqwV4eOAMw0tLbnK
W818Q7hsGCup2ZAKxgiLjtA4tGrkF1NaPY1jZ1+um00CAwEAAaBIMEYGCSqGSIb3
DQEJDjE5MDcwCQYDVR0TBAIwADALBgNVHQ8EBAMCBeAwHQYDVR0lBBYwFAYIKwYB
BQUHAwEGCCsGAQUFBwMDMA0GCSqGSIb3DQEBBAUAA4GBADqz1jbE6t3SgU54vEFd
vG1qJicVHR/iEijqKrz+a2cH68lV/6NjGAA29epRoBJzL914YWlnuvbHARCvib/X
+cjcDpDrtV4B1gdbIq8D7AvRRiboTBVdwAJYfFBavAx0D8tI5XIGtgFymqa6Uk8F
qqvd/2qrZutjbvCNRNgmZxpv
-----END CERTIFICATE REQUEST-----
使用如下方法生成证书:
openssl x509 -req -CA /tmp/cacert.pem -CAkey /tmp/cakey.pem -passin pass:"rootca" -CAcreateserial -CAserial /tmp/ca.srl -days 90 -in /tmp/cert.req -sha1 -out /tmp/server.crt
但是生成的证书里并不包含我在证书请求中指定的扩展项。请问为什么会这样?
....
[ req ]
....
req_extensions = v3_req
....
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth,codeSigning
....
我用如下命令生成证书请求:
openssl req -new -key /tmp/server.key -out /tmp/cert.req -config /tmp/openssl.cnf
查看证书请求,确认其中已经包括扩展项:
openssl req -text -in /tmp/cert.req
Certificate Request:
Data:
Version: 0 (0x0)
Subject: C=c1, ST=bj, L=bj, O=test, OU=test, CN=test
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:bb:f4:fc:0c:08:0b:78:69:6e:32:c0:27:14:29:
14:2a:03:8e:f3:89:5c:8f:10:f9:90:e3:7d:55:e4:
01:d7:54:73:0d:c6:8f:d0:33:24:a3:bd:88:5b:91:
42:f7:b2:bb:41:53:ab:ed:bf:f7:d1:66:56:10:4b:
c4:f9:fa:24:17:5d:90:54:39:4c:75:a2:47:5b:56:
9d:86:e3:d6:87:d6:65:54:f9:83:72:ac:15:e1:e3:
80:33:0d:2d:2d:b9:ca:5b:cd:7c:43:b8:6c:18:2b:
a9:d9:90:0a:c6:08:8b:8e:d0:38:b4:6a:e4:17:53:
5a:3d:8d:63:67:5f:ae:9b:4d
Exponent: 65537 (0x10001)
Attributes:
Requested Extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 Key Usage:
Digital Signature, Non Repudiation, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication, Code Signing
Signature Algorithm: md5WithRSAEncryption
3a:b3:d6:36:c4:ea:dd:d2:81:4e:78:bc:41:5d:bc:6d:6a:26:
27:15:1d:1f:e2:12:28:ea:2a:bc:fe:6b:67:07:eb:c9:55:ff:
a3:63:18:00:36:f5:ea:51:a0:12:73:2f:dd:78:61:69:67:ba:
f6:c7:01:10:af:89:bf:d7:f9:c8:dc:0e:90:eb:b5:5e:01:d6:
07:5b:22:af:03:ec:0b:d1:46:26:e8:4c:15:5d:c0:02:58:7c:
50:5a:bc:0c:74:0f:cb:48:e5:72:06:b6:01:72:9a:a6:ba:52:
4f:05:aa:ab:dd:ff:6a:ab:66:eb:63:6e:f0:8d:44:d8:26:67:
1a:6f
-----BEGIN CERTIFICATE REQUEST-----
MIIB7jCCAVcCAQAwZjELMAkGA1UEBhMCYzExCzAJBgNVBAgTAmJqMQswCQYDVQQH
EwJiajEMMAoGA1UEChMDYWx1MQ4wDAYDVQQLEwV3Y2RtYTEfMB0GA1UEAxMWenN1
cHMzZDUuY24ubHVjZW50LmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA
u/T8DAgLeGluMsAnFCkUKgOO84lcjxD5kON9VeQB11RzDcaP0DMko72IW5FC97K7
QVOr7b/30WZWEEvE+fokF12QVDlMdaJHW1adhuPWh9ZlVPmDcqwV4eOAMw0tLbnK
W818Q7hsGCup2ZAKxgiLjtA4tGrkF1NaPY1jZ1+um00CAwEAAaBIMEYGCSqGSIb3
DQEJDjE5MDcwCQYDVR0TBAIwADALBgNVHQ8EBAMCBeAwHQYDVR0lBBYwFAYIKwYB
BQUHAwEGCCsGAQUFBwMDMA0GCSqGSIb3DQEBBAUAA4GBADqz1jbE6t3SgU54vEFd
vG1qJicVHR/iEijqKrz+a2cH68lV/6NjGAA29epRoBJzL914YWlnuvbHARCvib/X
+cjcDpDrtV4B1gdbIq8D7AvRRiboTBVdwAJYfFBavAx0D8tI5XIGtgFymqa6Uk8F
qqvd/2qrZutjbvCNRNgmZxpv
-----END CERTIFICATE REQUEST-----
使用如下方法生成证书:
openssl x509 -req -CA /tmp/cacert.pem -CAkey /tmp/cakey.pem -passin pass:"rootca" -CAcreateserial -CAserial /tmp/ca.srl -days 90 -in /tmp/cert.req -sha1 -out /tmp/server.crt
但是生成的证书里并不包含我在证书请求中指定的扩展项。请问为什么会这样?
...全文
请发表友善的回复…
发表回复
