我知道可以通过openssl.cnf文件来为openssl req模块提供subjectAltName-Extension吗?
我知道可以通过openssl.cnf文件来实现,但这对于批量创建CSR来说确实不是很优雅。 >

评论

我刚刚开发了一个基于Web的工具,该工具将根据表单输入自动生成此命令并显示输出。 kernelmanic.com/…

从所包含的内容还不清楚,工具的输出如何应用于问题。另外,您能否解释一下您的工具如何工作(以防链接失效)?

彼得(编辑):“ OpenSSL”是项目及其整体输出的名称,而“ openssl”则是与该问题相关的命令行“实用程序”的全称。

截至2019年,此答案应为公认的答案:security.stackexchange.com/a/183973/143034

#1 楼

从OpenSSL 1.1.1开始,通过在-addext中引入openssl req标志(通过此提交),直接在命令行上提供subjectAltName变得更加容易。

该提交为openssl req手册页添加了一个示例:

Example of giving the most common attributes (subject and extensions)
on the command line:

 openssl req -new -subj "/C=GB/CN=foo" \
                  -addext "subjectAltName = DNS:foo.co.uk" \
                  -addext "certificatePolicies = 1.2.3.4" \
                  -newkey rsa:2048 -keyout key.pem -out req.pem


它已合并到Github上的openssl命令的master分支中,并且自2018年4月18日起可以通过git pull + compile安装(或通过Homebrew(如果在OS X上为brew install --devel openssl@1.1)。

请注意,如果您在openssl.cfg的“ [req]”部分设置了配置属性“ req_extensions”,它将忽略命令行参数

评论


-addext用于创建签名请求很方便,但是在对csr进行签名时仍然必须添加SAN,对吗? Openssl在x509命令上没有等效标志,因此必须使用文件。

–最终用户
19年2月21日在18:52

@最终用户:如果您使用openssl x509 -req -CA / CAkey颁发证书(未对CSR进行签名),则为yes。如果您使用openssl ca进行配置,则可以使用copy_extensions进行配置,以将来自CSR的扩展名放入证书中。

–dave_thompson_085
19-10-11在0:53

(在其他位置(已在其他地方介绍)),如果您指定-addext并且在配置中也有req_extensions,则它也不会忽略。相反,它创建了两个OID为pkcs9.14的属性项,尽管AFAICS rfc2986并未禁止它(如rfc5280对证书扩展名所做的那样),这显然没有任何意义。 openssl req -text仅显示第一个,并且由于属性是SET且tbs是DER编码的,因此首先以奥秘的方式确定扩展名的集合,该方式也可能是随机的。使用CSR的其他内容,例如带有copy_extensions的openssl ca,也可能会造成混淆。

–dave_thompson_085
9月18日下午1:25

#2 楼

基于DarkLighting的链接,这是我使用嵌套子外壳程序想到的命令。

openssl req -new -sha256 \
    -key domain.key \
    -subj "/C=US/ST=CA/O=Acme, Inc./CN=example.com" \
    -reqexts SAN \
    -config <(cat /etc/ssl/openssl.cnf \
        <(printf "\n[SAN]\nsubjectAltName=DNS:example.com,DNS:www.example.com")) \
    -out domain.csr


所有一行:

openssl req -new -sha256 -key domain.key -subj "/C=US/ST=CA/O=Acme, Inc./CN=example.com" -reqexts SAN -config <(cat /etc/ssl/openssl.cnf <(printf "[SAN]\nsubjectAltName=DNS:example.com,DNS:www.example.com")) -out domain.csr


示例用法:

user@hostname:~$ openssl req -new -sha256 -key domain.key -subj "/C=US/ST=CA/O=Acme, Inc./CN=example.com" -reqexts SAN -config <(cat /etc/ssl/openssl.cnf <(printf "\n[SAN]\nsubjectAltName=DNS:example.com,DNS:www.example.com\n")) -out domain.csr
user@hostname:~$ openssl req -in domain.csr -text -noout
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=US, ST=CA, O=Acme, Inc., CN=example.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:a8:05:50:86:49:98:c8:05:01:e9:50:18:7f:2f:
                    b4:89:09:29:d1:c1:58:d8:14:bb:58:1d:25:50:11:
                    bb:43:d8:28:03:a5:de:59:49:bb:d2:f7:d3:79:5c:
                    c6:99:2c:98:ff:99:23:8c:df:96:7c:ea:4b:62:2a:
                    a4:c2:84:f5:5d:62:7f:7d:c4:7c:e2:c3:db:e6:58:
                    03:c2:26:9d:02:da:bb:84:d9:11:82:fe:38:12:9b:
                    c7:b6:ff:b2:40:30:38:b1:44:d8:47:1d:43:4a:29:
                    58:6b:49:ec:33:d7:dc:a7:1b:90:05:3a:f5:e6:16:
                    98:08:5d:2d:7e:b4:ea:a2:a4:b1:84:89:f7:f1:c4:
                    67:a6:a1:06:70:dd:4e:6b:0c:f8:b5:9b:bc:3f:06:
                    ee:90:d6:86:29:52:d3:af:f6:d4:2f:c6:cf:4b:5a:
                    b8:cd:01:74:6d:5c:25:a8:02:1c:7c:e8:66:3d:46:
                    07:b1:9d:ef:cc:eb:90:b6:bf:7b:33:e0:5f:b2:9b:
                    e8:b4:12:67:2f:8d:0d:9b:54:9d:95:6e:09:83:cb:
                    f3:5b:1f:31:8e:3b:ca:4e:08:e0:40:c0:60:40:72:
                    dd:0d:3e:99:ec:7c:ac:c4:3c:ba:85:9d:d9:d9:6b:
                    02:2e:bf:a8:a3:02:1d:eb:c8:58:e3:04:b3:a5:f1:
                    67:37
                Exponent: 65537 (0x10001)
        Attributes:
        Requested Extensions:
            X509v3 Subject Alternative Name: 
                DNS:example.com, DNS:www.example.com
    Signature Algorithm: sha256WithRSAEncryption
         a2:1d:1a:e8:56:43:e7:e5:c7:c1:04:c1:6a:eb:d5:70:92:78:
         06:c1:96:fa:60:e2:5f:3c:95:ee:75:ed:70:52:c1:f0:a7:54:
         d2:9f:4a:2f:52:0f:d4:27:d8:13:73:1f:21:be:34:3f:0a:9c:
         f1:2a:5c:98:d4:28:b8:9c:78:44:e8:ea:70:f3:11:6b:26:c3:
         d6:29:b3:25:a0:81:ea:a2:55:31:f2:63:c8:60:6d:68:e3:ab:
         24:c9:46:33:92:8f:f2:a7:72:43:c6:aa:bd:8d:e9:6f:64:64:
         9e:fe:30:48:3f:06:2e:58:7c:b5:ef:b1:4d:c3:84:cc:02:a5:
         58:c3:3f:d8:ed:98:c7:54:b9:5e:50:44:5e:be:99:c2:e4:03:
         81:4b:1f:47:9a:b0:4d:74:7b:10:29:2f:84:fd:d1:70:88:2e:
         ea:f3:42:b7:06:94:4a:06:f6:92:10:4c:ce:de:65:89:2d:0a:
         f1:0f:79:90:02:a4:b9:6d:b8:39:db:de:6e:34:61:4f:21:36:
         a0:b5:73:2b:2b:c6:7e:2f:f2:e5:1e:51:9f:85:c8:17:9c:1a:
         b6:59:b0:41:a7:06:c8:5b:f4:88:92:c9:34:71:9d:73:f0:2e:
         31:ae:ed:ab:35:0e:b4:8a:9a:72:7c:6f:7a:3e:5d:66:49:26:
         26:99:e1:69


评论


如果您的配置缺少[SAN]部分,则-reqexts SAN部分将导致错误消息“错误加载请求扩展部分SAN”。万一其他人遇到那个。

–雷神召唤师
16年4月4日在6:37

我还必须设置-extensions SAN才能使其正常工作。完整的1-liner:openssl req -new -sha256 -key domain.key -subj“ / C = US / ST = CA / O = Acme,Inc./CN=example.com” -reqexts SAN-扩展SAN -config < (cat /etc/ssl/openssl.cnf <(printf“ [SAN] \ nsubjectAltName = DNS:example.com,DNS:www.example.com”))-out domain.csr

–杰斯·特尔福德
17年4月7日在5:35

对于自签名证书,我需要在配置文件中使用x509_extensions = SAN,对于CSR -reqexts似乎有效...

– Gert van den Berg
17年8月1日在11:18

@GertvandenBerg对于自签名(意味着openssl req -x509),可以在命令行上指定-extensions SAN,它也可以正常工作。

– Kubanczyk
17年8月26日在20:23

可能由于sub-shell语法,此oneliner仅在BASH(bash)中不能在Bourne shell(sh)中起作用。

–征款
18年11月13日在18:37

#3 楼

我的解决方案是通过环境变量传递subjectAltName

首先将其添加到openssl.conf中:

[ san_env ]
subjectAltName=${ENV::SAN}


然后在调用之前设置环境变量openssl:

export SAN=DNS:value1,DNS:value2
openssl req -extensions san_env -subj '/CN=value1' ...


注意:签名和生成CSR时,必须存在-extensions san_env参数。因此,对于CA签名的CSR,还要在-extensions san_env命令中添加openssl ca

评论


我收到此错误消息错误加载扩展部分san_env

–林智一
16 Dec 22 '14:05

这可能是因为SAN环境变量未设置或为空。

–rustyx
16/12/22在15:21

我将接受的答案和此答案结合使用,以从命令行编写所有脚本。

–托德·里昂(Todd Lyons)
17年9月14日在14:54

它对我有很大帮助。...我以前在Windows OS上进行BATCH

–阿巴斯
19年7月6日在9:48

好的.conf语法要知道!轻微增强:避免通过SAN = DNS:value1,DNS:value2 openssl req导出污染当前的bash环境...

– Anton Tykhyy
19-10-23在21:24



#4 楼

这是我根据上述答案最终生成可工作的自签名证书的解决方案(已接受的答案对我不起作用):

openssl genrsa -out ca.key 2048
openssl req -new -x509 -days 365 -key ca.key -subj "/C=CN/ST=GD/L=SZ/O=Acme, Inc./CN=Acme Root CA" -out ca.crt

openssl req -newkey rsa:2048 -nodes -keyout server.key -subj "/C=CN/ST=GD/L=SZ/O=Acme, Inc./CN=*.example.com" -out server.csr
openssl x509 -req -extfile <(printf "subjectAltName=DNS:example.com,DNS:www.example.com") -days 365 -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt


openssl x509 -in server.crt -text -noout

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            ef:ca:cb:c7:3e:5c:25:85
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=CN, ST=GD, L=SZ, O=Acme, Inc., CN=Acme Root CA
        Validity
            Not Before: May 15 14:42:17 2017 GMT
            Not After : May 15 14:42:17 2018 GMT
        Subject: C=CN, ST=GD, L=SZ, O=Acme, Inc., CN=*.example.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                    00:f0:19:32:51:9c:13:ec:dc:d4:52:30:d9:39:4a:
                    f5:9b:53:60:48:10:2d:c1:c0:48:ac:75:a3:2a:d2:
                    6c:62:f1:ed:39:46:7e:e7:e7:03:34:7a:c2:53:b7:
                    42:5a:f2:47:ff:34:68:b1:c9:28:3c:1c:eb:57:af:
                    90:87:53:85:3c:0f:6c:85:62:a1:02:94:b6:5f:3e:
                    e2:d1:bc:48:20:81:46:fe:25:b4:06:cd:b8:04:c4:
                    f5:81:f6:29:55:66:98:95:2f:db:75:39:82:7f:32:
                    5b:18:d9:9d:69:d0:f4:6b:0b:a2:92:83:b2:02:1b:
                    6c:d9:1e:f9:c4:f4:72:a6:76:e7:03:14:d6:29:2b:
                    be:e7:96:3e:42:3a:12:16:8b:51:11:22:7d:c1:d9:
                    47:ab:cd:93:36:27:d3:ad:af:85:0b:c4:d1:75:6e:
                    c1:a8:ed:f8:0f:4a:c8:79:21:4c:02:7f:27:70:00:
                    60:ed:68:8f:97:e0:0e:63:86:9f:12:07:78:aa:bf:
                    b1:bb:d1:30:ff:e6:7e:5c:cd:48:3b:31:fd:ab:54:
                    b4:af:dd:95:49:a6:17:0b:23:98:5f:3d:98:f2:eb:
                    8c:e4:aa:6e:44:2e:2d:5e:d5:91:a3:3a:61:18:3b:
                    56:29:47:86:1f:1d:d7:7c:6b:29:e7:ae:28:ec:3c:
                    e3:b1
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:example.com, DNS:www.example.com
    Signature Algorithm: sha1WithRSAEncryption
        56:d2:5b:d0:6a:d9:1d:0b:d4:2d:b3:99:cf:5f:92:e6:9f:4d:
        ea:b7:22:57:0b:85:e1:f7:4b:b1:13:c1:45:f7:7c:06:34:bd:
        0c:4b:e8:45:01:84:58:8a:7a:0d:7b:08:90:a0:91:7c:f1:f7:
        ef:de:3b:94:be:44:4b:71:c5:40:6f:3c:35:3e:61:79:b1:46:
        d9:81:31:bf:11:15:6a:b2:53:b9:a3:d7:81:cd:2d:f5:3e:20:
        dc:06:1c:a0:74:16:9f:d4:53:5d:f2:3a:23:1c:43:2d:ce:8b:
        68:d3:35:f3:36:8a:05:13:34:a7:42:75:6e:df:a2:b5:95:77:
        71:99:ae:be:4a:6c:ae:14:b4:d1:e4:f7:b4:39:b0:30:04:57:
        8a:d8:21:c5:1c:50:f3:86:38:ec:eb:0c:a6:f6:94:f3:f4:af:
        ec:1b:d1:79:ad:16:45:bc:c9:10:2a:a8:2d:b8:cf:7d:8a:aa:
        b4:b5:74:e0:d4:53:82:b5:71:b8:bb:2f:d2:12:51:87:ab:f1:
        b6:dd:1c:24:b1:8b:36:05:83:29:ca:58:ba:6b:f0:83:cc:27:
        86:43:00:da:73:a0:d5:36:31:bb:e7:e5:1b:2f:c0:42:55:7b:
        b4:2e:57:4f:88:b4:cd:0d:d0:bf:a8:87:76:a1:1b:bc:e4:fc:
        31:ba:ee:04



代表“接受的答案对我不起作用”的再现步骤(在OSX 10.12.4上,带有系统openssl):

bash-3.2$ openssl genrsa -out domain.key 2048
Generating RSA private key, 2048 bit long modulus
.........................................................................................+++
....................................+++
e is 65537 (0x10001)
bash-3.2$ openssl req -new -sha256 -key domain.key -subj "/C=US/ST=CA/O=Acme, Inc./CN=example.com" -reqexts SAN -config <(cat /etc/ssl/openssl.cnf <(printf "[SAN]\nsubjectAltName=DNS:example.com,DNS:www.example.com")) -out domain.csr
bash-3.2$ openssl req -in domain.csr -text -noout
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=US, ST=CA, O=Acme, Inc., CN=example.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                    00:cd:a5:97:b2:1a:83:c6:1d:0e:78:1a:6f:ca:4c:
                    e6:e3:64:94:41:b8:fb:f3:4a:4c:56:8c:33:36:c1:
                    5d:10:25:f5:86:f5:14:c6:17:22:53:34:7b:16:52:
                    ea:f2:ac:bf:0d:09:7d:55:c8:16:ce:0e:f9:98:20:
                    aa:11:4e:bb:4d:75:b1:ed:1b:ca:37:82:f1:15:71:
                    56:ad:c0:be:40:b4:ef:f2:e6:a5:a2:3b:e3:a8:0c:
                    8b:38:3d:d5:41:1a:e8:92:f6:78:52:9f:35:c2:98:
                    a6:58:87:64:e6:d3:7e:a0:00:8c:d0:16:13:80:e9:
                    ee:81:aa:40:c7:1d:9d:fc:52:9a:50:7d:50:e6:ca:
                    20:38:89:12:7d:99:a0:68:ae:45:64:03:e0:00:3c:
                    30:b7:94:87:ab:de:51:90:73:6b:bc:48:c4:e8:47:
                    2d:0e:5a:d0:fb:b4:1b:cb:76:7b:05:70:1a:a8:03:
                    bc:35:38:70:b5:ca:07:43:d3:9d:66:8c:32:32:74:
                    7e:6f:61:e8:de:80:de:d9:fd:fc:27:d8:bb:fa:8c:
                    f9:94:42:c4:b8:e0:bb:24:8b:1f:71:5b:18:99:ca:
                    ac:42:3b:ed:d7:4d:5f:dc:79:8c:6c:fe:d1:df:44:
                    05:5f:1a:a7:bd:e8:1c:85:0c:70:fb:4e:29:62:a0:
                    e9:71
                Exponent: 65537 (0x10001)
        Attributes:
        Requested Extensions:
            X509v3 Subject Alternative Name:
                DNS:example.com, DNS:www.example.com
    Signature Algorithm: sha256WithRSAEncryption
        47:f3:82:ae:78:f2:19:76:05:e3:97:30:00:16:c5:9c:89:94:
        ef:b0:51:b0:cf:4a:93:81:7d:ee:94:25:9a:0a:9e:1f:7f:e0:
        d8:72:55:75:2d:ac:c3:f9:3a:74:b6:1f:1b:c3:f1:68:d4:66:
        72:89:ed:53:7b:09:da:35:eb:40:63:e6:6a:0f:9a:4f:6e:25:
        9f:63:df:bb:d6:00:77:c2:e7:d6:96:0c:50:58:01:c9:d1:ff:
        df:de:fb:19:fb:72:38:48:25:5d:b7:56:fb:eb:d7:41:f5:f6:
        d7:f7:4b:c7:07:4f:59:b4:b8:c3:d8:bf:c9:2c:07:5a:c3:0a:
        51:f8:02:4f:dc:de:2d:88:49:b7:6d:de:67:04:d0:78:6e:0f:
        96:d8:06:e4:73:4f:fb:ce:29:0f:1e:3a:1a:6e:3c:a5:f3:f1:
        68:3d:22:85:34:fa:f0:ad:f6:75:61:02:81:f1:c4:e3:69:2b:
        80:3d:05:39:c6:9d:72:66:2a:50:93:6c:79:5d:d0:33:42:cf:
        a6:68:6a:16:d7:dc:61:b4:c3:4e:01:ac:68:7c:77:29:d4:fe:
        0d:9d:34:0a:3e:73:02:27:12:a4:08:9c:b9:2e:3e:c8:3f:1d:
        91:33:3b:71:8f:24:6b:66:f5:c3:8a:d7:7b:fe:2d:7f:b4:6d:
        96:cf:52:74
bash-3.2$ openssl x509 -req -in domain.csr -signkey domain.key -out domain.crt
Signature ok
subject=/C=US/ST=CA/O=Acme, Inc./CN=example.com
Getting Private key
bash-3.2$ openssl x509 -in domain.crt -text -noout
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number:
            de:c5:cf:28:1f:33:6c:53
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, ST=CA, O=Acme, Inc., CN=example.com
        Validity
            Not Before: May 15 15:30:07 2017 GMT
            Not After : Jun 14 15:30:07 2017 GMT
        Subject: C=US, ST=CA, O=Acme, Inc., CN=example.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                    00:cd:a5:97:b2:1a:83:c6:1d:0e:78:1a:6f:ca:4c:
                    e6:e3:64:94:41:b8:fb:f3:4a:4c:56:8c:33:36:c1:
                    5d:10:25:f5:86:f5:14:c6:17:22:53:34:7b:16:52:
                    ea:f2:ac:bf:0d:09:7d:55:c8:16:ce:0e:f9:98:20:
                    aa:11:4e:bb:4d:75:b1:ed:1b:ca:37:82:f1:15:71:
                    56:ad:c0:be:40:b4:ef:f2:e6:a5:a2:3b:e3:a8:0c:
                    8b:38:3d:d5:41:1a:e8:92:f6:78:52:9f:35:c2:98:
                    a6:58:87:64:e6:d3:7e:a0:00:8c:d0:16:13:80:e9:
                    ee:81:aa:40:c7:1d:9d:fc:52:9a:50:7d:50:e6:ca:
                    20:38:89:12:7d:99:a0:68:ae:45:64:03:e0:00:3c:
                    30:b7:94:87:ab:de:51:90:73:6b:bc:48:c4:e8:47:
                    2d:0e:5a:d0:fb:b4:1b:cb:76:7b:05:70:1a:a8:03:
                    bc:35:38:70:b5:ca:07:43:d3:9d:66:8c:32:32:74:
                    7e:6f:61:e8:de:80:de:d9:fd:fc:27:d8:bb:fa:8c:
                    f9:94:42:c4:b8:e0:bb:24:8b:1f:71:5b:18:99:ca:
                    ac:42:3b:ed:d7:4d:5f:dc:79:8c:6c:fe:d1:df:44:
                    05:5f:1a:a7:bd:e8:1c:85:0c:70:fb:4e:29:62:a0:
                    e9:71
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha1WithRSAEncryption
        02:71:7f:a5:8e:aa:7d:4b:0a:9d:54:8c:25:cb:b3:66:a3:22:
        c5:61:73:0c:c4:da:3b:ce:e8:4b:ec:ee:45:83:ca:db:e0:25:
        9b:a6:a3:c0:c9:7c:d9:76:a2:8c:38:38:b1:77:c7:84:33:03:
        b7:9a:cb:ff:bf:83:bc:7b:d8:4c:7e:c4:b3:8f:c5:23:22:75:
        67:d3:d6:5e:0e:bd:ef:0b:0f:6a:8d:f0:d3:20:8f:5a:cf:37:
        94:b7:8a:d9:b3:0e:99:31:4f:77:6f:89:33:c5:93:99:2e:8b:
        61:ad:84:17:af:b5:8e:1e:f0:4a:af:b1:90:c3:09:3a:d6:16:
        4b:1b:c4:6b:2e:22:7e:b1:7d:9b:3c:a9:3b:06:20:e2:37:14:
        8b:0d:da:c6:4b:e3:6e:83:9c:df:20:67:2e:d0:33:68:05:17:
        01:d5:5a:6f:51:b3:50:d7:73:10:73:c8:be:3b:de:e6:bd:28:
        60:6f:19:75:0c:05:16:37:4d:50:df:f4:bb:41:f0:65:ba:6f:
        7f:5c:56:27:ae:0e:18:0a:df:7e:d2:7b:93:db:40:d2:bb:e0:
        dc:b8:57:c7:08:07:37:e4:db:d4:09:b6:13:d7:22:e2:ef:6d:
        60:fa:3e:7c:f4:1f:0b:bf:26:f4:08:d0:39:cf:51:dd:bf:b1:
        0e:ee:46:d1
bash-3.2$ openssl version
OpenSSL 0.9.8zh 14 Jan 2016


评论


为什么是您的解决方案?你能说说我们吗?

– schroeder♦
17年5月15日在15:09

这与接受的答案有何不同?

– schroeder♦
17年5月15日在15:10

好的,但是为什么对您有用?哪一部分代替了可接受的答案并使之起作用?现在,这只是一堵代码墙。

– schroeder♦
17年5月15日在15:25



问题是关于创建CSR(大概是提交给真正的CA),然后接受的答案就可以了。您的答案将使用SAN创建一个自签名证书,而不使用SAN创建一个CSR,因此尽管它确实回答了security.stackexchange.com/questions/150078/…,但它在这里没有回答问题。

–dave_thompson_085
17年5月16日下午5:27

与接受的答案(仅处理如何使用subjectAltName生成CSR)相比,此答案的主要区别在于,在此答案中生成了两个证书。根CA证书和域证书。根CA充当域证书的颁发者。

– marekful
18/12/3在15:53

#5 楼

因此,我花了一点时间来使此工作正常进行,并完全投入Ansible。由于Ansible的command模块不允许文件重定向(<(...)),因此我不得不使用一个小的.cnf文件作为模板,但现在一切正常。这是我所做的工作:

san.cnf模板(为每个CSR / CRT对生成):

[req]
distinguished_name = req_distinguished_name
req_extensions     = v3_req
x509_extensions    = v3_req

[req_distinguished_name]
commonName       = {{ common_name }}
emailAddress     = {{ ssl_certs_email }}
organizationName = {{ ssl_certs_organization }}
localityName     = {{ ssl_certs_locality }}
countryName      = {{ ssl_certs_country }}

[v3_req]
# The extentions to add to a self-signed cert
subjectKeyIdentifier = hash
basicConstraints     = critical,CA:false
subjectAltName       = DNS:{{ common_name }}
keyUsage             = critical,digitalSignature,keyEncipherment


有些变量

以下命令中使用了这些Ansible变量,但是您可以根据需要在脚本中进行替换:

ssl_certs_fields: "/C={{ssl_certs_country}}/ST={{ssl_certs_state}}/L={{ssl_certs_locality}}/O={{ssl_certs_organization}}/CN={{common_name}}/emailAddress={{ssl_certs_email}}"
ssl_certs_local_privkey_path:       The path to the Private Key
ssl_certs_local_csr_path:           The path to the CSR
ssl_certs_local_path:               The local dir for this PKI file set
ssl_certs_local_decrypt_cakey_path: A temporarily decrypted copy of the CA 



ssl_certs_local_caserial_path:CA的序列号文件
ssl_certs_local_cert_path:最终生成的证书文件。

CSR生成命令

openssl req -new -sha256 -subj "{{ ssl_certs_fields }}" 
-key "{{ ssl_certs_local_privkey_path }}"
-out "{{ ssl_certs_local_csr_path }}" 
-config "{{ssl_certs_local_path}}/san.cnf"


Self-签署CSR以创建证书

  openssl x509 -req -days {{ ssl_certs_days }}
  -sha256
  -extfile "{{ssl_certs_local_path}}/san.cnf"
  -extensions v3_req
  -in "{{ ssl_certs_local_csr_path }}"
  -CA "{{ ssl_certs_local_ca_path }}"
  -CAkey "{{ ssl_certs_local_decrypt_cakey_path }}"
  -CAcreateserial
  -CAserial "{{ ssl_certs_local_caserial_path }}"
  -out "{{ ssl_certs_local_cert_path }}"


验证结果

openssl x509 -noout -text -in {{ ssl_certs_local_cert_path }}


其中应包括一个部分如下所示:

        X509v3 extensions:
        X509v3 Subject Key Identifier:
            3B:6E:E9:9F:B2:30:08:21:1C:C7:0D:4C:21:7A:B4:92:40:B6:71:98
        X509v3 Basic Constraints: critical
            CA:FALSE
        X509v3 Subject Alternative Name:
            DNS:foo.bar.com


评论


对于类似这样的复杂事物,应使用shell Ansible模块代替命令。无论哪种方式都不是很优雅-但是感谢您的模板解决方法,这当然也可以。

– AdamKalisz
5月22日19:47

我已经提供了使用Ansible shell模块的解决方案。如果仅是更轻松地以合理的方式生成CSR(或者至少具有openssl则具有更好的用户界面)...

– AdamKalisz
7月6日20:40

#6 楼

此链接中的第二篇文章说不可能仅通过命令行来做到这一点,但是同一链接中的第四篇文章提供了一种解决方法,它使用了bash的引用数据的能力,就像在文件中一样。

进一步看一下,有人提到reqexts参数用于添加证书请求。该博客使用bash的env来解决此问题。

但是我只是想提供帮助。我自己还没有测试过任何一个。

评论


谢谢。我使用bash的命令替换功能解决了这个问题。这样,所有内容都包含在一个脚本中。

– Michael Seiwald
2014年12月9日在10:18

#7 楼

以下命令演示了如何使用SAN为example.comexample.net生成自签名证书。

从某种意义上讲,它是可移植的,因为我们不必弄乱(甚至不知道) openssl.cnf文件的位置:

openssl req -x509 -newkey rsa:4096 -sha256 -days 3650 -nodes \
  -keyout example.key -out example.crt -subj '/CN=example.com' \
  -extensions san \
  -config <(echo '[req]'; echo 'distinguished_name=req';
            echo '[san]'; echo 'subjectAltName=DNS:example.com,DNS:example.net')


这里的窍门是包括一个最小的[req]部分,该部分足以让OpenSSL在没有其主要openssl.cnf文件的情况下相处。 />
在OpenSSL≥1.1.1中,可以将其简化为:

openssl req -x509 -newkey rsa:4096 -sha256 -days 3650 -nodes \
  -keyout example.key -out example.crt -subj '/CN=example.com' \
  -addext 'subjectAltName=DNS:example.com,DNS:example.net'


这里我们使用的是新的-addext选项,因此我们不使用不再需要-extensions-config

别忘了验证生成的证书的内容:

openssl x509 -noout -text -in example.crt


另请参见:https:/ /stackoverflow.com/a/41366949/19163和https://unix.stackexchange.com/a/333325/20407

#8 楼

已测试RHEL7(使用SAN创建自签名证书)

openssl req -x509 -nodes -newkey rsa:2048 -days 3650 -sha256 -keyout test.key -out test.cert -reqexts SAN -extensions SAN -subj '/CN=test.example.com' -config <(cat /etc/pki/tls/openssl.cnf; printf "[SAN]\nsubjectAltName=DNS:test.example.com,DNS:test2.example.com")


#9 楼

我想要一个命令行来创建CSR-完美地使用了conf文件,但没有生成SubjAltName条目。此版本是我使用的版本。使用read -p请求FQDN时,我也希望它也可以与SAN条目一起使用-所以这是一个有效的解决方案。

openssl的版本有依赖性,至少应为1.1.1。因为您需要-addext。

read -p "FQDN ?" CN; openssl req -new -key yourkeyfile.key -subj /C=GB/ST=county/L=city/O=company/OU=yourorg/CN=$CN -addext "subjectAltName = DNS:$CN" -out./$CN.csr


这样不会弄乱conf文件。

#10 楼

我对这个问题的解决方案是通过附加我的命令行收集的subjectAltName信息来创建和引用临时cnf文件。

#11 楼

问题已得到解答,但我仍然很难将其转换为优雅的
和有用的形式来自动生成CSR。一个内衬很好,因此我将其合并到一个例程中,该例程允许使用主题替代名称作为命令参数,而不是文件中的值,这对于SAN或不SAN也具有灵活性。尝试使用一个参数,然后使用多个参数。

#!/bin/bash

#san_cert.sh

# defaults =====================================================================
DOM=domain.com
O=My\ Company,\ LLC
L=Seattle
ST=Washington
C=US
OU=Operations
EMAIL=certalert

#basic checks and strings ======================================================
if [ -z "" ];then
    echo usage: q4312078q name1 optionalname optionalname ...
    echo example: san_cert.sh www web w3 exch mail
    exit
else
    CN=
    SUBJ="/C=$C/ST=$ST/L=$L/O=$O/OU=$OU/CN=$CN.$DOM/emailAddress=$EMAIL.$DOM"
fi

#clearing old files
rm $CN.$DOM.ssl_csr $CN.$DOM.ssl_key

#create private key ============================================================
openssl genrsa -out $CN.$DOM.ssl_key 2048


if [ $# -gt 1 ];then #test for arg count
    #build SAN string ==================
    A=($@)
    I=1
    while [ $I -lt ${#A[@]} ]
    do
        SAN="DNS:${A[I]}.$DOM$CMA${SAN}"
        CMA=","
        I=$[$I+1]
    done
    SAN="\n[SAN]\nsubjectAltName=${SAN}"
    #===================================

    #create SAN certificate signing request ====================================
    openssl req -new -sha256 \
    -subj "$SUBJ" \
    -key   $CN.$DOM.ssl_key \
    -out   $CN.$DOM.ssl_csr \
    -reqexts SAN -config <(cat /etc/ssl/openssl.cnf <(printf "$SAN"))
else
    #create Single certificate signing request =================================
    openssl req -new -sha256 \
    -subj "$SUBJ" \
    -key   $CN.$DOM.ssl_key \
    -out   $CN.$DOM.ssl_csr
fi

#verification ==================================================================
openssl req -text -noout -verify -in $CN.$DOM.ssl_csr


#12 楼

已经回答了这个问题,但是如果有人仍在寻找一种无提示,仅限cli的方法来创建自签名根证书(没有CA或CSR),并且不介意使用Java keytool,则可以选择以下方法:

使用keytool生成PKCS12密钥库




keytool -genkeypair \
 -keyalg RSA \
 -keysize 3072 \
 -alias titan \
 -dname "CN=titan,OU=Engineering,O=Titan Corp.,C=US" \
 -ext BC:c=ca:false \
 -ext EKU:c=serverAuth \
 -ext "SAN:c=DNS:titan,IP:192.168.1.7" \
 -validity 3650 \
 -keystore server.p12 \
 -storepass s3cr3t \
 -keypass s3cr3t \
 -storetype pkcs12


使用openssl导出证书和密钥




openssl pkcs12 -in server.p12 -nodes -out cert.pem -passin pass:s3cr3t
openssl pkcs12 -in server.p12 -nodes -nocerts -out key.pem -passin pass:s3cr3t


#13 楼

我需要执行此操作以创建用于本地测试的自签名证书,但还希望能够传递多个扩展参数,而不仅仅是SAN。我发现执行多个-extfile命令似乎互相覆盖,只有最后一个-extfile值以cert结尾。

解决方案是向printf添加更多变量:

openssl x509 -req -sha256 \
    -extfile <(printf "extendedKeyUsage=serverAuth\nsubjectAltName=DNS:example.com") \
    -days 820 -in server.csr -signkey key.pem -out cert.pem


很好,但是我们的工作流已经通过将命令存储在package.json文件中,然后运行npm run newcert来生成证书。尝试将\n添加到printf刚刚中断了该命令。解决方案是切换到使用大量回显以及显式定义扩展名。


注意:要将它们作为npm脚本运行,您必须转义

openssl req -newkey rsa:2048 -sha256 -nodes -keyout key.pem \
    -subj "/C=CN/ST=GD/L=SZ/O=Example/CN=example.com" -out server.csr

openssl x509 -req -sha256 -extensions v3_ca \
    -extfile <(echo "[v3_ca]"; echo "extendedKeyUsage=serverAuth"; echo "subjectAltName=DNS:example.com") \
    -days 820 -in server.csr -signkey key.pem -out cert.pem


运行openssl x509 -noout -text -in cert.pem表示它起作用了:

     X509v3 extensions:
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
            X509v3 Subject Alternative Name:
                DNS:example.com


#14 楼

作为@Excalibur回答的补充(顺便说一句,谢谢您的工作!)
我发现此表格更适合Ansible。它回避了由于库依赖性和版本问题而导致难以使用的正式模块openssl_csr的问题。
以下是@Excalibur生成的脚本的一部分的改编。您无需创建文件。这个特定的剧本将证书输出到stdin,您可以用(ansible-playbook -vvvv <playbook.yml>)显示该证书,或者将其转储到变量并使用调试模块进行输出。
domain.key必须与剧本位于同一目录中。
---
- name: Test CSR generation
  hosts: localhost

  vars:
  - country: 'US'                     # C
  - state: 'NJ'                       # ST
  - locality: 'Trenton'               # L
  - organization: 'ACME'              # O
  - organization_unit: 'IT'           # OU
  - common_name: 'host.example.com'
  - email_address: 'info@example.com' # emailAddress
  - add_subj_alt_name: 'IP:192.0.2.0' # without common_name, e.g. IP:2001:db8::1

  tasks:
  - name: Generate CSR
    shell: |
      STR="/C={{ country }}/
        ST={{ state }}/
        L={{ locality }}/
        O={{ organization }}/
        OU={{ organization_unit }}/
        CN={{ common_name }}/
        emailAddress={{ email_address }}"
      openssl req -new -sha256 -key domain.key -subj "$STR" \
      -reqexts v3_req -extensions v3_req -config \
      <(cat <<<'
      [req]
      distinguished_name = req_distinguished_name
      req_extensions     = v3_req
      x509_extensions    = v3_req
      
      [req_distinguished_name]
      countryName                         = {{ country }}
      stateOrProvinceNamecountryName      = {{ state }}
      localityName                        = {{ locality }}
      organizationName                    = {{ organization }}
      organizationalUnitName              = {{ organization_unit }}
      commonName                          = {{ common_name }}
      emailAddress                        = {{ email_address }}
      
      [v3_req]
      # The extentions to add to a self-signed cert
      subjectKeyIdentifier = hash
      basicConstraints     = critical,CA:false
      subjectAltName       = DNS:{{ common_name }},{{ add_subj_alt_name }}
      keyUsage             = critical,digitalSignature,keyEncipherment') -noout -text
    args:
      executable: '/bin/bash'


#15 楼

将CSR签名到CRT时用于IP SAN的extfile
https://www.golinuxcloud.com/openssl-create-client-server-certificate/
openssl x509 -req -in server.csr -CA selfca.crt -CAkey selfca.key -CAcreateserial --extensions v3_req -extfile server.req -out server.crt


评论


为什么要使用extfile?这个答案与提到extfile的所有其他答案有何不同?如果答案在链接中,请在此处在答案中包含链接的相关部分。

– schroeder♦
7月8日8:54