I'm using the OpenSSL command line tool to generate a self-signed certificate. It seems to be working correctly except for two issues. I can't get it to create a .cer with a S
#! /bin/dash
# Steps 1-3 show how to use openssl to create a certificate request
# that includes Subject Alternative Names.
# In the uncommon case where you are creating your own CA, steps 4-6
# show how to use openssl to create a CA and then use that CA to
# create a certificate from the request.
# Step 1: Create an OpenSSL configuration file
# to specify the Subject Alternative Names
echo ; echo 'step 1'
cat > foo.cnf <<EOF
[ req ]
distinguished_name = arbitrary_name_1
req_extensions = arbitrary_name_2
[ arbitrary_name_1 ]
[ arbitrary_name_2 ]
subjectAltName = @arbitrary_name_3
[ arbitrary_name_3 ]
DNS.1 = foo.com
DNS.2 = bar.com
DNS.3 = baz.com
EOF
# Step 2: Create a certificate request for foo.com.
#
# openssl
# req
# -config read openssl configuration from this file
# -subj set the commonName of the certificate
# -newkey generate a new key (and, by implication, a new request!)
# -nodes do not encrypt the new private key ("no DES")
# -keyout write the new private key to this file
# -out write the request to this file
echo ; echo 'step 2'
openssl \
req \
-config foo.cnf \
-subj '/CN=foo.com' \
-newkey rsa:2048 \
-nodes \
-keyout foo.key \
-out foo.req
# Step 3: Display the requested extensions.
echo ; echo 'step 3'
openssl req -in foo.req -noout -text | \
grep -A 2 'Requested Extensions:'
# Step 4: Create a certificate authority by creating
# a private key and self-signed certificate.
#
# openssl
# req generate a certificate request, but don't because ...
# -x509 generate a self-signed certificate instead
# -subj set the commonName of the certificate
# -days certificate is valid for N days, starting now
# -newkey generate a new private key
# -nodes do not encrypt the new private key ("no DES")
# -keyout write the new private key to this file
# -out write the self-signed certificate to this file
echo ; echo 'step 4'
openssl \
req \
-x509 \
-subj "/CN=Custom CA" \
-days 4000 \
-newkey rsa:2048 \
-nodes \
-keyout ca.key \
-out ca.cert
# Step 5: Use the certificate authority
# to create a certificate for foo.com.
#
# openssl
# x509 operate on an x509 certificate
# -req create an x509 certificate from a request
# -in read the request from this file
# -CA read the CA certificate from this file
# -CAkey read the CA key from this file
# -extfile read openssl's configuration from this file
# -extensions read extensions from this section of the configuration
# -days certificate is valid for N days, starting now
# -set_serial set the new certificate's serial number
# -out write the new certificate to this file
echo ; echo 'step 5'
openssl \
x509 \
-req \
-in foo.req \
-CA ca.cert \
-CAkey ca.key \
-extfile foo.cnf \
-extensions arbitrary_name_2 \
-days 30 \
-set_serial 1001 \
-out foo.cert
# Step 6: Display the X509v3 extensions:
echo ; echo 'step 6'
openssl x509 -in foo.cert -noout -text | \
grep -A 2 'X509v3 extensions:'
Here are the simple steps for you.
While generating the CSR you should use -config and -extensions, and while generating the certificate you should use -extfile and -extensions.
Here is the example:
openssl req -new -nodes -keyout test.key -out test.csr -days 3650 -subj "/C=US/ST=SCA/L=SCA/O=Oracle/OU=Java/CN=test cert" -config /etc/pki/tls/openssl.cnf -extensions v3_req
openssl x509 -req -days 3650 -in test.csr -CA cacert.pem -CAkey rootCA.key -CAcreateserial -out test.pem -extfile /etc/pki/tls/openssl.cnf -extensions v3_req
Hope this helps.
The v3_req section is required, with the entry subjectAltName in the config file. The command
openssl x509 ... -extfile openssl.cnf -extensions v3_req
will insert the SAN into the certificate.
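The point the three answers share is that a SAN requested in the CSR only lands in the issued certificate when the signing step is told to read it (-extfile plus -extensions). The script below is an added example, not code from any of the answers or from the OpenSSL project: it builds a throwaway CA, signs the same SAN-bearing CSR once with and once without -extfile/-extensions, and then checks each result with openssl x509 -text and openssl verify -verify_hostname. It assumes an openssl binary (1.0.2 or later, for -verify_hostname) on PATH; the "Example CA" subject, the example.test hostnames, the serial numbers and every file name are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the answers above: one POSIX shell script that
# builds a throwaway CA, makes a CSR carrying a SAN, signs it both with and
# without -extfile/-extensions, and then checks which certificate really
# carries the SAN. The "Example CA" subject, the example.test hostnames and
# every file name are constructed for this demonstration.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# One config file serves both roles: ca_ext for the self-signed CA,
# san_ext (reached through req_extensions) for the leaf request.
write_config() {
    cat > "$WORK/san.cnf" <<'EOF'
[ req ]
distinguished_name = dn
req_extensions = san_ext
[ dn ]
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ san_ext ]
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = www.example.test
DNS.2 = api.example.test
EOF
}

# Throwaway CA: self-signed certificate plus private key.
make_ca() {
    openssl req -x509 -config "$WORK/san.cnf" -extensions ca_ext \
        -subj "/CN=Example CA" -days 30 -newkey rsa:2048 -nodes \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# Leaf request whose "Requested Extensions" carry the SAN from san_ext.
make_csr() {
    openssl req -new -config "$WORK/san.cnf" -subj "/CN=www.example.test" \
        -newkey rsa:2048 -nodes -keyout "$WORK/leaf.key" \
        -out "$WORK/leaf.csr" 2>/dev/null
}

# Sign the request. $1 = output file, $2 = serial, $3 = "yes" to copy the SAN
# section in via -extfile/-extensions; "no" relies on x509 -req alone, which
# silently ignores whatever the CSR requested.
sign_csr() {
    if [ "$3" = yes ]; then
        openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/ca.crt" \
            -CAkey "$WORK/ca.key" -set_serial "$2" -days 7 \
            -extfile "$WORK/san.cnf" -extensions san_ext \
            -out "$1" 2>/dev/null
    else
        openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/ca.crt" \
            -CAkey "$WORK/ca.key" -set_serial "$2" -days 7 \
            -out "$1" 2>/dev/null
    fi
}

# 0 if the CSR lists the name under "Requested Extensions".
csr_requests_san() {
    openssl req -in "$1" -noout -text | grep -A1 'Subject Alternative Name' \
        | grep -q "DNS:$2"
}

# 0 if the issued certificate lists the name in subjectAltName.
cert_has_san() {
    openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name' \
        | grep -q "DNS:$2"
}

# 0 if the chain verifies against the CA and the name is valid for the cert.
# Without a SAN, OpenSSL falls back to the CN, so only the CN name matches.
cert_matches_host() {
    openssl verify -CAfile "$WORK/ca.crt" -verify_hostname "$2" "$1" \
        >/dev/null 2>&1
}

build_all() {
    write_config
    make_ca
    make_csr
    sign_csr "$WORK/with_san.crt" 1001 yes
    sign_csr "$WORK/without_san.crt" 1002 no
}

build_all
for f in with_san without_san; do
    if cert_has_san "$WORK/$f.crt" api.example.test; then
        echo "$f.crt: SAN present"
    else
        echo "$f.crt: SAN missing"
    fi
done
```

The without_san.crt case is the symptom from the question: openssl req -text shows the names under Requested Extensions, yet the issued certificate has no subjectAltName at all, and openssl verify -verify_hostname accepts only the CN name for it. Checking the final certificate rather than the CSR is therefore the test worth automating. On OpenSSL 3.0 and later, openssl x509 -req also accepts -copy_extensions copy to carry the CSR's extensions over directly; on older releases, -extfile/-extensions is the only route.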