Question
I'd like to create a tsa certificate for my timestamping service.
First I create a root certificate
openssl genrsa -out tsaroot.key 4096 -config openssl.cnf
openssl req -new -x509 -days 1826 -key tsaroot.key -out tsaroot.crt -config openssl.cnf
Then I create the tsa certificate
openssl genrsa -des3 -out tsa.key 4096 -config openssl.cnf
openssl req -new -key tsa.key -out tsa.csr -config openssl.cnf
openssl x509 -req -days 730 -in tsa.csr -CA tsaroot.crt -CAkey tsaroot.key -set_serial 01 -out tsa.crt
openssl pkcs12 -export -out tsa.p12 -inkey tsa.key -in tsa.crt -chain -CAfile tsaroot.crt
In my openssl.cnf file, I add the following line:
extendedKeyUsage = critical,timeStamping
However, the created certificate doesn't seem to include the extendedKeyUsage (when I try to read it with Bouncy Castle I got a "Certificate must have an ExtendedKeyUsage extension." exception).
How can I generate a valid tsa certificate (with the correct extendedKeyUsage value included)?
Thanks
Answer 1:
Try with the following:
Add a named section in the openssl.cnf file:
[v3_tsa]
extendedKeyUsage = critical,timeStamping
When generating the TSA certificate from the CSR, add the switch -extensions:
openssl x509 -req ... -extensions v3_tsa
Answer 2:
The following worked:
Create a file extKey.cnf with the extendedKeyUsage inside:
extendedKeyUsage = critical,timeStamping
Add it when creating the request:
openssl x509 -req -days 730 -in tsa.csr -CA tsaroot.crt -CAkey tsaroot.key -set_serial 01 -out tsa.crt -extfile extKey.cnf
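The reason the line in openssl.cnf had no effect is that openssl x509 -req does not read extensions from the default config at all: extensions are taken only from the file given with -extfile, and -extensions selects a section inside that file (without it, the unnamed default section is used, which is what Answer 2 relies on). The script below is an added example, not code from the question or either answer. It puts both answers together in one file: a [v3_tsa] section passed with -extfile and -extensions, a root section so the test root is a real CA, and a check with openssl verify -purpose timestampsign, which enforces the RFC 3161 section 2.3 rules (EKU present, critical, and containing only timeStamping) that the Bouncy Castle exception in the question is about. File names, subjects, the 2048-bit key size and the unencrypted TSA key are example choices; the question's -des3 and the pkcs12 bundling step are unchanged and can be applied to the resulting tsa.key and tsa.crt as before.

```shell
#!/bin/sh
# Added example: build a test root CA and a TSA certificate whose critical
# extendedKeyUsage=timeStamping is taken from a named section of the config
# via -extfile/-extensions, then verify it for the timestampsign purpose.
# Everything is written to a temporary directory (override with WORK=...).
set -e
WORK="${WORK:-$(mktemp -d)}"

# Minimal config. Only the section named with -extensions inside the file
# named with -extfile reaches a cert signed by `openssl x509 -req`; a bare
# extendedKeyUsage line elsewhere in openssl.cnf is never consulted.
write_config() {
    cat > "$WORK/tsa.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt             = no
x509_extensions    = v3_root   # used by `req -x509` for the self-signed root

[dn]
# left empty: the subject is supplied with -subj on the command line

[v3_root]
basicConstraints     = critical,CA:TRUE
keyUsage             = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash

[v3_tsa]
# RFC 3161 2.3: EKU must be present, critical and contain only timeStamping
basicConstraints = critical,CA:FALSE
keyUsage         = critical,digitalSignature,nonRepudiation
extendedKeyUsage = critical,timeStamping
EOF
}

make_root() {
    openssl genrsa -out "$WORK/root.key" 2048 2>/dev/null
    openssl req -new -x509 -days 365 -key "$WORK/root.key" -out "$WORK/root.crt" \
        -config "$WORK/tsa.cnf" -subj "/CN=Example Test Root"
}

# $1 = output certificate path, $2 = "with" or "without" the extension section
make_tsa_cert() {
    out="$1"
    openssl genrsa -out "$WORK/tsa.key" 2048 2>/dev/null
    openssl req -new -key "$WORK/tsa.key" -out "$WORK/tsa.csr" \
        -config "$WORK/tsa.cnf" -subj "/CN=Example Test TSA"
    if [ "$2" = "with" ]; then
        openssl x509 -req -days 365 -in "$WORK/tsa.csr" -CA "$WORK/root.crt" \
            -CAkey "$WORK/root.key" -set_serial 1 -out "$out" \
            -extfile "$WORK/tsa.cnf" -extensions v3_tsa 2>/dev/null
    else
        # The question's command: the CSR is signed, but no extensions are added.
        openssl x509 -req -days 365 -in "$WORK/tsa.csr" -CA "$WORK/root.crt" \
            -CAkey "$WORK/root.key" -set_serial 1 -out "$out" 2>/dev/null
    fi
}

# Exit status 0 only if the cert chains to root.crt AND carries a critical
# EKU consisting solely of timeStamping (OpenSSL's "timestampsign" purpose).
check_tsa_cert() {
    openssl verify -CAfile "$WORK/root.crt" -purpose timestampsign "$1" >/dev/null 2>&1
}

# Print the EKU lines of a cert so the difference is visible.
show_eku() {
    openssl x509 -in "$1" -noout -text | grep -A1 'Extended Key Usage' \
        || echo "  (no extendedKeyUsage extension)"
}

main() {
    write_config
    make_root
    make_tsa_cert "$WORK/tsa-bad.crt" without
    make_tsa_cert "$WORK/tsa.crt" with
    echo "== signed without -extfile (as in the question):"; show_eku "$WORK/tsa-bad.crt"
    echo "== signed with -extfile tsa.cnf -extensions v3_tsa:"; show_eku "$WORK/tsa.crt"
    for c in tsa-bad.crt tsa.crt; do
        if check_tsa_cert "$WORK/$c"; then echo "$c: OK for purpose timestampsign"
        else echo "$c: REJECTED for purpose timestampsign"; fi
    done
    echo "files are in $WORK"
}

if command -v openssl >/dev/null 2>&1; then
    main
else
    echo "openssl not found in PATH; nothing to do" >&2
fi
```

The verify step is the check to keep around: the same command run against a certificate produced by the question's original x509 -req line is rejected, because that certificate has no extensions at all, while the one signed with -extfile and -extensions v3_tsa passes.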
Source: https://stackoverflow.com/questions/13332694/create-tsa-timestamping-certificate-with-openssl-add-a-extendedkeyusage-in-a