Question
I want to create a self-signed certificate with the RSA algorithm, key size 2048, with a subject key identifier. I know we made some default change in openssl.conf. What am I supposed to change?
genrsa -des3 -out mcedt.key 2048
req -new -key mcedt.key -out mcedt.csr
CN = server.test , OU =, O =, L = Toronto, S = ontario , C = can
x509 -req -days 365 -in mcedt.csr -signkey mcedt.key -out mcedt.crt
pkcs12 -export -in mcedt.crt -inkey mcedt.key -out mcedt.pfx
Answer 1:
You could create an extension file (extensions.cnf) with the following information:
subjectKeyIdentifier=hash
as mentioned by OpenSSL:
This is really a string extension and can take two possible values. Either the word hash which will automatically follow the guidelines in RFC3280 or a hex string giving the extension value to include. The use of the hex string is strongly discouraged.
Then you should change
x509 -req -days 365 -in mcedt.csr -signkey mcedt.key -out mcedt.crt
into
x509 -req -days 365 -extfile extensions.cnf -in mcedt.csr -signkey mcedt.key -out mcedt.crt
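The steps above as a non-interactive script that also checks the result (an added example, not part of the original answer): it issues the certificate with `extensions.cnf`, reads the Subject Key Identifier back, and recomputes what `hash` produces, the SHA-1 of the subjectPublicKey BIT STRING contents. Assumptions: `-des3` is dropped and `-subj` is used so nothing prompts, the function names are hypothetical, and the 24-byte DER header skip holds only for RSA-2048 keys with exponent 65537.

```shell
#!/bin/sh
# Added example: issue the self-signed certificate with an SKI and verify it.

make_cert() {   # $1 = working directory
    dir=$1
    printf 'subjectKeyIdentifier=hash\n' > "$dir/extensions.cnf"
    # Unencrypted key (no -des3) so the script runs without a passphrase prompt.
    openssl genrsa -out "$dir/mcedt.key" 2048 2>/dev/null &&
    openssl req -new -key "$dir/mcedt.key" \
        -subj '/CN=server.test/L=Toronto' -out "$dir/mcedt.csr" &&
    openssl x509 -req -days 365 -extfile "$dir/extensions.cnf" \
        -in "$dir/mcedt.csr" -signkey "$dir/mcedt.key" \
        -out "$dir/mcedt.crt" 2>/dev/null
}

cert_ski() {    # $1 = certificate; prints the SKI as lowercase hex
    openssl x509 -in "$1" -noout -text |
        grep -A1 'Subject Key Identifier' | tail -n 1 |
        tr -d ' :\n' | tr 'A-F' 'a-f'
}

expected_ski() { # $1 = certificate; SHA-1 over the public key BIT STRING contents
    # Skip the 24-byte SubjectPublicKeyInfo header (RSA-2048, e=65537 only):
    # outer SEQUENCE (4) + AlgorithmIdentifier (15) + BIT STRING tag/len/unused (5).
    openssl x509 -in "$1" -noout -pubkey |
        openssl pkey -pubin -outform DER |
        tail -c +25 | openssl dgst -sha1 | awk '{print $NF}'
}

work=$(mktemp -d)
if make_cert "$work"; then
    echo "SKI in certificate: $(cert_ski "$work/mcedt.crt")"
    echo "SHA-1 of key bits:  $(expected_ski "$work/mcedt.crt")"
fi
rm -rf "$work"
```
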
Source: https://stackoverflow.com/questions/21179132/create-self-signed-certificate-with-subject-key-identifier