ssl - SubjectAltName 未添加到 CSR 中

Question

生成的 CSR 是否包含 SubjectAltName 我已将 openssl.cnf 文件配置为支持扩展，当我转储 CSR 时我可以看到主题可用而不是 SubjectAltName

CSR就是这样产生的

openssl req -new -sha256 -key ./private.key  -out ./cert.csr -config ./openssl.cnf 

并查看我使用的CSR的信息

openssl req -noout -text -in  cert.csr 

输出是

bash:/home/ubuntu# openssl req -noout -text -in  cert.csr 
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=sd, ST=sd, O=Internet Widgits Pty Ltd
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (3072 bit)
                Modulus:
                    00:ae:6f:5d:75:f6:7a:af:2f:af:2b:39:dc:f7:b6:
                    d0:61:3d:49:f7:50:a2:a6:d1:99:d8:ce:a6:24:87:
                    1f:4e:ad:02:58:c9:34:12:78:22:f3:99:29:69:c6:
                    66:78:06:4e:bc:f6:e1:f6:f6:bb:f6:52:97:a4:14:
                    d7:9d:51:03:07:20:5d:10:88:35:db:32:7a:14:9c:
                    ea:e3:55:02:7a:20:bc:3c:24:c5:db:e8:82:12:c5:
                    16:78:cb:fa:0f:79:02:30:f3:23:c1:6b:55:e1:c7:
                    06:78:30:ac:4c:63:6e:74:5d:28:58:69:20:92:90:
                    a2:3c:d3:ad:20:c5:64:e3:22:4c:8a:e0:ad:04:60:
                    2d:c0:3f:d9:05:84:9b:53:1f:17:ac:9e:49:48:68:
                    08:c6:1d:c5:fe:df:28:64:b1:6d:15:f1:90:c0:4f:
                    fe:52:c1:8e:2f:d6:20:81:84:db:ed:43:6b:a7:8c:
                    37:58:a1:7a:fb:a9:4a:80:be:f0:27:d4:4b:13:ac:
                    56:74:6e:5d:0d:a0:09:8d:96:89:92:8f:b0:af:07:
                    d8:92:6b:ea:09:15:f6:0c:68:24:30:33:7f:a3:d9:
                    e6:45:1b:95:aa:79:63:29:60:b2:2b:19:ed:ee:aa:
                    c7:5f:ce:eb:3c:62:1d:79:6a:20:ec:16:38:3b:d4:
                    06:04:db:7c:16:da:1b:cb:5c:67:ff:10:69:03:3e:
                    cd:ee:94:50:45:f4:5c:bb:3b:61:41:fb:00:56:18:
                    8c:76:09:37:b0:40:53:85:12:8e:36:a9:58:0f:4d:
                    72:82:a4:79:85:27:2f:36:1e:21:53:ba:f4:23:75:
                    f1:f6:8b:24:30:d2:e7:47:77:f3:82:6c:73:8d:d4:
                    d4:ad:af:91:a7:4d:e5:66:38:6c:e1:d1:5f:cb:b8:
                    59:7f:26:49:80:8f:2f:f6:24:02:4d:92:b3:e4:bd:
                    ef:e7:69:02:7c:a5:cf:cc:39:ca:c8:42:6c:5f:3e:
                    77:9c:c1:9a:7b:e4:61:8c:20:eb
                Exponent: 65537 (0x10001)
        Attributes:
            a0:00
    Signature Algorithm: sha256WithRSAEncryption
         0c:ef:3a:db:29:88:f6:c0:ce:f2:67:ba:61:35:3e:5f:6a:5a:
         2b:85:5f:e1:48:60:60:cb:96:77:8d:30:3b:fe:34:02:4c:04:
         78:a0:d3:ec:df:6e:43:02:92:ae:5c:6f:3c:60:fa:b7:36:d7:
         bc:d2:4b:1b:5d:61:67:d1:09:3d:6c:ee:56:81:cd:14:be:c9:
         33:b9:32:c7:eb:1d:59:f6:5c:98:6c:ae:92:27:94:15:d1:74:
         0e:55:8f:2f:9c:6e:9f:85:80:c7:b6:d7:5b:a1:41:82:f4:a8:
         73:08:de:45:5f:76:23:60:71:81:f4:ed:e0:cf:f1:14:d4:1c:
         a6:c5:f9:a4:b6:e5:d6:01:01:7c:6a:3d:aa:a2:87:25:7c:c5:
         e2:d2:0a:12:83:33:65:71:dd:43:7e:35:50:f9:99:77:72:8c:
         56:5a:d7:37:cb:a1:ea:87:a9:5f:a9:9d:c7:ae:35:59:85:02:
         3e:bd:ae:5e:c7:7a:95:31:bf:b2:0d:c8:0c:d9:45:6e:29:02:
         2a:6b:cd:5e:73:b9:31:7a:3e:95:c1:28:f7:0b:f5:26:36:eb:
         f4:ac:cc:1d:ef:01:ee:fd:a1:8b:eb:bc:f4:46:9d:42:1e:6f:
         81:2f:7a:fc:90:9e:20:24:c1:79:e9:85:04:cb:23:f4:8a:8e:
         70:33:48:50:dd:0a:30:00:bf:71:7e:15:31:23:dc:a7:b2:92:
         dd:37:d9:83:b5:1b:3c:84:17:ce:49:17:04:2b:6d:0a:7c:51:
         fa:e8:d6:97:a8:c1:96:6c:eb:c6:f1:2f:69:27:b8:c2:75:fc:
         f7:5b:d2:b8:bf:e6:d9:da:6d:3f:de:da:27:46:4d:3f:6a:b0:
         f8:b9:1a:cf:3c:29:67:7f:c4:be:bd:c1:37:db:cd:ae:d5:27:
         d3:2d:bc:71:ed:f1:d6:b5:bd:9b:ef:8b:08:c4:d2:c4:ef:ca:
         61:d2:c0:19:04:26:07:02:d3:39:56:57:05:48:a9:3d:d9:40:
         f6:2f:67:df:dd:55

我的 openssl.cnf 文件设置 alt_names 已启用

HOME                    = .
RANDFILE                = $ENV::HOME/.rnd
oid_section             = new_oids
[ new_oids ]
tsa_policy1 = 1.2.3.4.1
tsa_policy2 = 1.2.3.4.5.6
tsa_policy3 = 1.2.3.4.5.7
[ ca ]
default_ca      = CA_default
[ CA_default ]

dir             = ./demoCA              # Where everything is kept
certs           = $dir/certs            # Where the issued certs are kept
crl_dir         = $dir/crl              # Where the issued crl are kept
database        = $dir/index.txt        # database index file.
#unique_subject = no                    # Set to 'no' to allow creation of
                                        # several ctificates with same subject.
new_certs_dir   = $dir/newcerts         # default place for new certs.

certificate     = $dir/cacert.pem       # The CA certificate
serial          = $dir/serial           # The current serial number
crlnumber       = $dir/crlnumber        # the current crl number
                                        # must be commented out to leave a V1 CRL
crl             = $dir/crl.pem          # The current CRL
private_key     = $dir/private/cakey.pem# The private key
RANDFILE        = $dir/private/.rand    # private random number file

x509_extensions = usr_cert              # The extentions to add to the cert

# Comment out the following two lines for the "traditional"
# (and highly broken) format.
name_opt        = ca_default            # Subject Name options
cert_opt        = ca_default            # Certificate field options

# Extension copying option: use with caution.
copy_extensions = copy
default_days    = 365                   # how long to certify for
default_crl_days= 30                    # how long before next CRL
default_md      = default               # use public key default MD
preserve        = no                    # keep passed DN ordering

# A few difference way of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy          = policy_match

# For the CA policy
[ policy_match ]
countryName             = match
stateOrProvinceName     = match
organizationName        = match
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional
[ policy_anything ]
countryName             = optional
stateOrProvinceName     = optional
localityName            = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

####################################################################
[ req ]
default_bits            = 2048
default_keyfile         = privkey.pem
distinguished_name      = req_distinguished_name
attributes              = req_attributes
x509_extensions = v3_ca # The extentions to add to the self signed cert

# Passwords for private keys if not present they will be prompted for
# input_password = secret
# output_password = secret

# This sets a mask for permitted string types. There are several options. 
# default: PrintableString, T61String, BMPString.
# pkix   : PrintableString, BMPString (PKIX recommendation before 2004)
# utf8only: only UTF8Strings (PKIX recommendation after 2004).
# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
# MASK:XXXX a literal mask value.
# WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings.
string_mask = utf8only

# req_extensions = v3_req # The extensions to add to a certificate request

[ req_distinguished_name ]
countryName                     = Country Name (2 letter code)
countryName_default             = AU
countryName_min                 = 2
countryName_max                 = 2

stateOrProvinceName             = State or Province Name (full name)
stateOrProvinceName_default     = Some-State
localityName                    = Locality Name (eg, city)

0.organizationName              = Organization Name (eg, company)
0.organizationName_default      = Internet Widgits Pty Ltd

# we can do this but it is not needed normally :-)
#1.organizationName             = Second Organization Name (eg, company)
#1.organizationName_default     = World Wide Web Pty Ltd

organizationalUnitName          = Organizational Unit Name (eg, section)
#organizationalUnitName_default =

commonName                      = Common Name (e.g. server FQDN or YOUR name)
commonName_max                  = 64

emailAddress                    = Email Address
emailAddress_max                = 64

# SET-ex3                       = SET extension number 3

[ req_attributes ]
challengePassword               = A challenge password
challengePassword_min           = 4
challengePassword_max           = 20
unstructuredName                = An optional company name

[ usr_cert ]

# These extensions are added when 'ca' signs a request.

# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.

basicConstraints=CA:FALSE
nsComment                       = "OpenSSL Generated Certificate"

# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
[ v3_req ]

# Extensions to add to a certificate request

basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment

[ v3_ca ]
subjectAltName      = @alternate_names
keyUsage = digitalSignature, keyEncipherment
subjectKeyIdentifier=hash

authorityKeyIdentifier=keyid:always,issuer

# This is what PKIX recommends but some broken software chokes on critical
# extensions.
#basicConstraints = critical,CA:true
# So we do this instead.
basicConstraints = CA:true
[ crl_ext ]

# CRL extensions.
# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.

# issuerAltName=issuer:copy
authorityKeyIdentifier=keyid:always

[ proxy_cert_ext ]
# These extensions should be added when creating a proxy certificate

# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.

basicConstraints=CA:FALSE
nsComment                       = "OpenSSL Generated Certificate"

# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo
[ tsa ]

default_tsa = tsa_config1       # the default TSA section

[ tsa_config1 ]

# These are used by the TSA reply generation only.
dir             = ./demoCA              # TSA root directory
serial          = $dir/tsaserial        # The current serial number (mandatory)
crypto_device   = builtin               # OpenSSL engine to use for signing
signer_cert     = $dir/tsacert.pem      # The TSA signing certificate
                                        # (optional)
certs           = $dir/cacert.pem       # Certificate chain to include in reply
                                        # (optional)
signer_key      = $dir/private/tsakey.pem # The TSA private key (optional)

default_policy  = tsa_policy1           # Policy if request did not specify it
                                        # (optional)
other_policies  = tsa_policy2, tsa_policy3      # acceptable policies (optional)
digests         = md5, sha1             # Acceptable message digests (mandatory)
accuracy        = secs:1, millisecs:500, microsecs:100  # (optional)
accuracy        = secs:1, millisecs:500, microsecs:100  # (optional)
clock_precision_digits  = 0     # number of digits after dot. (optional)
ordering                = yes   # Is ordering defined for timestamps?
                                # (optional, default: no)
tsa_name                = yes   # Must the TSA name be included in the reply?
                                # (optional, default: no)
ess_cert_id_chain       = no    # Must the ESS cert id chain be included?
                                # (optional, default: no)
[ alternate_names ]
DNS.1        = test.xyz.com

Answer 1

要使其正常工作，您需要对配置进行一些更改。首先，您需要取消注释req 部分中的req_extensions 值，即:

# req_extensions = v3_req # The extensions to add to a certificate request

需要成为:

req_extensions = v3_req # The extensions to add to a certificate request

然后，在 v3_req 部分:

[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment

您还需要添加 subjectAltName(就像您在 v3_ca 部分中所做的那样)，因此:

[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName      = @alternate_names

您可能还需要从 v3_ca 部分和 v3_req 部分复制 subjectKeyIdentifier = hash 值。

这里的关键是要意识到 openssl csr 工具将 SubjectAltName (SAN) 扩展视为请求扩展，而不是 x509 扩展名。令人困惑，我知道。

总结一下，这是我使用的配置，基于上述内容，删除了所有与 openssl csr 无关的设置:

[ req ]
default_bits            = 2048
default_keyfile         = privkey.pem
default_md              = sha256
distinguished_name      = req_distinguished_name
attributes              = req_attributes
string_mask             = utf8only
req_extensions          = v3_req
x509_extensions         = v3_ca

[ req_distinguished_name ]
countryName                     = Country Name (2 letter code)
countryName_default             = AU
countryName_min                 = 2
countryName_max                 = 2

stateOrProvinceName             = State or Province Name (full name)
stateOrProvinceName_default     = Some-State
localityName                    = Locality Name (eg, city)

0.organizationName              = Organization Name (eg, company)
0.organizationName_default      = Internet Widgits Pty Ltd

organizationalUnitName          = Organizational Unit Name (eg, section)

commonName                      = Common Name (e.g. server FQDN or YOUR name)
commonName_max                  = 64

emailAddress                    = Email Address
emailAddress_max                = 64

[ req_attributes ]
challengePassword               = A challenge password
challengePassword_min           = 4
challengePassword_max           = 20
unstructuredName                = An optional company name

[ v3_req ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
subjectAltName      = @alternate_names
keyUsage = nonRepudiation, digitalSignature, keyEncipherment

[ v3_ca ]
subjectAltName      = @alternate_names
keyUsage = digitalSignature, keyEncipherment
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer

[ alternate_names ]
DNS.1        = test.xyz.com