Does the generated CSR contain a SubjectAltName? I have configured the openssl.cnf file to support extensions, but when I dump the CSR I can see the Subject but not the SubjectAltName.
The CSR is generated like this:
openssl req -new -sha256 -key ./private.key -out ./cert.csr -config ./openssl.cnf
and to view the CSR's contents I use
openssl req -noout -text -in cert.csr
The output is
bash:/home/ubuntu# openssl req -noout -text -in cert.csr
Certificate Request:
Data:
Version: 0 (0x0)
Subject: C=sd, ST=sd, O=Internet Widgits Pty Ltd
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (3072 bit)
Modulus:
00:ae:6f:5d:75:f6:7a:af:2f:af:2b:39:dc:f7:b6:
d0:61:3d:49:f7:50:a2:a6:d1:99:d8:ce:a6:24:87:
1f:4e:ad:02:58:c9:34:12:78:22:f3:99:29:69:c6:
66:78:06:4e:bc:f6:e1:f6:f6:bb:f6:52:97:a4:14:
d7:9d:51:03:07:20:5d:10:88:35:db:32:7a:14:9c:
ea:e3:55:02:7a:20:bc:3c:24:c5:db:e8:82:12:c5:
16:78:cb:fa:0f:79:02:30:f3:23:c1:6b:55:e1:c7:
06:78:30:ac:4c:63:6e:74:5d:28:58:69:20:92:90:
a2:3c:d3:ad:20:c5:64:e3:22:4c:8a:e0:ad:04:60:
2d:c0:3f:d9:05:84:9b:53:1f:17:ac:9e:49:48:68:
08:c6:1d:c5:fe:df:28:64:b1:6d:15:f1:90:c0:4f:
fe:52:c1:8e:2f:d6:20:81:84:db:ed:43:6b:a7:8c:
37:58:a1:7a:fb:a9:4a:80:be:f0:27:d4:4b:13:ac:
56:74:6e:5d:0d:a0:09:8d:96:89:92:8f:b0:af:07:
d8:92:6b:ea:09:15:f6:0c:68:24:30:33:7f:a3:d9:
e6:45:1b:95:aa:79:63:29:60:b2:2b:19:ed:ee:aa:
c7:5f:ce:eb:3c:62:1d:79:6a:20:ec:16:38:3b:d4:
06:04:db:7c:16:da:1b:cb:5c:67:ff:10:69:03:3e:
cd:ee:94:50:45:f4:5c:bb:3b:61:41:fb:00:56:18:
8c:76:09:37:b0:40:53:85:12:8e:36:a9:58:0f:4d:
72:82:a4:79:85:27:2f:36:1e:21:53:ba:f4:23:75:
f1:f6:8b:24:30:d2:e7:47:77:f3:82:6c:73:8d:d4:
d4:ad:af:91:a7:4d:e5:66:38:6c:e1:d1:5f:cb:b8:
59:7f:26:49:80:8f:2f:f6:24:02:4d:92:b3:e4:bd:
ef:e7:69:02:7c:a5:cf:cc:39:ca:c8:42:6c:5f:3e:
77:9c:c1:9a:7b:e4:61:8c:20:eb
Exponent: 65537 (0x10001)
Attributes:
a0:00
Signature Algorithm: sha256WithRSAEncryption
0c:ef:3a:db:29:88:f6:c0:ce:f2:67:ba:61:35:3e:5f:6a:5a:
2b:85:5f:e1:48:60:60:cb:96:77:8d:30:3b:fe:34:02:4c:04:
78:a0:d3:ec:df:6e:43:02:92:ae:5c:6f:3c:60:fa:b7:36:d7:
bc:d2:4b:1b:5d:61:67:d1:09:3d:6c:ee:56:81:cd:14:be:c9:
33:b9:32:c7:eb:1d:59:f6:5c:98:6c:ae:92:27:94:15:d1:74:
0e:55:8f:2f:9c:6e:9f:85:80:c7:b6:d7:5b:a1:41:82:f4:a8:
73:08:de:45:5f:76:23:60:71:81:f4:ed:e0:cf:f1:14:d4:1c:
a6:c5:f9:a4:b6:e5:d6:01:01:7c:6a:3d:aa:a2:87:25:7c:c5:
e2:d2:0a:12:83:33:65:71:dd:43:7e:35:50:f9:99:77:72:8c:
56:5a:d7:37:cb:a1:ea:87:a9:5f:a9:9d:c7:ae:35:59:85:02:
3e:bd:ae:5e:c7:7a:95:31:bf:b2:0d:c8:0c:d9:45:6e:29:02:
2a:6b:cd:5e:73:b9:31:7a:3e:95:c1:28:f7:0b:f5:26:36:eb:
f4:ac:cc:1d:ef:01:ee:fd:a1:8b:eb:bc:f4:46:9d:42:1e:6f:
81:2f:7a:fc:90:9e:20:24:c1:79:e9:85:04:cb:23:f4:8a:8e:
70:33:48:50:dd:0a:30:00:bf:71:7e:15:31:23:dc:a7:b2:92:
dd:37:d9:83:b5:1b:3c:84:17:ce:49:17:04:2b:6d:0a:7c:51:
fa:e8:d6:97:a8:c1:96:6c:eb:c6:f1:2f:69:27:b8:c2:75:fc:
f7:5b:d2:b8:bf:e6:d9:da:6d:3f:de:da:27:46:4d:3f:6a:b0:
f8:b9:1a:cf:3c:29:67:7f:c4:be:bd:c1:37:db:cd:ae:d5:27:
d3:2d:bc:71:ed:f1:d6:b5:bd:9b:ef:8b:08:c4:d2:c4:ef:ca:
61:d2:c0:19:04:26:07:02:d3:39:56:57:05:48:a9:3d:d9:40:
f6:2f:67:df:dd:55
My openssl.cnf file, with alt_names set up:
HOME = .
RANDFILE = $ENV::HOME/.rnd
oid_section = new_oids
[ new_oids ]
tsa_policy1 = 1.2.3.4.1
tsa_policy2 = 1.2.3.4.5.6
tsa_policy3 = 1.2.3.4.5.7
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = ./demoCA # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
#unique_subject = no # Set to 'no' to allow creation of
# several ctificates with same subject.
new_certs_dir = $dir/newcerts # default place for new certs.
certificate = $dir/cacert.pem # The CA certificate
serial = $dir/serial # The current serial number
crlnumber = $dir/crlnumber # the current crl number
# must be commented out to leave a V1 CRL
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/cakey.pem# The private key
RANDFILE = $dir/private/.rand # private random number file
x509_extensions = usr_cert # The extentions to add to the cert
# Comment out the following two lines for the "traditional"
# (and highly broken) format.
name_opt = ca_default # Subject Name options
cert_opt = ca_default # Certificate field options
# Extension copying option: use with caution.
copy_extensions = copy
default_days = 365 # how long to certify for
default_crl_days= 30 # how long before next CRL
default_md = default # use public key default MD
preserve = no # keep passed DN ordering
# A few difference way of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy = policy_match
# For the CA policy
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
####################################################################
[ req ]
default_bits = 2048
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca # The extentions to add to the self signed cert
# Passwords for private keys if not present they will be prompted for
# input_password = secret
# output_password = secret
# This sets a mask for permitted string types. There are several options.
# default: PrintableString, T61String, BMPString.
# pkix : PrintableString, BMPString (PKIX recommendation before 2004)
# utf8only: only UTF8Strings (PKIX recommendation after 2004).
# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
# MASK:XXXX a literal mask value.
# WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings.
string_mask = utf8only
# req_extensions = v3_req # The extensions to add to a certificate request
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = AU
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Some-State
localityName = Locality Name (eg, city)
0.organizationName = Organization Name (eg, company)
0.organizationName_default = Internet Widgits Pty Ltd
# we can do this but it is not needed normally :-)
#1.organizationName = Second Organization Name (eg, company)
#1.organizationName_default = World Wide Web Pty Ltd
organizationalUnitName = Organizational Unit Name (eg, section)
#organizationalUnitName_default =
commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_max = 64
emailAddress = Email Address
emailAddress_max = 64
# SET-ex3 = SET extension number 3
[ req_attributes ]
challengePassword = A challenge password
challengePassword_min = 4
challengePassword_max = 20
unstructuredName = An optional company name
[ usr_cert ]
# These extensions are added when 'ca' signs a request.
# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.
basicConstraints=CA:FALSE
nsComment = "OpenSSL Generated Certificate"
# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
[ v3_ca ]
subjectAltName = @alternate_names
keyUsage = digitalSignature, keyEncipherment
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer
# This is what PKIX recommends but some broken software chokes on critical
# extensions.
#basicConstraints = critical,CA:true
# So we do this instead.
basicConstraints = CA:true
[ crl_ext ]
# CRL extensions.
# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
# issuerAltName=issuer:copy
authorityKeyIdentifier=keyid:always
[ proxy_cert_ext ]
# These extensions should be added when creating a proxy certificate
# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.
basicConstraints=CA:FALSE
nsComment = "OpenSSL Generated Certificate"
# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo
[ tsa ]
default_tsa = tsa_config1 # the default TSA section
[ tsa_config1 ]
# These are used by the TSA reply generation only.
dir = ./demoCA # TSA root directory
serial = $dir/tsaserial # The current serial number (mandatory)
crypto_device = builtin # OpenSSL engine to use for signing
signer_cert = $dir/tsacert.pem # The TSA signing certificate
# (optional)
certs = $dir/cacert.pem # Certificate chain to include in reply
# (optional)
signer_key = $dir/private/tsakey.pem # The TSA private key (optional)
default_policy = tsa_policy1 # Policy if request did not specify it
# (optional)
other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional)
digests = md5, sha1 # Acceptable message digests (mandatory)
accuracy = secs:1, millisecs:500, microsecs:100 # (optional)
clock_precision_digits = 0 # number of digits after dot. (optional)
ordering = yes # Is ordering defined for timestamps?
# (optional, default: no)
tsa_name = yes # Must the TSA name be included in the reply?
# (optional, default: no)
ess_cert_id_chain = no # Must the ESS cert id chain be included?
# (optional, default: no)
[ alternate_names ]
DNS.1 = test.xyz.com
Best answer
To get this working you need to make a few changes to the configuration. First, you need to uncomment the req_extensions value in the req section, i.e.:
# req_extensions = v3_req # The extensions to add to a certificate request
needs to become:
req_extensions = v3_req # The extensions to add to a certificate request
Then, in the v3_req section:
[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
you also need to add subjectAltName (just as you did in the v3_ca section), so:
[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alternate_names
You may also want to copy the subjectKeyIdentifier = hash value from the v3_ca section into the v3_req section.
The key thing to realise here is that the openssl csr tool treats the SubjectAltName (SAN) extension as a request extension, not as an x509 extension. Confusing, I know.
To summarise, here is the configuration I used, based on the above, with all settings irrelevant to openssl csr removed:
[ req ]
default_bits = 2048
default_keyfile = privkey.pem
default_md = sha256
distinguished_name = req_distinguished_name
attributes = req_attributes
string_mask = utf8only
req_extensions = v3_req
x509_extensions = v3_ca
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = AU
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Some-State
localityName = Locality Name (eg, city)
0.organizationName = Organization Name (eg, company)
0.organizationName_default = Internet Widgits Pty Ltd
organizationalUnitName = Organizational Unit Name (eg, section)
commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_max = 64
emailAddress = Email Address
emailAddress_max = 64
[ req_attributes ]
challengePassword = A challenge password
challengePassword_min = 4
challengePassword_max = 20
unstructuredName = An optional company name
[ v3_req ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
subjectAltName = @alternate_names
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
[ v3_ca ]
subjectAltName = @alternate_names
keyUsage = digitalSignature, keyEncipherment
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
[ alternate_names ]
DNS.1 = test.xyz.com
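The procedure from the answer, end to end, as an added example that is not part of the original question or answer: a minimal req-only openssl.cnf with req_extensions = v3_req pointing at a section that carries subjectAltName, the same openssl req invocation the question uses, and a check that greps the decoded CSR for the SAN instead of eyeballing the dump. The working directory, the second DNS name and the prompt = no DN values are assumptions for the demo.

```shell
#!/bin/sh
# Added example: build a CSR whose Requested Extensions carry a SAN,
# then verify the SAN is really in the request. Not from the original post.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # assumption: a scratch directory

# Minimal req config. The decisive line is req_extensions = v3_req:
# without it "openssl req" ignores [ v3_req ] and emits no SAN.
write_config() {
  cat > "$WORK/openssl.cnf" <<'EOF'
[ req ]
default_bits        = 2048
default_md          = sha256
prompt              = no
distinguished_name  = req_distinguished_name
req_extensions      = v3_req

[ req_distinguished_name ]
C  = AU
ST = Some-State
O  = Internet Widgits Pty Ltd
CN = test.xyz.com

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage         = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName   = @alternate_names

[ alternate_names ]
DNS.1 = test.xyz.com
DNS.2 = www.test.xyz.com
EOF
}

# Generate a key and the CSR the same way the question does (-config).
make_csr() {
  openssl genrsa -out "$WORK/private.key" 2048 2>/dev/null
  openssl req -new -sha256 -key "$WORK/private.key" \
      -config "$WORK/openssl.cnf" -out "$WORK/cert.csr"
}

# Print the SAN value line from the decoded CSR; empty output means no SAN.
csr_san() {
  openssl req -noout -text -in "$WORK/cert.csr" \
    | grep -A1 'X509v3 Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
}

# Succeed only if every DNS name given as an argument is in the CSR's SAN.
csr_has_san() {
  san=$(csr_san)
  for name in "$@"; do
    case "$san" in
      *"DNS:$name"*) ;;
      *) return 1 ;;
    esac
  done
  return 0
}

write_config
make_csr
csr_has_san test.xyz.com www.test.xyz.com && echo "SAN present: $(csr_san)"
```

Two practical notes. The SAN in the CSR only reaches the issued certificate if the CA copies request extensions; the questioner's [ CA_default ] already has copy_extensions = copy, and the "use with caution" comment there is warranted because it lets the requester, not the CA, decide which names go into the certificate, so review CSRs before signing. On OpenSSL 1.1.1 and later you can also skip the config edit entirely with openssl req ... -addext "subjectAltName=DNS:test.xyz.com".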
For "ssl - SubjectAltName not added to CSR", a similar question was found on Stack Overflow: https://stackoverflow.com/questions/34877563/