
OpenSSL configuration error "string too long" when generating a self-signed certificate

Reposted. Author: 行者123. Updated: 2023-12-03 16:24:11

Using the following OpenSSL configuration:

[ req ]
default_bits = 2048
default_md = sha256
default_keyfile = drone-ci-web.company.com.key.pem
distinguished_name = subject
req_extensions = req_ext
x509_extensions = x509_ext
string_mask = utf8only
prompt = no
encrypt_key = no

[ subject ]
countryName = Country Name (2 letter code)
countryName_default = US
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Missouri
localityName = Locality Name (eg, city)
localityName_default = Jefferson City
organizationName = Organization Name (eg, company)
organizationName_default = My Company
organizationalUnitName = Organizational Unit (eg, team)
organizationalUnitName_default = My Company Technologies
commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_default = drone-ci-web.company.com
emailAddress = Email Address
emailAddress_default = DL_EMAIL_LIST@company.com

[ x509_ext ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
subjectAltName = @alternate_names
nsComment = "Drone-CI - OpenSSL Generated Certificate"

[ req_ext ]
subjectKeyIdentifier = hash
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
subjectAltName = @alternate_names
nsComment = "Drone-CI - OpenSSL Generated Certificate"

[ alternate_names ]
DNS.1 = drone-ci-web.company.com

I run the following command:
sudo openssl req -x509 -config drone-ssl.cnf -new -out drone-ci-web.company.com.cert.pem

I get the following error:
[vagrant@jonspc ~]$ sudo openssl req -x509 -config drone-ssl.cnf -new -out drone-ci-web.ccompany.com.cert.pem
Generating a 2048 bit RSA private key
..............................................................................................................+++
....................+++
writing new private key to 'drone-ci-web.company.com.key.pem'
-----
problems making Certificate Request
140184216713104:error:0D07A097:asn1 encoding routines:ASN1_mbstring_ncopy:string too long:a_mbstr.c:158:maxsize=2

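From what I think it is telling me, one of the fields it is trying to use is "too long" and is only two characters, but from what I have been reading, countryName_default should override countryName and make it accept the default value.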

OpenSSL and operating system information:
[vagrant@jonspc ~]$ openssl version
OpenSSL 1.0.2k-fips 26 Jan 2017
[vagrant@jonspc ~]$ cat /etc/oracle-release
Oracle Linux Server release 7.5
[vagrant@jonspc ~]$ cat /etc/redhat-release
Red Hat Enterprise Linux Server release 7.5 (Maipo)

However, if I remove the _default lines and retry, it succeeds with the following configuration.
[ req ]
default_bits = 2048
default_md = sha256
default_keyfile = drone-ci-web.company.com.key.pem
distinguished_name = subject
req_extensions = req_ext
x509_extensions = x509_ext
string_mask = utf8only
prompt = no
encrypt_key = no

[ subject ]
countryName = US
stateOrProvinceName = Missouri
localityName = Jefferson City
organizationName = My Company
organizationalUnitName = My Company Technologies
commonName = drone-ci-web.company.com
emailAddress = DL_EMAIL_LIST@company.com

[ x509_ext ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
subjectAltName = @alternate_names
nsComment = "Drone-CI - OpenSSL Generated Certificate"

[ req_ext ]
subjectKeyIdentifier = hash
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
subjectAltName = @alternate_names
nsComment = "Drone-CI - OpenSSL Generated Certificate"

[ alternate_names ]
DNS.1 = drone-ci-web.company.com

This works, with the following output.
[vagrant@jonspc ~]$ sudo openssl req -x509 -config drone-ssl.cnf -new -out drone-ci-web.company.com.cert.pem
Generating a 2048 bit RSA private key
..............+++
..............+++
writing new private key to 'drone-ci-web.company.com.key.pem'
-----

Best answer

From the documentation:

DISTINGUISHED NAME AND ATTRIBUTE SECTION FORMAT

There are two separate formats for the distinguished name and attribute sections. If the prompt option is set to no then these sections just consist of field names and values: for example,

CN=My Name
OU=My Organization
emailAddress=someone@somewhere.org

This allows external programs (e.g. GUI based) to generate a template file with all the field names and values and just pass it to req. An example of this kind of configuration file is contained in the EXAMPLES section. Alternatively if the prompt option is absent or not set to no then the file contains field prompting information. It consists of lines of the form:

fieldName="prompt"
fieldName_default="default field value"
fieldName_min= 2
fieldName_max= 4

So basically you figured it out yourself.
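
An added example, not part of the original question or answer: a small Python linter for the mismatch described above, where `prompt = no` is combined with prompt-format distinguished name lines. The function names and the abbreviated sample config are constructed for illustration, and the parser ignores quoting and escapes in values.

```python
import re

# Constructed sample: abbreviated form of the failing config from the question.
SAMPLE = """
[ req ]
distinguished_name = subject
prompt = no

[ subject ]
countryName = Country Name (2 letter code)
countryName_default = US
commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_default = drone-ci-web.company.com
"""

# Key suffixes that only make sense in the prompting format.
PROMPT_SUFFIXES = ("_default", "_min", "_max")

def parse_conf(text):
    """Parse OpenSSL-style config text into {section: [(key, value), ...]}."""
    sections, current = {}, "default"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # simplification: '#' always starts a comment
        if not line:
            continue
        m = re.fullmatch(r"\[\s*(\w+)\s*\]", line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            sections.setdefault(current, []).append((key, value))
    return sections

def lint_req_dn(text):
    """Return findings when the DN section format does not match prompt = no."""
    conf = parse_conf(text)
    req = dict(conf.get("req", []))
    dn = conf.get(req.get("distinguished_name", ""), [])
    no_prompt = req.get("prompt", "").lower() == "no"
    findings = []
    for key, value in dn:
        if no_prompt and key.endswith(PROMPT_SUFFIXES):
            findings.append(f"{key}: prompt-format key, but prompt = no expects fieldName = value")
        elif no_prompt and key == "countryName" and len(value) != 2:
            # With prompt = no the prompt text itself becomes the value (maxsize=2 in the error).
            findings.append(f"countryName: literal value {value!r} is not a 2-letter code")
    return findings
```

Running `lint_req_dn` on a config before handing it to `openssl req` surfaces the literal prompt text in `countryName` that produced the `string too long` error in the question.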

Regarding this OpenSSL configuration error ("string too long") when generating a self-signed certificate, we found a similar question on Stack Overflow: https://stackoverflow.com/questions/54081575/
