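I am generating a self-signed certificate with OpenSSL by following the steps here: Create PKCS#12 file with self-signed certificate via OpenSSL in Windows for my Android App.
openssl req -x509 -days 365 -subj "/CN=此处需要的多行" -newkey rsa:1024 -keyout mycert.pem -out mycert.pem
Here the subject is filled in by the prompts in cmd, such as Country, State, etc. I want to provide a multi-line value for the CN attribute. How do I do this on the command line?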
Answer 0 (score: 16)
...what about the case where I need multiple domain names, like www.google.com and www.yahoo.com?
Here is how you add multiple DNS names to a certificate. You have to add them via Subject Alternate Names (SAN).
In your case, add www.google.com and www.yahoo.com under the alternate_names section.
(I am not sure whether this is an answer or a comment. It is still not clear to me whether you want to try to break PKI things by adding a CRLF to the Common Name, or whether you just want to add multiple DNS names to a certificate.)
First
$ touch example-com.conf
Second
Add the following to the configuration file. Tune it to suit your taste.
[ req ]
default_bits = 2048
default_keyfile = server-key.pem
distinguished_name = subject
req_extensions = extensions
x509_extensions = extensions
string_mask = utf8only
[ subject ]
countryName = Country Name (2 letter code)
countryName_default = US
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = NY
localityName = Locality Name (eg, city)
localityName_default = New York
organizationName = Organization Name (eg, company)
organizationName_default = Example, LLC
commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_default = Example, LLC
emailAddress = Email Address
emailAddress_default = test@example.com
[ extensions ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alternate_names
nsComment = "OpenSSL Generated Certificate"
[ alternate_names ]
DNS.1 = example.com
DNS.2 = www.example.com
DNS.3 = mail.example.com
DNS.4 = ftp.example.com
Third
Generate the certificate with the following. It generates a new key for each request. Tune it to suit your taste. For example, if you omit -x509, you get a CSR rather than a certificate.
$ openssl req -config example-com.conf -new -x509 -newkey rsa:2048 -nodes \
-keyout example-com.key.pem -days 365 -out example-com.cert.pem
Fourth
Examine the certificate with the following.
$ openssl x509 -in example-com.cert.pem -text -noout
You will see multiple DNS names in the SAN.
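
When the alternate_names entries are produced by a script instead of being typed by hand, each name should be validated before it is written into the configuration file, because a CR/LF inside a name would add extra lines to the config. The following is an added example, not part of the original answer; valid_dns_name and san_section are hypothetical helper names, and the check deliberately rejects wildcard names and trailing dots.

```shell
#!/bin/sh
# Added example: build the [ alternate_names ] section from a list of host names.
# valid_dns_name and san_section are hypothetical helpers, not part of OpenSSL.

# valid_dns_name NAME -> returns 0 if NAME is a plain DNS host name.
# Rejects CR/LF and every other character that could alter the config file.
valid_dns_name() {
    name=$1
    # Non-empty and at most 253 characters.
    [ -n "$name" ] && [ "${#name}" -le 253 ] || return 1
    # Letters, digits, dots and hyphens only (no newline, '=', '[', '#', space).
    case $name in
        *[!A-Za-z0-9.-]*) return 1 ;;
    esac
    # No empty labels and no label that starts or ends with a hyphen.
    case ".$name." in
        *..*|*.-*|*-.*) return 1 ;;
    esac
    return 0
}

# san_section NAME... -> prints the section on stdout.
# All names are validated first, so a bad name produces no partial output.
san_section() {
    for n in "$@"; do
        valid_dns_name "$n" || { echo "rejected: invalid DNS name" >&2; return 1; }
    done
    echo "[ alternate_names ]"
    i=1
    for n in "$@"; do
        echo "DNS.$i = $n"
        i=$((i + 1))
    done
}
```

The output of san_section www.google.com www.yahoo.com can replace the [ alternate_names ] section of example-com.conf before running the openssl req command from the answer.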