How can I specify startdate and enddate for a self-signed certificate on the command line?

Time: 2018-03-28 13:41:36

Tags: ssl openssl self-signed

I am trying to generate a self-signed certificate with a single command line, specifying the subject, some extensions, and the start and end dates.

So far I have found this solution

openssl req -x509 -sha1 -key /tmp/server.key -out /tmp/server.crt \
    -subj "/C=US/CN=192.168.56.101/" -extensions SAN -config \
    <(printf "[ca]\ndefault_ca=CA_default\n[CA_default]\n[req]\ndistinguished_name=dn\n[dn]CN=not.used\n[SAN]\nsubjectAltName=DNS:ottavio.com,DNS:www.ottavio.com") \
    -subj "/C=US/ST=CA/O=Acme, Inc./CN=example.com"

which creates the required certificate with the given subject and extensions:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            c7:e8:23:02:ea:f0:67:4c
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C = US, ST = CA, O = "Acme, Inc.", CN = example.com
        Validity
            Not Before: Mar 28 13:33:24 2018 GMT
            Not After : Apr 27 13:33:24 2018 GMT
        Subject: C = US, ST = CA, O = "Acme, Inc.", CN = example.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:d8:4e:f8:22:7d:85:b7:fe:13:c0:e8:c8:f3:91:
                    9e:47:3e:c2:81:ad:54:7e:d1:9f:45:a2:a2:a1:45:
                    38:fe:d9:9c:84:8a:2c:ed:02:59:41:b3:eb:91:ec:
                    3b:b9:9a:4b:a8:dd:ca:cc:d5:14:18:9e:9a:4d:95:
                    ad:b8:70:9b:81:ff:7b:a8:39:63:10:fa:13:f4:b7:
                    a7:5a:f6:1e:e8:ba:d8:e8:fa:37:5c:7e:d5:92:5a:
                    02:10:b8:06:62:7d:19:7c:16:cd:28:5c:20:37:1f:
                    3a:e9:19:d4:cc:3d:99:26:25:1a:e0:b6:fa:9f:7c:
                    08:be:27:42:71:d6:f8:6f:0d:da:1e:f8:03:ea:3e:
                    07:7d:c8:40:7e:be:39:38:83:e2:8b:cb:89:f8:51:
                    aa:11:68:b0:db:cf:31:c5:02:10:81:f2:c8:d8:8e:
                    0c:61:b1:a3:5b:e5:23:cf:fc:20:86:70:95:7a:33:
                    c8:57:7a:3a:71:74:25:2b:13:ac:fe:dc:84:06:f9:
                    64:65:a4:e5:67:a4:f9:18:31:b3:15:6e:34:62:70:
                    df:90:78:b9:19:2c:3a:b9:30:c6:99:a3:59:2c:d2:
                    a2:e9:67:90:f0:f9:a7:7d:a8:67:b0:c6:48:3f:df:
                    f3:81:ac:d6:5e:72:d1:11:f2:3d:27:db:32:0c:01:
                    8c:3f
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Alternative Name: 
                DNS:ottavio.com, DNS:www.ottavio.com
    Signature Algorithm: sha1WithRSAEncryption
         bf:42:c8:87:52:06:83:05:e5:6a:2d:0f:dc:d6:8e:83:ec:f7:
         24:37:3a:f0:1e:15:a8:ac:16:df:d0:5a:74:74:c4:ad:20:d0:
         fe:3b:87:87:e9:43:30:43:a4:9a:03:4a:3e:8b:b0:73:06:cd:
         91:ca:73:8f:e6:23:ca:82:aa:c0:fa:03:88:0c:3a:89:d3:7f:
         ab:6d:ec:d7:dd:7c:4c:fd:bd:ec:8e:86:00:3c:8d:fa:c5:89:
         cb:80:61:b3:41:3d:e7:0c:22:83:bb:ef:66:58:5b:8c:9c:c2:
         de:23:76:85:64:5c:61:a6:b6:14:17:f5:de:b2:ee:44:8d:90:
         1b:0f:53:5d:d7:a8:98:7f:11:dc:8e:a2:1e:fb:ec:48:da:7a:
         c0:14:40:df:c7:4e:cb:5e:ef:b7:67:34:4f:57:6e:5f:96:1a:
         cb:aa:66:86:3e:c5:af:c6:e1:be:17:b4:d9:83:86:c8:2c:6c:
         41:4d:6d:bb:57:ce:49:64:ec:08:a9:26:33:f2:39:d2:16:bd:
         9b:a4:ab:46:43:a9:ff:d2:51:2c:da:a2:0e:dd:5a:33:fb:6f:
         c3:18:d9:7a:87:32:dc:4f:a5:23:dc:4f:2f:79:be:15:41:11:
         53:08:d2:ad:21:fd:95:8e:0d:71:da:a0:77:02:45:f4:32:20:
         6b:0e:6b:0f
notBefore=Mar 28 13:33:24 2018 GMT
notAfter=Apr 27 13:33:24 2018 GMT

My problem is that I want to be able to change the notBefore and notAfter fields. I think I could put something into the -config argument, but I cannot work out what is missing.

How can I do this?

1 answer:

Answer 0: (score: 0)

This is not possible with the default openssl command-line options; a good explanation of this can be found here: https://security.stackexchange.com/a/31609/54143

But it is still possible to create the certificate programmatically; here is a very basic example using golang:

https://play.golang.org/p/i4Sf7Noak80

package main

import (
    "bytes"
    "crypto/rand"
    "crypto/rsa"
    "crypto/x509"
    "crypto/x509/pkix"
    "encoding/pem"
    "io/ioutil"
    "math/big"
    "time"
)

func main() {
    // The template is used as both subject and issuer (self-signed);
    // NotBefore/NotAfter are set directly here, which the openssl req
    // command line does not allow.
    template := x509.Certificate{
        SerialNumber: big.NewInt(time.Now().Unix()),
        Subject:      pkix.Name{Organization: []string{"localhost"}},
        NotBefore:    time.Now().AddDate(0, 0, 7),
        NotAfter:     time.Now().AddDate(1, 0, 7),
        KeyUsage:     x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
        ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
        DNSNames:     []string{"localhost"},
    }
    privatekey, err := rsa.GenerateKey(rand.Reader, 2048)
    if err != nil {
        panic(err)
    }
    crt, err := x509.CreateCertificate(rand.Reader,
        &template,
        &template,
        &privatekey.PublicKey,
        privatekey)
    if err != nil {
        panic(err)
    }
    var certOut, keyOut bytes.Buffer
    if err := pem.Encode(&certOut, &pem.Block{Type: "CERTIFICATE", Bytes: crt}); err != nil {
        panic(err)
    }
    if err := pem.Encode(&keyOut, &pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(privatekey)}); err != nil {
        panic(err)
    }
    // The private key file must not be world-readable.
    if err := ioutil.WriteFile("/tmp/key", keyOut.Bytes(), 0600); err != nil {
        panic(err)
    }
    if err := ioutil.WriteFile("/tmp/pem", certOut.Bytes(), 0644); err != nil {
        panic(err)
    }
}

Note that:

NotBefore:    time.Now().AddDate(0, 0, 7),
NotAfter:     time.Now().AddDate(1, 0, 7),

which in this case creates a certificate valid from 7 days from now until 1 year after that; more options can be added to the template, but hopefully this helps as a basic example.
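As an added example (not the original answer's code), a Go program that takes the notBefore/notAfter values the question asks for directly as arguments, reusing the question's subject and SAN names; the remaining field choices are assumptions. It also parses the PEM back, so the validity window actually written into the certificate can be checked.

```go
// Added example, not the original answer's code: subject and SAN values come from the question; the rest is assumed.
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"math/big"
	"time"
)

// SelfSigned returns a PEM-encoded self-signed server certificate whose
// validity window is exactly [notBefore, notAfter], chosen by the caller.
func SelfSigned(notBefore, notAfter time.Time, dnsNames []string) ([]byte, error) {
	if !notAfter.After(notBefore) { // reject an empty or inverted validity window
		return nil, errors.New("notAfter must be later than notBefore")
	}
	tmpl := x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject: pkix.Name{Country: []string{"US"}, Province: []string{"CA"},
			Organization: []string{"Acme, Inc."}, CommonName: "example.com"},
		NotBefore:             notBefore, // stored in the certificate as UTC, to the second
		NotAfter:              notAfter,
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		DNSNames:              dnsNames,
		BasicConstraintsValid: true, // encodes CA:FALSE, as a leaf certificate should
	}
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	der, err := x509.CreateCertificate(rand.Reader, &tmpl, &tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

// Parse reads the PEM back so NotBefore, NotAfter and DNSNames can be checked.
func Parse(certPEM []byte) (*x509.Certificate, error) {
	block, _ := pem.Decode(certPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, errors.New("no CERTIFICATE block in input")
	}
	return x509.ParseCertificate(block.Bytes)
}
```

The same PEM can be inspected with `openssl x509 -noout -dates` to confirm the notBefore/notAfter values match what was passed in.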