I am trying to generate a self-signed certificate with a single command line, specifying the subject, some extensions, and the start and end dates.
So far I have found this solution:
    openssl req -x509 -sha1 -key /tmp/server.key -out /tmp/server.crt \
        -extensions SAN -config \
        <(printf "[ca]\ndefault_ca=CA_default\n[CA_default]\n[req]\ndistinguished_name=dn\n[dn]\nCN=not.used\n[SAN]\nsubjectAltName=DNS:ottavio.com,DNS:www.ottavio.com") \
        -subj "/C=US/ST=CA/O=Acme, Inc./CN=example.com"
which creates the required certificate with that subject and those extensions:
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number:
                c7:e8:23:02:ea:f0:67:4c
        Signature Algorithm: sha1WithRSAEncryption
            Issuer: C = US, ST = CA, O = "Acme, Inc.", CN = example.com
            Validity
                Not Before: Mar 28 13:33:24 2018 GMT
                Not After : Apr 27 13:33:24 2018 GMT
            Subject: C = US, ST = CA, O = "Acme, Inc.", CN = example.com
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                    Public-Key: (2048 bit)
                    Modulus:
                    Exponent: 65537 (0x10001)
            X509v3 extensions:
                X509v3 Subject Alternative Name:
                    DNS:ottavio.com, DNS:www.ottavio.com
        Signature Algorithm: sha1WithRSAEncryption
    notBefore=Mar 28 13:33:24 2018 GMT
    notAfter=Apr 27 13:33:24 2018 GMT
My problem is that I want to be able to change the notBefore and notAfter fields. I think I could add something to the -config argument, but I cannot figure out what is missing.
How can I do this?
Answer 0 (score: 0)
This is not possible using the default openssl command-line options; a good explanation of why can be found here: https://security.stackexchange.com/a/31609/54143.
However, it is still possible to create the certificate programmatically. Here is a very basic example using golang:
https://play.golang.org/p/i4Sf7Noak80
    package main

    import (
    	"bytes"
    	"crypto/rand"
    	"crypto/rsa"
    	"crypto/x509"
    	"crypto/x509/pkix"
    	"encoding/pem"
    	"io/ioutil"
    	"math/big"
    	"time"
    )

    func main() {
    	// The template carries every field the openssl config would have set,
    	// including the validity window that `openssl req` does not let you choose.
    	template := x509.Certificate{
    		SerialNumber: big.NewInt(time.Now().Unix()),
    		Subject:      pkix.Name{Organization: []string{"localhost"}},
    		NotBefore:    time.Now().AddDate(0, 0, 7), // valid from 7 days from now
    		NotAfter:     time.Now().AddDate(1, 0, 7), // until 1 year after that
    		KeyUsage:     x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
    		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
    		DNSNames:     []string{"localhost"}, // subjectAltName
    	}
    	privatekey, err := rsa.GenerateKey(rand.Reader, 2048)
    	if err != nil {
    		panic(err)
    	}
    	// Self-signed: the template is both subject and issuer, and the certificate
    	// is signed with the key whose public half it contains.
    	crt, err := x509.CreateCertificate(rand.Reader,
    		&template,
    		&template,
    		&privatekey.PublicKey,
    		privatekey)
    	if err != nil {
    		panic(err)
    	}
    	var certOut, keyOut bytes.Buffer
    	pem.Encode(&certOut, &pem.Block{Type: "CERTIFICATE", Bytes: crt})
    	pem.Encode(&keyOut, &pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(privatekey)})
    	// The private key is written owner-only (0600); the certificate is public.
    	if err := ioutil.WriteFile("/tmp/key", keyOut.Bytes(), 0600); err != nil {
    		panic(err)
    	}
    	if err := ioutil.WriteFile("/tmp/pem", certOut.Bytes(), 0644); err != nil {
    		panic(err)
    	}
    }
Please note:
    NotBefore: time.Now().AddDate(0, 0, 7),
    NotAfter: time.Now().AddDate(1, 0, 7),
in this case creates a certificate valid from 7 days from now for 1 year. More options can be added to the template, but hopefully this basic example helps.
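As an added example (not the answer's code and not part of the Go or OpenSSL projects), the same approach carried through with the question's own subject and SAN list, plus a check that the chosen NotBefore/NotAfter are actually enforced the way a TLS client would enforce them. The function names MakeCert and ValidAt are mine; the dates and host names are constructed test input.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// MakeCert builds a self-signed DER certificate with an explicit validity
// window, the subject from the question's openssl command and its SAN entries.
func MakeCert(notBefore, notAfter time.Time, dnsNames []string) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	// Random 128-bit serial: serials must be unique per issuer, and a
	// time.Now().Unix() serial collides when two certs are made in one second.
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, err
	}
	tmpl := x509.Certificate{
		SerialNumber: serial,
		Subject: pkix.Name{Country: []string{"US"}, Province: []string{"CA"},
			Organization: []string{"Acme, Inc."}, CommonName: "example.com"},
		NotBefore:   notBefore,
		NotAfter:    notAfter,
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		DNSNames:    dnsNames,
	}
	return x509.CreateCertificate(rand.Reader, &tmpl, &tmpl, &key.PublicKey, key)
}

// ValidAt reports whether the DER certificate verifies as a server certificate
// for host at instant `at`, i.e. the dates are applied the way a TLS client would.
func ValidAt(der []byte, host string, at time.Time) (bool, error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return false, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(cert) // self-signed: the certificate is its own trust anchor
	_, err = cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: host, CurrentTime: at})
	return err == nil, nil
}
```

Note that once a subjectAltName is present, the CN (example.com) is not used for host matching, so only the SAN entries verify.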