Using the following OpenSSL config:
[ req ]
default_bits = 2048
default_md = sha256
default_keyfile = drone-ci-web.company.com.key.pem
distinguished_name = subject
req_extensions = req_ext
x509_extensions = x509_ext
string_mask = utf8only
prompt = no
encrypt_key = no
[ subject ]
countryName = Country Name (2 letter code)
countryName_default = US
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Missouri
localityName = Locality Name (eg, city)
localityName_default = Jefferson City
organizationName = Organization Name (eg, company)
organizationName_default = My Company
organizationalUnitName = Organizational Unit (eg, team)
organizationalUnitName_default = My Company Technologies
commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_default = drone-ci-web.company.com
emailAddress = Email Address
emailAddress_default = DL_EMAIL_LIST@company.com
[ x509_ext ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
subjectAltName = @alternate_names
nsComment = "Drone-CI - OpenSSL Generated Certificate"
[ req_ext ]
subjectKeyIdentifier = hash
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
subjectAltName = @alternate_names
nsComment = "Drone-CI - OpenSSL Generated Certificate"
[ alternate_names ]
DNS.1 = drone-ci-web.company.com
I run the following command:
sudo openssl req -x509 -config drone-ssl.cnf -new -out drone-ci-web.company.com.cert.pem
and I get the following error message:
vagrant@jonspc ~]$ sudo openssl req -x509 -config drone-ssl.cnf -new -out drone-ci-web.ccompany.com.cert.pem
Generating a 2048 bit RSA private key
..............................................................................................................+++
....................+++
writing new private key to 'drone-ci-web.company.com.key.pem'
-----
problems making Certificate Request
140184216713104:error:0D07A097:asn1 encoding routines:ASN1_mbstring_ncopy:string too long:a_mbstr.c:158:maxsize=2
From what I think it is telling me, one of the fields it is trying to use is "too long" and only has two characters, but from what I keep reading, countryName_default should override countryName and make it accept the default value.
OpenSSL and OS info:
[vagrant@jonspc ~]$ openssl version
OpenSSL 1.0.2k-fips 26 Jan 2017
[vagrant@jonspc ~]$ cat /etc/oracle-release
Oracle Linux Server release 7.5
[vagrant@jonspc ~]$ cat /etc/redhat-release
Red Hat Enterprise Linux Server release 7.5 (Maipo)
However, if I remove the _default lines and retry, it succeeds using the following configuration.
This works with the following output.
[ req ]
default_bits = 2048
default_md = sha256
default_keyfile = drone-ci-web.company.com.key.pem
distinguished_name = subject
req_extensions = req_ext
x509_extensions = x509_ext
string_mask = utf8only
prompt = no
encrypt_key = no
[ subject ]
countryName = US
stateOrProvinceName = Missouri
localityName = Jefferson City
organizationName = My Company
organizationalUnitName = My Company Technologies
commonName = drone-ci-web.company.com
emailAddress = DL_EMAIL_LIST@company.com
[ x509_ext ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
subjectAltName = @alternate_names
nsComment = "Drone-CI - OpenSSL Generated Certificate"
[ req_ext ]
subjectKeyIdentifier = hash
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
subjectAltName = @alternate_names
nsComment = "Drone-CI - OpenSSL Generated Certificate"
[ alternate_names ]
DNS.1 = drone-ci-web.company.com
Answer 0 (score: 1)
There are two separate formats for the distinguished name and attribute sections. If the prompt option is set to no then these sections just consist of field names and values: for example,
CN=My Name
OU=My Organization
emailAddress=someone@somewhere.org
This allows external programs (e.g. GUI based) to generate a template file with all the field names and values and just pass it to req. An example of this kind of configuration file is contained in the EXAMPLES section. Alternatively, if the prompt option is absent or not set to no, then the file contains field prompting information. It consists of lines of the form:
fieldName="prompt"
fieldName_default="default field value"
fieldName_min= 2
fieldName_max= 4
So basically you figured it out yourself.
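As an added example (not part of the question or the answer), here is a small Python linter that applies the rule the man page excerpt describes: with prompt = no, every key in the distinguished_name section is taken as a literal attribute=value pair, so the question's countryName line is used verbatim and the _default keys are ignored. The parser and the MAX_LEN table are my own; the limits are the attribute upper bounds OpenSSL enforces (countryName is 2, matching maxsize=2 in the error), and the sample configs are constructed to mirror the question.

```python
import re

# Upper bounds OpenSSL enforces on DN attribute lengths (the error above showed maxsize=2 for C)
MAX_LEN = {"countryName": 2, "commonName": 64, "organizationName": 64,
           "organizationalUnitName": 64, "stateOrProvinceName": 128,
           "localityName": 128, "emailAddress": 128}
SUFFIX = re.compile(r"_(default|min|max|value)$")  # helper keys that only mean something in prompt mode

def parse_cnf(text):
    """Tiny OpenSSL-style config parser -> {section: {key: value}}; comments and blanks dropped."""
    sections, cur = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.fullmatch(r"\[\s*(\S+)\s*\]", line)
        if m:
            cur = sections.setdefault(m.group(1), {})
        elif cur is not None and "=" in line:
            key, val = (s.strip() for s in line.split("=", 1))
            cur[key] = val
    return sections

def lint_req(text):
    """Problems in the distinguished_name section for the config's prompt mode ([] if none)."""
    cfg = parse_cnf(text)
    req = cfg.get("req", {})
    dn = cfg.get(req.get("distinguished_name", ""), {})
    if req.get("prompt", "").lower() != "no":
        return []  # prompt mode: bare keys are prompt strings and *_default keys supply the values
    problems = []
    for key, val in dn.items():
        if SUFFIX.search(key):
            problems.append(f"{key}: not a known attribute, silently ignored when prompt = no")
        elif key in MAX_LEN and len(val) > MAX_LEN[key]:
            problems.append(f"{key}: literal value {val!r} exceeds {MAX_LEN[key]} chars")
    return problems

# Constructed samples mirroring the question: the failing layout and the working one
BROKEN = """[ req ]
prompt = no
distinguished_name = subject
[ subject ]
countryName = Country Name (2 letter code)
countryName_default = US
commonName = drone-ci-web.company.com
"""
FIXED = BROKEN.replace("Country Name (2 letter code)", "US").replace("countryName_default = US\n", "")
```

Running lint_req(BROKEN) reports the countryName line as too long and countryName_default as ignored, while lint_req(FIXED) returns an empty list.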