Certificate
X.509 簽名證書有效性
我們正在嘗試為 Kafka 伺服器集群生成伺服器證書,以通過 SSL 進行通信。
該程序有效,但證書的最終有效期僅為 30 天。
我們請求 365 天,並且在“步驟 1”(見下文)之後,我們有一個具有正確有效性的密鑰對。見下文 (1)。
但是,在我們將簽名證書導入回密鑰庫後,有效期已減少到 30 天。見下文 (2)。
為什麼會這樣,我們該如何解決?
echo "Step1: Create the server identity and keystore" $ORACLE_JDK_1_8_0_u181_keytool -genkey -keystore keystore.p12 -alias localhost -validity 365 -keyalg RSA -deststoretype pkcs12 -ext SAN="DNS:$SERVER_NAME.corp.com,IP:1.2.3.4" $ORACLE_JDK_1_8_0_u181_keytool -list -v -keystore keystore.p12 -storepass $KPWD # (1) Shows validity of 365 days: correct echo "Step2: Export the private key from the keystore to a separate file" openssl pkcs12 -in keystore.p12 -nodes -nocerts -out $SERVER_NAME_key.pem -passin pass:$KPWD -passout pass:$KPWD echo "Step3: Create a Certificate Signing Request (CSR)" openssl req -new -key $SERVER_NAME_key.pem -out $SERVER_NAME.csr -passin pass:$KPWD -passout pass:$KPWD echo "Step6 Sign the server certificate" openssl x509 -req -in $SERVER_NAME.csr -CA CAcert.pem -CAkey CAkey.pem -CAcreateserial -out $SERVER_NAME_key_signed.pem -passin pass:$CAPD echo "Step7: Import both the certificate of the CA and the signed certificate into the keystore." $ORACLE_JDK_1_8_0_u181_keytool -keystore keystore.p12 -alias CARoot -import -file CAcert.pem -storepass $KPWD $ORACLE_JDK_1_8_0_u181_keytool -keystore keystore.p12 -alias localhost -import -file $SERVER_NAME_key_signed.pem -storepass $KPWD $ORACLE_JDK_1_8_0_u181_keytool -list -v -keystore keystore.p12 -storepass $KPWD # (2) Shows validity of 30 days: WRONG. WHY?
您應該
-days
在這一行中添加:openssl x509 -req -in $SERVER_NAME.csr -CA CAcert.pem -CAkey CAkey.pem -CAcreateserial -out $SERVER_NAME_key_signed.pem -passin pass:$CAPD
成為
openssl x509 -req -days 365 -in $SERVER_NAME.csr -CA CAcert.pem -CAkey CAkey.pem -CAcreateserial -out $SERVER_NAME_key_signed.pem -passin pass:$CAPD