Linux

SSL 證書請求的非互動式創建

  • August 23, 2020

有沒有辦法通過在初始命令上指定所有必需的參數來創建 SSL 證書請求?我正在編寫一個基於 CLI 的 Web 伺服器控制面板,如果可能,我想在執行時避免使用期望openssl

這是創建證書請求的典型方法:

$ openssl req -new -newkey rsa:2048 -nodes -sha256 -keyout foobar.com.key -out foobar.com.csr
Generating a 2048 bit RSA private key
.................................................+++
........................................+++
writing new private key to 'foobar.com.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:New Sweden
Locality Name (eg, city) []:Stockholm
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Scandanavian Ventures, Inc.
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:foobar.com
Email Address []:gustav@foobar.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:FooBar

我希望看到這樣的東西:( 不起作用的例子)

$ openssl req -new -newkey rsa:2048 -nodes -sha256 -keyout foobar.com.key -out foobar.com.csr \
-Country US \
-State "New Sweden" \
-Locality Stockholm \
-Organization "Scandanavian Ventures, Inc." \
-CommonName  foobar.com \
-EmailAddress gustav@foobar.com \
-Company FooBar

精美的手冊頁對此事無話可說,我也無法通過 Google 找到任何內容。SSL 證書請求生成必須是一個互動式過程,還是有某種方法可以在單個命令中指定所有參數?

這是在 Debian 派生的 Linux 發行版上執行openssl 1.0.1.

您缺少兩部分:

主題行,可以稱為

-subj "/C=US/ST=New Sweden/L=Stockholm /O=.../OU=.../CN=.../emailAddress=..."
  • 將 … 替換為值,X=X509 程式碼(組織/組織單位/等…)

密碼值,可以稱為

-passout pass:client11
-passin  pass:client11
  • 給出輸出/輸入密碼

我對新鑰匙的呼喚看起來像

openssl genrsa -aes256 -out lib/client1.key -passout pass:client11 1024
openssl rsa -in lib/client1.key -passin pass:client11 -out lib/client1-nokey.key

openssl req -new -key lib/client1.key -subj req -new \
   -passin pass:client11 -out lib/client1.csr \
   -subj "/C=US/ST=New Sweden/L=Stockholm/O=.../OU=.../CN=.../emailAddress=..."

(現在我看到了,有兩個-new……)

引用自:https://serverfault.com/questions/649990