Openssl
Generating a CSR with certificate template information using OpenSSL
I am generating a CSR with OpenSSL using the following configuration file:

[ req ]
default_bits = 2048
default_keyfile = usercert.key
distinguished_name = req_distinguished_name
attributes = req_attributes
prompt = no

[ req_distinguished_name ]
C = FR
L = Paris
OU = IT
CN = FirstName LastName

[ req_attributes ]
1.3.6.1.4.1.311.13.2.1 = CertificateTemplate=CustomUserOffline
My goal is to include the template name in the CSR so that a Windows CA can process it.
I generate the CSR with the following command line:

openssl req -new -key usercert.key -out usercert.csr -config usercert.cnf

Running it gives me no error, and I can verify the CSR with:

openssl req -text -noout -verify -in usercert.csr

verify OK
Certificate Request:
    Data:
        Version: 1 (0x0)
        Subject: C = FR, L = Paris, OU = IT, CN = FirstName LastName
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:af:85:28:40:84:d8:8a:58:35:86:b8:f5:25:b2:
                    ...
                    05:8d:57:cc:a0:4c:8f:da:f3:f4:a7:57:76:51:e2:
                    56:25
                Exponent: 65537 (0x10001)
        Attributes:
            1.3.6.1.4.1.311.13.2.1 :CertificateTemplate=CustomUserOffline
    Signature Algorithm: sha256WithRSAEncryption
         1e:4e:9b:6d:24:75:81:5f:be:52:58:ba:79:a1:ac:c8:d6:c9:
         ...
         40:2d:b6:fc
However, when I try

certutil usercert.csr

to verify the CSR on Windows, I get the following error:

PKCS10 Certificate Request:
Version: 1
Subject:
    CN=FirstName LastName
    OU=IT
    L=Paris
    C=FR
  Name Hash(sha1): ab6adbd772e0ca2a0fce4a32abfdd1645686c0b9
  Name Hash(md5): 21d7edb09130201e880133c245617304

Public Key Algorithm:
    Algorithm ObjectId: 1.2.840.113549.1.1.1 RSA (RSA_SIGN)
    Algorithm Parameters:
    05 00
Public Key Length: 2048 bits
Public Key: UnusedBits = 0
    0000  30 82 01 0a 02 82 01 01  00 af 85 28 40 84 d8 8a
    ...
    0100  f3 f4 a7 57 76 51 e2 56  25 02 03 01 00 01
Request Attributes: 1
  1 attributes:

  Attribute[0]: 1.3.6.1.4.1.311.13.2.1 (Enrollment Name Value Pair)
    Value[0][0], Length = 27
Cannot decode object: The data is invalid. 0x8007000d (WIN32: 13 ERROR_INVALID_DATA)
CertUtil: -dump command FAILED: 0x8007000d (WIN32: 13 ERROR_INVALID_DATA)
CertUtil: The data is invalid.
It seems the custom attribute is recognised as

1.3.6.1.4.1.311.13.2.1 (Enrollment Name Value Pair)

but I guess the name/value pair CertificateTemplate=CustomUserOffline is not formatted correctly. How can I fix this?
A few notes:
- I am generating the CSR with OpenSSL because ultimately it will be a Linux client that generates the CSR.
- I know about the

certreq -attrib "CertificateTemplate:CustomUserOffline" -submit usercert.csr

command, but the request will be submitted from C# code using the certenroll API, so I want to include the certificate template information directly in the CSR.
At the top of your openssl.conf, enter:

[ OIDs ]
certificateTemplateName = 1.3.6.1.4.1.311.20.2

In your [req_attributes]:

certificateTemplateName = ASN1:PRINTABLESTRING:CustomUserOffline

Of course, you can skip the OID definition, as you did in your question, and use the OID directly.
Using the following openssl configuration file:

oid_section = OIDs

[ OIDs ]
# This uses the short name of the template:
certificateTemplateName = 1.3.6.1.4.1.311.20.2
# Use this instead if you need to refer to the template by OID:
# certificateTemplateOID = 1.3.6.1.4.1.311.21.7

[ req ]
prompt = no
string_mask = default
# The size of the keys in bits:
default_bits = 2048
distinguished_name = req_dn
req_extensions = req_ext

[ req_dn ]
# Note that the following are in 'reverse order' to what you'd expect to see in
# Windows and the numbering is irrelevant as long as each line's number differs.

# Domain Components style:
# Server name:
# 2.DC = com
# 1.DC = example
# commonName = Acme Web Server

# Locality style:
# countryName = GB
# stateOrProvinceName = London
# localityName = Letsby Avenue
# organizationName = Acme
# organizationalUnitName = IT Dept
# organizationalUnitName = Web Services
# commonName = Acme Web Server

# Or traditional org style:
countryName = GB
organizationName = Acme
organizationalUnitName = IT Dept
2.organizationalUnitName = Web Services
commonName = Acme Web Server

[ req_ext ]
#basicConstraints=critical,CA:TRUE
# This requests a certificate using the 'CustomUserOffline' template. Check with the CA for the correct name to use,
# or alternatively comment it out and let the CA apply it:
certificateTemplateName = ASN1:PRINTABLESTRING:CustomUserOffline
subjectAltName = @alt_names

[alt_names]
# To copy the CN (in the case of a DNS name in the CN) use:
# DNS = ${req_dn::commonName}
DNS.1 = www.example.com
DNS.2 = example.com

This results in the following extract when viewed with

openssl req -in usercert.csr -noout -text

Attributes:
    Requested Extensions:
        1.3.6.1.4.1.311.20.2:
            ..CustomUserOffline

and the following excerpt from

certutil usercert.csr

Attribute[0]: 1.2.840.113549.1.9.14 (Certificate Extensions)
    Value[0][0], Length = 4d
    Certificate Extensions: 2
        1.3.6.1.4.1.311.20.2: Flags = 0, Length = 13
        Certificate Template Name (Certificate Type)
            CustomUserOffline
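As an added example (not code from either answer), the stdlib-only Python below builds the extensionRequest attribute that the second answer's req_extensions section produces, with the template name as a PrintableString under 1.3.6.1.4.1.311.20.2 plus the subjectAltName from @alt_names, and walks a DER attribute back to the template name, which is a handy check for a Linux or C# client to run before submitting the CSR to the CA. The lengths it produces can be compared against the certutil dump above (Value[0][0] Length = 4d, template extension Length = 13); all function names are my own, not an OpenSSL or Windows API.

```python
import re

OID_EXTENSION_REQUEST = "1.2.840.113549.1.9.14"  # PKCS#9 extensionRequest; certutil: "Certificate Extensions"
OID_CERT_TEMPLATE_NAME = "1.3.6.1.4.1.311.20.2"  # certutil: "Certificate Template Name (Certificate Type)"
OID_SUBJECT_ALT_NAME = "2.5.29.17"
PRINTABLE = re.compile(r"[A-Za-z0-9 '()+,./:=?-]+")  # the PrintableString character set
def der(tag: int, content: bytes) -> bytes:  # DER TLV, definite length, values up to 65535 bytes
    n = len(content)
    length = bytes([n]) if n < 0x80 else bytes([0x81, n]) if n < 0x100 else bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + content
def der_oid(dotted: str) -> bytes:  # OID content octets: first two arcs packed, the rest base-128
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        while arc := arc >> 7:
            chunk.insert(0, 0x80 | (arc & 0x7F))
        body += chunk
    return bytes(body)
def read_tlv(buf: bytes, pos: int = 0):  # (tag, content, end) of the TLV starting at pos
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:  # long form: the low 7 bits give the number of length octets that follow
        k, pos = n & 0x7F, pos + (n & 0x7F)
        n = int.from_bytes(buf[pos - k:pos], "big")
    return tag, buf[pos:pos + n], pos + n
def template_name_extension(name: str) -> bytes:  # what certificateTemplateName = ASN1:PRINTABLESTRING:<name> yields
    if not PRINTABLE.fullmatch(name):
        raise ValueError("not representable as PrintableString: %r" % name)
    return der(0x30, der(0x06, der_oid(OID_CERT_TEMPLATE_NAME)) + der(0x04, der(0x13, name.encode("ascii"))))
def san_extension(dns_names) -> bytes:  # subjectAltName of [2] dNSName entries (the @alt_names section)
    names = b"".join(der(0x82, n.encode("ascii")) for n in dns_names)
    return der(0x30, der(0x06, der_oid(OID_SUBJECT_ALT_NAME)) + der(0x04, der(0x30, names)))
def extension_request_attribute(template: str, dns_names=()) -> bytes:
    # Attribute { extensionRequest, SET { Extensions SEQUENCE } }: the CSR attribute that req_extensions becomes
    exts = template_name_extension(template) + (san_extension(dns_names) if dns_names else b"")
    return der(0x30, der(0x06, der_oid(OID_EXTENSION_REQUEST)) + der(0x31, der(0x30, exts)))
def find_template_name(attribute: bytes):
    # Pre-submission check: walk one DER CSR attribute and return the template name it requests, or None.
    attr = read_tlv(attribute)[1]
    oid, end = read_tlv(attr)[1:]
    if oid != der_oid(OID_EXTENSION_REQUEST):
        return None
    exts, pos = read_tlv(read_tlv(attr, end)[1])[1], 0  # SET OF -> Extensions SEQUENCE
    while pos < len(exts):
        _, ext, pos = read_tlv(exts, pos)
        ext_oid, end = read_tlv(ext)[1:]
        nxt = read_tlv(ext, end)  # either the OCTET STRING or an optional 'critical' BOOLEAN before it
        value = read_tlv(ext, nxt[2])[1] if nxt[0] == 0x01 else nxt[1]
        if ext_oid == der_oid(OID_CERT_TEMPLATE_NAME) and read_tlv(value)[0] == 0x13:
            return read_tlv(value)[1].decode("ascii")
    return None
```

To check a real CSR, parse the certificationRequestInfo down to its [0] attributes and feed each attribute TLV to find_template_name.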