Openssl
How to correctly generate a usage-restricted x509 certificate
I am loading certificates into a store that does not allow a successive certificate to be more limited than the previous one. I need an initial dummy certificate/key/chain to bootstrap the process that is no more open than a Let's Encrypt host certificate, which allows serverAuth and clientAuth. All I need is a dummy host certificate with those usages or fewer. But after reading many articles and SO posts yesterday and today, and many iterations of the commands, I have not been able to generate one.
Here is what I am using:
gen.sh
```bash
#!/bin/bash -e
rm dummy*
days=100

openssl genrsa -out dummy-root.key 2048
openssl req -new -x509 -days $days -subj '/C=US/ST=TX/O=foo/OU=bar/CN=dummy-root.com' -key dummy-root.key -out dummy-root.crt

openssl genrsa -out dummy-class2.key 2048
openssl req -new -subj '/C=US/ST=TX/O=foo/OU=bar/CN=dummy-class2.com' -key dummy-class2.key -out dummy-class2.csr
openssl x509 -req -days $days -in dummy-class2.csr -CA dummy-root.crt -CAkey dummy-root.key -CAcreateserial -out dummy-class2.crt

openssl genrsa -out dummy-host.key 2048
openssl req -new -config gen.host.cfg -key dummy-host.key -out dummy-host.csr -extensions my_server_exts
openssl x509 -req -days $days -in dummy-host.csr -CA dummy-class2.crt -CAkey dummy-class2.key -set_serial 1 -out dummy-host.crt -sha256 -ext subjAltName

rm *.srl *.csr
cat dummy-host.crt dummy-class2.crt dummy-root.crt > dummy-chain.crt

# this always fails?
# openssl verify --CAfile dummy-root.crt -untrusted dummy-class2.crt dummy-host.crt

openssl x509 -noout -ext extendedKeyUsage < dummy-host.crt
```
And the config file needed for the extensions (referenced above):
gen.host.cfg
```ini
[ req ]
prompt = no
default_bits = 2048
default_md = sha256
distinguished_name = my_dn
req_extensions = my_server_exts

[ my_dn ]
# The bare minimum is probably a commonName
commonName = dummy-host2.com
countryName = US
organizationName = foo
organizationalUnitName = bar

[ my_server_exts ]
basicConstraints = critical,CA:false
keyUsage = keyEncipherment
# extendedKeyUsage = serverAuth
extendedKeyUsage = 1.3.6.1.5.5.7.3.1
```
The last line of gen.sh tries to read the extensions and always says "No extensions in certificate", which the certificate store interprets as "any" usage, and it then rejects the reduced-usage certificate when renewing with Let's Encrypt.
Why doesn't the EKU I specified make it into the certificate? Or how else can I create a usage-restricted certificate?
The only extensions added to a certificate are the root CA's, because you are using the default configuration file. In the `x509` command invocations you do not supply the `-extfile` and `-extensions` command-line options. For more control over the added extensions, you should probably list the `keyUsage` extension for each certificate explicitly in the config file, adding the `subjectKeyIdentifier` and `authorityKeyIdentifier` extensions for the CA certificates.

All of those extensions:

```ini
[ req ]
default_bits = 2048
default_md = sha256
distinguished_name = dn

[ dn ]
# -subj used instead

[ root_exts ]
basicConstraints = critical,CA:true
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer
keyUsage = keyCertSign, cRLSign

[ intermediate_exts ]
# Can not sign other CA certificates
basicConstraints = critical,CA:true,pathlen:0
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer
keyUsage = keyCertSign, cRLSign

[ server_exts ]
basicConstraints = critical,CA:false
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
keyUsage = keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:dummy-host.com
```

and call all the certificate-generation commands with the `-extfile` or `-config` option, whichever is appropriate:

```bash
#!/bin/bash
set -e
days=100

openssl genrsa -out dummy-root.key 2048
openssl req -x509 -key dummy-root.key -out dummy-root.crt -days $days \
    -subj '/C=US/ST=TX/O=foo/OU=bar/CN=dummy-root.com' \
    -config gen.host.cfg -extensions root_exts

openssl genrsa -out dummy-class2.key 2048
openssl req -new -key dummy-class2.key -out dummy-class2.csr \
    -subj '/C=US/ST=TX/O=foo/OU=bar/CN=dummy-class2.com'
openssl x509 -req -in dummy-class2.csr -out dummy-class2.crt -days $days \
    -CAkey dummy-root.key -CA dummy-root.crt -CAcreateserial \
    -extfile gen.host.cfg -extensions intermediate_exts

openssl genrsa -out dummy-host.key 2048
openssl req -new -key dummy-host.key -out dummy-host.csr \
    -subj '/C=US/ST=TX/O=foo/OU=bar/CN=dummy-host.com'
openssl x509 -req -in dummy-host.csr -out dummy-host.crt -days $days \
    -CAkey dummy-class2.key -CA dummy-class2.crt -CAcreateserial \
    -extfile gen.host.cfg -extensions server_exts

rm *.csr
cat dummy-{host,class2,root}.crt > dummy-chain.crt

openssl verify -CAfile dummy-root.crt -untrusted dummy-class2.crt dummy-host.crt
openssl x509 -noout -ext extendedKeyUsage -in dummy-host.crt
```
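The following script is an added example; it is not code from the question or the answer above. It reproduces the question's failure and the answer's fix side by side: the same CSR is signed with `openssl x509 -req` once without `-extfile` (the requested EKU is dropped, because the signing CA, not the requester, decides which extensions a certificate gets and OpenSSL does not copy CSR extensions by default) and once with `-extfile`/`-extensions` (the EKU is present). It then adds the check the store in the question enforces, that a new certificate's EKU is not broader than the previous one's, treating a missing EKU as "any usage". It assumes the `openssl` CLI (1.1.1 or newer) is on PATH; the CA name, host name, config sections and file names are all constructed for the demo and live in a temporary directory.

```shell
#!/bin/sh
# Added example, not code from the question or the answer. Assumes the openssl
# CLI (1.1.1 or newer) on PATH. Every name below is constructed for the demo.
set -e
WORK="$(mktemp -d)"

# Constructed issuing CA: CA:true plus keyCertSign, so chain validation accepts it.
cat > "$WORK/ca.cfg" <<'EOF'
[ req ]
prompt = no
distinguished_name = dn
x509_extensions = ca_exts
[ dn ]
CN = demo-ca.example
[ ca_exts ]
basicConstraints = critical,CA:true
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
openssl genrsa -out "$WORK/ca.key" 2048 2>/dev/null
openssl req -new -x509 -days 30 -key "$WORK/ca.key" -out "$WORK/ca.crt" -config "$WORK/ca.cfg"

# Constructed leaf config. The CSR requests server_exts; the signer can reuse the
# same file with -extfile. both_exts stands in for a Let's Encrypt-style cert.
cat > "$WORK/leaf.cfg" <<'EOF'
[ req ]
prompt = no
distinguished_name = dn
req_extensions = server_exts
[ dn ]
CN = demo-host.example
[ server_exts ]
basicConstraints = critical,CA:false
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:demo-host.example
[ both_exts ]
basicConstraints = critical,CA:false
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:demo-host.example
EOF
openssl genrsa -out "$WORK/leaf.key" 2048 2>/dev/null
openssl req -new -key "$WORK/leaf.key" -out "$WORK/leaf.csr" -config "$WORK/leaf.cfg"

# sign SERIAL OUTFILE [extra x509 options]: issue the demo CSR from the demo CA.
sign() {
  serial=$1; out=$2; shift 2
  openssl x509 -req -days 30 -in "$WORK/leaf.csr" -CA "$WORK/ca.crt" \
    -CAkey "$WORK/ca.key" -set_serial "$serial" -out "$out" "$@" 2>/dev/null
}
# 1) As in the question's gen.sh: no -extfile, so the requested EKU is lost.
sign 1 "$WORK/leaf-noext.crt"
# 2) As in the answer: the signer states the extensions explicitly.
sign 2 "$WORK/leaf-server.crt" -extfile "$WORK/leaf.cfg" -extensions server_exts
# 3) A broader certificate (serverAuth + clientAuth) for the subset check.
sign 3 "$WORK/leaf-both.crt" -extfile "$WORK/leaf.cfg" -extensions both_exts

# eku_of FILE: prints the EKU purposes (comma separated, as openssl prints them)
# or nothing when the certificate carries no EKU extension.
eku_of() {
  openssl x509 -noout -text -in "$1" | sed -n '/Extended Key Usage/{n;s/^ *//;p;}'
}

# serverauth_only FILE: true only when the EKU is exactly serverAuth.
serverauth_only() {
  [ "$(eku_of "$1")" = "TLS Web Server Authentication" ]
}

# chain_ok FILE: true when FILE validates against the demo CA for the server
# purpose, which also checks CA:true and keyCertSign on the issuer.
chain_ok() {
  openssl verify -CAfile "$WORK/ca.crt" -purpose sslserver "$1" >/dev/null 2>&1
}

# eku_not_broader NEW OLD: true when every purpose in NEW also appears in OLD.
# A missing EKU means "any purpose" (the store's reading in the question), so
# an EKU-less NEW is broader than any OLD that has an EKU.
eku_not_broader() {
  new_eku="$(eku_of "$1")"; old_eku="$(eku_of "$2")"
  [ -z "$old_eku" ] && return 0
  [ -z "$new_eku" ] && return 1
  echo "$new_eku" | tr ',' '\n' | sed 's/^ *//' | while read -r purpose; do
    case ", $old_eku," in *", $purpose,"*) ;; *) exit 1 ;; esac
  done
}

echo "no -extfile : EKU='$(eku_of "$WORK/leaf-noext.crt")'"
echo "server_exts : EKU='$(eku_of "$WORK/leaf-server.crt")'"
echo "both_exts   : EKU='$(eku_of "$WORK/leaf-both.crt")'"
```

Running it prints an empty EKU for the certificate signed without `-extfile` and `TLS Web Server Authentication` for the one signed with it; `eku_not_broader` accepts the serverAuth-only certificate as a successor to the serverAuth+clientAuth one, and rejects the reverse order as well as the EKU-less certificate. The subset check is the same rule the question's store applies, so it is worth running before uploading a bootstrap certificate.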