Ssl

如何使用 OpenSSL 將 nameRelativeToCRLIssuer 添加到 CRL

  • March 19, 2016

我正在嘗試使用 OpenSSL 創建證書,該證書具有 DistributionPoint URL 的 nameRelativeToCRLIssuer 屬性,而不是 fullName 屬性。我一直在使用以下 extfile.cnf 來嘗試生成 nameRelativeToCRLIssuer:

   crlDistributionPoints=crldp1_section

   [crldp1_section]
   namerelativetocrlissuer=URI:http://www.example.com/root.crl

並使用以下 openssl 命令簽名:

   openssl x509 -req -in signingrequest.csr -extfile extfile.cnf -CAform PEM -CA ca.pem -CAkey ca.key -CAcreateserial -out certificate.pem -days 1825

創建以下證書

$$ with a few pieces redacted, since this is a business context $$:

Certificate:
Data:
   Version: 3 (0x2)
   Serial Number: 10317047815326669373 (0x8f2d845373441a3d)
Signature Algorithm: .....
   Issuer: .....
   Validity
       Not Before: Mar 18 19:46:21 2016 GMT
       Not After : Mar 17 19:46:21 2021 GMT
   Subject: .....
   Subject Public Key Info:
       Public Key Algorithm: id-ecPublicKey
           Public-Key: (256 bit)
           pub: 
               04:23:39:f3:76:a6:cf:35:6d:af:9b:39:7a:87:57:
               be:4b:c3:05:01:17:3e:4a:bb:de:44:ce:88:c0:91:
               2d:92:5c:c5:d7:0e:f4:a4:e6:8c:25:58:a1:bb:38:
               e9:be:22:d6:9a:04:ac:6d:f9:35:c8:ec:fe:48:0a:
               c3:0d:6f:14:1f
           ASN1 OID: prime256v1
           NIST CURVE: P-256
   X509v3 extensions:
       X509v3 CRL Distribution Points: 


Signature Algorithm: .....

根據RFC,它是 fullName 和 nameRelativeToCRLIssuer 之間的選擇變數。幾天來,我一直在為此苦苦掙扎,但沒有取得真正的進展。任何人都可以提供的任何幫助將不勝感激。

從 OpenSSL x509v3_configdocs,而不是使用:

crlDistributionPoints=crldp1_section

[crldp1_section]
namerelativetocrlissuer=URI:http://www.example.com/root.crl

你想做這樣的事情:

crlDistributionPoints=crldp1_section

[crldp1_section]
relativename=@relname_section

[relname_section]    
C       = US
O       = Org, Inc.
0.OU    = Org Unit 1
1.OU    = Sub Org Unit 2
CN      = relative common name

有趣的是,使用 OpenSSL,該relativename值僅用於指定(相對)DNfullname ,而不是使用該值可以完成的 URI 。

有關其他範例,請參見此處

希望這可以幫助!

引用自:https://serverfault.com/questions/764667