Ssl
如何使用 OpenSSL 將 nameRelativeToCRLIssuer 添加到 CRL
我正在嘗試使用 OpenSSL 創建證書,該證書具有 DistributionPoint URL 的 nameRelativeToCRLIssuer 屬性,而不是 fullName 屬性。我一直在使用以下 extfile.cnf 來嘗試生成 nameRelativeToCRLIssuer:
crlDistributionPoints=crldp1_section [crldp1_section] namerelativetocrlissuer=URI:http://www.example.com/root.crl
並使用以下 openssl 命令簽名:
openssl x509 -req -in signingrequest.csr -extfile extfile.cnf -CAform PEM -CA ca.pem -CAkey ca.key -CAcreateserial -out certificate.pem -days 1825
創建以下證書
$$ with a few pieces redacted, since this is a business context $$:
Certificate: Data: Version: 3 (0x2) Serial Number: 10317047815326669373 (0x8f2d845373441a3d) Signature Algorithm: ..... Issuer: ..... Validity Not Before: Mar 18 19:46:21 2016 GMT Not After : Mar 17 19:46:21 2021 GMT Subject: ..... Subject Public Key Info: Public Key Algorithm: id-ecPublicKey Public-Key: (256 bit) pub: 04:23:39:f3:76:a6:cf:35:6d:af:9b:39:7a:87:57: be:4b:c3:05:01:17:3e:4a:bb:de:44:ce:88:c0:91: 2d:92:5c:c5:d7:0e:f4:a4:e6:8c:25:58:a1:bb:38: e9:be:22:d6:9a:04:ac:6d:f9:35:c8:ec:fe:48:0a: c3:0d:6f:14:1f ASN1 OID: prime256v1 NIST CURVE: P-256 X509v3 extensions: X509v3 CRL Distribution Points: Signature Algorithm: .....
根據RFC,它是 fullName 和 nameRelativeToCRLIssuer 之間的選擇變數。幾天來,我一直在為此苦苦掙扎,但沒有取得真正的進展。任何人都可以提供的任何幫助將不勝感激。
從 OpenSSL
x509v3_config
docs,而不是使用:crlDistributionPoints=crldp1_section [crldp1_section] namerelativetocrlissuer=URI:http://www.example.com/root.crl
你想做這樣的事情:
crlDistributionPoints=crldp1_section [crldp1_section] relativename=@relname_section [relname_section] C = US O = Org, Inc. 0.OU = Org Unit 1 1.OU = Sub Org Unit 2 CN = relative common name
有趣的是,使用 OpenSSL,該
relativename
值僅用於指定(相對)DNfullname
,而不是使用該值可以完成的 URI 。有關其他範例,請參見此處。
希望這可以幫助!