Extracting the requested validity period from a certificate signing request with OpenSSL

Posted 2024-07-16 06:32:15 · 2039 characters · 5 views · 0 comments

We use a private certificate authority powered by OpenSSL to authenticate our customers. We provide a simple web-based utility which allows them to upload a CSR file for the certificate authority to sign.

At the moment, we can only issue certificates for a fixed period, currently 365 days. However, our customers have asked if they can specify the validity period of their certificates instead.

I would prefer not to have to ask the user what validity period they want, since they have to specify a validity period when they generate their CSR, and it makes sense to extract this period from the CSR when signing the certificate. However I can't work out how to do it: the normal things that OpenSSL lets you do to debug CSRs, certificates and keys don't show the relevant information: here's an example of the output of "openssl req -text -noout < csrfile":

$ openssl req -text -noout < my.csr 
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=GB, L=London, O=example.com, CN=customer/[email protected]
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:c4:3b:11:7f:61:31:19:97:b6:26:19:01:e7:c6:
                    c3:d5:03:a5:f6:5a:4d:e2:03:d0:4e:76:49:d0:7f:
                    59:92:bf:5e:12:b3:b0:7e:20:5b:d8:a2:3f:cb:50:
                    c1:64:e5:48:04:c3:b2:04:e3:f2:4c:2f:0e:e2:a6:
                    c3:7c:36:24:dc:97:c9:f0:ba:ad:87:0f:71:45:9c:
                    6a:7f:d4:4c:d5:31:8e:49:a8:e4:3d:c4:ec:5e:54:
                    bf:f9:ba:ce:21:4c:11:15:7d:f0:d3:7a:77:f6:66:
                    5d:07:4e:4a:d3:0e:f0:52:0d:d9:cf:81:86:fe:9b:
                    c8:f8:e4:8d:d6:d1:d0:85:7f
                Exponent: 65537 (0x10001)
        Attributes:
            a0:00
    Signature Algorithm: sha1WithRSAEncryption
        5e:4c:38:59:95:e5:11:b4:a3:d5:88:1f:3c:c0:33:67:cb:b2:
        14:85:73:c3:5a:b8:23:bf:1d:25:2b:a9:38:93:da:fb:67:17:
        26:6c:79:07:dd:7f:3c:3f:b0:33:17:d1:c2:41:f7:c9:ce:1e:
        32:1c:a1:a0:a3:50:67:56:1b:58:d9:b4:48:56:70:00:43:22:
        a9:0c:17:be:67:42:f4:98:d6:d8:c0:d0:4f:6a:73:d1:a8:57:
        91:3c:02:dc:dc:8f:e3:fb:48:28:06:a2:8e:8e:27:b2:39:d7:
        3e:ce:63:ae:66:9b:ec:38:ee:09:77:dc:0f:91:40:ab:28:0f:
        ae:a9

No mention of the requested validity period anywhere.

Any suggestions?


Comments (4)

后知后觉 2024-07-23 06:32:15

I've been trying to figure out how to request a specific validity period in a CSR, and as far as I can tell, the CSR simply doesn't carry that information. The CSR's structure is defined in PKCS#10 / RFC2986, and it doesn't have a field specifically for a requested validity period. The attributes and extensions that can be put in the CSR are listed in PKCS#9, and there's nothing there about validity periods. And finally, I can do an openssl asn1parse on my generated CSRs and find that there's no validity-period-related information included regardless of what I pass to openssl req.
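To make the structural point above concrete, here is an added example (my own code, not from the thread, from OpenSSL or from any library): a small pure-stdlib DER walker that lists a structure the way openssl asn1parse does and searches it for a Validity-shaped element (a SEQUENCE of exactly two time values). It runs over two constructed sample blobs built in the file itself: a PKCS#10 CertificationRequestInfo (version, subject, subjectPKInfo, attributes [0]) and an RFC 5280 TBSCertificate, which is where notBefore/notAfter actually live. All names (tlv, sample_csr_info, sample_tbs_certificate, dump, find_validity, validity_days) are mine, and the key material is a placeholder, not a real key.

```python
"""Added example: where a validity period lives in DER (and where it does not).
The sample structures are constructed here, not taken from a real CSR or cert."""
from datetime import datetime, timezone
from typing import Iterator, List, Optional, Tuple

SEQ, SET, INT, BITSTR, NULL, OID, UTCTIME, GENTIME, CTX0 = (
    0x30, 0x31, 0x02, 0x03, 0x05, 0x06, 0x17, 0x18, 0xA0)
TAG_NAMES = {SEQ: "SEQUENCE", SET: "SET", INT: "INTEGER", BITSTR: "BIT STRING",
             NULL: "NULL", OID: "OBJECT IDENTIFIER", UTCTIME: "UTCTime",
             GENTIME: "GeneralizedTime", CTX0: "[0] (context-specific)"}
RSA_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1 rsaEncryption


# ---- tiny DER encoder, used only to build the constructed sample inputs ----
def tlv(tag: int, value: bytes) -> bytes:
    n = len(value)
    if n < 0x80:
        length = bytes([n])
    else:  # long form: 0x80 | number of length bytes, then big-endian length
        body = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(body)]) + body
    return bytes([tag]) + length + value


def _spki() -> bytes:
    # SubjectPublicKeyInfo: rsaEncryption algorithm id + placeholder BIT STRING (constructed)
    alg = tlv(SEQ, tlv(OID, RSA_OID) + tlv(NULL, b""))
    return tlv(SEQ, alg + tlv(BITSTR, b"\x00"))


def sample_csr_info() -> bytes:
    """PKCS#10 CertificationRequestInfo: version, subject, subjectPKInfo, attributes [0]."""
    return tlv(SEQ, tlv(INT, b"\x00") + tlv(SEQ, b"") + _spki() + tlv(CTX0, b""))


def sample_tbs_certificate(not_before: str, not_after: str) -> bytes:
    """RFC 5280 TBSCertificate (v1 shape): serial, signature, issuer, validity, subject, spki."""
    alg = tlv(SEQ, tlv(OID, RSA_OID) + tlv(NULL, b""))
    validity = tlv(SEQ, tlv(UTCTIME, not_before.encode()) + tlv(UTCTIME, not_after.encode()))
    return tlv(SEQ, tlv(INT, b"\x01") + alg + tlv(SEQ, b"") + validity + tlv(SEQ, b"") + _spki())


# ---- DER walker ----
def parse_tlv(buf: bytes, pos: int) -> Tuple[int, int, int]:
    """Return (tag, value_start, value_end) for the element beginning at pos."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, pos, pos + length


def children(buf: bytes, start: int, end: int) -> Iterator[Tuple[int, int, int]]:
    """Yield (tag, value_start, value_end) for each sibling element in buf[start:end]."""
    pos = start
    while pos < end:
        tag, vs, ve = parse_tlv(buf, pos)
        yield tag, vs, ve
        pos = ve


def dump(buf: bytes) -> List[str]:
    """asn1parse-style listing: one line per element, indented by nesting depth."""
    lines: List[str] = []

    def walk(start: int, end: int, depth: int) -> None:
        for tag, vs, ve in children(buf, start, end):
            name = TAG_NAMES.get(tag, "tag 0x%02x" % tag)
            lines.append("  " * depth + f"{name} ({ve - vs} bytes)")
            if tag & 0x20:  # constructed type: descend into its contents
                walk(vs, ve, depth + 1)

    walk(0, len(buf), 0)
    return lines


def _parse_time(tag: int, raw: bytes) -> datetime:
    fmt = "%y%m%d%H%M%SZ" if tag == UTCTIME else "%Y%m%d%H%M%SZ"
    return datetime.strptime(raw.decode("ascii"), fmt).replace(tzinfo=timezone.utc)


def find_validity(der: bytes) -> Optional[Tuple[datetime, datetime]]:
    """(notBefore, notAfter) if the outer SEQUENCE directly holds a Validity-shaped
    element (SEQUENCE of exactly two time values); None otherwise, as for any CSR."""
    tag, start, end = parse_tlv(der, 0)
    if tag != SEQ:
        return None
    for tag, vs, ve in children(der, start, end):
        if tag != SEQ:
            continue
        items = list(children(der, vs, ve))
        if len(items) == 2 and all(t in (UTCTIME, GENTIME) for t, _, _ in items):
            (t0, a0, b0), (t1, a1, b1) = items
            return _parse_time(t0, der[a0:b0]), _parse_time(t1, der[a1:b1])
    return None


def validity_days(der: bytes) -> Optional[int]:
    v = find_validity(der)
    return None if v is None else (v[1] - v[0]).days


if __name__ == "__main__":
    samples = (("CSR info", sample_csr_info()),
               ("TBSCertificate", sample_tbs_certificate("240716063215Z", "250716063215Z")))
    for label, blob in samples:
        print(f"== {label}: validity = {find_validity(blob)}")
        print("\n".join(dump(blob)))
```

Running it prints the two listings side by side: the CSR info contains INTEGER, an (empty) subject SEQUENCE, the SubjectPublicKeyInfo and the [0] attributes, with no time values anywhere, so find_validity returns None; the TBSCertificate listing shows the Validity SEQUENCE with two UTCTime values and find_validity returns 2024-07-16 to 2025-07-16. A CA front end therefore has to take the period from its own policy (or from the web form), never from the CSR.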

胡渣熟男 2024-07-23 06:32:15

I stumbled across your question while researching the validity of a CSR. As others have mentioned, the validity period is not included in the CSR, but I was curious about the -days option a lot of people include in their examples for creating a CSR. After reading the documentation of OpenSSL it is quite clear:

-days n

when the -x509 option is being used this specifies the number of days to certify the certificate for. The default is 30 days.

and the -x509 option outputs a self signed certificate instead of a certificate request

-x509

this option outputs a self signed certificate instead of a certificate request. This is typically used to generate a test certificate or a self signed root CA. The extensions added to the certificate (if any) are specified in the configuration file. Unless specified using the set_serial option, a large random number will be used for the serial number.

苄①跕圉湢 2024-07-23 06:32:15

Though you request a certain validity period for your certificate while generating the CSR, it's uncertain to expect that validity to be acceptable by the CA. Most CAs would prefer a predefined validity period and few CAs are OK with the requested validity period and generate the CSR accordingly. Now coming to the point, the CSR ASN.1 structure according to the PKCS#10 standard does not specify the validity period. And thus you cannot extract that information from the CSR.

他不在意 2024-07-23 06:32:15

Try adding the -days xx parameter to your request creation command.
