OpenSSL: generating and signing a certificate with custom subject fields

Posted 2024-11-17 17:30:10, 394 characters, 8 views, 0 comments

I need to create and sign (I am CA) certificate with custom subject (, SERIALNUMBER=...,).

So far I have modified the openssl config file so I am able to include custom fields in the subject.

[ new_oids ]
SERIALNUMBER = 1.2.3.4.1333

The problem is that after signing such a certificate, the new field appears in that strange numeric format -

C = FI
O = Maahanmuuttovirasto
1.2.3.4.1333 = 00REINIS00

Where and what should I change in my openssl config file to generate a certificate with normal field names? How do I tell the signing process that 1.2.3.4.1333 should be encoded as 'SERIALNUMBER'?

Thank you,
Beef


Comments (1)

盛夏已如深秋 | 2024-11-24 17:30:10

That is actually no error at all. What gets stored in the certificate's subject is a DistinguishedName. Cf. RFC 5280

TBSCertificate  ::=  SEQUENCE  {
     version         [0]  Version DEFAULT v1,
     serialNumber         CertificateSerialNumber,
     signature            AlgorithmIdentifier,
     issuer               Name,
     validity             Validity,
     subject              Name,
     subjectPublicKeyInfo SubjectPublicKeyInfo,
     issuerUniqueID  [1]  IMPLICIT UniqueIdentifier OPTIONAL,
                          -- If present, version MUST be v2 or v3
     subjectUniqueID [2]  IMPLICIT UniqueIdentifier OPTIONAL,
                          -- If present, version MUST be v2 or v3
     extensions      [3]  Extensions OPTIONAL
                          -- If present, version MUST be v3 --  }

So the subject is a Name, which is defined as

Name ::= CHOICE { -- only one possibility for now --
      rdnSequence  RDNSequence }

RDNSequence ::= SEQUENCE OF RelativeDistinguishedName

RelativeDistinguishedName ::= SET SIZE (1..MAX) OF AttributeTypeAndValue

AttributeTypeAndValue ::= SEQUENCE {
     type     AttributeType,
     value    AttributeValue }

AttributeType ::= OBJECT IDENTIFIER

AttributeValue ::= ANY -- DEFINED BY AttributeType

So as you can see, the subject consists of a sequence of RelativeDistinguishedNames, each of which represents a pair of an OID plus the assigned value. That implies that nowhere in your certificate will 'SERIALNUMBER' be stored, but only the value for the OID, 1.2.3.4.1333. It's up to applications to interpret these OIDs as something meaningful, and there are a number of common OIDs that most applications know and will represent using a string, such as "C", "O", "OU", "CN" and so on (cf. RFC 2253 or RFC 1779).

But 'SERIALNUMBER' is unknown to OpenSSL by default; in fact, you are adding it to new_oids yourself. Due to this, OpenSSL does not know how to represent 'SERIALNUMBER' other than by printing the OID itself. But any other software that is aware of 'SERIALNUMBER' (IIRC Windows/IE is) will display this correctly as being the value of 'SERIALNUMBER'.
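The point the answer makes, that a subject is stored purely as (OID, value) pairs and the attribute name only exists in the viewer's lookup table, is easy to see by encoding the asker's subject as DER and decoding it again. The following is an added example in plain Python, not code from the original post or from OpenSSL: it implements just enough DER to build an RFC 5280 RDNSequence of single-valued RDNs with UTF8String values, decodes it back, and renders each attribute either by name, when the OID is in a small table of well-known attribute types (C, O, OU, CN and the standard id-at-serialNumber 2.5.4.5), or as dotted digits when it is not. The OID 1.2.3.4.1333 and the value 00REINIS00 are taken from the question; the subject values are the asker's, re-used here as constructed input.

```python
"""Encode an X.509 Name (RFC 5280 RDNSequence) as DER and decode it back,
rendering each attribute OID by a friendly name when known, else as digits.
Added example, not from the original post. KNOWN_OIDS is a small subset of
the standard attribute types; 1.2.3.4.1333 is the asker's private OID."""

# Well-known attribute type OIDs (RFC 5280 / RFC 4519).
KNOWN_OIDS = {
    "2.5.4.6": "C",
    "2.5.4.10": "O",
    "2.5.4.11": "OU",
    "2.5.4.3": "CN",
    "2.5.4.5": "serialNumber",  # id-at-serialNumber, the standard attribute
}


def _len(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, body):
    return bytes([tag]) + _len(len(body)) + body


def encode_oid(dotted):
    """OBJECT IDENTIFIER: first two arcs packed into one byte, rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))


def decode_oid(body):
    arcs = [body[0] // 40, body[0] % 40]
    val = 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear ends the arc
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def encode_name(attrs):
    """attrs: list of (dotted_oid, str). Each pair becomes one single-valued RDN."""
    rdns = b""
    for oid, value in attrs:
        atv = _tlv(0x30, encode_oid(oid) + _tlv(0x0C, value.encode()))  # UTF8String
        rdns += _tlv(0x31, atv)  # SET OF AttributeTypeAndValue
    return _tlv(0x30, rdns)  # SEQUENCE OF RelativeDistinguishedName


def _read_tlv(buf, pos):
    """Return (tag, body, position after this element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_name(der):
    """Return the stored (dotted_oid, value) pairs in order; names are not stored."""
    tag, seq, _ = _read_tlv(der, 0)
    assert tag == 0x30, "Name must be a SEQUENCE"
    out, pos = [], 0
    while pos < len(seq):
        tag, rdn, pos = _read_tlv(seq, pos)
        assert tag == 0x31, "RDN must be a SET"
        p = 0
        while p < len(rdn):
            _, atv, p = _read_tlv(rdn, p)
            _, oid_body, q = _read_tlv(atv, 0)
            _, val_body, _ = _read_tlv(atv, q)
            out.append((decode_oid(oid_body), val_body.decode()))
    return out


def render(der, table=KNOWN_OIDS):
    """Print one 'name = value' line per attribute, like openssl's subject output."""
    return "\n".join(f"{table.get(oid, oid)} = {val}" for oid, val in decode_name(der))


if __name__ == "__main__":
    subject = encode_name([("2.5.4.6", "FI"),
                           ("2.5.4.10", "Maahanmuuttovirasto"),
                           ("1.2.3.4.1333", "00REINIS00")])
    print(render(subject))
```

Running it prints exactly the three lines the asker saw, because the decoder's table has no entry for 1.2.3.4.1333; passing a table that adds that OID under the name SERIALNUMBER changes only the rendering, not a single byte of the DER. Encoding the same value under 2.5.4.5 instead renders as `serialNumber` with the default table, which is the OID every RFC 5280 aware viewer associates with that attribute name.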
