The behavior of "openssl x509 -CAcreateserial" has changed between OpenSSL 1 and OpenSSL 3; how should I resolve this?
With OpenSSL 1.x, I used to sign certifications and create ".srl" files with the following command:
openssl x509 -in vcom.csr -days 1024 -CAkey ./rootCA.key -CA ./rootCA.pem -force_pubkey vcom_pub.pem -out vcom_cert.pem -CAcreateserial
However, after upgrading to OpenSSL 3.x, the option "-CAcreateserial" failed to create new ".srl" files.
After reviewing the OpenSSL 3.x source code, it seems like the option "-req" generates a random serial number; therefore, the source code related to "-CAcreateserial" is bypassed.
To my understanding, it is very important to record the serial number when signing a certificate, to avoid duplication.
Am I doing something wrong with the command? Or have I misunderstood the concept of this ".srl" file?
Comments (2)
I've continued to investigate this problem, and found out that the option "-CAserial" is also ignored.
As a result, the ".srl" file is really not requested in the process of signing a public key from a "CSR" file.
I think it's a bug which was fixed sometime near May, 2022. So, since version 3.0.5 it should work as described in the documentation.
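
A way to check what a given openssl build actually does, as an added example that is not part of the original posts: it signs a throwaway CSR with -req and -CAcreateserial, then reports whether rootCA.srl was written and whether it matches the serial in the issued certificate. The CA, CSR and subject names are constructed for the check, and cert_serial, srl_status and check_cacreateserial are hypothetical helper names.

```shell
#!/bin/sh
# Added example; file names and subjects below are constructed for the check.

# Print a certificate's serial as upper-case hex (openssl prints "serial=<HEX>").
cert_serial() {
    openssl x509 -noout -serial -in "$1" | sed 's/^serial=//' | tr 'a-f' 'A-F'
}

# Compare the contents of an .srl file ($1) with an issued serial in hex ($2).
# Prints "missing", "recorded" or "mismatch".
srl_status() {
    [ -s "$1" ] || { echo missing; return 0; }
    recorded=$(tr -d ' \r\n' < "$1" | tr 'a-f' 'A-F')
    issued=$(printf '%s' "$2" | tr 'a-f' 'A-F')
    if [ "$recorded" = "$issued" ]; then echo recorded; else echo mismatch; fi
}

# Sign a throwaway CSR with -CAcreateserial and report what happened to rootCA.srl.
check_cacreateserial() {
    dir=$(mktemp -d) || return 1
    (
        cd "$dir" || exit 1
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Constructed Test CA" \
            -keyout rootCA.key -out rootCA.pem >/dev/null 2>&1 || exit 1
        openssl req -new -newkey rsa:2048 -nodes -subj "/CN=constructed-leaf" \
            -keyout leaf.key -out leaf.csr >/dev/null 2>&1 || exit 1
        openssl x509 -req -in leaf.csr -days 1 -CA rootCA.pem -CAkey rootCA.key \
            -CAcreateserial -out leaf.pem >/dev/null 2>&1 || exit 1
        srl_status rootCA.srl "$(cert_serial leaf.pem)"
    ) && rc=0 || rc=$?
    rm -rf "$dir"
    return "$rc"
}

# Run the check only when an openssl binary is on PATH.
if command -v openssl >/dev/null 2>&1; then
    echo "$(openssl version): .srl $(check_cacreateserial || echo 'check failed')"
fi
```

A result of "missing" means the build did not write the serial file, which is the behaviour the question describes.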