主页 / computer / 问题 / 1844512
Accepted
user180574
Asked: 2024-06-02 03:50:30 +0800 CST

openssl 证书签名:未复制主题行

  • 772

当我创建 CSR 时,我指定了主题行。

$ openssl req -in csr -noout -text
...
Certificate Request:
    Data:
        Version: 1 (0x0)
        Subject: CN = 12345-67890, serialNumber = 67890, 1.3.5.7.9.24.6.8 = 1234
...

$ openssl ca -verbose -config signer.cnf -in csr -out output.crt
...
Certificate Request:
    Data:
        Version: 1 (0x0)
        Subject: CN = 12345-67890, serialNumber = 67890, 1.3.5.7.9.24.6.8 = 1234
...
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName        :ASN.1 12:'12345-67890'
serialNumber      :PRINTABLE:'67890'
1.3.5.7.9.24.6.8  :ASN.1 12:'1234'
Everything appears to be ok, creating and signing the certificate
Successfully added extensions from config
The subject name appears to be ok, checking data base for clashes
Certificate is to be certified until Jun  1 16:48:27 2025 GMT (365 days)
Sign the certificate? [y/n]:

但是当我检查output.crt时,主题行是空的“主题:”。

下面是配置“signer.cnf”。

[ ca ]
default_ca = my_ca

[ my_ca ]
dir = .
certs = $dir
new_certs_dir = $dir
database = index.txt
serial = serial
private_key = ...
certificate = ...
default_days = 365
policy = my_policy
x509_extensions = my_extensions
copy_extensions = copy

[ my_extensions ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment

[ my_policy ]
ssl

1 个回答

  1. Best Answer

    您的[ policy ]部分是空的。

    来自openssl-ca手册页:

    除非设置了 -preserveDN 选项,否则策略部分中未提及的任何字段都会被静默删除

    -preserveDN选项是命令行选项。配置文件中的等效内容是添加preserve到您的[ my_ca ]部分。

    • 1

相关问题