The Step-CA help text for creating a certificate with SANs reads as follows:
Request a new certificate with multiple Subject Alternative Names. The
Subject Common Name of the certificate will be 'foobar'. However, because
additional SANs are configured using the --san flag and 'foobar' is not one
of these, 'foobar' will not be in the SAN extensions of the certificate.
The certificate will have 2 IP Address extensions (1.1.1.1, 10.2.3.4) and 1
DNS Name extension (hello.example.com):
$ step ca certificate --san 1.1.1.1 --san hello.example.com --san 10.2.3.4 foobar internal.crt internal.key
When I try the equivalent command:
step ca certificate --san dtk --san dtk.intranet.local foobar /root/dtk.crt /root/dtk.key
I get the following output:
✔ Provisioner: acme-smallstep (ACME)
Using Standalone Mode HTTP challenge to validate dtk .. done!
Using Standalone Mode HTTP challenge to validate dtk.dynautics.local .. done!
Waiting for Order to be 'ready' for finalization .. done!
Finalizing Order .error finalizing order: error finalizing order: CSR names do not match identifiers exactly: CSR names = [dtk dtk.dynautics.local foobar], Order names = [dtk dtk.dynautics.local]
If I replace "foobar" with an empty string, it prompts me for the subject. If I replace "foobar" with "dtk dtk.dynautics.local" as a single string, I get:
Finalizing Order .error finalizing order: error finalizing order: CSR names do not match identifiers exactly: CSR names = [dtk dtk dtk.dynautics.local dtk.dynautics.local], Order names = [dtk dtk.dynautics.local]
I'm confused. Surely SANs are a common thing? Surely this feature was tested before Step-CA was released?
Why doesn't their own example work?
The examples given in the Step-CA help text are all wrong. To fix this, use the primary name as the subject. For example:
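Added example (not from the answer above and not Smallstep's own code): a Go program that rebuilds the CSR the command submits and models the name check behind the errors in the question, assuming from that output that the CA counts the Common Name as a CSR name next to the --san values. It reproduces both error lists, including why a subject containing a space shows up as two extra names, and shows that a subject that is already one of the SANs passes.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"reflect"
	"sort"
)

// BuildCSR makes a throwaway Ed25519 key and a CSR with the given subject (CN)
// and DNS SANs, the shape `step ca certificate <subject> --san ...` submits.
func BuildCSR(subject string, sans []string) (*x509.CertificateRequest, error) {
	_, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: subject}, DNSNames: sans}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificateRequest(der)
}

// CSRNames models the check behind the errors above (an assumption drawn from that
// output, not step-ca's code): the CN is a name next to the DNS SANs, sorted, no repeats.
func CSRNames(csr *x509.CertificateRequest) []string {
	names := append([]string(nil), csr.DNSNames...)
	sort.Strings(names)
	cn := csr.Subject.CommonName
	if i := sort.SearchStrings(names, cn); cn != "" && (i == len(names) || names[i] != cn) {
		names = append(names, cn)
		sort.Strings(names)
	}
	return names
}

// NamesMatchOrder reports whether CSR names equal the order identifiers (the --san
// values) exactly, plus both lists as the error prints them with %v: elements are
// space-separated, so a CN that contains a space reads as two names.
func NamesMatchOrder(subject string, sans []string) (bool, string, string, error) {
	csr, err := BuildCSR(subject, sans)
	if err != nil {
		return false, "", "", err
	}
	got, want := CSRNames(csr), append([]string(nil), sans...)
	sort.Strings(want)
	return reflect.DeepEqual(got, want), fmt.Sprintf("%v", got), fmt.Sprintf("%v", want), nil
}
```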