我正在尝试创建我的自签名证书:
- CA 私钥创建:
openssl genrsa -out ca.key 2048
- CA 证书创建(见下文
ca.cnf
内容):openssl req -x509 -new -key ca.key -out ca.crt -days 10000 -config ca.cnf
- 服务私钥创建:
openssl genrsa -out cert.key 2048
- 创建 csr(见下文
node.cnf
):openssl req -new -key cert.key -out cert.csr -config node.cnf
- 创建服务器证书:
openssl x509 -req -in cert.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out cert.crt -days 100
之后,我尝试检查我的 SAN 是否已填充:
我明白了:
openssl x509 -noout -ext subjectAltName -in cert.crt
No extensions in certificate
有任何想法吗?
ca.cnf
文件是:
# OpenSSL CA configuration file
[ ca ]
default_ca = CA_default
[ CA_default ]
default_days = 365
database = index.txt
serial = serial.txt
default_md = sha256
copy_extensions = copy
unique_subject = no
# Used to create the CA certificate.
[ req ]
prompt=no
distinguished_name = distinguished_name
x509_extensions = extensions
[ distinguished_name ]
organizationName = jeusdi
commonName = cicdgitops
[ extensions ]
keyUsage = critical,digitalSignature,nonRepudiation,keyEncipherment,keyCertSign
basicConstraints = critical,CA:true,pathlen:1
# Common policy for nodes and users.
[ signing_policy ]
organizationName = supplied
commonName = optional
# Used to sign node certificates.
[ signing_node_req ]
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth,clientAuth
# Used to sign client certificates.
[ signing_client_req ]
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = clientAuth
node.cnf
:
# OpenSSL node configuration file
[ req ]
prompt=no
distinguished_name = distinguished_name
req_extensions = extensions
[ distinguished_name ]
organizationName = jeusdi
[ extensions ]
subjectAltName = @alt_names
[alt_names]
DNS.1 = registry.localhost
DNS.2 = host.k3d.internal
openssl x509的人说:
您可以使用该
-extfile
选项以及-extensions
将 openssl 指向正确的扩展名。您需要告诉它要使用哪个文件-extfile node.cnf
以及哪个部分-extensions extensions
,如下所示:之后你得到: