Question
In the common name field of the DN of an X509 certificate, as defined in ASN.1 notation for OID "2.5.4.3", the limit is up to 64 characters. Is there any turnaround if we want to have a common name of more than 64 characters?
Answer 1:
Even if you could cajole your certificate generation code to have a longer CN, it's also the clients that will need to change, of which most you have no control over. Clients could well reject a certificate with a too-long CN and then you'll have no certificate at all.
As mentioned in the comments, you can (and should) put that and other domain names into the Subject Alternative Name extension and leave the CN empty. Not the whole "Subject", but just the CN part of it.
Answer 2:
In case you want to "cajole" the certificate generation code like @Chris Cogdon alluded to, it's not very hard. I needed to do this as part of a reverse engineering challenge and so the fact that it was against the standards didn't matter whatsoever. I completely agree with the message that you shouldn't be doing this but I'll still explain how I did it since it took a little while to figure out.
Here are the (rough) steps:
- Download the latest source of libressl from https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/ (I used 2.6.0 because it's the version that ships on macOS Mojave)
- Unzip/tar/gz and then open /crypto/asn1/a_mbstr.c in your favorite editor
- Search for something that looks like the following:

    if ((maxsize > 0) && (nchar > maxsize)) {
        ASN1error(ASN1_R_STRING_TOO_LONG);
        ERR_asprintf_error_data("maxsize=%ld", maxsize);
        return -1;
    }

  and comment it out. For version 2.6.0, this was on lines 155-159. By removing these lines, you are removing the max CN length check.
- Follow the directions in the README file to build the binary. I didn't need to install any libraries when I built on macOS but YMMV. I used cmake, which dropped the new openssl binary in /build/apps/openssl
- Generate a CSR using the command line flags (read: NOT THE INTERACTIVE TOOL -- it has a special check that is not patched out by this modification!). For example:

    /build/apps/openssl/openssl req -new -newkey rsa:2048 -nodes -out a.csr -keyout a.key -subj "/CN=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"

- Using the stock openssl binaries (or the modified ones, if you want), sign the CSR:

    openssl x509 -req -in a.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out a.crt -days 500 -sha256
After that, you should have your wonderful non-compliant certificate ready to use. As noted by many people in the comments and by Chris Cogdon, there are quite a few issues with using certificates with CNs longer than 64 characters (macOS curl cannot speak to servers using these certificates, Wireshark truncates the CN in the dissector display, etc). This certificate, however, did work for exactly what I needed so I can at least confirm that these certificates are functional in some specific cases.
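The flip side of the procedure above is spotting such a certificate before a client chokes on it. The following is an added example, not code from either answer or from LibreSSL: a minimal DER walker that applies the X.520 upper bound for commonName (64 characters, the same `maxsize` that `a_mbstr.c` enforces) to a Subject Name, counting characters rather than bytes as that check does. The sample subject is constructed inline and hypothetical; on a real certificate you would feed it the DER of the `subject` field.

```python
# X.520 upper bounds (RFC 5280 Appendix A), keyed by the DER encoding of the
# attribute OID: 2.5.4.3 commonName, 2.5.4.10 organizationName, 2.5.4.11 OU.
UPPER_BOUNDS = {b"\x55\x04\x03": ("commonName", 64),
                b"\x55\x04\x0a": ("organizationName", 64),
                b"\x55\x04\x0b": ("organizationalUnitName", 64)}

def _tlv(buf, pos):
    """Decode one DER TLV at pos -> (tag, value bytes, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low bits = length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(body):
    pos = 0
    while pos < len(body):                  # walk the TLVs inside a constructed value
        tag, val, pos = _tlv(body, pos)
        yield tag, val

def oversized_attributes(name_der):
    """Return (attribute, character count) for each attribute over its bound.
    Counts characters, not bytes, like the nchar > maxsize test in a_mbstr.c."""
    tag, body, _ = _tlv(name_der, 0)
    assert tag == 0x30, "Name must be a SEQUENCE OF RelativeDistinguishedName"
    found = []
    for _, rdn in _children(body):                  # SET OF AttributeTypeAndValue
        for _, atv in _children(rdn):               # SEQUENCE { type OID, value }
            (_, oid), (vtag, val) = _children(atv)
            if vtag == 0x0C:                        # UTF8String: count code points
                nchar = len(val.decode("utf-8"))
            else:                                   # BMPString 2 B/char, UniversalString 4
                nchar = len(val) // {0x1E: 2, 0x1C: 4}.get(vtag, 1)
            if oid in UPPER_BOUNDS and nchar > UPPER_BOUNDS[oid][1]:
                found.append((UPPER_BOUNDS[oid][0], nchar))
    return found

# --- constructed sample subject (hypothetical, not a real certificate) -----
def _der(tag, body):
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    n = (len(body).bit_length() + 7) // 8   # long-form length for big values
    return bytes([tag, 0x80 | n]) + len(body).to_bytes(n, "big") + body

def _rdn(oid, text):                        # single-attribute RDN with a UTF8String
    return _der(0x31, _der(0x30, _der(0x06, oid) + _der(0x0C, text.encode())))

# O=Example plus a 73-character CN, over the limit like the CSR in the answer above.
SAMPLE_NAME = _der(0x30, _rdn(b"\x55\x04\x0a", "Example") + _rdn(b"\x55\x04\x03", "A" * 73))
```

`oversized_attributes(SAMPLE_NAME)` reports the commonName with its 73-character count; a 64-character CN passes, and a BMPString value is measured in two-byte characters.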
Source: https://stackoverflow.com/questions/39035571/distinguished-name-length-constraint-in-x-509-certificate