Signing a certificate with my CA

忘掉有多难 2020-12-23 13:39

On running:

openssl ca -in ${ALIAS}.csr -out user-cert.pem -keyfile cacert-private.pem -cert cacert.pem -passin pass:$PASSWD -config ${CONFIG}
6 answers
  • 2020-12-23 14:10

    You can also set the attributes as optional:

    # For the CA policy
    
    [policy_match]
    countryName= optional
    stateOrProvinceName= optional
    organizationName= optional
    organizationalUnitName= optional
    commonName= supplied
    emailAddress= optional
    
  • 2020-12-23 14:12

    I have also run into this problem. Thanks to the replies above (mainly Francois), I discovered the source of the problem.

    openssl is encoding using UTF8STRING and keytool (Java 6) is encoding with PRINTABLESTRING.

    Worked around it by changing the openssl configuration so it matches keytool. In /usr/ssl/openssl.cnf change the "string_mask" setting to "pkix".

  • 2020-12-23 14:22

    I just ran into this problem. The root cause is a mismatch between the values of string_mask in the client's and the CA's openssl.cnf. The easy fix is to modify the client's value to match what the CA expects, then regenerate the CSR. The hard fix is to edit the CA's value and start a fresh CA.

  • 2020-12-23 14:26

    As shown by:

    openssl asn1parse -in req.csr  
    

    the request DN strings are encoded as PRINTABLESTRING.

    openssl asn1parse -in cacert.pem 
    

    shows the CA DN strings are encoded as UTF8STRING.

    For a quick 'n' dirty hack, I suggest you change the encoding of the strings in your request by replacing the encoding type for PRINTABLESTRING (0x13) with the type for UTF8STRING (0x0c), using your favorite hex editor.
    You will have to convert your request to DER before poking it.
    The offsets of the bytes to change can be found with:

    openssl asn1parse -in csr |grep PRINTABLESTRING |awk -F":" '{print $1}' 
    

    Then try to sign again.

  • 2020-12-23 14:33

    The previous posters already answered the question, but to make it easier, here is an example of how to specify the encoding. Use the string_mask:

    [ req ]
    default_bits            = 2048
    default_md              = sha256    # digest for the request signature ("rsa" is not a digest name)
    prompt                  = no
    string_mask             = utf8only  # <--------------
    distinguished_name      = req_distinguished_name
    
    [ req_distinguished_name ]
    countryName             = GB
    stateOrProvinceName     = Gloucestershire
    localityName            = Cheltenham
    organizationName        = Wansdyke House Limited
    organizationalUnitName  = Fizio
    commonName              = localhost
    
  • 2020-12-23 14:34

    Promoting mbrownnyc's comment to an answer, as it was useful to me and deserves more attention.

    I believe /usr/ssl/openssl.cnf contains a policy called policy_anything that contains the above setup. You can use it by utilizing the policy argument as follows:

    openssl ca -policy policy_anything -days 365 -out /root/ca/certs/out.pem -in certreq.csr 
    
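An added example that ties the answers above together (my own code, not from the thread and not OpenSSL's): a stdlib-only Python script that encodes a subject DN the way `openssl req` does under `string_mask = pkix` versus `utf8only`, lists each string's tag and offset as `openssl asn1parse` would, applies the hex-editor retagging from the asn1parse answer, and emulates the `match`/`supplied`/`optional` rules of the stock `policy_match` and `policy_anything` sections. The `openssl ca` behaviour it models is that a `match` field is compared as a whole ASN.1 string, type included, so `GB` as PRINTABLESTRING never equals `GB` as UTF8STRING. The DN values are constructed sample data, and the string_mask logic is simplified to the PrintableString/UTF8String choice (the real masks also pick BMPString or T61String for non-ASCII input).

```python
"""Added example, not from the thread: a stdlib-only DER walker that
reproduces the string_mask mismatch and emulates `openssl ca` policy rules."""

PRINTABLE, UTF8, OID, SEQUENCE, SET = 0x13, 0x0C, 0x06, 0x30, 0x31
TAG_NAMES = {PRINTABLE: "PRINTABLESTRING", UTF8: "UTF8STRING"}
# DER-encoded X.520 attribute OIDs (2.5.4.x) for the fields used below.
OIDS = {"countryName": b"\x55\x04\x06", "stateOrProvinceName": b"\x55\x04\x08",
        "organizationName": b"\x55\x04\x0a", "commonName": b"\x55\x04\x03"}
OID_NAMES = {v: k for k, v in OIDS.items()}
# Character repertoire of ASN.1 PrintableString (X.680).
PRINTABLE_CHARS = set(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789 '()+,-./:=?")

def _tlv(tag, body):
    """DER tag-length-value, short-form length (the sample names are < 128 bytes)."""
    assert len(body) < 0x80
    return bytes([tag, len(body)]) + body

def _read_tlv(buf, pos):
    """Parse one TLV at buf[pos]; return (tag, body, body_start, end)."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:  # long-form length, as real certificates and CSRs use
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos, pos + n

def encode_name(attrs, string_mask):
    """Encode an X.501 Name as `openssl req` would under string_mask.
    Simplified: utf8only always emits UTF8String; pkix/default emit
    PrintableString for printable ASCII (real masks also use BMP/T61)."""
    rdns = b""
    for field, value in attrs:
        if string_mask == "utf8only" or not set(value) <= PRINTABLE_CHARS:
            tag, body = UTF8, value.encode("utf-8")
        else:
            tag, body = PRINTABLE, value.encode("ascii")
        rdns += _tlv(SET, _tlv(SEQUENCE, _tlv(OID, OIDS[field]) + _tlv(tag, body)))
    return _tlv(SEQUENCE, rdns)

def decode_name(der):
    """[(field, TAG_NAME, value, offset)] per attribute: what `openssl asn1parse`
    shows, plus the absolute offset of each string's tag byte."""
    out, pos = [], 0
    _, body, base, _ = _read_tlv(der, 0)
    while pos < len(body):
        _, rdn, rdn_start, pos = _read_tlv(body, pos)
        _, atv, atv_start, _ = _read_tlv(rdn, 0)
        _, oid, _, after_oid = _read_tlv(atv, 0)
        tag, sval, _, _ = _read_tlv(atv, after_oid)
        out.append((OID_NAMES.get(oid, oid.hex()), TAG_NAMES.get(tag, hex(tag)),
                    sval.decode("utf-8"), base + rdn_start + atv_start + after_oid))
    return out

def retag_printable_as_utf8(der):
    """The thread's hex-editor hack: flip 0x13 tag bytes to 0x0c. Lengths stay
    valid because PrintableString bytes are already UTF-8, but on a real CSR
    this invalidates the request's self-signature."""
    out = bytearray(der)
    for _, tag_name, _, offset in decode_name(der):
        if tag_name == "PRINTABLESTRING":
            out[offset] = UTF8
    return bytes(out)

def apply_policy(req_der, ca_der, policy):
    """Emulate `openssl ca` policy checks (collecting every error rather than
    stopping at the first). 'match' compares request and CA values as ASN.1
    strings, type included. Fields the policy does not name are dropped from
    the issued subject, as ca(1) documents."""
    req = {f: (t, v) for f, t, v, _ in decode_name(req_der)}
    ca = {f: (t, v) for f, t, v, _ in decode_name(ca_der)}
    errors, subject = [], []
    for field, rule in policy.items():
        if field not in req:
            if rule != "optional":
                errors.append(f"{field}: needed to be supplied and was missing")
            continue
        if rule == "match" and req[field] != ca.get(field):
            errors.append(f"{field}: needed to be the same in the CA certificate "
                          f"{ca.get(field)} and the request {req[field]}")
        subject.append((field, req[field][1]))
    return errors, subject

# The stock openssl.cnf policies referred to in the answers above.
POLICY_MATCH = {"countryName": "match", "stateOrProvinceName": "match",
                "organizationName": "match", "organizationalUnitName": "optional",
                "commonName": "supplied", "emailAddress": "optional"}
POLICY_ANYTHING = {"countryName": "optional", "stateOrProvinceName": "optional",
                   "localityName": "optional", "organizationName": "optional",
                   "organizationalUnitName": "optional", "commonName": "supplied",
                   "emailAddress": "optional"}

if __name__ == "__main__":
    # Constructed sample: CA subject encoded with utf8only, CSR encoded with
    # pkix (the PrintableString form the answers say keytool produces).
    ca = [("countryName", "GB"), ("stateOrProvinceName", "Gloucestershire"),
          ("organizationName", "Wansdyke House Limited"), ("commonName", "Example CA")]
    ca_der = encode_name(ca, "utf8only")
    csr_der = encode_name(ca[:3] + [("commonName", "localhost")], "pkix")
    print(decode_name(csr_der))
    print(apply_policy(csr_der, ca_der, POLICY_MATCH)[0])  # three mismatches
    print(apply_policy(retag_printable_as_utf8(csr_der), ca_der, POLICY_MATCH)[0])  # []
    print(apply_policy(csr_der, ca_der, POLICY_ANYTHING))  # ([], full subject)
```

Running it shows three "needed to be the same" errors under policy_match, none after retagging, and none under policy_anything. Note that the retagging edits bytes inside the signed CertificationRequestInfo, so on a real CSR the request's own signature no longer verifies, and `openssl ca` checks that signature unless it is given `-noverify`; regenerating the CSR with a matching string_mask, as the other answers recommend, avoids the problem without weakening the check.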