Openssl x509v3 Extended Key Usage

Posted by 我们两清 on 2019-12-03 10:32:30

Question


I know you can specify the purpose for which a certificate public key can be used by adding a line like this one in the openssl.cfg file:

extendedKeyUsage=serverAuth,clientAuth

But since I have several certificates to create, each with a different extended key usage, is it possible to specify which attribute I need in the command line (without using the openssl.cfg file)? Something like:

openssl req -newkey rsa:4096 \
            -extendedKeyUsage "serverAuth,clientAuth" \
            -keyform PEM \
            -keyout server-key.pem \
            -out server-req.csr \
            -outform PEM

Thanks!


Answer 1:


You can only use something like this:

openssl -extensions mysection -config myconfig.cnf

and myconfig.cnf:

[mysection]
keyUsage         = digitalSignature
extendedKeyUsage = codeSigning

I am not aware of a command-line interface to this functionality.




Answer 2:


What I ended up doing is creating several different openssl.cfg files and referring to the proper one by using either the -config or the -extfile switch.




Answer 3:


The same as processing SAN:

# Requires bash: <( ... ) is process substitution.
openssl req -subj "/CN=client" -sha256 -new -key client-key.pem -out client.csr \
            -reqexts SAN \
            -config <(cat /etc/ssl/openssl.cnf <(printf "\n[SAN]\nsubjectAltName=DNS:example.com,DNS:www.example.com\nextendedKeyUsage=serverAuth,clientAuth"))
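
The approach from answers 2 and 3 (a per-certificate extension section passed with -config), as an added example that is not part of the original thread: the config is generated per call, and the EKU list is validated before it is written so an argument cannot inject extra config lines. The function names, the section name v3_req_eku, the EKU allowlist and the 2048-bit key size are assumptions.

```shell
#!/bin/sh
# Added example; write_req_config, make_csr and the section name
# "v3_req_eku" are hypothetical names, not part of OpenSSL.

# Print a minimal, self-contained req config whose extension section holds
# the requested EKU list. Arguments are checked before they reach the file,
# so a caller-supplied string cannot add lines or sections to the config.
write_req_config() {  # usage: write_req_config CN EKU_LIST
    cn=$1; eku=$2
    case $cn in ''|*[!A-Za-z0-9.-]*) echo "bad CN" >&2; return 1;; esac
    case $eku in ''|*,|*[!A-Za-z,]*) echo "bad EKU list" >&2; return 1;; esac
    old_ifs=$IFS; IFS=,
    for u in $eku; do
        case $u in
            serverAuth|clientAuth|codeSigning|emailProtection|timeStamping|OCSPSigning) ;;
            *) IFS=$old_ifs; echo "unknown EKU: $u" >&2; return 1;;
        esac
    done
    IFS=$old_ifs
    cat <<EOF
[req]
prompt = no
distinguished_name = dn
req_extensions = v3_req_eku
[dn]
CN = $cn
[v3_req_eku]
extendedKeyUsage = $eku
EOF
}

# Create OUTDIR/CN-key.pem and OUTDIR/CN.csr, then print the EKU line that
# openssl decodes from the CSR so the caller can confirm what was requested.
make_csr() {  # usage: make_csr CN EKU_LIST OUTDIR
    cfg=$(mktemp) || return 1
    write_req_config "$1" "$2" > "$cfg" || { rm -f "$cfg"; return 1; }
    rc=0
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$cfg" \
        -keyout "$3/$1-key.pem" -out "$3/$1.csr" 2>/dev/null || rc=$?
    rm -f "$cfg"
    [ "$rc" -eq 0 ] || return "$rc"
    openssl req -in "$3/$1.csr" -noout -text |
        sed -n '/Extended Key Usage/{n;s/^ *//;s/ *$//;p;}'
}
```

The EKU requested in a CSR is only a request: the signing CA decides which extensions end up in the issued certificate, so check the certificate as well.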



Source: https://stackoverflow.com/questions/17089889/openssl-x509v3-extended-key-usage
