Question
I need to add the following SAN to a certificate:
oid:1.2.3.4.5.5
My normal certificate creation process is to generate an openssl.cnf file, then using this file generate a csr (certificate signing request), and then generate a certificate from the csr using my own CA.
The .cnf file is a plain text file which contains a section describing all the SANs that I would like included in the csr and eventually the crt. That section looks like this:
...
[san]
DNS.1 = foo.bar
DNS.2 = baz.foobar
IP.1 = 1.1.1.1
IP.2 = 2.2.2.2
...
I have tried inserting the OID entry 3 different ways:
attempt 1) OID.1 = 1.2.3.4.5.5
attempt 2) DNS.3 = 1.2.3.4.5.5
attempt 3) IP.3 = 1.2.3.4.5.5
With 1) I get an error when trying to generate the certificate, indicating that the prefix OID is unrecognized. With 2) and 3) I am able to generate the crt, but when I put it in place the SAN oid:1.2.3.4.5.5 is not supported.
So, I am wondering what the correct syntax would be for adding such an entry to the Subject Alternative Names section of an openssl.cnf file.
Cheers!
Answer 1:
Based on Steffen Ullrich's answer, this version correctly specifies the OID identifier in a complete example:
subjectAltName=@san
[san]
DNS.1=foo.example.com
DNS.2=bar.example.com
RID.1=1.2.3.4.5.5
Alternatively, do it on one line:
subjectAltName=DNS:foo.example.com,DNS:bar.example.com,RID:1.2.3.4.5.5
This is particularly useful when combined with https://security.stackexchange.com/a/91556 to pass -config options to the CLI without using a .cnf file.
Answer 2:
From the documentation of the config file:
otherName can include arbitrary data associated with an OID: the value should be the OID followed by a semicolon and the content in standard ASN1_generate_nconf format.
Examples:
subjectAltName=otherName:1.2.3.4;UTF8:some other identifier
or with your example of having a SAN section it should be
subjectAltName=@san
[san]
DNS.1=foo.example.com
DNS.2=bar.example.com
otherName.1=1.2.3.4;UTF8:some other identifier
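Both answers put into one runnable check, as an added example that is not part of either answer: a complete request config (the [san] section is only honoured when a [req] section points at it through req_extensions) using the RID and otherName syntax from above, a CSR generated from it, and a parse of the resulting CSR to confirm the Registered ID and the otherName entry are actually present. It assumes the openssl CLI (1.1.1 or 3.x) is on PATH; all names and OIDs are constructed sample values.

```shell
#!/bin/sh
# Added example, not code from the original answers. Assumes the openssl CLI is
# installed; the hostnames, IP and OIDs below are constructed sample values.
set -eu

make_san_csr() {
    # Write a self-contained request config into directory $1 and generate a
    # key plus CSR from it. The [san] section is reached via [req] -> [ext].
    dir="$1"
    cat > "$dir/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
req_extensions = ext
prompt = no
[dn]
CN = foo.example.com
[ext]
subjectAltName = @san
[san]
DNS.1 = foo.example.com
DNS.2 = bar.example.com
IP.1 = 192.0.2.10
RID.1 = 1.2.3.4.5.5
otherName.1 = 1.2.3.4;UTF8:some other identifier
EOF
    openssl req -new -nodes -newkey rsa:2048 -keyout "$dir/key.pem" \
        -out "$dir/req.csr" -config "$dir/openssl.cnf" 2>/dev/null
}

san_line() {
    # Print the decoded SAN values of the CSR in $1 (the line after the header).
    openssl req -in "$1" -noout -text | sed -n '/X509v3 Subject Alternative Name/{n;p;}'
}

check_csr_san() {
    # Return 0 only if the CSR in $1 carries both the Registered ID and an
    # otherName entry; the RID is printed as "Registered ID:<oid>" by openssl.
    line=$(san_line "$1")
    case "$line" in
        *"Registered ID:1.2.3.4.5.5"*) ;;
        *) return 1 ;;
    esac
    case "$line" in
        *othername*) return 0 ;;
        *) return 1 ;;
    esac
}

workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT
make_san_csr "$workdir"
san_line "$workdir/req.csr"
check_csr_san "$workdir/req.csr" && echo "RID and otherName present in CSR"
```

The same [san] section can be reused unchanged when the CSR is signed with your own CA (for example via -extfile/-extensions on openssl x509, or copy_extensions in the CA config), so verify the final certificate the same way with openssl x509 -noout -text.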
Source: https://stackoverflow.com/questions/38030893/how-to-format-an-oid-subject-alt-name-entry-in-a-openssl-cnf-file