[英]Creating an x509 v3 user certificate by signing CSR
I know how to sign a CSR using openssl
, but the result certificate is an x509 v1, and not v3.我知道如何使用
openssl
签署 CSR,但结果证书是 x509 v1,而不是 v3。
I'm using the following commands:我正在使用以下命令:
x509 -req -days 365 -in myCSR.csr -CA myCA.crt -CAkey myCA.key -CAcreateserial -out userCertificate.crt
I've searched but have not been able to find a solution.我已经搜索过,但无法找到解决方案。 Is there another way to do this programmatically?
还有另一种方法可以以编程方式执行此操作吗?
You need to specify an extensions file.您需要指定一个扩展文件。
For example:例如:
openssl x509 -days 365 -in myCSR.csr -extfile v3.ext -CA myCA.crt -CAkey myCA.key -CAcreateserial -out userCertificate.crt
The extensions file (v3.ext) can look like this:扩展文件 (v3.ext) 可能如下所示:
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
The answer of gtrig works if you have -req as well.如果您也有 -req,gtrig 的答案也有效。 It didn't work without that for me.
没有它对我来说就行不通。
So the command is:所以命令是:
openssl x509 -req -in myCSR.csr -extfile v3.ext -CA myCA.crt -CAkey myCA.key -CAcreateserial -out userCertificate.crt -days 365
(had to give as a new answer as I don't have enough rep. to comment). (不得不给出一个新的答案,因为我没有足够的代表来评论)。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.