Azure Key Vault: Merge certificate
I'm trying to understand the merge API of Azure Key Vault. What is the use case of it?
https://docs.microsoft.com/en-us/rest/api/keyvault/mergecertificate/mergecertificate
The doc says:
The MergeCertificate operation performs the merging of a certificate or certificate chain with a key pair currently available in the service.
One use case I understand here is to create a CSR in Key Vault, get it signed by your CA and then merge it to the CSR in Key Vault to complete the certificate creation.
But what do we mean by merging a certificate chain? Does it mean the certificate chain that was used to sign the CSR?
Yes, merging the chain means the whole chain, which starts with the certificate that was generated for the CSR.
So, for a local test using OpenSSL 1.1.1:
openssl req -new -newkey rsa:2048 -nodes -out ca.csr -keyout ca.key -extensions v3_ca
openssl x509 -signkey ca.key -days 365 -req -in ca.csr -set_serial 01 -out ca.crt
openssl req -new -newkey rsa:2048 -nodes -out inter.csr -keyout inter.key -addext basicConstraints=CA:TRUE
openssl x509 -CA ca.crt -CAkey ca.key -days 365 -req -in inter.csr -set_serial 02 -out inter.crt
Generate the request using Azure Key Vault and download the CSR to the test.csr file. Assuming the key vault is named test-kv and the certificate is named test.
Sign the request using the intermediate CA:
openssl x509 -CA inter.crt -CAkey inter.key -days 365 -req -in test.csr -set_serial 03 -out test.crt
cat test.crt inter.crt ca.crt > test-chain.pem
az keyvault certificate pending merge --vault-name test-kv --name test --file test-chain.pem
Additional note about formats:
The certificate content type can be set to either PKCS12 or PEM upon creation in Azure Key Vault. As a result, the merged certificate is exported/downloaded
The format of the chain bundle for merging, however, does not depend on that content type. It only depends on the method that is used to perform the merge:
The following command can be used to create a P7B file containing the chain:
openssl crl2pkcs7 -nocrl -certfile test.crt -out test.p7b -certfile inter.crt -certfile ca.crt
When a certificate that was merged together with the chain is downloaded in PEM, it already contains the whole chain. When the certificate is downloaded as PFX, the following command can be used to convert it to PEM containing only the certificates (omitting the private key), so that the individual certificates can be extracted:
openssl pkcs12 -in downloaded-cert.pfx -nokeys -nodes -out chain.pem
Then chain.pem can be opened with a text editor and the individual certificates can be extracted to separate .crt files.
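As an added example (not code from the answer above), here is a standard-library Python script that does that last step programmatically: it splits a chain.pem bundle into separate .crt files, drops the "Bag Attributes" / "subject=" lines that `openssl pkcs12` prints around each block, and refuses to write out any block that is not a certificate, so a private key from a PFX converted without `-nokeys` can never end up in the file handed to the merge command. The input bundle is constructed inline with tiny placeholder DER bodies (not real certificates); the output file naming and the 0x30 (ASN.1 SEQUENCE) sanity check are my own choices, not anything Key Vault requires.

```python
import base64
import re
from pathlib import Path
from typing import List

# One PEM block of any label (CERTIFICATE, PRIVATE KEY, ...); the END label
# must match the BEGIN label, so blocks cannot run into each other.
PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\r?\n"
    r"(?P<body>.*?)"
    r"-----END (?P=label)-----",
    re.DOTALL,
)


def _pem(label: str, der: bytes) -> str:
    """Wrap raw DER bytes in a PEM envelope (only used to build the sample below)."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


# Constructed sample: roughly what `openssl pkcs12 -nodes` prints when `-nokeys`
# was forgotten. The DER bodies are placeholder SEQUENCEs, not real certificates.
SAMPLE_BUNDLE = (
    "Bag Attributes\n"
    "    localKeyID: 01 02 03\n"
    "subject=CN = test\n"
    "issuer=CN = inter\n"
    + _pem("CERTIFICATE", b"\x30\x03\x02\x01\x03")  # leaf (serial 03 in the answer)
    + "Bag Attributes: <No Attributes>\n"
    + "subject=CN = inter\n"
    + _pem("CERTIFICATE", b"\x30\x03\x02\x01\x02")  # intermediate
    + _pem("CERTIFICATE", b"\x30\x03\x02\x01\x01")  # root
    + _pem("PRIVATE KEY", b"\x30\x03\x02\x01\x00")  # must never be written out
)


def split_pem_bundle(text: str) -> List[str]:
    """Return the CERTIFICATE blocks of a PEM bundle, in file order, re-wrapped
    at 64 columns with all text outside the BEGIN/END markers dropped.

    Non-certificate blocks (e.g. PRIVATE KEY) are skipped. A body that is not
    valid base64 or whose first DER byte is not 0x30 (SEQUENCE) raises.
    """
    certs: List[str] = []
    for m in PEM_BLOCK.finditer(text):
        if m.group("label") != "CERTIFICATE":
            continue
        b64 = "".join(m.group("body").split())  # strip line breaks and whitespace
        der = base64.b64decode(b64, validate=True)
        if not der or der[0] != 0x30:
            raise ValueError("certificate body is not DER (missing SEQUENCE tag)")
        lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
        certs.append("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines)
                     + "\n-----END CERTIFICATE-----\n")
    return certs


def contains_private_key(text: str) -> bool:
    """True if any PEM block in `text` is a key, i.e. the file is not safe to upload."""
    return any("PRIVATE KEY" in m.group("label") for m in PEM_BLOCK.finditer(text))


def write_certs(certs: List[str], out_dir: str, prefix: str = "cert") -> List[Path]:
    """Write each certificate to <out_dir>/<prefix>-<n>.crt (n = 0 is the first
    block, i.e. the leaf when the bundle is in merge order) and return the paths."""
    out = Path(out_dir)
    out.mkdir(parents=True, exist_ok=True)
    paths: List[Path] = []
    for n, pem in enumerate(certs):
        path = out / f"{prefix}-{n}.crt"
        path.write_text(pem)
        paths.append(path)
    return paths


if __name__ == "__main__":
    import tempfile

    found = split_pem_bundle(SAMPLE_BUNDLE)
    print(f"{len(found)} certificate(s); private key in input: "
          f"{contains_private_key(SAMPLE_BUNDLE)}")
    for p in write_certs(found, tempfile.mkdtemp()):
        print("wrote", p)
```

The output files keep the order of the bundle, which for the merge is leaf first and then each issuer up to the root, the same order the `cat test.crt inter.crt ca.crt` line above produces. Running `contains_private_key` on the bundle before uploading it is a cheap way to catch a PFX that was converted without `-nokeys`.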