Change x509 certificate attributes (i.e. Organization) when signing
I've built an internal signing CA using OpenSSL.
My signing policy requires certain attributes to MATCH, including organizationName:
[ match_pol ]
organizationName = supplied # Must match 'Company ABC'
organizationalUnitName = optional # Included if present
commonName = supplied # Must be present
countryName = supplied # Must be present
Some of the CSRs I'm being given to sign from people don't have the correct organizationName (typos, etc.)
Am I able to modify the OrganizationName (or other attributes) before returning the signed certificate so it matches the name I want, and without having to reject and ask for a new CSR from the user?
I know from personal experience the CSRs I upload to DigiCert can contain any value and the returned signed certificate will have the correct EV/OV name that has been approved.
If you're using the ca tool (openssl ca) to operate your CA then you can use the -subj option to override the Subject within the request:
-subj arg
supersedes subject name given in the request. The arg must be formatted as /type0=value0/type1=value1/type2=..., characters may be escaped by \ (backslash), no spaces are skipped.
Combined with the following option(s) to configure the extensions (including Subject Alternate Name), you should be able to modify all the attributes and extensions:
-extensions section
the section of the configuration file containing certificate extensions to be added when a certificate is issued (defaults to x509_extensions unless the -extfile option is used). If no extension section is present then, a V1 certificate is created. If the extension section is present (even if it is empty), then a V3 certificate is created. See the x509v3_config(5) manual page for details of the extension section format.
and, possibly:
-extfile file
an additional configuration file to read certificate extensions from (using the default section unless the -extensions option is also used).
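The override described in the answer, as an added example that is not part of the original post: a throwaway CA signs a CSR whose O has a typo, first without and then with -subj, and prints the issued subject. The temp directory, the file names, the leaf_ext section, host.example.internal and the misspelled "Compnay ABC" are constructed, and the policy uses match for organizationName (the question's policy says supplied) so that the rejection without -subj is visible.

```shell
# Added example: throwaway CA in a temp dir. Every name below is constructed.
sign_with_subject_override() {
  local dir; dir=$(mktemp -d) || return 1
  (
    cd "$dir" || exit 1
    mkdir newcerts && : > index.txt && echo 01 > serial || exit 1
    cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = dn
string_mask = utf8only
[ dn ]
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database = index.txt
new_certs_dir = newcerts
serial = serial
certificate = ca.crt
private_key = ca.key
default_md = sha256
default_days = 30
unique_subject = no
policy = match_pol
[ match_pol ]
countryName = supplied
organizationName = match
commonName = supplied
[ leaf_ext ]
basicConstraints = critical,CA:FALSE
subjectAltName = DNS:host.example.internal
EOF
    good='/C=US/O=Company ABC/CN=host.example.internal'
    openssl req -config ca.cnf -x509 -newkey rsa:2048 -nodes -keyout ca.key \
      -out ca.crt -days 30 -subj '/C=US/O=Company ABC/CN=Demo CA' 2>/dev/null || exit 1
    # CSR as a requester might send it, with a typo in O.
    openssl req -config ca.cnf -new -newkey rsa:2048 -nodes -keyout leaf.key \
      -out leaf.csr -subj '/C=US/O=Compnay ABC/CN=host.example.internal' 2>/dev/null || exit 1
    # Without -subj, the 'match' policy must reject the misspelled O.
    if openssl ca -batch -config ca.cnf -in leaf.csr -out bad.crt 2>/dev/null; then exit 2; fi
    # With -subj, the CA's subject replaces the CSR's; the public key still comes from the CSR.
    openssl ca -batch -config ca.cnf -extensions leaf_ext -in leaf.csr \
      -out leaf.crt -subj "$good" 2>/dev/null || exit 3
    openssl x509 -in leaf.crt -noout -subject -nameopt RFC2253
  )
  local rc=$?; rm -rf "$dir"; return $rc
}
```

Exit status 2 means the un-overridden request was signed when the policy should have rejected it, and 3 means the overridden request failed.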