
Self-signed certificate: extract values into conf file

I'm creating a self-signed certificate. It is one SSL certificate for several local domains:

  • local.dev.lat.com
  • local.dev.bet.com
  • local.dev.cat.com
  • local.dev.mon.com
  • local.dev.pop.com
  • ...

I have this command for creating that:

openssl req -x509 -newkey rsa:4096 -sha256 -days 3650 -nodes \
  -keyout server.key \
  -out server.crt \
  -subj "/CN=*.local.dev.lat.com,*.local.dev.bet.com" \
  -addext "subjectAltName=DNS:*.local.dev.bet.com,DNS:local.dev.bet.com,DNS:*.local.dev.bet.com,DNS:local.dev.bet.com,IP:127.0.0.1"

My question is: as I have around 30 domains, I would like to extract the -subj and -addext params into a conf file somehow. Is it possible?

Let's call your certificate server.crt ${CERT}.

You can easily get all of the requested info in one command: openssl x509 -noout -in ${CERT} -text. You can parse that, but it's not ideal. Look at the man page for x509 for better options.

Note I am using bash to do variable substitution. You should too.

To get the serial:

serial=$(openssl x509 -serial -noout -in ${CERT}); #get only the serial
serial=${serial#*=}; #strip the 'serial=' header

To get the subject:

subject=$(openssl x509 -subject -noout -in ${CERT}); #get only the subject
subject=${subject#*=}; #strip the 'subject=' header

Now for the subjectAltName... It's an x509 extension, so it gets a bit trickier. But let's try anyway:

#use almost every certopt that exists to narrow display to X509v3 section
altname=$(openssl x509 -noout -in ${CERT} -text -certopt no_header,no_version,no_signame \
 -certopt no_validity,no_subject,no_issuer,no_pubkey,no_sigdump,no_aux,no_serial)

#remove previous extensions, headers, and leading spaces
altname=${altname#*X509v3 Subject Alternative Name: $'\n'                };

#remove any possible sections after
altname=${altname%%$'\n'*}

#unset the variable if subjectAltName didn't exist
[[ "${altname}" == "        X509v3 extensions:" ]] && unset altname

Your mileage may vary whilst parsing altname. I just whipped this up in a few minutes, so I'm sure I missed some edge cases. Anyways...

Now you have three variables you can throw at anything however you want:

echo -e "${CERT}:\n  Serial:\n    ${serial}\n  Subject:\n    ${subject}\n  subjectAltName:\n    ${altname}"

That's it. Job done...

#there seems to be a pattern forming here
openssl ec     -text -noout -check  -in private.key #check private key
openssl req    -text -noout -verify -in CSR.csr #check signing request
openssl x509   -text -noout         -in public.crt #check public key
openssl pkcs12 -info -noout         -in keyStore.p12 #check client cert
openssl crl    -text -noout         -in revocation.crl #check certificate revocation list
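Added example, not from the question or either answer, of what the question itself asks for: a shell function that writes an OpenSSL config with one bare and one wildcard DNS SAN per base domain plus the 127.0.0.1 IP SAN, so the openssl req command takes -config instead of -subj and -addext. It assumes a POSIX shell and OpenSSL 1.1.1 or later (for the -ext check in the usage comment); the section names req_dn, v3_req and alt_names are labels chosen here, not required by OpenSSL.

```shell
#!/usr/bin/env bash
# Added example, not from the original question or answers.
# gen_san_conf writes an OpenSSL config to stdout covering every base domain
# given as an argument, so the certificate request no longer needs -subj or
# -addext.  Section names (req_dn, v3_req, alt_names) are labels chosen here.
set -eu

gen_san_conf() {
  first="$1"
  # CN holds only the first domain: TLS clients match the hostname against
  # subjectAltName, so the full list belongs in [ alt_names ], not the subject.
  cat <<EOF
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_req
prompt             = no

[ req_dn ]
CN = ${first}

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = @alt_names

[ alt_names ]
EOF
  # One bare and one wildcard DNS entry per domain, each listed exactly once,
  # then the loopback IP SAN that the original command also included.
  i=1
  for d in "$@"; do
    printf 'DNS.%d = %s\n' "$i" "$d";    i=$((i + 1))
    printf 'DNS.%d = *.%s\n' "$i" "$d";  i=$((i + 1))
  done
  printf 'IP.1 = 127.0.0.1\n'
}

# Usage: one base domain per line in domains.txt (constructed input), then:
#   gen_san_conf $(cat domains.txt) > san.cnf
#   openssl req -x509 -newkey rsa:4096 -sha256 -days 3650 -nodes \
#     -keyout server.key -out server.crt -config san.cnf
#   openssl x509 -noout -in server.crt -ext subjectAltName   # confirm the SANs
```

Because prompt = no, the [ req_dn ] values are taken verbatim, and x509_extensions is the section openssl req applies when -x509 is given.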
