Certificate losing the SAN section

0

My certificate request has a SAN:

» openssl req -in csr/example.com.csr -noout -text
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: CN=example.com, O=Something, C=XX, ST=YYY, L=Someplace
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:e3:5c:b4:4c:7b:b1:8f:9f:66:0e:0d:de:d1:c6:
                    e0:48:c9:ba:1c:00:e9:22:f9:44:fd:91:53:c3:81:
                    a8:99:7b:8b:48:f6:32:aa:58:cf:ff:47:d6:b6:20:
                    d4:53:a7:6d:03:02:bd:75:dd:ca:aa:81:2d:f1:fd:
                    67:c1:4a:fe:d7:6f:0e:5c:41:13:0f:d8:30:ea:a6:
                    0f:2f:fd:56:43:df:be:5f:68:c5:5f:8a:fd:ad:9c:
                    c4:e6:87:b4:5b:1f:36:a8:b5:d3:aa:98:c7:5f:08:
                    0e:65:42:e6:d0:4d:3d:51:b3:33:af:59:0f:17:2d:
                    7e:99:d0:58:7a:00:85:65:ff:a2:4e:3b:ca:de:ec:
                    fb:bb:c4:53:50:c2:a8:90:b9:09:3d:ee:91:af:24:
                    f4:3e:0f:62:d2:eb:4a:77:a2:72:b8:11:5e:6c:4c:
                    95:99:03:4f:3e:48:dc:e5:95:3c:b6:ce:2f:50:d8:
                    12:8e:98:67:44:3b:a7:2d:46:04:de:96:3e:c8:89:
                    21:1d:e6:ce:ed:2f:24:32:85:ee:4e:35:b3:19:d7:
                    fe:00:4e:e1:a1:1c:3a:9d:ba:72:39:eb:bc:f8:b3:
                    4e:43:07:0a:4c:a2:aa:35:5b:95:88:13:15:0f:bb:
                    a9:77:37:66:0e:3a:05:c2:95:fd:cf:50:f5:bb:bd:
                    4d:07
                Exponent: 65537 (0x10001)
        Attributes:
        Requested Extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            X509v3 Key Usage: 
                Digital Signature, Non Repudiation, Key Encipherment
            X509v3 Subject Alternative Name: 
                DNS:example.com, DNS:www.example.com
    Signature Algorithm: sha256WithRSAEncryption
         2a:60:b5:f8:1e:aa:72:c1:7d:c8:aa:2f:09:82:71:0f:25:7a:
         1c:2b:b2:87:4c:9e:d3:82:50:b6:da:52:d3:09:a1:70:5a:ea:
         56:94:a8:b9:52:87:cd:35:40:35:51:c9:72:5e:a6:be:8e:e9:
         d2:9f:63:1a:4f:62:a3:2b:83:10:80:8a:6a:a9:de:7f:f6:42:
         b5:b8:a7:d5:8e:dc:33:a5:6a:5a:08:d6:8c:ab:cd:75:74:cd:
         1d:12:ef:72:dd:6c:4d:95:f9:cf:ad:ea:6e:73:e5:cc:4a:e5:
         0a:48:65:20:42:c3:46:0b:6a:1b:3e:49:b1:4e:1d:03:4d:80:
         e0:de:fa:fd:52:96:a5:6d:88:d0:a7:66:d6:fa:0a:ed:89:91:
         31:b3:0c:3a:18:f8:91:0c:1a:ca:21:22:40:af:24:14:e5:9c:
         04:5b:2a:d6:a4:bf:3f:04:00:7d:d1:35:47:e4:c5:58:83:0e:
         87:e2:70:c0:9a:89:cc:89:88:67:df:9d:cb:8d:4e:a4:a2:fa:
         f7:36:4c:44:b2:0a:e1:73:b4:a7:58:b8:5b:16:22:d4:19:b0:
         d5:a2:83:08:4b:d9:22:8e:85:7f:c7:86:8d:97:f8:b1:b6:5b:
         86:b2:c7:a5:09:da:78:4d:c0:39:b5:4e:b1:0d:a2:74:04:95:
         04:92:ed:16

But the certificate lost it:

» openssl x509 -in certs/example.com.crt -text
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: 17807092983826911732 (0xf71f80b9075a91f4)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: O=OOO, L=LLLL, ST=STST, C=CC
        Validity
            Not Before: Mar 20 10:46:25 2018 GMT
            Not After : Aug  2 10:46:25 2019 GMT
        Subject: CN=example.com, O=OOO, C=CC, ST=STST, L=LLLL
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:e3:5c:b4:4c:7b:b1:8f:9f:66:0e:0d:de:d1:c6:
                    e0:48:c9:ba:1c:00:e9:22:f9:44:fd:91:53:c3:81:
                    a8:99:7b:8b:48:f6:32:aa:58:cf:ff:47:d6:b6:20:
                    d4:53:a7:6d:03:02:bd:75:dd:ca:aa:81:2d:f1:fd:
                    67:c1:4a:fe:d7:6f:0e:5c:41:13:0f:d8:30:ea:a6:
                    0f:2f:fd:56:43:df:be:5f:68:c5:5f:8a:fd:ad:9c:
                    c4:e6:87:b4:5b:1f:36:a8:b5:d3:aa:98:c7:5f:08:
                    0e:65:42:e6:d0:4d:3d:51:b3:33:af:59:0f:17:2d:
                    7e:99:d0:58:7a:00:85:65:ff:a2:4e:3b:ca:de:ec:
                    fb:bb:c4:53:50:c2:a8:90:b9:09:3d:ee:91:af:24:
                    f4:3e:0f:62:d2:eb:4a:77:a2:72:b8:11:5e:6c:4c:
                    95:99:03:4f:3e:48:dc:e5:95:3c:b6:ce:2f:50:d8:
                    12:8e:98:67:44:3b:a7:2d:46:04:de:96:3e:c8:89:
                    21:1d:e6:ce:ed:2f:24:32:85:ee:4e:35:b3:19:d7:
                    fe:00:4e:e1:a1:1c:3a:9d:ba:72:39:eb:bc:f8:b3:
                    4e:43:07:0a:4c:a2:aa:35:5b:95:88:13:15:0f:bb:
                    a9:77:37:66:0e:3a:05:c2:95:fd:cf:50:f5:bb:bd:
                    4d:07
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha256WithRSAEncryption
         58:fa:f2:83:e1:34:50:f7:f2:04:28:af:0d:e7:27:8d:36:03:
         d3:a9:07:69:ed:5c:3e:2a:ed:e9:2a:58:f8:a3:ef:9b:4e:a6:
         ee:0a:a8:19:84:9d:5a:51:e0:7f:eb:3d:24:be:d9:9e:84:5b:
         4a:6f:57:10:b6:6b:1e:e9:12:91:bd:55:47:20:79:7f:1a:a5:
         83:b6:5c:04:7f:06:3f:f4:97:af:a5:27:7a:81:b7:08:b8:16:
         dd:f1:ab:6d:5a:f8:07:11:f3:97:96:86:08:13:42:b9:de:25:
         38:3e:ee:84:96:93:70:2a:a6:fc:7f:29:25:5d:a8:4c:c7:7c:
         3f:7a:c2:d4:9d:6e:cc:0e:b0:2c:38:dd:4c:d3:91:65:fd:cc:
         f8:ec:4d:9c:d4:88:79:e8:fc:3a:ee:8f:00:dd:9e:95:5c:ca:
         d8:bd:f7:e8:7c:cc:b4:9e:53:6c:60:d8:7a:d2:f2:4f:4a:76:
         3f:0c:33:6f:cf:d0:72:93:39:7e:12:e7:19:f4:e2:77:bf:a0:
         b7:57:22:a9:34:25:51:86:15:26:3a:8c:b2:00:29:d8:5f:98:
         69:f9:b0:36:75:a6:ca:2f:67:dc:5a:11:b2:c3:00:ab:05:6c:
         40:2c:77:d5:0d:53:1b:bb:d6:1f:dd:cd:88:95:26:e1:88:32:
         f7:92:0b:ef
-----BEGIN CERTIFICATE-----
…
-----END CERTIFICATE-----

What could be the reason? The root CA's CA_default has:

copy_extensions                = copy

EDIT

Adding a copy of my (redacted) configuration (for the CA root certificate):

#
# OpenSSL configuration file.
#

# Establish working directory.

dir                            = data

[ ca ]
default_ca                     = CA_default

[ CA_default ]
serial                         = $dir/serial
database                       = $dir/certindex.txt
new_certs_dir                  = $dir/certs
certificate                    = $dir/cacert.pem
private_key                    = $dir/private/cakey.pem
default_days                   = 365
default_md                     = md5
preserve                       = no
email_in_dn                    = no
nameopt                        = default_ca
certopt                        = default_ca
policy                         = policy_match

[ policy_match ]
countryName                    = match
stateOrProvinceName            = match
organizationName               = match
organizationalUnitName         = optional
commonName                     = supplied
emailAddress                   = optional

[ req ]
default_bits                   = 1024                   # Size of keys
default_keyfile                = key.pem                # name of generated keys
default_md                     = md5                    # message digest algorithm
string_mask                    = nombstr                # permitted characters
distinguished_name             = req_distinguished_name
req_extensions                 = v3_req

[ req_distinguished_name ]
# Variable name                Prompt string
#-------------------------     ----------------------------------
0.organizationName             = MyOrg
organizationalUnitName         = Organizational Unit Name
emailAddress                   = [email protected]
emailAddress_max               = 40
localityName                   = ThisLocation
stateOrProvinceName            = ThisState
countryName                    = RQ
countryName_min                = 2
countryName_max                = 2
commonName                     = My Certificate Authority
commonName_max                 = 64

# Default values for the above, for consistency and less typing.
# Variable name                Value
#------------------------      ------------------------------
0.organizationName_default     = Organizational Unit Name
localityName_default           = ThisLocation
stateOrProvinceName_default    = ThisState
countryName_default            = RQ

[ v3_ca ]
basicConstraints               = CA:TRUE
subjectKeyIdentifier           = hash
authorityKeyIdentifier         = keyid:always,issuer:always

[ v3_req ]
basicConstraints               = CA:FALSE
subjectKeyIdentifier           = hash

EDIT2

The conf for the CSR:

#
# OpenSSL configuration file, for generating CSRs
#

[req]
distinguished_name             = req_distinguished_name
req_extensions                 = v3_req

[ req_distinguished_name ]
# Variable name                Prompt string
#-------------------------     ----------------------------------
0.organizationName             = Some Org
organizationalUnitName         = Some Unit
emailAddress                   = [email protected]
localityName                   = SomeLoc
stateOrProvinceName            = SomeState
countryName                    = RQ
commonName                     = The Common Name

[ v3_req ]

# Extensions to add to a certificate request

basicConstraints               = CA:FALSE
keyUsage                       = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName                 = $ENV::ALTNAME
    
by dangonfast 20.03.2018 / 11:53

1 answer

1

You are currently creating a version 1 certificate. Those early certificates have no extensions, which is why the extensions from your requests are not being copied.

To fix this, you need to add the option x509_extensions = <name>, where <name> is the name of a section listing the extensions to be added to the new certificate. This forces OpenSSL to create version 3 certificates, which is the version that supports extensions. If you don't want to force the CA to add further extensions to new certificates, simply leave that section empty - but it must exist in order to create a V3 certificate.

For example:

x509_extensions = cert_ext

[cert_ext]

# This is an empty section - the next section starts below

It may be safer to add the basicConstraints extension to your new certificates with the option basicConstraints = critical,CA:FALSE in that section, to make sure nobody tries to slip in a CA certificate request.

x509_extensions = cert_ext

[cert_ext]

basicConstraints = critical,CA:FALSE

# The next section starts below
    
by 20.03.2018 / 14:06
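The following script is an added example, not code from the question or the answer above. It builds a throwaway CA with `openssl`, issues the same SAN-bearing CSR once from a CA section that (like the config pasted in the question) names neither `x509_extensions` nor `copy_extensions`, and once from a section carrying the answer's fix (`x509_extensions` pointing at a section with `critical,CA:FALSE`, plus `copy_extensions = copy`), then checks the certificate version, the SAN and the basicConstraints of each result. The "before" section leaves `copy_extensions` out so that its result does not hinge on how a given OpenSSL release treats copied extensions on their own. Every path, section name, subject and hostname in it is constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the question or answer): sign one CSR under two CA
# sections and verify what survived. All names and paths are constructed.
set -eu

WORK="$(mktemp -d)"
cd "$WORK"
mkdir -p certs private
touch index.txt
echo 1000 > serial

cat > ca.cnf <<'EOF'
dir = .

[ ca ]
default_ca = ca_v1

# Like the section pasted in the question: no x509_extensions, no copy_extensions.
[ ca_v1 ]
serial          = $dir/serial
database        = $dir/index.txt
new_certs_dir   = $dir/certs
certificate     = $dir/cacert.pem
private_key     = $dir/private/cakey.pem
default_days    = 30
default_md      = sha256
policy          = policy_any
unique_subject  = no

# The answer's fix: a named extension section (critical CA:FALSE) makes the
# certificate v3, and copy_extensions lets the CSR's SAN and keyUsage through.
[ ca_v3 ]
serial          = $dir/serial
database        = $dir/index.txt
new_certs_dir   = $dir/certs
certificate     = $dir/cacert.pem
private_key     = $dir/private/cakey.pem
default_days    = 30
default_md      = sha256
policy          = policy_any
unique_subject  = no
x509_extensions = cert_ext
copy_extensions = copy

[ cert_ext ]
basicConstraints = critical,CA:FALSE

[ policy_any ]
commonName = supplied

[ req ]
prompt             = no
distinguished_name = dn
req_extensions     = v3_req

[ dn ]
CN = example.com

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage         = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName   = DNS:example.com, DNS:www.example.com

[ v3_ca ]
basicConstraints     = critical,CA:TRUE
subjectKeyIdentifier = hash
EOF

# Self-signed demo root, then a server CSR that carries the SAN (as in the question).
openssl req -x509 -new -newkey rsa:2048 -nodes -days 30 -config ca.cnf \
    -extensions v3_ca -subj "/CN=Demo Root CA" \
    -keyout private/cakey.pem -out cacert.pem 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -config ca.cnf \
    -keyout server.key -out server.csr 2>/dev/null

V1_CRT="$WORK/v1.crt"
V3_CRT="$WORK/v3.crt"
openssl ca -config ca.cnf -name ca_v1 -batch -notext -in server.csr -out "$V1_CRT"
openssl ca -config ca.cnf -name ca_v3 -batch -notext -in server.csr -out "$V3_CRT"

# Checks worth running on every issued certificate before it is deployed.
cert_version() {   # prints 1 for a v1 certificate, 3 for a v3 one
    openssl x509 -in "$1" -noout -text | sed -n 's/^ *Version: *\([0-9]\).*$/\1/p'
}
cert_san() {       # prints the SAN list, or nothing when the extension is absent
    openssl x509 -in "$1" -noout -text | sed -n '/Subject Alternative Name/{n;s/^ *//;p;}'
}
cert_has_critical_ca_false() {   # succeeds only if basicConstraints is critical CA:FALSE
    openssl x509 -in "$1" -noout -text \
        | sed -n '/Basic Constraints: critical/{n;s/^ *//;p;}' | grep -qx 'CA:FALSE'
}

for c in "$V1_CRT" "$V3_CRT"; do
    printf '%s: version=%s SAN=[%s]\n' "$(basename "$c")" "$(cert_version "$c")" "$(cert_san "$c")"
done
```

Run as `sh demo.sh`: `v1.crt` comes out as version 1 with an empty SAN, reproducing the question, while `v3.crt` is version 3, carries `DNS:example.com, DNS:www.example.com`, and has the critical `CA:FALSE` constraint the answer recommends, so a request that smuggled in `CA:TRUE` could not override it. Checking the issued certificate this way, rather than trusting the CSR, is the habit that catches the silent downgrade in the question.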