openssl: generating a certificate request with a non-DNS subject alternative name

To create a certificate request for a host that includes a subject alternative name (SAN) with openssl, I can use a configuration file like this (trimmed):

[req]
req_extensions = v3_req
[ v3_req ]
subjectAltName = @alt_names
[alt_names]
DNS = xyz.example.com

If I need to supply a distinguished name or a user principal name, how should I configure the alt_names section for a user certificate request?
For example, I tried

[alt_names]
UPN = xyz@example.com

but I get this error:

Error Loading request extension section v3_req
5356:error:22075075:X509 V3 routines:v2i_GENERAL_NAME_ex:unsupported option:.\crypto\x509v3\v3_alt.c:557:name=userPrincipalName
5356:error:22098080:X509 V3 routines:X509V3_EXT_nconf:error in extension:.\crypto\x509v3\v3_conf.c:93:name=subjectAltName, value=@alt_names

Best answer

You can specify pretty much anything your CA allows.

The relevant RFC is RFC 5280. In section 4.2.1.6, "Subject Alternative Name", it says:

The subject alternative name extension allows identities to be bound
to the subject of the certificate. These identities may be included
in addition to or in place of the identity in the subject field of
the certificate. Defined options include an Internet electronic mail
address, a DNS name, an IP address, and a Uniform Resource Identifier
(URI). Other options exist, including completely local definitions.
Multiple name forms, and multiple instances of each name form, MAY be
included. Whenever such identities are to be bound into a
certificate, the subject alternative name (or issuer alternative
name) extension MUST be used; however, a DNS name MAY also be
represented in the subject field using the domainComponent attribute
as described in Section 4.1.2.4. Note that where such names are
represented in the subject field implementations are not required to
convert them into DNS names.

You should read the rest of that section and then check with your CA what they support. Notably, your CA must verify that all subject alternative names are correct.

For e-mail addresses, the RFC says in section 4.1.2.6:

Conforming implementations generating new certificates with
electronic mail addresses MUST use the rfc822Name in the subject
alternative name extension (Section 4.2.1.6) to describe such
identities. Simultaneous inclusion of the emailAddress attribute in
the subject distinguished name to support legacy implementations is
deprecated but permitted.

So you should use rfc822Name rather than UPN.
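The following script is an added example, not part of the question or the answer above. It builds a request configuration that carries both an rfc822Name (the form RFC 5280 section 4.1.2.6 prescribes for e-mail identities) and a userPrincipalName expressed with OpenSSL's generic otherName syntax, which is how OpenSSL represents name types it has no dedicated keyword for (the "UPN = ..." key from the question is not one it recognises). The OID 1.3.6.1.4.1.311.20.2.3 is the Microsoft UPN object identifier; the CN value, file names and the e-mail address are placeholders chosen for this example. It then prints the resulting SAN so the request can be checked locally before it is sent to a CA, which still decides which name forms it will accept.

```shell
#!/bin/sh
# Added example, not code from the original question or answer.
# Generates a CSR whose subjectAltName holds an rfc822Name and a UPN otherName,
# then shows the SAN that ended up in the request.

WORKDIR="${TMPDIR:-/tmp}/san-demo.$$"   # scratch directory (placeholder)

# Write the request configuration. "UPN = ..." is not a key OpenSSL knows;
# "otherName = OID;TYPE:value" is the generic form for such name types.
write_config() {
    mkdir -p "$WORKDIR"
    cat > "$WORKDIR/san.cnf" <<'EOF'
[req]
distinguished_name = dn
req_extensions     = v3_req
prompt             = no

[dn]
CN = xyz

[v3_req]
subjectAltName = @alt_names

[alt_names]
# rfc822Name, the form RFC 5280 section 4.1.2.6 requires for e-mail identities
email = xyz@example.com
# otherName carrying a userPrincipalName: 1.3.6.1.4.1.311.20.2.3 is the
# Microsoft UPN OID, and the value is encoded as a UTF8String
otherName = 1.3.6.1.4.1.311.20.2.3;UTF8:xyz@example.com
EOF
}

# Generate a throw-away RSA key and the CSR from that configuration.
make_csr() {
    write_config
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$WORKDIR/key.pem" -out "$WORKDIR/req.pem" \
        -config "$WORKDIR/san.cnf" 2>/dev/null
}

# Print the subjectAltName line of the CSR (the line after the extension
# header in the -text dump). OpenSSL 1.1.1 shows the otherName as
# "othername:<unsupported>"; 3.x decodes it as "othername: UPN::...".
csr_san() {
    openssl req -in "$WORKDIR/req.pem" -noout -text \
        | awk '/Subject Alternative Name/ { getline; print; exit }' \
        | sed 's/^ *//'
}

make_csr && csr_san
```

Running the script prints a line such as "email:xyz@example.com, othername: UPN::xyz@example.com" (or "othername:<unsupported>" on OpenSSL 1.1.1), confirming that both name forms were encoded into the request; whether the CA honours the otherName is the separate question the answer above raises.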
