Creating a certificate with a Subject Alternative Name

I am creating a CA certificate that must include a SAN (Subject Alternative Name).

openssl genrsa -des3 -out ca.key 2048
openssl req -new -x509 -days 3650 -key ca.key -out ca.crt -config ca_server.cnf

Contents of the ca_server.cnf file:

[ req ]
default_bits       = 2048
distinguished_name = req_distinguished_name
req_extensions     = req_ext
prompt = no
[ req_distinguished_name ]
countryName                 =LT
stateOrProvinceName         = Some-State
localityName               = London
organizationName           = KKK
commonName                 = 192.168.1.8
[ req_ext ]
subjectAltName = @alt_names
[alt_names]
DNS.1   = 192.168.1.8

I try to check the certificate contents with the following command:

openssl x509 -in server.crt -text

I get this output:

Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number:
            e2:d6:9e:6d:ae:ee:67:d1
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=LT, ST=Some-State, L=London, O=KKK, CN=192.168.1.8
        Validity
            Not Before: Jan 11 12:29:19 2020 GMT
            Not After : Dec 31 12:29:19 2021 GMT
        Subject: C=LT, ST=Some-State, L=London, O=Internet Widgits Pty Ltd, CN=192.168.1.8
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:c3:5d:ed:55:f4:20:13:8b:b4:0a:41:ba:71:e3:
                    3f:73:56:4c:30:52:2b:fb:2a:fe:cb:42:a9:ae:5f:
                    bf:2e:5f:ef:57:22:c8:cb:23:f6:fb:41:d9:77:23:
                    28:b8:2f:61:b0:28:dc:6f:a7:7d:5e:51:ca:4e:77:
                    bc:f1:8a:71:ab:50:be:ae:fe:7e:b3:88:a6:19:6b:
                    a6:87:61:9a:d5:9e:59:41:da:52:3c:84:0d:dc:b9:
                    7f:d5:e6:c6:08:28:30:45:d3:30:71:81:68:3e:bf:
                    06:22:d4:5e:a9:d4:11:cf:47:8e:39:b2:b7:04:26:
                    d7:72:d3:b3:b2:1b:9f:0c:81:38:a6:9c:c6:f8:80:
                    46:da:75:5a:11:a4:c4:54:8c:60:a2:0b:7b:d6:7c:
                    b8:8d:44:c2:9d:21:9d:63:44:2d:52:89:8a:fd:a1:
                    de:58:82:90:ed:bb:0b:a4:ea:f5:4c:37:fb:1a:af:
                    3e:a5:42:f3:c0:9c:bf:2b:ae:3b:b5:ce:5e:17:c8:
                    89:56:05:d9:e6:ac:0e:79:49:fc:ee:b4:94:c8:a2:
                    97:57:15:e8:2b:2a:84:24:99:3c:28:45:57:f9:41:
                    16:14:a9:aa:4f:d9:0c:9f:52:c9:ea:16:0d:7f:4f:
                    99:23:53:86:e9:37:7b:b6:39:1d:fd:63:dd:90:16:
                    db:57
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha256WithRSAEncryption
         46:f3:ca:39:e5:7b:6c:7e:41:9a:d4:1d:d0:b3:6f:4e:a9:0c:
         ee:52:d5:f8:0a:07:f4:a1:80:85:31:61:d7:6d:0a:63:87:19:
         15:57:86:91:48:d5:be:28:c7:99:9d:25:9a:85:d9:b1:2c:8a:
         a4:cd:8a:e6:b3:6a:71:e9:b5:b6:01:80:bb:5e:4e:65:0e:ae:
         5c:6e:a6:47:0b:d3:6b:7d:ca:79:cf:cf:16:73:05:8b:1d:72:
         3b:31:e3:b3:c6:4f:64:21:df:1d:ec:78:84:a9:e5:51:c9:28:
         74:75:93:75:92:93:8a:1c:1a:27:6d:e9:b2:99:77:d1:e0:01:
         5f:ea:7b:a4:e9:3c:05:ac:44:07:ec:26:c3:df:eb:55:3b:e3:
         14:2a:5b:3b:30:81:3a:ee:45:b4:9e:44:90:ff:13:91:5c:9c:
         6d:46:71:73:bc:0b:b8:3a:e6:c0:b1:a2:ba:88:fb:ea:cf:c7:
         2a:12:e8:bb:ba:62:24:1e:47:02:eb:71:eb:37:ea:2a:d4:31:
         bc:28:d0:89:b0:4a:17:e3:87:23:1a:5d:c3:6c:2c:75:dd:38:
         79:a7:51:f1:61:0c:45:44:77:2d:44:2f:bb:e8:c0:34:f7:61:
         1b:d8:fe:11:f7:18:3f:4b:e6:a8:59:24:e0:1f:c1:69:f4:44:
         51:1d:b4:80

I wanted to get the SAN information, but I can't find it. What did I do wrong?

Answer 1

As garethTheRed wrote, you have to use the right options (v3_req). Here is an example I made with your data:

[req]
default_bits       = 2048
distinguished_name = req_distinguished_name
req_extensions     = v3_req
prompt = no
[req_distinguished_name]
countryName                = LT
stateOrProvinceName        = Some-State
localityName               = London
organizationName           = KKK
commonName                 = yourservername.example.com
[v3_req]
subjectKeyIdentifier = hash
basicConstraints = CA:TRUE
subjectAltName = @alt_names
[alt_names]
DNS.1  = yourservername.example.com
DNS.2  = youraliasname.example.com
DNS.3  = youraliasname
IP.1   = 192.168.1.8

Do not use IP addresses as DNS names, to prevent certificate errors in browsers.
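
The configuration from this answer applied and checked end to end, as an added example that is not part of the original answer: it passes `-extensions v3_req` on the command line so that `openssl req -x509` applies that section to the self-signed certificate, then reads back the version and the SAN line. The function names, the output directory argument, the 30-day lifetime and the unencrypted throwaway key are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the original answer). Function names are hypothetical;
# the key is an unencrypted throwaway meant for testing only.

write_cnf() {  # $1 = path of the config file to write (contents follow the answer)
cat > "$1" <<'EOF'
[req]
default_bits       = 2048
distinguished_name = req_distinguished_name
req_extensions     = v3_req
prompt = no
[req_distinguished_name]
countryName                = LT
stateOrProvinceName        = Some-State
localityName               = London
organizationName           = KKK
commonName                 = yourservername.example.com
[v3_req]
subjectKeyIdentifier = hash
basicConstraints = CA:TRUE
subjectAltName = @alt_names
[alt_names]
DNS.1  = yourservername.example.com
DNS.2  = youraliasname.example.com
DNS.3  = youraliasname
IP.1   = 192.168.1.8
EOF
}

# With -x509, -extensions names the config section whose extensions go into the certificate.
make_san_cert() {  # $1 = output directory
    write_cnf "$1/ca_server.cnf" &&
    openssl req -new -x509 -newkey rsa:2048 -nodes -days 30 \
        -keyout "$1/ca.key" -out "$1/ca.crt" \
        -config "$1/ca_server.cnf" -extensions v3_req 2>/dev/null
}

cert_version() {  # prints the X.509 version number (1 or 3)
    openssl x509 -in "$1" -noout -text | sed -n 's/^ *Version: \([0-9]*\).*/\1/p'
}

cert_san() {  # prints the SAN entries, or nothing when the extension is absent
    openssl x509 -in "$1" -noout -text |
        grep -A1 'X509v3 Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
}

check_cert() {  # succeeds only for a v3 certificate that carries a SAN
    [ "$(cert_version "$1")" = 3 ] && [ -n "$(cert_san "$1")" ]
}
```

Typical use: `d=$(mktemp -d); make_san_cert "$d" && check_cert "$d/ca.crt" && cert_san "$d/ca.crt"`. A certificate that reports `Version: 1`, like the one in the question, fails `check_cert` because a version 1 certificate cannot carry extensions.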
