Generating an OpenVPN certificate valid for more than 1 year

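This command keeps generating certificates that are valid for only 365 days. Whether I change the value to 100 or to 3650, the result is the same: one year. How do I generate a certificate that is valid for 10 years?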

# openssl req -new -keyout newkey.pem -out newreq.pem -days 3650
Generating a 2048 bit RSA private key
...........................................................+++
.........................+++
writing new private key to 'newkey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:AU
State or Province Name (full name) [Some-State]:State
Locality Name (eg, city) []:City
Organization Name (eg, company) [Internet Widgits PTY Ltd]:company
Organizational Unit Name (eg, section) []:section
Common Name (eg, server FQDN or YOUR name) []:server
Email Address []:[email protected]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
# ./CA.sh -sign
Using configuration from /usr/lib/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            cb:32:13:1d:e2:40:2f:e4
        Validity
            Not Before: May 11 17:58:32 2021 GMT
            Not After : May 11 17:58:32 2022 GMT
        Subject:
            countryName               = AU
            stateOrProvinceName       = State
            localityName              = City
            organizationName          = company
            organizationalUnitName    = section
            commonName                = server
            emailAddress              = [email protected]
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                E7:8A:D9:91:7C:81:BF:C0:CE:D9:43:D7:C8:D8:03:1C:60:85:D0:35
            X509v3 Authority Key Identifier:
                keyid:CF:76:53:4A:FB:01:EC:DE:CE:40:C1:F2:F0:F6:6E:12:57:24:8F:45

Certificate is to be certified until May 11 17:58:32 2022 GMT (365 days)
Sign the certificate? [y/n]:

Answer 1

For some strange reason you have to change default_days in openssl.cnf, otherwise it overrides the command-line option -days.

That is, edit openssl.conf like this:

default_days = 3650

Intuitively this is plainly wrong and goes against any reasonable expectation of how software defaults and command-line options should (and actually do) interact, but this is how it works.
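
The behaviour described in the question and answer above, reproduced against a throwaway CA (an added example, not code from the original posts; the directory layout, config file and subject names are constructed, and the openssl CLI is assumed to be installed). A CSR has no validity field, so -days on openssl req -new never reaches the certificate; the lifetime is set at signing time by openssl ca, from default_days or from -days given to openssl ca itself.

```bash
# Added example: throwaway CA in a temp directory; every name here is constructed.
# make_ca DIR DEFAULT_DAYS: write a minimal config, a CA key/cert and one CSR.
make_ca() {
  local d=$1; mkdir -p "$d/newcerts" && : > "$d/index.txt" && echo 01 > "$d/serial"
  cat > "$d/ca.cnf" <<EOF
[ req ]
distinguished_name = dn
[ dn ]
commonName = Common Name
[ ca ]
default_ca = CA_default
[ CA_default ]
database       = $d/index.txt
new_certs_dir  = $d/newcerts
serial         = $d/serial
certificate    = $d/ca.pem
private_key    = $d/ca.key
default_md     = sha256
default_days   = $2
unique_subject = no
policy         = policy_any
[ policy_any ]
commonName = supplied
EOF
  # The second command passes -days 3650 as in the question; without -x509 it is ignored.
  openssl req -config "$d/ca.cnf" -x509 -newkey rsa:2048 -nodes -days 7300 \
    -subj "/CN=Example Test CA" -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null &&
  openssl req -config "$d/ca.cnf" -new -newkey rsa:2048 -nodes -days 3650 \
    -subj "/CN=server" -keyout "$d/key.pem" -out "$d/req.pem" 2>/dev/null
}
# sign DIR [openssl ca options]: sign DIR/req.pem into DIR/cert.pem.
sign() {
  local d=$1; shift
  openssl ca -batch -notext -config "$d/ca.cnf" "$@" \
    -in "$d/req.pem" -out "$d/cert.pem" 2>/dev/null
}
# outlives DIR DAYS: succeed if DIR/cert.pem is still valid DAYS days from now.
outlives() {
  openssl x509 -in "$1/cert.pem" -noout -checkend $(( $2 * 86400 )) >/dev/null
}
# demo: three signing runs, one line printed for each result that holds.
demo() {
  local a; a=$(mktemp -d) || return 1
  make_ca "$a" 365 && sign "$a" && outlives "$a" 364 && ! outlives "$a" 366 && echo "default_days=365, req -days 3650: 1 year"
  sign "$a" -days 3650 && outlives "$a" 3649 && echo "default_days=365, ca -days 3650: 10 years"
  make_ca "$a" 3650 && sign "$a" && outlives "$a" 3649 && echo "default_days=3650, no -days: 10 years"
  rm -rf "$a"
}
demo
```
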
