Change x509 certificate attributes (i.e. Organization) when signing

I have built an internal signing CA using OpenSSL.

My signing policy requires certain attributes to MATCH, including organizationName:

[ match_pol ]
organizationName        = supplied  # Must match 'Company ABC'
organizationalUnitName  = optional  # Included if present
commonName              = supplied  # Must be present
countryName             = supplied  # Must be present

Some people send me CSRs to sign that do not have the correct organization name (misspellings, etc.).

Can I modify the OrganizationName (or other attributes) before returning the signed certificate, so that it matches the name I want, rather than rejecting it and asking the user for a new CSR?

From personal experience, I know that a CSR I upload to DigiCert can contain any values, and the signed certificate that comes back carries the correct, already-vetted EV/OV name.

If you operate your CA with the ca tool (openssl ca), you can override the subject from the request with the -subj option:

-subj arg
supersedes subject name given in the request. The arg must be formatted as /type0=value0/type1=value1/type2=..., characters may be escaped by \ (backslash), no spaces are skipped.

Combined with the following options for configuring extensions (including subject alternative names), you should be able to modify all attributes and extensions:

-extensions section
the section of the configuration file containing certificate extensions to be added when a certificate is issued (defaults to x509_extensions unless the -extfile option is used). If no extension section is present then, a V1 certificate is created. If the extension section is present (even if it is empty), then a V3 certificate is created. See the x509v3_config(5) manual page for details of the extension section format.

and, possibly:

-extfile file
an additional configuration file to read certificate extensions from (using the default section unless the -extensions option is also used).
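The following is an added, self-contained example (not part of the answer above) that walks through the procedure the answer describes: a throwaway CA with the question's match_pol policy, a CSR submitted with a misspelled Organization, and an openssl ca run that supersedes the request subject with -subj while adding extensions (including a subjectAltName) from the config's x509_extensions section. It assumes an openssl binary (1.1.1 or 3.x) on PATH; all keys, names, paths and the "Company ABC" / "Compny ABC" values are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: fix a CSR's misspelled Organization at signing time with
# `openssl ca -subj`, then read back the issued certificate's subject.
# Everything here is constructed (throwaway keys, example.com names).
set -eu

sign_with_override() (
  work=$(mktemp -d)
  cd "$work"
  mkdir -p newcerts
  : > index.txt
  echo 1000 > serial

  # Minimal config for `openssl ca`, using the policy from the question.
  # $dir is expanded by OpenSSL, not by the shell (quoted heredoc).
  cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo_ca

[ demo_ca ]
dir              = .
new_certs_dir    = $dir/newcerts
database         = $dir/index.txt
serial           = $dir/serial
certificate      = $dir/ca.crt
private_key      = $dir/ca.key
default_md       = sha256
default_days     = 30
policy           = match_pol
x509_extensions  = leaf_ext

[ match_pol ]
organizationName        = supplied
organizationalUnitName  = optional
commonName              = supplied
countryName             = supplied

# Extensions added to every issued leaf certificate (the -extensions /
# x509_extensions mechanism from the answer), including a SAN.
[ leaf_ext ]
basicConstraints     = CA:FALSE
keyUsage             = digitalSignature, keyEncipherment
subjectAltName       = DNS:www.example.com

[ req ]
distinguished_name = req_dn
x509_extensions    = ca_ext
[ req_dn ]
[ ca_ext ]
basicConstraints     = critical, CA:TRUE
subjectKeyIdentifier = hash
EOF

  # Self-signed demo CA whose Organization is the one the policy expects.
  openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
    -subj "/C=US/O=Company ABC/CN=Demo Root CA" -days 30 -config ca.cnf 2>/dev/null

  # The user's CSR, with the Organization misspelled ("Compny").
  openssl req -new -newkey rsa:2048 -nodes -keyout user.key -out user.csr \
    -subj "/C=US/O=Compny ABC/CN=www.example.com" -config ca.cnf 2>/dev/null

  # Sign it, superseding the request's subject with the corrected DN.
  # -batch suppresses the interactive confirmation prompts.
  openssl ca -batch -config ca.cnf -in user.csr -out user.crt \
    -subj "/C=US/O=Company ABC/CN=www.example.com" 2>/dev/null

  # Emit the issued subject in RFC 2253 form; O= now reads "Company ABC".
  openssl x509 -in user.crt -noout -subject -nameopt RFC2253
)

sign_with_override
```

Note that when a policy section is in use, openssl ca writes the DN attributes in the order of the policy section (here O, CN, C), not the order given to -subj; pass -preserveDN if the request's order must be kept. The CSR's own signature is still verified before issuance, so the key binding is unchanged; only the name and extensions the CA asserts are replaced, which is exactly the trust decision the CA is responsible for.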