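PKI (Public Key Infrastructure) and CA Certification Principles: X509 V3 Certificate Extension Configuration Format
OpenSSL can configure the following items
1. Certificate display format
Each entry in the extension section takes the following form:
    name = [critical, ]value(s)
critical: if critical is present, the extension is marked as critical
value(s): the format of the value depends on what name allows (see below); if a value is in type-value form, the type and the value are separated by a colon (:)
1.1 The four types of values
string: simply a plain string
multi-valued: has a long form and a short form
Short form: a comma-separated list of names and values
    basicConstraints = critical, CA:true, pathlen:1
Long form: allows the values to be placed in a separate section, referenced as @basic_constraints
    [extensions]
    basicConstraints = critical, @basic_constraints

    [basic_constraints]
    CA = true
    pathlen = 1
raw: defined by the extension's source code; use it as little as possible. [Example: certificate policies]
arbitrary: if none of the above is supported, the arbitrary syntax can be used. [See details]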
1.2 Notes
If an extension is multi-valued and a field value contains a comma, the long form must be used; otherwise the comma is misinterpreted as a field separator. For example:
Wrong:
    subjectAltName = URI:ldap://somehost.com/CN=foo,OU=bar
Correct:
    [extensions]
    subjectAltName = @subject_alt_section

    [subject_alt_section]
    URI = ldap://somehost.com/CN=foo,OU=bar
The same field name cannot appear more than once in the same section; a later one overrides the earlier one:
Wrong:
    [extensions]
    subjectAltName = @alt_section

    [alt_section]
    email = steve@here
    email = steve@there
Correct:
    [extensions]
    subjectAltName = @alt_section

    [alt_section]
    email.1 = steve@here
    email.2 = steve@there
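A small pre-signing check for the two pitfalls in section 1.2, as an added example that is not part of the original page or of OpenSSL. The function name lint_x509v3, the TYPED set and both sample configs are constructed for illustration.

```python
import re

# Extensions whose short-form items must each look like type:value
# (assumption of this example: the set is taken from section 2 of this page).
TYPED = {"basicConstraints", "subjectAltName", "issuerAltName", "authorityInfoAccess"}

def lint_x509v3(text):
    """Return [(line_no, message)] for the two pitfalls described in section 1.2."""
    findings, section, seen = [], "default", {}
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()           # drop comments and padding
        header = re.fullmatch(r"\[\s*([^\]\s]+)\s*\]", line)
        if header:                                     # new section: reset key tracking
            section, seen = header.group(1), {}
            continue
        if "=" not in line:
            continue
        name, value = (part.strip() for part in line.split("=", 1))
        if name in seen:                               # the later line silently wins
            findings.append((no, f"[{section}] '{name}' repeats line {seen[name]}; "
                                 f"use {name}.1, {name}.2, ..."))
        seen[name] = no
        if name in TYPED:
            for item in (i.strip() for i in value.split(",")):
                if item in ("", "critical") or item.startswith("@"):
                    continue
                if ":" not in item:                    # a comma split a field value
                    findings.append((no, f"'{item}' is not type:value; a comma inside "
                                         f"a value needs the long form (@section)"))
    return findings

# Constructed input: the two "wrong" snippets from section 1.2.
BAD = """[extensions]
subjectAltName = URI:ldap://somehost.com/CN=foo,OU=bar
basicConstraints = critical, CA:true, pathlen:1
[alt_section]
email = steve@here
email = steve@there
"""
# Constructed input: the same intent in long form with numbered keys.
GOOD = """[extensions]
subjectAltName = @alt_section
[alt_section]
URI = ldap://somehost.com/CN=foo,OU=bar
email.1 = steve@here
email.2 = steve@there
"""

if __name__ == "__main__":
    for no, msg in lint_x509v3(BAD):
        print(f"line {no}: {msg}")
```

Running such a check before signing matters because both mistakes yield a certificate whose names differ from what the config author intended, with no error at the point where the duplicate key is read.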
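2. Standard extensions
The following extension syntaxes are supported.
2.1 Basic Constraints
multi-valued type;
    basicConstraints = CA:TRUE
    basicConstraints = CA:FALSE
    basicConstraints = critical, CA:TRUE, pathlen:1
CA: required; TRUE or FALSE; indicates whether this certificate is a CA certificate. End-user certificates use CA:FALSE
pathlen: used when CA is TRUE; a non-negative integer giving the number of subordinate CAs that may appear below this CA in the chain. If it is 0, this CA cannot create subordinate CAs and can only sign end-user certificates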
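How the pathlen rule plays out over a whole chain, as an added example that is not from the original page. It parses the short-form values shown above; the helper names and the sample chains are constructed, and it ignores the special handling RFC 5280 gives self-issued certificates.

```python
def parse_bc(value):
    """Parse a short-form basicConstraints value, e.g. 'critical, CA:TRUE, pathlen:1'."""
    ca, pathlen = False, None
    for item in (i.strip() for i in value.split(",")):
        key, _, val = item.partition(":")
        if key == "CA":
            ca = val.strip().lower() == "true"
        elif key == "pathlen":
            pathlen = int(val)
    if pathlen is not None and (not ca or pathlen < 0):
        raise ValueError("pathlen needs CA:TRUE and a non-negative integer")
    return ca, pathlen

def check_path(chain):
    """chain: [(name, basicConstraints value)] ordered from root to target certificate.
    Returns a list of violations; an empty list means the constraints hold."""
    problems = []
    parsed = [(name, *parse_bc(bc)) for name, bc in chain]
    for i, (name, ca, pathlen) in enumerate(parsed[:-1]):    # every issuer in the path
        if not ca:
            problems.append(f"{name}: CA:FALSE certificate used as an issuer")
            continue
        below = len(parsed) - i - 2    # CA certificates between this one and the target
        if pathlen is not None and below > pathlen:
            problems.append(f"{name}: pathlen:{pathlen} but {below} CA certificate(s) below it")
    return problems

# Constructed sample certificates (names are hypothetical).
ROOT = ("root", "critical, CA:TRUE, pathlen:1")
ISSUING = ("issuing", "critical, CA:TRUE, pathlen:0")
SUB = ("sub", "CA:TRUE")
LEAF = ("leaf", "CA:FALSE")

if __name__ == "__main__":
    print(check_path([ROOT, ISSUING, LEAF]))         # valid chain
    print(check_path([ROOT, ISSUING, SUB, LEAF]))    # issuing CA created a sub-CA
    print(check_path([ROOT, LEAF, ("leaf2", "CA:FALSE")]))
```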
2.2 Key Usage
multi-valued type;
    keyUsage = digitalSignature, nonRepudiation
    keyUsage = critical, keyCertSign
The values that can be used are:
digitalSignature
nonRepudiation
keyEncipherment
dataEncipherment
keyAgreement
keyCertSign
cRLSign
encipherOnly
decipherOnly
2.3 Extended Key Usage
multi-valued type; specifies the purposes for which the certificate's public key may be used. Each value can be a short text name or an OID.
    extendedKeyUsage = critical, codeSigning, 1.2.3.4
    extendedKeyUsage = serverAuth, clientAuth
Known values and their meanings:
    Value               Meaning
    -----               -------
    serverAuth          SSL/TLS Web Server Authentication
    clientAuth          SSL/TLS Web Client Authentication
    codeSigning         Code signing
    emailProtection     E-mail Protection (S/MIME)
    timeStamping        Trusted Timestamping
    OCSPSigning         OCSP Signing
    ipsecIKE            ipsec Internet Key Exchange
    msCodeInd           Microsoft Individual Code Signing (authenticode)
    msCodeCom           Microsoft Commercial Code Signing (authenticode)
    msCTLSign           Microsoft Trust List Signing
    msEFS               Microsoft Encrypted File System
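2.4 Subject Key Identifier
string type; the value is either hash (the hash is computed as described in RFC 5280; recommended) or a hexadecimal string entered directly (not recommended)
    subjectKeyIdentifier = hash
2.5 Authority Key Identifier
This extension has two options, keyid and issuer, and each of them can take the value always
    authorityKeyIdentifier = keyid, issuer
    authorityKeyIdentifier = keyid, issuer:always
keyid: [optional] tries to copy the subject key identifier from the parent certificate; if the always value is present, an error is returned when this fails
issuer: [optional] tries to copy the issuer and serial number from the parent certificate; if the always value is present, an error is returned when this fails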
2.6 Subject Alternative Name
multi-valued type
    subjectAltName = email:copy, email:my@other.address, URI:
    subjectAltName = IP:192.168.7.1
    subjectAltName = IP:13::17
    subjectAltName = email:my@other.address, RID:1.2.3.4
    subjectAltName = otherName:1.2.3.4;UTF8:some other identifier

    [extensions]
    subjectAltName = dirName:dir_sect

    [dir_sect]
    C = UK
    O = My Organization
    OU = My Unit
    CN = My Name
Supported name identifiers:
email: an e-mail address; the special value copy (email:copy) automatically includes the e-mail addresses found in the certificate subject name
URI: a uniform resource indicator
DNS: a DNS domain name
RID: a registered ID, given as an object identifier
IP: an IP address, IPv4 or IPv6
dirName: a distinguished name; the value names a section that holds the name as name-value pairs
otherName: arbitrary data associated with an OID [see syntax]
2.7 Issuer Alternative Name
Copies its content from the issuer certificate
    issuerAltName = issuer:copy
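2.8 Authority Info Access
This extension gives details about how to retrieve information related to the certificate that the CA makes available. The value has the form access_id;location
    authorityInfoAccess = OCSP;URI:http://ocsp.my.host/
access_id: an object identifier
location: uses the same syntax as subject alternative name (but email:copy is not supported)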
2.9 CRL Distribution Points
multi-valued type; the value can be name-value pairs in the same form as subject alternative name, or a single section name
Simple usage
When name-value pairs are used, the given values become the fullName field of the distributionPoint, and the reasons and cRLIssuer fields are omitted
    crlDistributionPoints = URI:http://myhost.com/myca.crl
    crlDistributionPoints = URI:http://my.com/my.crl, URI:http://oth.com/my.crl
Full distribution point example
    [extensions]
    crlDistributionPoints = crldp1_section

    [crldp1_section]
    fullname = URI:http://myhost.com/myca.crl
    CRLissuer = dirName:issuer_sect
    reasons = keyCompromise, CACompromise

    [issuer_sect]
    C = UK
    O = Organisation
    CN = Some Name
When a single option is used, the value is the name of a section, and that section can contain the following fields:
fullname: the full name of the distribution point, in the same format as subject alternative name
relativename: a distinguished name fragment that is set as the value of the nameRelativeToCRLIssuer field
CRLIssuer: same format as subject alternative name
reasons: a multi-valued field containing the revocation reasons; the values are: keyCompromise, CACompromise, affiliationChanged, superseded, cessationOfOperation, certificateHold, privilegeWithdrawn and AACompromise.
Only one of fullname and relativename may be set at the same time
2.10 Issuing Distribution Point
multi-valued type; this extension should only appear in CRLs, and its value names a section
    [extensions]
    issuingDistributionPoint = critical, @idp_section

    [idp_section]
    fullname = URI:http://myhost.com/myca.crl
    indirectCRL = TRUE
    onlysomereasons = keyCompromise, CACompromise
Fields that can be set in the section:
fullname: the full name of the distribution point, in the same format as subject alternative name
relativename: a distinguished name fragment that is set as the value of the nameRelativeToCRLIssuer field
onlysomereasons: a multi-valued field containing the revocation reasons; the values can be: keyCompromise, CACompromise, affiliationChanged, superseded, cessationOfOperation, certificateHold, privilegeWithdrawn and AACompromise.
onlyuser, onlyCA, onlyAA, indirectCRL: boolean values
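2.11 Certificate Policies
raw type; supports all of the defined fields of the certificate extension.
A policy without qualifiers is specified by giving its OID. Multiple policies are separated by commas. For example:
    certificatePolicies = 1.2.4.5, 1.1.3.4
To include policy qualifiers, use the "@section" syntax to point to a section that holds all of the information.
The referenced section must include the policy OID under the name policyIdentifier. cPSuri qualifiers can be set with the following syntax:
    CPS.nnn = value      # nnn is a number
userNotice qualifiers can be set with the following syntax:
    userNotice.nnn = @notice
The value of the userNotice qualifier is given in the referenced section, which can include the explicitText, organization and noticeNumbers options
explicitText and organization are text strings
noticeNumbers is a comma-separated list of numbers.
The organization and noticeNumbers options, if included, must both be present. Some software may require the ia5org option at the top level; this changes the encoding from Displaytext to IA5String.
    [extensions]
    certificatePolicies = ia5org, 1.2.3.4, 1.5.6.7.8, @polsect

    [polsect]
    policyIdentifier = 1.3.5.8
    CPS.1 = "http://my.host.name/"
    CPS.2 = "http://my.your.name/"
    userNotice.1 = @notice

    [notice]
    explicitText = "Explicit Text Here"
    organization = "Organisation Name"
    noticeNumbers = 1, 2, 3, 4
The character encoding of explicitText can be specified by prefixing the value with UTF8, BMP or VISIBLE followed by a colon. For example:
    [notice]
    explicitText = "UTF8:Explicit Text Here"
For more, see: https://www.openssl.org/docs/manmaster/man5/x509v3_config.html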
Certificate example
[root@tmp ca]# openssl x509 -in 214539495230732.pem -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            03:56:f2:6f:3a:cb:a1:50:72:d8:cd:ef:b8:9d:e1:67
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=GeoTrust RSA CA 2018
        Validity
            Not Before: Mar 19 00:00:00 2018 GMT
            Not After : Mar 19 12:00:00 2019 GMT
        Subject: C=CN, L=\xE4\xB8\x8A\xE6\xB5\xB7\xE5\xB8\x82, O=\xE4\xB8\x8A\xE6\xB5\xB7\xE5\xA4\xA7\xE4\xBC\x97\xE5\x87\xBA\xE8\xA1\x8C\xE4\xBF\xA1\xE6\x81\xAF\xE6\x8A\x80\xE6\x9C\xAF\xE8\x82\xA1\xE4\xBB\xBD\xE6\x9C\x89\xE9\x99\x90\xE5\x85\xAC\xE5\x8F\xB8, OU=IT, CN=*.letzgo.com.cn
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:83:68:63:a7:7a:14:92:dd:b3:22:d8:40:d5:58:
                    c7:65:0c:cd:84:96:7d:15:a6:41:32:8f:f1:ed:84:
                    e5:2d:58:85:d8:a3:1b:42:f9:f5:c3:bc:87:ca:5f:
                    bf:e5:59:43:9f:4b:2d:44:d2:50:d9:5c:aa:a4:2e:
                    dd:30:39:a1:82:35:92:5e:b1:3e:be:69:11:a0:e9:
                    77:1a:53:9a:90:70:78:62:99:c3:5d:bd:b3:80:7d:
                    19:e8:11:cd:16:19:0e:8c:27:d5:93:03:c0:a4:79:
                    c3:e6:d5:18:32:6a:e8:ac:ff:c5:50:75:d6:77:94:
                    c8:c0:0b:ef:87:78:dc:50:84:25:2c:1d:c7:34:9b:
                    2a:61:6b:34:b2:19:73:49:e9:5f:69:dc:fc:7d:ce:
                    9a:9e:3d:cf:fa:84:81:b3:ea:5c:d9:3b:7e:99:0a:
                    4a:58:b2:cb:12:15:8c:3c:6f:dd:5c:0c:e5:83:b3:
                    7b:d6:39:82:af:84:3c:36:4f:5d:01:a0:e2:53:18:
                    6d:5b:24:cd:fb:5a:ac:95:19:1c:95:a8:db:1f:be:
                    87:97:82:13:a7:72:21:e9:fd:49:bc:9f:d8:d0:f5:
                    cd:7e:f0:8c:b8:d0:cf:c9:7b:a2:30:75:e7:f5:89:
                    72:91:6c:fb:9f:47:11:ad:ca:5f:de:ee:84:e9:47:
                    21:4b
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Authority Key Identifier:
                keyid:90:58:FF:B0:9C:75:A8:51:54:77:B1:ED:F2:A3:43:16:38:9E:6C:C5
            X509v3 Subject Key Identifier:
                15:8D:C6:82:16:AD:A3:69:90:CE:0A:1B:A0:4C:44:FF:DF:51:00:4B
            X509v3 Subject Alternative Name:
                DNS:*.XXX.com.cn, DNS:XXX.com.cn
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 CRL Distribution Points:
                Full Name:
                  URI:http://cdp.geotrust.com/GeoTrustRSACA2018.crl
            X509v3 Certificate Policies:
                Policy: 2.16.840.1.114412.1.1
                  CPS: https://www.digicert.com/CPS
                Policy: 2.23.140.1.2.2
            Authority Information Access:
                OCSP - URI:http://status.geotrust.com
                CA Issuers - URI:http://cacerts.geotrust.com/GeoTrustRSACA2018.crt
            X509v3 Basic Constraints:
                CA:FALSE
            CT Precertificate SCTs:
                Signed Certificate Timestamp:
                    Version   : v1(0)
                    Log ID    : A4:B9:09:90:B4:18:58:14:87:BB:13:A2:CC:67:70:0A:
                                3C:35:98:04:F9:1B:DF:B8:E3:77:CD:0E:C8:0D:DC:10
                    Timestamp : Mar 19 06:46:27.553 2018 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:46:02:21:00:B9:C3:81:22:4D:74:B5:26:D3:7A:F4:
                                68:0E:D8:7C:DC:11:B5:F5:95:56:70:D6:51:96:1B:B9:
                                EF:BC:58:91:D0:02:21:00:8F:A0:62:66:7E:84:97:E2:
                                F6:4E:75:6D:9B:B2:DE:1E:F5:1E:FB:F9:99:33:C2:55:
                                96:9C:6C:18:4E:D8:6C:1A
                Signed Certificate Timestamp:
                    Version   : v1(0)
                    Log ID    : 6F:53:76:AC:31:F0:31:19:D8:99:00:A4:51:15:FF:77:
                                15:1C:11:D9:02:C1:00:29:06:8D:B2:08:9A:37:D9:13
                    Timestamp : Mar 19 06:46:27.916 2018 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:45:02:20:0C:C8:B0:17:B1:22:C7:55:8E:2C:10:C7:
                                46:AE:18:40:EA:38:E8:4F:86:DB:66:CD:91:69:EC:04:
                                6F:EA:F1:B7:02:21:00:BE:99:12:DF:FA:59:AB:DE:56:
                                FE:78:C1:F4:4B:3F:3C:3D:37:32:42:80:37:DA:B8:FF:
                                CD:14:74:A5:F2:4F:30
    Signature Algorithm: sha256WithRSAEncryption
         1f:d1:27:4e:33:49:1b:5f:12:06:be:a3:b4:3d:d6:00:0a:01:
         47:6a:f7:c4:6f:9a:f8:77:b0:79:d0:f6:8c:0d:20:3b:8c:dd:
         b4:5b:1b:63:9d:c3:9f:10:2f:91:ce:6c:a5:46:cf:94:e7:17:
         54:37:dd:4f:1a:ba:f4:df:af:e3:a3:95:c5:90:35:fb:07:7a:
         de:f4:ed:1c:bb:18:01:91:a7:a3:90:07:eb:d0:cc:eb:2a:4f:
         fe:33:78:49:ec:a0:e5:0c:09:d4:7a:d8:30:86:1e:6c:aa:a8:
         11:03:21:31:ad:1b:63:2f:88:09:51:de:00:fc:4c:44:1b:44:
         4e:04:27:78:6b:de:43:c8:79:6e:f9:b6:e5:12:3b:61:47:68:
         e1:50:2b:89:64:26:94:a9:ee:b9:f4:55:d0:1a:96:75:74:4f:
         2c:80:9d:e5:ae:02:65:a7:82:c9:2b:ab:11:55:b9:8b:32:c6:
         52:fe:99:80:13:5f:47:17:f0:f5:7c:f3:81:a5:03:1e:7e:05:
         ad:78:89:ba:a0:b6:b0:69:b2:03:de:2c:39:c5:04:16:e5:81:
         73:49:9b:b3:b5:e9:b6:1b:d7:4e:e2:94:83:3f:e4:8c:ce:81:
         b4:15:7e:4c:f5:fa:c9:cf:20:16:ca:18:92:5a:1a:9d:70:9d:
         ef:ed:18:95
References:
https://www.openssl.org/docs/manmaster/man5/x509v3_config.html
https://zh.wikipedia.org/wiki/X.509