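An earlier article showed how to generate a CSR (certificate signing request) file non-interactively; that method essentially passes the DN information through the -subj option. The more general approach in openssl, however, is to use a configuration file: set the prompt option to no and supply the values the DN needs, and the CSR file can easily be generated non-interactively. This approach is also the more common one with the openssl command, and it makes it easier to tie the settings together.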
[root@liumiaocn csr]# openssl genrsa -out ca.key 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
.........................................................................+++++
......+++++
e is 65537 (0x010001)
[root@liumiaocn csr]# ls
ca.key
[root@liumiaocn csr]#

Preparation: CSR configuration file
[root@liumiaocn csr]# cat csr_config.cnf
[ req ]
default_bits = 2048
prompt = no
default_md = sha256
distinguished_name = dn
[ dn ]
C = CN
ST = LiaoNing
L = DaLian
O = devops
OU = unicorn
CN = devops.com
[root@liumiaocn csr]#

Generating the CSR file
[root@liumiaocn csr]# openssl req -new -key ca.key -config csr_config.cnf -out request.csr
[root@liumiaocn csr]# ls
ca.key  csr_config.cnf  request.csr
[root@liumiaocn csr]#

Verifying the result
[root@liumiaocn csr]# cat request.csr
-----BEGIN CERTIFICATE REQUEST-----
...
-----END CERTIFICATE REQUEST-----
[root@liumiaocn csr]#
[root@liumiaocn csr]# openssl req -verify -in request.csr -noout -text
verify OK
Certificate Request:
    Data:
        Version: 1 (0x0)
        Subject: C = CN, ST = LiaoNing, L = DaLian, O = devops, OU = unicorn, CN = devops.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    ...
                Exponent: 65537 (0x10001)
        Attributes:
            a0:00
    Signature Algorithm: sha256WithRSAEncryption
         ...
[root@liumiaocn csr]#

Summary
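Set the prompt option in the req section to no, supply the DN information in the dn section that the distinguished_name field points to, and pass the whole configuration to the openssl command with the -config option; the CSR file is then generated non-interactively.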
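
As an added example (not from the original article), the shell functions below run the same steps end to end with stdin closed and then check the result: the CSR self-signature verifies, the subject matches the dn section, and the public key in the CSR is the one in ca.key. The function names make_csr and check_csr and the scratch directory are assumptions of this example.

```shell
#!/bin/sh
# Added example: non-interactive CSR generation from a config file, then checks.
# File names and DN values are the article's; the function names and the
# scratch directory passed in as DIR are assumptions of this example.

# make_csr DIR: write the config, then create a key and a CSR with no prompt.
make_csr() {
    dir=$1
    (
        umask 077                      # private key readable by its owner only
        cd "$dir" || exit 1
        cat > csr_config.cnf <<'EOF'
[ req ]
default_bits = 2048
prompt = no
default_md = sha256
distinguished_name = dn

[ dn ]
C = CN
ST = LiaoNing
L = DaLian
O = devops
OU = unicorn
CN = devops.com
EOF
        openssl genrsa -out ca.key 2048 2>/dev/null || exit 1
        # stdin is closed: if openssl tried to prompt, it could not get answers
        openssl req -new -key ca.key -config csr_config.cnf \
            -out request.csr </dev/null || exit 1
    )
}

# check_csr DIR: 0 if OK, 1 bad signature, 2 wrong subject, 3 key mismatch.
check_csr() {
    dir=$1
    openssl req -verify -in "$dir/request.csr" -noout 2>&1 |
        grep -q 'verify OK' || return 1
    subject=$(openssl req -in "$dir/request.csr" -noout -subject -nameopt RFC2253)
    case $subject in
        *CN=devops.com,OU=unicorn,O=devops,L=DaLian,ST=LiaoNing,C=CN) ;;
        *) return 2 ;;
    esac
    csr_pub=$(openssl req -in "$dir/request.csr" -noout -pubkey)
    key_pub=$(openssl pkey -in "$dir/ca.key" -pubout)
    [ "$csr_pub" = "$key_pub" ] || return 3
}
# usage: d=$(mktemp -d) && make_csr "$d" && check_csr "$d" && echo "CSR OK"
```

The result is matched on the text "verify OK" rather than on the exit status, because some OpenSSL versions report a failed self-signature check only as a message.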