openssl3.2/test/certs - 053 - Name constraints subordinate CA. Adds

文章目录

    • [openssl3.2/test/certs - 053 - Name constraints subordinate CA. Adds](#openssl3.2/test/certs - 053 - Name constraints subordinate CA. Adds)
    • 概述
    • 笔记
    • END

openssl3.2/test/certs - 053 - Name constraints subordinate CA. Adds

概述

openssl3.2 - 官方demo学习 - test - certs

笔记

bash 复制代码
/*!
* \file D:\my_dev\my_local_git_prj\study\openSSL\test_certs\053\my_openssl_linux_doc_053.txt
* \note openssl3.2/test/certs - 053 - Name constraints subordinate CA. Adds
*/

// --------------------------------------------------------------------------------
// official bash script
// --------------------------------------------------------------------------------
#! /bin/bash

# \file setup053.sh

# openssl3.2/test/certs - 053 - Name constraints subordinate CA. Adds
# Name constraints subordinate CA. Adds www.good.net (which should be
# disallowed because parent CA doesn't permit it) adds ok.good.com
# (which should be allowed because parent allows *.good.com
# and now excludes bad.ok.good.com (allowed in permitted subtrees
# but explicitly excluded).

NC="permitted;DNS:www.good.net, permitted;DNS:ok.good.com, "
NC="$NC excluded;DNS:bad.ok.good.com"
NC=$NC ./mkcert.sh genca "Test NC sub CA" ncca3-key ncca3-cert \
        ncca1-key ncca1-cert

// --------------------------------------------------------------------------------
// openssl cmd line parse
// --------------------------------------------------------------------------------
// cmd 1
openssl genpkey -algorithm rsa -pkeyopt rsa_keygen_bits:2048 -out ncca3-key.pem 

// cmd 2
// cfg_exp053_cmd2.txt
string_mask=utf8only
[req]
prompt = no
distinguished_name = dn
[dn]
CN = Test NC sub CA

openssl req -new -sha256 -key ncca3-key.pem -config cfg_exp053_cmd2.txt -out req_exp053_cmd2.pem

// cmd 3
// cfg_exp053_cmd3.txt
basicConstraints = critical,CA:true
keyUsage = keyCertSign,cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
nameConstraints = permitted;DNS:www.good.net, permitted;DNS:ok.good.com,  excluded;DNS:bad.ok.good.com

openssl x509 -req -sha256 -out ncca3-cert.pem -extfile cfg_exp053_cmd3.txt -CA ncca1-cert.pem -CAkey ncca1-key.pem -set_serial 2 -days 36525 -in req_exp053_cmd2.pem

// --------------------------------------------------------------------------------
// openssl log
// --------------------------------------------------------------------------------

openssl genpkey -algorithm rsa -pkeyopt rsa_keygen_bits:2048 -out ncca3-key.pem 
openssl req -new -sha256 -key ncca3-key.pem -config /dev/fd/63 

-config /dev/fd/63 => /home/lostspeed/openssl/openssl-3.2.0_debian/test/certs/my_openssl_linux_log.txt



string_mask=utf8only
[req]
prompt = no
distinguished_name = dn
[dn]
CN = Test NC sub CA
openssl x509 -req -sha256 -out ncca3-cert.pem -extfile /dev/fd/63 -CA ncca1-cert.pem -CAkey ncca1-key.pem -set_serial 2 -days 36525 

-extfile /dev/fd/63 => /home/lostspeed/openssl/openssl-3.2.0_debian/test/certs/my_openssl_linux_log.txt



basicConstraints = critical,CA:true
keyUsage = keyCertSign,cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
nameConstraints = permitted;DNS:www.good.net, permitted;DNS:ok.good.com,  excluded;DNS:bad.ok.good.com

END

相关推荐
王小义笔记4 天前
windows电脑如何执行openssl rand命令
windows·openssl
Humbunklung7 天前
VC++ 使用OpenSSL创建RSA密钥PEM文件
开发语言·c++·openssl
深耕AI1 个月前
Win64OpenSSL-3_5_2.exe【安装步骤】
openssl
看那山瞧那水1 个月前
DELPHI 利用OpenSSL实现加解密,证书(X.509)等功能
delphi·openssl
洋哥网络科技1 个月前
openssl升级
openssl
Lazy Dave2 个月前
gmssl私钥文件格式
网络安全·ssl·openssl
沉在嵌入式的鱼2 个月前
RK3588移植Openssl库
linux·rk3588·openssl
黑屋里的马3 个月前
ssl相关命令生成证书
服务器·网络·ssl·openssl·gmssl
fangeqin3 个月前
ubuntu源码安装python3.13遇到Could not build the ssl module!解决方法
linux·python·ubuntu·openssl
API开发3 个月前
苹果芯片macOS安装版Homebrew(亲测) ,一键安装node、python、vscode等,比绿色软件还干净、无污染
vscode·python·docker·nodejs·openssl·brew·homebrew