openssl3.2/test/certs - 053 - Name constraints subordinate CA. Adds

文章目录

    • [openssl3.2/test/certs - 053 - Name constraints subordinate CA. Adds](#openssl3.2/test/certs - 053 - Name constraints subordinate CA. Adds)
    • 概述
    • 笔记
    • END

openssl3.2/test/certs - 053 - Name constraints subordinate CA. Adds

概述

openssl3.2 - 官方demo学习 - test - certs

笔记

bash 复制代码
/*!
* \file D:\my_dev\my_local_git_prj\study\openSSL\test_certs\053\my_openssl_linux_doc_053.txt
* \note openssl3.2/test/certs - 053 - Name constraints subordinate CA. Adds
*/

// --------------------------------------------------------------------------------
// official bash script
// --------------------------------------------------------------------------------
#! /bin/bash

# \file setup053.sh

# openssl3.2/test/certs - 053 - Name constraints subordinate CA. Adds
# Name constraints subordinate CA. Adds www.good.net (which should be
# disallowed because parent CA doesn't permit it) adds ok.good.com
# (which should be allowed because parent allows *.good.com
# and now excludes bad.ok.good.com (allowed in permitted subtrees
# but explicitly excluded).

NC="permitted;DNS:www.good.net, permitted;DNS:ok.good.com, "
NC="$NC excluded;DNS:bad.ok.good.com"
NC=$NC ./mkcert.sh genca "Test NC sub CA" ncca3-key ncca3-cert \
        ncca1-key ncca1-cert

// --------------------------------------------------------------------------------
// openssl cmd line parse
// --------------------------------------------------------------------------------
// cmd 1
openssl genpkey -algorithm rsa -pkeyopt rsa_keygen_bits:2048 -out ncca3-key.pem 

// cmd 2
// cfg_exp053_cmd2.txt
string_mask=utf8only
[req]
prompt = no
distinguished_name = dn
[dn]
CN = Test NC sub CA

openssl req -new -sha256 -key ncca3-key.pem -config cfg_exp053_cmd2.txt -out req_exp053_cmd2.pem

// cmd 3
// cfg_exp053_cmd3.txt
basicConstraints = critical,CA:true
keyUsage = keyCertSign,cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
nameConstraints = permitted;DNS:www.good.net, permitted;DNS:ok.good.com,  excluded;DNS:bad.ok.good.com

openssl x509 -req -sha256 -out ncca3-cert.pem -extfile cfg_exp053_cmd3.txt -CA ncca1-cert.pem -CAkey ncca1-key.pem -set_serial 2 -days 36525 -in req_exp053_cmd2.pem

// --------------------------------------------------------------------------------
// openssl log
// --------------------------------------------------------------------------------

openssl genpkey -algorithm rsa -pkeyopt rsa_keygen_bits:2048 -out ncca3-key.pem 
openssl req -new -sha256 -key ncca3-key.pem -config /dev/fd/63 

-config /dev/fd/63 => /home/lostspeed/openssl/openssl-3.2.0_debian/test/certs/my_openssl_linux_log.txt



string_mask=utf8only
[req]
prompt = no
distinguished_name = dn
[dn]
CN = Test NC sub CA
openssl x509 -req -sha256 -out ncca3-cert.pem -extfile /dev/fd/63 -CA ncca1-cert.pem -CAkey ncca1-key.pem -set_serial 2 -days 36525 

-extfile /dev/fd/63 => /home/lostspeed/openssl/openssl-3.2.0_debian/test/certs/my_openssl_linux_log.txt



basicConstraints = critical,CA:true
keyUsage = keyCertSign,cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
nameConstraints = permitted;DNS:www.good.net, permitted;DNS:ok.good.com,  excluded;DNS:bad.ok.good.com

END

相关推荐
coder4_8 天前
OpenSSL 加密算法与证书管理全解析:从基础到私有 CA 实战
https·openssl·ssl/tls·加密算法·ca证书
王小义笔记15 天前
windows电脑如何执行openssl rand命令
windows·openssl
Humbunklung18 天前
VC++ 使用OpenSSL创建RSA密钥PEM文件
开发语言·c++·openssl
深耕AI1 个月前
Win64OpenSSL-3_5_2.exe【安装步骤】
openssl
看那山瞧那水1 个月前
DELPHI 利用OpenSSL实现加解密,证书(X.509)等功能
delphi·openssl
洋哥网络科技2 个月前
openssl升级
openssl
Lazy Dave2 个月前
gmssl私钥文件格式
网络安全·ssl·openssl
沉在嵌入式的鱼3 个月前
RK3588移植Openssl库
linux·rk3588·openssl
黑屋里的马3 个月前
ssl相关命令生成证书
服务器·网络·ssl·openssl·gmssl
fangeqin3 个月前
ubuntu源码安装python3.13遇到Could not build the ssl module!解决方法
linux·python·ubuntu·openssl