Fenying

Angus’ Home.


12 Sep 2016

在 MinGW 中使用 OpenSSL 创建证书时的 BUG

openssl req 命令在 MinGW 环境下无法正确生成证书的 Bug。

以下面的命令为例

openssl req -new -newkey rsa:2048 -sha256 -nodes \
  -out sample.com.csr \
  -keyout sample.com.key \
  -subj "/C=CountryShortName/ST=ProvinceName/L=CityName/O=Example Inc./OU=Web Security/CN=sample.com"

执行后报错

Generating a 2048 bit RSA private key
...............................................................................+++
................................................................................................................+++
writing new private key to 'sample.com.key'
-----
Subject does not start with '/'.
problems making Certificate Request

问题出在 MingW 身上,需要在 -subj 的参数前面加一个斜杠 /:

openssl req -new -newkey rsa:2048 -sha256 -nodes \
  -out sample.com.csr \
  -keyout sample.com.key \
  -subj "//C=CountryShortName/ST=ProvinceName/L=CityName/O=Example Inc./OU=Web Security/CN=sample.com"

但是第一个 / 使得后面的 / 被认为是 NID 的一部分,这又会导致第一段主题信息被视为 /C=CountryShortName 而不是 C=CountryShortName

结果得到下面的错误:

Generating a 2048 bit RSA private key
.+++
................................................................................................................................................+++
writing new private key to 'sample.com.key'
-----
Subject Attribute /C has no known NID, skipped

为了解决这个问题,可以在 /C=CountryShortName,前面再加一段 /skip=yes

openssl req -new -newkey rsa:2048 -sha256 -nodes \
  -out sample.com.csr \
  -keyout sample.com.key \
  -subj "//skip=yes/C=CountryShortName/ST=ProvinceName/L=CityName/O=Example Inc./OU=Web Security/CN=sample.com"

就保护了 C=CountryShortName 不被影响。

该文章根据 CC-BY-4.0 协议发表,转载请遵循该协议。
本文地址:https://fenying.net/post/2016/09/12/openssl-bug-for-certificate-in-mingw/

comments powered by Disqus