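A bug when creating certificates with OpenSSL in MinGW

This article is published under the CC-BY-4.0 license; please follow that license when reposting.
Article URL: https://fenying.net/post/2016/09/12/openssl-bug-for-certificate-in-mingw/

A bug where the openssl req command fails to generate a certificate correctly in the MinGW environment.

Take the following command as an example: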

openssl req -new -newkey rsa:2048 -sha256 -nodes \
  -out sample.com.csr \
  -keyout sample.com.key \
  -subj "/C=CountryShortName/ST=ProvinceName/L=CityName/O=Example Inc./OU=Web Security/CN=sample.com"

Running it fails with an error:

Generating a 2048 bit RSA private key
...............................................................................+++
................................................................................................................+++
writing new private key to 'sample.com.key'
-----
Subject does not start with '/'.
problems making Certificate Request

The problem lies with MinGW: an extra slash / has to be added in front of the -subj argument:

openssl req -new -newkey rsa:2048 -sha256 -nodes \
  -out sample.com.csr \
  -keyout sample.com.key \
  -subj "//C=CountryShortName/ST=ProvinceName/L=CityName/O=Example Inc./OU=Web Security/CN=sample.com"

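However, the first / causes the / after it to be treated as part of the NID, so the first subject segment is read as /C=CountryShortName rather than C=CountryShortName.

The result is the following error: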

Generating a 2048 bit RSA private key
.+++
................................................................................................................................................+++
writing new private key to 'sample.com.key'
-----
Subject Attribute /C has no known NID, skipped

To work around this, add another segment, /skip=yes, in front of /C=CountryShortName:

openssl req -new -newkey rsa:2048 -sha256 -nodes \
  -out sample.com.csr \
  -keyout sample.com.key \
  -subj "//skip=yes/C=CountryShortName/ST=ProvinceName/L=CityName/O=Example Inc./OU=Web Security/CN=sample.com"

The dummy skip segment now takes the place of the mangled first segment, so C=CountryShortName is no longer affected.
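
A script that has to run both under MinGW and on other systems can apply the workaround only where it is needed and then confirm that the C attribute actually ended up in the CSR. The following is an added example, not part of the original post; the function names subj_for_shell and subject_has_country are hypothetical, the sample values (XX, example.test) are constructed, and the two subject-line layouts it accepts are assumptions about what `openssl req -noout -subject` prints in different OpenSSL versions.

```shell
#!/bin/sh
# Build the -subj value for the current shell. On MinGW/MSYS shells the
# workaround from this article is applied: a doubled leading slash plus a
# throwaway first segment ("skip=yes") that is sacrificed instead of C=.
# $1 = subject in normal form, e.g. /C=XX/ST=Province/CN=example.test
# $2 = optional kernel name (defaults to `uname -s`); lets the logic be tested
subj_for_shell() {
    subject=$1
    kernel=${2:-$(uname -s)}
    case "$subject" in
        /*) ;;
        *)  echo "subject must start with '/'" >&2; return 1 ;;
    esac
    case "$kernel" in
        MINGW*|MSYS*) printf '%s\n' "//skip=yes${subject}" ;;
        *)            printf '%s\n' "$subject" ;;
    esac
}

# Check that the country attribute survived in the generated CSR.
# $1 = line printed by: openssl req -in sample.com.csr -noout -subject
# $2 = expected country value
# Accepts both "subject=/C=XX/ST=..." and "subject=C = XX, ST = ..." (assumed layouts).
subject_has_country() {
    normalized=$(printf '%s' "$1" | sed \
        -e 's|^subject= *||' \
        -e 's| *= *|=|g' \
        -e 's|, *|/|g' \
        -e 's|^/*|/|')
    case "$normalized/" in
        */C="$2"/*) return 0 ;;
        *)          return 1 ;;
    esac
}

# Usage (constructed values):
#   openssl req -new -newkey rsa:2048 -sha256 -nodes \
#     -out sample.com.csr -keyout sample.com.key \
#     -subj "$(subj_for_shell "/C=XX/ST=Province/CN=example.test")"
#   subject_has_country "$(openssl req -in sample.com.csr -noout -subject)" XX \
#     || echo "C attribute missing from CSR subject" >&2
```

The check matters because the "has no known NID, skipped" case still writes a CSR, just without the first attribute.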
