Creating a certificate signing request (CSR) containing UTF-8 characters with openssl

Creating the CSR file from the command line

$> openssl req -new -newkey rsa:2048 -nodes -keyout example.key -out example.csr
Generating a 2048 bit RSA private key
.........................+++
........................+++
writing new private key to 'example.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:BEIJING
Locality Name (eg, city) []:BEIJING
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Beijing Example Technologies Inc.
Organizational Unit Name (eg, section) []:IT
Common Name (e.g. server FQDN or YOUR name) []:*.example.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []: 

Once the file has been generated, you can inspect it with the command below, or check it at http://certlogik.com/decoder/.

openssl req -in example.csr -noout -text

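If the company name, city and other fields need to be in Chinese, the command above will not work.
Following the hint in this post, first create an openssl.conf file: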

RANDFILE               = $ENV::HOME/.rnd

[ req ]
string_mask = utf8only
utf8        = yes
default_bits           = 2048
default_keyfile        = example.key
distinguished_name     = req_distinguished_name
prompt                 = no

[ req_distinguished_name ]
C                      = CN
ST                     = 北京
L                      = 北京
O                      = 北京XX科技有限公司
OU                     = IT
CN                     = *.example.com

Then generate the CSR with this command:

openssl req -config openssl.conf -new -newkey rsa:2048 -nodes -keyout example.key -out example.csr 
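
To confirm that the Chinese fields were actually encoded as UTF8String and not mangled, the following added example (not part of the original post) generates the CSR from the same configuration and inspects its ASN.1 encoding. The function names and the temporary directory are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are assumptions;
# the DN values are the article's sample values.

# Write the UTF-8 req config into directory $1, then create key and CSR there.
make_utf8_csr() {
    cat > "$1/openssl.conf" <<'EOF'
[ req ]
string_mask        = utf8only
utf8               = yes
distinguished_name = req_distinguished_name
prompt             = no

[ req_distinguished_name ]
C  = CN
ST = 北京
L  = 北京
O  = 北京XX科技有限公司
OU = IT
CN = *.example.com
EOF
    # umask 077 keeps the unencrypted private key readable by its owner only.
    ( umask 077
      openssl req -config "$1/openssl.conf" -new -newkey rsa:2048 -nodes \
          -keyout "$1/example.key" -out "$1/example.csr" 2>/dev/null )
}

# Print the ASN.1 string type that encodes DN attribute $2 in CSR file $1.
dn_field_type() {
    openssl asn1parse -in "$1" | awk -v f=":$2" '
        /OBJECT/ && index($0, f) {
            getline; sub(/.*prim: */, ""); sub(/ .*/, ""); print; exit
        }'
}

# Print the subject with non-ASCII characters as UTF-8 instead of \XX escapes.
csr_subject() {
    openssl req -in "$1" -noout -subject -nameopt oneline,-esc_msb
}

# Demo: generate in a temporary directory and show what was encoded.
demo_dir=$(mktemp -d)
if make_utf8_csr "$demo_dir"; then
    echo "O encoded as: $(dn_field_type "$demo_dir/example.csr" organizationName)"
    csr_subject "$demo_dir/example.csr"
fi
rm -rf "$demo_dir"
```

organizationName should report UTF8STRING, while countryName stays PRINTABLESTRING because its type is fixed regardless of string_mask.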

Reference links:

https://support.globalsign.com/customer/portal/articles/1221285-generate-csr---nginx
http://www.digicert.com/csr-creation-nginx.htm
http://wiki.nginx.org/HttpSslModule
http://stackoverflow.com/questions/13221554/how-to-generate-csr-for-ssl-that-works-with-nginx-apache
https://groups.google.com/forum/#!topic/mailing.openssl.users/X3xMfvCn1_I
http://www.openssl.org/docs/apps/req.html
