0

I generated a CSR with the following openssl commands:

openssl genrsa -out mytestdomain.key 2048
openssl req -new -sha256 -key mytestdomain.key -out mytestdomain.csr

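I tried to place a security certificate order from the SoftLayer customer portal, using the contents of mytestdomain.csr under "Enter Certificate Signing Request (CSR)", and I received this error message: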

"Must match CSR Base64 encoded PEM format ---BEGIN CERTIFICATE REQUEST--- Base64 Encoded String --End CERTIFICATE REQUEST ---"

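How can I generate a Base64-encoded PEM CSR with openssl?

If I enter a correct CSR value from a sample file, I can see that SoftLayer sends a validation request to: https://control.softlayer.com/security/sslorders/validatecsr

and the response shows a valid email address, country and so on, for example: {"success":true,"result":{"X":"XX","xx":"XXXX, Europe","L":"XXXX City" ,"O":"我的测试","OU":"VPN","XX":"mytest.com","emailAddress":"test@mytest.com"}}

Question 2: Which method can I use to validate a CSR and extract the information in it, similar to what the SoftLayer customer portal does?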

4

2 Answers

0

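I'm not sure which CSR types SoftLayer supports; if you want more information, you can submit a ticket. However, if you want to validate a CSR, you can try this: SSL Decoder, which is PHP-based. I also extracted a small part of its code to get the result you expect; please try the following: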

<?php
/**
 * Function get_sans_from_csr
 */
function get_sans_from_csr($csr) {
  global $random_blurp;
  global $timeout;
  $sans = array();
  $openssl_csr_output = ""; // stays empty if the temporary file cannot be written
  //openssl_csr_get_subject doesn't support SAN names.
  $filename = "C:/Csr/tmp/csr-" . $random_blurp . "-" . gen_uuid() . ".csr.pem";
  $write_csr = file_put_contents($filename, $csr);
  if($write_csr !== FALSE) {
    // Cast the timeout and quote the path so neither is interpreted by the shell.
    $openssl_csr_output = trim((string) shell_exec("timeout " . (int) $timeout . " openssl req -noout -text -in " . escapeshellarg($filename) . " | grep -e 'DNS:' -e 'IP:'"));
    unlink($filename);
  }
  if($openssl_csr_output) {

    $csr_san_dns = explode("DNS:", $openssl_csr_output);
    $csr_san_ip = explode("IP:", $openssl_csr_output);
    if(count($csr_san_dns) > 1) {
      foreach ($csr_san_dns as $key => $value) {
        if($value) {
          $san = trim(str_replace(",", "", str_replace("DNS:", "", $value)));
          array_push($sans, $san);
        }
      }
    }
    if(count($csr_san_ip) > 1) {
      foreach ($csr_san_ip as $key => $value) {
        if($value) {
          $san = trim(str_replace(",", "", str_replace("IP:", "", $value)));
          array_push($sans, $san);
        }
      }
    } 
  }
  // Always return an array (possibly empty) so callers can count() it safely.
  return $sans;
}

/**
 * Function csr_parse_json
 */
function csr_parse_json($csr) {
  // if csr or cert is pasted in form this function parses the csr or it send the cert to cert_parse.
  global $random_blurp;
  global $timeout;
  $result = array();
  if (strpos($csr, "BEGIN CERTIFICATE REQUEST") !== false) { 
    $cert_data = openssl_csr_get_public_key($csr);
    $cert_details = openssl_pkey_get_details($cert_data);
    $cert_key = $cert_details['key'];
    $cert_subject = openssl_csr_get_subject($csr);
    $result["subject"] = $cert_subject;
    $result["key"] = $cert_key;
    $result["details"] = $cert_details; 
    if ($cert_details) {
      $result["csr_pem"] = $csr;
      $sans = get_sans_from_csr($csr);
      // A single SAN is still a result worth reporting.
      if(is_array($sans) && count($sans) >= 1) {
        $result["csr_sans"] = $sans;
      }
    }
  } elseif (strpos($csr, "BEGIN CERTIFICATE") !== false) {
    // cert_parse_json() is another SSL Decoder function; it is not included in this excerpt.
    $result = cert_parse_json($csr, null, null, null, null, true);
  } else {
    $result = array("error" => "data not valid csr");
  }
  return $result;
}

/**
 * Function gen_uuid
 */
function gen_uuid() {
  //from stack overflow.
  return sprintf( '%04x%04x-%04x-%04x-%04x-%04x%04x%04x',
    // 32 bits for "time_low"
    mt_rand( 0, 0xffff ), mt_rand( 0, 0xffff ),
    // 16 bits for "time_mid"
    mt_rand( 0, 0xffff ),
    // 16 bits for "time_hi_and_version",
    // four most significant bits holds version number 4
    mt_rand( 0, 0x0fff ) | 0x4000,
    // 16 bits, 8 bits for "clk_seq_hi_res",
    // 8 bits for "clk_seq_low",
    // two most significant bits holds zero and one for variant DCE1.1
    mt_rand( 0, 0x3fff ) | 0x8000,
    // 48 bits for "node"
    mt_rand( 0, 0xffff ), mt_rand( 0, 0xffff ), mt_rand( 0, 0xffff )
  );
}

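// Globals read by get_sans_from_csr(); these values are assumptions, adjust as needed
$random_blurp = mt_rand(1000, 99999); // component of the temporary file name
$timeout = 2;                         // seconds before the openssl call is aborted

// Define your csr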
$data = csr_parse_json("-----BEGIN CERTIFICATE REQUEST-----
MIIC9DCCAdwCAQAwga4xCzAJBgNVBAYTAkJPMRMwEQYDVQQIDApDb2NoYWJhbWJh
MRMwEQYDVQQHDApDb2NoYWJhbWJhMRkwFwYDVQQKDBBSdWJlclRlc3RDb21wYW55
MRAwDgYDVQQLDAdzZWN0aW9uMR0wGwYDVQQDDBR3d3cucnViZXJjdWVsbGFyLmNv
bTEpMCcGCSqGSIb3DQEJARYacnViZXIuY3VlbGxhckBqYWxhc29mdC5jb20wggEi
MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDw8QIBguC4qRsvb3I9K/2qO50g
zB3hEwb0DOCWa5LXUgpq3SHYohtlEdneUiRiYtn4ggO0NjZ4f4hfvQ9iZ10zH8/v
W7DeElvdJBP0dHEInuhKGP6wjieR2IkkPzsOTCeVJ6FOnxsC192qgXG0O8WjquKh
g6NZKdW0oLtl1/mWFixmWFwcjh7IUWZ/J0NpAlHBtDpYILRD84rHv1XK9GE1JUfO
euSwq6K0jRmK388Xt37bxFj5iMMpHXI55+LIpA9ZoV9NffCiGoohwp45QgEXdkfm
1NBGVXiGaQzn1HgnpdnYR05tAScOkqJ4yRkCUatE8q3F9+u8KM2e+mIxHeflAgMB
AAGgADANBgkqhkiG9w0BAQsFAAOCAQEA3TRZYZuhsQHmZ8anuMHawCcu6He5g3Yg
hpV4O06Knzblvdy9OvK1+jEPUEpTUGgyty0kU5WCru8+FL8+2/ycrUN8bisYDHlG
7KuzOuMxsz2/U/Vj3KAerv+/sIv2oDUN7otjA5smK6769gO1NjPPSXe/nDOPh3WC
YeRYRkLqCuTG6GfqmMK/o4vHrYXyxu6apvMId6PFmAEHqMZorebo8NyqvMA3pT1D
p+LuLZsqZWNsfX9iN31+PNCWvVKaDzF3z9vWmaDV61jiteRt0gOzun9GnRV2QRpS
5GjdY64A7dpB7VuVsnXePb5RbeWQQtMwwhuW01TzzlwB9yHwlel/hQ==
-----END CERTIFICATE REQUEST-----");
// Print whole result
print_r($data);

// Print "subject" property from the result
print_r($data["subject"]);

?>

All the methods used in the script were extracted from: SSL Decoder

answered 2016-01-04T18:55:36.090
0

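Regarding your questions:

Question 1: I followed the steps in this link and it worked for me:

https://www.instantssl.com/ssl-certificate-support/csr-generation/ssl-certificate-mod-ssl.html

This will generate the .key and .csr files. You should provide the contents of the .csr file as the CSR.

Question 2: The SoftLayer_Security_Certificate_Request::validateCsr method will help to validate the CSR.

Here is a PHP example: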

<?php
/**
 * Validate Csr
 *
 * This script allows you to validate a Certificate Signing Request (CSR) required 
 * for an SSL certificate with the certificate authority (CA). This method sends the CSR, 
 * the length of the subscription in months, the certificate type, and the server type for 
 * validation against requirements of the CA. Returns true if valid.
 *
 * Important manual pages:
 * @see http://sldn.softlayer.com/reference/services/SoftLayer_Security_Certificate_Request/validateCsr
 *
 * @license <http://sldn.softlayer.com/wiki/index.php/license>
 * @author SoftLayer Technologies, Inc. <sldn@softlayer.com>
 */
require_once __DIR__ . '/vendor/autoload.php';

/**
 * Your SoftLayer API username and apiKey
 * @var string
 * @var string
 */
$apiUsername = 'set me';
$apiKey = 'set me';

/**
 * The encoded CSR data string
 * @var string
 */
$csr = "-----BEGIN CERTIFICATE REQUEST-----\n...\n-----END CERTIFICATE REQUEST-----"; // paste your full PEM-encoded CSR here

/**
 * The product item identifier for the type of SSL certificate
 * E.g: Item Id: 965 Description: RapidSSL - 2 year
 * @var int
 */
$itemId = 965;

 /**
 * The type of server in which the certificate will be installed
 * @var string
 */
$serverType = "apache2";

/**
 * The length of the certificate subscription desired in months. Typically 12 or 24 months
 * @var int
 */
$validityMonths = 24;

// Create a SoftLayer API client object for "SoftLayer_Security_Certificate_Request" service
$client = \SoftLayer\SoapClient::getClient('SoftLayer_Security_Certificate_Request', null, $apiUsername, $apiKey);

try {
    $result = $client->validateCsr($csr, $validityMonths, $itemId, $serverType);
    print_r($result);
} catch (\Exception $e) {
    die('Unable to validate CSR: ' . $e->getMessage());
}

I hope this information helps you.

answered 2015-12-23T15:43:50.877
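
A local pre-flight check for the workflow in the question, as an added example that is not part of either answer: it generates the CSR non-interactively, confirms the file has the exact PEM armor a portal expects, verifies the CSR's self-signature and prints the subject. The function names, file names and the subject string are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: local pre-flight check for a CSR before it is pasted into a portal.
# File names and the subject string are constructed sample values.

# pem_armor_ok FILE: succeed only if FILE starts with the exact five-dash CSR
# header, ends with the matching footer and has only Base64 lines in between.
pem_armor_ok() {
  awk '
    NR == 1 { if ($0 != "-----BEGIN CERTIFICATE REQUEST-----") bad = 1; next }
    $0 == "-----END CERTIFICATE REQUEST-----" { ended = 1; next }
    ended && NF { bad = 1 }                           # data after the footer
    !ended && $0 !~ "^[A-Za-z0-9+/=]+$" { bad = 1 }   # CR, spaces, other headers
    END { exit ((bad || !ended) ? 1 : 0) }' "$1"
}

# make_csr KEY CSR SUBJECT: the question's two commands, made non-interactive.
make_csr() {
  openssl genrsa -out "$1" 2048 2>/dev/null &&
    openssl req -new -sha256 -key "$1" -subj "$3" -out "$2"
}

# csr_report CSR: check the armor, verify the self-signature, print the subject.
csr_report() {
  pem_armor_ok "$1" || { echo "not a PEM CSR: $1" >&2; return 1; }
  # Match the message instead of relying on the exit status of -verify.
  openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK' ||
    { echo "self-signature check failed: $1" >&2; return 2; }
  openssl req -in "$1" -noout -subject -nameopt RFC2253
}

# Usage:
#   make_csr mytestdomain.key mytestdomain.csr "/C=US/O=Example/CN=www.example.test"
#   csr_report mytestdomain.csr
```

The armor check is deliberately strict: a `BEGIN NEW CERTIFICATE REQUEST` header, Windows line endings or trailing spaces all make it fail, which helps narrow down a format rejection before the CSR is submitted.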