我想将 EmailAddress 添加到我的 PKCS10 CSR:
.addRDN( BCStrictStyle.EmailAddress, emailAddr )
为什么 Bouncy/Spongey 规范这么说?:
org.spongycastle.asn1.x500.style.BCStyle public static final org.spongycastle.asn1.ASN1ObjectIdentifier EmailAddress Email address (RSA PKCS#9 extension) - IA5String. Note: if you're trying to be ultra orthodox, don't use this! It shouldn't be in here.
将 EmailAddr 添加到 x500name 作为 CSR 的一部分是否存在“错误”?
如果有,那么我应该如何正确地将 EmailAddr 添加到我的 CSR 中?
最佳答案
出现警告的原因是最新的 X.509 规范要求将邮件地址放在 subjectAlternativeName 扩展名中。
引自RFC5280 :
Legacy implementations exist where an electronic mail address is embedded in the subject distinguished name as an emailAddress attribute [RFC2985]. The attribute value for emailAddress is of type IA5String to permit inclusion of the character '@', which is not part of the PrintableString character set. emailAddress attribute values are not case-sensitive (e.g., "[email protected]" is the same as "[email protected]").
Conforming implementations generating new certificates with electronic mail addresses MUST use the rfc822Name in the subject alternative name extension (Section 4.2.1.6) to describe such identities. Simultaneous inclusion of the emailAddress attribute in the subject distinguished name to support legacy implementations is deprecated but permitted.
由于您正在创建 CSR 而不是证书,因此我不会太担心。无论如何,很少有 CA 能够(或者更愿意)处理 CSR 中的扩展。
关于bouncycaSTLe - 用于 CSR 的 x500name 中的电子邮件地址?弹力1.54,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/36900531/