我在尝试生成 TSA 回复时收到以下错误。
$ openssl ts -reply -queryfile test.tsq -out test.tsr -inkey private/tsakey.pem -signer tsa.crt.pem
140234774902432:error:2F083075:time stamp routines:TS_RESP_CTX_set_signer_cert:invalid signer certificate purpose:ts_rsp_sign.c:206:
下面是遵循的程序...
$ openssl req -new -newkey rsa:2048 -keyout private/tsakey.pem -out tsareq.pem -nodes
$ openssl ca -in tsareq.pem -out tsa.crt.pem -extensions mytsa -extfile tsa.x509config
$ openssl ts -query -data test.txt -no_nonce -out test.tsq
$ openssl ts -reply -queryfile test.tsq -out test.tsr -inkey private/tsakey.pem -signer tsa.crt.pem
扩展文件是:
[mytsa]
basicConstraints=CA:FALSE
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
#keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage=timeStamping
最佳答案
您需要按照 RFC 3161, Section 2.3 将扩展 key 用法标记为关键 (extendedKeyUsage=ritic,timeStamping) .
关于openssl - 使用 openssl 配置 TSA,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/22436452/