Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

证书能否支持增加 OCSP Must-Staple 标识? #292

Closed
jearton opened this issue Feb 18, 2024 · 2 comments
Closed

证书能否支持增加 OCSP Must-Staple 标识? #292

jearton opened this issue Feb 18, 2024 · 2 comments
Labels
enhancement New feature or request

Comments

@jearton
Copy link

jearton commented Feb 18, 2024

ocsp must staple 是在签发证书时,往证书里追加的相关标识,用于明确告诉浏览器,ocsp 请求必须由服务端装订,即由服务端去查询好证书状态,再返回给浏览器。

目前能够签署出该扩展的证书的CA只有Let's Encrypt

如果要设置OCSP Must-Staple,需要在使用openssl生成csr的时候,修改openssl.cnf中的内容:

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
1.3.6.1.5.5.7.1.24 = DER:30:03:02:01:05

v3_req中添加1.3.6.1.5.5.7.1.24 = DER:30:03:02:01:05

如果是使用openssl 1.1.0或更高的版本,可以这样设置:

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
tlsfeature = status_request

添加tlsfeature = status_request即可。

然后生成该csr文件,使用该csr文件,把改csr提交给支持Let's Encrypt证书签发的机构。
@jearton jearton added the enhancement New feature or request label Feb 18, 2024
0xJacky added a commit that referenced this issue Feb 18, 2024
@0xJacky
feat: add must staple flag for certificate obtaining request #292
1c4fb7a
@0xJacky
Copy link
Owner

0xJacky commented Feb 18, 2024

已在 1c4fb7a 中添加

@0xJacky 0xJacky closed this as completed Feb 18, 2024
@jearton
Copy link
Author

jearton commented Feb 18, 2024

已在 1c4fb7a 中添加

默认就自动加上了吗?不需要在UI页面上显式勾选吗?

@0xJacky 0xJacky reopened this Mar 14, 2024
0xJacky added a commit that referenced this issue Mar 14, 2024
@0xJacky
revert: add must staple flag for certificate obtaining request #292
22c6851
0xJacky added a commit that referenced this issue Mar 14, 2024
@0xJacky
revert: add must staple flag for certificate obtaining request #292
817eee3
0xJacky added a commit that referenced this issue Mar 14, 2024
@0xJacky
revert: add must staple flag for certificate obtaining request #292
46e2752
0xJacky added a commit that referenced this issue Mar 14, 2024
@0xJacky
revert: add must staple flag for certificate obtaining request #292
1e30804
0xJacky added a commit that referenced this issue Mar 14, 2024
@0xJacky
revert: add must staple flag for certificate obtaining request #292
1577eb1
@0xJacky 0xJacky mentioned this issue Apr 30, 2024
Merged
8 tasks
0xJacky added a commit that referenced this issue Jul 24, 2024
@0xJacky
refactor: auto certificate options
4660a46 
1. Add OCSP Must Staple options #292
2. Add LEGO_DISABLE_CNAME_SUPPORT options #407
@0xJacky 0xJacky closed this as completed Jul 24, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement New feature or request
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@jearton @0xJacky