The first step in creating a server certificate is to create a certificate signing request (CSR). Issue the CSR on the appliance and send it to your CA. When you receive the signed certificate from the CA, upload it as described in Upload Key or Certificate. The signed certificate replaces the request.
The template command returns a skeleton CSR that includes default values for the minimum required attributes.
Example Request:
GET /api/setting/v2/certificates/system/template HTTP/1.1
Host: alice.example.com:215
Authorization: Basic Tm8gcGVla2luZyE=
Accept: application/json
Example Result:
HTTP/1.1 200 OK
Date: Thu, 13 May 2021 08:03:03 GMT
Content-Length: 261
Content-Type: application/json; charset=utf-8
X-Zfssa-Setting-Api: 2.0
X-Zfssa-Api-Version: 2.0
{
"request": {
"type": "request",
"data": {
"subject": [
{
"commonName": "alice.example.com"
}
],
"extensions": {
"subjectAltName": {
"value": [
{
"IP": "alice.example.com-ipaddr"
},
{
"DNS": "alice.example.com"
}
]
}
}
},
"href": "/api/setting/v2/certificates/system/template"
}
}
If you use this template output, include only the data element.
For other attributes you might want to specify in the CSR, list the attributes of the existing system certificate, as shown in List Certificates.
When you are satisfied with the CSR, upload it to the host as shown in the following example. Once a CSR has been uploaded, it can no longer be changed.
Example Request:
POST /api/setting/v2/certificates/system HTTP/1.1
Host: alice.example.com:215
Authorization: Basic Tm8gcGVla2luZyE=
Content-type: application/json
{
"data": {
"subject": [
{
"commonName": "alice.example.com"
},
{
"organizationName": "Example Corp, Inc"
},
{
"localityName": "Exampleton"
},
{
"stateOrProvinceName": "CA"
},
{
"countryName": "US"
}
],
"extensions": {
"subjectAltName": {
"value": [
{
"DNS": "alice.example.com"
},
{
"IP": "alice.example.com-ipaddr"
}
]
}
}
}
}
Example Result:
HTTP/1.1 201 Created
Date: Fri, 14 May 2021 01:17:45 GMT
Content-Type: application/json; charset=utf-8
X-Zfssa-Api-Version: 2.0
X-Zfssa-Setting-Api: 2.0
Location: /api/setting/v2/certificates/system/65119889-98d3-4fc4-bff5-f007a55f6cb3
Content-Length: 379
{
"request": {
"uuid": "csr-uuid",
"type": "request",
"data": {
"subject": [
{
"commonName": "alice.example.com"
},
{
"organizationName": "Example Corp, Inc"
},
{
"localityName": "Exampleton"
},
{
"stateOrProvinceName": "CA"
},
{
"countryName": "US"
}
],
"extensions": {
"subjectAltName": {
"value": [
{
"DNS": "alice.example.com"
},
{
"IP": "alice.example.com-ipaddr"
}
]
}
}
},
"href": "/api/setting/v2/certificates/system/csr-uuid"
}
}
The uploaded CSR has a UUID that you can use to display its attributes or to retrieve the request in PEM format.
To return the CSR in PEM format, specify one of the following values in the Accept header:
application/pkcs10
application/x-pem-file
Example Request:
GET /api/setting/v2/certificates/system/csr-uuid HTTP/1.1
Host: alice.example.com:215
Authorization: Basic Tm8gcGVla2luZyE=
Accept: application/x-pem-file
Example Result:
HTTP/1.1 200 OK
Date: Fri, 14 May 2021 03:47:21 GMT
Content-Type: application/x-pem-file; charset=utf-8
X-Zfssa-Api-Version: 2.0
X-Zfssa-Setting-Api: 2.0
Content-Length: 997
-----BEGIN CERTIFICATE REQUEST-----
MIICpjCCAY4CAQAwJDEiMCAGA1UEAwwZYXJkb2NoLWt6LTIudWsub3JhY2xlLmNv
...
Bc0Q9FVRVv89AkmeAlF7727aIqmgmFcIUIIrEKTG4PSacedaoBsbjpvrizCuMhyo
vgUkOPE/0xLAfw==
-----END CERTIFICATE REQUEST-----
Transmit the CSR to your CA in the prescribed manner. When you receive the signed certificate from the CA, upload it as shown in Upload Key or Certificate.
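The three steps above (fetch the template, build and POST the CSR from its data element, retrieve the stored CSR as PEM) are shown end to end in the following client-side helper. It is an added example and not Oracle's code; it assumes only the JSON and PEM shapes shown on this page and leaves the HTTP transport itself to the caller, so it runs offline. Because a CSR cannot be edited once uploaded, the helper compares the appliance's echo of the request against what was submitted and confirms that the commonName is also present as a DNS subjectAltName (clients validate host names against the SAN extension, not the CN) before the PEM is forwarded to the CA. The template response and the PEM blob embedded below are constructed samples, the PEM being a minimal DER SEQUENCE rather than a real request.

```python
"""Client-side checks for the ZFSSA system-certificate CSR workflow.

Added example, not Oracle's code. Assumes the request/response shapes shown
on this page; HTTP transport (e.g. urllib) is left to the caller.
"""
import base64
import json
import re

# Constructed sample: the JSON body of the template GET shown on this page.
TEMPLATE_RESPONSE = {
    "request": {
        "type": "request",
        "data": {
            "subject": [{"commonName": "alice.example.com"}],
            "extensions": {
                "subjectAltName": {
                    "value": [
                        {"IP": "alice.example.com-ipaddr"},
                        {"DNS": "alice.example.com"},
                    ]
                }
            },
        },
        "href": "/api/setting/v2/certificates/system/template",
    }
}

# Constructed sample PEM: a valid envelope around a tiny DER SEQUENCE, not a
# real CSR (the page's own PEM is elided with "...").
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE REQUEST-----\n"
    "MAMCAQA=\n"
    "-----END CERTIFICATE REQUEST-----\n"
)

# Location header value returned by the POST: the path plus a UUID.
CSR_LOCATION = re.compile(
    r"/api/setting/v2/certificates/system/"
    r"([0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12})"
)


def build_csr_body(template_response, extra_subject, extra_sans=()):
    """Turn the template GET response into the POST body.

    Only the template's data element is sent back. extra_subject is an
    ordered list of (attribute, value) pairs appended after commonName;
    extra_sans are additional {"DNS": ...} / {"IP": ...} entries.
    """
    data = json.loads(json.dumps(template_response["request"]["data"]))  # deep copy
    data["subject"].extend({name: value} for name, value in extra_subject)
    data["extensions"]["subjectAltName"]["value"].extend(dict(s) for s in extra_sans)
    return {"data": data}


def common_name(data):
    """Return the commonName from the subject attribute list, or None."""
    for attr in data["subject"]:
        if "commonName" in attr:
            return attr["commonName"]
    return None


def cn_listed_as_dns_san(data):
    """True when the commonName also appears as a DNS subjectAltName entry."""
    cn = common_name(data)
    sans = data["extensions"]["subjectAltName"]["value"]
    return cn is not None and any(san.get("DNS") == cn for san in sans)


def check_csr_echo(sent_body, post_response, location_header):
    """Verify the appliance stored exactly what was submitted; return the UUID.

    The CSR cannot be changed after upload, so a mismatch here must abort
    the workflow before the request is sent to the CA.
    """
    stored = post_response["request"]
    if stored.get("type") != "request":
        raise ValueError("POST response is not a certificate request object")
    if stored["data"] != sent_body["data"]:
        raise ValueError("echoed CSR attributes differ from the submitted ones")
    match = CSR_LOCATION.fullmatch(location_header)
    if not match:
        raise ValueError("Location header carries no CSR UUID: %r" % location_header)
    return match.group(1)


def parse_pem_csr(pem_text):
    """Validate the PEM envelope of a retrieved CSR and return its DER bytes.

    Checks the CERTIFICATE REQUEST markers, strict base64, and that the
    payload opens with the DER SEQUENCE tag (0x30) every PKCS#10 request has.
    """
    match = re.search(
        r"-----BEGIN CERTIFICATE REQUEST-----\s*(.*?)\s*-----END CERTIFICATE REQUEST-----",
        pem_text, re.S,
    )
    if not match:
        raise ValueError("no CERTIFICATE REQUEST PEM block found")
    der = base64.b64decode("".join(match.group(1).split()), validate=True)
    if not der or der[0] != 0x30:
        raise ValueError("PEM payload is not a DER SEQUENCE")
    return der


if __name__ == "__main__":
    body = build_csr_body(TEMPLATE_RESPONSE, [
        ("organizationName", "Example Corp, Inc"), ("localityName", "Exampleton"),
        ("stateOrProvinceName", "CA"), ("countryName", "US")])
    print(json.dumps(body, indent=2))  # body for POST /api/setting/v2/certificates/system
    echo = {"request": {"uuid": "csr-uuid", "type": "request", "data": body["data"]}}
    print(check_csr_echo(body, echo,
          "/api/setting/v2/certificates/system/65119889-98d3-4fc4-bff5-f007a55f6cb3"))
    print(cn_listed_as_dns_san(body["data"]), len(parse_pem_csr(SAMPLE_PEM)))
```

In real use, `build_csr_body` takes the parsed body of the template GET, the returned dict is serialised as the POST body, and the POST's JSON body and Location header go to `check_csr_echo`; the PEM fetched with `Accept: application/x-pem-file` goes through `parse_pem_csr` before it is handed to the CA.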