diff --git a/app.py b/app.py
index 7b57660..834b1f1 100644
--- a/app.py
+++ b/app.py
@@ -385,38 +385,48 @@ def create_certificate(ca_id, common_name, san_dns, san_ip, organization, organi
 # 创建CSR配置文件
 csr_config = f"""[req]
-default_bits = {key_size}
-prompt = no
-default_md = sha256
-distinguished_name = dn
-req_extensions = req_ext
+ default_bits = {key_size}
+ prompt = no
+ default_md = sha256
+ distinguished_name = dn
+ """
-[dn]
-CN = {common_name}
-O = {organization}
-OU = {organizational_unit}
-C = {country}
-ST = {state}
-L = {locality}
+ # 只有在有SAN时才添加扩展部分
+ has_san = bool(san_dns or san_ip)
+ if has_san:
+ csr_config += "req_extensions = req_ext\n"
-[req_ext]
-basicConstraints = CA:FALSE
-keyUsage = digitalSignature, keyEncipherment
-subjectAltName = @alt_names
-extendedKeyUsage = serverAuth, clientAuth
+ csr_config += f"""
+ [dn]
+ CN = {common_name}
+ O = {organization}
+ OU = {organizational_unit}
+ C = {country}
+ ST = {state}
+ L = {locality}
+ """
-[alt_names]"""
+ if has_san:
+ csr_config += """
+ [req_ext]
+ basicConstraints = CA:FALSE
+ keyUsage = digitalSignature, keyEncipherment
+ subjectAltName = @alt_names
+ extendedKeyUsage = serverAuth, clientAuth
- # 添加SAN条目
- if san_dns:
- dns_entries = [dns.strip() for dns in san_dns.split(',') if dns.strip()]
- for i, dns in enumerate(dns_entries, 1):
- csr_config += f"\nDNS.{i} = {dns}"
+ [alt_names]"""
- if san_ip:
- ip_entries = [ip.strip() for ip in san_ip.split(',') if ip.strip()]
- for i, ip in enumerate(ip_entries, 1):
- csr_config += f"\nIP.{i} = {ip}"
+ # 添加DNS SAN条目
+ if san_dns:
+ dns_entries = [dns.strip() for dns in san_dns.split(',') if dns.strip()]
+ for i, dns in enumerate(dns_entries, 1):
+ csr_config += f"\nDNS.{i} = {dns}"
+
+ # 添加IP SAN条目
+ if san_ip:
+ ip_entries = [ip.strip() for ip in san_ip.split(',') if ip.strip()]
+ for i, ip in enumerate(ip_entries, 1):
+ csr_config += f"\nIP.{i} = {ip}"
 # 确保配置文件不以空行结尾
 csr_config = csr_config.strip()
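Review bot: The SAN entries and DN fields are still written into the OpenSSL config verbatim: the SAN loops (`csr_config += f"\nDNS.{i} = {dns}"`) strip only outer whitespace and the `[dn]` f-string applies no check at all, so a value with an embedded line break can contribute its own directives or sections to the request; if these arguments originate from a request form (not visible in this hunk), validate them before the config is built. `has_san = bool(san_dns or san_ip)` also tests the raw strings, so input holding only commas or spaces still emits `req_extensions = req_ext` with an empty `[alt_names]`; deriving it from the parsed lists closes that case, as sketched below (the sketch assumes `re` and `ipaddress` are imported, and `ValueError` stands in for whatever error path `create_certificate` uses). Gating the whole `[req_ext]` block on SAN presence also means a SAN-less request no longer carries `basicConstraints = CA:FALSE`, `keyUsage` or `extendedKeyUsage`; unless the signing step sets those itself, only `subjectAltName` should be conditional. `create_certificate` starts before and continues past this hunk.

```python
# Parse and validate SAN input once, before any config text is built.
dns_entries = [d.strip() for d in (san_dns or "").split(',') if d.strip()]
ip_entries = [p.strip() for p in (san_ip or "").split(',') if p.strip()]
for d in dns_entries:
    # letters, digits, dot, hyphen and wildcard only: no whitespace, '=' or '['
    if not re.fullmatch(r"[A-Za-z0-9*.-]+", d):
        raise ValueError(f"invalid DNS SAN entry: {d!r}")
for p in ip_entries:
    ipaddress.ip_address(p)  # raises ValueError for anything that is not an IP literal
has_san = bool(dns_entries or ip_entries)

# … unchanged: [req] and [dn] sections, conditional [req_ext] / [alt_names] header …

for i, d in enumerate(dns_entries, 1):
    csr_config += f"\nDNS.{i} = {d}"
for i, p in enumerate(ip_entries, 1):
    csr_config += f"\nIP.{i} = {p}"
```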