Semi-automated CA creation and certificate requests

1 Overview

This article calls the process semi-automated because requesting a certificate is not a daily task; it is only needed every so often, and when creating a CA and issuing certificates some parameters have to be adjusted to the user's needs, such as the certificate validity period and whether the private key is to be encrypted. The script is therefore set up as semi-automated: the user enters a few parameters by hand to get the result they want. Of course, if the environment is fixed and the parameters and validity period are fixed too, the script can be combined with crontab to automate requesting and issuing as well.

A CA center, also called a CA authority, is a Certificate Authority. This article shows how to use the openssl tool to create a root CA and a sub CA, request certificates, issue certificates and revoke certificates.

2 Concepts

2.1 Creating a private CA

The openssl configuration file is /etc/pki/tls/openssl.cnf. The relevant settings, such as the certificate information matching policy and the paths and names of the CA's files, are all defined there; the important parameters of this file are explained in the appendix at the end of this article.

There are three kinds of matching policy for certificate information: match, supplied and optional.

match means the field on the request must be identical to the CA's own value; supplied means the field must be filled in; optional means it may be present or absent.

The user generates a certificate request file on their own machine and sends it to the server; after the server receives the request file and confirms it is correct, it signs it and sends the certificate back to the requesting host.
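As an added example (not part of the article and not the author's script), the following shell functions model the three policy keywords from section 2.1 and the [ policy_match ] section of the appendix, so the rule can be checked against a request subject without running openssl ca. The CA subject, the request subjects and the "/C=.../CN=..." string form are constructed for the demo; a real openssl ca applies the same rule to the parsed X.509 names, and this model ignores values that contain "/" or "=".

```shell
# Added example, not from the article: a shell model of the three policy keywords
# (match / supplied / optional) that openssl.cnf's [ policy_match ] section uses.

# Map the long attribute names used in openssl.cnf to the short forms found in a DN string.
short_name() {
  case $1 in
    countryName) echo C ;;
    stateOrProvinceName) echo ST ;;
    localityName) echo L ;;
    organizationName) echo O ;;
    organizationalUnitName) echo OU ;;
    commonName) echo CN ;;
    *) echo "$1" ;;
  esac
}

# dn_field DN SHORTNAME: value of one attribute, empty if absent.
dn_field() {
  printf '%s\n' "$1" | tr '/' '\n' | awk -F= -v k="$2" '$1 == k { print $2; exit }'
}

# policy_check CA_DN REQ_DN POLICY: POLICY is a space separated list of "attribute=rule"
# entries copied from the [ policy_match ] section. Returns 0 when the request is acceptable;
# otherwise prints the first violated attribute and returns 1 (2 for an unknown rule word).
policy_check() {
  local ca_dn=$1 req_dn=$2 policy=$3 entry attr req_val ca_val
  for entry in $policy; do
    attr=$(short_name "${entry%%=*}")
    req_val=$(dn_field "$req_dn" "$attr")
    ca_val=$(dn_field "$ca_dn" "$attr")
    case ${entry#*=} in
      match)    # request value must be present and identical to the CA's own value
        [ -n "$req_val" ] && [ "$req_val" = "$ca_val" ] \
          || { echo "$attr: '$req_val' does not match CA value '$ca_val'"; return 1; } ;;
      supplied) # request must carry the attribute; its value is free
        [ -n "$req_val" ] || { echo "$attr: must be supplied"; return 1; } ;;
      optional) ;;
      *) echo "$attr: unknown rule '${entry#*=}'"; return 2 ;;
    esac
  done
  return 0
}

# Constructed sample: a root CA in henan and the default policy from the appendix.
CA_DN="/C=CN/ST=henan/O=example/CN=root-ca"
POLICY="countryName=match stateOrProvinceName=match organizationName=match organizationalUnitName=optional commonName=supplied emailAddress=optional"

policy_check "$CA_DN" "/C=CN/ST=henan/O=example/CN=www.example.test" "$POLICY" && echo "request 1 accepted"
policy_check "$CA_DN" "/C=CN/ST=hebei/O=example/CN=www.example.test" "$POLICY" || echo "request 2 rejected"
policy_check "$CA_DN" "/C=CN/ST=henan/O=example/OU=ops" "$POLICY" || echo "request 3 rejected"
```

Request 1 passes all three match fields and supplies a commonName; request 2 is rejected on stateOrProvinceName, which is exactly the "different province, certificate refused" case the appendix describes; request 3 has every match field right but no commonName, so the supplied rule rejects it.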

2.2 Certificate request steps

Requesting a certificate takes the following four steps

a. Generate the request

Created by the client itself; once generated, the file is sent to the certificate issuing authority

b. RA verification

RA (Registration Authority): the digital certificate registration and approval authority. The RA system is an extension of the CA's certificate issuance and management. It is responsible for entering and vetting the applicant's information and for issuing certificates (security audit), and it performs the corresponding management functions for the certificates it has issued (security management).

c. CA signing

Once verification passes, the certificate is generated on the CA server

d. Obtain the certificate

The finished certificate is sent to the applicant

3. Lab steps

3.1 Creating the root CA

3.1.1 Create the required files

touch /etc/pki/CA/index.txt

# create the certificate index database file

echo 01 >/etc/pki/CA/serial

# specify the serial number of the first certificate to be issued

3.1.2 CA self-signed certificate

You need a private key before you can issue yourself a certificate

Generate the private key. The file name is fixed, and so is the directory, because the path and name are specified in the configuration file

cd /etc/pki/CA/

After running the following step an encrypted key file is generated in that directory

(umask 066; openssl genrsa -out /etc/pki/CA/private/cakey.pem -des3 2048)

Generate the self-signed certificate, signing for yourself: -x509 is the keyword meaning the CA requests the certificate and issues it to itself

The file paths here are prescribed by the configuration; the following command asks for the password

openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 7300 -out /etc/pki/CA/cacert.pem

Enter the password, then submit the subject information

-new: generate a new certificate signing request

-x509: used only by a CA to generate a self-signed certificate

-key: the private key file used to generate the request

-days n: the validity period of the certificate

-out /PATH/TO/SOMECERTFILE: where the certificate is saved

3.2 Creating a sub CA

3.2.1 Create the private key and certificate request file on the sub CA

The method is basically the same as for the root CA

Create serial and index.txt under /etc/pki/CA

The key below is encrypted with des3; if the key is encrypted, the password has to be entered on every issuance

As a sub CA it cannot issue itself a certificate; it must request one from the root CA, so the -x509 option is omitted

This generates subca.csr; copy this file to the corresponding directory /etc/pki/CA/ on the root CA server

3.2.2 The root CA issues a certificate to the sub CA

The root private key was given a passphrase here, so the password has to be entered before the certificate information can be entered

This produces subca.crt; copy this file to the sub CA. Note that when it is copied to the sub CA it must be renamed

cacert.pem, the CA certificate name in the configuration, so that the sub CA can use it when signing and issuing certificates to clients

At this point the work on the root CA server is complete, and the sub CA can now issue certificates to other clients

3.2.3 Verification

Find a machine and request a certificate from the sub CA

Generate the request file; the options entered here must be consistent with the policy in the root CA's configuration file

When done, send this request file to the sub CA

This operation is covered in 3.3

3.2.4 The sub CA issues a certificate to the client

It is recommended to keep all issued certificate files in one directory; the first certificate issued starts at serial 01

openssl ca -in rhel5.csr -out certs/rhel5.crt -days 300

The error below appeared, which is odd: both sides say henan, yet it still fails. The cause is that the openssl version on the version 5 client and the one on the sub CA differ,

so they are incompatible. The fix for issuing is to upgrade openssl to the same version on both sides

3.3 Issuing certificates

3.3.1 Generate the certificate request on the host that needs the certificate

Generate a private key for the web server. The name test.key can be chosen freely, but the suffix must not be changed; 2048 is the key length

(umask 066; openssl genrsa -out /etc/pki/tls/private/test.key 2048)

Generate the certificate request file from the private key; the suffix is usually csr. This is almost the same as on the server, minus the -x509 keyword, which means it is not self-signed but a certificate request

-days 365 is the requested period; this value is meaningless here because the validity is specified by the server when issuing, so specifying it on the client has no effect

openssl req -new -key /etc/pki/tls/private/test.key -days 365 -out /etc/pki/tls/test.csr

The request file name (key name) is expected to differ each time by default; to run it again, change the yes in index.txt.attr to no

The private key here is not des-encrypted, unlike the server's, so no password is needed after pressing enter; only the subject information has to be filled in

Country, province and company are the three fields the configuration template sets to match, so they must be the same as on the server side

3.3.2 Send the request file to the CA

Transfer the certificate request file to the CA; it can be copied with scp to the corresponding path on the server

3.3.3 The CA signs the certificate and issues it to the requester

-days 365 here sets the validity period, i.e. how long the client may use the certificate; if not specified, the default is the time set in the service configuration file

commonName = supplied: this field is supplied. If a new certificate request has the same commonName as an earlier request, then as long as the certificate generated from that earlier request has not been revoked, no new certificate is generated and a 0-byte file is produced

openssl ca -in /tmp/test.csr -out /etc/pki/CA/certs/test.crt -days 365

When done, send the certificate file back to the client

3.4 Revoking certificates

When a client becomes problematic, the server side can revoke its certificate

3.4.1 On the client, obtain the serial of the certificate to be revoked

openssl x509 -in /PATH/FROM/CERT_FILE [-noout|-serial|-subject]

3.4.2 Revoke on the CA

Using the serial and subject submitted by the client, check whether they match the information in index.txt, then revoke the certificate:

This step is done on the CA server; after revocation the certificate's status is R

openssl ca -revoke /etc/pki/CA/newcerts/SERIAL.pem

After revocation this information must be published so that clients know which certificates have been revoked

3.4.3 Specify the number of the first revoked certificate

Done on the root CA server

crlnumber is the certificate revocation list number; the status of each certificate can be seen in index.txt

echo 01 > /etc/pki/CA/crlnumber

The number saved in /etc/pki/CA/crlnumber indicates

which revocation comes next: if 5 certificates have already been revoked, the file holds 06, meaning the 6th certificate is the next to be revoked

Note: this only needs to be run before the revocation list is updated for the first time; if certificates have been revoked before, this command is not needed

3.4.4 Update the certificate revocation list

Publish this file on the official website so that all users know the certificate has been revoked

openssl ca -gencrl -out /etc/pki/CA/crl/crl.pem

3.4.5 View the crl file

Run the following to view it; this step is optional

openssl crl -in /etc/pki/CA/crl/crl.pem -noout -text
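As an added, self-contained example (not part of the article and not the author's install_ca.sh), the following script runs sections 3.1 through 3.4 against a throw-away CA in a temporary directory: it writes a minimal openssl.cnf carrying the [ CA_default ] and [ policy_match ] fields the appendix explains, self-signs a root CA, issues a client certificate, reproduces the duplicate-subject refusal described in 3.3.3, revokes the certificate, regenerates the CRL and reads the V/R status back out of index.txt. The subject values (C=CN, ST=henan, O=example) and the temporary layout are constructed for the demo; nothing touches /etc/pki, and -subj and -batch replace the interactive prompts the article's commands rely on.

```shell
# Added example, not the article's script: the CA life cycle from sections 3.1-3.4
# in a temporary directory, fully non-interactive.
set -u

# Minimal openssl.cnf mirroring the [ CA_default ] / [ policy_match ] fields from the appendix.
write_ca_config() {
  cadir=$1
  cat > "$cadir/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir              = $cadir
certs            = \$dir/certs
new_certs_dir    = \$dir/newcerts
database         = \$dir/index.txt
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
certificate      = \$dir/cacert.pem
private_key      = \$dir/private/cakey.pem
default_days     = 365
default_crl_days = 30
default_md       = sha256
policy           = policy_match
[ policy_match ]
countryName            = match
stateOrProvinceName    = match
organizationName       = match
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional
[ req ]
distinguished_name = req_dn
[ req_dn ]
EOF
}

# 3.1.1 bookkeeping files and directories, then 3.1.2 the self-signed root certificate.
init_root_ca() {
  cadir=$1
  mkdir -p "$cadir/certs" "$cadir/newcerts" "$cadir/crl" "$cadir/private"
  chmod 700 "$cadir/private"
  touch "$cadir/index.txt"
  echo 01 > "$cadir/serial"
  echo 01 > "$cadir/crlnumber"
  write_ca_config "$cadir"
  (umask 077; openssl genrsa -out "$cadir/private/cakey.pem" 2048 2>/dev/null)
  openssl req -new -x509 -config "$cadir/openssl.cnf" -key "$cadir/private/cakey.pem" \
      -days 7300 -subj "/C=CN/ST=henan/O=example/CN=root-ca" -out "$cadir/cacert.pem"
}

# 3.3.1 client side: private key plus a CSR whose C/ST/O satisfy the match rules.
make_csr() {
  cadir=$1; name=$2; cn=$3
  (umask 077; openssl genrsa -out "$cadir/$name.key" 2048 2>/dev/null)
  openssl req -new -config "$cadir/openssl.cnf" -key "$cadir/$name.key" \
      -subj "/C=CN/ST=henan/O=example/CN=$cn" -out "$cadir/$name.csr"
}

# 3.3.3 CA side: -batch answers the "Sign the certificate?" prompts.
sign_csr() {
  cadir=$1; name=$2
  openssl ca -batch -config "$cadir/openssl.cnf" -in "$cadir/$name.csr" \
      -out "$cadir/certs/$name.crt" -days 365 2>/dev/null
}

# Status letter (V valid, R revoked) of one serial in index.txt; columns are tab separated:
# status, expiry, revocation date, serial, file name, subject.
cert_status() {
  awk -F'\t' -v s="$1" '$4 == s { print $1 }' "$2/index.txt"
}

# Runs the whole cycle and prints the status of serials 01 and 02 (expected "RV").
demo_ca() {
  command -v openssl >/dev/null || { echo SKIP; return 0; }
  cadir=$(mktemp -d)
  init_root_ca "$cadir" || return 1
  make_csr "$cadir" client1 client1.example
  sign_csr "$cadir" client1 || return 1
  # A second request with an identical subject is refused while serial 01 is still valid
  make_csr "$cadir" client1b client1.example
  if sign_csr "$cadir" client1b; then echo "duplicate subject was accepted"; return 1; fi
  # 3.4.2 revoke serial 01 and 3.4.4 publish the CRL; the retry is then issued as serial 02
  openssl ca -config "$cadir/openssl.cnf" -revoke "$cadir/newcerts/01.pem" 2>/dev/null
  openssl ca -config "$cadir/openssl.cnf" -gencrl -out "$cadir/crl/crl.pem" 2>/dev/null
  sign_csr "$cadir" client1b || return 1
  echo "$(cert_status 01 "$cadir")$(cert_status 02 "$cadir")"
  rm -rf "$cadir"
}

printf 'index.txt status of serials 01 and 02: %s\n' "$(demo_ca)"
```

The duplicate refusal comes from unique_subject, which the article changes through index.txt.attr; here it is left at its default so the effect is visible, and the retry only succeeds once the earlier certificate has been marked R. Run the script as a normal user: it needs only openssl and a writable temporary directory.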

4 The semi-automated script

The following script implements the five operations above. For ease of demonstration they are all in one script, and a menu option selects the operation to run.

The user only has to choose the operation to complete CA setup, certificate request, issuance and revocation

The script is as follows

#!/bin/bash
#
#******************************************************************************
#Author:              Sunny
#Date:                2017-09-09
#FileName:            install_ca.sh
#version:             1.0
#Your change info:
#Description:         For auto create CA,subCA,generate and revoke cert
#Copyright(C):        2017  All rights reserved
#*****************************************************************************
CApath=/etc/pki/CA
certpath=/etc/pki/CA/certs
tlspath=/etc/pki/tls
tlsprivatepath=/etc/pki/tls/private
caprivatepath=/etc/pki/CA/private

#check certificate info, run the command below
#openssl x509 -in cent7bbaa.crt -noout -text
#check certificate request information, run the command below
#openssl req -noout -text -in aa.csr
#check certificate status, run the command below, 01 is the serial number
#openssl ca -status 01

#first non-loopback IPv4 address of this host, used in the default file names
active_ip(){
    actip=$(ip -4 -o addr show scope global | awk '{print $4}' | cut -d / -f1 | head -1)
}

pri_key_name(){
    echo "private key name should end with .key, such as client.key"
    read -p "enter your private key name (default: client.$actip.key) " prikey
    [ -z "${prikey:-}" ] && prikey=client."$actip".key
}

cli_csr_name(){
    echo "Cert request name should end with .csr, such as client.csr"
    read -p "enter your cert request name (default: client.$actip.csr) " clicsr
    [ -z "${clicsr:-}" ] && clicsr=client."$actip".csr
}

key_length(){
    echo "key length should be one of 1024,2048,4096"
    read -p "enter your private key length (default: 2048): " length
    [ -z "${length:-}" ] && length=2048
}

#ask whether the private key should be passphrase-protected; sets yorn and encry
encrypt_choice(){
    read -p "enter yes to encrypt private key, anything else will not encrypt: " yorn
    encry=
    if [ "$yorn" = yes ];then
        read -p "enter encrypt option (default: -des3): " encry
        [ -z "${encry:-}" ] && encry=-des3
    fi
}

#generate an RSA private key at $1 with mode 600, optionally passphrase-protected
gen_key(){
    (umask 066; openssl genrsa -out "$1" ${encry:+"$encry"} "$length")
}

#copy file $1 to root@$2:$3 with scp; the ssh password is asked for instead of being hardcoded
send_file(){
    read -s -p "ssh password for root@$2: " sshpass; echo
    expect -c "
        spawn scp $1 root@$2:$3
        expect {
            \"*assword\" { set timeout 500; send \"$sshpass\r\"; }
            \"yes/no\"   { send \"yes\r\"; exp_continue; }
        }
        expect eof"
}

root_pre(){
    [ -e "$CApath"/index.txt ] || touch "$CApath"/index.txt
    [ -e "$CApath"/serial ]    || echo 01 > "$CApath"/serial
    #create the CA private key
    echo "unless you have modified the ca private key name in /etc/pki/tls/openssl.cnf, only use the default cakey.pem"
    read -p "enter your ca private key name according to openssl.cnf (default: cakey.pem) " cakey
    [ -z "${cakey:-}" ] && cakey=cakey.pem
    key_length
    if [ -e "$caprivatepath"/"$cakey" ] ;then
        echo "The server already has a private key, $cakey, under $caprivatepath/, please check"
    else
        encrypt_choice
        gen_key "$caprivatepath"/"$cakey"
    fi
}

echo "Enter 1 : run at root CA server, root CA signs its own certificate"
echo "Enter 2 : run at sub CA server, generate a private key and certificate request file, and send the request file to the root CA"
echo "Enter 3 : run at client host, generate a certificate request file and send it to the server"
echo "Enter 4 : run at server, generate a certificate and send it to the client"
echo "Enter 5 : run at server, to revoke a certificate"
read -p "Please input your choice: " choice

case $choice in
1)
    root_pre
    #generate a self-signed certificate, -x509 is the keyword meaning the CA signs itself
    echo "unless you have modified the ca certificate name in /etc/pki/tls/openssl.cnf, only use the default cacert.pem"
    read -p "enter your ca certificate name according to openssl.cnf (default: cacert.pem) " cacert
    [ -z "${cacert:-}" ] && cacert=cacert.pem
    if [ -e "$CApath"/"$cacert" ] ;then
        echo "The server already has a CA certificate, $cacert, under $CApath, please check"
    else
        openssl req -new -x509 -key "$caprivatepath"/"$cakey" -days 7300 -out "$CApath"/"$cacert"
    fi
    ;;
2)
    root_pre
    #generate a certificate request file (no -x509) and send it to the root CA
    read -p "enter your sub ca certificate request file name (default: subca.csr): " subcacert
    [ -z "${subcacert:-}" ] && subcacert=subca.csr
    if [ -e "$CApath"/"$subcacert" ] ;then
        echo "The sub ca already has a certificate request file, $subcacert, under $CApath, please check"
    else
        openssl req -new -key "$caprivatepath"/"$cakey" -out "$CApath"/"$subcacert"
    fi
    #send the request file to the root CA
    read -p "which root CA would you send to (default: 192.168.32.61): " serip
    [ -z "${serip:-}" ] && serip=192.168.32.61
    send_file "$CApath"/"$subcacert" "$serip" "$CApath"/certs/
    ;;
3)
    echo "Please check whether you are on the client"
    #client generates a private key
    active_ip
    pri_key_name
    cli_csr_name
    key_length
    if [ -e "$tlsprivatepath"/"$prikey" ] ;then
        echo "The client already has a private key, $prikey, under $tlsprivatepath, please check"
    else
        encrypt_choice
        gen_key "$tlsprivatepath"/"$prikey"
    fi
    #generate a certificate request for the CA, without -x509
    if [ -e "$tlspath"/"$clicsr" ] ;then
        echo "The client already has a certificate request file, $clicsr, under $tlspath, please check"
    else
        openssl req -new -key "$tlsprivatepath"/"$prikey" -out "$tlspath"/"$clicsr"
    fi
    #send the request file to the CA
    read -p "which CA would you send to (default: 192.168.32.61): " serip
    [ -z "${serip:-}" ] && serip=192.168.32.61
    send_file "$tlspath"/"$clicsr" "$serip" "$CApath"/certs/
    ;;
4)
    read -p "enter which request file in $CApath/certs you want the server to sign (eg: cent7.csr): " clientrsq
    read -p "enter new client certificate name (eg: cent7.crt): " crtname
    [ -e "$CApath"/certs/"$crtname" ] && { echo "$crtname exists, please check"; exit 6; }
    read -p "enter how many days the cert should be valid (eg: 365): " days
    if [ -e "$CApath"/certs/"$clientrsq" ];then
        #attention: not only $crtname is generated, a SERIAL.pem copy is also written under newcerts
        openssl ca -in "$CApath"/certs/"$clientrsq" -out "$CApath"/certs/"$crtname" -days "$days"
    else
        echo "$clientrsq does not exist in $CApath/certs, please check"
        exit 7
    fi
    read -p "which client would you send to (eg: 192.168.32.61): " clip
    send_file "$CApath"/certs/"$crtname" "$clip" "$tlspath"
    ;;
5)
    echo "you can run  openssl x509 -in cent7bt.crt -noout -text  to check the serial number, cent7bt.crt is the certificate you want to revoke"
    read -p "Please input the serial number you want to revoke (eg: 03): " sernum
    openssl ca -revoke /etc/pki/CA/newcerts/"$sernum".pem
    #crlnumber must exist before the first CRL is generated
    [ -s /etc/pki/CA/crlnumber ] || echo 01 > /etc/pki/CA/crlnumber
    openssl ca -gencrl -out /etc/pki/CA/crl/crl.pem
    #check the crl list
    #openssl crl -in /etc/pki/CA/crl/crl.pem -noout -text
    ;;
*)
    echo "your input is wrong, please check"
    ;;
esac

?

5 /etc/pki/tls/openssl.cnf explained

This appendix annotates only some of the important fields; the content is as follows

/etc/pki/tls/openssl.cnf

The CA's configuration file. It is critical; its settings are closely tied to the CA

[ CA_default ]   # the files you create must use the names given here; if you want different names, change them here so the defaults match

dir         = /etc/pki/CA       # Where everything is kept: the CA working directory where all CA data lives

#

certs       = $dir/certs        # Where the issued certs are kept; defines a variable

crl_dir     = $dir/crl          # Where the issued crl are kept: the certificate revocation lists

database    = $dir/index.txt    # database index file. This file is the certificate database: which certificates were issued, their serial numbers and their status are recorded here. It does not exist by default; create it as an empty file by hand, otherwise issuing a certificate fails with an error

#unique_subject = no            # Set to 'no' to allow creation of

# several ctificates with same subject.

new_certs_dir = $dir/newcerts   # default place for new certs. Files here are generated automatically and named by serial number

certificate = $dir/cacert.pem   # The CA certificate: the CA's own certificate, self-issued by a root CA, issued by the parent CA for a sub CA

serial      = $dir/serial       # The current serial number. Must be created by hand; a hexadecimal number that is really the serial of the next certificate. It starts at 00 by default, a different starting value can be chosen, and it must be hexadecimal

crlnumber   = $dir/crlnumber    # the current crl number: the revocation number, i.e. the number of the next certificate to be revoked

# must be commented out to leave a V1 CRL

crl         = $dir/crl.pem      # The current CRL

private_key = $dir/private/cakey.pem # The private key: the CA's private key

RANDFILE    = $dir/private/.rand    # private random number file

x509_extensions = usr_cert      # The extentions to add to the cert

# Comment out the following two lines for the "traditional"

# (and highly broken) format.

name_opt    = ca_default        # Subject Name options: the naming format

cert_opt    = ca_default        # Certificate field options

# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs

# so this is commented out by default to leave a V1 CRL.

# crlnumber must also be commented out to leave a V1 CRL.

# crl_extensions    = crl_ext

default_days    = 365           # how long to certify for: the certificate validity period, can be overridden

default_crl_days= 30            # how long before next CRL: the CRL validity period

default_md  = default           # use public key default MD

preserve    = no                # keep passed DN ordering

# A few difference way of specifying how similar the request should look

# For type CA, the listed attributes must be the same, and the optional

# and supplied fields are just that :-)

policy      = policy_match      # the policy, defined below: which information a client must provide when requesting a certificate

# For the CA policy

[ policy_match ]   # the system default policy

countryName     = match         # country; match means both sides must carry the same value, other fields may differ

stateOrProvinceName = match     # province; if a match field differs the request is rejected and no certificate is issued

organizationName    = match     # organization

organizationalUnitName  = optional  # department

commonName      = supplied      # common name, e.g. the web server's domain name; usually matched strictly, can also be a wildcard domain, which is more expensive to obtain

emailAddress        = optional  # optional, not required to be the same

# For the 'anything' policy

# At this point in time, you must list all acceptable 'object'

# types.

[ policy_anything ]   # for external use; no match fields, nothing is required to be identical

countryName     = optional

stateOrProvinceName = optional

localityName        = optional

organizationName    = optional

organizationalUnitName  = optional

commonName      = supplied

emailAddress        = optional

[ req ]

default_bits        = 2048

default_md      = sha1

default_keyfile    = privkey.pem

distinguished_name  = req_distinguished_name

attributes      = req_attributes

x509_extensions = v3_ca # The extentions to add to the self signed cert

6 Summary

Because the openssl command is very powerful and has a large number of parameters, this article lists only the parameters that are required for generating and issuing certificates; users who need other options can add them themselves

最后編輯于
?著作權(quán)歸作者所有,轉(zhuǎn)載或內(nèi)容合作請(qǐng)聯(lián)系作者
【社區(qū)內(nèi)容提示】社區(qū)部分內(nèi)容疑似由AI輔助生成,瀏覽時(shí)請(qǐng)結(jié)合常識(shí)與多方信息審慎甄別。
平臺(tái)聲明:文章內(nèi)容(如有圖片或視頻亦包括在內(nèi))由作者上傳并發(fā)布,文章內(nèi)容僅代表作者本人觀點(diǎn),簡(jiǎn)書(shū)系信息發(fā)布平臺(tái),僅提供信息存儲(chǔ)服務(wù)。

相關(guān)閱讀更多精彩內(nèi)容

  • CA和證書(shū)安全協(xié)議(SSL/TLS)OpenSSH 一、CA和證書(shū) (一) PKI(Public Key Infr...
    哈嘍別樣閱讀 1,536評(píng)論 0 0
  • 1.PKI: Public Key Infrastructure 簽證機(jī)構(gòu):CA(Certificate Auth...
    尛尛大尹閱讀 996評(píng)論 0 0
  • 年過(guò)花甲心不花 柴米油鹽操持家 閑來(lái)常學(xué)劉玲醉 臥起搔首對(duì)晚霞 莫道君王御黔首 剎那...
    狼的傳人說(shuō)事閱讀 190評(píng)論 0 0
  • 雨天可以做許多美妙的事情,看看電影、長(zhǎng)長(zhǎng)的午休、看看小說(shuō)、喝茶聊天、雨中漫步……當(dāng)然,畫(huà)禪繞畫(huà)也是不錯(cuò)的選擇。 我...
    繁花塢閱讀 761評(píng)論 14 14
  • 詩(shī)意的棲居 是自然賦予過(guò)客的芬芳水土 土地親親 聞不夠的淳樸濃郁 碧藍(lán)的天 跳進(jìn)碧藍(lán)的海里嬉戲 銀鈴般的笑聲 飄蕩...
    抱一閱讀 208評(píng)論 0 1

友情鏈接更多精彩內(nèi)容