openssl ca签发证书

参数选项如下：

[root@localhost 2]# openssl ca -help
unknown option -help
usage: ca args

 -verbose        - Talk alot while doing things
 -config file    - A config file
 -name arg       - The particular CA definition to use
 -gencrl         - Generate a new CRL
 -crldays days   - Days is when the next CRL is due
 -crlhours hours - Hours is when the next CRL is due
 -startdate YYMMDDHHMMSSZ  - certificate validity notBefore
 -enddate YYMMDDHHMMSSZ    - certificate validity notAfter (overrides -days)
 -days arg       - number of days to certify the certificate for
 -md arg         - md to use, see openssl dgst -h for list
 -policy arg     - The CA 'policy' to support
 -keyfile arg    - private key file
 -keyform arg    - private key file format (PEM or ENGINE)
 -key arg        - key to decode the private key if it is encrypted
 -cert file      - The CA certificate
 -selfsign       - sign a certificate with the key associated with it
 -in file        - The input PEM encoded certificate request(s)
 -out file       - Where to put the output file(s)
 -outdir dir     - Where to put output certificates
 -infiles ....   - The last argument, requests to process
 -spkac file     - File contains DN and signed public key and challenge
 -ss_cert file   - File contains a self signed cert to sign
 -preserveDN     - Don't re-order the DN
 -noemailDN      - Don't add the EMAIL field into certificate' subject
 -batch          - Don't ask questions
 -msie_hack      - msie modifications to handle all those universal strings
 -revoke file    - Revoke a certificate (given in file)
 -subj arg       - Use arg instead of request's subject
 -utf8           - input characters are UTF8 (default ASCII)
 -multivalue-rdn - enable support for multivalued RDNs
 -extensions ..  - Extension section (override value in config file)
 -extfile file   - Configuration file with X509v3 extentions to add
 -crlexts ..     - CRL extension section (override value in config file)
 -engine e       - use engine e, possibly a hardware device.
 -status serial  - Shows certificate status given the serial number
 -updatedb       - Updates db for expired certificates

用例：

[root@localhost 2]# openssl ca -in 2.csr -out 2.crt -name my_caset
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 2 (0x2)
        Validity
            Not Before: Mar  5 14:24:34 2018 GMT
            Not After : Mar  5 14:24:34 2019 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = FJ
            organizationName          = YL
            organizationalUnitName    = YL
            commonName                = YLtls
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                0F:04:AD:BC:34:FF:F5:E4:5E:AB:F5:4B:27:2D:1A:07:74:8C:B9:94
            X509v3 Authority Key Identifier: 
                keyid:E2:61:AC:09:21:CF:80:0A:8F:CF:62:2B:79:81:49:DB:91:4C:60:34

Certificate is to be certified until Mar  5 14:24:34 2019 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

说明：

-name 为ca系统里指定的配置内容， 默认是[ CA_default ]，在/etc/pki/tls/openssl.cnf 增加一个section，

[ my_caset ]

dir             = /root/tls             # Where everything is kept
certs           = $dir/certs            # Where the issued certs are kept
crl_dir         = $dir/crl              # Where the issued crl are kept
database        = $dir/index.txt        # database index file.
#unique_subject = no                    # Set to 'no' to allow creation of
                                        # several ctificates with same subject.
new_certs_dir   = $dir/newcerts         # default place for new certs.

certificate     = $dir/server.crt       # The CA certificate
serial          = $dir/serial           # The current serial number
crlnumber       = $dir/crlnumber        # the current crl number
                                        # must be commented out to leave a V1 CRL
crl             = $dir/crl.pem          # The current CRL
private_key     = $dir/server.key       # The private key
RANDFILE        = $dir/private/.rand    # private random number file

x509_extensions = usr_cert              # The extentions to add to the cert

# Comment out the following two lines for the "traditional"
# (and highly broken) format.
name_opt        = ca_default            # Subject Name options
cert_opt        = ca_default            # Certificate field options

# Extension copying option: use with caution.
# copy_extensions = copy

# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL.
# crlnumber must also be commented out to leave a V1 CRL.
# crl_extensions        = crl_ext

default_days    = 365                   # how long to certify for
default_crl_days= 30                    # how long before next CRL
default_md      = sha256                # use SHA-256 by default
preserve        = no                    # keep passed DN ordering

# A few difference way of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy          = policy_match

问题：

failed to update database
TXT_DB error number 2

参考: openssl生成CA的时候出错：TXT_DB error number 2， 请点击打开链接