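# Excerpt of the OpenSSL certificate-authority (CA) configuration, as viewed with
#   [root@centos8 CA]# vim /etc/pki/tls/openssl.cnf
# Only the key settings are shown below.
# NOTE: OpenSSL's config parser treats '#' as a comment to end of line, so the
# trailing comments on value lines are safe for OpenSSL; a generic INI parser
# would keep them as part of the value.
# NOTE: the pasted original had several lines fused together (default_crl_days
# was swallowed by the comment on default_days, and the [ policy_match ] header
# was glued to the preserve line); they are restored one-per-line here.
[ CA_default ]

dir = /etc/pki/CA                  # Where everything is kept
certs = $dir/certs                 # Where the issued certs are kept
crl_dir = $dir/crl                 # Where the issued crl are kept
database = $dir/index.txt          # database index file.
#unique_subject = no               # Set to 'no' to allow creation of
                                   # several certs with same subject.
new_certs_dir = $dir/newcerts      # default place for new certs.

certificate = $dir/cacert.pem      # The CA certificate
serial = $dir/serial               # The current serial number
crlnumber = $dir/crlnumber         # the current crl number
                                   # must be commented out to leave a V1 CRL
crl = $dir/crl.pem                 # The current CRL
# Anyone who can read this key can sign certificates as this CA; keep the
# file readable by the CA operator only and back it up to protected storage.
private_key = $dir/private/cakey.pem   # The private key

x509_extensions = usr_cert         # The extensions to add to the cert

# Comment out the following two lines for the "traditional"
# (and highly broken) format.
name_opt = ca_default              # Subject Name options
cert_opt = ca_default              # Certificate field options

# Extension copying option: use with caution. When enabled, extensions present
# in the certificate request (e.g. basicConstraints, subjectAltName) are copied
# into the issued certificate, so a requester can influence them; leave it off
# unless requests are reviewed and the CA policy limits what may be copied.
# copy_extensions = copy

# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL.
# crlnumber must also be commented out to leave a V1 CRL.
# crl_extensions = crl_ext

default_days = 365                 # how long to certify for
default_crl_days = 30              # how long before next CRL
default_md = sha256                # use SHA-256 by default
preserve = no                      # keep passed DN ordering

[ policy_match ]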
# Policy applied by 'openssl ca' to each request: 'match' fields must equal the
# value in the CA's own certificate, 'supplied' fields must be present in the
# request, 'optional' fields may be present or absent.
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
#这个文件是OpenSSL证书颁发机构(CA)的配置文件的示例。它定义了生成CA和证书所需的各种参数和路径。
dir:存储所有内容的目录,所有其他的相对路径都是基于此目录。
certs:已颁发证书的存储位置。
crl_dir:已颁发证书撤销列表(CRL)的存储位置。
database:索引数据库文件的位置,它用来追踪已颁发的证书。
new_certs_dir:新证书的默认存储位置。
certificate:CA证书的位置。
serial:当前的序列号文件的位置。此文件包含了下一个将要被颁发的证书的序列号。
crlnumber:当前的CRL编号的位置。
crl:当前的CRL的位置。
private_key:私钥的位置。
x509_extensions:添加到证书中的X.509扩展。
name_opt 和 cert_opt:定义了证书中主题名称和证书字段的选项。
default_days:证书的默认有效期(天数)。
default_crl_days:下一个CRL之前的默认天数。
default_md:默认使用的消息摘要算法。
preserve:是否保留传递的DN排序。
#然后有一个名为 policy_match 的部分,这是一个策略段,它定义了在证书申请时需要匹配或供应的字段。
countryName、stateOrProvinceName、organizationName:在证书申请中必须与CA证书中的对应值匹配的字段。
organizationalUnitName、emailAddress:可选字段。
commonName:必须在证书申请中提供的字段。