Certificate Configuration File


 

NAME

openssl.cnf - OpenSSL configuration file

 


DESCRIPTION

The file openssl.cnf contains configuration information used by three openssl (sub-)commands: ca, req and x509. The file provides default values that are used when corresponding options are omitted from the three commands; it also provides default prompts and other values that affect the way the commands interact with the user.

openssl.cnf is divided into sections that begin with bracketed identifiers. Examples include [ ca ] and [ req ], which affect the behavior of openssl's ca and req commands. The first bracketed identifier in the file can be preceded by directives that affect the entire configuration file.

Within each section, directives consist of attributes (on the left-hand side), an equals sign (``=''), and value(s) for the attribute (on the right-hand side).

 


CA CONFIGURATION DIRECTIVES

The directives below are used by the openssl ca (Certificate Authority) command. Many of them correspond to ca command options. In some cases, omitting the options when invoking the ca command will cause ca to use the values in the openssl.cnf file. In other cases, ca command options (-name [section], -crlexts [section], -extensions [section]) explicitly refer to sections of the openssl.cnf file that might otherwise be ignored.

 


[ ca ] Section

default_ca

On startup, the default behavior of openssl's ca command is to check the [ ca ] section for the value of the default_ca attribute, which references another section of the openssl.cnf file.

Thus, the following directive (in the sample openssl.cnf file shipped with OpenSSL)

default_ca = CA_default

tells the ca command to look for a section named [ CA_default ], which has the actual attributes used by the ca command.

You can override the value of the default_ca attribute by using the ca command's -name [section] option.

 


[ CA_default ] Section

In the default openssl.cnf file, directives for the ca command are in this section. You can change the name of this section by changing the value of the default_ca attribute in the [ ca ] section of the configuration file.

If you regularly need different sets of configuration options when issuing the ca command, you can create other sections whose contents parallel the contents of CA_default (but with different values specified). Then, when you issue the openssl ca command, specify a different section with the -name [section] option to the ca command.

oid_file

The name of a file that contains object identifier definitions. The format of this file is one definition per line, each line consisting of three columns. The first column is the numerical representation of the OID. The second column is the OID's short name, which should be a single word composed of only upper- and lowercase letters. The third column is the OID's long name, which may be composed of multiple words and characters other than letters. (Source: Viega2002, p. 313)

oid_section

The name of a section (of this configuration file) that contains object identifier definitions. Key names in the section should be the OID's short name, and the corresponding value should be the OID's numerical representation. Long names are the same as the short names for OIDs that are defined in this manner. (Source: Viega2002, p. 313)

dir

The default directory that ca reads from and writes to (unless told to do otherwise).

The sample openssl.cnf file has the line:

dir = ./demoCA

indicating that the demoCA directory (beneath whatever is the current working directory) contains files to be read. It is also the default directory to which new certs and keys are written.

You might want to change the value to something like ./ (the current directory).

certs

The directory where issued certs are kept.

The sample openssl.cnf file has the line:

certs = $dir/certs

crl_dir

The directory where issued certificate revocation lists are kept.

The sample openssl.cnf file has the line:

crl_dir = $dir/crl

database

A ``database index file''--an ASCII file with a line for every certificate issued. The third field of each entry is an index to the certs themselves, which are stored in the new_certs_dir (see below).

The sample openssl.cnf file has the line:

database = $dir/index.txt

new_certs_dir

A directory where a copy of each issued certificate is stored, with a name of the form nn.pem (nn = 00, 01, ... nn). The file names of the certs are indexed by the database index file (above).

You can view individual certs in the new_certs_dir by issuing a command something like:

# openssl x509 -noout -text -in <cert_file>

where: cert_file is one of the files nn.pem

The sample openssl.cnf file has the line:

new_certs_dir = $dir/newcerts

certificate

The name of the file that contains the certificate authority's certificate (the ``CA cert'') to be used in signing (or revoking, etc.) a cert.

The sample openssl.cnf file has the line:

certificate = $dir/cacert.pem

You can override the value of the certificate attribute by using the ca command's -cert <filename> option.

serial

The serial number to use for the next certificate issued. (The serial number appears in the cert's entry in the database index file (see ``database'' above) and in the cert's file name in the new_certs_dir (see above).)

The sample openssl.cnf file has the line:

serial = $dir/serial

serialfile

The name of a file that will be used to keep track of the next serial number that will be assigned to a certificate when it is issued. This setting is mandatory and has no corresponding command-line option. (Source: Viega2002, p. 314) [Note: This option is apparently a synonym for the serial configuration option.]

crl

The file name of the current certificate revocation list.

The sample openssl.cnf file has the line:

crl = $dir/crl.pem

private_key

The private key of the certificate authority that corresponds to the CA certificate referenced by the ``certificate'' attribute (see above).

The sample openssl.cnf file has the line:

private_key = $dir/private/cakey.pem

RANDFILE

A private random number file.

The sample openssl.cnf file has the line:

RANDFILE = $dir/private/.rand

x509_extensions

The name of a section (in the configuration file) that contains directives for the ca command when it signs a cert.

The sample openssl.cnf file has the line:

x509_extensions = usr_cert

See the section [ usr_cert ] below.

You can override the name of this value by using the ca command's -extensions [section] option.

crl_extensions

The name of a section (in the configuration file) that contains directives for the ca command when it revokes certificates.

The sample openssl.cnf file has the line (commented out):

crl_extensions = crl_ext

The sample notes: ``Netscape communicator chokes on V2 CRLs so this is commented out by default to leave a V1 CRL.''

default_days

The default number of days a signed cert will be valid.

The sample openssl.cnf file has the line:

default_days = 365

You can override this value with one of the following options to the ca command:

-enddate <YYMMDDHHMMSSZ>
-days <num_days>

default_startdate

The default starting date for which issued certificates will be valid. This is the same as the startdate command-line option. (Source: Viega2002, p. 313)

The format of the date is YYMMDDHHMMSSZ, where ``Z'' is the capital letter Z.

default_enddate

The default ending date for which issued certificates will be valid. This is the same as the enddate command-line option. (Source: Viega2002, p. 313)

The format of the date is YYMMDDHHMMSSZ, where ``Z'' is the capital letter Z.

default_crl_days

The default number of days before the next certificate revocation list.

The sample openssl.cnf file has the line:

default_crl_days= 30

default_crl_hours

The default number of hours until a new certificate revocation list is generated. This is the same as the crlhours command-line option. (Source: Viega2002, p. 313)

default_md

The message digest algorithm to use. Possible values include md5, sha1 and mdc2.

The sample openssl.cnf file has the line:

default_md = md5

You can override this value by using the ca command's -md <algorithm> option.

preserve

Indicates whether to preserve the order of the Distinguished Name (DN) fields to match the order passed in.

The sample openssl.cnf file has the line:

preserve = no

You can override this value by using the ca command's -preserveDN option.

msie_hack

If set to yes, certificates that are issued will work with very old versions of the Internet Explorer certificate enrollment control ``certenr3''. Avoid using this option unless you know that you absolutely need it. (Source: Viega2002, p. 314)

policy

The name of another section in the openssl.cnf file that defines which fields are mandatory or which must match the CA certificate.

The sample openssl.cnf file has the line:

policy = policy_match

You can override this value by using the ca command's -policy [section] option.

See [ policy_match ] and [ policy_anything ] below for examples of two policy sections that appear in the sample openssl.cnf file. (You may choose other names for your policy sections, and reference those names with the ca command's -policy [section] option or as the value of the policy attribute in the openssl.cnf file.)

 


[ policy_match ] and [ policy_anything ] Sections

The [ policy_match ] and [ policy_anything ] sections appear in the sample openssl.cnf file.

policy_match (in the sample) indicates OIDs (attributes) that must be the same (``match''), are optional, or as supplied:

match

The OID must be present in the certificate request and must match the same OID in the CA's distinguished name.

supplied

Must be present in the certificate request.

optional

May or may not be present in the certificate request.

A comment at the beginning of the [ policy_anything ] section indicates that for the [ policy_anything ] section, you must list all acceptable ``object'' types (i.e., countryName, stateOrProvinceName, localityName, organizationName, organizationalUnitName, commonName, emailAddress)--even those that are optional. (Note that in the [ policy_match ] section, that restriction apparently doesn't apply, since the localityName attribute does not appear in the [ policy_match ] section ...)

countryName

In the [ policy_match ] section, the sample openssl.cnf file has a value of ``match'' for this attribute.

In the [ policy_anything ] section, the sample openssl.cnf file has a value of ``optional'' for this attribute.

stateOrProvinceName

In the [ policy_match ] section, the sample openssl.cnf file has a value of ``match'' for this attribute.

In the [ policy_anything ] section, the sample openssl.cnf file has a value of ``optional'' for this attribute.

localityName

This attribute does not appear in the [ policy_match ] section of the sample openssl.cnf file.

In the [ policy_anything ] section, the sample openssl.cnf file has a value of ``optional'' for this attribute.

organizationName

In the [ policy_match ] section, the sample openssl.cnf file has a value of ``match'' for this attribute.

In the [ policy_anything ] section, the sample openssl.cnf file has a value of ``optional'' for this attribute.

organizationalUnitName

This attribute has an ``optional'' value in both the policy_match and [ policy_anything ] sections of the sample openssl.cnf file.

commonName

This attribute has a ``supplied'' value in both the policy_match and [ policy_anything ] sections of the sample openssl.cnf file.

emailAddress

This attribute has an ``optional'' value in both the policy_match and [ policy_anything ] sections of the sample openssl.cnf file.
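The following added example (not part of the original page or of OpenSSL) applies the match / supplied / optional rules above to a request's distinguished name. The policy tables repeat the values this page reports for the sample file; the CA and request names are constructed, exact string comparison is a simplification, and dropping unlisted fields follows the behaviour documented in ca(1), which is why [ policy_anything ] has to list every acceptable field.

```python
# Policy sections as this page reports them from the sample openssl.cnf.
POLICY_MATCH = {
    "countryName": "match",
    "stateOrProvinceName": "match",
    "organizationName": "match",
    "organizationalUnitName": "optional",
    "commonName": "supplied",
    "emailAddress": "optional",
}
POLICY_ANYTHING = {
    "countryName": "optional",
    "stateOrProvinceName": "optional",
    "localityName": "optional",
    "organizationName": "optional",
    "organizationalUnitName": "optional",
    "commonName": "supplied",
    "emailAddress": "optional",
}

# Constructed distinguished names for the demonstration.
CA_DN = {
    "countryName": "AU",
    "stateOrProvinceName": "Some-State",
    "organizationName": "Internet Widgits Pty Ltd",
    "commonName": "Example CA",
}
REQ_DN = {
    "countryName": "AU",
    "stateOrProvinceName": "Some-State",
    "localityName": "Sydney",
    "organizationName": "Other Org",
    "commonName": "www.example.test",
}


def apply_policy(policy, ca_dn, request_dn):
    """Check a request DN against a policy section.

    Returns (errors, issued_dn). issued_dn keeps only the fields the policy
    lists: ca(1) documents that fields not mentioned in the policy section are
    silently deleted unless the DN is preserved.
    """
    errors = []
    for field, rule in policy.items():
        if rule not in ("match", "supplied", "optional"):
            errors.append(f"{field}: unknown policy value '{rule}'")
            continue
        if rule == "optional":
            continue
        value = request_dn.get(field)
        if value is None:
            errors.append(f"{field}: required ({rule}) but missing from request")
        elif rule == "match" and value != ca_dn.get(field):
            # Simplification: exact string comparison of the two values.
            errors.append(
                f"{field}: '{value}' does not match CA value '{ca_dn.get(field)}'"
            )
    issued_dn = {f: v for f, v in request_dn.items() if f in policy}
    return errors, issued_dn


if __name__ == "__main__":
    for name, policy in (("policy_match", POLICY_MATCH),
                         ("policy_anything", POLICY_ANYTHING)):
        errors, issued = apply_policy(policy, CA_DN, REQ_DN)
        print(name, "->", errors or "accepted", "| subject fields:", list(issued))
```

Under policy_match the constructed request is rejected for its organizationName and would lose its localityName; under policy_anything it is accepted unchanged, so the choice of policy section decides how much of the subject the requester controls.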

 


REQ CONFIGURATION DIRECTIVES

The directives below are used by the openssl req command, which creates and processes certificate requests in PKCS#10 (Public Key Cryptography Standard No. 10) format, creates self signed certificates for use as root CA certs, etc.

 


[ req ]

On startup, the openssl req command reads the [ req ] section of openssl.cnf for default values that are not specified as arguments or options to the req command.

default_bits

The default key size in bits. This value is used when req is invoked with the -new option (for a new certificate request).

Default value: 512

The sample openssl.cnf file has the line:

default_bits = 1024

You can override this value by using the req command's -newkey option.

default_keyfile

The name of the file to which a newly generated private key will be written.

The sample openssl.cnf file has the line:

default_keyfile = privkey.pem

You can override this value by using the req command's -keyout <filename> option.

distinguished_name

The name of another section in the openssl.cnf file that defines the prompts used when asking the user for information needed to generate a cert. The referenced section also gives default values (if none are entered) and constraints on allowed values.

The sample openssl.cnf file has the line:

distinguished_name = req_distinguished_name

See the [ req_distinguished_name ] section (below) for a description of the attributes and values that appear in the sample openssl.cnf file.

attributes

Like the distinguished_name attribute, attributes is the name of another section in the openssl.cnf file that defines the prompts used when asking the user for information needed to generate a cert. The referenced section also gives default values (if none are entered) and constraints on allowed values.

The sample openssl.cnf file has the line:

attributes = req_attributes

See the [ req_attributes ] section (below) for a description of the attributes and values that appear in the sample openssl.cnf file.

x509_extensions

The name of another section in the openssl.cnf file that contains a list of extensions to add to certificates generated when the req command is invoked with the -x509 option.

The sample openssl.cnf file has the line:

x509_extensions = v3_ca

See the [ v3_ca ] section (below) for a description of the attributes and values that appear in the sample openssl.cnf file.

You can override this value by using the req command's -extensions [section] option to specify the name of some other section of the file that lists extensions to add.

input_password
output_password

Passwords for private keys can be specified as values for the input_password and output_password attributes. If these lines are not present in openssl.cnf, the user will be prompted for the password.

The sample openssl.cnf file has the lines (commented out):

# input_password = secret
# output_password = secret

(If you decide to uncomment the above, be sure to change the password from ``secret''!)

If the above lines are not present in openssl.cnf, the user will be prompted for a password unless the req command is invoked with the -passin <filename> and/or -passout <filename> options.

string_mask

A mask for permitted string types.

Possible values:

default PrintableString, T61String, BMPString

pkix PrintableString, BMPString

utf8only only UTF8Strings

nombstr PrintableString, T61String (no BMPStrings or UTF8Strings)

MASK XXXX a literal mask value

The sample openssl.cnf file has the line:

string_mask = nombstr

WARNING: Current versions of Netscape crash on BMPStrings or UTF8Strings so use this option with caution!

req_extensions

The name of another section in the openssl.cnf file that contains a list of extensions to add to a certificate request.

The sample openssl.cnf file has the line (commented out):

# req_extensions = v3_req

See the [ v3_req ] section (below) for a description of the attributes and values that appear in the sample openssl.cnf file.

You can override this value by using the req command's -reqexts [section] option to specify the name of some other section of the file that lists extensions to add.
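The sample values quoted above (default_md = md5, default_bits = 1024, a cleartext input_password) are the defaults worth checking first in an inherited openssl.cnf. The following added example, which is not from the original page or from OpenSSL, parses the section / attribute = value format described here, follows the default_ca indirection and $dir references, and reports those settings; the deny-list, the 2048-bit minimum and the sample text are assumptions of the example.

```python
import re

# Constructed sample mirroring values this page quotes from the old sample
# openssl.cnf, with input_password uncommented to show the finding.
SAMPLE_CNF = """\
[ ca ]
default_ca = CA_default

[ CA_default ]
dir         = ./demoCA
private_key = $dir/private/cakey.pem
default_md  = md5
policy      = policy_match

[ req ]
default_bits    = 1024
default_keyfile = privkey.pem
input_password  = secret
# output_password = secret
"""

WEAK_DIGESTS = {"md5", "sha1", "mdc2"}  # assumption: this auditor's deny-list
MIN_RSA_BITS = 2048                     # assumption: this auditor's minimum


def parse_cnf(text):
    """Parse sections and 'attr = value' lines, expanding $name references."""
    sections, current = {}, None
    for raw in text.splitlines():
        # Simplification: '#' always starts a comment (no quoted '#').
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.fullmatch(r"\[\s*(\S+)\s*\]", line)
        if header:
            current = sections.setdefault(header.group(1), {})
            continue
        if current is None or "=" not in line:
            continue  # file-wide directives before the first section: ignored
        key, value = (part.strip() for part in line.split("=", 1))
        # $dir-style references resolve against attributes set earlier
        # in the same section; unknown names are left untouched.
        value = re.sub(r"\$(\w+)",
                       lambda m: current.get(m.group(1), m.group(0)), value)
        current[key] = value
    return sections


def audit(sections, ca_name=None):
    """Return (section, attribute, message) findings for weak defaults."""
    findings = []
    # Same lookup the ca command performs: -name if given, else default_ca.
    ca_name = ca_name or sections.get("ca", {}).get("default_ca")
    ca = sections.get(ca_name, {})
    if ca_name and not ca:
        findings.append(("ca", "default_ca", f"section [ {ca_name} ] not found"))
    digest = ca.get("default_md", "").lower()
    if digest in WEAK_DIGESTS:
        findings.append((ca_name, "default_md", f"weak digest {digest}"))
    req = sections.get("req", {})
    bits = req.get("default_bits")
    if bits is not None and int(bits) < MIN_RSA_BITS:
        findings.append(("req", "default_bits",
                         f"{bits}-bit key below {MIN_RSA_BITS}"))
    for attr in ("input_password", "output_password"):
        if attr in req:
            findings.append(("req", attr,
                             "private-key password stored in cleartext"))
    return findings


if __name__ == "__main__":
    for section, attr, message in audit(parse_cnf(SAMPLE_CNF)):
        print(f"[ {section} ] {attr}: {message}")
```

A default_ca value that names a section which does not exist (for example a hyphen where the section header uses an underscore) is reported as its own finding, because every CA check would otherwise be skipped silently.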

 


[ req_distinguished_name ] Section

This section defines the prompts when asking the user for information needed to generate a cert. It also gives default values (if the user doesn't enter any) and constraints on allowed values.

Note: If a set of related attributes includes one with a ``_default'' suffix, then if the user enters no value for the attribute, the default value will be used. To specify that no value is desired, enter ``.''

countryName

The text to display when prompting the user for the country name (C=) component of the distinguished name. In the sample openssl.cnf file, countryName has the value ``Country Name (2 letter code)''

countryName_default

The default country name. In the sample openssl.cnf file, countryName_default has the value ``AU''

countryName_min

The minimum allowable country name length. In the sample openssl.cnf file, countryName_min has the value 2.

countryName_max

The maximum allowable country name length. In the sample openssl.cnf file, countryName_max has the value 2.

The country name should be an ISO 3166 two-letter country code.

Note: For the country name, be sure to specify the ISO 3166 country code. In cases where the ISO country code is different from the Internet country domain name, use the ISO 3166 code. (Example: The United Kingdom (Internet country domain: uk; ISO 3166 country code: GB). Use GB.)

stateOrProvinceName

The text to display when prompting the user for the state or province name (ST=) component of the distinguished name. In the sample openssl.cnf file, stateOrProvinceName has the value ``State or Province Name (full name)''

stateOrProvinceName_default

The default state or province name. In the sample openssl.cnf file, countryName_default has the value ``State or Province Name (full name)''

localityName

The text to display when prompting the user for the locality name (L=) component of the distinguished name. In the sample openssl.cnf file, localityName has the value ``Locality Name (eg, city)''

0.organizationName

The text to display when prompting the user for the organization name (O=) component of the distinguished name. In the sample openssl.cnf file, 0.organizationName has the value ``Organization Name (eg, company)''

0.organizationName_default

The default organization name. In the sample openssl.cnf file, 0.organizationName has the value ``Internet Widgits Pty Ltd''

1.organizationName

The text to display when prompting the user for an additional organization name (O=) component of the distinguished name. In the sample openssl.cnf file, the commented out line for 1.organizationName has the value ``Second Organization Name (eg, company)''

1.organizationName_default

The default second organization name. In the sample openssl.cnf file, 1.organizationName is commented out and has the value ``World Wide Web Pty Ltd''

organizationalUnitName

The text to display when prompting the user for the optional (in the sample openssl.cnf, at least) organizational unit name (OU=) component of the distinguished name. In the sample openssl.cnf file, organizationalUnitName has the value ``Organizational Unit Name (eg, section)''

organizationalUnitName_default

The default organizational unit name. In the sample openssl.cnf file, organizationalUnitName_default is commented out and has no value.

commonName

The text to display when prompting the user for the common name (CN=) component of the distinguished name. In the sample openssl.cnf file, commonName has the value ``Common Name (eg, YOUR name)''

Note: Even though the prompt indicates ``YOUR name'' as a possibility, it *might* be more appropriate for it to read something like ``Common Name (e.g., fully qualified domain name of the server to be secured)'' since the common name generally corresponds to the server's name when generating certificates.

commonName_max

The maximum allowable common name length. In the sample openssl.cnf file, commonName_max has the value 64.

emailAddress

The text to display when prompting the user for the email address of the distinguished name. In the sample openssl.cnf file, emailAddress has the value ``Email Address''

 


[ req_attributes ] Section

This section defines the prompts when asking the user for certain information (in addition to the [ req_distinguished_name ] section above) needed to generate a cert. It also gives constraints on the allowed values.

challengePassword

The text to display when prompting the user for a challenge password. In the sample openssl.cnf file, challengePassword has the value ``A challenge password''

challengePassword_min

The minimum length of the challenge password. In the sample openssl.cnf file, challengePassword_min has a value of 4.

challengePassword_max

The maximum length of the challenge password. In the sample openssl.cnf file, challengePassword_max has a value of 20.

unstructuredName

The text to display when prompting the user for an unstructured name. In the sample openssl.cnf file, unstructuredName has the value ``An optional company name''

 


X.509 EXTENSION DIRECTIVES

The directives below are used when requesting or signing certs. Many of the attributes can appear in any of the sections [ usr_cert ], [ v3_req ] and [ v3_ca ], with different values on the right-hand side, depending on whether the operation is signing of certs ([ usr_cert ]), adding a certificate request ([ v3_req ]) or creating a CA cert ([ v3_ca ]).

 


[ usr_cert ] Section

This section is referenced by the x509_extensions attribute in the [ CA_default ] section (above) of the sample openssl.cnf file. It contains directives used by the ca command when it signs a request (cert).

In the sample openssl.cnf file, most of the directives in this section are commented out (because they are deprecated?). Only four directives actually appear uncommented: basicConstraints, nsComment, subjectKeyIdentifier and authorityKeyIdentifier.

basicConstraints

Is this certificate valid as a certificate authority cert? (Can this certificate be used to sign or revoke other certificates?)

Possible values are CA:FALSE and CA:TRUE.

The sample openssl.cnf file has the line:

basicConstraints= CA:FALSE

indicating that the certificate's purposes do not include signing/revoking other certificates.

subjectKeyIdentifier

Specifies how to identify the public key being certified (so that distinct keys used by the same subject can be differentiated--as key updating occurs, for example).

The sample openssl.cnf file has the line:

subjectKeyIdentifier=hash

The IETF Public Key Infrastructure (PKIX) working group recommends the above default.

authorityKeyIdentifier

Specifies how to identify the public key used to verify the signature on this certificate or certificate revocation list (CRL). Enables distinct keys used by the same CA to be distinguished (e.g. as keypair updating occurs).

The sample openssl.cnf file has the line:

authorityKeyIdentifier=keyid,issuer:always

The IETF Public Key Infrastructure (PKIX) working group recommends the above default.

nsComment

A comment to be displayed in Netscape's comment listbox for the certificate signer. Provide a suitable description for the certificate.

The sample openssl.cnf file has the line:

nsComment = "OpenSSL Generated Certificate"

The following (mostly Netscape-specific) attributes are all commented out in the sample openssl.cnf file:

nsCertType

The nsCertType attribute can specify the cert's capabilities (purposes).

If nsCertType is omitted, the certificate can be used for anything except for object signing (CA use).

If nsCertType is included, one or more of the following (separated by commas) can appear as the value of this attribute: client, server, email, objsign, reserved, sslCA, emailCA, objCA.

Examples (commented out in sample openssl.cnf):

nsCertType = server for an SSL server

nsCertType = objsign for an object signing certificate

nsCertType = client, email for ``normal'' client use

nsCertType = client, email, objsign for ``everything including object signing''

subjectAltName

Relates to the alternate name for the certificate holder.

The format in the sample openssl.cnf:

subjectAltName=email:copy

causes OpenSSL to import the e-mail address.

issuerAltName

Relates to the alternate name for the certificate or CRL issuer (CA).

The format in the sample openssl.cnf:

issuerAltName=issuer:copy

causes OpenSSL to copy subject details.

nsCaRevocationUrl

The revocation URL for the Root CA Certificate.

The sample openssl.cnf file includes the following (commented out):

nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem

nsBaseUrl

Can give the general base URL.

nsRevocationUrl

The revocation URL for other (non-Root CA) certificates. The URL is of the form ../foo.cgi?aaaa. ``aaaa'' is the ASCII-encoded serial number of the cert.

nsRenewalUrl

A URL to visit to renew SSL/TLS certificates.

nsCaPolicyUrl

Gives the URL of the CA's policy.

nsSslServerName

The name of the Netscape SSL Server. Be careful with this attribute--it can crash certain versions of Netscape.

keyUsage

Possible values: digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment, keyAgreement, keyCertSign, cRLSign, encipherOnly, decipherOnly

 


[ v3_req ] Section

This section is referenced by the req section's req_extensions attribute (commented out in the sample openssl.cnf file; see the [ req ] section above).

If not commented out--or if referenced by the -extensions [section] option of the req command--it contains directives used by the req command when it requests certs.

In the sample openssl.cnf file, the [ v3_req ] section has only two directives: basicConstraints and keyUsage.

basicConstraints

See the description in the [ usr_cert ] section (above).

The sample openssl.cnf file has the line:

basicConstraints= CA:FALSE

keyUsage

See the description in the [ usr_cert ] section (above).

The sample openssl.cnf file has the line:

keyUsage = nonRepudiation, digitalSignature, keyEncipherment

 


[ v3_ca ] Section

This section of extensions for a typical CA is referenced by the [ req ] section's x509_extensions attribute. It is a list of extensions to add to certificates generated when the req command is invoked with the -x509 option.

subjectKeyIdentifier

See the description in the [ usr_cert ] section (above).

The sample openssl.cnf file has the line:

subjectKeyIdentifier=hash

as recommended by the IETF Public Key Infrastructure (PKIX) working group.

authorityKeyIdentifier

See the description in the [ usr_cert ] section (above).

The sample openssl.cnf file has the line:

authorityKeyIdentifier=keyid:always,issuer:always

as recommended by the IETF Public Key Infrastructure (PKIX) working group.

basicConstraints

See the description in the [ usr_cert ] section (above).

The sample openssl.cnf file has the line:

basicConstraints = CA:true

as well as a commented out:

basicConstraints = critical,CA:true

Although PKIX recommends the commented out version, ``some broken software chokes on critical extensions,'' so the sample openssl.cnf omits ``critical.'' However, it *does* indicate that the purposes of this certificate should include Certificate Authority.

The sample openssl.cnf file also includes a commented out:

basicConstraints= critical, DER:30:03:01:01:FF

illustrating how to override a supported extension with a Distinguished Encoding Rules (DER) encoding of an extension.

keyUsage

See the description in the [ usr_cert ] section (above).

The sample openssl.cnf file has the line (commented out):

keyUsage = cRLSign, keyCertSign

(The sample openssl.cnf omits the above even though it is typical for a CA certificate, ``since it will prevent it being used as an test self-signed certificate.'')

nsCertType

See the description in the [ usr_cert ] section (above).

The sample openssl.cnf file has the line (commented out):

nsCertType = sslCA, emailCA

subjectAltName

See the description in the [ usr_cert ] section (above).

The sample openssl.cnf file has the line commented out:

subjectAltName=email:copy

even though it is a PKIX recommendation.

issuerAltName

See the description in the [ usr_cert ] section (above).

The sample openssl.cnf file has the line commented out:

issuerAltName=issuer:copy

even though it is a PKIX recommendation.

obj

Introduces an extension encoded in hex with DER.

The sample openssl.cnf file has the line (commented out):

obj=DER:02:03

where ``obj'' is a standard or added object. (``Beware experts only!'')

 


[ crl_ext ] Section

This section contains extensions associated with certificate revocation lists (CRLs). ``Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.''

The [ crl_ext ] section is referenced by the CA_default section's crl_extensions attribute (commented out in the sample openssl.cnf file; see the [ CA_default ] section above).

If not commented out--or if referenced by the -crlexts [section] option of the ca command--it contains directives used by the ca command when it revokes certs.

The sample openssl.cnf notes: ``Netscape communicator chokes on V2 CRLs so this is commented out by default to leave a V1 CRL.''

issuerAltName

See the description in the [ usr_cert ] section (above).

The sample openssl.cnf file has the line commented out:

issuerAltName=issuer:copy

authorityKeyIdentifier

See the description in the [ usr_cert ] section (above).

The sample openssl.cnf file has the line:

authorityKeyIdentifier=keyid:always,issuer:always

 


SEE ALSO

openssl(1), ca(1), req(1), x509(1)

 


HISTORY

 

 06 May 2003: First draft, based on sample openssl.cnf
 25 Jul 2003: Second draft, with additions from Appendix of Viega's OpenSSL book.

 


AUTHOR

Morris Inouye <minouye@technoids.org>

Copyright (c) 2003 Morris Inouye
