CA(Certificate Authority)是数字证书认证中心的简称,是指发放、管理、废除数字证书的机构。CA的作用是检查证书申请者身份的合法性,并签发证书(用CA私钥在证书上签名),以防证书被伪造或篡改,以及对证书和密钥进行管理。需要注意:整个体系的信任都系于CA私钥,私钥一旦泄露,攻击者即可签发任意会被信任的证书,因此生产环境中应严格限制其访问权限(离线保存或放入HSM)。使用OpenSSL可以创建CA、签发证书和吊销证书。
一,OpenSSL配置文件在RHEL/CentOS系上为/etc/pki/tls/openssl.cnf(Debian/Ubuntu系通常是/etc/ssl/openssl.cnf,可用`openssl version -d`查看实际目录;不同OpenSSL版本的内容略有差异),下面是此文件中关于CA的部分摘要
####################################################################
# Settings read by 'openssl ca'. Everything lives under $dir; the
# directory layout, the index/serial state files and the CA key are
# all defined here.
[ CA_default ]
dir = /etc/pki/CA # Where everything is kept; default CA working directory, referenced below as $dir
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued CRLs are kept (revocation lists, not the revoked certificates themselves)
database = $dir/index.txt # database index file: one record per issued cert (status V/R/E, expiry, serial, subject); create it empty before the first signing
#unique_subject = no # Set to 'no' to allow creation of
# several certificates with the same subject (the default 'yes' rejects a
# request whose subject matches a still-valid entry in index.txt).
new_certs_dir = $dir/newcerts # default place for new certs, stored as <serial>.pem
certificate = $dir/cacert.pem # The CA certificate (self-signed for a root CA)
serial = $dir/serial # The current serial number; must be initialised before the first signing (e.g. echo 01 > serial) and is incremented per issued cert
crlnumber = $dir/crlnumber # the current CRL number (a counter for CRLs, not a certificate serial); initialise it (e.g. echo 01 > crlnumber) before the first CRL is generated
# must be commented out to leave a V1 CRL
crl = $dir/crl.pem # The current CRL (certificate revocation list)
private_key = $dir/private/cakey.pem# The CA private key: the trust root -- keep private/ at mode 0700, the key at 0600 and passphrase-protected (or in an HSM)
RANDFILE = $dir/private/.rand # private random number file (legacy seed file; NOTE(review): newer OpenSSL releases may ignore it -- confirm for your version)
x509_extensions = usr_cert # The extensions to add to issued end-entity certs; name a CA-specific section via -extensions when signing a sub-CA
# Comment out the following two lines for the "traditional"
# (and highly broken) format.
name_opt = ca_default # Subject Name options
cert_opt = ca_default # Certificate field options
# Extension copying option: use with caution. With 'copy', extensions from
# the CSR (subjectAltName, basicConstraints, keyUsage, ...) are carried into
# the issued cert, so a requester could ask for CA:TRUE or extra names
# unless the x509_extensions section overrides them. Leave commented.
# copy_extensions = copy
# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL.
# crlnumber must also be commented out to leave a V1 CRL.
# crl_extensions = crl_ext
default_days = 365 # how long to certify for (default validity of issued certs in days; override per run with -days)
default_crl_days= 30 # how long before next CRL (CRL validity: days until nextUpdate; relying parties may reject a stale CRL)
default_md = sha256 # use SHA-256 by default (signature digest; never downgrade to md5/sha1, which modern clients reject)
preserve = no # keep passed DN ordering
# A few difference way of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy = policy_match
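# For the CA policy: which subject DN fields a request must carry and how
# they are checked against the CA certificate ('match' = must equal the
# CA's value, 'supplied' = must be present, 'optional' = may be absent).
# NOTE: explanations must live on '#' comment lines -- any text appended
# after the value is read as part of the value, and 'openssl ca' rejects a
# policy value other than match/supplied/optional.
[ policy_match ]
# countryName (C) must match the CA certificate
countryName = match
# stateOrProvinceName (ST) must match the CA certificate
stateOrProvinceName = match
# organizationName (O, e.g. the company name) must match the CA certificate
organizationName = match
# organizationalUnitName (OU, e.g. a department) is optional
organizationalUnitName = optional
# commonName (CN, e.g. the host name) must be supplied
commonName = supplied
# emailAddress is optional
emailAddress = optional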
# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityN