OpenSSL创建私有CA,签证和吊销证书

CA(Certificate Authority)是数字证书认证中心的简称,是指发放、管理、废除数字证书的机构。CA的作用是检查证书持有者身份的合法性,并签发证书(在证书上签字),以防证书被伪造或篡改,以及对证书和密钥进行管理。使用OpenSSL可以创建私有CA、签发证书和吊销证书。

一、OpenSSL配置文件为/etc/pki/tls/openssl.cnf,下面是此文件中与CA相关部分的摘要:

####################################################################
[ CA_default ]

dir             = /etc/pki/CA           # Where everything is kept  <== default working directory; referenced below as $dir
certs           = $dir/certs            # Where the issued certs are kept  <== issued certificates
crl_dir         = $dir/crl              # Where the issued crl are kept  <== issued CRLs
database        = $dir/index.txt        # database index file.  <== index of every certificate issued so far
#unique_subject = no                    # Set to 'no' to allow creation of
                                        # several certificates with same subject.
new_certs_dir   = $dir/newcerts         # default place for new certs.  <== where newly signed certs are written

certificate     = $dir/cacert.pem       # The CA certificate  <== the CA's own (self-signed) certificate
serial          = $dir/serial           # The current serial number  <== next serial; create it by hand before the first signing
crlnumber       = $dir/crlnumber        # the current crl number  <== next CRL number; create it by hand before the first revocation
                                        # must be commented out to leave a V1 CRL
crl             = $dir/crl.pem          # The current CRL  <== the certificate revocation list
private_key     = $dir/private/cakey.pem# The private key  <== the CA's own private key; keep it readable by the CA operator only
RANDFILE        = $dir/private/.rand    # private random number file

x509_extensions = usr_cert              # The extensions to add to the cert

# Comment out the following two lines for the "traditional"
# (and highly broken) format.
name_opt        = ca_default            # Subject Name options
cert_opt        = ca_default            # Certificate field options

# Extension copying option: use with caution.
# With 'copy', extensions carried in a request (e.g. basicConstraints,
# subjectAltName) are copied into the issued certificate, so every
# request's extensions must be reviewed before signing if this is enabled.
# copy_extensions = copy

# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL.
# crlnumber must also be commented out to leave a V1 CRL.
# crl_extensions        = crl_ext

default_days    = 365                   # how long to certify for  <== default certificate validity, in days
default_crl_days= 30                    # how long before next CRL  <== days until the next CRL is due (CRL validity)
default_md      = sha256                # use SHA-256 by default  <== default message digest used for signatures
preserve        = no                    # keep passed DN ordering

# A few difference way of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy          = policy_match

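# For the CA policy  <== attributes a request must satisfy before this CA signs it
# Values: match = must equal the same field in the CA certificate,
#         supplied = must be present in the request, optional = may be absent.
# Annotations are placed after '#' so the OpenSSL config parser ignores them;
# bare text after the value would otherwise become part of the value.
[ policy_match ]
countryName             = match     # country name must match the CA certificate
stateOrProvinceName     = match     # state or province name must match the CA certificate
organizationName        = match     # organization name (e.g. company) must match the CA certificate
organizationalUnitName  = optional  # organizational unit (e.g. department) is optional
commonName              = supplied  # common name (e.g. domain name) must be provided
emailAddress            = optional  # email address is optional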

# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
# A looser policy: no request field has to match the CA certificate.
[ policy_anything ]
countryName             = optional
stateOrProvinceName     = optional
# NOTE(review): the page excerpt ends mid-line below; the remaining
# policy_anything keys are not shown here.
localityN