
commonName = Common Name (eg, YOUR name)
commonName_max = 64
emailAddress = Email Address
emailAddress_max = 40

# SET-ex3 = SET extension number 3

[ req_attributes ]
challengePassword = A challenge password
challengePassword_min = 4
challengePassword_max = 20

unstructuredName = An optional company name

[ usr_cert ]

# These extensions are added when 'ca' signs a request.
# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.

basicConstraints=CA:FALSE

# Here are some examples of the usage of nsCertType. If it is omitted
# the certificate can be used for anything *except* object signing.

# This is OK for an SSL server.
# nsCertType = server

# For an object signing certificate this would be used.
# nsCertType = objsign

# For normal client use this is typical
# nsCertType = client, email

# and for everything including object signing:
# nsCertType = client, email, objsign

# This is typical in keyUsage for a client certificate.
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment

# This will be displayed in Netscape's comment listbox.
nsComment = "Certificate issued by https://www.sopac.org/ssl/"

# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash

authorityKeyIdentifier=keyid,issuer:always

# This stuff is for subjectAltName and issuerAltname.
# Import the email address.
# subjectAltName=email:copy

# Copy subject details
# issuerAltName=issuer:copy

# This is the base URL for all others URL addresses
# if not supplied
nsBaseUrl = https://www.sopac.org/ssl/

# This is the link where to download the latest Certificate
# Revocation List (CRL)
nsCaRevocationUrl = https://www.sopac.org/ssl/sopac-ca.crl

# This is the link where to revoke the certificate
nsRevocationUrl = https://www.sopac.org/ssl/revocation.html?

# This is the location where the certificate can be renewed
nsRenewalUrl = https://www.sopac.org/ssl/renewal.html?

# This is the link where the CA policy can be found
nsCaPolicyUrl = https://www.sopac.org/ssl/policy.html

# This is the link where we can get the issuer certificate
issuerAltName = URI:https://www.sopac.org/ssl/sopac.crt

# This is the link where to get the latest CRL
crlDistributionPoints = URI:https://www.sopac.org/ssl/sopac-ca.crl

[ v3_ca ]

# Extensions for a typical CA

# PKIX recommendation.

subjectKeyIdentifier=hash

authorityKeyIdentifier=keyid:always,issuer:always

# This is what PKIX recommends but some broken software chokes on critical
# extensions.
# basicConstraints = critical,CA:true
# So we do this instead.
basicConstraints = CA:true

# Key usage: this is typical for a CA certificate. However since it will
# prevent it being used as a test self-signed certificate it is best
# left out by default.
# keyUsage = cRLSign, keyCertSign

# Some might want this also
# nsCertType = sslCA, emailCA

# Include email address in subject alt name: another PKIX recommendation
# subjectAltName=email:copy
# Copy issuer details
# issuerAltName=issuer:copy

# RAW DER hex encoding of an extension: beware experts only!
# 1.2.3.5=RAW:02:03
# You can even override a supported extension:
# basicConstraints= critical, RAW:30:03:01:01:FF

# This will be displayed in Netscape's comment listbox.
nsComment = "Certificate issued by https://www.sopac.org/ssl/"

# This is the base URL for all others URL addresses
# if not supplied
nsBaseUrl = https://www.sopac.org/ssl/

# This is the link where to download the latest Certificate
# Revocation List (CRL)
nsCaRevocationUrl = https://www.sopac.org/ssl/sopac-ca.crl

# This is the link where to revoke the certificate
nsRevocationUrl = https://www.sopac.org/ssl/revocation.html?

# This is the location where the certificate can be renewed
nsRenewalUrl = https://www.sopac.org/ssl/renewal.html?

# This is the link where the CA policy can be found
nsCaPolicyUrl = https://www.sopac.org/ssl/policy.html

# This is the link where we can get the issuer certificate
issuerAltName = URI:https://www.sopac.org/ssl/sopac.crt

# This is the link where to get the latest CRL
crlDistributionPoints = URI:https://www.sopac.org/ssl/sopac-ca.crl

[ crl_ext ]
# CRL extensions.
# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
# issuerAltName=issuer:copy
authorityKeyIdentifier=keyid:always,issuer:always


#----End----


A few comments on openssl.cnf.

* Variable names can use the suffixes _default for a default value, _min for
the minimum number of characters required and _max for the maximum number
of characters allowed.

* The file is composed of [Sections] of variables.


dir:
Specifies the base directory.

default_ca:
Specifies which section contains the variables for a default certificate.

basicConstraints:
Defines the usage of the certificate; for instance with CA:TRUE, the
certificate is a root CA certificate.


-----------------------------------------------------------------------------
2.1.3. Create the Certification Authority

To create a certification authority, use the following command after correctly
editing openssl.cnf:
CA.pl -newca

-----------------------------------------------------------------------------

2.2. Create a Root Certification Authority Certificate.

CA.pl -newcert
(openssl req -config /etc/openssl.cnf -new -x509 -keyout newreq.pem -out newreq.pem -days 365)


creates a self-signed certificate (for the Certificate Authority). The resulting
file goes into newreq.pem. For the Common Name (CN) use something like "ACME
root Certificate". This file needs to be split into 2 files, cacert.pem and
private/cakey.pem. The -RSA PRIVATE KEY- part goes into private/cakey.pem
while the -CERTIFICATE- part goes into cacert.pem. Delete newreq.pem when
finished.

Now ensure that the file index.txt is empty and that the file serial contains
1.

You may want to increase the number of days so that your root certificate and
all the certificates signed by this root do not have to be changed when the
root certificate expires. I think professional companies work over 5 years to
10 years for their root certificates.
openssl req -config /etc/openssl.cnf -new -x509 -keyout private/cakey.pem -out cacert.pem -days 3650


This last command is better than "CA.pl -newcert" as it places the files in
the required locations and creates a root CA valid for 10 years.

Now ensure that this self-signed root certificate is used only to sign other
certificates. The private key is highly sensitive; never compromise it by
removing the passphrase that protects it. Some people will place the private
key on a floppy and will load it only when signing other certificates. If your
computer gets hacked, they can't physically get hold of the private key if it
is on a floppy.

Now you have a root Certification Authority. Other people need to trust your
self-signed root CA Certificate, and therefore download it and register it in
their browser.

You will have to type the passphrase each time you want to sign another
certificate with it.
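The set-up steps of section 2.2 as a script, added here and not part of the HOWTO: it creates the CA directory layout (empty index.txt, a starting serial, a locked-down private/), splits a CA.pl-style newreq.pem into cacert.pem and private/cakey.pem, and refuses to use a CA key that has had its passphrase removed. The directory and config paths, the function names and the sample PEM in the comments are assumptions; only make_root_ca needs openssl.

```shell
#!/bin/sh
# Added example, not from the HOWTO. Assumes a POSIX shell with awk and grep;
# the CA directory ($1) and openssl.cnf path are caller-supplied assumptions.
set -eu

# Create the layout openssl's `ca` command expects: index.txt empty,
# serial holding the first number to issue, private/ readable only by the owner.
init_ca_dir() {
  ca="$1"
  mkdir -p "$ca/certs" "$ca/crl" "$ca/newcerts" "$ca/private"
  chmod 700 "$ca/private"
  : > "$ca/index.txt"            # a fresh CA has no issued certificates
  printf '01\n' > "$ca/serial"   # hex serial; CA.pl -newca also starts at 01
}

# Split the combined key+certificate file written by `CA.pl -newcert`:
# the PRIVATE KEY block goes to private/cakey.pem, the CERTIFICATE block to
# cacert.pem. The encrypted-PEM headers sit inside the key block, so they
# travel with it.
split_newreq() {
  src="$1"; ca="$2"
  awk '/-----BEGIN .*PRIVATE KEY-----/{k=1} k{print} /-----END .*PRIVATE KEY-----/{k=0}' \
    "$src" > "$ca/private/cakey.pem"
  awk '/-----BEGIN CERTIFICATE-----/{c=1} c{print} /-----END CERTIFICATE-----/{c=0}' \
    "$src" > "$ca/cacert.pem"
  chmod 600 "$ca/private/cakey.pem"
}

# Exit 0 only if the key file is passphrase-protected, in either the
# traditional PEM form (Proc-Type header) or the PKCS#8 form.
key_is_encrypted() {
  grep -q -e '^Proc-Type: 4,ENCRYPTED' -e 'BEGIN ENCRYPTED PRIVATE KEY' "$1"
}

# The HOWTO's preferred command: a 10-year self-signed root written straight
# into its final locations, then checked for a passphrase before it is trusted.
make_root_ca() {
  ca="$1"; cnf="$2"
  openssl req -config "$cnf" -new -x509 -keyout "$ca/private/cakey.pem" \
    -out "$ca/cacert.pem" -days 3650
  key_is_encrypted "$ca/private/cakey.pem" || {
    echo "refusing: $ca/private/cakey.pem has no passphrase" >&2; return 1; }
}
```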
-----------------------------------------------------------------------------