<HTML>
<HEAD>
<TITLE>openssl.cnf configuration for OpenCA</TITLE>
<META NAME="GENERATOR" CONTENT="Modular DocBook HTML Stylesheet Version 1.55">
<LINK REL="HOME" TITLE="The Open–source PKI Book" HREF="ospki-book.htm">
<LINK REL="UP" TITLE="OpenCA Installation details" HREF="openca-installation.htm">
<LINK REL="PREVIOUS" TITLE="OpenCA Installation details" HREF="openca-installation.htm">
<LINK REL="NEXT" TITLE="License" HREF="license.htm">
</HEAD>
<BODY CLASS="SECT1" BGCOLOR="#FFFFFF" TEXT="#000000" LINK="#0000FF" VLINK="#840084" ALINK="#0000FF">
<DIV CLASS="NAVHEADER">
<TABLE WIDTH="100%" BORDER="0" CELLPADDING="0" CELLSPACING="0">
<TR><TH COLSPAN="3" ALIGN="center">The Open–source PKI Book: A guide to PKIs and Open–source Implementations</TH></TR>
<TR><TD WIDTH="10%" ALIGN="left" VALIGN="bottom"><A HREF="openca-installation.htm">Prev</A></TD><TD WIDTH="80%" ALIGN="center" VALIGN="bottom">Appendix D. OpenCA Installation details</TD><TD WIDTH="10%" ALIGN="right" VALIGN="bottom"><A HREF="license.htm">Next</A></TD></TR>
</TABLE>
<HR ALIGN="LEFT" WIDTH="100%">
</DIV>
<DIV CLASS="SECT1">
<H1 CLASS="SECT1"><A NAME="OPENSSL-CNF-CONFIGURATION"><TT CLASS="FILENAME">openssl.cnf</TT> configuration for OpenCA</A></H1>
<P>These are configuration instructions for the <TT CLASS="FILENAME">openssl.cnf</TT> of the CAServer.</P>
<P>We describe the values in this file that require modification. Most of the default values remain the same.
<P></P>
<UL>
<LI><P>In the <TT CLASS="LITERAL">[ CA_default ]</TT> section, the value of <TT CLASS="VARNAME">dir</TT> should be changed to the directory that has the Certification Authority installed. Typically, it is <TT CLASS="FILENAME">/usr/local/OpenCA</TT>.</P></LI>
<LI><P>In the <TT CLASS="LITERAL">[ req ]</TT> section, you should modify all the variables whose names end with <I CLASS="EMPHASIS">_default</I>. The default values of these variables serve as an example. These are:
<DIV CLASS="TABLE">
<P><B>Table D-7.
<TT CLASS="FILENAME">openssl.cnf</TT> default values</B></P>
<TABLE BORDER="1" CLASS="CALSTABLE">
<THEAD>
<TR><TH ALIGN="LEFT" VALIGN="TOP">Variable</TH><TH ALIGN="LEFT" VALIGN="TOP">Sample value</TH></TR>
</THEAD>
<TBODY>
<TR><TD ALIGN="LEFT" VALIGN="TOP">organizationalUnitName_default</TD><TD ALIGN="LEFT" VALIGN="TOP">OpenCA User</TD></TR>
<TR><TD ALIGN="LEFT" VALIGN="TOP">0.organizationName_default</TD><TD ALIGN="LEFT" VALIGN="TOP">OpenCA</TD></TR>
<TR><TD ALIGN="LEFT" VALIGN="TOP">countryName_default</TD><TD ALIGN="LEFT" VALIGN="TOP">GB</TD></TR>
<TR><TD ALIGN="LEFT" VALIGN="TOP">stateOrProvinceName_default</TD><TD ALIGN="LEFT" VALIGN="TOP">Surrey</TD></TR>
<TR><TD ALIGN="LEFT" VALIGN="TOP">1.organizationName_default</TD><TD ALIGN="LEFT" VALIGN="TOP">Arts Buildings Ltd</TD></TR>
</TBODY>
</TABLE>
</DIV>
</P>
<DIV CLASS="NOTE">
<P></P>
<TABLE CLASS="NOTE" WIDTH="90%" BORDER="0">
<TR><TD WIDTH="25" ALIGN="CENTER" VALIGN="TOP"><IMG SRC="stylesheet-images/note.gif" HSPACE="5" ALT="Note"></TD><TD ALIGN="LEFT" VALIGN="TOP"><P>The purpose of the default values is that, when you create new users, you are prompted with these values. If a value applies to the user, you can accept it without having to retype it.</P></TD></TR>
</TABLE>
</DIV>
<DIV CLASS="NOTE">
<P></P>
<TABLE CLASS="NOTE" WIDTH="90%" BORDER="0">
<TR><TD WIDTH="25" ALIGN="CENTER" VALIGN="TOP"><IMG SRC="stylesheet-images/note.gif" HSPACE="5" ALT="Note"></TD><TD ALIGN="LEFT" VALIGN="TOP"><P>For the country name, you need to specify the <A HREF="ftp://ftp.ripe.net/iso3166-countrycodes" TARGET="_top">ISO 3166 country code</A>. There are two- and three-letter country codes. The current configuration supports two-letter codes.</P></TD></TR>
</TABLE>
</DIV>
<DIV CLASS="NOTE">
<P></P>
<TABLE CLASS="NOTE" WIDTH="90%" BORDER="0">
<TR><TD WIDTH="25" ALIGN="CENTER" VALIGN="TOP"><IMG SRC="stylesheet-images/note.gif" HSPACE="5" ALT="Note"></TD><TD ALIGN="LEFT" VALIGN="TOP"><P>Note that in some cases the ISO 3166 country code is not the same as the Internet country domain name.
For example, for the United Kingdom, the ISO 3166 country code is <I CLASS="EMPHASIS">GB</I>.</P></TD></TR>
</TABLE>
</DIV>
</LI>
<LI><P>In the <TT CLASS="LITERAL">[ user_cert ]</TT> section, you may need to modify the <TT CLASS="VARNAME">nsCertType</TT> variable. With this variable, you specify the capabilities of the certificate. This area will be tackled in future versions of this document.</P></LI>
<LI><P>In the <TT CLASS="LITERAL">[ user_cert ]</TT> section, you can set the comment that appears in the <SPAN CLASS="GUILABEL">Certificate Signers' Certificate</SPAN> window. The variable is <TT CLASS="VARNAME">nsComment</TT> and you should provide a suitable description for the certificate.</P></LI>
<LI><P>In the <TT CLASS="LITERAL">[ user_cert ]</TT> section, you can specify the revocation URLs for both the <SPAN CLASS="ACRONYM">Root CA</SPAN> Certificate and the other certificates.</P>
<DIV CLASS="NOTE">
<P></P>
<TABLE CLASS="NOTE" WIDTH="90%" BORDER="0">
<TR><TD WIDTH="25" ALIGN="CENTER" VALIGN="TOP"><IMG SRC="stylesheet-images/note.gif" HSPACE="5" ALT="Note"></TD><TD ALIGN="LEFT" VALIGN="TOP"><P>In the same group of variables, care should be taken with the <TT CLASS="VARNAME">nsSslServerName</TT> variable because, if it is set, it crashes certain versions of the <SPAN CLASS="TRADEMARK">Netscape</SPAN>® WWW browser.</P></TD></TR>
</TABLE>
</DIV>
</LI>
</UL>
</P>
</DIV>
</BODY>
</HTML>
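An added example, not part of the original book or of OpenCA: a small Python check for the settings this appendix tells you to edit. The function names, the sample file and the `UK` to `GB` table are assumptions made for illustration; the `_default` prompts are looked up in every section, since stock openssl.cnf files keep them in the section that `[ req ]` names through `distinguished_name`.

```python
import re
# Sample values from Table D-7 (countryName_default is checked separately).
SAMPLE_DEFAULTS = {
    "organizationalUnitName_default": "OpenCA User", "0.organizationName_default": "OpenCA",
    "stateOrProvinceName_default": "Surrey", "1.organizationName_default": "Arts Buildings Ltd",
}
DOMAIN_NOT_ISO = {"UK": "GB"}  # Internet domain -> ISO 3166 code (the page's example)
# Constructed sample input, not OpenCA's shipped file.
SAMPLE_CNF = """
[ CA_default ]
dir = /usr/local/OpenCA
[ req_distinguished_name ]
countryName_default = UK
0.organizationName_default = OpenCA
[ user_cert ]
nsSslServerName = www.example.org  # constructed value
"""

def parse_cnf(text):
    """Parse openssl.cnf text into {section: {key: value}}; no $var expansion."""
    sections, current = {}, "default"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # simplification: '#' always starts a comment
        header = re.fullmatch(r"\[\s*(\S+)\s*\]", line)
        if header:
            current = header.group(1)
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            sections.setdefault(current, {})[key] = value
    return sections

def check(text):
    """Return findings for the settings this appendix tells you to edit."""
    cnf, findings = parse_cnf(text), []
    if not cnf.get("CA_default", {}).get("dir"):
        findings.append("CA_default: dir is not set")
    if "nsSslServerName" in cnf.get("user_cert", {}):
        findings.append("user_cert: nsSslServerName is set (crashes some Netscape versions)")
    for section, values in cnf.items():
        for key, value in values.items():
            if key == "countryName_default" and value in DOMAIN_NOT_ISO:
                findings.append(f"{section}: {key}={value} should be {DOMAIN_NOT_ISO[value]}")
            elif key == "countryName_default" and not re.fullmatch(r"[A-Z]{2}", value):
                findings.append(f"{section}: {key}={value} is not a two-letter code")
            elif SAMPLE_DEFAULTS.get(key) == value:
                findings.append(f"{section}: {key} still has the sample value")
    return findings

if __name__ == "__main__":
    print("\n".join(check(SAMPLE_CNF)))
```

A sample value that is reported may still be correct for your organisation; the finding only asks you to confirm it was chosen and not left over.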