openssl.cnf Download
Note:
When you need more than one OU, add them in numbered order like this:
0.organizationalUnitName = Level 0 Organizational Unit
1.organizationalUnitName = Level 1 Organizational Unit
2.organizationalUnitName = Level 2 Organizational Unit
********************************************************************
NAME
openssl.cnf - OpenSSL configuration file
--------------------------------------------------------------------------------
DESCRIPTION
The file openssl.cnf contains configuration information used by three openssl (sub-)commands: ca, req and x509. The file provides default values that are used when corresponding options are omitted from the three commands; it also provides default prompts and other values that affect the way the commands interact with the user.
openssl.cnf is divided into sections that begin with bracketed identifiers. Examples include [ ca ] and [ req ], which affect the behavior of openssl's ca and req commands. The first bracketed identifier in the file can be preceded by directives that affect the entire configuration file.
Within each section, directives consist of attributes (on the left-hand side), an equals sign (``=''), and value(s) for the attribute (on the right-hand side).
--------------------------------------------------------------------------------
CA CONFIGURATION DIRECTIVES
The directives below are used by the openssl ca (Certificate Authority) command. Many of them correspond to ca command options. In some cases, omitting the options when invoking the ca command will cause ca to use the values in the openssl.cnf file. In other cases, ca command options (-name [section], -crlexts [section], -extensions [section]) explicitly refer to sections of the openssl.cnf file that might otherwise be ignored.
--------------------------------------------------------------------------------
[ ca ] Section
default_ca
On startup, the default behavior of openssl's ca command is to check the [ ca ] section for the value of the default_ca attribute, which references another section of the openssl.cnf file.
Thus, the following directive (in the sample openssl.cnf file shipped with OpenSSL)
default_ca = CA_default
tells the ca command to look for a section named [ CA_default ], which has the actual attributes used by the ca command.
You can override the value of the default_ca attribute by using the ca command's -name [section] option.
--------------------------------------------------------------------------------
[ CA_default ] Section
In the default openssl.cnf file, directives for the ca command are in this section. You can change the name of this section by changing the value of the default_ca attribute in the [ ca ] section of the configuration file.
If you regularly need different sets of configuration options when issuing the ca command, you can create other sections whose contents parallel the contents of CA_default (but with different values specified). Then, when you issue the openssl ca command, specify a different section with the -name [section] option to the ca command.
oid_file
The name of a file that contains object identifier definitions. The format of this file is one definition per line, each line consisting of three columns. The first column is the numerical representation of the OID. The second column is the OID's short name, which should be a single word composed of only upper- and lowercase letters. The third column is the OID's long name, which may be composed of multiple words and characters other than letters. (Source: Viega2002, p. 313)
oid_section
The name of a section (of this configuration file) that contains object identifier definitions. Key names in the section should be the OID's short name, and the corresponding value should be the OID's numerical representation. Long names are the same as the short names for OIDs that are defined in this manner. (Source: Viega2002, p. 313)
dir
The default directory that ca reads from and writes to (unless told to do otherwise).
The sample openssl.cnf file has the line:
dir = ./demoCA
indicating that the demoCA directory (beneath whatever is the current working directory) contains files to be read. It is also the default directory to which new certs and keys are written.
You might want to change the value to something like ./ (the current directory).
certs
The directory where issued certs are kept.
The sample openssl.cnf file has the line:
certs = $dir/certs
crl_dir
The directory where issued certificate revocation lists are kept.
The sample openssl.cnf file has the line:
crl_dir = $dir/crl
database
A ``database index file''--an ASCII file with a line for every certificate issued. The third field of each entry is an index to the certs themselves, which are stored in the new_certs_dir (see below).
The sample openssl.cnf file has the line:
database = $dir/index.txt
new_certs_dir
A directory where a copy of each issued certificate is stored, with a name of the form nn.pem (nn = 00, 01, ... nn). The file names of the certs are indexed by the database index file (above).
You can view individual certs in the new_certs_dir by issuing a command something like:
# openssl x509 -noout -text -in <cert_file>
where: cert_file is one of the files nn.pem
The sample openssl.cnf file has the line:
new_certs_dir = $dir/newcerts
certificate
The name of the file that contains the certificate authority's certificate (the ``CA cert'') to be used in signing (or revoking, etc.) a cert.
The sample openssl.cnf file has the line:
certificate = $dir/cacert.pem
You can override the value of the certificate attribute by using the ca command's -cert <filename> option.
serial
The serial number to use for the next certificate issued. (The serial number appears in the cert's entry in the database index file (see ``database'' above) and in the cert's file name in the new_certs_dir (see above).)
The sample openssl.cnf file has the line:
serial = $dir/serial
serialfile
The name of a file that will be used to keep track of the next serial number that will be assigned to a certificate when it is issued. This setting is mandatory and has no corresponding command-line option. (Source: Viega2002, p. 314) [Note: This option is apparently a synonym for the serial configuration option.]
crl
The file name of the current certificate revocation list.
The sample openssl.cnf file has the line:
crl = $dir/crl.pem
private_key
The private key of the certificate authority that corresponds to the CA certificate referenced by the ``certificate'' attribute (see above).
The sample openssl.cnf file has the line:
private_key = $dir/private/cakey.pem
RANDFILE
A private random number file.
The sample openssl.cnf file has the line:
RANDFILE = $dir/private/.rand
x509_extensions
The name of a section (in the configuration file) that contains directives for the ca command when it signs a cert.
The sample openssl.cnf file has the line:
x509_extensions = usr_cert
See the section [ usr_cert ] below.
You can override this value by using the ca command's -extensions [section] option.
crl_extensions
The name of a section (in the configuration file) that contains directives for the ca command when it revokes certificates.
The sample openssl.cnf file has the line (commented out):
crl_extensions = crl_ext
The sample notes: ``Netscape communicator chokes on V2 CRLs so this is commented out by default to leave a V1 CRL.''
default_days
The default number of days a signed cert will be valid.
The sample openssl.cnf file has the line:
default_days = 365
You can override this value with one of the following options to the ca command:
-enddate <YYMMDDHHMMSSZ>
-days <num_days>
default_startdate
The default starting date for which issued certificates will be valid. This is the same as the startdate command-line option. (Source: Viega2002, p. 313)
The format of the date is YYMMDDHHMMSSZ, where ``Z'' is the capital letter Z.
default_enddate
The default ending date for which issued certificates will be valid. This is the same as the enddate command-line option. (Source: Viega2002, p. 313)
The format of the date is YYMMDDHHMMSSZ, where ``Z'' is the capital letter Z.
default_crl_days
The default number of days before the next certificate revocation list.
The sample openssl.cnf file has the line:
default_crl_days= 30
default_crl_hours
The default number of hours until a new certificate revocation list is generated. This is the same as the crlhours command-line option. (Source: Viega2002, p. 313)
default_md
The message digest algorithm to use. Possible values include md5, sha1 and mdc2.
The sample openssl.cnf file has the line:
default_md = md5
You can override this value by using the ca command's -md <algorithm> option.
preserve
Indicates whether to preserve the order of the Distinguished Name (DN) fields to match the order passed in.
The sample openssl.cnf file has the line:
preserve = no
You can override this value by using the ca command's -preserveDN option.
msie_hack
If set to yes, certificates that are issued will work with very old versions of the Internet Explorer certificate enrollment control ``certenr3''. Avoid using this option unless you know that you absolutely need it. (Source: Viega2002, p. 314)
policy
The name of another section in the openssl.cnf file that defines which fields are mandatory or which must match the CA certificate.
The sample openssl.cnf file has the line:
policy = policy_match
You can override this value by using the ca command's -policy [section] option.
See [ policy_match ] and [ policy_anything ] below for examples of two policy sections that appear in the sample openssl.cnf file. (You may choose other names for your policy sections, and reference those names with the ca command's -policy [section] option or as the value of the policy attribute in the openssl.cnf file.)
--------------------------------------------------------------------------------
[ policy_match ] and [ policy_anything ] Sections
The [ policy_match ] and [ policy_anything ] sections appear in the sample openssl.cnf file.
policy_match (in the sample) indicates OIDs (attributes) that must be the same (``match''), are optional, or as supplied:
match
The OID must be present in the certificate request and must match the same OID in the CA's distinguished name.
supplied
Must be present in the certificate request.
optional
May or may not be present in the certificate request.
A comment at the beginning of the [ policy_anything ] section indicates that for the [ policy_anything ] section, you must list all acceptable ``object'' types (i.e., countryName, stateOrProvinceName, localityName, organizationName, organizationalUnitName, commonName, emailAddress?)--even those that are optional. (Note that in the [ policy_match ] section, that restriction apparently doesn't apply, since the localityName attribute does not appear in the [ policy_match ] section ...)
countryName
In the [ policy_match ] section, the sample openssl.cnf file has a value of ``match'' for this attribute.
In the [ policy_anything ] section, the sample openssl.cnf file has a value of ``optional'' for this attribute.
stateOrProvinceName
In the [ policy_match ] section, the sample openssl.cnf file has a value of ``match'' for this attribute.
In the [ policy_anything ] section, the sample openssl.cnf file has a value of ``optional'' for this attribute.
localityName
This attribute does not appear in the [ policy_match ] section of the sample openssl.cnf file.
In the [ policy_anything ] section, the sample openssl.cnf file has a value of ``optional'' for this attribute.
organizationName
In the [ policy_match ] section, the sample openssl.cnf file has a value of ``match'' for this attribute.
In the [ policy_anything ] section, the sample openssl.cnf file has a value of ``optional'' for this attribute.
organizationalUnitName
This attribute has an ``optional'' value in both the policy_match and [ policy_anything ] sections of the sample openssl.cnf file.
commonName
This attribute has a ``supplied'' value in both the policy_match and [ policy_anything ] sections of the sample openssl.cnf file.
emailAddress
This attribute has an ``optional'' value in both the policy_match and [ policy_anything ] sections of the sample openssl.cnf file.
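The policy rules above, worked in code: the following added example (not from the original page and not OpenSSL's own code) parses a cut-down openssl.cnf, expands $dir the way the ca command does for the [ CA_default ] paths, follows default_ca to the policy section, and applies match/supplied/optional to a request DN. The configuration text, the CA subject and the two request DNs are constructed test data.

```python
import re

# Constructed, cut-down openssl.cnf using the sample file's section names.
SAMPLE_CNF = """
[ ca ]
default_ca = CA_default

[ CA_default ]
dir           = ./demoCA
certs         = $dir/certs
new_certs_dir = $dir/newcerts
database      = $dir/index.txt
policy        = policy_match

[ policy_match ]
countryName            = match
stateOrProvinceName    = match
organizationName       = match
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional
"""


def parse_cnf(text):
    """Return {section: {key: value}}.  '#' starts a comment; $name or
    ${name} in a value expands to an earlier key of the same section (or
    of the unnamed default section), as for certs = $dir/certs.  The
    $ENV:: and $section::name forms are not handled by this example."""
    sections = {"default": {}}
    current = sections["default"]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^\[\s*(\S+)\s*\]$", line)
        if m:
            current = sections.setdefault(m.group(1), {})
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"not a key = value line: {raw!r}")
        key, value = key.strip(), value.strip()

        def expand(mo):
            name = mo.group(1) or mo.group(2)
            for scope in (current, sections["default"]):
                if name in scope:
                    return scope[name]
            raise KeyError(f"undefined variable ${name} used by {key}")

        current[key] = re.sub(r"\$\{(\w+)\}|\$(\w+)", expand, value)
    return sections


def select_policy(cfg, name=None):
    """Follow [ ca ] default_ca (or a -name override) to the CA section
    and return (ca_section, policy_section)."""
    ca_section = cfg[name or cfg["ca"]["default_ca"]]
    return ca_section, cfg[ca_section["policy"]]


def check_policy(policy, ca_dn, req_dn):
    """Apply one policy section to a request DN and return the problems
    found (an empty list means the request passes):
      match    -> present in the request and equal to the CA's value
      supplied -> present and non-empty in the request
      optional -> may be absent
    Request fields the policy does not list are rejected."""
    problems = []
    for field, rule in policy.items():
        value = req_dn.get(field)
        if rule == "match":
            if value is None or value != ca_dn.get(field):
                problems.append(f"{field}: must match CA value "
                                f"{ca_dn.get(field)!r}, got {value!r}")
        elif rule == "supplied":
            if not value:
                problems.append(f"{field}: must be supplied")
        elif rule != "optional":
            problems.append(f"{field}: unknown policy rule {rule!r}")
    for field in req_dn:
        if field not in policy:
            problems.append(f"{field}: not defined in the policy")
    return problems


# Constructed CA subject and two requests: one passes policy_match, the
# other fails it three ways (O differs, CN missing, L not in the policy).
CA_DN = {"countryName": "AU", "stateOrProvinceName": "Some-State",
         "organizationName": "Internet Widgits Pty Ltd",
         "commonName": "Demo CA"}
GOOD_REQ = {"countryName": "AU", "stateOrProvinceName": "Some-State",
            "organizationName": "Internet Widgits Pty Ltd",
            "commonName": "www.example.com"}
BAD_REQ = {"countryName": "AU", "stateOrProvinceName": "Some-State",
           "organizationName": "Other Corp", "localityName": "Sydney"}

if __name__ == "__main__":
    _, policy = select_policy(parse_cnf(SAMPLE_CNF))
    print("good:", check_policy(policy, CA_DN, GOOD_REQ) or "OK")
    print("bad:", check_policy(policy, CA_DN, BAD_REQ))
```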
--------------------------------------------------------------------------------
REQ CONFIGURATION DIRECTIVES
The directives below are used by the openssl req command, which creates and processes certificate requests in PKCS#10 (Public Key Cryptography Standard No. 10) format, creates self signed certificates for use as root CA certs, etc.
--------------------------------------------------------------------------------
[ req ]
On startup, the openssl req command reads the [ req ] section of openssl.cnf for default values that are not specified as arguments or options to the req command.
default_bits
The default key size in bits. This value is used when req is invoked with the -new option (for a new certificate request).
Default value: 512
The sample openssl.cnf file has the line:
default_bits = 1024
You can override this value by using the req command's -newkey option.
default_keyfile
The name of the file to which a newly generated private key will be written.
The sample openssl.cnf file has the line:
default_keyfile = privkey.pem
You can override this value by using the req command's -keyout <filename> option.
distinguished_name
The name of another section in the openssl.cnf file that defines the prompts used when asking the user for information needed to generate a cert. The referenced section also gives default values (if none are entered) and constraints on allowed values.
The sample openssl.cnf file has the line:
distinguished_name = req_distinguished_name
See the [ req_distinguished_name ] section (below) for a description of the attributes and values that appear in the sample openssl.cnf file.
attributes
Like the distinguished_name attribute, attributes is the name of another section in the openssl.cnf file that defines the prompts used when asking the user for information needed to generate a cert. The referenced section also gives default values (if none are entered) and constraints on allowed values.
The sample openssl.cnf file has the line:
attributes = req_attributes
See the [ req_attributes ] section (below) for a description of the attributes and values that appear in the sample openssl.cnf file.
x509_extensions
The name of another section in the openssl.cnf file that contains a list of extensions to add to certificates generated when the req command is invoked with the -x509 option.
The sample openssl.cnf file has the line:
x509_extensions = v3_ca
See the [ v3_ca ] section (below) for a description of the attributes and values that appear in the sample openssl.cnf file.
You can override this value by using the req command's -extensions [section] option to specify the name of some other section of the file that lists extensions to add.
input_password
output_password
Passwords for private keys can be specified as values for the input_password and output_password attributes. If these lines are not present in openssl.cnf, the user will be prompted for the password.
The sample openssl.cnf file has the lines (commented out):
# input_password = secret
# output_password = secret
(If you decide to uncomment the above, be sure to change the password from ``secret''!)
If the above lines are not present in openssl.cnf, the user will be prompted for a password unless the req command is invoked with the -passin <filename> and/or -passout <filename> options.
string_mask
A mask for permitted string types.
Possible values:
default    PrintableString, T61String, BMPString
pkix       PrintableString, BMPString
utf8only   only UTF8Strings
nombstr    PrintableString, T61String (no BMPStrings or UTF8Strings)
MASK:XXXX  a literal mask value
The sample openssl.cnf file has the line:
string_mask = nombstr
WARNING: Current versions of Netscape crash on BMPStrings or UTF8Strings so use this option with caution!
req_extensions
The name of another section in the openssl.cnf file that contains a list of extensions to add to a certificate request.
The sample openssl.cnf file has the line (commented out):
# req_extensions = v3_req
See the [ v3_req ] section (below) for a description of the attributes and values that appear in the sample openssl.cnf file.
You can override this value by using the req command's -reqexts [section] option to specify the name of some other section of the file that lists extensions to add.
--------------------------------------------------------------------------------
[ req_distinguished_name ] Section
This section defines the prompts when asking the user for information needed to generate a cert. It also gives default values (if the user doesn't enter any) and constraints on allowed values.
Note: If a set of related attributes includes one with a ``_default'' suffix, then if the user enters no value for the attribute, the default value will be used. To specify that no value is desired, enter ``.''
countryName
The text to display when prompting the user for the country name (C=) component of the distinguished name. In the sample openssl.cnf file, countryName has the value ``Country Name (2 letter code)''
countryName_default
The default country name. In the sample openssl.cnf file, countryName_default has the value ``AU''
countryName_min
The minimum allowable country name length. In the sample openssl.cnf file, countryName_min has the value 2.
countryName_max
The maximum allowable country name length. In the sample openssl.cnf file, countryName_max has the value 2.
The country name should be ISO 3166 two-letter country code.
Note: For the country name, be sure to specify the ISO 3166 country code. In cases where the ISO country code is different from the Internet country domain name, use the ISO 3166 code. (Example: The United Kingdom (Internet country domain: uk; ISO 3166 country code: GB. Use GB.)
stateOrProvinceName
The text to display when prompting the user for the state or province name (ST=) component of the distinguished name. In the sample openssl.cnf file, stateOrProvinceName has the value ``State or Province Name (full name)''
stateOrProvinceName_default
The default state or province name. In the sample openssl.cnf file, stateOrProvinceName_default has the value ``State or Province Name (full name)''
localityName
The text to display when prompting the user for the locality name (L=) component of the distinguished name. In the sample openssl.cnf file, localityName has the value ``Locality Name (eg, city)''
0.organizationName
The text to display when prompting the user for the organization name (O=) component of the distinguished name. In the sample openssl.cnf file, 0.organizationName has the value ``Organization Name (eg, company)''
0.organizationName_default
The default organization name. In the sample openssl.cnf file, 0.organizationName_default has the value ``Internet Widgits Pty Ltd''
1.organizationName
The text to display when prompting the user for an additional organization name (O=) component of the distinguished name. In the sample openssl.cnf file, the commented out line for 1.organizationName has the value ``Second Organization Name (eg, company)''
1.organizationName_default
The default second organization name. In the sample openssl.cnf file, 1.organizationName_default is commented out and has the value ``World Wide Web Pty Ltd''
organizationalUnitName
The text to display when prompting the user for the optional (in the sample openssl.cnf, at least) organizational unit name (OU=) component of the distinguished name. In the sample openssl.cnf file, organizationalUnitName has the value ``Organizational Unit Name (eg, section)''
organizationalUnitName_default
The default organizational unit name. In the sample openssl.cnf file, organizationalUnitName_default is commented out and has no value.
commonName
The text to display when prompting the user for the common name (CN=) component of the distinguished name. In the sample openssl.cnf file, commonName has the value ``Common Name (eg, YOUR name)''
Note: Even though the prompt offers ``YOUR name'' as a possibility, it *might* be more appropriate for it to read something like ``Common Name (e.g., fully qualified domain name of the server to be secured)'', since the common name generally corresponds to the server's name when generating server certificates.
commonName_max
The maximum allowable common name length. In the sample openssl.cnf file, commonName_max has the value 64.
emailAddress
The text to display when prompting the user for the email address of the distinguished name. In the sample openssl.cnf file, emailAddress has the value ``Email Address''
--------------------------------------------------------------------------------
[ req_attributes ] Section
This section defines the prompts when asking the user for certain information (in addition to the [ req_distinguished_name ] section above) needed to generate a cert. It also gives constraints on the allowed values.
challengePassword
The text to display when prompting the user for a challenge password. In the sample openssl.cnf file, challengePassword has the value ``A challenge password''
challengePassword_min
The minimum length of the challenge password. In the sample openssl.cnf file, challengePassword_min has a value of 4.
challengePassword_max
The maximum length of the challenge password. In the sample openssl.cnf file, challengePassword_max has a value of 20.
unstructuredName
The text to display when prompting the user for an unstructured name. In the sample openssl.cnf file, unstructuredName has the value ``An optional company name''
--------------------------------------------------------------------------------
X.509 EXTENSION DIRECTIVES
The directives below are used when requesting or signing certs. Many of the attributes can appear in any of the sections [ usr_cert ], [ v3_req ] and [ v3_ca ], with different values on the right-hand side, depending on whether the operation is signing a cert ([ usr_cert ]), creating a certificate request ([ v3_req ]) or creating a CA cert ([ v3_ca ]).
--------------------------------------------------------------------------------
[ usr_cert ] Section
This section is referenced by the x509_extensions attribute in the [ CA_default ] section (above) of the sample openssl.cnf file. It contains directives used by the ca command when it signs a request (cert).
In the sample openssl.cnf file, most of the directives in this section are commented out (because they are deprecated?). Only four directives actually appear uncommented: basicConstraints, nsComment, subjectKeyIdentifier and authorityKeyIdentifier.
basicConstraints
Is this certificate valid as a certificate authority cert? (Can this certificate be used to sign or revoke other certificates?)
Possible values are CA:FALSE and CA:TRUE.
The sample openssl.cnf file has the line:
basicConstraints= CA:FALSE
indicating that the certificate's purposes do not include signing/revoking other certificates.
subjectKeyIdentifier
Specifies how to identify the public key being certified (so that distinct keys used by the same subject can be differentiated--as key updating occurs, for example).
The sample openssl.cnf file has the line:
subjectKeyIdentifier=hash
The IETF Public Key Infrastructure (PKIX) working group recommends the above default.
authorityKeyIdentifier
Specifies how to identify the public key used to verify the signature on this certificate or certificate revocation list (CRL). Enables distinct keys used by the same CA to be distinguished (e.g. as keypair updating occurs).
The sample openssl.cnf file has the line:
authorityKeyIdentifier=keyid,issuer:always
The IETF Public Key Infrastructure (PKIX) working group recommends the above default.
nsComment
A comment to be displayed in Netscape's comment listbox for the certificate. Provide a suitable description for the certificate.
The sample openssl.cnf file has the line:
nsComment = "OpenSSL Generated Certificate"
The following (mostly Netscape-specific) attributes are all commented out in the sample openssl.cnf file:
nsCertType
The nsCertType attribute can specify the cert's capabilities (purposes).
If nsCertType is omitted, the certificate can be used for anything except for object signing (CA use).
If nsCertType is included, one or more of the following (separated by commas) can appear as the value of this attribute: client, server, email, objsign, reserved, sslCA, emailCA, objCA.
Examples (commented out in sample openssl.cnf):
nsCertType = server                  # for an SSL server
nsCertType = objsign                 # for an object signing certificate
nsCertType = client, email           # for ``normal'' client use
nsCertType = client, email, objsign  # for ``everything including object signing''
subjectAltName
Relates to the alternate name for the certificate holder.
The format in the sample openssl.cnf:
subjectAltName=email:copy
causes OpenSSL to import the e-mail address.
issuerAltName
Relates to the alternate name for the certificate or CRL issuer (CA).
The format in the sample openssl.cnf:
issuerAltName=issuer:copy
causes OpenSSL to copy subject details.
nsCaRevocationUrl
The revocation URL for the Root CA certificate. The sample openssl.cnf file includes the following (commented out):
nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
nsBaseUrl
Can give the general base URL.
nsRevocationUrl
The revocation URL for other (non-Root CA) certificates. The URL is of the form ../foo.cgi?aaaa. ``aaaa'' is the ASCII-encoded serial number of the cert.
nsRenewalUrl
A URL to visit to renew SSL/TLS certificates.
nsCaPolicyUrl
Gives the URL of the CA's policy.
nsSslServerName
The name of the Netscape SSL Server. Be careful with this attribute--it can crash certain versions of Netscape.
keyUsage
Possible values: digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment, keyAgreement, keyCertSign, cRLSign, encipherOnly, decipherOnly
--------------------------------------------------------------------------------
[ v3_req ] Section
This section is referenced by the req section's req_extensions attribute (commented out in the sample openssl.cnf file; see the [ req ] section above).
If it is not commented out--or if it is referenced by the -reqexts [section] option of the req command--it contains directives used by the req command when it creates certificate requests.
In the sample openssl.cnf file, the [ v3_req ] section has only two directives: basicConstraints and keyUsage.
basicConstraints
See the description in the [ usr_cert ] section (above).
The sample openssl.cnf file has the line:
basicConstraints= CA:FALSE
keyUsage
See the description in the [ usr_cert ] section (above).
The sample openssl.cnf file has the line:
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
--------------------------------------------------------------------------------
[ v3_ca ] Section
This section of extensions for a typical CA is referenced by the [ req ] section's x509_extensions attribute. It is a list of extensions to add to certificates generated when the req command is invoked with the -x509 option.
subjectKeyIdentifier
See the description in the [ usr_cert ] section (above).
The sample openssl.cnf file has the line:
subjectKeyIdentifier=hash
as recommended by the IETF Public Key Infrastructure (PKIX) working group.
authorityKeyIdentifier
See the description in the [ usr_cert ] section (above).
The sample openssl.cnf file has the line:
authorityKeyIdentifier=keyid:always,issuer:always
as recommended by the IETF Public Key Infrastructure (PKIX) working group.
basicConstraints
See the description in the [ usr_cert ] section (above).
The sample openssl.cnf file has the line:
basicConstraints = CA:true
as well as a commented out:
basicConstraints = critical,CA:true
Although PKIX recommends the commented out version, ``some broken software chokes on critical extensions,'' so the sample openssl.cnf omits ``critical''. However, it *does* indicate that the purposes of this certificate should include Certificate Authority.
The sample openssl.cnf file also includes a commented out:
basicConstraints= critical, DER:30:03:01:01:FF
illustrating how to override a supported extension with a Distinguished Encoding Rules (DER) encoding of an extension.
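To see what that DER override actually encodes, here is an added example (not from the original page and not OpenSSL's own code) that turns a basicConstraints directive such as CA:true or critical, CA:true, pathlen:0 into the extension's DER bytes and decodes them again. It shows that DER:30:03:01:01:FF is exactly CA:true, that CA:FALSE encodes as an empty SEQUENCE, and that ``critical'' lives in the Extension wrapper rather than in the encoded value. All input strings are constructed.

```python
def _der_len(n):
    """DER length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_int(value):
    """Minimal DER INTEGER for a non-negative value (sign bit kept 0)."""
    body = value.to_bytes((value.bit_length() + 8) // 8, "big")
    return b"\x02" + _der_len(len(body)) + body


def parse_basic_constraints(directive):
    """Parse 'critical, CA:true, pathlen:0' style text (case-insensitive,
    any order) into (critical, ca, pathlen); pathlen is None if absent."""
    critical, ca, pathlen = False, False, None
    for item in (p.strip() for p in directive.split(",")):
        key, _, val = item.partition(":")
        key, val = key.strip().lower(), val.strip().lower()
        if key == "critical" and not val:
            critical = True
        elif key == "ca" and val in ("true", "false"):
            ca = val == "true"
        elif key == "pathlen" and val.isdigit():
            pathlen = int(val)
        else:
            raise ValueError(f"unknown basicConstraints item {item!r}")
    if pathlen is not None and not ca:
        # RFC 5280: pathLenConstraint is only meaningful when cA is TRUE.
        raise ValueError("pathlen requires CA:true")
    return critical, ca, pathlen


def directive_to_der(value):
    """Return (critical, extnValue bytes) for a basicConstraints directive.
    Handles both forms on the page: 'critical, CA:true, pathlen:0' and
    the raw override 'critical, DER:30:03:01:01:FF'.  'critical' is not
    part of the DER value; it is a flag in the Extension wrapper."""
    items = [p.strip() for p in value.split(",")]
    raw = [p for p in items if p.upper().startswith("DER:")]
    if raw:
        rest = [p.lower() for p in items if p not in raw]
        if len(raw) != 1 or any(p != "critical" for p in rest):
            raise ValueError("DER: may only be combined with critical")
        return bool(rest), bytes.fromhex(raw[0][4:].replace(":", ""))
    critical, ca, pathlen = parse_basic_constraints(value)
    body = b""
    if ca:                       # DER omits a DEFAULT FALSE boolean
        body += b"\x01\x01\xff"  # BOOLEAN TRUE must be 0xFF in DER
    if pathlen is not None:
        body += _der_int(pathlen)
    return critical, b"\x30" + _der_len(len(body)) + body


def decode_basic_constraints(der):
    """Decode BasicConstraints ::= SEQUENCE { cA BOOLEAN DEFAULT FALSE,
    pathLenConstraint INTEGER OPTIONAL }.  Rejects non-DER encodings
    (wrong lengths, BOOLEAN other than 0xFF, explicit FALSE, trailing data)."""
    if len(der) < 2 or der[0] != 0x30 or der[1] >= 0x80:
        raise ValueError("expected a short-form SEQUENCE")
    body = der[2:]
    if len(body) != der[1]:
        raise ValueError("SEQUENCE length does not match data")
    ca, pathlen, pos = False, None, 0
    if body[:2] == b"\x01\x01":
        if len(body) < 3 or body[2] != 0xFF:
            raise ValueError("cA must be absent (FALSE) or 0xFF (TRUE)")
        ca, pos = True, 3
    if pos < len(body) and body[pos] == 0x02:
        if pos + 1 >= len(body):
            raise ValueError("truncated INTEGER")
        n = body[pos + 1]
        digits = body[pos + 2:pos + 2 + n]
        if n == 0 or len(digits) != n:
            raise ValueError("bad INTEGER length")
        pathlen, pos = int.from_bytes(digits, "big", signed=True), pos + 2 + n
    if pos != len(body):
        raise ValueError("trailing bytes after BasicConstraints")
    if pathlen is not None and (pathlen < 0 or not ca):
        raise ValueError("pathLenConstraint only allowed with cA TRUE")
    return {"ca": ca, "pathlen": pathlen}


if __name__ == "__main__":
    for text in ("CA:FALSE", "CA:true", "critical, CA:true, pathlen:0",
                 "critical, DER:30:03:01:01:FF"):
        crit, der = directive_to_der(text)
        print(f"{text:32} critical={crit} der={der.hex(':')} "
              f"-> {decode_basic_constraints(der)}")
```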
keyUsage
See the description in the [ usr_cert ] section (above).
The sample openssl.cnf file has the line (commented out):
keyUsage = cRLSign, keyCertSign
(The sample openssl.cnf omits the above even though it is typical for a CA certificate, ``since it will prevent it being used as a test self-signed certificate.'')
nsCertType
See the description in the [ usr_cert ] section (above).
The sample openssl.cnf file has the line (commented out):
nsCertType = sslCA, emailCA
subjectAltName
See the description in the [ usr_cert ] section (above).
The sample openssl.cnf file has the line commented out:
subjectAltName=email:copy
even though it is a PKIX recommendation.
issuerAltName
See the description in the [ usr_cert ] section (above).
The sample openssl.cnf file has the line commented out:
issuerAltName=issuer:copy
even though it is a PKIX recommendation.
obj
Introduces an extension encoded in hex with DER.
The sample openssl.cnf file has the line (commented out):
obj=DER:02:03
where ``obj'' is a standard or added object. (``Beware experts only!'')
--------------------------------------------------------------------------------
[ crl_ext ] Section
This section holds extensions associated with certificate revocation lists (CRLs). ``Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.''
The [ crl_ext ] section is referenced by the CA_default section's crl_extensions attribute (commented out in the sample openssl.cnf file; see the [ CA_default ] section above).
If not commented out--or if referenced by the -crlexts [section] option of the ca command--it contains directives used by the ca command when it revokes certs.
The sample openssl.cnf notes: ``Netscape communicator chokes on V2 CRLs so this is commented out by default to leave a V1 CRL.''
issuerAltName
See the description in the [ usr_cert ] section (above).
The sample openssl.cnf file has the line commented out:
issuerAltName=issuer:copy
authorityKeyIdentifier
See the description in the [ usr_cert ] section (above).
The sample openssl.cnf file has the line:
authorityKeyIdentifier=keyid:always,issuer:always
# =================================================
# OpenSSL configuration file
# =================================================
#RANDFILE = $ENV::SSLDIR/.rnd

[ ca ]
default_ca = CA_default

[ CA_default ]
#dir = $ENV::SSLDIR
dir = F:/IBM/ssl/ca/new
certs = $dir/certs
new_certs_dir = $dir/newcerts
crl_dir = $dir/crl
database = $dir/index.txt
private_key = $dir/private/ca.key
certificate = $dir/ca.crt
serial = $dir/serial
crl = $dir/crl.pem
RANDFILE = $dir/private/.rand
default_days = 365
default_crl_days = 30
# sha1 signatures are obsolete; use sha256 (or pass -md sha256 to openssl ca)
default_md = sha1
preserve = no
policy = policy_anything
name_opt = ca_default
cert_opt = ca_default
# no x509_extensions here: pass -extensions ssl_server / ssl_client to
# openssl ca, otherwise the issued certificate carries no extensions at all

[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
# left commented out: ca drops an e-mail address supplied in a request
#emailAddress = optional

[ req ]
# 1024-bit RSA is below current minimums; use 2048 or more
default_bits = 1024
default_md = sha1
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
x509_extensions = v3_ca
string_mask = nombstr

[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = HK
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name
stateOrProvinceName_default = HONG KONG
localityName = Locality Name
localityName_default = HONG KONG
0.organizationName = Organization Name
0.organizationName_default = IBM
0.organizationalUnitName = Level 0 Organizational Unit
0.organizationalUnitName_default = IBM AS
1.organizationalUnitName = Level 1 Organizational Unit
1.organizationalUnitName_default = IBM AS DBS
commonName = Common Name (eg, YOUR name)
commonName_default = IST.UAT.HK.DBS.COM
commonName_max = 64
# the prompt text goes here; the address itself belongs in emailAddress_default
emailAddress = Email Address
emailAddress_default = likun35@163.com
emailAddress_max = 64

[ usr_cert ]
basicConstraints = CA:FALSE
# nsCaRevocationUrl = https://url-to-exposed-crl-list/crl.pem

[ ssl_server ]
basicConstraints = CA:FALSE
nsCertType = server
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, nsSGC, msSGC
nsComment = "OpenSSL Certificate for SSL Web Server"

[ ssl_client ]
basicConstraints = CA:FALSE
nsCertType = client
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
nsComment = "OpenSSL Certificate for SSL Client"

# not referenced unless [ req ] sets req_extensions = v3_req or -reqexts v3_req is passed
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment

[ v3_ca ]
basicConstraints = critical, CA:true, pathlen:0
nsCertType = sslCA
keyUsage = cRLSign, keyCertSign
extendedKeyUsage = serverAuth, clientAuth
nsComment = "OpenSSL CA Certificate"

# not referenced: CA_default sets no crl_extensions (and only issuerAltName and
# authorityKeyIdentifier are meaningful in a CRL)
[ crl_ext ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
nsComment = "OpenSSL generated CRL"
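The file above is only a set of defaults; what it does depends on the directory layout [ CA_default ] points at and on which extension section is named on the command line. The script below is an added example, not the blog author's code: it builds that layout, creates the CA, issues a server and a client certificate through the ssl_server and ssl_client sections, revokes one and publishes a CRL, and it also exercises the policy_match behaviour described under "[ policy_match ] and [ policy_anything ] Sections" later on this page. Assumptions: POSIX sh, an openssl binary on PATH, a throw-away directory, and the trimmed copy of the config, the CA subject "Demo Root CA", the client name client01 and the starting serial 1000, all of which are mine. The weak defaults kept from the page (default_md = sha1, default_bits = 1024) are overridden on every command with -sha256 / -md sha256 and -newkey rsa:2048, which is also what is needed on distributions that disable SHA-1 signatures altogether.

```shell
#!/bin/sh
# Added example, not the blog author's script: build the layout [ CA_default ]
# expects, create the CA, issue a server and a client certificate with the
# ssl_server / ssl_client sections, then revoke one and publish a CRL.
# Assumes POSIX sh and an openssl binary on PATH.
# Trimmed copy of the page's openssl.cnf. dir comes from $ENV::SSLDIR (the
# line the page leaves commented out) rather than a fixed F:/IBM/... path.
# The weak defaults (1024-bit keys, sha1) stay as on the page; every command
# below overrides them with 2048-bit keys and sha256.
write_cnf() {
    cat > "$1/openssl.cnf" <<'EOF'
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $ENV::SSLDIR
new_certs_dir = $dir/newcerts
database = $dir/index.txt
private_key = $dir/private/ca.key
certificate = $dir/ca.crt
serial = $dir/serial
default_days = 365
default_crl_days = 30
default_md = sha1
policy = policy_anything
[ policy_anything ]
countryName = optional
organizationName = optional
commonName = supplied
[ policy_match ]
countryName = match
organizationName = match
commonName = supplied
[ req ]
default_bits = 1024
distinguished_name = req_distinguished_name
[ req_distinguished_name ]
commonName = Common Name (eg, YOUR name)
[ ssl_server ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, nsSGC, msSGC
[ ssl_client ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
[ v3_ca ]
basicConstraints = critical, CA:true, pathlen:0
keyUsage = cRLSign, keyCertSign
EOF
}
# index.txt must exist (empty); serial holds an even number of hex digits.
setup_layout() {
    mkdir -p "$1/certs" "$1/newcerts" "$1/private" && chmod 700 "$1/private" &&
    : > "$1/index.txt" && echo 1000 > "$1/serial"
}
# Self-signed CA carrying the [ v3_ca ] extensions.
make_ca() {
    SSLDIR="$1" openssl req -x509 -new -batch -config "$1/openssl.cnf" \
        -extensions v3_ca -newkey rsa:2048 -nodes -sha256 -days 365 \
        -keyout "$1/private/ca.key" -out "$1/ca.crt" \
        -subj "/C=HK/O=IBM/OU=IBM AS/CN=Demo Root CA" 2>/dev/null
}
# CSR for $2 (subject $4), signed with extension section $3 under policy $5.
# -extensions is not optional: [ CA_default ] on this page sets no
# x509_extensions, so without it "openssl ca" emits a v1 certificate with no
# basicConstraints, keyUsage or extendedKeyUsage at all.
issue_cert() {
    SSLDIR="$1" openssl req -new -batch -config "$1/openssl.cnf" -sha256 \
        -newkey rsa:2048 -nodes -keyout "$1/private/$2.key" \
        -out "$1/$2.csr" -subj "$4" 2>/dev/null &&
    SSLDIR="$1" openssl ca -batch -config "$1/openssl.cnf" -md sha256 \
        -policy "${5:-policy_anything}" -extensions "$3" -notext \
        -in "$1/$2.csr" -out "$1/certs/$2.crt" 2>/dev/null
}
# Mark $2 revoked in index.txt and write a fresh CRL (valid default_crl_days).
revoke_cert() {
    SSLDIR="$1" openssl ca -batch -config "$1/openssl.cnf" \
        -revoke "$1/certs/$2.crt" 2>/dev/null &&
    SSLDIR="$1" openssl ca -batch -config "$1/openssl.cnf" -md sha256 \
        -gencrl -out "$1/crl.pem" 2>/dev/null
}
# Chain-verify $2 with extra "openssl verify" args ($3...); prints ok or fail.
verify_cert() {
    vdir=$1; vname=$2; shift 2
    if openssl verify -CAfile "$vdir/ca.crt" "$@" "$vdir/certs/$vname.crt" >/dev/null 2>&1
    then echo ok; else echo fail; fi
}
# True when the text dump of certificate $1 contains string $2.
has_ext() { openssl x509 -in "$1" -noout -text | grep -q "$2"; }
# Whole procedure under directory $1.
build_demo_ca() {
    write_cnf "$1" && setup_layout "$1" && make_ca "$1" &&
    issue_cert "$1" server ssl_server "/C=HK/O=IBM/CN=IST.UAT.HK.DBS.COM" &&
    issue_cert "$1" client ssl_client "/C=HK/O=IBM/CN=client01" &&
    revoke_cert "$1" client
}
if command -v openssl >/dev/null 2>&1; then
    demo=$(mktemp -d) && build_demo_ca "$demo" &&
    echo "server as sslserver: $(verify_cert "$demo" server -purpose sslserver)," \
         "revoked client: $(verify_cert "$demo" client -crl_check -CRLfile "$demo/crl.pem")"
fi
```

Run it with sh. verify_cert prints ok for the server certificate under -purpose sslserver and fail for the client certificate under that purpose (its extendedKeyUsage is clientAuth only), and fail for the client under -crl_check once it has been revoked. Issuing with -policy policy_match is refused when the request's C= differs from the CA's (HK), exactly the "match" rule the policy section describes; with -policy policy_anything any country is accepted.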
--------------------------------------------------------------------------------
[ ca ] Section
default_ca
On startup, the default behavior of openssl's ca command is to check the [ ca ] section for the value of the default_ca attribute, which references another section of the openssl.cnf file.
Thus, the following directive (in the sample openssl.cnf file shipped with OpenSSL)
default_ca = CA_default
tells the ca command to look for a section named [ CA_default ], which holds the attributes the ca command actually uses.
You can override the value of the default_ca attribute by using the ca command's -name [section] option.
--------------------------------------------------------------------------------
[ CA_default ] Section
In the default openssl.cnf file, directives for the ca command are in this section. You can change the name of this section by changing the value of the default_ca attribute in the [ ca ] section of the configuration file.
If you regularly need different sets of configuration options when issuing the ca command, you can create other sections whose contents parallel the contents of CA_default (but with different values specified). Then, when you issue the openssl ca command, specify a different section with the -name [section] option to the ca command.
oid_file
The name of a file that contains object identifier definitions. The format of this file is one definition per line, each line consisting of three columns. The first column is the numerical representation of the OID. The second column is the OID's short name, which should be a single word composed of only upper- and lowercase letters. The third column is the OID's long name, which may be composed of multiple words and characters other than letters. (Source: Viega2002, p. 313)
oid_section
The name of a section (of this configuration file) that contains object identifier definitions. Key names in the section should be the OID's short name, and the corresponding value should be the OID's numerical representation. Long names are the same as the short names for OIDs that are defined in this manner. (Source: Viega2002, p. 313)
dir
The default directory that ca reads from and writes to (unless told to do otherwise).
The sample openssl.cnf file has the line:
dir = ./demoCA
indicating that the demoCA directory (beneath whatever is the current working directory) contains files to be read. It is also the default directory to which new certs and keys are written.
You might want to change the value to something like ./ (the current directory).
certs
The directory where issued certs are kept.
The sample openssl.cnf file has the line:
certs = $dir/certs
crl_dir
The directory where issued certificate revocation lists are kept.
The sample openssl.cnf file has the line:
crl_dir = $dir/crl
database
A ``database index file''--an ASCII file with one line for every certificate issued. Each line holds tab-separated fields: status (V valid, R revoked, E expired), expiry date, revocation date (empty unless revoked), serial number, a file-name field (normally ``unknown'') and the subject DN. The serial number is also the name of the certificate's copy in the new_certs_dir (see below).
The sample openssl.cnf file has the line:
database = $dir/index.txt
new_certs_dir
A directory where a copy of each issued certificate is stored, named after its serial number in hex (01.pem, 02.pem, ... or, if the serial file started at 1000, 1000.pem and so on). The copies are indexed by the database index file (above).
You can view individual certs in the new_certs_dir by issuing a command something like:
# openssl x509 -noout -text -in <cert_file>
where: cert_file is one of the files nn.pem
The sample openssl.cnf file has the line:
new_certs_dir = $dir/newcerts
certificate
The name of the file that contains the certificate authority's certificate (the ``CA cert'') to be used in signing (or revoking, etc.) a cert.
The sample openssl.cnf file has the line:
certificate = $dir/cacert.pem
You can override the value of the certificate attribute by using the ca command's -cert <filename> option.
serial
The file holding the serial number to use for the next certificate issued, written in hex with an even number of digits (e.g. 01 or 1000); ca increments it after each issuance. The serial number appears in the cert's entry in the database index file (see ``database'' above) and is the file name of the cert's copy in the new_certs_dir (see above).
The sample openssl.cnf file has the line:
serial = $dir/serial
serialfile
The name of a file that will be used to keep track of the next serial number that will be assigned to a certificate when it is issued. This setting is mandatory and has no corresponding command-line option. (Source: Viega2002, p. 314) [Note: This option is apparently a synonym for the serial configuration option.]
crl
The file name of the current certificate revocation list.
The sample openssl.cnf file has the line:
crl = $dir/crl.pem
private_key
The private key of the certificate authority that corresponds to the CA certificate referenced by the ``certificate'' attribute (see above).
The sample openssl.cnf file has the line:
private_key = $dir/private/cakey.pem
RANDFILE
A private random number file.
The sample openssl.cnf file has the line:
RANDFILE = $dir/private/.rand
x509_extensions
The name of a section (in the configuration file) that contains directives for the ca command when it signs a cert.
The sample openssl.cnf file has the line:
x509_extensions = usr_cert
See the section [ usr_cert ] below.
You can override this value by using the ca command's -extensions [section] option.
crl_extensions
The name of a section (in the configuration file) that contains directives for the ca command when it revokes certificates.
The sample openssl.cnf file has the line (commented out):
crl_extensions = crl_ext
The sample notes: ``Netscape communicator chokes on V2 CRLs so this is commented out by default to leave a V1 CRL.''
default_days
The default number of days a signed cert will be valid.
The sample openssl.cnf file has the line:
default_days = 365
You can override this value with one of the following options to the ca command:
-enddate <YYMMDDHHMMSSZ>
-days <num_days>
default_startdate
The default starting date for which issued certificates will be valid. This is the same as the startdate command-line option. (Source: Viega2002, p. 313)
The format of the date is YYMMDDHHMMSSZ, where ``Z'' is the capital letter Z.
default_enddate
The default ending date for which issued certificates will be valid. This is the same as the enddate command-line option. (Source: Viega2002, p. 313)
The format of the date is YYMMDDHHMMSSZ, where ``Z'' is the capital letter Z.
default_crl_days
The default number of days before the next certificate revocation list.
The sample openssl.cnf file has the line:
default_crl_days= 30
default_crl_hours
The default number of hours until a new certificate revocation list is generated. This is the same as the crlhours command-line option. (Source: Viega2002, p. 313)
default_md
The message digest algorithm used to sign certificates and CRLs. Old samples list md5, sha1 and mdc2, but md5 and sha1 are no longer acceptable for signatures: current OpenSSL releases default to sha256, and some distributions refuse to create or verify SHA-1 signatures at all, so set sha256 or stronger.
The sample openssl.cnf file has the line:
default_md = md5
You can override this value by using the ca command's -md <algorithm> option.
preserve
Indicates whether to preserve the order of the Distinguished Name (DN) fields to match the order passed in.
The sample openssl.cnf file has the line:
preserve = no
You can override this value by using the ca command's -preserveDN option.
msie_hack
If set to yes, certificates that are issued will work with very old versions of the Internet Explorer certificate enrollment control ``certenr3''. Avoid using this option unless you know that you absolutely need it. (Source: Viega2002, p. 314)
policy
The name of another section in the openssl.cnf file that defines which fields are mandatory or which must match the CA certificate.
The sample openssl.cnf file has the line:
policy = policy_match
You can override this value by using the ca command's -policy [section] option.
See [ policy_match ] and [ policy_anything ] below for examples of two policy sections that appear in the sample openssl.cnf file. (You may choose other names for your policy sections, and reference those names with the ca command's -policy [section] option or as the value of the policy attribute in the openssl.cnf file.)
--------------------------------------------------------------------------------
[ policy_match ] and [ policy_anything ] Sections
The [ policy_match ] and [ policy_anything ] sections appear in the sample openssl.cnf file.
policy_match (in the sample) indicates OIDs (attributes) that must be the same (``match''), are optional, or as supplied:
match
The OID must be present in the certificate request and must match the same OID in the CA's distinguished name.
supplied
Must be present in the certificate request.
optional
May or may not be present in the certificate request.
A comment at the beginning of the [ policy_anything ] section notes that every attribute type that may appear in a request's DN must be listed (countryName, stateOrProvinceName, localityName, organizationName, organizationalUnitName, commonName, emailAddress), even those that are optional: with preserve = no, ca builds the issued certificate's subject from the policy entries in the order listed, so any request attribute the policy does not mention is silently dropped. (The [ policy_match ] section in the sample omits localityName, so certificates signed under that policy lose any L= component the request carried.)
countryName
In the [ policy_match ] section, the sample openssl.cnf file has a value of ``match'' for this attribute.
In the [ policy_anything ] section, the sample openssl.cnf file has a value of ``optional'' for this attribute.
stateOrProvinceName
In the [ policy_match ] section, the sample openssl.cnf file has a value of ``match'' for this attribute.
In the [ policy_anything ] section, the sample openssl.cnf file has a value of ``optional'' for this attribute.
localityName
This attribute does not appear in the [ policy_match ] section of the sample openssl.cnf file.
In the [ policy_anything ] section, the sample openssl.cnf file has a value of ``optional'' for this attribute.
organizationName
In the [ policy_match ] section, the sample openssl.cnf file has a value of ``match'' for this attribute.
In the [ policy_anything ] section, the sample openssl.cnf file has a value of ``optional'' for this attribute.
organizationalUnitName
This attribute has an ``optional'' value in both the policy_match and [ policy_anything ] sections of the sample openssl.cnf file.
commonName
This attribute has a ``supplied'' value in both the policy_match and [ policy_anything ] sections of the sample openssl.cnf file.
emailAddress
This attribute has an ``optional'' value in both the policy_match and [ policy_anything ] sections of the sample openssl.cnf file.
--------------------------------------------------------------------------------
REQ CONFIGURATION DIRECTIVES
The directives below are used by the openssl req command, which creates and processes certificate requests in PKCS#10 (Public Key Cryptography Standard No. 10) format, creates self signed certificates for use as root CA certs, etc.
--------------------------------------------------------------------------------
[ req ]
On startup, the openssl req command reads the [ req ] section of openssl.cnf for default values that are not specified as arguments or options to the req command.
default_bits
The default key size in bits. This value is used when req is invoked with the -new option (for a new certificate request).
Default value (when neither the configuration file nor the command line sets it): 512 bits in OpenSSL 1.0.x and earlier, 2048 bits since 1.1.0. 1024-bit RSA keys are below current minimums; use 2048 bits or more.
The sample openssl.cnf file has the line:
default_bits = 1024
You can override this value by using the req command's -newkey option.
default_keyfile
The name of the file to which a newly generated private key will be written.
The sample openssl.cnf file has the line:
default_keyfile = privkey.pem
You can override this value by using the req command's -keyout <filename> option.
distinguished_name
The name of another section in the openssl.cnf file that defines the prompts used when asking the user for information needed to generate a cert. The referenced section also gives default values (if none are entered) and constraints on allowed values.
The sample openssl.cnf file has the line:
distinguished_name = req_distinguished_name
See the [ req_distinguished_name ] section (below) for a description of the attributes and values that appear in the sample openssl.cnf file.
attributes
Like the distinguished_name attribute, attributes is the name of another section in the openssl.cnf file that defines the prompts used when asking the user for information needed to generate a cert. The referenced section also gives default values (if none are entered) and constraints on allowed values.
The sample openssl.cnf file has the line:
attributes = req_attributes
See the [ req_attributes ] section (below) for a description of the attributes and values that appear in the sample openssl.cnf file.
x509_extensions
The name of another section in the openssl.cnf file that contains a list of extensions to add to certificates generated when the req command is invoked with the -x509 option.
The sample openssl.cnf file has the line:
x509_extensions = v3_ca
See the [ v3_ca ] section (below) for a description of the attributes and values that appear in the sample openssl.cnf file.
You can override this value by using the req command's -extensions [section] option to specify the name of some other section of the file that lists extensions to add.
input_password
output_password
Passwords for private keys can be specified as values for the input_password and output_password attributes. If these lines are not present in openssl.cnf, the user will be prompted for the password.
The sample openssl.cnf file has the lines (commented out):
# input_password = secret
# output_password = secret
(If you decide to uncomment the above, be sure to change the password from ``secret''!)
If the above lines are not present in openssl.cnf, the user will be prompted for a password unless the req command is invoked with the -passin <source> and/or -passout <source> options, where <source> is pass:<password>, env:<variable>, file:<path>, fd:<number> or stdin. (A password given as pass: is visible to other local users in the process list; prefer file: or env:.)
string_mask
A mask for permitted string types.
Possible values:
default: PrintableString, T61String, BMPString
pkix: PrintableString, BMPString
utf8only: UTF8String only
nombstr: PrintableString, T61String (no BMPStrings or UTF8Strings)
MASK:XXXX: a literal mask value
The sample openssl.cnf file has the line:
string_mask = nombstr
WARNING: Current versions of Netscape crash on BMPStrings or UTF8Strings so use this option with caution!
req_extensions
The name of another section in the openssl.cnf file that contains a list of extensions to add to a certificate request.
The sample openssl.cnf file has the line (commented out):
# req_extensions = v3_req
See the [ v3_req ] section (below) for a description of the attributes and values that appear in the sample openssl.cnf file.
You can override this value by using the req command's -reqexts [section] option to specify the name of some other section of the file that lists extensions to add.
--------------------------------------------------------------------------------
[ req_distinguished_name ] Section
This section defines the prompts when asking the user for information needed to generate a cert. It also gives default values (if the user doesn't enter any) and constraints on allowed values.
Note: If a set of related attributes includes one with a ``_default'' suffix, then if the user enters no value for the attribute, the default value will be used. To specify that no value is desired, enter ``.''
countryName
The text to display when prompting the user for the country name (C=) component of the distinguished name. In the sample openssl.cnf file, countryName has the value ``Country Name (2 letter code)''
countryName_default
The default country name. In the sample openssl.cnf file, countryName_default has the value ``AU''
countryName_min
The minimum allowable country name length. In the sample openssl.cnf file, countryName_min has the value 2.
countryName_max
The maximum allowable country name length. In the sample openssl.cnf file, countryName_max has the value 2.
The country name must be an ISO 3166 two-letter country code.
Note: Where the ISO country code differs from the Internet country domain, use the ISO 3166 code. (Example: the United Kingdom has the Internet country domain uk but the ISO 3166 code GB; use GB.)
stateOrProvinceName
The text to display when prompting the user for the state or province name (ST=) component of the distinguished name. In the sample openssl.cnf file, stateOrProvinceName has the value ``State or Province Name (full name)''
stateOrProvinceName_default
The default state or province name. In the sample openssl.cnf file, stateOrProvinceName_default has the value ``Some-State''
localityName
The text to display when prompting the user for the locality name (L=) component of the distinguished name. In the sample openssl.cnf file, localityName has the value ``Locality Name (eg, city)''
0.organizationName
The text to display when prompting the user for the organization name (O=) component of the distinguished name. The numeric prefix lets several attributes of the same type be prompted for, in order (the same scheme works for organizationalUnitName, as in the Note at the top of this page). In the sample openssl.cnf file, 0.organizationName has the value ``Organization Name (eg, company)''
0.organizationName_default
The default organization name. In the sample openssl.cnf file, 0.organizationName_default has the value ``Internet Widgits Pty Ltd''
1.organizationName
The text to display when prompting the user for an additional organization name (O=) component of the distinguished name. In the sample openssl.cnf file, the commented out line for 1.organizationName has the value ``Second Organization Name (eg, company)''
1.organizationName_default
The default second organization name. In the sample openssl.cnf file, 1.organizationName_default is commented out and has the value ``World Wide Web Pty Ltd''
organizationalUnitName
The text to display when prompting the user for the optional (in the sample openssl.cnf, at least) organizational unit name (OU=) component of the distinguished name. In the sample openssl.cnf file, organizationalUnitName has the value ``Organizational Unit Name (eg, section)''
organizationalUnitName_default
The default organizational unit name. In the sample openssl.cnf file, organizationalUnitName_default is commented out and has no value.
commonName
The text to display when prompting the user for the common name (CN=) component of the distinguished name. In the sample openssl.cnf file, commonName has the value ``Common Name (eg, YOUR name)''
Note: Even though the prompt suggests ``YOUR name'', for a server certificate the common name has traditionally held the fully qualified domain name of the server being secured, so a prompt like ``Common Name (e.g., fully qualified domain name of the server)'' would be more appropriate. Current browsers and TLS libraries, however, match the host name against the subjectAltName extension (DNS: entries) and ignore the CN, so a server certificate needs subjectAltName in any case; the CN alone is no longer sufficient.
commonName_max
The maximum allowable common name length. In the sample openssl.cnf file, commonName_max has the value 64.
emailAddress
The text to display when prompting the user for the email address of the distinguished name. In the sample openssl.cnf file, emailAddress has the value ``Email Address''
--------------------------------------------------------------------------------
[ req_attributes ] Section
This section defines the prompts when asking the user for certain information (in addition to the [ req_distinguished_name ] section above) needed to generate a cert. It also gives constraints on the allowed values.
challengePassword
The text to display when prompting the user for a challenge password. In the sample openssl.cnf file, challengePassword has the value ``A challenge password''
challengePassword_min
The minimum length of the challenge password. In the sample openssl.cnf file, challengePassword_min has a value of 4.
challengePassword_max
The maximum length of the challenge password. In the sample openssl.cnf file, challengePassword_max has a value of 20.
unstructuredName
The text to display when prompting the user for an unstructured name. In the sample openssl.cnf file, unstructuredName has the value ``An optional company name''
--------------------------------------------------------------------------------
X.509 EXTENSION DIRECTIVES
The directives below are used when requesting or signing certs. Many of the attributes can appear in any of the sections [ usr_cert ], [ v3_req ] and [ v3_ca ], with different values on the right-hand side, depending on whether the operation is signing of certs ([ usr_cert ]), adding a certificate request ([ v3_req ]) or creating a CA cert ([ v3_ca ] )
--------------------------------------------------------------------------------
[ usr_cert ] Section
This section is referenced by the x509_extensions attribute in the [ CA_default ] section (above) of the sample openssl.cnf file. It contains directives used by the ca command when it signs a request (cert).
In the sample openssl.cnf file, most of the directives in this section are commented out (because they are deprecated?). Only four directives actually appear uncommented: basicConstraints, nsComment, subjectKeyIdentifier and authorityKeyIdentifier.
basicConstraints
Is this certificate valid as a certificate authority cert? (Can this certificate be used to sign or revoke other certificates?)
Possible values are CA:FALSE and CA:TRUE, optionally followed by pathlen:N (the maximum number of intermediate CAs allowed below this one) and optionally prefixed with critical (recommended for CA certificates).
The sample openssl.cnf file has the line:
basicConstraints= CA:FALSE
indicating that the certificate's purposes do not include signing/revoking other certificates.
subjectKeyIdentifier
Specifies how to identify the public key being certified (so that distinct keys used by the same subject can be differentiated--as key updating occurs, for example).
The sample openssl.cnf file has the line:
subjectKeyIdentifier=hash
The IETF Public Key Infrastructure (PKIX) working group recommends the above default.
authorityKeyIdentifier
Specifies how to identify the public key used to verify the signature on this certificate or certificate revocation list (CRL). Enables distinct keys used by the same CA to be distinguished (e.g. as keypair updating occurs).
The sample openssl.cnf file has the line:
authorityKeyIdentifier=keyid,issuer:always
The IETF Public Key Infrastructure (PKIX) working group recommends the above default.
nsComment
A comment to be displayed in Netscape's comment listbox for the certificate signer. Provide a suitable description for the certificate.
The sample openssl.cnf file has the line:
nsComment = ``OpenSSL Generated Certificate''
The following (mostly Netscape-specific) attributes are all commented out in the sample openssl.cnf file:
nsCertType
The nsCertType attribute can specify the cert's capabilities (purposes).
If nsCertType is omitted, the certificate can be used for anything except object signing.
If nsCertType is included, one or more of the following (separated by commas) can appear as the value of this attribute: client, server, email, objsign, reserved, sslCA, emailCA, objCA.
Examples (commented out in sample openssl.cnf):
nsCertType = server for an SSL server
nsCertType = objsign for an object signing certificate
nsCertType = client, email for ``normal'' client use
nsCertType = client, email, objsign for ``everything including object signing''
subjectAltName
Relates to the alternate name for the certificate holder.
The format in the sample openssl.cnf:
subjectAltName=email:copy
causes OpenSSL to import the e-mail address.
issuerAltName
Relates to the alternate name for the certificate or CRL issuer (CA).
The format in the sample openssl.cnf:
issuerAltName=issuer:copy
causes OpenSSL to copy subject details.
nsCaRevocationUrl
The revocation URL for the Root CA Certificate. The sample openssl.cnf file includes the following (commented out):
nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
nsBaseUrl
Can give the general base URL.
nsRevocationUrl
The revocation URL for other (non-Root CA) certificates. The URL is of the form ../foo.cgi?aaaa. ``aaaa'' is the ASCII-encoded serial number of the cert.
nsRenewalUrl
A URL to visit to renew SSL/TLS certificates.
nsCaPolicyUrl
Gives the URL of the CA's policy.
nsSslServerName
The name of the Netscape SSL Server. Be careful with this attribute--it can crash certain versions of Netscape.
keyUsage
Possible values: digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment, keyAgreement, keyCertSign, cRLSign, encipherOnly, decipherOnly
--------------------------------------------------------------------------------
[ v3_req ] Section
This section is referenced by the req section's req_extensions attribute (commented out in the sample openssl.cnf file; see the [ req ] section above).
If not commented out--or if referenced by the -extensions [section] option of the req command--it contains directives used by the req command when it requests certs.
In the sample openssl.cnf file, the [ v3_req ] section has only two directives: basicConstraints and keyUsage.
basicConstraints
See the description in the [ usr_cert ] section (above).
The sample openssl.cnf file has the line:
basicConstraints= CA:FALSE
keyUsage
See the description in the [ usr_cert ] section (above).
The sample openssl.cnf file has the line:
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
--------------------------------------------------------------------------------
[ v3_ca ] Section
This section of extensions for a typical CA is referenced by the [ req ] section's x509_extensions attribute. It is a list of extensions to add to certificates generated when the req command is invoked with the -x509 option.
subjectKeyIdentifier
See the description in the [ usr_cert ] section (above).
The sample openssl.cnf file has the line:
subjectKeyIdentifier=hash
as recommended by the IETF Public Key Infrastructure (PKIX) working group.
authorityKeyIdentifier
See the description in the [ usr_cert ] section (above).
The sample openssl.cnf file has the line:
authorityKeyIdentifier=keyid:always,issuer:always
as recommended by the IETF Public Key Infrastructure (PKIX) working group.
basicConstraints
See the description in the [ usr_cert ] section (above).
The sample openssl.cnf file has the line:
basicConstraints = CA:true
as well as a commented out:
basicConstraints = critical,CA:true
Although PKIX recommends the commented out version, ``some broken software chokes on critical extensions,'' so the sample openssl.cnf omits ``critical.'' However, it *does* indicate that the purposes of this certificate include acting as a Certificate Authority.
The sample openssl.cnf file also includes a commented out:
basicConstraints= critical, DER:30:03:01:01:FF
illustrating how to override a supported extension with a Distinguished Encoding Rules (DER) encoding of an extension.
keyUsage
See the description in the [ usr_cert ] section (above).
The sample openssl.cnf file has the line (commented out):
keyUsage = cRLSign, keyCertSign
(The sample openssl.cnf omits the above even though it is typical for a CA certificate, ``since it will prevent it being used as a test self-signed certificate.'')
nsCertType
See the description in the [ usr_cert ] section (above).
The sample openssl.cnf file has the line (commented out):
nsCertType = sslCA, emailCA
subjectAltName
See the description in the [ usr_cert ] section (above).
The sample openssl.cnf file has the line commented out:
subjectAltName=email:copy
even though it is a PKIX recommendation.
issuerAltName
See the description in the [ usr_cert ] section (above).
The sample openssl.cnf file has the line commented out:
issuerAltName=issuer:copy
even though it is a PKIX recommendation.
obj
Introduces an extension encoded in hex with DER.
The sample openssl.cnf file has the line (commented out):
obj=DER:02:03
where ``obj'' is a standard or added object. (``Beware experts only!'')
--------------------------------------------------------------------------------
[ crl_ext ] Section
This section holds extensions for certificate revocation lists (CRLs). ``Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.''
The [ crl_ext ] section is referenced by the CA_default section's crl_extensions attribute (commented out in the sample openssl.cnf file; see the [ CA_default ] section above).
If not commented out--or if referenced by the -crlexts [section] option of the ca command--it contains directives used by the ca command when it revokes certs.
The sample openssl.cnf notes: ``Netscape communicator chokes on V2 CRLs so this is commented out by default to leave a V1 CRL.''
issuerAltName
See the description in the [ usr_cert ] section (above).
The sample openssl.cnf file has the line commented out:
issuerAltName=issuer:copy
authorityKeyIdentifier
See the description in the [ usr_cert ] section (above).
The sample openssl.cnf file has the line:
authorityKeyIdentifier=keyid:always,issuer:always