openssl ca
openssl.cnf
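# openssl.cnf — CA configuration consumed by `openssl ca` (and by `openssl req`
# when passed via -config). Comment character is '#'; `$name` is expanded by
# OpenSSL's config parser, so `$dir` must be defined before it is referenced.
HOME = .
RANDFILE = $ENV::HOME/.rnd
oid_section = new_oids

# No custom OIDs are defined; the section exists only because oid_section names it.
[ new_oids ]

[ ca ]
default_ca = CA_default

# Settings for `openssl ca`. The issuance database lives below `dir`; the CA
# certificate and private key are kept one directory up.
[ CA_default ]
dir = /usr/app/ca/dc=nodomain/cn=admin/cn=ROOT
certs = $dir/certs
crl_dir = $dir/crl
# index.txt records every issued and revoked certificate; keep it, `serial`
# and `crlnumber` writable only by the account that runs the CA.
database = $dir/index.txt
# Refuse to issue a second certificate for a subject already present in index.txt.
unique_subject = yes
new_certs_dir = $dir/newcerts
certificate = /usr/app/ca/dc=nodomain/cn=admin/ROOT.crt
serial = $dir/serial
crlnumber = $dir/crlnumber
crl = $crl_dir/ROOT.crl
# The CA signing key; restrict its filesystem permissions to the CA account only.
private_key = /usr/app/ca/dc=nodomain/cn=admin/ROOT.key
RANDFILE = $dir/private/ca.rand
name_opt = ca_default
cert_opt = ca_default
# Extension set applied when `openssl ca` signs a request without -extensions.
x509_extensions = usr_cert
# Lifetime of issued certificates, in days.
default_days = 365
# CRL validity, in days. With a one-day CRL the CA must regenerate it at least
# daily, otherwise relying parties see an expired CRL.
default_crl_days = 1
# Signature digest. The original value, sha1, is no longer accepted as a
# signature algorithm by current browsers and TLS libraries; sha256 is the
# baseline for new CAs.
default_md = sha256
preserve = no
policy = policy_match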
# Default policy for `openssl ca` (selected by `policy = policy_match` above):
# the request's C, ST and O must equal the CA certificate's, a CN is mandatory,
# OU and email are passed through when present.
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

# Permissive alternative, selectable with `openssl ca -policy policy_anything`:
# only a CN is required and nothing has to match the issuer.
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
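# Defaults for `openssl req` (CSR and self-signed certificate generation) when
# this file is the one passed with -config.
[ req ]
# RSA key size used by -newkey when no size is given on the command line. The
# original value, 1024, is below the 2048-bit minimum required by current
# CA/Browser Forum and NIST guidance.
default_bits = 2048
# Where the new private key is written when -keyout is not given.
default_keyfile = private.key
distinguished_name = req_distinguished_name
attributes = req_attributes
# Used only by `openssl req -x509`; plain CSRs take extensions from req_extensions.
x509_extensions = v3_ca
# Encode DN fields as UTF8String only, so subjects do not mix string types.
string_mask = utf8only

# Prompt text and constraints for each subject field (interactive mode).
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = AU
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Some-State
localityName = Locality Name (eg, city)
0.organizationName = Organization Name (eg, company)
0.organizationName_default = Internet Widgits Pty Ltd
organizationalUnitName = Organizational Unit Name (eg, section)
commonName = Common Name (eg, YOUR name)
commonName_max = 64
emailAddress = Email Address
emailAddress_max = 64

# Optional CSR attributes. challengePassword is embedded in the request itself
# and is not the key passphrase; do not reuse the key passphrase here.
[ req_attributes ]
challengePassword = A challenge password
challengePassword_min = 4
challengePassword_max = 20
unstructuredName = An optional company name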
# Extension sets, selected with `-extensions` (openssl x509 / openssl ca) or by
# the x509_extensions keys above. All three advertise the same OCSP responder.

# End-entity certificates: CA:FALSE plus key identifiers. No keyUsage or
# extendedKeyUsage is set, so relying parties will accept these certificates
# for any purpose; restrict them once the intended use is decided.
[ usr_cert ]
authorityInfoAccess = OCSP;URI:http://192.168.1.232:8000/publicca/OcspUtils_ocsp.action
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer

# CSR extensions; no req_extensions key in this file refers to this section.
[ v3_req ]
authorityInfoAccess = OCSP;URI:http://192.168.1.232:8000/publicca/OcspUtils_ocsp.action
basicConstraints = CA:FALSE

# CA certificates. basicConstraints is not marked critical and carries no
# pathlen, and no keyUsage is set, so any certificate issued with this set can
# itself issue further CAs without limit.
[ v3_ca ]
authorityInfoAccess = OCSP;URI:http://192.168.1.232:8000/publicca/OcspUtils_ocsp.action
basicConstraints = CA:true
subjectKeyIdentifier = hash
issuerAltName = issuer:copy
# Legacy Netscape CRL pointer; standards-aware clients look at crlDistributionPoints.
nsCaRevocationUrl = http://192.168.1.232:8000/publicca/Crl_downloadCRL.action?DN=cn%3DROOT%2Ccn%3Dadmin%2Cdc%3Dnodomain&CN=ROOT
ROOT.cnf
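# ROOT.cnf — non-interactive `openssl req` profile for the self-signed root.
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
attributes = req_attributes
# Subject and attributes are taken literally from the sections below.
prompt = no
x509_extensions = v3_ca
# Passphrase for the generated private key. It is stored here in clear text and
# is trivially guessable; keep this file readable only by the CA operator, or
# drop the key and supply the passphrase with `-passout env:` / `file:` instead.
output_password = 123qwe

[ req_distinguished_name ]
C = CN
ST = 浙江省
L = 浙江省杭州市滨江区
O = 杭州创谐
OU = 研发部
CN = ROOT

# With prompt = no, every key in this section is written into the request
# verbatim. The original placed the prompt text "A challenge password" in the
# request as the real challengePassword value, so the section is left empty.
[ req_attributes ]

[ v3_ca ]
basicConstraints = CA:true
authorityInfoAccess = OCSP;URI:http://192.168.1.232:8000/publicca/OcspUtils_ocsp.action
subjectKeyIdentifier = hash
issuerAltName = issuer:copy
nsCaRevocationUrl = http://192.168.1.232:8000/publicca/Crl_downloadCRL.action?DN=cn%3DROOT%2Ccn%3Dadmin%2Cdc%3Dnodomain&CN=ROOT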
Device.cnf
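# Device.cnf — non-interactive `openssl req` profile for the device
# (intermediate) key and CSR.
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
attributes = req_attributes
# Subject and attributes are taken literally from the sections below.
prompt = no
# Applies only to `openssl req -x509`; a CSR later signed with
# `openssl x509 -req -extfile ... -extensions v3_ca` takes its extensions
# from that file, not from here.
x509_extensions = v3_ca
# Clear-text, guessable key passphrase; restrict this file's permissions or
# supply the passphrase with `-passout env:` / `file:` instead.
output_password = 123qwe

[ req_distinguished_name ]
C = CN
ST = 浙江省
L = 浙江省杭州市滨江区
O = 杭州创谐
OU = 研发部
CN = Device 192.168.1.232

# With prompt = no, every key in this section is written into the CSR
# verbatim. The original placed the prompt text "A challenge password" in the
# request as the real challengePassword value, so the section is left empty.
[ req_attributes ]

# CA:true without `critical` or a pathlen. For an intermediate that must not
# issue further CAs, use `basicConstraints = critical, CA:true, pathlen:0`.
[ v3_ca ]
basicConstraints = CA:true
subjectKeyIdentifier = hash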
User.cnf
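# User.cnf — non-interactive `openssl req` profile for an end-user key and CSR.
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
attributes = req_attributes
# Subject and attributes are taken literally from the sections below.
prompt = no
# Applies only to `openssl req -x509`; a CSR later signed with
# `openssl x509 -req -extfile ... -extensions usr_cert` takes the section of
# that name from the extfile, not from here.
x509_extensions = usr_cert
# Clear-text, guessable key passphrase; restrict this file's permissions or
# supply the passphrase with `-passout env:` / `file:` instead.
output_password = 123qwe

[ req_distinguished_name ]
C = CN
ST = 浙江省
L = 浙江省杭州市滨江区
O = 杭州创谐
OU = 研发部
CN = User 430725199002093279

# With prompt = no, every key in this section is written into the CSR
# verbatim. The original placed the prompt text "A challenge password" in the
# request as the real challengePassword value, so the section is left empty.
[ req_attributes ]

# End-entity extension set (copied from the stock openssl.cnf). No keyUsage or
# extendedKeyUsage is enabled, so the certificate is usable for any purpose.
[ usr_cert ]
# These extensions are added when 'ca' signs a request.
# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.
basicConstraints = CA:FALSE
# Here are some examples of the usage of nsCertType. If it is omitted
# the certificate can be used for anything *except* object signing.
# This is OK for an SSL server.
# nsCertType = server
# For an object signing certificate this would be used.
# nsCertType = objsign
# For normal client use this is typical
# nsCertType = client, email
# and for everything including object signing:
# nsCertType = client, email, objsign
# This is typical in keyUsage for a client certificate.
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
# This will be displayed in Netscape's comment listbox.
nsComment = "OpenSSL Generated Certificate"
# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
# This stuff is for subjectAltName and issuerAltname.
# Import the email address.
# subjectAltName = email:copy
# An alternative to produce certificates that aren't
# deprecated according to PKIX.
# subjectAltName = email:move
# Copy subject details
# issuerAltName = issuer:copy
# nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
# nsBaseUrl
# nsRevocationUrl
# nsRenewalUrl
# nsCaPolicyUrl
# nsSslServerName
# This is required for TSA certificates.
# extendedKeyUsage = critical, timeStamping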
1.生成根证书
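# Step 1: self-signed root certificate.
#   $1 = output basename, $2 = config basename, $3 = validity in days, $4 = RSA bits.
# The key passphrase is taken from output_password in the profile (e.g. ROOT.cnf).
# -sha256 is given explicitly so the signature digest does not depend on the
# OpenSSL build's default; all arguments are quoted against word splitting.
openssl req -x509 -sha256 -newkey "rsa:$4" -keyout "$1.key" -out "$1.crt" -days "$3" -config "$2.cnf"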
2.生成子证书
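# Step 2: intermediate ("Device") certificate.
#   $1 = name, $2 = passphrase for the new key, $3 = issuing CA name,
#   $4 = CA key passphrase, $5 = validity in days, $6 = extension file, $7 = RSA bits.
# -passin only unlocks an existing key; a key created by -newkey is encrypted
# with -passout (falling back to output_password in the config). The original
# passed -passin here, so $2 never applied to the key. `pass:` values are
# visible to other local users in the process list; `env:VAR` or `file:PATH`
# avoid that.
openssl req -newkey "rsa:$7" -keyout "$1.key" -passout "pass:$2" -out "$1.csr" -config "$1.cnf"
# -sha256 replaces -sha1, whose signatures current validators reject. v3_ca in
# $6 is CA:true without a pathlen, so the resulting certificate can itself
# issue further CAs.
openssl x509 -req -in "$1.csr" -sha256 -extfile "$6" -extensions v3_ca -CA "$3.crt" -CAkey "$3.key" -passin "pass:$4" -CAcreateserial -out "$1.crt" -days "$5"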
3.生成用户证书
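# Step 3: end-user certificate.
#   $1 = name, $2 = passphrase for the new key, $3 = issuing CA name,
#   $4 = CA key passphrase, $5 = validity in days, $6 = extension file, $7 = RSA bits.
# -passin only unlocks an existing key; a key created by -newkey is encrypted
# with -passout (falling back to output_password in the config). The original
# passed -passin here, so $2 never applied to the key. `pass:` values are
# visible to other local users in the process list; `env:VAR` or `file:PATH`
# avoid that.
openssl req -newkey "rsa:$7" -keyout "$1.key" -passout "pass:$2" -out "$1.csr" -config "$1.cnf"
# -sha256 replaces -sha1, whose signatures current validators reject. The
# usr_cert section of $6 sets CA:FALSE but no keyUsage / extendedKeyUsage.
openssl x509 -req -in "$1.csr" -sha256 -extfile "$6" -extensions usr_cert -CA "$3.crt" -CAkey "$3.key" -passin "pass:$4" -CAcreateserial -out "$1.crt" -days "$5"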
4.生成crl列表
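# Step 4: issue a CRL from the CA database.
#   $1 = CA name, $2 = CA key passphrase, $3 = path to the `openssl ca` config.
# crlnumber, default_md and default_crl_days come from that config; with
# default_crl_days = 1 this must run at least once a day. Prefer
# `-passin env:VAR` over `pass:` to keep the passphrase out of the process list.
openssl ca -gencrl -out "$1.crl" -keyfile "$1.key" -passin "pass:$2" -cert "$1.crt" -config "$3"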
5.生成android bks
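# Step 5: import a certificate into a BouncyCastle BKS keystore for Android.
#   $1 = JRE path prefix (must end with '/'), $2 = keystore basename,
#   $3 = alias, $4 = certificate file.
# The keystore password is fixed in this command line and therefore visible in
# the process list and shell history; keytool also accepts `-storepass:env VAR`
# and `-storepass:file PATH`, which keep it out of both.
"$1jre/bin/keytool" -keystore "$2.bks" -storetype BKS -provider org.bouncycastle.jce.provider.BouncyCastleProvider -storepass hzihca -importcert -noprompt -alias "$3" -file "$4"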
6.生成PKCS文件
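# Step 6: bundle private key and certificate as PKCS#12.
#   $1 = name, $2 = passphrase (reused for both the input key and the .p12).
# `pass:` exposes the passphrase in the process list; `-passin`/`-passout`
# also accept `env:VAR` and `file:PATH`.
openssl pkcs12 -export -inkey "$1.key" -passin "pass:$2" -in "$1.crt" -out "$1.p12" -passout "pass:$2"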
7.吊销证书
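# Step 7: mark a certificate as revoked in the CA database (index.txt).
#   $1 = certificate basename, $2 = CA name, $3 = CA key passphrase, $4 = config path.
# Revocation is only visible to clients once a new CRL is generated (step 4)
# and published at the advertised URL.
openssl ca -revoke "$1.crt" -keyfile "$2.key" -passin "pass:$3" -cert "$2.crt" -config "$4"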