[root@dhcp conf]# openssl ca -in ssl.csr/server.csr
Using configuration from /usr/share/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
Check that the request matches the signature
Signature ok    # note: the CSR's signature verifies
The stateOrProvinceName field needed to be the same in the CA certificate (GD) and the request (BJ)    # note: this is where it fails, because the StateOrProvince in the CSR is required to match the one in the CA certificate, but the CSR has BJ while the CA has GD
[root@dhcp conf]#
It is clear that the policy being applied here is policy_match rather than policy_anything, so policy_match must be the default policy.
Below is the policy-related part of openssl.cnf:
#++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
policy = policy_match    # note: the default policy is policy_match
# For the CA policy
[ policy_match ]
countryName            = match
stateOrProvinceName    = match
organizationName       = match
organizationalUnitName = optional
commonName             = supplied    # note: the CN field must be given a value
emailAddress           = optional
#++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
As you can see, policy_match requires the country, state/province and organization fields of the CSR to be identical to the corresponding fields of the CA certificate; otherwise you get the error shown above.
We can also define a policy of our own, for example:
policy = policy_customized
# For the CA policy
[ policy_customized ]    # the section name must be exactly the name referenced by policy =
countryName            = match
stateOrProvinceName    = supplied
organizationName       = supplied
organizationalUnitName = optional
commonName             = supplied
emailAddress           = supplied
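As an added example (not code from the original post, and not OpenSSL's own implementation), the following Python models the subject check that openssl ca performs with the match / supplied / optional keywords. It uses the two policy sections above and the CA and request subjects printed in the sessions on this page as constructed sample input; the error messages are modelled on openssl's wording, the parser handles only the subset of openssl.cnf syntax needed here, and the names SAMPLE_CNF, parse_section, parse_dn, check_policy and run are this example's own.

```python
"""Model of the `openssl ca` subject-policy check (match / supplied / optional).

Added example: a reimplementation of the rules openssl ca applies from the
[ policy_* ] section named by `policy =` in openssl.cnf, so the error shown on
the page can be reproduced and the custom policy compared without running a CA.
"""

# Constructed sample: the two policy sections from the page, in openssl.cnf
# syntax, plus the default policy reference from [ CA_default ].
SAMPLE_CNF = """
[ ca ]
default_ca = CA_default

[ CA_default ]
policy = policy_match

[ policy_match ]
countryName            = match
stateOrProvinceName    = match
organizationName       = match
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional

[ policy_customized ]
countryName            = match
stateOrProvinceName    = supplied
organizationName       = supplied
organizationalUnitName = optional
commonName             = supplied
emailAddress           = supplied
"""

# Short-name to long-name mapping for the attributes used in the page's DNs.
SHORT_TO_LONG = {
    "C": "countryName", "ST": "stateOrProvinceName", "L": "localityName",
    "O": "organizationName", "OU": "organizationalUnitName",
    "CN": "commonName", "emailAddress": "emailAddress",
}


def parse_section(cnf_text, section):
    """Return the key/value pairs of one [ section ] of openssl.cnf-style text."""
    pairs = {}
    current = None
    for raw in cnf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            continue
        if current == section and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            pairs[key] = value
    return pairs


def parse_dn(dn):
    """Parse '/C=CN/ST=GD/O=GZNAP' into an ordered {longName: value} dict."""
    subject = {}
    for component in dn.strip("/").split("/"):
        key, _, value = component.partition("=")
        subject[SHORT_TO_LONG.get(key, key)] = value
    return subject


def check_policy(policy, ca_subject, csr_subject):
    """Apply a policy section; return (errors, issued_subject).

    openssl ca stops at the first violation; this collects all of them so the
    whole gap between CA and request is visible. The issued subject contains
    only attributes listed in the policy, which is how openssl ca builds it.
    """
    errors = []
    issued = {}
    for field, rule in policy.items():
        present = field in csr_subject
        if rule == "optional":
            if present:
                issued[field] = csr_subject[field]
        elif rule == "supplied":
            # Presence is what is checked, not a non-empty value.
            if not present:
                errors.append(f"The {field} field needed to be supplied and was missing")
            else:
                issued[field] = csr_subject[field]
        elif rule == "match":
            if not present:
                errors.append(f"The mandatory {field} field was missing")
            elif csr_subject[field] != ca_subject.get(field):
                errors.append(
                    f"The {field} field needed to be the same in the CA certificate "
                    f"({ca_subject.get(field)}) and the request ({csr_subject[field]})")
            else:
                issued[field] = csr_subject[field]
        else:
            errors.append(f"The {field} field has an unknown policy value {rule!r}")
    return errors, issued


# Constructed from the session on the page: the CA's DirName and the CSR
# subject printed under "Certificate Details" (emailAddress present but empty).
CA_SUBJECT = parse_dn(
    "/C=CN/ST=GD/L=GZ/O=GZNAP/OU=Maintenance/CN=mail.bob.com/emailAddress=ailms@qq.com")
CSR_SUBJECT = parse_dn("/C=CN/ST=BJ/O=BJNAP/OU=Maintenance/CN=172.17.64.39/emailAddress=")


def run(policy_name, cnf_text=SAMPLE_CNF, ca=CA_SUBJECT, csr=CSR_SUBJECT):
    """Evaluate one named policy against the sample CA and request."""
    return check_policy(parse_section(cnf_text, policy_name), ca, csr)


if __name__ == "__main__":
    for name in ("policy_match", "policy_customized"):
        errors, issued = run(name)
        print(f"{name}: {'rejected' if errors else 'accepted'}")
        for err in errors:
            print("   ", err)
```

Running it reports the same stateOrProvinceName mismatch for policy_match that the session above shows, followed by the organizationName mismatch (GZNAP vs BJNAP) that openssl ca would have reported next had it not stopped at the first violation, and no violations for policy_customized. Note that supplied only checks that the attribute is present in the request: an attribute with an empty value, like the emailAddress in the request above, still passes.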
Now run the same command again, and the error is gone:
[root@dhcp conf]# openssl ca -in ssl.csr/server.csr -policy policy_customized
Using configuration from /usr/share/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 3 (0x3)
        Validity
            Not Before: Feb 23 13:48:08 2008 GMT
            Not After : Feb 22 13:48:08 2009 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = BJ
            organizationName          = BJNAP
            organizationalUnitName    = Maintenance
            commonName                = 172.17.64.39
            emailAddress              =
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                EF:F1:8E:86:9D:94:77:EC:18:7F:A9:7A:E2:08:F1:7B:68:73:46:85
            X509v3 Authority Key Identifier:
                keyid:BE:07:0E:D7:A2:2A:CB:EA:60:CA:E6:45:6A:0C:BE:75:15:05:93:A2
                DirName:/C=CN/ST=GD/L=GZ/O=GZNAP/OU=Maintenance/CN=mail.bob.com/emailAddress=ailms@qq.com
                serial:00

Certificate is to be certified until Feb 22 13:48:08 2009 GMT (365 days)
Sign the certificate? [y/n]:n
CERTIFICATE WILL NOT BE CERTIFIED
[root@dhcp conf]#