Category: LINUX

2014-08-18 11:24:52

[root@dhcp conf]# openssl ca -in ssl.csr/server.csr
Using configuration from /usr/share/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
Check that the request matches the signature
Signature ok                                                     # Note: the CSR's self-signature verifies
The stateOrProvinceName field needed to be the same in the       # Note: this is the error. The CSR's stateOrProvinceName
CA certificate (GD) and the request (BJ)                         #       must equal the CA certificate's; the CSR says BJ, the CA says GD
[root@dhcp conf]#
 
This shows that the policy in effect is policy_match rather than policy_anything. No -policy option was given on the command line, so openssl ca fell back to the `policy =` line in the [ CA_default ] section of openssl.cnf, which in the stock file names policy_match. In other words, policy_match is the default policy.
 
Below is the policy-related part of openssl.cnf:
 
#++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 
policy          = policy_match            # Note: the default policy is policy_match (this line sits in [ CA_default ])
 
# For the CA policy
[ policy_match ]
countryName             = match
stateOrProvinceName     = match
organizationName        = match

organizationalUnitName  = optional
commonName              = supplied        # Note: the CN field must be present in the request
emailAddress            = optional
 
#++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 
 
So policy_match requires the country, state/province and organization fields of the CSR to have exactly the same values as the corresponding fields of the CA certificate; otherwise you get the error shown above. The three keywords mean: `match` - the value must equal the CA certificate's; `supplied` - the field must be present in the request, but its value is not checked against anything; `optional` - the field may be present or absent. Any field not listed in the policy section is silently dropped from the issued certificate's subject.

Note that the policy only constrains the shape of the subject DN. It does not check that the requester is entitled to the CN it supplied; that verification is still the CA operator's job before answering the "Sign the certificate?" prompt.
 
We can also define our own policy, for example:
 
policy    =    policy_customized
 
# For the CA policy
[ policy_customized ]
countryName             = match
stateOrProvinceName     = supplied
organizationName        = supplied
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = supplied
 
The name on the `policy =` line must exist as a section header ([ policy_customized ] above), otherwise openssl ca fails with a lookup error for the section. Also note that `supplied` only checks presence, not content: the request signed below carries an empty emailAddress and still passes.
 
Now run the command again. The -policy option selects the custom section explicitly and takes precedence over the `policy =` line in the config, so either one alone would do. The policy check now passes, and openssl ca goes on to print the certificate details and ask for confirmation (the operator answers n here, so nothing is actually signed or recorded in index.txt):
 
[root@dhcp conf]# openssl ca -in ssl.csr/server.csr -policy policy_customized
Using configuration from /usr/share/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 3 (0x3)
        Validity
            Not Before: Feb 23 13:48:08 2008 GMT
            Not After : Feb 22 13:48:08 2009 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = BJ
            organizationName          = BJNAP
            organizationalUnitName    = Maintenance
            commonName                = 172.17.64.39
            emailAddress              =

        X509v3 extensions:
            X509v3 Basic Constraints:
            CA:FALSE
            Netscape Comment:
            OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
            EF:F1:8E:86:9D:94:77:EC:18:7F:A9:7A:E2:08:F1:7B:68:73:46:85
            X509v3 Authority Key Identifier:
            keyid:BE:07:0E:D7:A2:2A:CB:EA:60:CA:E6:45:6A:0C:BE:75:15:05:93:A2
            DirName:/C=CN/ST=GD/L=GZ/O=GZNAP/OU=Maintenance/CN=mail.bob.com/emailAddress=ailms@qq.com
            serial:00
 
Certificate is to be certified until Feb 22 13:48:08 2009 GMT (365 days)
Sign the certificate? [y/n]:n
CERTIFICATE WILL NOT BE CERTIFIED
[root@dhcp conf]#
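The whole procedure end to end, as an added example that is not part of the original post: a throwaway CA with subject /C=CN/ST=GD/O=GZNAP is built in a temporary directory, a CSR for /C=CN/ST=BJ/O=BJNAP is submitted, and openssl ca is run once under policy_match (rejected, as in the first transcript above) and once under the custom section (accepted). It assumes only that the openssl CLI is on PATH; every path, key and subject name here is made up for the demo, and -batch replaces the interactive "Sign the certificate?" prompt.

```shell
#!/bin/sh
# Added example, not from the original post: reproduce the policy_match
# rejection and the policy_customized fix with a disposable CA. Requires the
# openssl CLI only; all names and paths are made up and live in a temp dir.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CA_DIR="$WORK/demoCA"
CNF="$WORK/openssl.cnf"
CSR="$WORK/server.csr"
mkdir -p "$CA_DIR/newcerts" "$CA_DIR/private"
: > "$CA_DIR/index.txt"
echo 01 > "$CA_DIR/serial"

# Minimal openssl.cnf. [ CA_default ] points at policy_match exactly as the
# stock file does; the [ policy_customized ] header is what makes
# "-policy policy_customized" resolvable. unique_subject=no lets the same
# subject be signed more than once in this demo.
cat > "$CNF" <<EOF
[ ca ]
default_ca      = CA_default

[ CA_default ]
dir             = $CA_DIR
database        = \$dir/index.txt
new_certs_dir   = \$dir/newcerts
serial          = \$dir/serial
certificate     = \$dir/cacert.pem
private_key     = \$dir/private/cakey.pem
default_md      = sha256
default_days    = 365
unique_subject  = no
policy          = policy_match
x509_extensions = usr_cert

[ policy_match ]
countryName             = match
stateOrProvinceName     = match
organizationName        = match
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

[ policy_customized ]
countryName             = match
stateOrProvinceName     = supplied
organizationName        = supplied
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

[ usr_cert ]
basicConstraints        = CA:FALSE
subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid,issuer

[ req ]
distinguished_name      = req_dn
x509_extensions         = v3_ca

[ req_dn ]

[ v3_ca ]
basicConstraints        = critical, CA:TRUE
subjectKeyIdentifier    = hash
keyUsage                = critical, keyCertSign, cRLSign
EOF

# Self-signed CA with ST=GD / O=GZNAP; no passphrase so nothing prompts.
openssl req -x509 -new -newkey rsa:2048 -nodes -config "$CNF" \
    -keyout "$CA_DIR/private/cakey.pem" -out "$CA_DIR/cacert.pem" \
    -subj "/C=CN/ST=GD/O=GZNAP/OU=Maintenance/CN=demo-ca" -days 365 2>/dev/null

# Server CSR with a different province and organisation than the CA.
openssl req -new -newkey rsa:2048 -nodes -config "$CNF" \
    -keyout "$WORK/server.key" -out "$CSR" \
    -subj "/C=CN/ST=BJ/O=BJNAP/OU=Maintenance/CN=172.17.64.39" 2>/dev/null

# sign_with_policy SECTION: run openssl ca under that policy section in batch
# mode. Returns 0 if a certificate was issued, non-zero if the policy
# rejected the request (the ST/O mismatch case).
sign_with_policy() {
    openssl ca -config "$CNF" -batch -notext -policy "$1" \
        -in "$CSR" -out "$WORK/server-$1.crt" >/dev/null 2>&1
}

# chain_ok SECTION: the certificate issued under SECTION chains to the CA.
chain_ok() {
    openssl verify -CAfile "$CA_DIR/cacert.pem" "$WORK/server-$1.crt" >/dev/null 2>&1
}

if sign_with_policy policy_match; then
    echo "policy_match: signed (unexpected)"
else
    echo "policy_match: rejected, ST/O differ from the CA subject"
fi
if sign_with_policy policy_customized && chain_ok policy_customized; then
    echo "policy_customized: signed and verifies against the CA"
fi
```

Because `match` compares against the CA certificate's own subject, the same CSR flips from rejected to accepted purely by changing which policy section is named; nothing about the request or the CA key changes between the two runs.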