我认为我有正确的 OpenSSL 命令来签署证书,但我陷入了困境,并且我发现的教程使用了不同的参数格式(我使用的是 OpenSSL 0.9.8o 01 Jun 2010)。
openssl ca -cert cert.pem -keyfile key.pem
(私钥未加密,CSR 位于标准输入上。)
它给出了这个错误
Using configuration from /usr/lib/ssl/openssl.cnf
./demoCA/index.txt: No such file or directory
unable to open './demoCA/index.txt'
查看该配置文件:
[ ca ]
default_ca = CA_default # The default ca section
[ CA_default ]
dir = ./demoCA # Where everything is kept
certs = $dir/certs # Where the issued certs are kepp
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
我没有任何这样的设置。我不想设置任何这些。
是严格必要的,还是有“不打扰”的选项?
我尝试创建空目录和文件,但我陷入了困境。我真正想要的是像上面这样的命令能够工作,输出在标准输出上,而不需要接触anything在文件系统上。
我不知道有什么“不用打扰”的选项,但以下是如何设置快速演示 CA:
#!/bin/bash
CAROOT=/path/to/ca
mkdir -p ${CAROOT}/ca.db.certs # Signed certificates storage
touch ${CAROOT}/ca.db.index # Index of signed certificates
echo 01 > ${CAROOT}/ca.db.serial # Next (sequential) serial number
# Configuration
cat>${CAROOT}/ca.conf<<'EOF'
[ ca ]
default_ca = ca_default
[ ca_default ]
dir = REPLACE_LATER
certs = $dir
new_certs_dir = $dir/ca.db.certs
database = $dir/ca.db.index
serial = $dir/ca.db.serial
RANDFILE = $dir/ca.db.rand
certificate = $dir/ca.crt
private_key = $dir/ca.key
default_days = 365
default_crl_days = 30
default_md = md5
preserve = no
policy = generic_policy
[ generic_policy ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
EOF
sed -i "s|REPLACE_LATER|${CAROOT}|" ${CAROOT}/ca.conf
cd ${CAROOT}
# Generate CA private key
openssl genrsa -out ca.key 1024
# Create Certificate Signing Request
openssl req -new -key ca.key \
-out ca.csr
# Create self-signed certificate
openssl x509 -req -days 10000 \
-in ca.csr \
-out ca.crt \
-signkey ca.key
现在您可以生成并签署密钥:
# Create private/public key pair
openssl genrsa -out server.key 1024
# Create Certificate Signing Request
openssl req -new -key server.key \
-out server.csr
# Sign key
openssl ca -config ${CAROOT}/ca.conf \
-in server.csr \
-cert ${CAROOT}/ca.crt \
-keyfile ${CAROOT}/ca.key \
-out server.crt
本文内容由网友自发贡献,版权归原作者所有,本站不承担相应法律责任。如您发现有涉嫌抄袭侵权的内容,请联系:hwhale#tublm.com(使用前将#替换为@)