openssl的 openssl.cnf配置文件详解

背景:在上一篇文中,提到要写一篇openssl 配置文件详解的,这就来了~~~

find / -name openssl.cnf

/etc/pki/tls/openssl.cnf

/etc/pki/tls/openssl.cnf,该文件主要设置了证书请求、签名、crl相关的配置。主要相关的伪命令为ca和req。。

该文件从功能结构上分为4个段落:默认段、ca相关的段、req相关的段、tsa相关的段。每个段中都以name=value的格式定义.

以下是我将文件分段摘抄出来,并进行解释的:

默认段:

#

# OpenSSL example configuration file.

# This is mostly being used for generation of certificate requests.

#

# This definition stops the following lines choking if HOME isn't

# defined.  定义当前目录变量,以及随机数的文件路径变量

HOME                    = .

RANDFILE                = $ENV::HOME/.rnd

# Extra OBJECT IDENTIFIER info:

#oid_file               = $ENV::HOME/.oid

oid_section             = new_oids

# To use this configuration file with the "-extfile" option of the

# "openssl x509" utility, name here the section containing the

# X.509v3 extensions to use:

# extensions            =

# (Alternatively, use a configuration file that has only

# X.509v3 extensions in its main [= default] section.)

[ new_oids ]

# We can add new OIDs in here for use by 'ca', 'req' and 'ts'.

# Add a simple OID like this:

# testoid1=1.2.3.4

# Or use config file substitution like this:

# testoid2=${testoid1}.5.6

# Policies used by the TSA examples.

tsa_policy1 = 1.2.3.4.1

tsa_policy2 = 1.2.3.4.5.6

tsa_policy3 = 1.2.3.4.5.7

CA段:

####################################################################

[ ca ]

default_ca      = CA_default            # The default ca section

####################################################################

[ CA_default ]

dir             = /etc/pki/CA           # Where everything is kept

certs           = $dir/certs   # Where the issued certs are kept已颁发的证书路径即CA或者自签的

crl_dir         = $dir/crl         # Where the issued crl are kept 已颁发的crl存放目录

database        = $dir/index.txt        # database index file.

#unique_subject = no                    # Set to 'no' to allow creation of

                                        # several ctificates with same subject.

new_certs_dir   = $dir/newcerts         # default place for new certs.将来颁发的证书存放路径

certificate     = $dir/cacert.pem       # The CA certificate CA自己的证书文件

serial          = $dir/serial           # The current serial number提供序列号的文件路径

crlnumber       = $dir/crlnumber        # the current crl number 当前crl序列号

                                        # must be commented out to leave a V1 CRL

crl             = $dir/crl.pem          # The current CRL 当前crl文件

private_key     = $dir/private/cakey.pem# The private key 签名时需要的私钥即CA自己的私钥

RANDFILE        = $dir/private/.rand    # private random number file 提供随机数的文件

x509_extensions = usr_cert              # The extentions to add to the cert添加到证书中的扩展项

# Comment out the following two lines for the "traditional" 证书展示格式,一般不用修改,使用默认即可

# (and highly broken) format.

name_opt        = ca_default            # Subject Name options

cert_opt        = ca_default            # Certificate field options

# Extension copying option: use with caution.扩展项的使用,需要谨慎 生成证书时扩展项的扩展可复制属性copy_extensions,取值为none/copy或copyall。 如不设置则默认为none,简单使用时设置为none或者不设置,不建议设置为copyall

# copy_extensions = copy

# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs

# so this is commented out by default to leave a V1 CRL.

# crlnumber must also be commented out to leave a V1 CRL.

# crl_extensions        = crl_ext

default_days    = 365                   # how long to certify for 默认的证书有效期

default_crl_days= 30                    # how long before next CRL CRL的有效期

default_md      = sha256                # use SHA-256 by default 默认摘要算法

preserve        = no                    # keep passed DN ordering Distinguished Name顺序,一般设置为no

# A few difference way of specifying how similar the request should look

# For type CA, the listed attributes must be the same, and the optional

# and supplied fields are just that :-)

policy          = policy_match  #证书匹配策略,对比的是[ policy_match ]

的设定

#证书匹配策略定义了证书请求的DN字段(field)被CA签署时和CA证书的匹配规则

# 对于CA证书请求,这些匹配规则必须要和父CA完全相同

# For the CA policy

[ policy_match ]

countryName             = match  #match表示请求中填写的Country字段信息要和CA证书中的匹配

stateOrProvinceName     = match  #match表示请求中填写的stateOrProvinceName字段信息要和CA证书中的匹配

organizationName        = match   #match表示请求中填写的organizationName字段信息要和CA证书中的匹配

organizationalUnitName  = optional # optional表示生成证书请求文件时该organizationalUnitName字段可选

commonName              = supplied # supplied 表示生成证书请求文件时该字段必须提供

emailAddress            = optional

# For the 'anything' policy

# At this point in time, you must list all acceptable 'object'

#没有被引用的策略扩展 就是被忽略的???(这个地方暂时没搞懂)

# types.

[ policy_anything ]

countryName             = optional

stateOrProvinceName     = optional

localityName            = optional

organizationName        = optional

organizationalUnitName  = optional

commonName              = supplied

emailAddress            = optional

####################################################################

req 段:

####################################################################

[ req ]

default_bits            = 2048  #生成的证书请求文件时的密钥长度 (网上有的资料说是私钥的密钥长度,但我觉得应该是 生成的证书请求文件的密钥长度)

default_md              = sha256 #默认的证书请求签名时使用的加密算法

default_keyfile         = privkey.pem  #生成证书请求文件时默认使用的私钥存放位置如-new选项没指定-key时会自动创建私钥 -newkey选项也会自动创建私钥???

distinguished_name      = req_distinguished_name #可识别的字段名(常被简称为DN,引用req_distinguished_name段的设置)

attributes              = req_attributes  #证书请求的属性,引用req_attributes段的设置,可以不设置它

x509_extensions = v3_ca # The extentions to add to the self signed cert加入到自签证书中的扩展项

# Passwords for private keys if not present they will be prompted for

#输入和输出私钥文件的密码,如果该私钥文件有密码,不写该设置则会提示输入

# input_password = secret

# output_password = secret

# This sets a mask for permitted string types. There are several options.

# default: PrintableString, T61String, BMPString.

# pkix   : PrintableString, BMPString (PKIX recommendation before 2004)

# utf8only: only UTF8Strings (PKIX recommendation after 2004).

# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).

# MASK:XXXX a literal mask value.

# WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings.

string_mask = utf8only

# req_extensions = v3_req # The extensions to add to a certificate request

# req_distinguished_name 指定请求证书文件中的信息,可在配置文件中指定也可不在配置文件中指定。如果配置文件中没有指定,则需要在生成证书请求文件时输入,生成证书请求文件时的信息必须与CA的证书一致才可以

[ req_distinguished_name ]

countryName                     = Country Name (2 letter code)

countryName_default             = XX

countryName_min                 = 2

countryName_max                 = 2

stateOrProvinceName             = State or Province Name (full name)

#stateOrProvinceName_default    = Default Province

localityName                    = Locality Name (eg, city)

localityName_default            = Default City

0.organizationName              = Organization Name (eg, company)

0.organizationName_default      = Default Company Ltd

# we can do this but it is not needed normally :-)

#1.organizationName             = Second Organization Name (eg, company)

#1.organizationName_default     = World Wide Web Pty Ltd

organizationalUnitName          = Organizational Unit Name (eg, section)

#organizationalUnitName_default =

commonName                      = Common Name (eg, your name or your server\'s hostname)

commonName_max                  = 64

emailAddress                    = Email Address

emailAddress_max                = 64

# SET-ex3                       = SET extension number 3

[ req_attributes ]   /*某些特定软件的运行需要而设定的, */

                   /* 现在一般都不需要提供challengepassword */

                   /* 所以该段几乎用不上 */

                   /* 所以不用管这段 */

challengePassword               = A challenge password

challengePassword_min           = 4

challengePassword_max           = 20

unstructuredName                = An optional company name

[ usr_cert ]

# These extensions are added when 'ca' signs a request.

# This goes against PKIX guidelines but some CAs do it and some software

# requires this to avoid interpreting an end user certificate as a CA.

basicConstraints=CA:FALSE

# Here are some examples of the usage of nsCertType. If it is omitted

# the certificate can be used for anything *except* object signing.

# This is OK for an SSL server.

# nsCertType                    = server

# For an object signing certificate this would be used.

# nsCertType = objsign

# For normal client use this is typical

# nsCertType = client, email

# and for everything including object signing:

# nsCertType = client, email, objsign

# This is typical in keyUsage for a client certificate.这个地方是设定证书使用范围的,对应的是 通过证书查看器查看到的密钥用法信息 当证书需要用于签名时,就需要证书的密钥用法为Digital Signature,如果只是其他的就不能用于签名,当要制作用于签名的证书时,需要开放此处

keyUsage = nonRepudiation, digitalSignature, keyEncipherment

# This will be displayed in Netscape's comment listbox.

nsComment                       = "OpenSSL Generated Certificate"

# PKIX recommendations harmless if included in all certificates.

subjectKeyIdentifier=hash

authorityKeyIdentifier=keyid,issuer

# This stuff is for subjectAltName and issuerAltname.

# Import the email address.

# subjectAltName=email:copy

# An alternative to produce certificates that aren't

# deprecated according to PKIX.

# subjectAltName=email:move

# Copy subject details

# issuerAltName=issuer:copy

#nsCaRevocationUrl              = http://www.domain.dom/ca-crl.pem

#nsBaseUrl

#nsRevocationUrl

#nsRenewalUrl

#nsCaPolicyUrl

#nsSslServerName

# This is required for TSA certificates. #以下是TSA证书所需要的

# extendedKeyUsage = critical,timeStamping

[ v3_req ]

# Extensions to add to a certificate request

basicConstraints = CA:FALSE

keyUsage = nonRepudiation, digitalSignature, keyEncipherment

[ v3_ca ]

# Extensions for a typical CA

# PKIX recommendation.

subjectKeyIdentifier=hash

authorityKeyIdentifier=keyid:always,issuer

# This is what PKIX recommends but some broken software chokes on critical

# extensions.

#basicConstraints = critical,CA:true

# So we do this instead.

basicConstraints = CA:true

# Key usage: this is typical for a CA certificate. However since it will

# prevent it being used as an test self-signed certificate it is best

# left out by default.

# keyUsage = cRLSign, keyCertSign

# Some might want this also

# nsCertType = sslCA, emailCA

# Include email address in subject alt name: another PKIX recommendation

# subjectAltName=email:copy

# Copy issuer details

# issuerAltName=issuer:copy

# DER hex encoding of an extension: beware experts only!

# obj=DER:02:03

# Where 'obj' is a standard or added object

# You can even override a supported extension:

# basicConstraints= critical, DER:30:03:01:01:FF

[ crl_ext ]

# CRL extensions.

# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.

# issuerAltName=issuer:copy

authorityKeyIdentifier=keyid:always

[ proxy_cert_ext ]

# These extensions should be added when creating a proxy certificate

# This goes against PKIX guidelines but some CAs do it and some software

# requires this to avoid interpreting an end user certificate as a CA.

basicConstraints=CA:FALSE

# Here are some examples of the usage of nsCertType. If it is omitted

# the certificate can be used for anything *except* object signing.

# This is OK for an SSL server.

# nsCertType                    = server

# For an object signing certificate this would be used.

# nsCertType = objsign

# For normal client use this is typical

# nsCertType = client, email

# and for everything including object signing:

# nsCertType = client, email, objsign

# This is typical in keyUsage for a client certificate.

# keyUsage = nonRepudiation, digitalSignature, keyEncipherment

# This will be displayed in Netscape's comment listbox.

nsComment                       = "OpenSSL Generated Certificate"

# PKIX recommendations harmless if included in all certificates.

subjectKeyIdentifier=hash

authorityKeyIdentifier=keyid,issuer

# This stuff is for subjectAltName and issuerAltname.

# Import the email address.

# subjectAltName=email:copy

# An alternative to produce certificates that aren't

# deprecated according to PKIX.

# subjectAltName=email:move

# Copy subject details

# issuerAltName=issuer:copy

#nsCaRevocationUrl              = http://www.domain.dom/ca-crl.pem

#nsBaseUrl

#nsRevocationUrl

#nsRenewalUrl

#nsCaPolicyUrl

#nsSslServerName

# This really needs to be in place for it to be a proxy certificate.

proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo

####################################################################

本文来自互联网用户投稿,该文观点仅代表作者本人,不代表本站立场。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如若转载,请注明出处:http://www.mzph.cn/news/585003.shtml

如若内容造成侵权/违法违规/事实不符,请联系多彩编程网进行投诉反馈email:809451989@qq.com,一经查实,立即删除!

相关文章

HarmonyOS page生命周期函数讲解

下面 我们又要看一个比较重要的点了 页面生命周期 页面组件有三个生命周期 onPageShow 页面显示时触发 onPageHide 页面隐藏时触发 onBackPress 页面返回时触发 这里 我们准备两个组件 首先是 index.ets 参考代码如下 import router from ohos.router Entry Component struc…

js+css实现颜色选择器

<!DOCTYPE html> <html> <head><meta charset"UTF-8"><title>颜色选择器</title><style>.color-box {width: 50px;height: 50px;border: 1px solid #000;cursor: pointer;}</style> </head> <body><…

小米电脑管家 - 手机平板电脑家居互联

系列文章目录 前言 联想电脑安装小米电脑管家实现设备互联 如图&#xff0c;将 小米平板 5 Pro 作为联想笔记本 GeekPro 5000 &#xff08;这垃圾电脑&#xff09;的副屏。 可以在小米平板控制笔记本&#xff0c;如图所示 一、官方使用手册 参考&#xff1a;小米电脑管家帮助 …

AtCoder ABC186

E题和F题两个绿题。 C - Unlucky 7 单纯的模拟一下。 # -*- coding: utf-8 -*- # time : 2023/6/2 13:30 # file : atcoder.py # software : PyCharmimport bisect import copy import sys from itertools import permutations from sortedcontainers import Sorted…

最新GPT4教程,GPT语音对话使用,Midjourney绘画,ChatFile文档对话总结+DALL-E3文生图教程工具

一、前言 ChatGPT3.5、GPT4.0、GPT语音对话、Midjourney绘画&#xff0c;文档对话总结DALL-E3文生图&#xff0c;相信对大家应该不感到陌生吧&#xff1f;简单来说&#xff0c;GPT-4技术比之前的GPT-3.5相对来说更加智能&#xff0c;会根据用户的要求生成多种内容甚至也可以和…

【前端面经】即时设计

目录 前言一面git 常见命令跨窗口通信vue 响应式原理发布订阅模式翻转二叉树Promise.all()扁平化数组面试官建议 二面Event Loop 原理Promise 相关css 描边方式requestAnimationReact 18 新特性JSX 相关react 输出两次函数式编程React 批处理机制http请求头有哪些本地存储性能优…

Go语言中关于go get, go install, go build, go run指令

go get go get 它会执行两个操作 第一个, 是先将远程的代码克隆到Go Path的 src 目录那二个, 是执行go install命令 那如果指定的包可以生成二进制文件那它就会把这个二进制文件保存到这个 Go Path 的bin目录下面这是 go install 命令执行的操作 如果只需要下载包&#xff0c…

Java核心技术卷接口的实现与继承多态知识梳理总结

Java核心技术卷接口的实现与继承多态知识梳理总结 接口的概念 在Java程序设计语言中&#xff0c;接口不是类&#xff0c;而是对希望符合这个接口的类的一组需求。 form&#xff1a; Java核心技术卷 I&#xff08;原书第11版&#xff09; 基础知识 by 凯 S.霍斯特曼 在Java中&a…

Spring Boot整合GraphQL

RPC选型入门测试系列文章 GraphQL是一种用于API开发的查询语言和运行时环境。它由Facebook开发并于2015年开源。GraphQL的主要目标是提供一种更高效、灵活和易于使用的方式来获取和操作数据。与传统的RESTful API相比&#xff0c;GraphQL允许客户端精确地指定需要的数据&#…

Unity中Shader裁剪空间推导(在Shader中使用)

文章目录 前言一、在Shader中使用转化矩阵1、在顶点着色器中定义转化矩阵2、用 UNITY_NEAR_CLIP_VALUE 区分平台矩阵3、定义一个枚举用于区分当前是处于什么相机 二、我们在DirectX平台下&#xff0c;看看效果1、正交相机下2、透视相机下3、最终代码 前言 在上一篇文章中&…

高光回眸:阿里云容器服务如何全面助力精彩亚运

作者&#xff1a;刘佳旭 谢乘胜 贤维 引言 2023 年&#xff0c;第 19 届杭州亚运会在杭州成功举办。在亚运之光和科技之光的交相辉映下&#xff0c;这届亚运会成为亚运史上首届“云上亚运”&#xff0c;用云计算创造了历史&#xff0c;赛事核心系统和转播全面上云&#xff0c…

[足式机器人]Part2 Dr. CAN学习笔记-自动控制原理Ch1-6根轨迹Root locus

本文仅供学习使用 本文参考&#xff1a; B站&#xff1a;DR_CAN Dr. CAN学习笔记-自动控制原理Ch1-6根轨迹Root locus 1. 根的作用2. 手绘技巧3. 分离点/汇合点&根轨迹的几何性质 1. 根的作用 G ( s ) s 3 s 2 2 s 4 G\left( s \right) \frac{s3}{s^22s4} G(s)s22s4s3​…

5-Docker实例-安装mysql

1.拉取mysql镜像 命令: docker search mysql docker pull mysql:5.6 [root@centos79 run]# docker pull mysql:5.6 5.6: Pulling from library/mysql 35b2232c987e: Pull complete fc55c00e48f2: Pull complete 0030405130e3: Pull complete e1fef7f6a8d1: Pull comple…

Qt Quick 用cmake怎么玩子项目

以下内容为本人的著作&#xff0c;如需要转载&#xff0c;请声明原文链接 微信公众号「ENG八戒」https://mp.weixin.qq.com/s/o-_aGqreuQda-ZmKktvxwA 以往在公司开发众多的项目中&#xff0c;都会出现要求本项目里部分功能模块代码需要具备保密性。如果需要对外输出demo工程&…

图像识别的技术前沿:人工智能与机器学习的融合

图像识别的技术前沿在于人工智能&#xff08;AI&#xff09;与机器学习&#xff08;ML&#xff09;的融合。这种融合使得图像识别系统能够从大量数据中自动学习并识别出各种模式&#xff0c;从而在复杂和动态的环境中实现更高的准确性和鲁棒性。 机器学习在图像识别中发挥着越…

Thinkphp 5框架学习

TP框架主要是通过URL实现操作 http://servername/index.php/模块/控制器/操作/参数/值.. index.php 为入口文件&#xff0c;在 public 目录内的 index.php 文件; 模块在 application 目录下默认有一个 index 目录&#xff0c;这就是一个模块; 而在 index 目录下有一个 contro…

如何拍摄好VR全景图片,VR全景图片后期处理有什么技巧

引言&#xff1a; VR全景图片是一种以全景视角呈现场景的图片&#xff0c;通过VR技术可以将用户带入虚拟的环境中&#xff0c;给人一种身临其境的感觉&#xff0c;那么如何才能更好的制作让人满意的全景图片呢&#xff1f; 一&#xff0e;如何拍摄好VR全景图片 1.选择合适的拍…

vue中常见的指令

简单介绍一下常见的vue中用到的指令 v-on 指定当前的事件&#xff0c;语法糖为&#xff0c;如例子所示&#xff0c;指定按钮的事件为addCounter&#xff0c;点击会使变量counter 1 <!DOCTYPE html> <html><head><meta charset"utf-8" />…

Unity JSON编码解码之LitJson 深度剖析

把LitJson的代码库放入到项目中&#xff0c;如图所示:JSON在游戏开发中是一种序列化/反序列化常用的技术&#xff0c;把游戏相关的数据,如地图组成,通过JSON编码&#xff0c;序列化成JSON文本&#xff0c;传输或存储, 要使用的时候再通过JSON技术把文本解析成数据对象&#xff…

2023-12-29 服务器开发-centos-安装php8

摘要: 2023-12-29 服务器开发-centos-安装php8 centos-安装php8 必备条件 Minimal CentOS 8 / RHEL 8User with sudo rightsInternet Connection (1) 更新系统 更新系统 $ sudo dnf update $ sudo dnf upgrade 重启系统 $ sudo reboot (2) 启用 EPEL & Remi 软件库…