OpenSSL 签名认证机制

生成 CA 证书

生成客户端证书
OpenSSL 配置文件
HOME                    = .
RANDFILE                = $ENV::HOME/.rnd

# Extra OBJECT IDENTIFIER info:
#oid_file               = $ENV::HOME/.oid
oid_section             = new_oids

# To use this configuration file with the "-extfile" option of the
# "openssl x509" utility, name here the section containing the
# X.509v3 extensions to use:
# extensions            =
# (Alternatively, use a configuration file that has only
# X.509v3 extensions in its main [= default] section.)

[ new_oids ]

# We can add new OIDs in here for use by 'ca', 'req' and 'ts'.
# Add a simple OID like this:
# testoid1=1.2.3.4
# Or use config file substitution like this:
# testoid2=${testoid1}.5.6

# Policies used by the TSA examples.
tsa_policy1 = 1.2.3.4.1
tsa_policy2 = 1.2.3.4.5.6
tsa_policy3 = 1.2.3.4.5.7

[ req ]
default_bits            = 2048
default_md              = sha1
distinguished_name      = req_distinguished_name
string_mask = default
x509_extensions = v3_req

[ req_distinguished_name ]
countryName                     = Country Name (2 letter code)
countryName_default             = CN
countryName_min                 = 2
countryName_max                 = 2

stateOrProvinceName             = State or Province Name (full name)
stateOrProvinceName_default     = ShangHai

localityName                    = Locality Name (eg, city)
localityName_default            = ShangHai

0.organizationName              = Organization Name (eg, company)
0.organizationName_default      = IdealGroup

# we can do this but it is not needed normally :-)
#1.organizationName             = Second Organization Name (eg, company)
#1.organizationName_default     = World Wide Web Pty Ltd

organizationalUnitName          = Organizational Unit Name (eg, section)
organizationalUnitName_default  = IdealMobile

commonName                      = Common Name (e.g. server FQDN or YOUR name)
commonName_max                  = 64

emailAddress                    = Email Address
emailAddress_max                = 64

[ v3_server ]
subjectKeyIdentifier=hash
authorityKeyIdentifig=keyid:always,issuer
basicConstraints = CA:false
keyUsage = di`
italSignature, keyEncipherment
extendedKeyUsage = serverAuth
[ v3_ca ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer
basicConstraints = CA:true
keyUsage = cRLSign, keyCertSign
#keyUsage = digitalSignature, keyEncipherment
#extendedKeyUsage = serverAuth

#subjectAltNam=DNS:win.linyiheng.cn
[ v3_req ]
basicConstraints = CA:FALSE


[ ca ]
default_ca      = foo                   # The default ca section

[ foo ]
dir            = /root/ca         # top dir
database       = /root/ca/index.txt          # index file.
new_certs_dir  = /root/ca/newcerts           # new certs dir

certificate    = /root/ca/private/ca.crt         # The CA cert
serial         = /root/ca/serial             # serial no file
private_key    = /root/ca/private/ca.key  # CA private key
RANDFILE       = /root/ca/private/.rand      # random number file

default_days   = 3650                     # how long to certify for
default_crl_days = 3000                     # how long before next CRL
default_md     = sha1                     # message digest method to use
unique_subject = no                      # Set to 'no' to allow creation of
                                         # several ctificates with same subject.
policy         = policy_any              # default policy

[ policy_any ]
countryName = optional
stateOrProvinceName = optional
organizationName = optional
organizationalUnitName = optional
localityName            = optional
commonName              = supplied
emailAddress            = optional