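# ext.cnf, [ req ]: defaults `openssl req` uses when building the end-entity
# certificate request.
[ req ]
# Key size when none is given on the command line; -newkey rsa:NNNN overrides it.
default_bits = 2048
# Where the new private key is written when -keyout is not given. The original
# value was the CA's own key path (/u01/ca/private/cakey.pem), which a run
# without -keyout would overwrite.
default_keyfile = key.pem
# MD5 is collision-broken; sign the request with SHA-256 instead.
default_md = sha256
# Take the subject from the distinguished_name section without prompting.
prompt = no
distinguished_name = root_ca_distinguished_name
# `openssl req` looks up the request-extension section under req_extensions.
# A key named plain `extensions` is not read, so v3_req never reached the
# request and the CA had nothing to copy. Check the result with
# `openssl req -in req.pem -noout -text`.
req_extensions = v3_req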
# Subject fields for the request. Despite the section name, in ext.cnf this is
# the subject of the end-entity request, not of the CA. With prompt = no the
# values are used as written; keep the field order, since the certificate dump
# on this page lists the subject in this same order.
[ root_ca_distinguished_name ]
commonName = My Test extension
stateOrProvinceName = jilin
countryName = CN
emailAddress = redogs@sina.com.cn
organizationName = jlu
# Extensions to place in the certificate request; this section is named by
# the [ req ] section of ext.cnf.
[ v3_req ]
# Two e-mail (rfc822Name) entries in the subject alternative name.
subjectAltName = email:steve@here,email:steve@there
# The requested certificate is an end-entity certificate, not a CA.
basicConstraints = CA:FALSE
该文件保存为ext.cnf
生成证书请求:openssl req -config ext.cnf -newkey rsa:1024 -keyout key.pem -out req.pem
下面是CA配置
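# CA section read by `openssl ca` when signing requests. It is selected with
# -name myca or through default_ca in a [ ca ] section; neither is visible on
# this page.
[ myca ]
dir = /u01/ca
certificate = $dir/cacert.pem
database = $dir/index.txt
new_certs_dir = $dir/certs
# CA private key: keep it readable by the CA operator only.
private_key = $dir/private/cakey.pem
serial = $dir/serial
# Copies extensions from the request into the certificate unless the
# x509_extensions section below already sets them. The requester controls
# those values (for example subjectAltName), so inspect each request before
# signing it.
copy_extensions = copy
default_crl_days = 7
default_days = 365
# MD5 is collision-broken and unsuitable for certificate signatures; issue
# with SHA-256. The sample certificate shown on this page was issued with the
# original md5 setting.
default_md = sha256
policy = myca_policy
x509_extensions = certificate_extensions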
# Subject-field policy applied to each request before signing:
# supplied = the request must contain the field, optional = it may.
# Field order is kept as in the original.
[ myca_policy ]
commonName = supplied
stateOrProvinceName = supplied
countryName = supplied
emailAddress = supplied
organizationName = supplied
organizationalUnitName = optional
# Extensions the CA itself adds to every certificate it issues.
[ certificate_extensions ]
# Issued certificates are end-entity certificates. Because the value is set
# here, copy_extensions = copy does not replace it with a basicConstraints
# value taken from the request.
basicConstraints = CA:false
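# [ req ] in the CA configuration: defaults for creating the CA's own
# self-signed certificate (x509_extensions applies to `openssl req -x509`).
[ req ]
default_bits = 2048
# The CA private key is written here; restrict access to this path.
default_keyfile = /u01/ca/private/cakey.pem
# MD5 is collision-broken; use SHA-256 for the CA certificate's signature.
default_md = sha256
prompt = no
distinguished_name = root_ca_distinguished_name
x509_extensions = root_ca_extensions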
# Subject (and therefore issuer) name of the CA certificate; the Issuer line
# of the certificate dump on this page shows these values in this order.
[ root_ca_distinguished_name ]
commonName = My Test CA
stateOrProvinceName = jilin
countryName = CN
emailAddress = redogs@sina.com.cn
organizationName = jlu
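# Extensions placed on the CA's self-signed certificate.
[ root_ca_extensions ]
# Marks the certificate as a CA. RFC 5280 requires basicConstraints to be
# critical in CA certificates, so relying parties cannot ignore it. This
# takes effect only when the CA certificate is generated again.
basicConstraints = critical,CA:true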
CA签证:
openssl ca -config ../openssl.conf -in req.pem
查看证书内容,发现其中没有请求里的扩展部分(subjectAltName):
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 10 (0xa)
Signature Algorithm: md5WithRSAEncryption
Issuer: CN=My Test CA, ST=jilin, C=CN/emailAddress=redogs@sina.com.cn, O=jlu
Validity
Not Before: May 8 13:05:09 2007 GMT
Not After : May 7 13:05:09 2008 GMT
Subject: CN=My Test extension, ST=jilin, C=CN/emailAddress=redogs@sina.com.cn, O=jlu
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:9a:65:76:84:d9:2f:b8:77:be:b8:6e:73:d4:30:
3d:39:b7:a4:90:db:83:a6:eb:26:f8:34:d4:8a:0c:
31:cc:b2:ea:f3:02:23:46:e1:51:65:6d:81:12:6a:
b3:7f:32:c3:e4:c3:00:6c:3c:ca:3f:ee:26:24:01:
21:ed:7c:d3:1b:08:f1:bb:71:c9:e0:4b:ac:18:72:
70:43:93:0f:0d:f7:d7:42:b2:3e:f7:7f:2c:20:66:
b7:ec:57:41:f8:b4:43:cc:5b:26:0f:64:eb:6d:81:
57:be:80:ca:65:ae:06:96:53:1b:0e:82:d6:f9:f2:
09:88:3a:ac:ed:aa:dd:4a:3d
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Signature Algorithm: md5WithRSAEncryption
03:41:eb:8c:83:b6:98:19:53:98:c1:ed:9a:32:71:55:59:9f:
f0:57:76:8d:78:fa:68:12:d8:bb:bb:ad:ef:f1:93:44:a0:32:
71:6f:52:bb:13:6b:68:23:4b:c1:4b:c6:a5:83:47:52:19:e9:
c3:fa:5c:d7:4a:5b:05:2e:55:7a:b7:5b:a8:b7:ea:05:32:7f:
df:5c:74:56:2f:98:62:a8:b0:4f:26:4d:fe:80:e3:a1:7f:9a:
59:6f:4d:af:f3:cb:b0:f2:b0:1e:1b:3f:69:9e:0b:a3:d0:89:
4c:5e:ef:10:01:3c:c1:8e:08:38:98:fe:a1:e0:ac:f1:1c:2f:
1a:e3:43:e0:14:94:05:0a:85:31:4f:a2:e8:29:f7:33:cd:70:
ae:10:64:9c:76:04:61:cb:7c:37:f5:8b:8a:92:2f:a2:e6:b9:
2a:95:71:fc:d5:67:3c:6d:35:20:cc:39:ff:a7:2d:f9:68:c4:
ab:2e:be:0e:60:54:ec:15:5e:7a:16:1f:cf:45:e5:50:d5:3b:
54:17:bd:83:31:af:f8:c8:0d:c3:23:78:60:ca:b8:8d:33:14:
43:95:06:5d:e2:65:1a:91:cb:b5:f4:43:ab:23:c3:8f:cc:8a:
81:76:c4:a1:2a:37:38:60:0a:fb:87:0c:b2:f6:f4:c3:64:76:
ca:73:a0:1e
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
请高手赐教:如何在请求中加入扩展部分,并且在CA签证后仍保留该扩展部分?