openssl.cnf 是 openssl 命令的配置文件。系统级的配置文件 /etc/pki/tls/openssl.cnf 对所有用户生效；在实际使用中，可以编写专用的配置文件并通过 `-config` 参数指定，从而为特定用户或用途设定缺省值。
- req 与 req_distinguished_name 段的设置
[root@host121 csr]# cat openssl.cnf
[ req ]
default_bits = 2048
default_md = sha256
default_keyfile = ca.pem
distinguished_name = req_distinguished_name
string_mask = utf8only
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = CN
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = LiaoNing
localityName = Locality Name (eg, city)
localityName_default = DaLian
0.organizationName = Organization Name (eg, company)
0.organizationName_default = devops
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = unicorn
commonName = Common Name (eg, your name or your server\'s hostname)
commonName_default = devops.com
commonName_max = 64
emailAddress = Email Address
emailAddress_max = 64
[root@host121 csr]#
生成私钥
[root@host121 csr]# openssl genrsa -out ca.key
Generating RSA private key, 2048 bit long modulus (2 primes)
......................................................................+++++
.............................+++++
e is 65537 (0x010001)
[root@host121 csr]# ls ca.key
ca.key
[root@host121 csr]#
注意：这样生成的 ca.key 是未加密的明文私钥，任何能读取该文件的人都可以冒用用它签发的证书，因此应确保文件只对属主可读；如需口令保护，可在 genrsa 时加上 -aes256 等选项加密保存。
生成CSR文件
[root@host121 csr]# openssl req -new -config openssl.cnf -key ca.key -out request-using-cnf.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [LiaoNing]:
Locality Name (eg, city) [DaLian]:
Organization Name (eg, company) [devops]:
Organizational Unit Name (eg, section) [unicorn]:
Common Name (eg, your name or your server's hostname) [devops.com]:
Email Address []:
[root@host121 csr]# ls request-using-cnf.csr
request-using-cnf.csr
[root@host121 csr]#
确认CSR内容
[root@host121 csr]# openssl req -text -noout -verify -in request-using-cnf.csr
verify OK
Certificate Request:
    Data:
        Version: 1 (0x0)
        Subject: C = CN, ST = LiaoNing, L = DaLian, O = devops, OU = unicorn, CN = devops.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:cc:9b:68:0c:81:af:60:92:b9:96:73:4f:26:2e:
                    4d:23:8b:b8:41:41:44:85:a8:5a:74:38:8a:fc:83:
                    ca:e3:82:f5:51:93:0d:b8:a2:1d:df:b4:08:2f:7c:
                    7e:85:45:92:a1:cd:87:c8:f4:32:b3:c1:81:42:c7:
                    32:b9:a7:f4:27:f3:9c:35:c9:ba:07:2c:9a:9d:fa:
                    e3:f4:52:b3:5d:ff:b8:67:78:93:4b:18:d6:27:c8:
                    b5:c6:74:3e:0b:f4:01:77:6e:75:30:e7:8e:07:37:
                    ce:cc:62:dd:56:2c:8f:f1:93:af:49:3a:2a:ea:e2:
                    39:71:34:f1:bc:6f:47:21:bd:ba:f7:50:8f:0a:34:
                    5e:6d:02:b7:e2:8b:51:b3:f2:46:fd:54:87:aa:8e:
                    f8:31:73:b0:69:3e:2f:dc:6f:22:90:a3:2b:89:3a:
                    8e:55:1e:29:10:7f:2f:2f:25:08:01:93:09:35:d8:
                    c0:3c:b8:25:1b:88:e6:6d:ac:88:2b:48:a0:0b:3b:
                    83:65:b2:35:0e:dc:a1:a7:8b:e2:53:69:f5:ac:88:
                    69:f1:3a:e3:1f:25:2e:10:0b:60:0f:9a:62:bd:c0:
                    7d:00:a6:67:fc:6e:6a:34:73:d8:0c:40:14:8a:42:
                    76:9e:07:1d:1f:61:35:ea:73:fd:58:40:e8:2c:6c:
                    18:79
                Exponent: 65537 (0x10001)
        Attributes:
            a0:00
    Signature Algorithm: sha256WithRSAEncryption
         16:b1:6e:28:b9:6c:5b:ab:ba:53:f3:5d:7a:cb:78:f4:0b:92:
         2f:b4:66:83:dd:5e:8c:55:db:f1:85:4f:f5:c4:ed:74:da:96:
         af:7e:b4:75:9c:3a:b2:1a:38:3b:95:42:c6:95:18:70:27:27:
         a3:96:ab:f4:e4:1c:eb:12:c2:14:75:e0:b4:ab:3e:39:7d:cd:
         01:8f:b0:92:49:35:18:fa:83:e8:98:30:be:cd:e6:88:71:1b:
         35:a6:26:5b:9a:16:52:61:ba:18:02:b0:28:63:1d:20:cd:cc:
         c4:00:40:2a:af:c8:fe:86:1e:72:79:ea:f3:fa:01:eb:fc:fe:
         11:dc:7d:36:ba:d3:a6:86:ea:ff:23:ec:fa:e6:7f:70:c6:04:
         f5:b1:2d:9c:07:78:bb:42:d1:3b:ca:2a:37:48:9d:4f:6d:a8:
         69:5e:cc:da:4e:75:00:80:fa:de:6e:79:81:e0:c3:93:49:4e:
         c0:03:18:db:9d:57:0a:8d:c0:6f:fe:c9:b0:60:b8:58:cf:d6:
         20:6a:11:ea:33:22:77:1a:e5:8d:84:c5:15:91:bc:1a:89:2f:
         16:d0:38:31:3d:cc:2d:7d:83:12:ae:a6:01:4b:e7:3d:ed:92:
         27:14:d1:0c:01:fb:c0:ed:0f:2e:f3:c2:39:d8:e8:25:34:cb:
         0d:32:88:0c
[root@host121 csr]#
这里的 "verify OK" 只说明 CSR 上的自签名能用其自身公钥验证通过（即申请者持有对应私钥），并不校验 Subject 中的身份信息。另外该 CSR 的 Attributes 为空（a0:00），即没有 subjectAltName 等扩展；若用于 TLS 服务器证书，需在配置中增加 req_extensions 段声明 subjectAltName，因为现代客户端校验主机名时只看 SAN 而不看 CN。