[root@ CA]# vim /etc/pki/tls/openssl.cnf
# Excerpt of openssl.cnf: file locations used by the CA ([ CA_default ]) and the
# default subject fields offered when building a request ([ req_distinguished_name ]).
# The author's annotations are translated to English and marked "Author's note".
[ CA_default ]
# Author's note: this is the CA path; change it to an absolute path.
# A relative value depends on the directory the openssl command is run from.
dir = ../../CA # Where everything is kept
# Author's note: certificates issued to others; this directory must be created by hand.
certs = $dir/certs # Where the issued certs are kept
# Author's note: certificate revocation lists; not a directory that has to be created.
crl_dir = $dir/crl # Where the issued crl are kept
# Author's note: index of the generated certificates; this file must be created by hand.
database = $dir/index.txt # database index file.
#unique_subject = no # Set to 'no' to allow creation of
                     # several certificates with same subject.
# Author's note: newly generated certificates are stored here; must be created by hand.
new_certs_dir = $dir/newcerts # default place for new certs.
certificate = $dir/cacert.pem # The CA certificate
# Author's note: every certificate gets a serial number; create this file yourself
# and write the starting number into it.
serial = $dir/serial # The current serial number
crlnumber = $dir/crlnumber # the current crl number
                           # must be commented out to leave a V1 CRL
crl = $dir/crl.pem # The current CRL
# NOTE(review): this is the CA signing key; anyone who can read it can issue
# certificates as this CA. Keep $dir/private and cakey.pem accessible only to the
# CA operator (for example directory mode 0700, key file mode 0600).
private_key = $dir/private/cakey.pem# The private key
RANDFILE = $dir/private/.rand # private random number file
x509_extensions = usr_cert # The extensions to add to the cert
# req_extensions = v3_req # The extensions to add to a certificate request
######### Author's note: change the CSR defaults below so they match your own CA.
# NOTE(review): presumably needed because the CA's signing policy requires these
# fields to match the CA certificate; the policy section is not shown here, so confirm.
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = CN # Author's note: changed to CN to correspond with the CA's self-signed certificate
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Henan # same as above
localityName = Locality Name (eg, city)
localityName_default = Zhengzhou # same as above
0.organizationName = Organization Name (eg, company)
0.organizationName_default = Tech # same as above
4. 创建 CA 所需的目录和文件,并指定序列号的起始数字(上一步的注释中已经说明);它们都创建在 CA 所在目录(即 dir 指向的路径)下。