Generating a CA Certificate and Issuing Certificates with OpenSSL on RHEL 6.3: A Worked Example (3)

Addendum: two problems that commonly occur while signing certificates
[root@test1 ~]# openssl ca -in dovecot.csr -out dovecot.cst
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/my-ca.key:
unable to load number from /etc/pki/CA/serial
error while loading serial number
3078239980:error:0D066096:asn1 encoding routines:a2i_ASN1_INTEGER:short line:f_int.c:215:
The message "error while loading serial number" usually means that the serial file has not been given an initial value.
Solution:
[root@test1 ~]#cd /etc/pki/CA
[root@test1 CA]# echo "00" >serial
[root@test1 CA]# cat serial
00

The second problem: when the CA signs the request, a "failed to update database" error appears at the very end.
[root@test1 ~]#openssl ca -in dovecot.csr -out dovecot.crt
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/my-ca.key:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 2 (0x2)
Validity
Not Before: Jan 23 02:23:39 2013 GMT
Not After : Jan 23 02:23:39 2014 GMT
Subject:
countryName = CN
stateOrProvinceName = Hebei
organizationName = Tianli Company
commonName = test2
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
96:86:28:B7:ED:2E:96:79:32:88:7E:C3:23:37:02:BC:43:1C:76:87
X509v3 Authority Key Identifier:
keyid:4C:45:25:5F:60:7F:F8:6E:6F:B4:53:C4:FB:BD:A3:C6:82:AE:2A:62

Certificate is to be certified until Jan 23 02:23:39 2014 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

Certificate is to be certified until Jan 23 02:17:38 2014 GMT (365 days)
Sign the certificate? [y/n]:y
failed to update database
TXT_DB error number 2
If you run into this error, simply empty the contents of /etc/pki/CA/index.txt and sign again; the signing will then succeed.
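
A pre-flight check for both failures above, written as an added example (not from the original article): it validates the serial file and looks in index.txt for a still-valid entry with the same subject, the usual cause of TXT_DB error number 2. The function names and the sample CA directory are constructed for illustration; the subject is given in the slash-separated form that index.txt stores.

```shell
#!/bin/sh
# Added example: check CA state before running "openssl ca".

# serial_ok FILE: true if the first line is an even-length hex string,
# the form "openssl ca" reads (the article initialises it with "00").
serial_ok() {
    [ -s "$1" ] || return 1
    head -n 1 "$1" | grep -Eq '^([0-9A-Fa-f]{2})+$'
}

# subject_clash INDEX SUBJECT: print still-valid (V) index.txt entries whose
# subject (6th tab-separated field) equals SUBJECT; true if any exist.
subject_clash() {
    awk -F '\t' -v s="$2" \
        '$1 == "V" && $6 == s { print; n++ } END { exit !n }' "$1"
}

# diagnose CADIR SUBJECT: report which of the two problems would occur.
diagnose() {
    rc=0
    serial_ok "$1/serial" || { echo "serial: empty or not even-length hex"; rc=1; }
    if subject_clash "$1/index.txt" "$2" >/dev/null; then
        echo "index.txt: a valid certificate already exists for $2"; rc=1
    fi
    return $rc
}

# make_sample_ca DIR: constructed sample data (hypothetical CA directory):
# an empty serial file, one valid entry and one revoked entry.
make_sample_ca() {
    mkdir -p "$1"
    : > "$1/serial"
    printf 'V\t140123022339Z\t\t02\tunknown\t/C=CN/ST=Hebei/O=Tianli Company/CN=test2\n' \
        > "$1/index.txt"
    printf 'R\t140123021738Z\t130201000000Z\t01\tunknown\t/C=CN/ST=Hebei/O=Tianli Company/CN=test1\n' \
        >> "$1/index.txt"
}

# Demo on the constructed directory: reports both problems.
demo_dir=$(mktemp -d)
make_sample_ca "$demo_dir"
diagnose "$demo_dir" "/C=CN/ST=Hebei/O=Tianli Company/CN=test2" || true
rm -rf "$demo_dir"
```

When a clash is reported, revoking the old certificate with `openssl ca -revoke` or setting `unique_subject = no` in index.txt.attr lets the request be signed while keeping the CA's record of issued certificates.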
