Ssl
Local SSL CA always expires 30 days after creation
I am following steps similar to the ones in this answer to create a local CA.
Even though the `default_days` option is set to 1825 (days) in my config file, the generated CA certificate is always set to expire 30 days after creation. I confirmed this by inspecting the generated PEM file with
openssl x509 -in ./cacert.pem -text -noout
This is the config file I use to create the CA certificate:
HOME            = .
RANDFILE        = $ENV::HOME/.rnd

####################################################################
[ ca ]
default_ca      = CA_default            # The default ca section

[ CA_default ]
default_days     = 1825                 # how long to certify for
default_crl_days = 30                   # how long before next CRL
default_md       = sha256               # use public key default MD
preserve         = no                   # keep passed DN ordering

x509_extensions  = ca_extensions        # The extensions to add to the cert

email_in_dn      = no                   # Don't concat the email in the DN
copy_extensions  = copy                 # Required to copy SANs from CSR to cert

base_dir         = ./CA
certificate      = $base_dir/cacert.pem         # The CA certificate
private_key      = $base_dir/private/cakey.pem  # The CA private key
new_certs_dir    = $base_dir/newcerts           # Location for new certs after signing
database         = $base_dir/index.txt          # Database index file
serial           = $base_dir/serial             # The current serial number

unique_subject   = no                   # Set to 'no' to allow creation of
                                        # several certificates with same subject.

####################################################################
[ req ]
default_bits        = 4096
default_keyfile     = cakey.pem
distinguished_name  = ca_distinguished_name
x509_extensions     = ca_extensions
string_mask         = utf8only

####################################################################
[ ca_distinguished_name ]
countryName                 = Country Name (2 letter code)
countryName_default         = US

stateOrProvinceName         = State or Province Name (full name)
stateOrProvinceName_default = CA

localityName                = Locality Name (eg, city)
localityName_default        = Bakersfield

organizationName            = Organization Name (eg, company)
organizationName_default    = Some Company

organizationalUnitName         = Organizational Unit (eg, division)
organizationalUnitName_default = Some Org Unit

commonName                  = Common Name (e.g. server FQDN or YOUR name)
commonName_default          = some-local-CA

emailAddress                = Email Address
emailAddress_default        = netadmin@domain.com

####################################################################
[ ca_extensions ]
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always, issuer
basicConstraints       = critical, CA:true
keyUsage               = keyCertSign, cRLSign

####################################################################
[ signing_policy ]
countryName            = optional
stateOrProvinceName    = optional
localityName           = optional
organizationName       = optional
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional

####################################################################
[ signing_req ]
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer
basicConstraints       = CA:FALSE
keyUsage               = digitalSignature, keyEncipherment
I then create the local CA with this command (run in the same directory):
openssl req -x509 -config ./openssl-ca.cnf -newkey rsa:4096 -sha256 -nodes -out cacert.pem -outform PEM
I have tried setting the `default_crl_days` option to values other than 30, but that does not seem to have any effect. How do I specify the expiry date (or the number of days until expiry) of the local CA?
With the settings used to generate the CA and CA-INT, I get the following for my validity:
Validity
    Not Before: Jan 28 03:28:40 2018 GMT
    Not After : Jan 23 03:28:40 2038 GMT
I came to find that I could only get this to work by passing it directly to `openssl` via the `-days` switch. For example:
openssl req -config $topDir/openssl.cnf \
    -key $ca_key_file \
    -new -x509 -days 7300 -sha256 -extensions v3_ca \
    -out $ca_cert_file -passin pass:casecret \
    -subj "/C=US/ST=NC/L=Raleigh/O=APPS Security/OU=APPS/CN=APPS CA"
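The reason the config setting has no effect is that `default_days` lives in the `[ ca ]` / `CA_default` section, which is only read by `openssl ca` when it signs CSRs. `openssl req -x509` produces a self-signed certificate and takes its lifetime solely from the `-days` option, which defaults to 30 when omitted; `default_crl_days` only controls the `nextUpdate` field of CRLs and never touches certificate validity. The script below is an added example, not code from the question or the answer above, that reproduces the 30-day default and the `-days` fix with a minimal config, then verifies the resulting lifetime with `openssl x509 -checkend`. The CN `demo-local-CA`, the 2048-bit key (chosen for speed), and the scratch-directory paths are illustrative assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): a self-signed CA's lifetime
# comes from `openssl req -x509 -days`, not from [ca] default_days.
set -eu

# Create a self-signed CA in a scratch directory and print the cert path.
# $1 (optional) = value for -days; when omitted, openssl's default of 30 applies.
# The CN, key size and paths below are illustrative assumptions.
make_ca() {
  days="${1:-}"
  dir="$(mktemp -d)"
  cat > "$dir/openssl-ca.cnf" <<'EOF'
[ ca ]
default_ca   = CA_default

[ CA_default ]
default_days = 1825   # honoured by `openssl ca` only, NOT by `openssl req -x509`

[ req ]
default_bits       = 2048
distinguished_name = ca_distinguished_name
x509_extensions    = ca_extensions
prompt             = no

[ ca_distinguished_name ]
CN = demo-local-CA

[ ca_extensions ]
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always, issuer
basicConstraints       = critical, CA:true
keyUsage               = keyCertSign, cRLSign
EOF
  # Only add -days when the caller asked for it, so the default path is exercised too.
  if [ -n "$days" ]; then set -- -days "$days"; else set --; fi
  openssl req -x509 -config "$dir/openssl-ca.cnf" -newkey rsa:2048 -nodes -sha256 \
    -keyout "$dir/cakey.pem" -out "$dir/cacert.pem" "$@" 2>/dev/null
  printf '%s\n' "$dir/cacert.pem"
}

# Return 0 if the certificate at $1 is still valid $2 days from now, 1 otherwise.
# `openssl x509 -checkend` takes an offset in seconds.
valid_for_days() {
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Print the notAfter line for a human reader.
show_expiry() {
  openssl x509 -in "$1" -noout -enddate
}

# Usage: the same config, with and without -days.
default_ca="$(make_ca)"        # expires in 30 days despite default_days = 1825
fixed_ca="$(make_ca 1825)"     # expires in 1825 days
show_expiry "$default_ca"
show_expiry "$fixed_ca"
```

Run it and compare the two `notAfter=` lines: the first is about a month out, the second roughly five years, even though both were produced from a config whose `default_days` says 1825. The `-checkend` probe is also a handy monitoring check for any CA you operate: `openssl x509 -in cacert.pem -noout -checkend 2592000` exits non-zero once the certificate has less than 30 days left.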