我想从 CSR 创建 CA 证书。但是该过程失败且没有错误消息,所以我不知道在哪里可以找到解决方案。
[user@computer myca]$ openssl ca -config openssl.cnf -out user1cert.pem -in user1req.pem
Using configuration from openssl.cnf
[user@computer myca]$
我的配置文件如下所示:
[ca]
default_ca = CA_default
[CA_default]
dir = . # where everything is kept
new_certs_dir = $dir # default place for new certs
serial = $dir/serial # the current serial number
database = $dir/index # database index file
certificate = $dir/cacert.pem # The CA certificate
private_key = $dir/caprivkey.pem # The private key
RANDFILE = $dir/.rand # private random number file
default_days = 730 # how long to certify for
default_md = sha256 # which message digest to use
policy = policy_any # which policy is used
[policy_any]
countryName = supplied # country name is mandatory
stateOrProvinceName = optional # state is optional
organizationName = optional # organization name is optional
organizationalUnitName = optional # unit name is optional
commonName = optional # user name is mandatory
emailAddress = optional # email address is optional
配置文件中引用的文件(cacert.pem、caprivkey.pem和)都存在于当前目录中。如果我更改其中任何一个文件的名称,就会出现错误,提示文件不存在,所以我知道显示的是错误消息。当我尝试使用错误的私钥时,也会出现错误,我这样做只是为了测试是否收到错误消息。indexserial
我是否遗漏了什么?
答案1
检查您的设备序列号是否已经签名并出现在 index.txt 和 index.txt.old 中,还要检查 index.txt.attr 和 .old。
然后重试。