Skip to Content Information Center
Markvision Enterprise

Markvision Enterprise

Création d'un fichier de configuration OpenSSL

  1. Exécutez la commande suivante :

    • nano /etc/certs/openxpki_ca-one/openssl.conf

    Remarque :  Si votre serveur est accessible à l'aide du nom de domaine complet (FQDN), utilisez le DNS du serveur au lieu de son adresse IP.

    Exemple de fichier

    # x509_extensions               = v3_ca_extensions
    # x509_extensions               = v3_issuing_extensions
    # x509_extensions               = v3_datavault_extensions
    # x509_extensions               = v3_scep_extensions
    # x509_extensions               = v3_web_extensions
    # x509_extensions               = v3_ca_reqexts # not for root self-signed, only for issuing
    ## x509_extensions              = v3_datavault_reqexts # not required self-signed
    # x509_extensions               = v3_scep_reqexts
    # x509_extensions               = v3_web_reqexts
    
    [ req ]
    default_bits            = 4096
    distinguished_name      = req_distinguished_name
    
    [ req_distinguished_name ]
    domainComponent         = Domain Component
    commonName              = Common Name
    
    [ v3_ca_reqexts ]
    subjectKeyIdentifier    = hash
    keyUsage                = digitalSignature, keyCertSign, cRLSign
    
    [ v3_datavault_reqexts ]
    subjectKeyIdentifier    = hash
    keyUsage                = keyEncipherment
    extendedKeyUsage        = emailProtection
    
    [ v3_scep_reqexts ]
    subjectKeyIdentifier    = hash
    
    [ v3_web_reqexts ]
    subjectKeyIdentifier    = hash
    keyUsage                = critical, digitalSignature, keyEncipherment
    extendedKeyUsage        = serverAuth, clientAuth
    
    [ v3_ca_extensions ]
    subjectKeyIdentifier    = hash
    keyUsage                = digitalSignature, keyCertSign, cRLSign
    basicConstraints        = critical,CA:TRUE
    authorityKeyIdentifier  = keyid:always,issuer
    
    [ v3_issuing_extensions ]
    subjectKeyIdentifier    = hash
    keyUsage                = digitalSignature, keyCertSign, cRLSign
    basicConstraints        = critical,CA:TRUE
    authorityKeyIdentifier  = keyid:always,issuer:always
    crlDistributionPoints   = URI:http://FQDN of the server/CertEnroll/MYOPENXPKI.crl
    authorityInfoAccess     = caIssuers;URI:http://FQDN of the server/CertEnroll/MYOPENXPKI.crt
    
    [ v3_datavault_extensions ]
    subjectKeyIdentifier    = hash
    keyUsage                = keyEncipherment
    extendedKeyUsage        = emailProtection
    basicConstraints        = CA:FALSE
    authorityKeyIdentifier  = keyid:always,issuer
    
    [ v3_scep_extensions ]
    subjectKeyIdentifier    = hash
    basicConstraints        = CA:FALSE
    authorityKeyIdentifier  = keyid,issuer
    
    [ v3_web_extensions ]
    subjectKeyIdentifier    = hash
    keyUsage                = critical, digitalSignature, keyEncipherment
    extendedKeyUsage        = serverAuth, clientAuth
    basicConstraints        = critical,CA:FALSE
    subjectAltName          = DNS:stlopenxpki.lexmark.com
    crlDistributionPoints   = URI:http://FQDN of the server/CertEnroll/MYOPENXPKI_ISSUINGCA.crl
    authorityInfoAccess     = caIssuers;URI:http://FQDN of the server/CertEnroll/MYOPENXPKI_ISSUINGCA.crt
    
  2. Modifiez l'adresse IP et le nom du certificat CA avec vos informations de configuration.

  3. Enregistrez le fichier.

Cet article vous a-t-il été utile ?
Top