49.2. Creating a certificate profile

This procedure describes how to create a certificate profile from the command line by writing a profile configuration file for requesting S/MIME certificates.

Procedure

  1. Create a custom profile by copying an existing default profile:

    $ ipa certprofile-show --out smime.cfg caIPAserviceCert
    ------------------------------------------------
    Profile configuration stored in file 'smime.cfg'
    ------------------------------------------------
      Profile ID: caIPAserviceCert
      Profile description: Standard profile for network services
      Store issued certificates: TRUE
  2. Open the newly created profile configuration file in a text editor.

    $ vi smime.cfg
  3. Change the Profile ID to a name that reflects the profile's purpose, for example smime.

    Note

    When you import the newly created profile, the profileId field in the file must match the ID specified on the command line.

  4. Update the extended key usage configuration. The default extended key usage extension configuration is for TLS server and client authentication. For S/MIME, for example, the extended key usage must be configured for email protection:

    policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.4
  5. Import the new profile:

    $ ipa certprofile-import smime --file smime.cfg \
      --desc "S/MIME certificates" --store TRUE
    
    ------------------------
    Imported profile "smime"
    ------------------------
      Profile ID: smime
      Profile description: S/MIME certificates
      Store issued certificates: TRUE
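Steps 1 to 5 above, as an added shell example that is not part of the Red Hat documentation: it rewrites the profileId and exKeyUsageOIDs lines of an exported profile file and checks, before import, that the profileId in the file matches the ID that will be given on the command line (the note in step 3) and that the extended key usage is email protection only. The sample configuration file is constructed here and contains only the relevant lines; the function names and the exact keys of the exported file are assumptions based on the lines shown on this page.

```shell
#!/bin/sh
# Added example, not code from the Red Hat page: prepare and validate an
# S/MIME profile configuration derived from an exported default profile.
# Assumption: the exported file uses Dogtag's key=value format with a
# profileId line and a ...exKeyUsageOIDs line, as shown on the page.

EMAIL_PROTECTION_OID="1.3.6.1.5.5.7.3.4"   # id-kp-emailProtection, RFC 5280 4.2.1.12

# Constructed sample of the relevant lines of an exported caIPAserviceCert
# profile (the real export contains many more lines). $1 = output file.
write_sample_profile() {
    cat > "$1" <<'EOF'
profileId=caIPAserviceCert
name=IPA-RA Service Certificate
desc=Standard profile for network services
policyset.serverCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2
EOF
}

# Steps 3 and 4: set the profile ID and replace the TLS server/client EKU
# with email protection. $1 = exported config, $2 = new profile ID, $3 = output.
prepare_smime_profile() {
    sed -e "s/^profileId=.*/profileId=$2/" \
        -e "s/^\(policyset\.serverCertSet\.7\.default\.params\.exKeyUsageOIDs=\).*/\1$EMAIL_PROTECTION_OID/" \
        "$1" > "$3"
}

# Pre-import check: the profileId in the file must equal the ID passed to
# certprofile-import, and the EKU must be email protection only.
# $1 = config file, $2 = profile ID to be used on the command line. Returns 0 when both hold.
check_smime_profile() {
    file="$1"
    expected_id="$2"
    actual_id=$(sed -n 's/^profileId=//p' "$file")
    eku=$(sed -n 's/^policyset\.serverCertSet\.7\.default\.params\.exKeyUsageOIDs=//p' "$file")
    [ "$actual_id" = "$expected_id" ] || { echo "profileId '$actual_id' does not match '$expected_id'" >&2; return 1; }
    [ "$eku" = "$EMAIL_PROTECTION_OID" ] || { echo "unexpected exKeyUsageOIDs '$eku'" >&2; return 1; }
    return 0
}

# Step 5 with the page's command; only meaningful against a live IdM server,
# so it is not called in the stand-alone run below. $1 = profile ID, $2 = config file.
import_smime_profile() {
    check_smime_profile "$2" "$1" || return 1
    ipa certprofile-import "$1" --file "$2" --desc "S/MIME certificates" --store TRUE
}

# Stand-alone run on the constructed sample in a temporary directory.
tmp=$(mktemp -d)
write_sample_profile "$tmp/caIPAserviceCert.cfg"
prepare_smime_profile "$tmp/caIPAserviceCert.cfg" smime "$tmp/smime.cfg"
check_smime_profile "$tmp/smime.cfg" smime && \
    echo "$tmp/smime.cfg is ready for: ipa certprofile-import smime --file $tmp/smime.cfg"
```

In a real deployment, replace write_sample_profile with the export from step 1 (ipa certprofile-show --out) and call import_smime_profile smime smime.cfg; the check refuses to import when the file's profileId drifts from the command-line ID or still carries the TLS extended key usage.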

Verification steps

  • Verify that the new certificate profile has been imported:

    $ ipa certprofile-find
    
    ------------------
    4 profiles matched
    ------------------
      Profile ID: caIPAserviceCert
      Profile description: Standard profile for network services
      Store issued certificates: TRUE
    
      Profile ID: IECUserRoles
      Profile description: User profile that includes IECUserRoles extension from request
      Store issued certificates: TRUE
    
      Profile ID: KDCs_PKINIT_Certs
      Profile description: Profile for PKINIT support by KDCs
      Store issued certificates: TRUE
    
      Profile ID: smime
      Profile description: S/MIME certificates
      Store issued certificates: TRUE
    ----------------------------
    Number of entries returned 4
    ----------------------------

Additional resources

  • For details about the certprofile plug-in, run the ipa help certprofile command.
  • For more information about the extended key usage extension, see RFC 5280, section 4.2.1.12.