Menu Close

5.2. 创建证书配置文件

此流程描述了如何通过命令行创建证书配置文件,方法是创建用于请求 S/MIME 证书的配置文件。

步骤

  1. 通过复制现有的默认配置文件来创建自定义配置文件:

    $ ipa certprofile-show --out smime.cfg caIPAserviceCert
    ------------------------------------------------
    Profile configuration stored in file 'smime.cfg'
    ------------------------------------------------
      Profile ID: caIPAserviceCert
      Profile description: Standard profile for network services
      Store issued certificates: TRUE
  2. 在文本编辑器中打开新创建的配置文件。

    $ vi  smime.cfg
  3. Profile ID 更改为反映配置文件用法的名称,如 smime

    注意

    当您导入新创建的配置文件时,如果有profileId 字段,则其必须与命令行中指定的 ID 匹配。

  4. 更新扩展的密钥用法配置。默认的扩展的密钥用法扩展配置用于 TLS 服务器和客户端身份验证。例如,对于 S/MIME,必须为电子邮件保护配置扩展的密钥用法:

    policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.4
  5. 导入新配置文件:

    $ ipa certprofile-import smime --file smime.cfg \
      --desc "S/MIME certificates" --store TRUE
    
    ------------------------
    Imported profile "smime"
    ------------------------
      Profile ID: smime
      Profile description: S/MIME certificates
      Store issued certificates: TRUE

验证步骤

  • 验证新证书配置文件已被导入:

    $ ipa certprofile-find
    
    ------------------
    4 profiles matched
    ------------------
      Profile ID: caIPAserviceCert
      Profile description: Standard profile for network services
      Store issued certificates: TRUE
    
      Profile ID: IECUserRoles
      Profile description: User profile that includes IECUserRoles extension from request
      Store issued certificates: TRUE
    
      Profile ID: KDCs_PKINIT_Certs
      Profile description: Profile for PKINIT support by KDCs
      Store issued certificates: TRUE
    
      Profile ID: smime
      Profile description: S/MIME certificates
      Store issued certificates: TRUE
    ----------------------------
    Number of entries returned 4
    ----------------------------

其他资源