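6.2. Creating a certificate profile
Follow this procedure to create a certificate profile through the command line by creating a profile configuration file for requesting S/MIME certificates.
Procedure
Create a custom profile by copying an existing default profile: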
$ ipa certprofile-show --out smime.cfg caIPAserviceCert
------------------------------------------------
Profile configuration stored in file 'smime.cfg'
------------------------------------------------
  Profile ID: caIPAserviceCert
  Profile description: Standard profile for network services
  Store issued certificates: TRUE
Open the newly created profile configuration file in a text editor.
$ vi smime.cfg
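Change the Profile ID to a name that reflects the usage of the profile, for example smime.
Note: When you import a newly created profile, the profileId field, if present, must match the ID specified on the command line.
Update the Extended Key Usage configuration. The default Extended Key Usage extension configuration is for TLS server and client authentication. For example, for S/MIME, the Extended Key Usage must be configured for email protection: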
policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.4
Import the new profile:
$ ipa certprofile-import smime --file smime.cfg \
  --desc "S/MIME certificates" --store TRUE
------------------------
Imported profile "smime"
------------------------
  Profile ID: smime
  Profile description: S/MIME certificates
  Store issued certificates: TRUE
Verification
Verify that the new certificate profile has been imported:
$ ipa certprofile-find
------------------
4 profiles matched
------------------
  Profile ID: caIPAserviceCert
  Profile description: Standard profile for network services
  Store issued certificates: TRUE

  Profile ID: IECUserRoles
  Profile description: User profile that includes IECUserRoles extension from request
  Store issued certificates: TRUE

  Profile ID: KDCs_PKINIT_Certs
  Profile description: Profile for PKINIT support by KDCs
  Store issued certificates: TRUE

  Profile ID: smime
  Profile description: S/MIME certificates
  Store issued certificates: TRUE
----------------------------
Number of entries returned 4
----------------------------
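A pre-import check for the edited file, as an added example that is not part of the original documentation: it applies the two edits from the procedure to an exported profile and rejects a file whose profileId differs from the import ID or whose Extended Key Usage list is not email protection. The function names and the sample configuration are constructed for illustration, and the exact-match check on the OID list assumes an S/MIME-only profile.

```shell
#!/bin/sh
# Added example; function names and the sample file are constructed.
EMAIL_PROTECTION_OID=1.3.6.1.5.5.7.3.4
EKU_KEY=policyset.serverCertSet.7.default.params.exKeyUsageOIDs

# Write a constructed stand-in for `ipa certprofile-show --out` output.
# A real export contains many more lines.
write_sample_profile() {
    cat > "$1" <<'EOF'
profileId=caIPAserviceCert
policyset.serverCertSet.7.default.params.exKeyUsageCritical=false
policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2
EOF
}

# make_smime_profile SRC DST ID
# Copy SRC to DST with profileId set to ID and the EKU list set to
# email protection; every other line passes through unchanged.
make_smime_profile() {
    awk -F= -v id="$3" -v key="$EKU_KEY" -v oid="$EMAIL_PROTECTION_OID" '
        $1 == "profileId" { print "profileId=" id; next }
        $1 == key         { print key "=" oid; next }
        { print }' "$1" > "$2"
}

# check_smime_profile FILE ID
# Return 0 only if FILE can be imported as profile ID for S/MIME use.
check_smime_profile() {
    file_id=$(awk -F= '$1 == "profileId" { print $2 }' "$1")
    eku=$(awk -F= -v key="$EKU_KEY" '$1 == key { print $2 }' "$1")
    # A profileId field, if present, must match the ID used at import.
    if [ -n "$file_id" ] && [ "$file_id" != "$2" ]; then
        echo "profileId '$file_id' does not match '$2'" >&2
        return 1
    fi
    # Assumption: an S/MIME-only profile, so leftover TLS OIDs are rejected.
    if [ "$eku" != "$EMAIL_PROTECTION_OID" ]; then
        echo "unexpected exKeyUsageOIDs: '${eku:-missing}'" >&2
        return 1
    fi
}

# Demo on the constructed sample.
tmp=$(mktemp -d)
write_sample_profile "$tmp/default.cfg"
make_smime_profile "$tmp/default.cfg" "$tmp/smime.cfg" smime
check_smime_profile "$tmp/smime.cfg" smime && echo "smime.cfg is ready for import"
rm -rf "$tmp"
```

Running the check against an unedited copy of the default profile fails on both conditions, which catches a file that was exported but never modified.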
Additional resources
- See ipa help certprofile.
- See RFC 5280, section 4.2.1.12.