While learning OpenSSL you constantly need to set up a CA and then have that CA issue certificates to clients; repeating this process over and over gets tiresome.
So I wrote this document to automate the process, in two parts: issuing a CA root certificate, and issuing a certificate chain.
Some command lines are long and wrap onto several lines, so do not copy them line by line; copy the whole block from beginning to end and paste it into a Windows command prompt to run it (make sure the last line ends with a newline), or save it as a batch file.
Add the folder containing openssl.exe (C:\Program Files\OpenSSL-Win64\bin by default) to the PATH environment variable and the batch file can be run from anywhere. Each run first deletes every file generated previously and then creates new ones, so copy out anything you need to keep beforehand. The password protecting the CA private key is abcd.
Issuing the CA root certificate:
Scenario: set up a root CA and have it issue certificates to hosts HOST1 and HOST2.
The batch file creates three directories in the root of drive D: CA, HOST1 and HOST2.
The CA directory holds four key files: the CA root certificate, private key, public key and serial-number file (which records the serial number of the last certificate issued and is incremented by 1 each time); in addition it keeps backups of all the files issued to users;
The HOST1 directory holds six files: HOST1's certificate, private key, public key and request file, plus the CA root certificate and the CA public key;
The HOST2 directory holds six files: HOST2's certificate, private key, public key and request file, plus the CA root certificate and the CA public key;
The batch file is as follows:
rem Create the working directories, wipe any previous output and switch to d:\ca
md d:\host1&md d:\host2&md d:\ca&del/q d:\host2\*.*&del/q d:\host1\*.*&del/q d:\ca\*.*&d:&cd\ca
rem Self-signed root certificate valid 10 years; the private key is encrypted with the password abcd
openssl req -x509 -newkey rsa:8192 -keyout ca.key -out ca.cer -days 3650 -subj /C=CN/ST=jiangsu/L=nanjing/O=Tiger/OU=T-CA/CN=CA/[email protected] -passout pass:abcd
rem Extract the CA public key and give both hosts the root certificate and the public key
openssl rsa -in ca.key -pubout -out ca.pub -passin pass:abcd
copy ca.pub d:\host1&copy ca.cer d:\host1&copy ca.pub d:\host2&copy ca.cer d:\host2
rem Host keys (-nodes: no key password) and certificate requests
openssl req -newkey rsa:8192 -keyout host1.key -out host1.csr -subj /CN=host1 -nodes
openssl req -newkey rsa:8192 -keyout host2.key -out host2.csr -subj /CN=host2 -nodes
rem Sign the requests with the CA; -CAcreateserial creates ca.srl on first use and increments it on every later signing
openssl x509 -req -in host1.csr -out host1.cer -CA ca.cer -CAkey ca.key -CAcreateserial -passin pass:abcd
openssl x509 -req -in host2.csr -out host2.cer -CA ca.cer -CAkey ca.key -CAcreateserial -passin pass:abcd
rem Extract the host public keys, then copy each host's files to its directory (the originals stay in d:\ca as the backup)
openssl rsa -in host1.key -pubout -out host1.pub -passin pass:abcd
openssl rsa -in host2.key -pubout -out host2.pub -passin pass:abcd
copy host1.* d:\host1
copy host2.* d:\host2
Issuing a two-level certificate chain, for certificate-chain experiments
Scenario: set up root CA1; CA1 issues CA2's certificate; CA2 issues certificates for hosts HOST1 and HOST2.
The batch file creates the directories CA1, CA2, HOST1 and HOST2 in the root of drive D; each holds the files its name suggests, and CA2 keeps backups of every certificate it issued.
rem Create the working directories, wipe any previous output and switch to d:\ca1
md d:\host1&md d:\host2&md d:\ca1&md d:\ca2&del/q d:\host1\*.*&del/q d:\host2\*.*&del/q d:\ca1\*.*&del/q d:\ca2\*.*&d:&cd\ca1
rem Root CA1: self-signed certificate valid 10 years, key encrypted with the password abcd
openssl req -x509 -newkey rsa:8192 -keyout ca1.key -out ca1.cer -days 3650 -subj /C=CN/ST=jiangsu/L=nanjing/O=Tiger/OU=T-CA/CN=CA1/[email protected] -passout pass:abcd
openssl rsa -in ca1.key -pubout -out ca1.pub -passin pass:abcd
rem Intermediate CA2: unencrypted key and request, signed by CA1, then moved to its own directory
openssl req -newkey rsa:8192 -keyout ca2.key -out ca2.csr -subj /CN=CA2 -nodes
openssl rsa -in ca2.key -pubout -out ca2.pub -passin pass:abcd
openssl x509 -req -in ca2.csr -out ca2.cer -CA ca1.cer -CAkey ca1.key -CAcreateserial -passin pass:abcd
move ca2.* d:\ca2&cd d:\ca2
rem Host requests signed by CA2; each host also receives the CA2 certificate and public key
openssl req -newkey rsa:8192 -keyout host1.key -out host1.csr -subj /CN=host1 -nodes
openssl req -newkey rsa:8192 -keyout host2.key -out host2.csr -subj /CN=host2 -nodes
openssl x509 -req -in host1.csr -out host1.cer -CA ca2.cer -CAkey ca2.key -CAcreateserial -passin pass:abcd
openssl x509 -req -in host2.csr -out host2.cer -CA ca2.cer -CAkey ca2.key -CAcreateserial -passin pass:abcd
openssl rsa -in host1.key -pubout -out host1.pub -passin pass:abcd
openssl rsa -in host2.key -pubout -out host2.pub -passin pass:abcd
copy host1.* d:\host1&copy ca2.cer d:\host1&copy ca2.pub d:\host1
copy host2.* d:\host2&copy ca2.cer d:\host2&copy ca2.pub d:\host2
Issuing a three-level certificate chain, for certificate-chain experiments
Scenario: set up root CA1; CA1 issues CA2's certificate; CA2 issues CA3's certificate; CA3 issues certificates for hosts HOST1 and HOST2.
The batch file creates the directories CA1, CA2, CA3, HOST1 and HOST2 in the root of drive D; each holds the files its name suggests, and CA3 keeps backups of every certificate it issued.
rem Create the working directories, wipe any previous output and switch to d:\ca1
md d:\host1&md d:\host2&md d:\ca1&md d:\ca2&md d:\ca3&del/q d:\host1\*.*&del/q d:\host2\*.*&del/q d:\ca1\*.*&del/q d:\ca2\*.*&del/q d:\ca3\*.*&d:&cd\ca1
rem Root CA1: self-signed certificate valid 10 years, key encrypted with the password abcd
openssl req -x509 -newkey rsa:8192 -keyout ca1.key -out ca1.cer -days 3650 -subj /C=CN/ST=jiangsu/L=nanjing/O=Tiger/OU=T-CA/CN=CA1/[email protected] -passout pass:abcd
openssl rsa -in ca1.key -pubout -out ca1.pub -passin pass:abcd
rem Intermediate CA2, signed by CA1
openssl req -newkey rsa:8192 -keyout ca2.key -out ca2.csr -subj /CN=CA2 -nodes
openssl rsa -in ca2.key -pubout -out ca2.pub -passin pass:abcd
openssl x509 -req -in ca2.csr -out ca2.cer -CA ca1.cer -CAkey ca1.key -CAcreateserial -passin pass:abcd
move ca2.* d:\ca2
rem Intermediate CA3, signed by CA2 (paths point at d:\ca2 because we are still in d:\ca1)
openssl req -newkey rsa:8192 -keyout ca3.key -out ca3.csr -subj /CN=CA3 -nodes
openssl rsa -in ca3.key -pubout -out ca3.pub -passin pass:abcd
openssl x509 -req -in ca3.csr -out ca3.cer -CA d:\ca2\ca2.cer -CAkey d:\ca2\ca2.key -CAcreateserial -passin pass:abcd
move ca3.* d:\ca3
cd d:\ca3
rem Host requests signed by CA3; each host also receives the CA3 certificate and public key
openssl req -newkey rsa:8192 -keyout host1.key -out host1.csr -subj /CN=host1 -nodes
openssl req -newkey rsa:8192 -keyout host2.key -out host2.csr -subj /CN=host2 -nodes
openssl x509 -req -in host1.csr -out host1.cer -CA ca3.cer -CAkey ca3.key -CAcreateserial -passin pass:abcd
openssl x509 -req -in host2.csr -out host2.cer -CA ca3.cer -CAkey ca3.key -CAcreateserial -passin pass:abcd
openssl rsa -in host1.key -pubout -out host1.pub -passin pass:abcd
openssl rsa -in host2.key -pubout -out host2.pub -passin pass:abcd
copy host1.* d:\host1&copy ca3.cer d:\host1&copy ca3.pub d:\host1
copy host2.* d:\host2&copy ca3.cer d:\host2&copy ca3.pub d:\host2
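As an added example (not the blog's batch file), the following POSIX shell script builds the same root -> intermediate -> host layout as the chain sections above and then runs the check the batch files stop short of: openssl verify with the root as trust anchor and the intermediate supplied as untrusted chain material. The 2048-bit unencrypted keys, the short subject names and the temporary directory are assumptions chosen for a quick run; the intermediate is also given an explicit basicConstraints=CA:TRUE extension, which the plain "x509 -req" signing used above omits and which strict verifiers require of any non-root issuer.

```shell
#!/bin/sh
# Added example, not the blog's batch file: root CA1 -> intermediate CA2 -> host1,
# then "openssl verify" on the result. 2048-bit unencrypted keys, short subjects
# and a temp directory are assumptions chosen for a quick run.
set -eu
WORK=$(mktemp -d)
cd "$WORK"

# The page signs CA2 with a plain "x509 -req" and no extensions. A non-root issuer
# without basicConstraints=CA:TRUE is rejected by strict verifiers, so the
# intermediate gets explicit CA extensions here; the leaf is marked CA:FALSE.
cat > ca_ext.cnf <<'EOF'
basicConstraints=critical,CA:TRUE,pathlen:0
keyUsage=critical,keyCertSign,cRLSign
subjectKeyIdentifier=hash
EOF
cat > leaf_ext.cnf <<'EOF'
basicConstraints=CA:FALSE
keyUsage=critical,digitalSignature,keyEncipherment
subjectAltName=DNS:host1
EOF

# Root CA1: self-signed, mirrors the page's "req -x509" step.
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca1.key -out ca1.cer \
    -days 3650 -subj "/O=Tiger/OU=T-CA/CN=CA1" 2>/dev/null
# Intermediate CA2: CSR signed by CA1; -CAcreateserial writes ca1.srl.
openssl req -newkey rsa:2048 -nodes -keyout ca2.key -out ca2.csr -subj "/CN=CA2" 2>/dev/null
openssl x509 -req -in ca2.csr -CA ca1.cer -CAkey ca1.key -CAcreateserial \
    -days 1825 -extfile ca_ext.cnf -out ca2.cer 2>/dev/null
# Leaf host1: CSR signed by CA2.
openssl req -newkey rsa:2048 -nodes -keyout host1.key -out host1.csr -subj "/CN=host1" 2>/dev/null
openssl x509 -req -in host1.csr -CA ca2.cer -CAkey ca2.key -CAcreateserial \
    -days 365 -extfile leaf_ext.cnf -out host1.cer 2>/dev/null

# verify_leaf LEAF TRUSTED [UNTRUSTED]: prints OK or FAIL and never aborts the script.
verify_leaf() {
    if [ $# -ge 3 ]; then
        openssl verify -CAfile "$2" -untrusted "$3" "$1" >/dev/null 2>&1 && echo OK || echo FAIL
    else
        openssl verify -CAfile "$2" "$1" >/dev/null 2>&1 && echo OK || echo FAIL
    fi
}

echo "root + intermediate : $(verify_leaf host1.cer ca1.cer ca2.cer)"  # OK
echo "root only           : $(verify_leaf host1.cer ca1.cer)"          # FAIL: issuer CA2 not supplied
echo "intermediate only   : $(verify_leaf host1.cer ca2.cer)"          # FAIL: CA2 is not self-signed (see -partial_chain)
```

The third case shows why the batch files copy the intermediate certificate next to each host certificate: a relying party needs the intermediate to reach the root, but trusting the intermediate alone is not enough unless the verifier is told to accept a partial chain.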