x509命令和CA命令都能以CA身份給客戶簽發證書,本文介紹前者,CA命令的用法見另一篇博文。
當使用-CA infile選項時,x509命令的行爲就像是一個“迷你CA”,對輸入的文件進行簽名,它不像CA命令那樣需要預先建立配置文件定義的目錄結構,也不把曾經簽署的證書信息寫入數據庫,使用上相對方便一些。
把openssl.exe所在文件夾加入PATH環境變量,就可以在任何位置執行批處理(不建議安裝於C盤,因爲在生成文件的過程中可能會遇到的權限問題),本實驗會用到隨OpenSSL默認安裝的配置文件"C:\Program Files\OpenSSL-Win64\bin\cnf\openssl.cnf",請確保該文件存在。
爲了保證乾淨的實驗環境,每次執行批處理都會先刪除它們然後重建,所以不要在這些目錄裏保存重要資料。切記!
OpenSSL版本號爲Windows版1.1.1c 28 May 2019。
用x509命令簽發證書
根CA簽發
實驗場景:先建立根CA:RCA,再由RCA籤發主機HOST1和HOST2的證書
echo 刪除之前所有的文件 d:&cd\&rd/s/q host1&rd/s/q host2&rd/s/q rca&md host1&md host2&md rca&cd rca echo 生成自簽名的根證書,私鑰和公鑰: openssl req -x509 -newkey rsa:8192 -keyout rca.key -out rca.cer -days 3650 -subj /C=CN/ST=jiangsu/L=nanjing/O=Tiger/OU=T-CA/CN=RCA/[email protected] -passout pass:abcd openssl rsa -in rca.key -pubout -out rca.pub -passin pass:abcd echo 把RCA的證書和公鑰拷貝到HOST1和HOST2 copy rca.pub d:\host1© rca.cer d:\host1© rca.pub d:\host2© rca.cer d:\host2 echo 生成host1與host2的證書請求、私鑰和公鑰 openssl req -newkey rsa:8192 -keyout host1.key -out host1.csr -subj /C=CN/ST=guangdong/L=shenzhen/O=SUN/OU=SUN-A/CN=host1 -passout pass:abcd openssl req -newkey rsa:8192 -keyout host2.key -out host2.csr -subj /C=CN/O=Tiger/ST=jiangsu/CN=host2 -passout pass:abcd openssl rsa -in host1.key -pubout -out host1.pub -passin pass:abcd openssl rsa -in host2.key -pubout -out host2.pub -passin pass:abcd echo 用RCA的私鑰簽署用戶請求 Openssl x509 -req -days 1095 -in host1.csr -CA rca.cer -CAkey rca.key -out host1.cer -passin pass:abcd -CAcreateserial Openssl x509 -req -days 1095 -in host2.csr -CA rca.cer -CAkey rca.key -out host2.cer -passin pass:abcd -CAcreateserial echo 把HOST1和HOST2的所屬文件拷貝到對應目錄 copy host1.* d:\host1© host2.* d:\host2 echo 驗證證書鏈 openssl verify -show_chain -CAfile rca.cer host1.cer openssl x509 -in rca.cer -noout -text|find "CA:TRUE" openssl x509 -in host1.cer -noout -text|find "CA:TRUE" openssl x509 -in host2.cer -noout -text|find "CA:TRUE"
二級CA簽發
根CA:CA1
中間CA:CA2
CA1簽發CA2的證書,CA2給HOST1和HOST2簽發證書。
批處理在D盤根目錄下建立目錄CA1、CA2、HOST1、HOST2,各目錄存放的文件顧名思義,其中CA2保留曾簽發的所有證書的備份。
echo 刪除之前所有的文件 d:&cd\&rd/s/q host1&rd/s/q host2&rd/s/q ca1&rd/s/q ca2&md host1&md host2&md ca1&md ca2&cd ca1 echo 生成自簽名的CA1根證書、私鑰和公鑰: openssl req -x509 -newkey rsa:8192 -keyout ca1.key -out ca1.cer -days 3650 -subj /C=CN/ST=jiangsu/L=nanjing/O=Tiger/OU=T-CA/CN=CA1/[email protected] -passout pass:abcd openssl rsa -in ca1.key -pubout -out ca1.pub -passin pass:abcd echo 把CA1的證書和公鑰拷貝到CA2,HOST1和HOST2 copy ca1.cer d:\host1© ca1.pub d:\host1© ca1.cer d:\host2© ca1.pub d:\host2© ca1.cer d:\ca2© ca1.pub d:\ca2 echo 生成CA2的請求,私鑰和公鑰 openssl req -newkey rsa:8192 -keyout ca2.key -out ca2.csr -days 3650 -subj /C=CN/ST=jiangsu/L=nanjing/O=Tiger/OU=T-CA/CN=CA2/[email protected] -passout pass:abcd openssl rsa -in ca2.key -pubout -out ca2.pub -passin pass:abcd echo 用CA1的私鑰簽署CA2的請求 Openssl x509 -req -days 1095 -in ca2.csr -CA ca1.cer -CAkey ca1.key -out ca2.cer -passin pass:abcd -extfile "C:\Program Files\OpenSSL-Win64\bin\cnf\openssl.cnf" -extensions v3_ca -CAcreateserial echo 把CA2的證書和公鑰拷貝到HOST1和HOST2,把CA2所屬文件都拷貝到CA2 copy ca2.cer d:\host1© ca2.pub d:\host1© ca2.cer d:\host2© ca2.pub d:\host2© ca2.* \ca2&cd\ca2 echo 生成HOST1與HOST2的證書請求、私鑰和公鑰 openssl req -newkey rsa:8192 -keyout host1.key -out host1.csr -subj /C=CN/ST=guangdong/L=shenzhen/O=SUN/OU=SUN-A/CN=host1 -passout pass:abcd openssl req -newkey rsa:8192 -keyout host2.key -out host2.csr -subj /C=CN/O=Tiger/ST=jiangsu/CN=host2 -passout pass:abcd openssl rsa -in host1.key -pubout -out host1.pub -passin pass:abcd openssl rsa -in host2.key -pubout -out host2.pub -passin pass:abcd echo 用CA2的私鑰簽署用戶證書: Openssl x509 -req -days 1095 -in host1.csr -CA ca2.cer -CAkey ca2.key -out host1.cer -passin pass:abcd -CAcreateserial Openssl x509 -req -days 1095 -in host2.csr -CA ca2.cer -CAkey ca2.key -out host2.cer -passin pass:abcd -CAcreateserial echo 把HOST1和HOST2的所有文件拷貝到對應目錄 copy host1.* d:\host1© host2.* d:\host2 echo 驗證證書鏈 copy ca2.cer+ca1.cer ca-chain.cer openssl verify -show_chain -CAfile ca-chain.cer host1.cer openssl verify -show_chain -CAfile ca-chain.cer host2.cer openssl x509 -in ca1.cer -noout -text|find "CA:TRUE" openssl x509 -in ca2.cer -noout -text|find "CA:TRUE" openssl x509 -in host1.cer -noout -text|find "CA:TRUE" openssl x509 -in host2.cer -noout -text|find "CA:TRUE"
三級CA簽發
根CA:CA1
中間CA:CA2,CA3
CA1簽發CA2的證書,CA2簽發CA3的證書,CA3給HOST1和HOST2簽發證書。
批處理在D盤根目錄下建立目錄CA1、CA2、CA3、HOST1、HOST2,各目錄存放的文件顧名思義,其中CA3保留曾簽發的所有證書的備份。
echo 刪除之前所有的文件 d:&cd\&rd/s/q host1&rd/s/q host2&rd/s/q ca1&rd/s/q ca2&rd/s/q ca3&md host1&md host2&md ca1&md ca2&md ca3&cd ca1 echo 生成自簽名的CA1根證書、私鑰和公鑰: openssl req -x509 -newkey rsa:8192 -keyout ca1.key -out ca1.cer -days 3650 -subj /C=CN/ST=jiangsu/L=nanjing/O=Tiger/OU=T-CA/CN=CA1/[email protected] -passout pass:abcd openssl rsa -in ca1.key -pubout -out ca1.pub -passin pass:abcd echo 把CA1的證書和公鑰拷貝到CA2,CA3,HOST1,HOST2 copy ca1.cer d:\ca2© ca1.pub d:\ca2© ca1.cer d:\ca3© ca1.pub d:\ca3© ca1.cer d:\host1© ca1.pub d:\host1© ca1.cer d:\host2© ca1.pub d:\host2 echo 生成CA2的請求,私鑰和公鑰 openssl req -newkey rsa:8192 -keyout ca2.key -out ca2.csr -days 3650 -subj /C=CN/ST=jiangsu/L=nanjing/O=Tiger/OU=T-CA/CN=CA2/[email protected] -passout pass:abcd openssl rsa -in ca2.key -pubout -out ca2.pub -passin pass:abcd echo 用CA1的私鑰簽署CA2的請求 Openssl x509 -req -days 1095 -in ca2.csr -CA ca1.cer -CAkey ca1.key -out ca2.cer -passin pass:abcd -extfile "C:\Program Files\OpenSSL-Win64\bin\cnf\openssl.cnf" -extensions v3_ca -CAcreateserial echo 把CA2的證書和公鑰拷貝到CA3,HOST1和HOST2,把CA2所屬文件都拷貝到CA2 copy ca2.cer d:\ca3© ca2.pub d:\ca3© ca2.cer d:\host1© ca2.pub d:\host1© ca2.cer d:\host2© ca2.pub d:\host2© ca2.* \ca2&cd\ca2 echo 生成CA3的請求,私鑰和公鑰 openssl req -newkey rsa:8192 -keyout ca3.key -out ca3.csr -days 3650 -subj /C=CN/ST=jiangsu/L=nanjing/O=Tiger/OU=T-CA/CN=CA3/[email protected] -passout pass:abcd openssl rsa -in ca3.key -pubout -out ca3.pub -passin pass:abcd echo 用CA2的私鑰簽署CA3的請求 Openssl x509 -req -days 1095 -in ca3.csr -CA ca2.cer -CAkey ca2.key -out ca3.cer -passin pass:abcd -extfile "C:\Program Files\OpenSSL-Win64\bin\cnf\openssl.cnf" -extensions v3_ca -CAcreateserial echo 把CA3的證書和公鑰拷貝到HOST1和HOST2,把CA3所屬文件都拷貝到CA3 copy ca3.cer d:\host1© ca3.pub d:\host1© ca3.cer d:\host2© ca3.pub d:\host2© ca3.* \ca3&cd\ca3 echo 生成HOST1與HOST2的證書請求、私鑰和公鑰 openssl req -newkey rsa:8192 -keyout host1.key -out host1.csr -subj /C=CN/ST=guangdong/L=shenzhen/O=SUN/OU=SUN-A/CN=host1 -passout pass:abcd openssl req -newkey rsa:8192 -keyout host2.key -out host2.csr -subj /C=CN/O=Tiger/ST=jiangsu/CN=host2 -passout pass:abcd openssl rsa -in host1.key -pubout -out host1.pub -passin pass:abcd openssl rsa -in host2.key -pubout -out host2.pub -passin pass:abcd echo 用CA3的私鑰簽署用戶證書: Openssl x509 -req -days 1095 -in host1.csr -CA ca3.cer -CAkey ca3.key -out host1.cer -passin pass:abcd -CAcreateserial Openssl x509 -req -days 1095 -in host2.csr -CA ca3.cer -CAkey ca3.key -out host2.cer -passin pass:abcd -CAcreateserial echo 把HOST1和HOST2的所有文件拷貝到對應目錄 copy host1.* d:\host1© host2.* d:\host2 echo 驗證證書鏈: copy ca3.cer+ca2.cer+ca1.cer ca-chain.cer openssl verify -show_chain -CAfile ca-chain.cer host1.cer openssl verify -show_chain -CAfile ca-chain.cer host2.cer openssl x509 -in ca1.cer -noout -text|find "CA:TRUE" openssl x509 -in ca2.cer -noout -text|find "CA:TRUE" openssl x509 -in ca3.cer -noout -text|find "CA:TRUE" openssl x509 -in host1.cer -noout -text|find "CA:TRUE" openssl x509 -in host2.cer -noout -text|find "CA:TRUE"