OpenSSL self-signed CA and CA chain: issuing certificates to hosts in batch (using the ca command)

While learning OpenSSL one frequently needs to set up a CA and then have that CA issue certificates to users. Doing this by hand over and over is repetitive and tedious, so I wrote the batch files below to automate the process.

Add the folder containing openssl.exe to the PATH environment variable so the batch files can be run from any location (installing under C:\ is not recommended, because you may run into permission problems when the files are generated). The OpenSSL used in this experiment is the Windows build of version 1.1.1c, 28 May 2019.

Two commands can sign certificates as the CA: openssl ca and openssl x509. They are covered in two separate posts, and each post is split into two parts, issuance directly by a root CA and issuance through a CA chain, with complete code for each. The code can be pasted into a Windows command window and executed (make sure the last line ends with a carriage return, otherwise it will not run) or saved as a batch file.

Note that the batches create the directories RCA, CA1, CA2, CA3, HOST1 and HOST2 under the root of D:. To guarantee a clean experimental environment, each run deletes them and creates them again, so do not keep anything important in these directories. Remember!

Issuing certificates with the ca command

Experimental scenario: first set up a root CA (RCA), then have the root CA issue the host certificates for HOST1 and HOST2.

Experimental preparation: signing with the ca command uses the OpenSSL configuration file; by default this is C:\Program Files\Common Files\SSL\openssl.cnf (a different file can be selected with the OPENSSL_CONF environment variable or the -config option). Three sections of that file (a section is delimited by a name in square brackets) need attention; the batches below are written for exactly these values, so if your file differs they will not work. In the stock file, countryName, stateOrProvinceName and organizationName in [ policy_match ] are set to match, which would reject the host requests here because their subjects (O=SUN) differ from the CA's (O=Tiger); change them to optional. Text after # is a comment and does not need to be in the file.

[ CA_default ]
            dir           = ./demoCA               # top-level CA directory, relative to where openssl is run
            database      = $dir/index.txt         # certificate database
            new_certs_dir = $dir/newcerts          # a copy of each newly issued certificate is written here
            certificate   = $dir/cacert.pem        # the CA certificate
            private_key   = $dir/private/cakey.pem # the CA private key
            serial        = $dir/serial            # serial number of the next certificate to issue, in hex

            [ policy_match ]
            countryName            = optional      # C
            stateOrProvinceName    = optional      # ST
            organizationName       = optional      # O
            organizationalUnitName = optional      # OU
            commonName             = supplied      # CN, the FQDN of the host
            emailAddress           = optional      # email

            [ v3_ca ]
            basicConstraints = critical,CA:true
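As an added example (not the author's file), here is a minimal, complete openssl.cnf that contains every section the batches on this page rely on and uses the values above. The [ req ] section is needed because openssl req looks up distinguished_name even when the subject is passed with -subj, and [ usr_cert ] is what openssl ca applies to the host certificates whenever -extensions is not given. Point OPENSSL_CONF at this file or pass -config to each openssl req and openssl ca call.

```ini
# Minimal openssl.cnf for the CA batches on this page (added example, not the stock file).
[ ca ]
default_ca        = CA_default

[ CA_default ]
dir               = ./demoCA              # the batches create "democa"; Windows paths are case-insensitive
database          = $dir/index.txt        # one line per issued or revoked certificate
new_certs_dir     = $dir/newcerts         # copy of every issued certificate, named <serial>.pem
certificate       = $dir/cacert.pem       # CA certificate
private_key       = $dir/private/cakey.pem # CA private key
serial            = $dir/serial           # next serial number, hex; must exist before the first signing
crlnumber         = $dir/crlnumber        # next CRL number; "openssl ca -gencrl" refuses to run without it
default_days      = 365                   # validity of everything signed with "openssl ca" unless -days is given
default_crl_days  = 30
default_md        = sha256
policy            = policy_match
x509_extensions   = usr_cert              # extensions for issued certificates unless -extensions overrides
unique_subject    = no                    # allow re-issuing a certificate for the same subject

[ policy_match ]
countryName             = optional
stateOrProvinceName     = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

[ req ]
default_bits        = 2048
distinguished_name  = req_distinguished_name  # required even though every batch passes -subj
x509_extensions     = v3_ca                   # used by "openssl req -x509" for the self-signed root

[ req_distinguished_name ]
# intentionally empty: the subject always comes from -subj

[ usr_cert ]
basicConstraints        = CA:FALSE
subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid,issuer

[ v3_ca ]
subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid:always,issuer
basicConstraints        = critical,CA:true
keyUsage                = critical, digitalSignature, cRLSign, keyCertSign
```

The keyUsage line in [ v3_ca ] is not in the stock file (there it is commented out); it is added here so that a CA certificate states explicitly what its key may do, which stricter validators check.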

With that in place the CA can be created and can sign for other users. The batch creates three directories under the root of D:, RCA, HOST1 and HOST2; the RCA directory ends up with this layout:

D:\rca
    rca.cer  rca.key  rca.pub       root certificate, private key and public key
    host1.*  host2.*                copies of every file generated for the two hosts
    democa\cacert.pem               the CA certificate (copy of rca.cer)
    democa\index.txt                database: one line per certificate issued or revoked
    democa\serial                   next serial number to issue, in hex (set to 01 here, incremented after each signing)
    democa\private\cakey.pem        the CA private key (copy of rca.key)
    democa\newcerts\                a copy of every issued certificate, named by serial number (01.pem, 02.pem, ...)
    democa\index.txt.attr, *.old    bookkeeping files that openssl ca creates itself

So the RCA root directory holds the CA certificate, private key and public key as well as a backup of every certificate issued to users.

The HOST1 and HOST2 directories each hold six files: the host's certificate, private key, public key and certificate request, plus the CA root certificate and the CA public key.

Direct issuance by the root CA

Root CA: RCA

echo Delete everything left over from a previous run
d:&cd\&rd/s/q host1&rd/s/q host2&rd/s/q rca&md host1&md host2&md rca&cd rca&md democa&md democa\newcerts&md democa\private

echo Generate the self-signed root certificate, private key and public key:
openssl req -x509 -newkey rsa:8192 -keyout rca.key -out rca.cer -days 3650 -subj /C=CN/ST=jiangsu/L=nanjing/O=Tiger/OU=T-CA/CN=RCA/[email protected] -passout pass:abcd
openssl rsa -in rca.key -pubout -out rca.pub -passin pass:abcd

echo Copy the RCA certificate and public key to HOST1 and HOST2
copy rca.cer d:\host1&copy rca.pub d:\host1&copy rca.cer d:\host2&copy rca.pub d:\host2
echo Copy the RCA certificate and private key to the locations the config file expects, and create the database and serial files so certificates can be issued
rem cmd treats a digit directly in front of the redirect sign as a handle number, so echo 01 is wrapped in parentheses
copy rca.cer democa\cacert.pem&copy rca.key democa\private\cakey.pem&cd.>democa\index.txt&(echo 01)>democa\serial

echo Generate the certificate requests and private keys for HOST1 and HOST2
openssl req -newkey rsa:8192 -keyout host1.key -out host1.csr -subj /C=CN/ST=guangdong/L=shenzhen/O=SUN/OU=SUN-A/CN=host1 -passout pass:abcd
openssl req -newkey rsa:8192 -keyout host2.key -out host2.csr -subj /C=CN/O=Tiger/ST=jiangsu/CN=host2 -passout pass:abcd

echo Sign the user requests with the RCA private key
rem validity comes from default_days in openssl.cnf, 365 days, unless -days is given here
openssl ca -batch -notext -in host1.csr -out host1.cer -passin pass:abcd
openssl ca -batch -notext -in host2.csr -out host2.cer -passin pass:abcd
openssl rsa -in host1.key -pubout -out host1.pub -passin pass:abcd
openssl rsa -in host2.key -pubout -out host2.pub -passin pass:abcd
copy host1.* d:\host1&copy host2.* d:\host2

echo Verify the certificate chain
openssl verify -CAfile rca.cer host1.cer
openssl verify -CAfile rca.cer host2.cer

Issuing certificates through a two-level CA

Root CA: CA1

Intermediate CA: CA2

CA2 issues the certificates for hosts HOST1 and HOST2.

The batch creates the directories CA1, CA2, HOST1 and HOST2 under the root of D:; each holds the files its name suggests, and CA2 keeps a backup of every certificate it issued.

echo Delete everything left over from a previous run
d:&cd\&rd/s/q host1&rd/s/q host2&rd/s/q ca1&rd/s/q ca2&md host1&md host2&md ca1&md ca2&cd ca1&md democa&md democa\newcerts&md democa\private&cd\ca2&md democa&md democa\newcerts&md democa\private&cd\ca1

echo Generate the self-signed CA1 root certificate, private key and public key:
openssl req -x509 -newkey rsa:8192 -keyout ca1.key -out ca1.cer -days 3650 -subj /C=CN/ST=jiangsu/L=nanjing/O=Tiger/OU=T-CA/CN=CA1/[email protected] -passout pass:abcd
openssl rsa -in ca1.key -pubout -out ca1.pub -passin pass:abcd

echo Copy the CA1 certificate and public key to HOST1 and HOST2
copy ca1.cer d:\host1&copy ca1.pub d:\host1&copy ca1.cer d:\host2&copy ca1.pub d:\host2

echo Copy the CA1 certificate and private key to the locations the config file expects, and create the database and serial files so CA2 can be issued a certificate
rem cmd treats a digit directly in front of the redirect sign as a handle number, so echo 01 is wrapped in parentheses
copy ca1.cer democa\cacert.pem&copy ca1.key democa\private\cakey.pem&cd.>democa\index.txt&(echo 01)>democa\serial

echo Generate the CA2 request, private key and public key
rem -days is ignored when creating a request; the validity is set below when CA1 signs it
openssl req -newkey rsa:8192 -keyout ca2.key -out ca2.csr -subj /C=CN/ST=jiangsu/L=nanjing/O=Tiger/OU=T-CA/CN=CA2/[email protected] -passout pass:abcd
openssl rsa -in ca2.key -pubout -out ca2.pub -passin pass:abcd

echo Sign the CA2 request with the CA1 private key, using the v3_ca extensions so CA2 is itself a CA
openssl ca -extensions v3_ca -days 3650 -batch -notext -in ca2.csr -out ca2.cer -passin pass:abcd

echo Copy the CA2 certificate and public key to HOST1 and HOST2
copy ca2.cer d:\host1&copy ca2.pub d:\host1&copy ca2.cer d:\host2&copy ca2.pub d:\host2

echo Copy all CA2 files to the CA2 directory, and put the CA2 certificate and private key where the config file expects them so CA2 can issue user certificates
copy ca2.* \ca2&copy ca2.cer \ca2\democa\cacert.pem&copy ca2.key \ca2\democa\private\cakey.pem&cd\ca2&cd.>democa\index.txt&(echo 01)>democa\serial&copy \ca1\ca1.cer&copy \ca1\ca1.pub

echo Generate the certificate requests and private keys for HOST1 and HOST2
openssl req -newkey rsa:8192 -keyout host1.key -out host1.csr -subj /C=CN/ST=guangdong/L=shenzhen/O=SUN/OU=SUN-A/CN=host1 -passout pass:abcd
openssl req -newkey rsa:8192 -keyout host2.key -out host2.csr -subj /C=CN/O=Tiger/ST=jiangsu/CN=host2 -passout pass:abcd

echo Issue the user certificates with the CA2 private key:
openssl ca -batch -notext -in host1.csr -out host1.cer -passin pass:abcd
openssl ca -batch -notext -in host2.csr -out host2.cer -passin pass:abcd
openssl rsa -in host1.key -pubout -out host1.pub -passin pass:abcd
openssl rsa -in host2.key -pubout -out host2.pub -passin pass:abcd

echo Copy all HOST1 and HOST2 files to their directories
copy host1.* d:\host1&copy host2.* d:\host2

echo Verify the certificate chain
rem /b concatenates the PEM files byte for byte without appending an end-of-file marker
copy /b ca2.cer+ca1.cer ca-chain.cer
openssl verify -CAfile ca-chain.cer host1.cer
openssl verify -CAfile ca-chain.cer host2.cer

Issuing certificates through a three-level CA

Root CA: CA1

Intermediate CAs: CA2 and CA3

CA3 issues the certificates for HOST1 and HOST2.

The batch creates the directories CA1, CA2, CA3, HOST1 and HOST2 under the root of D:; each holds the files its name suggests, and CA3 keeps a backup of every certificate it issued.

echo Delete everything left over from a previous run
d:&cd\&rd/s/q host1&rd/s/q host2&rd/s/q ca1&rd/s/q ca2&rd/s/q ca3&md host1&md host2&md ca1&md ca2&md ca3&cd ca1&md democa&md democa\newcerts&md democa\private&cd\ca2&md democa&md democa\newcerts&md democa\private&cd\ca3&md democa&md democa\newcerts&md democa\private&cd\ca1

echo Generate the self-signed CA1 root certificate, private key and public key:
openssl req -x509 -newkey rsa:8192 -keyout ca1.key -out ca1.cer -days 3650 -subj /C=CN/ST=jiangsu/L=nanjing/O=Tiger/OU=T-CA/CN=CA1/[email protected] -passout pass:abcd
openssl rsa -in ca1.key -pubout -out ca1.pub -passin pass:abcd

echo Copy the CA1 certificate and public key to HOST1 and HOST2
copy ca1.cer d:\host1&copy ca1.pub d:\host1&copy ca1.cer d:\host2&copy ca1.pub d:\host2

echo Copy the CA1 certificate and private key to the locations the config file expects, and create the database and serial files so CA2 can be issued a certificate
rem cmd treats a digit directly in front of the redirect sign as a handle number, so echo 01 is wrapped in parentheses
copy ca1.cer democa\cacert.pem&copy ca1.key democa\private\cakey.pem&cd.>democa\index.txt&(echo 01)>democa\serial

echo Generate the CA2 request, private key and public key
rem -days is ignored when creating a request; the validity is set when the parent CA signs it
openssl req -newkey rsa:8192 -keyout ca2.key -out ca2.csr -subj /C=CN/ST=jiangsu/L=nanjing/O=Tiger/OU=T-CA/CN=CA2/[email protected] -passout pass:abcd
openssl rsa -in ca2.key -pubout -out ca2.pub -passin pass:abcd

echo Sign the CA2 request with the CA1 private key, using the v3_ca extensions so CA2 is itself a CA
openssl ca -extensions v3_ca -days 3650 -batch -notext -in ca2.csr -out ca2.cer -passin pass:abcd

echo Copy the CA2 certificate and public key to HOST1 and HOST2
copy ca2.cer d:\host1&copy ca2.pub d:\host1&copy ca2.cer d:\host2&copy ca2.pub d:\host2

echo Copy all CA2 files to the CA2 directory, and put the CA2 certificate and private key where the config file expects them so CA2 can issue a certificate to CA3
copy ca2.* \ca2&copy ca2.cer \ca2\democa\cacert.pem&copy ca2.key \ca2\democa\private\cakey.pem&cd\ca2&cd.>democa\index.txt&(echo 01)>democa\serial&copy \ca1\ca1.cer&copy \ca1\ca1.pub

echo Generate the CA3 request, private key and public key
openssl req -newkey rsa:8192 -keyout ca3.key -out ca3.csr -subj /C=CN/ST=jiangsu/L=nanjing/O=Tiger/OU=T-CA/CN=CA3/[email protected] -passout pass:abcd
openssl rsa -in ca3.key -pubout -out ca3.pub -passin pass:abcd

echo Sign the CA3 request with the CA2 private key, again with the v3_ca extensions
openssl ca -extensions v3_ca -days 3650 -batch -notext -in ca3.csr -out ca3.cer -passin pass:abcd

echo Copy the CA3 certificate and public key to HOST1 and HOST2
copy ca3.cer d:\host1&copy ca3.pub d:\host1&copy ca3.cer d:\host2&copy ca3.pub d:\host2

echo Copy all CA3 files to the CA3 directory, and put the CA3 certificate and private key where the config file expects them so CA3 can issue user certificates
copy ca3.* \ca3&copy ca3.cer \ca3\democa\cacert.pem&copy ca3.key \ca3\democa\private\cakey.pem&cd\ca3&cd.>democa\index.txt&(echo 01)>democa\serial&copy ca3.cer \ca1&copy ca3.pub \ca1&copy \ca1\ca1.cer&copy \ca1\ca1.pub&copy \ca2\ca2.cer&copy \ca2\ca2.pub

echo Generate the certificate requests and private keys for HOST1 and HOST2
openssl req -newkey rsa:8192 -keyout host1.key -out host1.csr -subj /C=CN/ST=guangdong/L=shenzhen/O=SUN/OU=SUN-A/CN=host1 -passout pass:abcd
openssl req -newkey rsa:8192 -keyout host2.key -out host2.csr -subj /C=CN/O=Tiger/ST=jiangsu/CN=host2 -passout pass:abcd

echo Sign the user requests with the CA3 private key
openssl ca -batch -notext -in host1.csr -out host1.cer -passin pass:abcd
openssl ca -batch -notext -in host2.csr -out host2.cer -passin pass:abcd
openssl rsa -in host1.key -pubout -out host1.pub -passin pass:abcd
openssl rsa -in host2.key -pubout -out host2.pub -passin pass:abcd
copy host1.* d:\host1&copy host2.* d:\host2

echo Verify the certificate chain:
rem /b concatenates the PEM files byte for byte without appending an end-of-file marker
copy /b ca3.cer+ca2.cer+ca1.cer ca-chain.cer
openssl verify -CAfile ca-chain.cer host1.cer
openssl verify -CAfile ca-chain.cer host2.cer
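The verify lines above put CA2 and CA3 into the trust store together with the root, because -CAfile makes every certificate in the file a trust anchor. The following script is an added example, not part of the original post: it re-checks the three-level chain the way a TLS client would (only CA1 trusted, the intermediates supplied as untrusted chain material with -untrusted), confirms the basicConstraints of each certificate, and then exercises the database that index.txt records by revoking host2 with CA3, publishing a CRL and checking both leaves against it. It assumes the three-level batch has just run, so D:\ca3 holds ca1.cer, ca2.cer, ca3.cer, host1.cer, host2.cer and the democa\ directory, and that abcd is the passphrase of the CA3 key, as above. It also assumes the stock openssl.cnf, whose crlnumber setting is why the script creates democa\crlnumber before -gencrl.

```batch
@echo off
rem Added example, not part of the original post. Run after the three-level batch above,
rem from the CA3 working directory it leaves behind: D:\ca3 holds ca1.cer, ca2.cer, ca3.cer,
rem host1.cer, host2.cer and the democa\ database; abcd is the CA3 key passphrase used above.
rem Save this as a .bat file: the for loop uses %%f, which would be %f when typed interactively.
d:
cd \ca3

echo === 1. Trust only the root. CA2 and CA3 are offered as untrusted chain material,
echo ===    which is what a TLS client does with the intermediates a server sends.
openssl verify -CAfile ca1.cer -untrusted ca2.cer -untrusted ca3.cer host1.cer
openssl verify -CAfile ca1.cer -untrusted ca2.cer -untrusted ca3.cer host2.cer

echo === 2. Negative test: the root alone cannot validate a leaf issued by CA3, error 20
openssl verify -CAfile ca1.cer host1.cer
if errorlevel 1 echo OK: rejected as expected, the intermediates are missing

echo === 3. Subject, issuer and basicConstraints: CA:TRUE for the CAs, CA:FALSE for the hosts
for %%f in (ca1.cer ca2.cer ca3.cer host1.cer host2.cer) do (
    echo --- %%f
    openssl x509 -in %%f -noout -subject -issuer
    openssl x509 -in %%f -noout -text | findstr /c:"CA:"
)

echo === 4. Revoke host2 with CA3 and issue a CRL
rem The stock openssl.cnf sets crlnumber to democa/crlnumber and -gencrl refuses to run
rem if that file is missing; the batches above never create it.
if not exist democa\crlnumber (>democa\crlnumber echo 01)
openssl ca -revoke host2.cer -passin pass:abcd
openssl ca -gencrl -out ca3.crl -passin pass:abcd
echo --- database after revocation, revoked entries start with R
type democa\index.txt

echo === 5. Check the leaves against the CRL: host1 still OK, host2 revoked, error 23
openssl verify -crl_check -CRLfile ca3.crl -CAfile ca1.cer -untrusted ca2.cer -untrusted ca3.cer host1.cer
openssl verify -crl_check -CRLfile ca3.crl -CAfile ca1.cer -untrusted ca2.cer -untrusted ca3.cer host2.cer
if errorlevel 1 echo OK: host2 is rejected as revoked
```

Without -crl_check the revoked host2.cer still verifies: revocation only has an effect when the verifier is given the CRL and told to consult it, which is why step 4 records the revocation in index.txt and step 5 has to pass the CRL explicitly. -crl_check checks only the leaf; -crl_check_all would also need CRLs from CA1 and CA2.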





Origin blog.51cto.com/9843231/2456904