OpenSSL self-built CA and CA chain: batch scripts for issuing host certificates

While learning OpenSSL you often need to set up a CA and then have that CA issue certificates to users. This process is repeated over and over and is tedious, so I wrote these batch files to automate it.

Put the folder that contains openssl.exe in your PATH environment variable so that the batch files can be run from any location (installing on the C: drive is not recommended, because permission problems may be encountered when files are generated during the run). The OpenSSL version used for this experiment is the Windows build of OpenSSL 1.1.1c 28 May 2019.

There are two commands that can issue a certificate to a client under the CA's identity: the ca command and the x509 command. This article introduces each in turn, and each part is further divided into issuance by a root CA and issuance through a certificate chain; the executable code is given for both. Note that some command lines are very long and are displayed as several lines, so do not copy a single line: copy all of the code from beginning to end, paste it into a Windows command prompt window and run it (make sure the last line ends with a carriage return), or save it as a batch file.

Note that the batch files create the directories rca, ca1, ca2, ca3, host1 and host2 in the root of the D: drive. To guarantee a clean experimental environment, each batch file first deletes these directories and then recreates them, so do not keep anything important in them. Remember!

Issuing certificates with the ca command

Experimental scenario: first set up a root CA, then have the root CA issue the host certificates host1 and host2.

Experimental preparation: signing a certificate with the ca command uses a configuration file, by default C:\Program Files\Common Files\SSL\openssl.cnf (the path can be specified with the OPENSSL_CONF environment variable). Several sections of this file (a section is delimited by square brackets) need special attention; if your values differ from these, adjust them, because the code is written to match these values. Text after a # is a comment and can be ignored.

[ CA_default ]
    dir           = ./demoCA               # top-level directory, relative to where openssl is started
    database      = $dir/index.txt         # index database file name and location
    new_certs_dir = $dir/newcerts          # directory where newly issued certificates are stored
    certificate   = $dir/cacert.pem        # CA certificate file name and location
    private_key   = $dir/private/cakey.pem # CA private key file name and location
    serial        = $dir/serial            # serial number of the next certificate to issue (hexadecimal)

[ policy_match ]
    countryName            = optional      # country
    stateOrProvinceName    = optional      # state or province
    organizationName       = optional      # organization name
    organizationalUnitName = optional      # organizational unit name
    commonName             = supplied      # FQDN, must be present in the request
    emailAddress           = optional      # email address

[ v3_ca ]
    basicConstraints = critical,CA:true
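The root-CA part of the scenario, written out as an added example batch file (my own illustration, not the post's original script). It assumes openssl.exe is in PATH, that OPENSSL_CONF points to an openssl.cnf whose [CA_default], [policy_match] and [v3_ca] sections match the values above (dir = ./demoCA), and it uses the post's directory names rca and host1; the subject names are made up.

```batch
@echo off
REM Added example (not from the original post): build a root CA under D:\rca
REM with "openssl req", then issue host1's certificate with "openssl ca".
REM Assumes openssl.exe is in PATH and OPENSSL_CONF names a config whose
REM [CA_default] has dir = ./demoCA. Subject names below are made up.
setlocal
if exist D:\rca rmdir /s /q D:\rca
if exist D:\host1 rmdir /s /q D:\host1
mkdir D:\rca\demoCA\private D:\rca\demoCA\newcerts D:\host1
cd /d D:\rca
REM "openssl ca" refuses to run without an (empty) index and a serial file.
REM Parentheses keep cmd from treating "1>" as a handle redirect and avoid
REM a trailing space, which would not parse as a hex serial.
type nul > demoCA\index.txt
(echo 01)>demoCA\serial

REM 1. Root CA key and self-signed certificate; [v3_ca] supplies CA:true.
openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -extensions v3_ca ^
  -keyout demoCA\private\cakey.pem -out demoCA\cacert.pem ^
  -subj "/C=CN/O=Example Lab/CN=Example Root CA"
if errorlevel 1 goto fail

REM 2. host1's key and CSR; commonName is the only field [policy_match] demands.
openssl req -new -newkey rsa:2048 -nodes ^
  -keyout D:\host1\host1.key -out D:\host1\host1.csr ^
  -subj "/C=CN/O=Example Lab/CN=host1.example.test"
if errorlevel 1 goto fail

REM 3. The CA signs the CSR. -batch suppresses the interactive prompts so the
REM    script runs unattended; the issued certificate is also recorded in
REM    demoCA\newcerts and demoCA\index.txt, and demoCA\serial is advanced.
openssl ca -batch -days 365 -in D:\host1\host1.csr -out D:\host1\host1.crt
if errorlevel 1 goto fail

REM 4. Confirm the host certificate chains to the root before handing it out.
openssl verify -CAfile demoCA\cacert.pem D:\host1\host1.crt
if errorlevel 1 goto fail
echo host1 certificate issued and verified.
endlocal
exit /b 0

:fail
echo A step failed; see the OpenSSL error above.
endlocal
exit /b 1
```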




Source: blog.51cto.com/9843231/2456903