Both the x509 command and the ca command can act as a CA and issue certificates to end entities. This article covers the former; for the ca command, see another blog post.
With the -CA infile option the x509 command behaves like a "mini CA": it signs the input request directly. Unlike the ca command, there is no need to create beforehand the directory structure defined in the configuration file, and the issued certificate is not recorded in an index database, so it is somewhat easier to use.
Add the folder containing openssl.exe to the PATH environment variable so that the batch files can be run from any location (installing under the C: drive is not recommended, because of permission problems you may run into while the files are being generated). The experiment uses the configuration file installed with OpenSSL by default, "C:\Program Files\OpenSSL-Win64\bin\cnf\openssl.cnf"; make sure this file exists.
To keep the experiment environment clean, each batch file first deletes the working directories and then recreates them, so do not keep anything important in these directories. Remember!
The OpenSSL version used is the Windows build of 1.1.1c, 28 May 2019.
Issuing certificates with the x509 command
A root CA issues certificates directly
Experiment scenario: first set up a root CA, RCA; RCA then issues the host certificates for HOST1 and HOST2.
```bat
echo Delete all files from the previous run
d:&cd\&rd/s/q host1&rd/s/q host2&rd/s/q rca&md host1&md host2&md rca&cd rca
echo Generate the self-signed root certificate, private key and public key:
rem req -x509 takes its extensions from x509_extensions=v3_ca in the default openssl.cnf, so rca.cer carries basicConstraints CA:TRUE
openssl req -x509 -newkey rsa:8192 -keyout rca.key -out rca.cer -days 3650 -subj /C=CN/ST=jiangsu/L=nanjing/O=Tiger/OU=T-CA/CN=RCA/emailAddress=ca@tiger.com -passout pass:abcd
openssl rsa -in rca.key -pubout -out rca.pub -passin pass:abcd
echo Copy the RCA certificate and public key to HOST1 and HOST2
copy rca.pub d:\host1&copy rca.cer d:\host1&copy rca.pub d:\host2&copy rca.cer d:\host2
echo Generate the certificate requests, private keys and public keys for host1 and host2
openssl req -newkey rsa:8192 -keyout host1.key -out host1.csr -subj /C=CN/ST=guangdong/L=shenzhen/O=SUN/OU=SUN-A/CN=host1 -passout pass:abcd
openssl req -newkey rsa:8192 -keyout host2.key -out host2.csr -subj /C=CN/O=Tiger/ST=jiangsu/CN=host2 -passout pass:abcd
openssl rsa -in host1.key -pubout -out host1.pub -passin pass:abcd
openssl rsa -in host2.key -pubout -out host2.pub -passin pass:abcd
echo Sign the user requests with the RCA private key
rem x509 -req without -extfile puts no extensions into the certificate (it is an X.509 v1 certificate); -CAcreateserial creates the serial-number file rca.srl if it does not exist
openssl x509 -req -days 1095 -in host1.csr -CA rca.cer -CAkey rca.key -out host1.cer -passin pass:abcd -CAcreateserial
openssl x509 -req -days 1095 -in host2.csr -CA rca.cer -CAkey rca.key -out host2.cer -passin pass:abcd -CAcreateserial
echo Copy the host1 and host2 files to their own directories
copy host1.* d:\host1&copy host2.* d:\host2
echo Verify the certificate chain
openssl verify -show_chain -CAfile rca.cer host1.cer
rem only rca.cer prints a CA:TRUE line; the host certificates carry no basicConstraints at all
openssl x509 -in rca.cer -noout -text|find "CA:TRUE"
openssl x509 -in host1.cer -noout -text|find "CA:TRUE"
openssl x509 -in host2.cer -noout -text|find "CA:TRUE"
```
Two-level CA
Root CA: CA1
Intermediate CA: CA2
CA1 issues the certificate of CA2; CA2 issues the certificates of HOST1 and HOST2.
The batch file creates the directories CA1, CA2, HOST1 and HOST2 under the root of drive D. Each directory holds the files its name suggests, and CA2 keeps a backup of every certificate it has issued.
```bat
echo Delete all files from the previous run
d:&cd\&rd/s/q host1&rd/s/q host2&rd/s/q ca1&rd/s/q ca2&md host1&md host2&md ca1&md ca2&cd ca1
echo Generate the self-signed CA1 root certificate, private key and public key:
rem the original page shows CA1's e-mail address obfuscated; ca1@tiger.com follows the page's naming pattern and is an assumption
openssl req -x509 -newkey rsa:8192 -keyout ca1.key -out ca1.cer -days 3650 -subj /C=CN/ST=jiangsu/L=nanjing/O=Tiger/OU=T-CA/CN=CA1/emailAddress=ca1@tiger.com -passout pass:abcd
openssl rsa -in ca1.key -pubout -out ca1.pub -passin pass:abcd
echo Copy the CA1 certificate and public key to CA2, HOST1 and HOST2
copy ca1.cer d:\host1&copy ca1.pub d:\host1&copy ca1.cer d:\host2&copy ca1.pub d:\host2&copy ca1.cer d:\ca2&copy ca1.pub d:\ca2
echo Generate the CA2 request, private key and public key
openssl req -newkey rsa:8192 -keyout ca2.key -out ca2.csr -days 3650 -subj /C=CN/ST=jiangsu/L=nanjing/O=Tiger/OU=T-CA/CN=CA2/emailAddress=ca2@tiger.com -passout pass:abcd
openssl rsa -in ca2.key -pubout -out ca2.pub -passin pass:abcd
echo Sign the CA2 request with the CA1 private key
rem -extfile/-extensions v3_ca adds basicConstraints CA:TRUE (with no pathlen) from the default openssl.cnf; without it CA2 would be a v1 certificate and openssl verify would not accept it as a CA
openssl x509 -req -days 1095 -in ca2.csr -CA ca1.cer -CAkey ca1.key -out ca2.cer -passin pass:abcd -extfile "C:\Program Files\OpenSSL-Win64\bin\cnf\openssl.cnf" -extensions v3_ca -CAcreateserial
echo Copy the CA2 certificate and public key to HOST1 and HOST2, and all CA2 files to CA2
copy ca2.cer d:\host1&copy ca2.pub d:\host1&copy ca2.cer d:\host2&copy ca2.pub d:\host2&copy ca2.* \ca2&cd\ca2
echo Generate the certificate requests, private keys and public keys for HOST1 and HOST2
openssl req -newkey rsa:8192 -keyout host1.key -out host1.csr -subj /C=CN/ST=guangdong/L=shenzhen/O=SUN/OU=SUN-A/CN=host1 -passout pass:abcd
openssl req -newkey rsa:8192 -keyout host2.key -out host2.csr -subj /C=CN/O=Tiger/ST=jiangsu/CN=host2 -passout pass:abcd
openssl rsa -in host1.key -pubout -out host1.pub -passin pass:abcd
openssl rsa -in host2.key -pubout -out host2.pub -passin pass:abcd
echo Sign the user certificates with the CA2 private key:
openssl x509 -req -days 1095 -in host1.csr -CA ca2.cer -CAkey ca2.key -out host1.cer -passin pass:abcd -CAcreateserial
openssl x509 -req -days 1095 -in host2.csr -CA ca2.cer -CAkey ca2.key -out host2.cer -passin pass:abcd -CAcreateserial
echo Copy all HOST1 and HOST2 files to their own directories
copy host1.* d:\host1&copy host2.* d:\host2
echo Verify the certificate chain
rem verify needs the whole chain up to the self-signed root, so the intermediate and root certificates are concatenated into one -CAfile
copy ca2.cer+ca1.cer ca-chain.cer
openssl verify -show_chain -CAfile ca-chain.cer host1.cer
openssl verify -show_chain -CAfile ca-chain.cer host2.cer
openssl x509 -in ca1.cer -noout -text|find "CA:TRUE"
openssl x509 -in ca2.cer -noout -text|find "CA:TRUE"
openssl x509 -in host1.cer -noout -text|find "CA:TRUE"
openssl x509 -in host2.cer -noout -text|find "CA:TRUE"
```
Three-level CA
Root CA: CA1
Intermediate CAs: CA2, CA3
CA1 issues the certificate of CA2, CA2 issues the certificate of CA3, and CA3 issues the certificates of HOST1 and HOST2.
The batch file creates the directories CA1, CA2, CA3, HOST1 and HOST2 under the root of drive D. Each directory holds the files its name suggests, and CA3 keeps a backup of every certificate it has issued.
```bat
echo Delete all files from the previous run
d:&cd\&rd/s/q host1&rd/s/q host2&rd/s/q ca1&rd/s/q ca2&rd/s/q ca3&md host1&md host2&md ca1&md ca2&md ca3&cd ca1
echo Generate the self-signed CA1 root certificate, private key and public key:
rem the original page shows the CA1 and CA3 e-mail addresses obfuscated; ca1@tiger.com and ca3@tiger.com follow the page's naming pattern and are assumptions
openssl req -x509 -newkey rsa:8192 -keyout ca1.key -out ca1.cer -days 3650 -subj /C=CN/ST=jiangsu/L=nanjing/O=Tiger/OU=T-CA/CN=CA1/emailAddress=ca1@tiger.com -passout pass:abcd
openssl rsa -in ca1.key -pubout -out ca1.pub -passin pass:abcd
echo Copy the CA1 certificate and public key to CA2, CA3, HOST1 and HOST2
copy ca1.cer d:\ca2&copy ca1.pub d:\ca2&copy ca1.cer d:\ca3&copy ca1.pub d:\ca3&copy ca1.cer d:\host1&copy ca1.pub d:\host1&copy ca1.cer d:\host2&copy ca1.pub d:\host2
echo Generate the CA2 request, private key and public key
openssl req -newkey rsa:8192 -keyout ca2.key -out ca2.csr -days 3650 -subj /C=CN/ST=jiangsu/L=nanjing/O=Tiger/OU=T-CA/CN=CA2/emailAddress=ca2@tiger.com -passout pass:abcd
openssl rsa -in ca2.key -pubout -out ca2.pub -passin pass:abcd
echo Sign the CA2 request with the CA1 private key
rem v3_ca from the default openssl.cnf sets basicConstraints CA:TRUE with no pathlen, which is what allows CA2 to issue a further CA certificate to CA3 below
openssl x509 -req -days 1095 -in ca2.csr -CA ca1.cer -CAkey ca1.key -out ca2.cer -passin pass:abcd -extfile "C:\Program Files\OpenSSL-Win64\bin\cnf\openssl.cnf" -extensions v3_ca -CAcreateserial
echo Copy the CA2 certificate and public key to CA3, HOST1 and HOST2, and all CA2 files to CA2
copy ca2.cer d:\ca3&copy ca2.pub d:\ca3&copy ca2.cer d:\host1&copy ca2.pub d:\host1&copy ca2.cer d:\host2&copy ca2.pub d:\host2&copy ca2.* \ca2&cd\ca2
echo Generate the CA3 request, private key and public key
openssl req -newkey rsa:8192 -keyout ca3.key -out ca3.csr -days 3650 -subj /C=CN/ST=jiangsu/L=nanjing/O=Tiger/OU=T-CA/CN=CA3/emailAddress=ca3@tiger.com -passout pass:abcd
openssl rsa -in ca3.key -pubout -out ca3.pub -passin pass:abcd
echo Sign the CA3 request with the CA2 private key
openssl x509 -req -days 1095 -in ca3.csr -CA ca2.cer -CAkey ca2.key -out ca3.cer -passin pass:abcd -extfile "C:\Program Files\OpenSSL-Win64\bin\cnf\openssl.cnf" -extensions v3_ca -CAcreateserial
echo Copy the CA3 certificate and public key to HOST1 and HOST2, and all CA3 files to CA3
copy ca3.cer d:\host1&copy ca3.pub d:\host1&copy ca3.cer d:\host2&copy ca3.pub d:\host2&copy ca3.* \ca3&cd\ca3
echo Generate the certificate requests, private keys and public keys for HOST1 and HOST2
openssl req -newkey rsa:8192 -keyout host1.key -out host1.csr -subj /C=CN/ST=guangdong/L=shenzhen/O=SUN/OU=SUN-A/CN=host1 -passout pass:abcd
openssl req -newkey rsa:8192 -keyout host2.key -out host2.csr -subj /C=CN/O=Tiger/ST=jiangsu/CN=host2 -passout pass:abcd
openssl rsa -in host1.key -pubout -out host1.pub -passin pass:abcd
openssl rsa -in host2.key -pubout -out host2.pub -passin pass:abcd
echo Sign the user certificates with the CA3 private key:
openssl x509 -req -days 1095 -in host1.csr -CA ca3.cer -CAkey ca3.key -out host1.cer -passin pass:abcd -CAcreateserial
openssl x509 -req -days 1095 -in host2.csr -CA ca3.cer -CAkey ca3.key -out host2.cer -passin pass:abcd -CAcreateserial
echo Copy all HOST1 and HOST2 files to their own directories
copy host1.* d:\host1&copy host2.* d:\host2
echo Verify the certificate chain:
copy ca3.cer+ca2.cer+ca1.cer ca-chain.cer
openssl verify -show_chain -CAfile ca-chain.cer host1.cer
openssl verify -show_chain -CAfile ca-chain.cer host2.cer
openssl x509 -in ca1.cer -noout -text|find "CA:TRUE"
openssl x509 -in ca2.cer -noout -text|find "CA:TRUE"
openssl x509 -in ca3.cer -noout -text|find "CA:TRUE"
openssl x509 -in host1.cer -noout -text|find "CA:TRUE"
openssl x509 -in host2.cer -noout -text|find "CA:TRUE"
```
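The two-level and three-level chains above, as an added example that is not part of the original post: the same x509 -req "mini CA" steps on a POSIX shell with openssl on PATH, but with a constructed extension profile (ext.cnf, not the default openssl.cnf) so that every certificate states whether it is a CA. It goes one step beyond the page by giving CA2 pathlen:0, which makes a CA3 under CA2 fail verification; all names, the passphrase and the DNS name are made up.

```shell
#!/bin/sh
# Added example, not from the original post: the page's CA1 -> CA2 -> host chain
# rebuilt with openssl on a POSIX shell, with an explicit extension profile
# (constructed here, not OpenSSL's default openssl.cnf) so every certificate
# states whether it is a CA. Runs in a temp dir; 2048-bit keys keep it quick.
# The names, passphrase and DNS name are made up.
set -eu
cd "$(mktemp -d)"
PASS=pass:abcd
cat > ext.cnf <<'EOF'
[ca_root]
basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign
subjectKeyIdentifier=hash
[ca_sub]
basicConstraints=critical,CA:TRUE,pathlen:0
keyUsage=critical,keyCertSign,cRLSign
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid
[host]
basicConstraints=critical,CA:FALSE
keyUsage=critical,digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
subjectAltName=DNS:host1.tiger.test
EOF
# csr NAME SUBJECT: new passphrase-protected RSA key plus a request (the batch files' req -newkey)
csr() { openssl req -new -newkey rsa:2048 -keyout "$1.key" -out "$1.csr" -subj "$2" -passout "$PASS" 2>/dev/null; }
# sign NAME ISSUER PROFILE: x509 -req as a mini CA, as on the page, but always with -extfile
sign() { openssl x509 -req -days 1095 -in "$1.csr" -CA "$2.cer" -CAkey "$2.key" -passin "$PASS" \
          -CAcreateserial -extfile ext.cnf -extensions "$3" -out "$1.cer" 2>/dev/null; }
# root: self-signed with x509 -req -signkey (instead of req -x509) so ext.cnf needs no [req] section
csr ca1 /C=CN/O=Tiger/OU=T-CA/CN=CA1
openssl x509 -req -days 3650 -in ca1.csr -signkey ca1.key -passin "$PASS" \
  -extfile ext.cnf -extensions ca_root -out ca1.cer 2>/dev/null
csr ca2 /C=CN/O=Tiger/OU=T-CA/CN=CA2; sign ca2 ca1 ca_sub
csr host1 /C=CN/O=SUN/OU=SUN-A/CN=host1; sign host1 ca2 host
cat ca2.cer ca1.cer > ca-chain.cer            # same as "copy ca2.cer+ca1.cer ca-chain.cer"
# verify_host CERT CHAIN: succeeds only if CERT chains to the self-signed root inside CHAIN
verify_host() { openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; }
# is_ca CERT: the batch files' find "CA:TRUE" check
is_ca() { openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; }
verify_host host1.cer ca-chain.cer && echo "host1 chains to CA1"
# pathlen:0 on CA2 forbids any CA below it. The page's three-level chain works only
# because the default v3_ca profile has no pathlen; here a CA3 under CA2 is rejected.
csr ca3 /C=CN/O=Tiger/OU=T-CA/CN=CA3; sign ca3 ca2 ca_sub
csr host2 /C=CN/O=Tiger/CN=host2; sign host2 ca3 host
cat ca3.cer ca2.cer ca1.cer > ca-chain3.cer
verify_host host2.cer ca-chain3.cer || echo "host2 rejected: path length constraint exceeded at CA2"
```

Run with openssl verify without the redirects to see the actual error text for host2; dropping pathlen:0 from [ca_sub] makes the three-level chain validate again, exactly as the page's v3_ca profile does.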