openssl3.2 - 官方demo学习 - certs

文章目录

    • openssl3.2 - 官方demo学习 - certs
    • 概述
    • 笔记
    • 官方的实验流程
    • mkcerts.sh - 整理
    • ocsprun.sh - 整理
    • ocspquery.sh - 整理
    • 从mkcerts.sh整理出来的27个.bat
    • a1_create_certificate_directly.cmd
    • a2_Intermediate_CA_request_first.cmd
    • a3_Sign_request_CA_extensions.cmd
    • a4_Server_certificate_create_request_first.cmd
    • a5_Sign_request_end_entity_extensions.cmd
    • a6_Client_certificate_request_first.cmd
    • a7_Sign_using_intermediate_CA.cmd
    • a8_Revoked_certificate_request_first.cmd
    • a9_Sign_using_intermediate_CA.cmd
    • a10_OCSP_responder_certificate_request_first.cmd
    • a11_Sign_using_intermediate_CA_and_responder_extensions.cmd
    • a12_First_DH_parameters.cmd
    • a13_Now_a_DH_private_key.cmd
    • a14_Create_DH_public_key_file.cmd
    • a15_dh_cert_req.cmd
    • a16_Sign_dh_req.cmd
    • a17_gen_dh_client_priv_key.cmd
    • a18_gen_dh_client_pub_key.cmd
    • a19_dh_clint_cert_req.cmd
    • a20_dh_client_cert_sign.cmd
    • a21_gen_crl_without_ca.cmd
    • a22_add_cert_sha1_server.cmd
    • a23_add_cert_sha1_client.cmd
    • a24_add_cert_sha1_revoke.cmd
    • a25_gen_crl.cmd
    • a26_revoke_cert.cmd
    • a27_gen_crl_new_one.cmd
    • run_ax_bat.cmd
    • 从ocsprun.sh整理出来的1个.bat
    • ocsprun.cmd
    • 从ocspquery.sh整理出来的4个.bat
    • query1.cmd
    • query2.cmd
    • query3.cmd
    • query_all.cmd
    • 备注
    • 生成测试用的根CA证书
    • 生成二级CA(中间CA)
    • 应用服务器的证书
    • 客户端的证书
    • 用于吊销演示的证书
    • OCSP证书
    • DH服务器证书
    • DH客户端证书
    • 建立本地CA需要的数据库
    • 向本地CA数据库中登记服务器证书
    • 向本地CA数据库登记客户端证书
    • 向本地数据库登记用于吊销演示用的证书
    • 产生证书吊销列表
    • 吊销一个证书
    • 产生(更新)证书吊销列表
    • 本地实验需要的文件列表
    • END

openssl3.2 - 官方demo学习 - certs

概述

打开官方demos的certs目录, 没看到.c. 茫然了一下.
官方在这个目录中要展示啥呢?
看了readme, 懂了.
原来官方在这个目录中, 要展示如何使用openssl.exe的命令行来操作证书(建立证书, 证书入库, 吊销证书, 查询证书).
官方通过3个.sh来展示证书操作.
mkcerts.sh - 一组操作, 用来建立证书, 证书入库
ocsprun.sh - 建立一个ocsp查询的服务器.
ocspquery.sh - 向ocsp服务器查询证书的有效性.
在cygwin64下, 这3个.sh都好使.
但是, 如果只是运行一下这3个.sh学不到东西. 如果自己有自签名的证书要操作, 还是得一个一个命令的都搞懂才行.

我先将这3个.sh翻译成.bat, 然后每一条命令做一个.bat, 一个一个.bat来运行, 观察运行结果.
整了一遍之后, 再整理.bat, 证书操作基本懂了. 用了2天时间.

如果不整理官方的.sh, 命令行参数中的的文件官方命名很容易将自己看糊涂.
在保证和官方实现一致的前提下, 将文件名改为自己能懂的. 加上注释, 以后就能知道, 每个命令行干啥活.

笔记

官方的实验流程

先运行 mkcerts.sh, 将后续要操作的证书都做出来.
再运行ocsprun.sh, 建立ocsp服务器.
最后运行 ocspquery.sh, 查询证书的有效性.

在mkcerts.sh中, 如果只是运行一次听个响, 27个操作, 一堆操作输出, 根本不能理解这个.sh到底干了啥.
同理, ocspquery.sh有4个操作, 只是运行一次, 啥也不懂.

所以要想理解官方的这3个.sh展示了啥, 需要将这3个.sh中, 每个命令行都自己单独做一次, 每个命令行执行完, 都观察一下有啥输出.

mkcerts.sh - 整理

#!/bin/sh

# \file mkcerts.sh

OPENSSL=./openssl
OPENSSL_CONF=./openssl.cnf
export OPENSSL_CONF

# Root CA: create certificate directly
# a1_create_certificate_directly.cmd
# 生成测试用的根证书, 私钥和证书都在一个文件(.pem)中
# %OPENSSL%                req -config ca.cnf -x509 -nodes -keyout root_ca.pem -out root_ca.pem -newkey rsa:2048 -days 3650 > opt_log_A1.txt 2>&1
CN="Test Root CA" $OPENSSL req -config ca.cnf -x509 -nodes -keyout root.pem    -out root.pem    -newkey rsa:2048 -days 3650

# Intermediate CA: request first
# a2_Intermediate_CA_request_first.cmd
# 中间CA证书 - 请求
# %OPENSSL%                        req -config ca.cnf -nodes -keyout inter_ca_priv_key.pem -out inter_ca_req.pem -newkey rsa:2048 > opt_log_A2.txt 2>&1
CN="Test Intermediate CA" $OPENSSL req -config ca.cnf -nodes -keyout intkey.pem            -out intreq.pem       -newkey rsa:2048

# Sign request: CA extensions
# a3_Sign_request_CA_extensions.cmd
# 中间CA证书请求 - 签名
# %OPENSSL% x509 -req -in inter_ca_req.pem -CA root_ca.pem -days 3600 -extfile ca.cnf -extensions v3_ca -CAcreateserial -out inter_ca_req_sign.pem > opt_log_A3.txt 2>&1
$OPENSSL    x509 -req -in intreq.pem       -CA root.pem    -days 3600 -extfile ca.cnf -extensions v3_ca -CAcreateserial -out intca.pem

# Server certificate: create request first
# a4_Server_certificate_create_request_first.cmd
# 服务器证书请求
# %OPENSSL%                    req -config ca.cnf -nodes -keyout server_priv_key.pem -out server_req.pem -newkey rsa:1024 > opt_log_A4.txt 2>&1
CN="Test Server Cert" $OPENSSL req -config ca.cnf -nodes -keyout skey.pem            -out req.pem        -newkey rsa:1024

# Sign request: end entity extensions
# a5_Sign_request_end_entity_extensions.cmd
# 对服务器证书请求 进行 签名
# %OPENSSL% x509 -req -in server_req.pem -CA inter_ca_req_sign.pem -CAkey inter_ca_priv_key.pem -days 3600 -extfile ca.cnf -extensions usr_cert -CAcreateserial -out server_req_sign.pem > opt_log_A5.txt 2>&1
$OPENSSL    x509 -req -in req.pem        -CA intca.pem             -CAkey intkey.pem            -days 3600 -extfile ca.cnf -extensions usr_cert -CAcreateserial -out server.pem

# Client certificate: request first
# a6_Client_certificate_request_first.cmd
# 客户端证书申请
# %OPENSSL%                    req -config ca.cnf -nodes -keyout client_priv_key.pem -out client_req.pem -newkey rsa:1024 > opt_log_A6.txt 2>&1
CN="Test Client Cert" $OPENSSL req -config ca.cnf -nodes -keyout ckey.pem            -out creq.pem       -newkey rsa:1024

# Sign using intermediate CA
# a7_Sign_using_intermediate_CA.cmd
# 用中间CA签名客户端证书请求
# %OPENSSL% x509 -req -in client_req.pem -CA inter_ca_req_sign.pem -CAkey inter_ca_priv_key.pem -days 3600 -extfile ca.cnf -extensions usr_cert -CAcreateserial -out client_req_sign.pem > opt_log_A7.txt 2>&1
$OPENSSL    x509 -req -in creq.pem       -CA intca.pem             -CAkey intkey.pem            -days 3600 -extfile ca.cnf -extensions usr_cert -CAcreateserial -out client.pem

# Revoked certificate: request first
# a8_Revoked_certificate_request_first.cmd
# 吊销证书的申请
# %OPENSSL%                     req -config ca.cnf -nodes -keyout revoke_priv_key.pem -out revoke_req.pem -newkey rsa:1024 > opt_log_A8.txt 2>&1
CN="Test Revoked Cert" $OPENSSL req -config ca.cnf -nodes -keyout revkey.pem          -out rreq.pem       -newkey rsa:1024

# Sign using intermediate CA
# a9_Sign_using_intermediate_CA.cmd
# 吊销证书申请的签名
# %OPENSSL% x509 -req -in revoke_req.pem -CA inter_ca_req_sign.pem -CAkey inter_ca_priv_key.pem -days 3600 -extfile ca.cnf -extensions usr_cert -CAcreateserial -out revoke_req_sign.pem > opt_log_A9.txt 2>&1
$OPENSSL    x509 -req -in rreq.pem       -CA intca.pem              -CAkey intkey.pem           -days 3600 -extfile ca.cnf -extensions usr_cert -CAcreateserial -out rev.pem

# OCSP responder certificate: request first
# a10_OCSP_responder_certificate_request_first.cmd
# OCSP证书申请
# %OPENSSL%                            req -config ca.cnf -nodes -keyout ocsp_priv_key.pem -out ocsp_req.pem -newkey rsa:1024 > opt_log_A10.txt 2>&1
CN="Test OCSP Responder Cert" $OPENSSL req -config ca.cnf -nodes -keyout respkey.pem       -out respreq.pem  -newkey rsa:1024

# Sign using intermediate CA and responder extensions
# a11_Sign_using_intermediate_CA_and_responder_extensions.cmd
# OCSP证书申请的签名
# %OPENSSL% x509 -req -in ocsp_req.pem -CA inter_ca_req_sign.pem -CAkey inter_ca_priv_key.pem -days 3600 -extfile ca.cnf -extensions ocsp_cert -CAcreateserial -out ocsp_req_sign.pem > opt_log_A11.txt 2>&1
$OPENSSL    x509 -req -in respreq.pem  -CA intca.pem             -CAkey intkey.pem            -days 3600 -extfile ca.cnf -extensions ocsp_cert -CAcreateserial -out resp.pem

# Example creating a PKCS#3 DH certificate.

# First DH parameters
# a12_First_DH_parameters.cmd
# 产生DH证书参数文件
# %OPENSSL%                genpkey -genparam -algorithm DH -pkeyopt dh_paramgen_prime_len:1024 -out dh_param.pem > opt_log_A12.txt 2>&1
[ -f dhp.pem ] || $OPENSSL genpkey -genparam -algorithm DH -pkeyopt dh_paramgen_prime_len:1024 -out dhp.pem

# Now a DH private key
# a13_Now_a_DH_private_key.cmd
# 产生DH证书私钥
# %OPENSSL% genpkey -paramfile dh_param.pem -out dh_priv_key.pem > opt_log_A13.txt 2>&1
$OPENSSL    genpkey -paramfile dhp.pem      -out dhskey.pem


# Create DH public key file
# a14_Create_DH_public_key_file.cmd
# 产生DH证书公钥
# %OPENSSL% pkey -in dh_priv_key.pem -pubout -out dh_pub_key.pem > opt_log_A14.txt 2>&1
$OPENSSL  pkey -in dhskey.pem      -pubout -out dhspub.pem


# Certificate request, key just reuses old one as it is ignored when the request is signed
# a15_dh_cert.cmd
# DH证书申请
# %OPENSSL%                       req -config ca.cnf -new -key server_priv_key.pem -out dh_req.pem > opt_log_A15.txt 2>&1
CN="Test Server DH Cert" $OPENSSL req -config ca.cnf -new -key skey.pem -out dhsreq.pem


# Sign request: end entity DH extensions
# a16_Sign_dh_req.cmd
# DH证书申请的签名
# %OPENSSL% x509 -req -in dh_req.pem -CA root_ca.pem -days 3600 -force_pubkey dh_pub_key.pem -extfile ca.cnf -extensions dh_cert -CAcreateserial -out dh_req_sign.pem > opt_log_A16.txt 2>&1
$OPENSSL    x509 -req -in dhsreq.pem -CA root.pem    -days 3600 -force_pubkey dhspub.pem     -extfile ca.cnf -extensions dh_cert -CAcreateserial -out dhserver.pem

# DH client certificate
# a17_gen_dh_client_priv_key.cmd
# 产生DH客户端私钥
# %OPENSSL% genpkey -paramfile dh_param.pem -out dh_client_priv_key.pem > opt_log_A17.txt 2>&1
$OPENSSL    genpkey -paramfile dhp.pem      -out dhckey.pem

# a18_gen_dh_client_pub_key.cmd
# 产生DH客户端公钥
# %OPENSSL% pkey -in dh_client_priv_key.pem -pubout -out dh_client_pub_key.pem > opt_log_A18.txt 2>&1
$OPENSSL    pkey -in dhckey.pem             -pubout -out dhcpub.pem

# a19_dh_clint_cert_req.cmd
# DH客户端证书请求
# %OPENSSL%                       req -config ca.cnf -new -key server_priv_key.pem -out dh_client_req.pem > opt_log_A19.txt 2>&1
CN="Test Client DH Cert" $OPENSSL req -config ca.cnf -new -key skey.pem            -out dhcreq.pem

# a20_dh_client_cert_sign.cmd
# 对DH客户端证书请求进行签名
# %OPENSSL% x509 -req -in dh_client_req.pem -CA root_ca.pem -days 3600 -force_pubkey dh_client_pub_key.pem -extfile ca.cnf -extensions dh_cert -CAcreateserial -out dh_client_req_sign.pem > opt_log_A20.txt 2>&1
$OPENSSL    x509 -req -in dhcreq.pem        -CA root.pem    -days 3600 -force_pubkey dhcpub.pem            -extfile ca.cnf -extensions dh_cert -CAcreateserial -out dhclient.pem

# Examples of CRL generation without the need to use 'ca' to issue certificates.
# Create zero length index file
# a21_gen_crl_without_ca.cmd
# 建立本地CA需要的数据库(产生一个空的index.txt 和一个里面内容为01的crlnum.txt)
>index.txt
# Create initial crl number file
echo 01 >crlnum.txt

# Add entries for server and client certs
# a22_add_cert_sha1_server.cmd
# 向本地CA数据库中登记服务器证书(将服务器证书登记信息写入 index.txt)
# %OPENSSL% ca -valid server_req_sign.pem -keyfile root_ca.pem -cert root_ca.pem -config ca.cnf -md sha1 > opt_log_A22.txt 2>&1
$OPENSSL    ca -valid server.pem          -keyfile root.pem    -cert root.pem    -config ca.cnf -md sha1

# a23_add_cert_sha1_client.cmd
# 向本地CA数据库登记客户端证书(将服务器证书登记信息写入 index.txt)
# %OPENSSL% ca -valid client_req_sign.pem -keyfile root_ca.pem -cert root_ca.pem -config ca.cnf -md sha1 > opt_log_A23.txt 2>&1
$OPENSSL    ca -valid client.pem          -keyfile root.pem    -cert root.pem    -config ca.cnf -md sha1

# a24_add_cert_sha1_revoke.cmd
# 向本地数据库等级吊销用的证书(将吊销用的证书登记信息吸入 index.txt)
# %OPENSSL% ca -valid revoke_req_sign.pem -keyfile root_ca.pem -cert root_ca.pem -config ca.cnf -md sha1 > opt_log_A24.txt 2>&1
$OPENSSL    ca -valid rev.pem             -keyfile root.pem    -cert root.pem    -config ca.cnf -md sha1

# Generate a CRL.
# a25_gen_crl.cmd
# 产生证书吊销列表
# %OPENSSL% ca -gencrl -keyfile root_ca.pem -cert root_ca.pem -config ca.cnf -md sha1 -crldays 1 -out crl_cert_list.pem > opt_log_A25.txt 2>&1
$OPENSSL    ca -gencrl -keyfile root.pem    -cert root.pem    -config ca.cnf -md sha1 -crldays 1 -out crl1.pem

# Revoke a certificate
# a26_revoke_cert.cmd
# 吊销一个证书
# %OPENSSL% ca -revoke revoke_req_sign.pem -crl_reason superseded -keyfile root_ca.pem -cert root_ca.pem -config ca.cnf -md sha1 > opt_log_A26.txt 2>&1
openssl     ca -revoke rev.pem             -crl_reason superseded -keyfile root.pem    -cert root.pem    -config ca.cnf -md sha1

# Generate another CRL
# a27_gen_crl_new_one.cmd
# 吊销一个证书后, 要产生新的吊销证书列表供其他应用验证证书是否被吊销.
# 证书吊销列表的名称, 在实际应用中, 应该是一个名字, 这里是实验, 就重新命令一个吊销列表文件的名称, 表示这是在吊销证书后, 新产生的证书吊销列表
# %OPENSSL% ca -gencrl -keyfile root_ca.pem -cert root_ca.pem -config ca.cnf -md sha1 -crldays 1 -out crl_cert_list_1.pem > opt_log_A27.txt 2>&1
$OPENSSL    ca -gencrl -keyfile root.pem    -cert root.pem    -config ca.cnf -md sha1 -crldays 1 -out crl2.pem


ocsprun.sh - 整理

# Example of running an querying OpenSSL test OCSP responder.
# This assumes "mkcerts.sh" or similar has been run to set up the
# necessary file structure.

OPENSSL=../../apps/openssl
OPENSSL_CONF=../../apps/openssl.cnf
export OPENSSL_CONF

# Run OCSP responder.

PORT=8888

# %OPENSSL% ocsp -port %PORT% -index index.txt -CA inter_ca_req_sign.pem -rsigner ocsp_req_sign.pem  -rkey ocsp_priv_key.pem -rother inter_ca_req_sign.pem
$OPENSSL    ocsp -port $PORT  -index index.txt -CA intca.pem             -rsigner resp.pem           -rkey respkey.pem       -rother intca.pem $*

ocspquery.sh - 整理

# Example querying OpenSSL test responder. Assumes ocsprun.sh has been
# called.

OPENSSL=../../apps/openssl
OPENSSL_CONF=../../apps/openssl.cnf
export OPENSSL_CONF

# Send responder queries for each certificate.

echo "Requesting OCSP status for each certificate"
# query1.cmd
# %OPENSSL% ocsp -issuer inter_ca_req_sign.pem  -cert client_req_sign.pem -CAfile root_ca.pem -url http://127.0.0.1:8888/ > opt_log_query1.txt 2>&1
$OPENSSL    ocsp -issuer intca.pem              -cert client.pem          -CAfile root.pem    -url http://127.0.0.1:8888/

# query2.cmd
# %OPENSSL% ocsp -issuer inter_ca_req_sign.pem  -cert server_req_sign.pem -CAfile root_ca.pem -url http://127.0.0.1:8888/ > opt_log_query2.txt 2>&1
$OPENSSL    ocsp -issuer intca.pem              -cert server.pem          -CAfile root.pem    -url http://127.0.0.1:8888/

#query3.cmd
# %OPENSSL% ocsp -issuer inter_ca_req_sign.pem  -cert revoke_req_sign.pem -CAfile root_ca.pem -url http://127.0.0.1:8888/ > opt_log_query3.txt 2>&1
$OPENSSL    ocsp -issuer intca.pem              -cert rev.pem             -CAfile root.pem    -url http://127.0.0.1:8888/

# One query for all three certificates.
echo "Requesting OCSP status for three certificates in one request"
# %OPENSSL% ocsp -issuer inter_ca_req_sign.pem  -cert client_req_sign.pem -cert server_req_sign.pem -cert revoke_req_sign.pem -CAfile root_ca.pem -url http://127.0.0.1:8888/ > opt_log_query_all.txt 2>&1
$OPENSSL    ocsp -issuer intca.pem              -cert client.pem          -cert server.pem          -cert rev.pem             -CAfile root.pem -url http://127.0.0.1:8888/

从mkcerts.sh整理出来的27个.bat

a1_create_certificate_directly.cmd

@echo off
rem \file a1_create_certificate_directly.cmd

set OPENSSL=.\openssl
set OPENSSL_CONF=.\openssl.cnf

rem Root CA: create certificate directly
set CN="Test Root CA"

rem # 生成测试用的根证书, 私钥和证书都在一个文件(.pem)中

%OPENSSL% req -config ca.cnf -x509 -nodes -keyout root_ca.pem -out root_ca.pem -newkey rsa:2048 -days 3650 > opt_log_A1.txt 2>&1

a2_Intermediate_CA_request_first.cmd

@echo off
rem \file a2_Intermediate_CA_request_first.cmd

set OPENSSL=.\openssl
set OPENSSL_CONF=.\openssl.cnf

rem Intermediate CA: request first
set CN="Test Intermediate CA"

rem # 中间CA证书 - 请求

%OPENSSL% req -config ca.cnf -nodes -keyout inter_ca_priv_key.pem -out inter_ca_req.pem -newkey rsa:2048 > opt_log_A2.txt 2>&1


a3_Sign_request_CA_extensions.cmd

@echo off
rem \file a3_Sign_request_CA_extensions.cmd

set OPENSSL=.\openssl
set OPENSSL_CONF=.\openssl.cnf

rem Sign request: CA extensions
rem # 中间CA证书请求 - 签名

%OPENSSL% x509 -req -in inter_ca_req.pem -CA root_ca.pem -days 3600 -extfile ca.cnf -extensions v3_ca -CAcreateserial -out inter_ca_req_sign.pem > opt_log_A3.txt 2>&1


a4_Server_certificate_create_request_first.cmd

@echo off

rem \file a4_Server_certificate_create_request_first.cmd

set OPENSSL=.\openssl

set OPENSSL_CONF=.\openssl.cnf

rem Server certificate: create request first

set CN="Test Server Cert"

rem # 服务器证书请求

rem # 除了根CA, 其他CA/服务器的私钥和证书都要分开, 不能是一个.pem

%OPENSSL% req -config ca.cnf -nodes -keyout server_priv_key.pem -out server_req.pem -newkey rsa:1024 > opt_log_A4.txt 2>&1

a5_Sign_request_end_entity_extensions.cmd

@echo off
rem \file a5_Sign_request_end_entity_extensions.cmd

set OPENSSL=.\openssl
set OPENSSL_CONF=.\openssl.cnf

rem Sign request: end entity extensions
rem # 对服务器证书请求 进行 签名

%OPENSSL% x509 -req -in server_req.pem -CA inter_ca_req_sign.pem -CAkey inter_ca_priv_key.pem -days 3600 ^
-extfile ca.cnf -extensions usr_cert -CAcreateserial -out server_req_sign.pem > opt_log_A5.txt 2>&1

a6_Client_certificate_request_first.cmd

@echo off
rem \file a6_Client_certificate_request_first.cmd

set OPENSSL=.\openssl
set OPENSSL_CONF=.\openssl.cnf
rem echo OPENSSL_CONF = %OPENSSL_CONF%

rem Client certificate: request first
set CN="Test Client Cert"

rem # 客户端证书申请

%OPENSSL% req -config ca.cnf -nodes -keyout client_priv_key.pem -out client_req.pem -newkey rsa:1024 > opt_log_A6.txt 2>&1

a7_Sign_using_intermediate_CA.cmd

@echo off
rem \file a7_Sign_using_intermediate_CA.cmd

set OPENSSL=.\openssl
set OPENSSL_CONF=.\openssl.cnf

rem Sign using intermediate CA
rem # 用中间CA签名客户端证书请求

%OPENSSL% x509 -req -in client_req.pem -CA inter_ca_req_sign.pem -CAkey inter_ca_priv_key.pem -days 3600 -extfile ca.cnf -extensions usr_cert -CAcreateserial -out client_req_sign.pem > opt_log_A7.txt 2>&1

a8_Revoked_certificate_request_first.cmd

@echo off
rem \file a8_Revoked_certificate_request_first.cmd

set OPENSSL=.\openssl
set OPENSSL_CONF=.\openssl.cnf

rem Revoked certificate: request first
set CN="Test Revoked Cert"

rem # 吊销证书的申请

%OPENSSL% req -config ca.cnf -nodes -keyout revoke_priv_key.pem -out revoke_req.pem -newkey rsa:1024 > opt_log_A8.txt 2>&1

a9_Sign_using_intermediate_CA.cmd

@echo off
rem \file a9_Sign_using_intermediate_CA.cmd

set OPENSSL=.\openssl
set OPENSSL_CONF=.\openssl.cnf

rem Sign using intermediate CA
rem # 吊销证书申请的签名

%OPENSSL% x509 -req -in revoke_req.pem -CA inter_ca_req_sign.pem -CAkey inter_ca_priv_key.pem -days 3600 -extfile ca.cnf -extensions usr_cert -CAcreateserial -out revoke_req_sign.pem > opt_log_A9.txt 2>&1

a10_OCSP_responder_certificate_request_first.cmd

@echo off
rem \file a10_OCSP_responder_certificate_request_first.cmd

set OPENSSL=.\openssl
set OPENSSL_CONF=.\openssl.cnf

rem OCSP responder certificate: request first
set CN="Test OCSP Responder Cert"

rem # OCSP证书申请

%OPENSSL% req -config ca.cnf -nodes -keyout ocsp_priv_key.pem -out ocsp_req.pem -newkey rsa:1024 > opt_log_A10.txt 2>&1

a11_Sign_using_intermediate_CA_and_responder_extensions.cmd

@echo off
rem \file a11_Sign_using_intermediate_CA_and_responder_extensions.cmd

set OPENSSL=.\openssl
set OPENSSL_CONF=.\openssl.cnf

rem Sign using intermediate CA and responder extensions
rem # OCSP证书申请的签名

%OPENSSL% x509 -req -in ocsp_req.pem -CA inter_ca_req_sign.pem -CAkey inter_ca_priv_key.pem -days 3600 -extfile ca.cnf -extensions ocsp_cert -CAcreateserial -out ocsp_req_sign.pem > opt_log_A11.txt 2>&1

a12_First_DH_parameters.cmd

@echo off
rem \file a12_First_DH_parameters.cmd

set OPENSSL=.\openssl
set OPENSSL_CONF=.\openssl.cnf

rem echo OPENSSL_CONF = %OPENSSL_CONF%
rem First DH parameters

del /Q .\dh_param.pem > nul 2>&1
rem # 产生DH证书参数文件

%OPENSSL% genpkey -genparam -algorithm DH -pkeyopt dh_paramgen_prime_len:1024 -out dh_param.pem > opt_log_A12.txt 2>&1

a13_Now_a_DH_private_key.cmd

@echo off
rem \file a13_Now_a_DH_private_key.cmd

set OPENSSL=.\openssl
set OPENSSL_CONF=.\openssl.cnf

rem Now a DH private key
rem # 产生DH证书私钥

%OPENSSL% genpkey -paramfile dh_param.pem -out dh_priv_key.pem > opt_log_A13.txt 2>&1

a14_Create_DH_public_key_file.cmd

@echo off
rem \file a14_Create_DH_public_key_file.cmd

set OPENSSL=.\openssl
set OPENSSL_CONF=.\openssl.cnf

rem Create DH public key file
rem # 产生DH证书公钥

%OPENSSL% pkey -in dh_priv_key.pem -pubout -out dh_pub_key.pem > opt_log_A14.txt 2>&1

a15_dh_cert_req.cmd

@echo off
rem \file a15_dh_cert_req.cmd

set OPENSSL=.\openssl
set OPENSSL_CONF=.\openssl.cnf

rem Certificate request, key just reuses old one as it is ignored when the request is signed

set CN="Test Server DH Cert"

rem 使用的key必须是服务器证书的私钥, 而不是dh证书的私钥, 否则报错

rem # DH证书申请

%OPENSSL% req -config ca.cnf -new -key server_priv_key.pem -out dh_req.pem > opt_log_A15.txt 2>&1

a16_Sign_dh_req.cmd

@echo off
rem \file a16_Sign_dh_req.cmd

set OPENSSL=.\openssl
set OPENSSL_CONF=.\openssl.cnf

rem Sign request: end entity DH extensions
rem # DH证书申请的签名

rem 使用的key必须是服务器证书的私钥, 而不是dh证书的私钥, 否则报错

%OPENSSL% x509 -req -in dh_req.pem -CA root_ca.pem -days 3600 -force_pubkey dh_pub_key.pem -extfile ca.cnf -extensions dh_cert -CAcreateserial -out dh_req_sign.pem > opt_log_A16.txt 2>&1

a17_gen_dh_client_priv_key.cmd

@echo off
rem \file a17_gen_dh_client_priv_key.cmd

set OPENSSL=.\openssl
set OPENSSL_CONF=.\openssl.cnf

rem DH client certificate
rem # 产生DH客户端私钥

%OPENSSL% genpkey -paramfile dh_param.pem -out dh_client_priv_key.pem > opt_log_A17.txt 2>&1

a18_gen_dh_client_pub_key.cmd

@echo off
rem \file a18_gen_dh_client_pub_key.cmd

set OPENSSL=.\openssl
set OPENSSL_CONF=.\openssl.cnf

rem DH client certificate
rem # 产生DH客户端公钥

%OPENSSL% pkey -in dh_client_priv_key.pem -pubout -out dh_client_pub_key.pem > opt_log_A18.txt 2>&1

a19_dh_clint_cert_req.cmd

@echo off
rem \file a19_dh_clint_cert_req.cmd

set OPENSSL=.\openssl
set OPENSSL_CONF=.\openssl.cnf

rem echo OPENSSL_CONF = %OPENSSL_CONF%
rem DH client certificate

set CN="Test Client DH Cert"

rem # DH客户端证书请求

%OPENSSL% req -config ca.cnf -new -key server_priv_key.pem -out dh_client_req.pem > opt_log_A19.txt 2>&1

a20_dh_client_cert_sign.cmd

@echo off
rem \file a20_dh_client_cert_sign.cmd

set OPENSSL=.\openssl
set OPENSSL_CONF=.\openssl.cnf

rem DH client certificate
rem # 对DH客户端证书请求进行签名

%OPENSSL% x509 -req -in dh_client_req.pem -CA root_ca.pem -days 3600 -force_pubkey dh_client_pub_key.pem -extfile ca.cnf -extensions dh_cert -CAcreateserial -out dh_client_req_sign.pem > opt_log_A20.txt 2>&1

a21_gen_crl_without_ca.cmd

@echo off
rem \file a21_gen_crl_without_ca.cmd

set OPENSSL=.\openssl
set OPENSSL_CONF=.\openssl.cnf

rem # Examples of CRL generation without the need to use 'ca' to issue certificates.
rem # 建立本地CA需要的数据库(产生一个空的index.txt 和一个里面内容为01的crlnum.txt)

rem # Create zero length index file

cd. > index.txt

rem # Create initial crl number file

echo 01 > crlnum.txt


a22_add_cert_sha1_server.cmd

@echo off

rem \file a22_add_cert_sha1_server.cmd

set OPENSSL=.\openssl

set OPENSSL_CONF=.\openssl.cnf

rem Add entries for server and client certs

rem # 向本地CA数据库中登记服务器证书(将服务器证书登记信息写入 index.txt)

%OPENSSL% ca -valid server_req_sign.pem -keyfile root_ca.pem -cert root_ca.pem -config ca.cnf -md sha1 > opt_log_A22.txt 2>&1

a23_add_cert_sha1_client.cmd

@echo off
rem \file a23_add_cert_sha1_client.cmd

set OPENSSL=.\openssl
set OPENSSL_CONF=.\openssl.cnf

rem Add entries for server and client certs
rem set CN="Test Client DH Cert"
rem # 向本地CA数据库登记客户端证书(将服务器证书登记信息写入 index.txt)

%OPENSSL% ca -valid client_req_sign.pem -keyfile root_ca.pem -cert root_ca.pem -config ca.cnf -md sha1 > opt_log_A23.txt 2>&1


a24_add_cert_sha1_revoke.cmd

@echo off
rem \file a24_add_cert_sha1_revoke.cmd

set OPENSSL=.\openssl
set OPENSSL_CONF=.\openssl.cnf

rem Add entries for server and client certs
rem set CN="Test Client DH Cert"
rem # 向本地数据库等级吊销用的证书(将吊销用的证书登记信息写入 index.txt)

%OPENSSL% ca -valid revoke_req_sign.pem -keyfile root_ca.pem -cert root_ca.pem -config ca.cnf -md sha1 > opt_log_A24.txt 2>&1

a25_gen_crl.cmd

@echo off
rem \file a25_gen_crl.cmd

set OPENSSL=.\openssl
set OPENSSL_CONF=.\openssl.cnf

rem Add entries for server and client certs
rem set CN="Test Client DH Cert"
rem # 产生证书吊销列表

%OPENSSL% ca -gencrl -keyfile root_ca.pem -cert root_ca.pem -config ca.cnf -md sha1 -crldays 1 -out crl_cert_list.pem > opt_log_A25.txt 2>&1

a26_revoke_cert.cmd

@echo off
rem \file a26_revoke_cert.cmd

set OPENSSL=.\openssl
set OPENSSL_CONF=.\openssl.cnf

rem Revoke a certificate
rem set CN="Test Client DH Cert"
rem # 吊销一个证书

%OPENSSL% ca -revoke revoke_req_sign.pem -crl_reason superseded -keyfile root_ca.pem -cert root_ca.pem -config ca.cnf -md sha1 > opt_log_A26.txt 2>&1

a27_gen_crl_new_one.cmd

@echo off
rem \file a25_gen_crl.cmd

set OPENSSL=.\openssl
set OPENSSL_CONF=.\openssl.cnf

rem Add entries for server and client certs

rem # 吊销一个证书后, 要产生新的吊销证书列表供其他应用验证证书是否被吊销.

rem # 证书吊销列表的名称, 在实际应用中, 应该是一个名字, 这里是实验, 就重新命令一个吊销列表文件的名称, 表示这是在吊销证书后, 新产生的证书吊销列表

%OPENSSL% ca -gencrl -keyfile root_ca.pem -cert root_ca.pem -config ca.cnf -md sha1 -crldays 1 -out crl_cert_list_1.pem > opt_log_A27.txt 2>&1

run_ax_bat.cmd

模拟mkcerts.sh, 将做的27个单独的.bat一起都调用了.

call a1_create_certificate_directly.cmd
call a2_Intermediate_CA_request_first.cmd
call a3_Sign_request_CA_extensions.cmd
call a4_Server_certificate_create_request_first.cmd
call a5_Sign_request_end_entity_extensions.cmd
call a6_Client_certificate_request_first.cmd
call a7_Sign_using_intermediate_CA.cmd
call a8_Revoked_certificate_request_first.cmd
call a9_Sign_using_intermediate_CA.cmd
call a10_OCSP_responder_certificate_request_first.cmd
call a11_Sign_using_intermediate_CA_and_responder_extensions.cmd
call a12_First_DH_parameters.cmd
call a13_Now_a_DH_private_key.cmd
call a14_Create_DH_public_key_file.cmd
call a15_dh_cert_req.cmd
call a16_Sign_dh_req.cmd
call a17_gen_dh_client_priv_key.cmd
call a18_gen_dh_client_pub_key.cmd
call a19_dh_clint_cert_req.cmd
call a20_dh_client_cert_sign.cmd
call a21_gen_crl_without_ca.cmd
call a22_add_cert_sha1_server.cmd
call a23_add_cert_sha1_client.cmd
call a24_add_cert_sha1_revoke.cmd
call a25_gen_crl.cmd
call a26_revoke_cert.cmd
call a27_gen_crl_new_one.cmd
ECHO END
pause

从ocsprun.sh整理出来的1个.bat

ocsprun.cmd

@echo off

rem \file ocsprun.cmd

rem # Example of running an querying OpenSSL test OCSP responder.
rem # This assumes "mkcerts.sh" or similar has been run to set up the
rem # necessary file structure.

set OPENSSL= .\openssl
set OPENSSL_CONF=.\openssl.cnf

rem # Run OCSP responder.

set PORT=8888

%OPENSSL% ocsp -port %PORT% -index index.txt -CA inter_ca_req_sign.pem -rsigner ocsp_req_sign.pem  -rkey ocsp_priv_key.pem -rother inter_ca_req_sign.pem

从ocspquery.sh整理出来的4个.bat

query1.cmd

@echo off
rem \file query1.cmd

set OPENSSL=.\openssl
set OPENSSL_CONF=.\openssl.cnf
rem echo OPENSSL_CONF = %OPENSSL_CONF%

rem Revoke a certificate
rem set CN="Test Client DH Cert"

@echo "Requesting OCSP status for each certificate"
%OPENSSL% ocsp -issuer inter_ca_req_sign.pem  -cert client_req_sign.pem -CAfile root_ca.pem -url http://127.0.0.1:8888/ > opt_log_query1.txt 2>&1


query2.cmd

@echo off
rem \file query2.cmd

set OPENSSL=.\openssl
set OPENSSL_CONF=.\openssl.cnf
rem echo OPENSSL_CONF = %OPENSSL_CONF%

rem Revoke a certificate
rem set CN="Test Client DH Cert"

@echo "Requesting OCSP status for each certificate"
%OPENSSL% ocsp -issuer inter_ca_req_sign.pem  -cert server_req_sign.pem -CAfile root_ca.pem -url http://127.0.0.1:8888/ > opt_log_query2.txt 2>&1

query3.cmd

@echo off
rem \file query3.cmd

set OPENSSL=.\openssl
set OPENSSL_CONF=.\openssl.cnf
rem echo OPENSSL_CONF = %OPENSSL_CONF%

rem Revoke a certificate
rem set CN="Test Client DH Cert"

@echo "Requesting OCSP status for each certificate"
%OPENSSL% ocsp -issuer inter_ca_req_sign.pem  -cert revoke_req_sign.pem -CAfile root_ca.pem -url http://127.0.0.1:8888/ > opt_log_query3.txt 2>&1

query_all.cmd

@echo off
rem \file query3.cmd

set OPENSSL=.\openssl
set OPENSSL_CONF=.\openssl.cnf
rem echo OPENSSL_CONF = %OPENSSL_CONF%

rem Revoke a certificate
rem set CN="Test Client DH Cert"

@echo "Requesting OCSP status for three certificates in one request"
%OPENSSL% ocsp -issuer inter_ca_req_sign.pem  -cert client_req_sign.pem -cert server_req_sign.pem -cert revoke_req_sign.pem -CAfile root_ca.pem -url http://127.0.0.1:8888/ > opt_log_query_all.txt 2>&1

备注

即使是发一个证书出来, 一个openssl.exe命令行也搞不定的.
将官方证书操作分类来备注.

生成测试用的根CA证书

a1_create_certificate_directly.cmd 这个一步搞定, 生成了根CA的证书和私钥.

生成二级CA(中间CA)

a2_Intermediate_CA_request_first.cmd 中间CA证书 - 请求, 生成了中间CA的私钥和请求
a3_Sign_request_CA_extensions.cmd 中间CA证书请求 - 签名, 将请求签名, 生成最终的中间CA证书

应用服务器的证书

a4_Server_certificate_create_request_first.cmd 服务器证书请求, 生成服务器证书私钥和请求.
a5_Sign_request_end_entity_extensions.cmd 对服务器证书请求 进行 签名, 得到最终可用的服务器证书

客户端的证书

a6_Client_certificate_request_first.cmd 客户端证书申请, 生成客户端证书私钥和请求
a7_Sign_using_intermediate_CA.cmd 用中间CA签名客户端证书请求, 生成最终可用的客户端证书.

用于吊销演示的证书

a8_Revoked_certificate_request_first.cmd 用于吊销证书的申请, 生成私钥和申请
a9_Sign_using_intermediate_CA.cmd 吊销证书申请的签名, 得到最终用于吊销演示操作的证书.

OCSP证书

a10_OCSP_responder_certificate_request_first.cmd OCSP证书申请, 得到私钥和申请
a11_Sign_using_intermediate_CA_and_responder_extensions.cmd OCSP证书申请的签名, 得到最终可用的OCSP证书

DH服务器证书

a12_First_DH_parameters.cmd 产生DH证书参数文件
a13_Now_a_DH_private_key.cmd 产生DH证书私钥
a14_Create_DH_public_key_file.cmd 产生DH证书公钥
a15_dh_cert.cmd 产生DH证书申请
a16_Sign_dh_req.cmd DH证书申请的签名, 得到最终可用的DH服务器证书

DH客户端证书

a17_gen_dh_client_priv_key.cmd 产生DH客户端私钥
a18_gen_dh_client_pub_key.cmd 产生DH客户端公钥
a19_dh_clint_cert_req.cmd DH客户端证书请求
a20_dh_client_cert_sign.cmd 对DH客户端证书请求进行签名, 得到最终可用的DH客户端证书

建立本地CA需要的数据库

a21_gen_crl_without_ca.cmd 建立本地CA需要的数据库(产生一个空的index.txt 和一个里面内容为01的crlnum.txt)

向本地CA数据库中登记服务器证书

a22_add_cert_sha1_server.cmd 向本地CA数据库中登记服务器证书(将服务器证书登记信息写入 index.txt)

向本地CA数据库登记客户端证书

a23_add_cert_sha1_client.cmd 向本地CA数据库登记客户端证书(将服务器证书登记信息写入 index.txt)

向本地数据库登记用于吊销演示用的证书

a24_add_cert_sha1_revoke.cmd 向本地数据库等级吊销用的证书(将吊销用的证书登记信息吸入 index.txt)

产生证书吊销列表

a25_gen_crl.cmd 产生证书吊销列表(新建立了N张证书后, 都要登记入库, 然后重新生成证书吊销列表).

吊销一个证书

a26_revoke_cert.cmd 吊销证书后, 这张证书就废了.

产生(更新)证书吊销列表

a27_gen_crl_new_one.cmd 吊销一个证书后, 要产生新的吊销证书列表供其他应用验证证书是否被吊销. 证书吊销列表的名称, 在实际应用中, 应该是同一个名字, 这里是实验, 就重新命令一个吊销列表文件的名称, 表示这是在吊销证书后, 新产生的证书吊销列表

本地实验需要的文件列表

tree /A /F
D:.
    a10_OCSP_responder_certificate_request_first.cmd
    a11_Sign_using_intermediate_CA_and_responder_extensions.cmd
    a12_First_DH_parameters.cmd
    a13_Now_a_DH_private_key.cmd
    a14_Create_DH_public_key_file.cmd
    a15_dh_cert_req.cmd
    a16_Sign_dh_req.cmd
    a17_gen_dh_client_priv_key.cmd
    a18_gen_dh_client_pub_key.cmd
    a19_dh_clint_cert_req.cmd
    a1_create_certificate_directly.cmd
    a20_dh_client_cert_sign.cmd
    a21_gen_crl_without_ca.cmd
    a22_add_cert_sha1_server.cmd
    a23_add_cert_sha1_client.cmd
    a24_add_cert_sha1_revoke.cmd
    a25_gen_crl.cmd
    a26_revoke_cert.cmd
    a27_gen_crl_new_one.cmd
    a2_Intermediate_CA_request_first.cmd
    a3_Sign_request_CA_extensions.cmd
    a4_Server_certificate_create_request_first.cmd
    a5_Sign_request_end_entity_extensions.cmd
    a6_Client_certificate_request_first.cmd
    a7_Sign_using_intermediate_CA.cmd
    a8_Revoked_certificate_request_first.cmd
    a9_Sign_using_intermediate_CA.cmd
    ca.cnf
    libcrypto-3-x64.dll
    libssl-3-x64.dll
    mkcerts.sh
    ocspquery.sh
    ocsprun.cmd
    ocsprun.sh
    openssl.cnf
    openssl.exe
    query1.cmd
    query2.cmd
    query3.cmd
    query_all.cmd
    README.txt
    run_ax_bat.cmd

END

你可能感兴趣的:(openSSL,openSSL)