openssl 3.2 - studying the official demos - certs

Overview

Opening the certs directory of the official demos, I saw no .c files and was puzzled for a moment.

What does the official project want to show in this directory?

After reading the README it made sense.

This directory shows how to use the openssl.exe command line to work with certificates (create certificates, register them in the CA database, revoke them, query their status).

It does this with three .sh scripts.

mkcerts.sh - a set of operations that create the certificates and register them in the CA database

ocsprun.sh - starts an OCSP responder.

ocspquery.sh - queries the OCSP responder for the validity of certificates.

Under cygwin64 all three .sh scripts work.

But just running the three scripts teaches you nothing. If you have your own self-signed certificates to handle, you have to understand every command one by one.

I first translated the three .sh scripts into .bat, then made one .bat per command, ran them one at a time, and watched the result of each.

After one pass I tidied up the .bat files and basically understood the certificate operations. It took two days.

If you do not tidy up the official .sh scripts, the official file names used in the command-line arguments make it very easy to confuse yourself.

Keeping the behaviour identical to the official implementation, I renamed the files to names I can understand and added comments, so later I can tell what each command line does.

Notes

The official experiment flow

First run mkcerts.sh to create all the certificates the later steps operate on.

Then run ocsprun.sh to start the OCSP responder.

Finally run ocspquery.sh to query certificate validity.

Running mkcerts.sh once just to see it go means 27 operations and a pile of output; you cannot tell what the .sh actually did.

Likewise ocspquery.sh has 4 operations; run once, you learn nothing.

So to understand what these three .sh scripts demonstrate, every command line in them has to be run separately, and after each one you look at what it produced.

mkcerts.sh - annotated

```bash
#!/bin/sh

# \file mkcerts.sh

OPENSSL=./openssl
OPENSSL_CONF=./openssl.cnf
export OPENSSL_CONF

# Note: rsa:1024 end-entity keys and -md sha1 are what the official demo uses and are kept
# here so the results match it; both are legacy choices, so use rsa:2048 or larger and
# sha256 for anything beyond this experiment.

# Root CA: create certificate directly
# a1_create_certificate_directly.cmd
# Generate the test root certificate; private key and certificate both land in one file (.pem)
# %OPENSSL%                req -config ca.cnf -x509 -nodes -keyout root_ca.pem -out root_ca.pem -newkey rsa:2048 -days 3650 > opt_log_A1.txt 2>&1
CN="Test Root CA" $OPENSSL req -config ca.cnf -x509 -nodes -keyout root.pem    -out root.pem    -newkey rsa:2048 -days 3650

# Intermediate CA: request first
# a2_Intermediate_CA_request_first.cmd
# Intermediate CA certificate - request
# %OPENSSL%                        req -config ca.cnf -nodes -keyout inter_ca_priv_key.pem -out inter_ca_req.pem -newkey rsa:2048 > opt_log_A2.txt 2>&1
CN="Test Intermediate CA" $OPENSSL req -config ca.cnf -nodes -keyout intkey.pem            -out intreq.pem       -newkey rsa:2048

# Sign request: CA extensions
# a3_Sign_request_CA_extensions.cmd
# Intermediate CA certificate request - sign it (root.pem holds both the root key and certificate, so no -CAkey is needed)
# %OPENSSL% x509 -req -in inter_ca_req.pem -CA root_ca.pem -days 3600 -extfile ca.cnf -extensions v3_ca -CAcreateserial -out inter_ca_req_sign.pem > opt_log_A3.txt 2>&1
$OPENSSL    x509 -req -in intreq.pem       -CA root.pem    -days 3600 -extfile ca.cnf -extensions v3_ca -CAcreateserial -out intca.pem

# Server certificate: create request first
# a4_Server_certificate_create_request_first.cmd
# Server certificate request
# %OPENSSL%                    req -config ca.cnf -nodes -keyout server_priv_key.pem -out server_req.pem -newkey rsa:1024 > opt_log_A4.txt 2>&1
CN="Test Server Cert" $OPENSSL req -config ca.cnf -nodes -keyout skey.pem            -out req.pem        -newkey rsa:1024

# Sign request: end entity extensions
# a5_Sign_request_end_entity_extensions.cmd
# Sign the server certificate request
# %OPENSSL% x509 -req -in server_req.pem -CA inter_ca_req_sign.pem -CAkey inter_ca_priv_key.pem -days 3600 -extfile ca.cnf -extensions usr_cert -CAcreateserial -out server_req_sign.pem > opt_log_A5.txt 2>&1
$OPENSSL    x509 -req -in req.pem        -CA intca.pem             -CAkey intkey.pem            -days 3600 -extfile ca.cnf -extensions usr_cert -CAcreateserial -out server.pem

# Client certificate: request first
# a6_Client_certificate_request_first.cmd
# Client certificate request
# %OPENSSL%                    req -config ca.cnf -nodes -keyout client_priv_key.pem -out client_req.pem -newkey rsa:1024 > opt_log_A6.txt 2>&1
CN="Test Client Cert" $OPENSSL req -config ca.cnf -nodes -keyout ckey.pem            -out creq.pem       -newkey rsa:1024

# Sign using intermediate CA
# a7_Sign_using_intermediate_CA.cmd
# Sign the client certificate request with the intermediate CA
# %OPENSSL% x509 -req -in client_req.pem -CA inter_ca_req_sign.pem -CAkey inter_ca_priv_key.pem -days 3600 -extfile ca.cnf -extensions usr_cert -CAcreateserial -out client_req_sign.pem > opt_log_A7.txt 2>&1
$OPENSSL    x509 -req -in creq.pem       -CA intca.pem             -CAkey intkey.pem            -days 3600 -extfile ca.cnf -extensions usr_cert -CAcreateserial -out client.pem

# Revoked certificate: request first
# a8_Revoked_certificate_request_first.cmd
# Request for the certificate that will be revoked later
# %OPENSSL%                     req -config ca.cnf -nodes -keyout revoke_priv_key.pem -out revoke_req.pem -newkey rsa:1024 > opt_log_A8.txt 2>&1
CN="Test Revoked Cert" $OPENSSL req -config ca.cnf -nodes -keyout revkey.pem          -out rreq.pem       -newkey rsa:1024

# Sign using intermediate CA
# a9_Sign_using_intermediate_CA.cmd
# Sign the request for the to-be-revoked certificate
# %OPENSSL% x509 -req -in revoke_req.pem -CA inter_ca_req_sign.pem -CAkey inter_ca_priv_key.pem -days 3600 -extfile ca.cnf -extensions usr_cert -CAcreateserial -out revoke_req_sign.pem > opt_log_A9.txt 2>&1
$OPENSSL    x509 -req -in rreq.pem       -CA intca.pem              -CAkey intkey.pem           -days 3600 -extfile ca.cnf -extensions usr_cert -CAcreateserial -out rev.pem

# OCSP responder certificate: request first
# a10_OCSP_responder_certificate_request_first.cmd
# OCSP responder certificate request
# %OPENSSL%                            req -config ca.cnf -nodes -keyout ocsp_priv_key.pem -out ocsp_req.pem -newkey rsa:1024 > opt_log_A10.txt 2>&1
CN="Test OCSP Responder Cert" $OPENSSL req -config ca.cnf -nodes -keyout respkey.pem       -out respreq.pem  -newkey rsa:1024

# Sign using intermediate CA and responder extensions
# a11_Sign_using_intermediate_CA_and_responder_extensions.cmd
# Sign the OCSP responder certificate request (ocsp_cert extensions give it the OCSP signing EKU)
# %OPENSSL% x509 -req -in ocsp_req.pem -CA inter_ca_req_sign.pem -CAkey inter_ca_priv_key.pem -days 3600 -extfile ca.cnf -extensions ocsp_cert -CAcreateserial -out ocsp_req_sign.pem > opt_log_A11.txt 2>&1
$OPENSSL    x509 -req -in respreq.pem  -CA intca.pem             -CAkey intkey.pem            -days 3600 -extfile ca.cnf -extensions ocsp_cert -CAcreateserial -out resp.pem

# Example creating a PKCS#3 DH certificate.

# First DH parameters
# a12_First_DH_parameters.cmd
# Generate the DH parameter file used by the DH certificates
# %OPENSSL%                genpkey -genparam -algorithm DH -pkeyopt dh_paramgen_prime_len:1024 -out dh_param.pem > opt_log_A12.txt 2>&1
[ -f dhp.pem ] || $OPENSSL genpkey -genparam -algorithm DH -pkeyopt dh_paramgen_prime_len:1024 -out dhp.pem

# Now a DH private key
# a13_Now_a_DH_private_key.cmd
# Generate the DH private key for the server DH certificate
# %OPENSSL% genpkey -paramfile dh_param.pem -out dh_priv_key.pem > opt_log_A13.txt 2>&1
$OPENSSL    genpkey -paramfile dhp.pem      -out dhskey.pem

# Create DH public key file
# a14_Create_DH_public_key_file.cmd
# Extract the DH public key for the server DH certificate
# %OPENSSL% pkey -in dh_priv_key.pem -pubout -out dh_pub_key.pem > opt_log_A14.txt 2>&1
$OPENSSL  pkey -in dhskey.pem      -pubout -out dhspub.pem

# Certificate request, key just reuses old one as it is ignored when the request is signed
# a15_dh_cert_req.cmd
# DH certificate request (a DH key cannot sign a CSR, so the server RSA key signs it; the DH public key is substituted in the next step)
# %OPENSSL%                       req -config ca.cnf -new -key server_priv_key.pem -out dh_req.pem > opt_log_A15.txt 2>&1
CN="Test Server DH Cert" $OPENSSL req -config ca.cnf -new -key skey.pem -out dhsreq.pem

# Sign request: end entity DH extensions
# a16_Sign_dh_req.cmd
# Sign the DH certificate request; -force_pubkey puts the DH public key into the certificate instead of the CSR's RSA key
# %OPENSSL% x509 -req -in dh_req.pem -CA root_ca.pem -days 3600 -force_pubkey dh_pub_key.pem -extfile ca.cnf -extensions dh_cert -CAcreateserial -out dh_req_sign.pem > opt_log_A16.txt 2>&1
$OPENSSL    x509 -req -in dhsreq.pem -CA root.pem    -days 3600 -force_pubkey dhspub.pem     -extfile ca.cnf -extensions dh_cert -CAcreateserial -out dhserver.pem

# DH client certificate
# a17_gen_dh_client_priv_key.cmd
# Generate the DH client private key
# %OPENSSL% genpkey -paramfile dh_param.pem -out dh_client_priv_key.pem > opt_log_A17.txt 2>&1
$OPENSSL    genpkey -paramfile dhp.pem      -out dhckey.pem

# a18_gen_dh_client_pub_key.cmd
# Extract the DH client public key
# %OPENSSL% pkey -in dh_client_priv_key.pem -pubout -out dh_client_pub_key.pem > opt_log_A18.txt 2>&1
$OPENSSL    pkey -in dhckey.pem             -pubout -out dhcpub.pem

# a19_dh_clint_cert_req.cmd
# DH client certificate request (again signed with the server RSA key, see a15)
# %OPENSSL%                       req -config ca.cnf -new -key server_priv_key.pem -out dh_client_req.pem > opt_log_A19.txt 2>&1
CN="Test Client DH Cert" $OPENSSL req -config ca.cnf -new -key skey.pem            -out dhcreq.pem

# a20_dh_client_cert_sign.cmd
# Sign the DH client certificate request
# %OPENSSL% x509 -req -in dh_client_req.pem -CA root_ca.pem -days 3600 -force_pubkey dh_client_pub_key.pem -extfile ca.cnf -extensions dh_cert -CAcreateserial -out dh_client_req_sign.pem > opt_log_A20.txt 2>&1
$OPENSSL    x509 -req -in dhcreq.pem        -CA root.pem    -days 3600 -force_pubkey dhcpub.pem            -extfile ca.cnf -extensions dh_cert -CAcreateserial -out dhclient.pem

# Examples of CRL generation without the need to use 'ca' to issue certificates.
# Create zero length index file
# a21_gen_crl_without_ca.cmd
# Set up the database the local CA needs (an empty index.txt and a crlnum.txt containing 01)
>index.txt
# Create initial crl number file
echo 01 >crlnum.txt

# Add entries for server and client certs
# a22_add_cert_sha1_server.cmd
# Register the server certificate in the local CA database (write its entry into index.txt)
# %OPENSSL% ca -valid server_req_sign.pem -keyfile root_ca.pem -cert root_ca.pem -config ca.cnf -md sha1 > opt_log_A22.txt 2>&1
$OPENSSL    ca -valid server.pem          -keyfile root.pem    -cert root.pem    -config ca.cnf -md sha1

# a23_add_cert_sha1_client.cmd
# Register the client certificate in the local CA database (write its entry into index.txt)
# %OPENSSL% ca -valid client_req_sign.pem -keyfile root_ca.pem -cert root_ca.pem -config ca.cnf -md sha1 > opt_log_A23.txt 2>&1
$OPENSSL    ca -valid client.pem          -keyfile root.pem    -cert root.pem    -config ca.cnf -md sha1

# a24_add_cert_sha1_revoke.cmd
# Register the to-be-revoked certificate in the local database (write its entry into index.txt)
# %OPENSSL% ca -valid revoke_req_sign.pem -keyfile root_ca.pem -cert root_ca.pem -config ca.cnf -md sha1 > opt_log_A24.txt 2>&1
$OPENSSL    ca -valid rev.pem             -keyfile root.pem    -cert root.pem    -config ca.cnf -md sha1

# Generate a CRL.
# a25_gen_crl.cmd
# Generate the certificate revocation list (empty at this point: nothing has been revoked yet)
# %OPENSSL% ca -gencrl -keyfile root_ca.pem -cert root_ca.pem -config ca.cnf -md sha1 -crldays 1 -out crl_cert_list.pem > opt_log_A25.txt 2>&1
$OPENSSL    ca -gencrl -keyfile root.pem    -cert root.pem    -config ca.cnf -md sha1 -crldays 1 -out crl1.pem

# Revoke a certificate
# a26_revoke_cert.cmd
# Revoke one certificate (marks its index.txt line as R with the time and reason)
# %OPENSSL% ca -revoke revoke_req_sign.pem -crl_reason superseded -keyfile root_ca.pem -cert root_ca.pem -config ca.cnf -md sha1 > opt_log_A26.txt 2>&1
$OPENSSL    ca -revoke rev.pem             -crl_reason superseded -keyfile root.pem    -cert root.pem    -config ca.cnf -md sha1

# Generate another CRL
# a27_gen_crl_new_one.cmd
# After revoking a certificate, a new CRL must be generated so other applications can check whether a certificate is revoked.
# In real use the CRL keeps the same file name; this is an experiment, so the file gets a new name to show it is the CRL regenerated after the revocation.
# %OPENSSL% ca -gencrl -keyfile root_ca.pem -cert root_ca.pem -config ca.cnf -md sha1 -crldays 1 -out crl_cert_list_1.pem > opt_log_A27.txt 2>&1
$OPENSSL    ca -gencrl -keyfile root.pem    -cert root.pem    -config ca.cnf -md sha1 -crldays 1 -out crl2.pem
```

ocsprun.sh - annotated

```bash
#!/bin/sh
# Example of running and querying the OpenSSL test OCSP responder.
# This assumes "mkcerts.sh" or similar has been run to set up the
# necessary file structure.

OPENSSL=../../apps/openssl
OPENSSL_CONF=../../apps/openssl.cnf
export OPENSSL_CONF

# Run OCSP responder.
# -index index.txt  : the CA database built by mkcerts.sh; certificate status is answered from it
# -CA intca.pem     : issuer of the certificates whose status is being asked about
# -rsigner/-rkey    : the responder certificate (ocsp_cert extensions) and its private key
# -rother intca.pem : extra certificate sent in responses so clients can build the responder's chain

PORT=8888

# %OPENSSL% ocsp -port %PORT% -index index.txt -CA inter_ca_req_sign.pem -rsigner ocsp_req_sign.pem  -rkey ocsp_priv_key.pem -rother inter_ca_req_sign.pem
$OPENSSL    ocsp -port $PORT  -index index.txt -CA intca.pem             -rsigner resp.pem           -rkey respkey.pem       -rother intca.pem "$@"
```

ocspquery.sh - annotated

```bash
#!/bin/sh
# Example querying OpenSSL test responder. Assumes ocsprun.sh has been
# called.

OPENSSL=../../apps/openssl
OPENSSL_CONF=../../apps/openssl.cnf
export OPENSSL_CONF

# Send responder queries for each certificate.
# -issuer intca.pem : issuer of the queried certificate (needed to build the OCSP CertID)
# -CAfile root.pem  : trust anchor used to verify the responder's signature

echo "Requesting OCSP status for each certificate"
# query1.cmd
# %OPENSSL% ocsp -issuer inter_ca_req_sign.pem  -cert client_req_sign.pem -CAfile root_ca.pem -url http://127.0.0.1:8888/ > opt_log_query1.txt 2>&1
$OPENSSL    ocsp -issuer intca.pem              -cert client.pem          -CAfile root.pem    -url http://127.0.0.1:8888/

# query2.cmd
# %OPENSSL% ocsp -issuer inter_ca_req_sign.pem  -cert server_req_sign.pem -CAfile root_ca.pem -url http://127.0.0.1:8888/ > opt_log_query2.txt 2>&1
$OPENSSL    ocsp -issuer intca.pem              -cert server.pem          -CAfile root.pem    -url http://127.0.0.1:8888/

# query3.cmd (this one is expected to come back "revoked", since a26 revoked rev.pem)
# %OPENSSL% ocsp -issuer inter_ca_req_sign.pem  -cert revoke_req_sign.pem -CAfile root_ca.pem -url http://127.0.0.1:8888/ > opt_log_query3.txt 2>&1
$OPENSSL    ocsp -issuer intca.pem              -cert rev.pem             -CAfile root.pem    -url http://127.0.0.1:8888/

# One query for all three certificates.
echo "Requesting OCSP status for three certificates in one request"
# %OPENSSL% ocsp -issuer inter_ca_req_sign.pem  -cert client_req_sign.pem -cert server_req_sign.pem -cert revoke_req_sign.pem -CAfile root_ca.pem -url http://127.0.0.1:8888/ > opt_log_query_all.txt 2>&1
$OPENSSL    ocsp -issuer intca.pem              -cert client.pem          -cert server.pem          -cert rev.pem             -CAfile root.pem -url http://127.0.0.1:8888/
```

The 27 .bat files extracted from mkcerts.sh

a1_create_certificate_directly.cmd

```bat
@echo off
rem \file a1_create_certificate_directly.cmd

set OPENSSL=.\openssl
set OPENSSL_CONF=.\openssl.cnf

rem Root CA: create certificate directly
set CN="Test Root CA"

rem # Generate the test root certificate; private key and certificate both land in one file (.pem)

%OPENSSL% req -config ca.cnf -x509 -nodes -keyout root_ca.pem -out root_ca.pem -newkey rsa:2048 -days 3650 > opt_log_A1.txt 2>&1
```

a2_Intermediate_CA_request_first.cmd

```bat
@echo off
rem \file a2_Intermediate_CA_request_first.cmd

set OPENSSL=.\openssl
set OPENSSL_CONF=.\openssl.cnf

rem Intermediate CA: request first
set CN="Test Intermediate CA"

rem # Intermediate CA certificate - request

%OPENSSL% req -config ca.cnf -nodes -keyout inter_ca_priv_key.pem -out inter_ca_req.pem -newkey rsa:2048 > opt_log_A2.txt 2>&1
```

a3_Sign_request_CA_extensions.cmd

```bat
@echo off
rem \file a3_Sign_request_CA_extensions.cmd

set OPENSSL=.\openssl
set OPENSSL_CONF=.\openssl.cnf

rem Sign request: CA extensions
rem # Intermediate CA certificate request - sign it
rem # root_ca.pem holds both the root key and certificate, so no -CAkey is needed here

%OPENSSL% x509 -req -in inter_ca_req.pem -CA root_ca.pem -days 3600 -extfile ca.cnf -extensions v3_ca -CAcreateserial -out inter_ca_req_sign.pem > opt_log_A3.txt 2>&1
```

a4_Server_certificate_create_request_first.cmd

```bat
@echo off
rem \file a4_Server_certificate_create_request_first.cmd

set OPENSSL=.\openssl
set OPENSSL_CONF=.\openssl.cnf

rem Server certificate: create request first
set CN="Test Server Cert"

rem # Server certificate request

rem # Apart from the root CA, every other CA/server keeps its private key and certificate in separate files, not in one .pem

%OPENSSL% req -config ca.cnf -nodes -keyout server_priv_key.pem -out server_req.pem -newkey rsa:1024 > opt_log_A4.txt 2>&1
```

a5_Sign_request_end_entity_extensions.cmd

```bat
@echo off
rem \file a5_Sign_request_end_entity_extensions.cmd

set OPENSSL=.\openssl
set OPENSSL_CONF=.\openssl.cnf

rem Sign request: end entity extensions
rem # Sign the server certificate request

%OPENSSL% x509 -req -in server_req.pem -CA inter_ca_req_sign.pem -CAkey inter_ca_priv_key.pem -days 3600 ^
-extfile ca.cnf -extensions usr_cert -CAcreateserial -out server_req_sign.pem > opt_log_A5.txt 2>&1
```

a6_Client_certificate_request_first.cmd

```bat
@echo off
rem \file a6_Client_certificate_request_first.cmd

set OPENSSL=.\openssl
set OPENSSL_CONF=.\openssl.cnf
rem echo OPENSSL_CONF = %OPENSSL_CONF%

rem Client certificate: request first
set CN="Test Client Cert"

rem # Client certificate request

%OPENSSL% req -config ca.cnf -nodes -keyout client_priv_key.pem -out client_req.pem -newkey rsa:1024 > opt_log_A6.txt 2>&1
```

a7_Sign_using_intermediate_CA.cmd

```bat
@echo off
rem \file a7_Sign_using_intermediate_CA.cmd

set OPENSSL=.\openssl
set OPENSSL_CONF=.\openssl.cnf

rem Sign using intermediate CA
rem # Sign the client certificate request with the intermediate CA

%OPENSSL% x509 -req -in client_req.pem -CA inter_ca_req_sign.pem -CAkey inter_ca_priv_key.pem -days 3600 -extfile ca.cnf -extensions usr_cert -CAcreateserial -out client_req_sign.pem > opt_log_A7.txt 2>&1
```

a8_Revoked_certificate_request_first.cmd

```bat
@echo off
rem \file a8_Revoked_certificate_request_first.cmd

set OPENSSL=.\openssl
set OPENSSL_CONF=.\openssl.cnf

rem Revoked certificate: request first
set CN="Test Revoked Cert"

rem # Request for the certificate that will be revoked later

%OPENSSL% req -config ca.cnf -nodes -keyout revoke_priv_key.pem -out revoke_req.pem -newkey rsa:1024 > opt_log_A8.txt 2>&1
```

a9_Sign_using_intermediate_CA.cmd

```bat
@echo off
rem \file a9_Sign_using_intermediate_CA.cmd

set OPENSSL=.\openssl
set OPENSSL_CONF=.\openssl.cnf

rem Sign using intermediate CA
rem # Sign the request for the to-be-revoked certificate

%OPENSSL% x509 -req -in revoke_req.pem -CA inter_ca_req_sign.pem -CAkey inter_ca_priv_key.pem -days 3600 -extfile ca.cnf -extensions usr_cert -CAcreateserial -out revoke_req_sign.pem > opt_log_A9.txt 2>&1
```

a10_OCSP_responder_certificate_request_first.cmd

```bat
@echo off
rem \file a10_OCSP_responder_certificate_request_first.cmd

set OPENSSL=.\openssl
set OPENSSL_CONF=.\openssl.cnf

rem OCSP responder certificate: request first
set CN="Test OCSP Responder Cert"

rem # OCSP responder certificate request

%OPENSSL% req -config ca.cnf -nodes -keyout ocsp_priv_key.pem -out ocsp_req.pem -newkey rsa:1024 > opt_log_A10.txt 2>&1
```

a11_Sign_using_intermediate_CA_and_responder_extensions.cmd

```bat
@echo off
rem \file a11_Sign_using_intermediate_CA_and_responder_extensions.cmd

set OPENSSL=.\openssl
set OPENSSL_CONF=.\openssl.cnf

rem Sign using intermediate CA and responder extensions
rem # Sign the OCSP responder certificate request (ocsp_cert extensions give it the OCSP signing EKU)

%OPENSSL% x509 -req -in ocsp_req.pem -CA inter_ca_req_sign.pem -CAkey inter_ca_priv_key.pem -days 3600 -extfile ca.cnf -extensions ocsp_cert -CAcreateserial -out ocsp_req_sign.pem > opt_log_A11.txt 2>&1
```

a12_First_DH_parameters.cmd

```bat
@echo off
rem \file a12_First_DH_parameters.cmd

set OPENSSL=.\openssl
set OPENSSL_CONF=.\openssl.cnf

rem echo OPENSSL_CONF = %OPENSSL_CONF%
rem First DH parameters

rem delete any stale parameter file first (the .sh version instead skips generation when dhp.pem already exists)
del /Q .\dh_param.pem > nul 2>&1
rem # Generate the DH parameter file used by the DH certificates

%OPENSSL% genpkey -genparam -algorithm DH -pkeyopt dh_paramgen_prime_len:1024 -out dh_param.pem > opt_log_A12.txt 2>&1
```

a13_Now_a_DH_private_key.cmd

```bat
@echo off
rem \file a13_Now_a_DH_private_key.cmd

set OPENSSL=.\openssl
set OPENSSL_CONF=.\openssl.cnf

rem Now a DH private key
rem # Generate the DH private key for the server DH certificate

%OPENSSL% genpkey -paramfile dh_param.pem -out dh_priv_key.pem > opt_log_A13.txt 2>&1
```

a14_Create_DH_public_key_file.cmd

```bat
@echo off
rem \file a14_Create_DH_public_key_file.cmd

set OPENSSL=.\openssl
set OPENSSL_CONF=.\openssl.cnf

rem Create DH public key file
rem # Extract the DH public key for the server DH certificate

%OPENSSL% pkey -in dh_priv_key.pem -pubout -out dh_pub_key.pem > opt_log_A14.txt 2>&1
```

a15_dh_cert_req.cmd

```bat
@echo off
rem \file a15_dh_cert_req.cmd

set OPENSSL=.\openssl
set OPENSSL_CONF=.\openssl.cnf

rem Certificate request, key just reuses old one as it is ignored when the request is signed

set CN="Test Server DH Cert"

rem The key used here must be the server certificate's private key, not the DH private key, otherwise openssl errors out:
rem a DH key cannot sign the CSR; the DH public key is substituted when the certificate is signed (a16, -force_pubkey)

rem # DH certificate request

%OPENSSL% req -config ca.cnf -new -key server_priv_key.pem -out dh_req.pem > opt_log_A15.txt 2>&1
```

a16_Sign_dh_req.cmd

```bat
@echo off
rem \file a16_Sign_dh_req.cmd

set OPENSSL=.\openssl
set OPENSSL_CONF=.\openssl.cnf

rem Sign request: end entity DH extensions
rem # Sign the DH certificate request

rem The request was signed with the server RSA key (see a15); -force_pubkey puts the DH public key into the issued certificate instead

%OPENSSL% x509 -req -in dh_req.pem -CA root_ca.pem -days 3600 -force_pubkey dh_pub_key.pem -extfile ca.cnf -extensions dh_cert -CAcreateserial -out dh_req_sign.pem > opt_log_A16.txt 2>&1
```

a17_gen_dh_client_priv_key.cmd

```bat
@echo off
rem \file a17_gen_dh_client_priv_key.cmd

set OPENSSL=.\openssl
set OPENSSL_CONF=.\openssl.cnf

rem DH client certificate
rem # Generate the DH client private key

%OPENSSL% genpkey -paramfile dh_param.pem -out dh_client_priv_key.pem > opt_log_A17.txt 2>&1
```

a18_gen_dh_client_pub_key.cmd

```bat
@echo off
rem \file a18_gen_dh_client_pub_key.cmd

set OPENSSL=.\openssl
set OPENSSL_CONF=.\openssl.cnf

rem DH client certificate
rem # Extract the DH client public key

%OPENSSL% pkey -in dh_client_priv_key.pem -pubout -out dh_client_pub_key.pem > opt_log_A18.txt 2>&1
```

a19_dh_clint_cert_req.cmd

```bat
@echo off
rem \file a19_dh_clint_cert_req.cmd

set OPENSSL=.\openssl
set OPENSSL_CONF=.\openssl.cnf

rem echo OPENSSL_CONF = %OPENSSL_CONF%
rem DH client certificate

set CN="Test Client DH Cert"

rem # DH client certificate request (signed with the server RSA key for the same reason as in a15)

%OPENSSL% req -config ca.cnf -new -key server_priv_key.pem -out dh_client_req.pem > opt_log_A19.txt 2>&1
```

a20_dh_client_cert_sign.cmd

```bat
@echo off
rem \file a20_dh_client_cert_sign.cmd

set OPENSSL=.\openssl
set OPENSSL_CONF=.\openssl.cnf

rem DH client certificate
rem # Sign the DH client certificate request (-force_pubkey substitutes the DH client public key)

%OPENSSL% x509 -req -in dh_client_req.pem -CA root_ca.pem -days 3600 -force_pubkey dh_client_pub_key.pem -extfile ca.cnf -extensions dh_cert -CAcreateserial -out dh_client_req_sign.pem > opt_log_A20.txt 2>&1
```

a21_gen_crl_without_ca.cmd

```bat
@echo off
rem \file a21_gen_crl_without_ca.cmd

set OPENSSL=.\openssl
set OPENSSL_CONF=.\openssl.cnf

rem # Examples of CRL generation without the need to use 'ca' to issue certificates.
rem # Set up the database the local CA needs (an empty index.txt and a crlnum.txt containing 01)

rem # Create zero length index file
rem # "cd." with redirection writes nothing, so it creates an empty file (batch equivalent of ">index.txt")

cd. > index.txt

rem # Create initial crl number file

echo 01 > crlnum.txt
```

a22_add_cert_sha1_server.cmd

```bat
@echo off
rem \file a22_add_cert_sha1_server.cmd

set OPENSSL=.\openssl
set OPENSSL_CONF=.\openssl.cnf

rem Add entries for server and client certs

rem # Register the server certificate in the local CA database (write its entry into index.txt)

%OPENSSL% ca -valid server_req_sign.pem -keyfile root_ca.pem -cert root_ca.pem -config ca.cnf -md sha1 > opt_log_A22.txt 2>&1
```

a23_add_cert_sha1_client.cmd

```bat
@echo off
rem \file a23_add_cert_sha1_client.cmd

set OPENSSL=.\openssl
set OPENSSL_CONF=.\openssl.cnf

rem Add entries for server and client certs
rem # Register the client certificate in the local CA database (write its entry into index.txt)

%OPENSSL% ca -valid client_req_sign.pem -keyfile root_ca.pem -cert root_ca.pem -config ca.cnf -md sha1 > opt_log_A23.txt 2>&1
```

a24_add_cert_sha1_revoke.cmd

```bat
@echo off
rem \file a24_add_cert_sha1_revoke.cmd

set OPENSSL=.\openssl
set OPENSSL_CONF=.\openssl.cnf

rem Add entry for the certificate that will be revoked
rem # Register the to-be-revoked certificate in the local database (write its entry into index.txt)

%OPENSSL% ca -valid revoke_req_sign.pem -keyfile root_ca.pem -cert root_ca.pem -config ca.cnf -md sha1 > opt_log_A24.txt 2>&1
```

a25_gen_crl.cmd

```bat
@echo off
rem \file a25_gen_crl.cmd

set OPENSSL=.\openssl
set OPENSSL_CONF=.\openssl.cnf

rem Generate a CRL.
rem # Generate the certificate revocation list (still empty: nothing has been revoked yet)

%OPENSSL% ca -gencrl -keyfile root_ca.pem -cert root_ca.pem -config ca.cnf -md sha1 -crldays 1 -out crl_cert_list.pem > opt_log_A25.txt 2>&1
```

a26_revoke_cert.cmd

```bat
@echo off
rem \file a26_revoke_cert.cmd

set OPENSSL=.\openssl
set OPENSSL_CONF=.\openssl.cnf

rem Revoke a certificate
rem # Revoke one certificate (its index.txt line changes from V to R, with the time and the reason "superseded")

%OPENSSL% ca -revoke revoke_req_sign.pem -crl_reason superseded -keyfile root_ca.pem -cert root_ca.pem -config ca.cnf -md sha1 > opt_log_A26.txt 2>&1
```

a27_gen_crl_new_one.cmd

```bat
@echo off
rem \file a27_gen_crl_new_one.cmd

set OPENSSL=.\openssl
set OPENSSL_CONF=.\openssl.cnf

rem Generate another CRL

rem # After revoking a certificate, a new CRL must be generated so other applications can check whether a certificate is revoked.

rem # In real use the CRL keeps the same file name; this is an experiment, so the file gets a new name to show it is the CRL regenerated after the revocation.

%OPENSSL% ca -gencrl -keyfile root_ca.pem -cert root_ca.pem -config ca.cnf -md sha1 -crldays 1 -out crl_cert_list_1.pem > opt_log_A27.txt 2>&1
```

run_ax_bat.cmd

Simulates mkcerts.sh by calling all 27 individual .bat files in turn.

```bat
call a1_create_certificate_directly.cmd
call a2_Intermediate_CA_request_first.cmd
call a3_Sign_request_CA_extensions.cmd
call a4_Server_certificate_create_request_first.cmd
call a5_Sign_request_end_entity_extensions.cmd
call a6_Client_certificate_request_first.cmd
call a7_Sign_using_intermediate_CA.cmd
call a8_Revoked_certificate_request_first.cmd
call a9_Sign_using_intermediate_CA.cmd
call a10_OCSP_responder_certificate_request_first.cmd
call a11_Sign_using_intermediate_CA_and_responder_extensions.cmd
call a12_First_DH_parameters.cmd
call a13_Now_a_DH_private_key.cmd
call a14_Create_DH_public_key_file.cmd
call a15_dh_cert_req.cmd
call a16_Sign_dh_req.cmd
call a17_gen_dh_client_priv_key.cmd
call a18_gen_dh_client_pub_key.cmd
call a19_dh_clint_cert_req.cmd
call a20_dh_client_cert_sign.cmd
call a21_gen_crl_without_ca.cmd
call a22_add_cert_sha1_server.cmd
call a23_add_cert_sha1_client.cmd
call a24_add_cert_sha1_revoke.cmd
call a25_gen_crl.cmd
call a26_revoke_cert.cmd
call a27_gen_crl_new_one.cmd
ECHO END
pause
```

The 1 .bat file extracted from ocsprun.sh

ocsprun.cmd

```bat
@echo off

rem \file ocsprun.cmd

rem # Example of running and querying the OpenSSL test OCSP responder.
rem # This assumes "mkcerts.sh" or similar has been run to set up the
rem # necessary file structure.

set OPENSSL=.\openssl
set OPENSSL_CONF=.\openssl.cnf

rem # Run OCSP responder (certificate status is answered from the index.txt built in a21-a26).

set PORT=8888

%OPENSSL% ocsp -port %PORT% -index index.txt -CA inter_ca_req_sign.pem -rsigner ocsp_req_sign.pem  -rkey ocsp_priv_key.pem -rother inter_ca_req_sign.pem
```

The 4 .bat files extracted from ocspquery.sh

query1.cmd

```bat
@echo off
rem \file query1.cmd

set OPENSSL=.\openssl
set OPENSSL_CONF=.\openssl.cnf
rem echo OPENSSL_CONF = %OPENSSL_CONF%

rem Query the responder for the client certificate

@echo "Requesting OCSP status for each certificate"
%OPENSSL% ocsp -issuer inter_ca_req_sign.pem  -cert client_req_sign.pem -CAfile root_ca.pem -url http://127.0.0.1:8888/ > opt_log_query1.txt 2>&1
```

query2.cmd

```bat
@echo off
rem \file query2.cmd

set OPENSSL=.\openssl
set OPENSSL_CONF=.\openssl.cnf
rem echo OPENSSL_CONF = %OPENSSL_CONF%

rem Query the responder for the server certificate

@echo "Requesting OCSP status for each certificate"
%OPENSSL% ocsp -issuer inter_ca_req_sign.pem  -cert server_req_sign.pem -CAfile root_ca.pem -url http://127.0.0.1:8888/ > opt_log_query2.txt 2>&1
```

query3.cmd

```bat
@echo off
rem \file query3.cmd

set OPENSSL=.\openssl
set OPENSSL_CONF=.\openssl.cnf
rem echo OPENSSL_CONF = %OPENSSL_CONF%

rem Query the responder for the revoked certificate (expected answer: revoked)

@echo "Requesting OCSP status for each certificate"
%OPENSSL% ocsp -issuer inter_ca_req_sign.pem  -cert revoke_req_sign.pem -CAfile root_ca.pem -url http://127.0.0.1:8888/ > opt_log_query3.txt 2>&1
```

query_all.cmd

```bat
@echo off
rem \file query_all.cmd

set OPENSSL=.\openssl
set OPENSSL_CONF=.\openssl.cnf
rem echo OPENSSL_CONF = %OPENSSL_CONF%

rem One query for all three certificates

@echo "Requesting OCSP status for three certificates in one request"
%OPENSSL% ocsp -issuer inter_ca_req_sign.pem  -cert client_req_sign.pem -cert server_req_sign.pem -cert revoke_req_sign.pem -CAfile root_ca.pem -url http://127.0.0.1:8888/ > opt_log_query_all.txt 2>&1
```

Remarks

Even issuing a single certificate takes more than one openssl.exe command line.

Here the official certificate operations are grouped by category, with notes.

Generate the test root CA certificate

a1_create_certificate_directly.cmd does it in one step: it produces the root CA's certificate and private key.

Generate the second-level CA (intermediate CA)

a2_Intermediate_CA_request_first.cmd intermediate CA certificate - request: produces the intermediate CA's private key and request

a3_Sign_request_CA_extensions.cmd intermediate CA certificate request - sign: signs the request, producing the final intermediate CA certificate

The application server's certificate

a4_Server_certificate_create_request_first.cmd server certificate request: produces the server certificate's private key and request.

a5_Sign_request_end_entity_extensions.cmd signs the server certificate request, giving the final usable server certificate

The client's certificate

a6_Client_certificate_request_first.cmd client certificate request: produces the client certificate's private key and request

a7_Sign_using_intermediate_CA.cmd signs the client certificate request with the intermediate CA, producing the final usable client certificate.

The certificate used for the revocation demo

a8_Revoked_certificate_request_first.cmd request for the certificate to be revoked: produces its private key and request

a9_Sign_using_intermediate_CA.cmd signs that request, giving the certificate that the revocation demo operates on.

OCSP certificate

a10_OCSP_responder_certificate_request_first.cmd OCSP certificate request: gives the private key and request

a11_Sign_using_intermediate_CA_and_responder_extensions.cmd signs the OCSP certificate request, giving the final usable OCSP responder certificate

DH server certificate

a12_First_DH_parameters.cmd generates the DH parameter file

a13_Now_a_DH_private_key.cmd generates the DH private key

a14_Create_DH_public_key_file.cmd generates the DH public key

a15_dh_cert_req.cmd generates the DH certificate request

a16_Sign_dh_req.cmd signs the DH certificate request, giving the final usable DH server certificate

DH client certificate

a17_gen_dh_client_priv_key.cmd generates the DH client private key

a18_gen_dh_client_pub_key.cmd generates the DH client public key

a19_dh_clint_cert_req.cmd DH client certificate request

a20_dh_client_cert_sign.cmd signs the DH client certificate request, giving the final usable DH client certificate

Set up the database the local CA needs

a21_gen_crl_without_ca.cmd sets up the database the local CA needs (an empty index.txt and a crlnum.txt containing 01)

Register the server certificate in the local CA database

a22_add_cert_sha1_server.cmd registers the server certificate in the local CA database (writes the server certificate's entry into index.txt)

Register the client certificate in the local CA database

a23_add_cert_sha1_client.cmd registers the client certificate in the local CA database (writes the client certificate's entry into index.txt)

Register the certificate used for the revocation demo in the local database

a24_add_cert_sha1_revoke.cmd registers the to-be-revoked certificate in the local database (writes that certificate's entry into index.txt)

Generate the certificate revocation list

a25_gen_crl.cmd generates the CRL (after N new certificates are created, each must be registered in the database and then the CRL regenerated).

Revoke a certificate

a26_revoke_cert.cmd once a certificate is revoked, it is finished.

Generate (update) the certificate revocation list

a27_gen_crl_new_one.cmd after revoking a certificate, a new CRL has to be generated so other applications can verify whether a certificate is revoked. In real use the CRL keeps the same file name; this being an experiment, the file is given a new name to show that it is the CRL regenerated after the revocation.
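As an added illustration (not code from the OpenSSL demo or from the author's .bat files), here is a small Python model of the database that steps a21-a27 drive: it parses index.txt in the six-field layout `openssl ca` writes, replays `-valid`, `-revoke -crl_reason superseded` and `-gencrl` on constructed sample rows, and shows which serials land in the second CRL. Serial numbers, dates and subject names are made up for the example.

```python
"""Model of the local CA database behind a21-a27: index.txt (one line per
registered certificate) and crlnum.txt (next CRL number). Sample data is
constructed; this is an added illustration, not the OpenSSL demo's code."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class IndexEntry:
    status: str                 # V = valid, R = revoked, E = expired
    expiry: str                 # ASN.1 time, e.g. 330101000000Z
    revoked_at: Optional[str]   # None unless status is R
    reason: Optional[str]       # reason given to `ca -revoke -crl_reason`
    serial: str                 # hex serial number of the certificate
    filename: str               # "unknown" for certs registered with -valid
    subject: str                # subject DN in OpenSSL one-line form


def parse_index(text: str) -> list:
    """Parse index.txt: six tab-separated fields per line, as `openssl ca` writes it."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != 6:
            raise ValueError(f"index.txt line {lineno}: expected 6 fields, got {len(fields)}")
        status, expiry, rev, serial, filename, subject = fields
        if status not in ("V", "R", "E"):
            raise ValueError(f"index.txt line {lineno}: unknown status {status!r}")
        revoked_at = reason = None
        if rev:  # revocation field is "<time>" or "<time>,<reason>"
            revoked_at, _, reason = rev.partition(",")
            reason = reason or None
        if (status == "R") != (revoked_at is not None):
            raise ValueError(f"index.txt line {lineno}: status {status} disagrees with revocation field")
        entries.append(IndexEntry(status, expiry, revoked_at, reason, serial.upper(), filename, subject))
    return entries


def revoke(entries: list, serial: str, when: str, reason: Optional[str] = None) -> IndexEntry:
    """What `openssl ca -revoke <cert> -crl_reason <reason>` (a26) does to the database:
    the matching V line becomes R with the revocation time and reason filled in."""
    for e in entries:
        if e.serial == serial.upper():
            if e.status == "R":
                raise ValueError(f"serial {serial} is already revoked")
            e.status, e.revoked_at, e.reason = "R", when, reason
            return e
    raise KeyError(f"serial {serial} is not registered in index.txt")


def crl_entries(entries: list) -> list:
    """The revoked-certificate list that `openssl ca -gencrl` (a25/a27) would emit."""
    return [(e.serial, e.revoked_at, e.reason) for e in entries if e.status == "R"]


def render_index(entries: list) -> str:
    """Write the database back in the same six-field layout."""
    lines = []
    for e in entries:
        rev = "" if e.revoked_at is None else e.revoked_at + (f",{e.reason}" if e.reason else "")
        lines.append("\t".join([e.status, e.expiry, rev, e.serial, e.filename, e.subject]))
    return "\n".join(lines) + "\n"


def next_crl_number(crlnum_text: str) -> tuple:
    """crlnum.txt holds the next CRL number in hex; -gencrl uses it and stores the bumped value."""
    n = int(crlnum_text.strip(), 16)
    return n, f"{n + 1:02X}\n"


# Constructed index.txt after a22-a24 registered three certificates with `ca -valid`
# (serials, expiry dates and subjects are made up for this example).
SAMPLE_INDEX = (
    "V\t330101000000Z\t\t01\tunknown\t/CN=Test Server Cert\n"
    "V\t330101000000Z\t\t02\tunknown\t/CN=Test Client Cert\n"
    "V\t330101000000Z\t\t03\tunknown\t/CN=Test Revoked Cert\n"
)


def walk_through() -> list:
    """Replay a25 -> a26 -> a27 on the sample database; return the second CRL's contents."""
    db = parse_index(SAMPLE_INDEX)
    assert crl_entries(db) == []                      # a25: the first CRL is empty
    revoke(db, "03", "240105120000Z", "superseded")   # a26: revoke the demo certificate
    db = parse_index(render_index(db))                # round-trip through the on-disk format
    return crl_entries(db)                            # a27: the second CRL lists serial 03
```

Running `walk_through()` returns `[("03", "240105120000Z", "superseded")]`, which is exactly the difference between crl1.pem and crl2.pem in the demo.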

Files needed for the local experiment

```text
tree /A /F
D:.
    a10_OCSP_responder_certificate_request_first.cmd
    a11_Sign_using_intermediate_CA_and_responder_extensions.cmd
    a12_First_DH_parameters.cmd
    a13_Now_a_DH_private_key.cmd
    a14_Create_DH_public_key_file.cmd
    a15_dh_cert_req.cmd
    a16_Sign_dh_req.cmd
    a17_gen_dh_client_priv_key.cmd
    a18_gen_dh_client_pub_key.cmd
    a19_dh_clint_cert_req.cmd
    a1_create_certificate_directly.cmd
    a20_dh_client_cert_sign.cmd
    a21_gen_crl_without_ca.cmd
    a22_add_cert_sha1_server.cmd
    a23_add_cert_sha1_client.cmd
    a24_add_cert_sha1_revoke.cmd
    a25_gen_crl.cmd
    a26_revoke_cert.cmd
    a27_gen_crl_new_one.cmd
    a2_Intermediate_CA_request_first.cmd
    a3_Sign_request_CA_extensions.cmd
    a4_Server_certificate_create_request_first.cmd
    a5_Sign_request_end_entity_extensions.cmd
    a6_Client_certificate_request_first.cmd
    a7_Sign_using_intermediate_CA.cmd
    a8_Revoked_certificate_request_first.cmd
    a9_Sign_using_intermediate_CA.cmd
    ca.cnf
    libcrypto-3-x64.dll
    libssl-3-x64.dll
    mkcerts.sh
    ocspquery.sh
    ocsprun.cmd
    ocsprun.sh
    openssl.cnf
    openssl.exe
    query1.cmd
    query2.cmd
    query3.cmd
    query_all.cmd
    README.txt
    run_ax_bat.cmd
```

END
