openssl3.2 - helpdoc - P12 certificate operations

Overview

Under D:\3rd_prj\crypt\openssl-3.2.0\demos\pkcs12 there are 2 experiments (pkread.c, pkwrite.c), and both need a PKCS12 certificate.

But nothing in the scripts of the official demos/certs directory shows how to generate a P12 certificate.

After sorting out the openssl help documents, I found how a P12 certificate is generated.

So, an experiment first: generate the P12 certificate myself, for the experiments under \demos\pkcs12 to use.

Notes

There are 2 help documents on how to generate a P12 certificate:

file:///D:/my_dev/my_local_git_prj/study/openSSL/openssl-3.2.0_for_doc/doc/html/man1/CA.pl.html

file:///D:/my_dev/my_local_git_prj/study/openSSL/openssl-3.2.0_for_doc/doc/html/man1/openssl-pkcs12.html

The first one generates the P12 certificate with a perl script (CA.pl drives the openssl command line for you).

The second one shows how to operate on P12 certificates directly with the openssl command line.

/doc/html/man1/CA.pl.html

My own modified openssl entry point records the openssl command-line arguments, so what the official CA.pl does can be seen (and none of openssl's command lines are missed).

But CA.pl apparently shows the concrete arguments of every openssl command-line call in the UI anyway.

```bash
CA.pl -newca
CA.pl -newreq
CA.pl -sign
CA.pl -pkcs12 "My Test Certificate"
```

CA.pl -newca

This runs 2 openssl command lines:

```bash
openssl req -new -keyout ./demoCA/private/cakey.pem -out ./demoCA/careq.pem
# At CA.pl's "CA certificate filename (or enter to create)" prompt, just press Enter; anything else errors out.
# Then answer what the openssl UI asks for:
#   Enter PEM pass phrase = 111111   (passphrase protecting the new CA private key, cakey.pem)
#   A challenge password = 222222    (stored as an attribute of the request only; openssl ca never checks it)

openssl ca -create_serial -out ./demoCA/cacert.pem -days 1095 -batch -keyfile ./demoCA/private/cakey.pem -selfsign -extensions v3_ca -infiles ./demoCA/careq.pem
#   Enter pass phrase for ./demoCA/private/cakey.pem = 111111
#   This is the private-key passphrase entered when the CA was created (the "Enter PEM pass phrase" above);
#   a wrong one aborts with an error.
```
```bash
D:\my_dev\my_local_git_prj\study\openSSL\help_doc_exp\pkcs12\ca_opt_v1>perl CA.pl -newca
CA certificate filename (or enter to create)

Making CA certificate ...
====
c:\openssl_3d2\bin\openssl req  -new -keyout ./demoCA/private/cakey.pem -out ./demoCA/careq.pem
.+++++++++++++++++++++++++++++++++++++++*..+...+..+++++++++++++++++++++++++++++++++++++++*...   [RSA key-generation progress dots trimmed]   ...+.+.........+......+......+..............+.+........+.+...+..++++++
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:SX
Locality Name (eg, city) []:TY
Organization Name (eg, company) [Internet Widgits Pty Ltd]:KRGY
Organizational Unit Name (eg, section) []:RD
Common Name (e.g. server FQDN or YOUR name) []:MY_CA
Email Address []:test@sina.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:222222
An optional company name []:krgy
==> 0
====
====
c:\openssl_3d2\bin\openssl ca  -create_serial -out ./demoCA/cacert.pem -days 1095 -batch -keyfile ./demoCA/private/cakey.pem -selfsign -extensions v3_ca -infiles ./demoCA/careq.pem
Using configuration from C:\openssl_3d2\common\openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            04:ac:e1:ce:5b:5f:48:56:2c:45:92:46:fb:ed:ca:dc:0e:f2:4f:46
        Validity
            Not Before: Jan 31 10:44:29 2024 GMT
            Not After : Jan 30 10:44:29 2027 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = SX
            organizationName          = KRGY
            organizationalUnitName    = RD
            commonName                = MY_CA
            emailAddress              = test@sina.com
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                55:39:9F:AA:3D:85:10:C2:72:E4:16:0E:7A:E4:E3:9E:69:37:8C:13
            X509v3 Authority Key Identifier:
                55:39:9F:AA:3D:85:10:C2:72:E4:16:0E:7A:E4:E3:9E:69:37:8C:13
            X509v3 Basic Constraints: critical
                CA:TRUE
Certificate is to be certified until Jan 30 10:44:29 2027 GMT (1095 days)

Write out database with 1 new entries
Database updated
==> 0
====
CA certificate is in ./demoCA/cacert.pem

D:\my_dev\my_local_git_prj\study\openSSL\help_doc_exp\pkcs12\ca_opt_v1>
```

Note the Subject in "Certificate Details": the Locality entered at the prompt (TY) is gone. openssl ca filters the request DN through the policy section of openssl.cnf (policy_match by default), and any DN field the policy does not list is silently deleted. That is also why CA.pl -sign below passes -policy policy_anything.

CA.pl -newreq

```bash
openssl req -new -keyout newkey.pem -out newreq.pem -days 365
# newreq.pem is the request for a new certificate; the prompts are:
#   Enter PEM pass phrase = 333333   (passphrase protecting the new private key, newkey.pem)
#   A challenge password = 444444    (challenge password of the new request)
# -days has no effect on a request (openssl req only honours it with -x509); the validity
# is decided when the CA signs, from default_days in openssl.cnf or -days on openssl ca.
```

CA.pl -sign

```bash
openssl ca -policy policy_anything -out newcert.pem -infiles newreq.pem
# Enter pass phrase for ./demoCA/private/cakey.pem: 111111
```

Signing the certificate the CA issues needs only the CA private key's passphrase; neither the passphrase of the request's key (333333) nor the challenge password (444444) is asked for.

CA.pl -pkcs12 "My Test Certificate"

```bash
openssl pkcs12 -in newcert.pem -inkey newkey.pem -certfile ./demoCA/cacert.pem -out newcert.p12 -export -name "My Test Certificate"
# (the argument logger prints each argv word unquoted; typed into a shell, the friendly name must be quoted as above)
# Enter pass phrase for newkey.pem: 333333   whichever certificate is exported, the passphrase of that certificate's private key is needed
# Enter Export Password: 555555             a new export password for the produced P12; the same password is asked for as "Import Password" when the file is read back
```
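The four CA.pl steps above, replayed without CA.pl as one non-interactive script, followed by a check of the resulting bundle. This is example code added to this page, not CA.pl and not part of OpenSSL. It assumes OpenSSL 3.x, a scratch directory ./p12_demo, a minimal config file ca.cnf that stands in for demoCA/ plus openssl.cnf (section names demo_ca, policy_anything, v3_ca, usr_cert are mine), the DN values and passphrases used above, and goes beyond the page by using -batch/-subj/-passin/-passout instead of prompts. Passing secrets as pass:... exposes them in the process list; use -passin file:... or env:... outside a scratch experiment.

```bash
#!/bin/sh
# Non-interactive equivalent of "CA.pl -newca / -newreq / -sign / -pkcs12".
# Added example; not CA.pl, not OpenSSL code. Work directory, DNs, section
# names and passphrases are assumptions (the passphrases are the ones above).
set -e
WORK="${WORK:-./p12_demo}"
CA_PASS=111111      # CA private-key passphrase
KEY_PASS=333333     # end-entity private-key passphrase
P12_PASS=555555     # P12 export password (asked for as Import Password later)

write_cnf() {
  # Minimal config for "openssl ca": the role demoCA/ + openssl.cnf play for CA.pl.
  cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir = ./demoCA
database = $dir/index.txt
new_certs_dir = $dir/newcerts
serial = $dir/serial
certificate = $dir/cacert.pem
private_key = $dir/private/cakey.pem
default_md = sha256
default_days = 365
policy = policy_anything
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req ]
distinguished_name = req_dn
[ req_dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical,CA:TRUE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
[ usr_cert ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
EOF
}

make_p12() {
  mkdir -p "$WORK/demoCA/private" "$WORK/demoCA/newcerts"
  cd "$WORK" && write_cnf && : > demoCA/index.txt
  # CA.pl -newca: request for the CA key, then self-sign it with "openssl ca"
  openssl req -new -newkey rsa:2048 -config ca.cnf -batch \
    -subj "/C=CN/ST=SX/L=TY/O=KRGY/OU=RD/CN=MY_CA" -passout pass:$CA_PASS \
    -keyout demoCA/private/cakey.pem -out demoCA/careq.pem
  openssl ca -config ca.cnf -batch -create_serial -selfsign -extensions v3_ca -days 1095 \
    -keyfile demoCA/private/cakey.pem -passin pass:$CA_PASS \
    -out demoCA/cacert.pem -infiles demoCA/careq.pem
  # CA.pl -newreq: end-entity key + request (-days is pointless on a request, so omitted)
  openssl req -new -newkey rsa:2048 -config ca.cnf -batch \
    -subj "/C=CN/O=KRGY/CN=My Test Certificate" -passout pass:$KEY_PASS \
    -keyout newkey.pem -out newreq.pem
  # CA.pl -sign: only the CA key passphrase is needed here
  openssl ca -config ca.cnf -batch -policy policy_anything -extensions usr_cert \
    -passin pass:$CA_PASS -out newcert.pem -infiles newreq.pem
  # CA.pl -pkcs12: cert + its key + CA cert in one bundle; the friendly name needs quoting
  openssl pkcs12 -export -in newcert.pem -inkey newkey.pem -certfile demoCA/cacert.pem \
    -name "My Test Certificate" -passin pass:$KEY_PASS -passout pass:$P12_PASS -out newcert.p12
  cd - >/dev/null
}

# Returns 0 only if the bundle opens with the export password, the key inside
# matches the certificate, and the certificate chains to the CA.
check_p12() {
  p12="$WORK/newcert.p12"
  openssl pkcs12 -in "$p12" -passin pass:$P12_PASS -info -noout >/dev/null 2>&1 || return 1
  cert_pub=$(openssl pkcs12 -in "$p12" -passin pass:$P12_PASS -clcerts -nokeys 2>/dev/null | openssl x509 -noout -pubkey)
  key_pub=$(openssl pkcs12 -in "$p12" -passin pass:$P12_PASS -nocerts -noenc 2>/dev/null | openssl pkey -pubout)
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ] || return 1
  openssl pkcs12 -in "$p12" -passin pass:$P12_PASS -clcerts -nokeys 2>/dev/null \
    | openssl verify -CAfile "$WORK/demoCA/cacert.pem" >/dev/null 2>&1
}

case "${1:-}" in run) make_p12 && check_p12 && echo "$WORK/newcert.p12 OK" ;; esac
```

Run it as `sh make_p12.sh run`; newcert.p12, newcert.pem, newkey.pem and demoCA/cacert.pem land in ./p12_demo, ready for the pkread.c/pkwrite.c demos with import password 555555. The check is the one a practitioner wants before handing a bundle out: a P12 is only a container, so nothing stops you from exporting a key next to the wrong certificate, and -certfile is the only thing that puts the CA certificate in the bundle at all.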

/doc/html/man1/openssl-pkcs12.html

```bash
# Parse a PKCS#12 file and output it to a PEM file:
openssl pkcs12 -in file.p12 -out file.pem
# Output only client certificates to a file:
openssl pkcs12 -in file.p12 -clcerts -out file.pem
# Don't encrypt the private key:
openssl pkcs12 -in file.p12 -out file.pem -noenc
# Print some info about a PKCS#12 file:
openssl pkcs12 -in file.p12 -info -noout
# Print some info about a PKCS#12 file in legacy mode:
openssl pkcs12 -in file.p12 -info -noout -legacy
# Create a PKCS#12 file from a PEM file that may contain a key and certificates:
openssl pkcs12 -export -in file.pem -out file.p12 -name "My PSE"
# Include some extra certificates:
openssl pkcs12 -export -in file.pem -out file.p12 -name "My PSE" \
  -certfile othercerts.pem
# Export a PKCS#12 file with data from a certificate PEM file and from a further PEM file containing a key, with default algorithms as in the legacy provider:
openssl pkcs12 -export -in cert.pem -inkey key.pem -out file.p12 -legacy
```
Trying each example from file:///D:/my_dev/my_local_git_prj/study/openSSL/openssl-3.2.0_for_doc/doc/html/man1/openssl-pkcs12.html against the P12 made above:

```bash
# Parse a PKCS#12 file and output it to a PEM file:
# (copy \help_doc_exp\pkcs12\ca_opt\newcert.p12 over and rename it file.p12)
openssl pkcs12 -in file.p12 -out file.pem
# Enter Import Password: 555555   the Import Password for reading a P12 is the Export Password given when it was created
# Enter PEM pass phrase: 666666   a new passphrase for the private key that is written into file.pem

# Output only client certificates to a file:
openssl pkcs12 -in file.p12 -clcerts -out file1.pem
# Enter Import Password: 555555
# Enter PEM pass phrase: 777777   passphrase for the key written into file1.pem
# (-clcerts leaves out the CA certificate, not the key; add -nokeys to get certificates only)

# Don't encrypt the private key:
openssl pkcs12 -in file.p12 -out file2.pem -noenc
# Asks only for the P12's export password, 555555
# Because the key is not re-encrypted, no PEM passphrase is requested;
# file2.pem now holds the private key in plaintext, so guard it or delete it afterwards

# Print some info about a PKCS#12 file:
openssl pkcs12 -in file.p12 -info -noout
# Asks only for the P12's export password, 555555

# Print some info about a PKCS#12 file in legacy mode:
openssl pkcs12 -in file.p12 -info -noout -legacy
# Same output as without -legacy.
# (This file was written by OpenSSL 3.2 with its defaults, AES-256-CBC under PBKDF2, which the default
# provider handles; -legacy only matters for bundles encrypted with legacy-provider ciphers such as RC2-40.)

# Create a PKCS#12 file from a PEM file that may contain a key and certificates:
openssl pkcs12 -export -in file.pem -out file_pem_exp.p12 -name "My PSE"
# Needs file.pem's passphrase (666666) and an export password for the new file_pem_exp.p12 (set to 888888)

# Include some extra certificates:
# openssl pkcs12 -export -in file.pem -out file_pem_exp1.p12 -name "My PSE" -certfile othercerts.pem
openssl pkcs12 -export -in file.pem -out file_pem_exp1.p12 -name "My PSE" -certfile file2.pem
# Needs file.pem's passphrase (666666) and an export password for file_pem_exp1.p12 (set to 999999)
# (-certfile reads only the certificates out of file2.pem; the plaintext key in it is ignored here but still sits on disk)

# Export a PKCS#12 file with data from a certificate PEM file and from a further PEM file containing a key,
# with default algorithms as in the legacy provider:
# openssl pkcs12 -export -in cert.pem -inkey key.pem -out file.p12 -legacy
# (copy the newcert.pem and newkey.pem produced by the CA experiment above for this test)
openssl pkcs12 -export -in newcert.pem -inkey newkey.pem -out file_newcert_export.p12 -legacy
# Enter pass phrase for newkey.pem: 333333   (the passphrase given when CA.pl created newkey.pem)
# Enter Export Password: 998888              (export password for the produced P12, file_newcert_export.p12)
```
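What -legacy actually changes is not visible when reading a modern file, as in the -info experiment above, but it is visible in the file that -export -legacy writes. The script below, an example added to this page and not taken from the man page, exports the same key and certificate twice, once with OpenSSL 3 defaults and once with -legacy, and prints the algorithm lines of pkcs12 -info for each. It assumes OpenSSL 3.x with the legacy provider module installed, a scratch directory ./p12_alg_demo, a throwaway self-signed certificate and the password 555555; the file names are mine.

```bash
#!/bin/sh
# Added example, not from the openssl man page: compare the algorithms inside a
# default export and a "-legacy" export. Work directory, file names, password
# and the throwaway self-signed certificate are assumptions.
set -e
WORK="${WORK:-./p12_alg_demo}"
PASS=555555                       # export/import password (constructed)

make_both() {
  mkdir -p "$WORK" && cd "$WORK"
  printf '[req]\ndistinguished_name=dn\n[dn]\ncommonName=Common Name\n' > req.cnf
  # throwaway key + self-signed cert; no CA is needed for this comparison
  openssl req -x509 -newkey rsa:2048 -noenc -keyout key.pem -out cert.pem \
    -days 1 -subj "/CN=alg-demo" -config req.cnf 2>/dev/null
  # OpenSSL 3 defaults: AES-256-CBC under PBES2/PBKDF2 for both bags, SHA-256 MAC
  openssl pkcs12 -export -in cert.pem -inkey key.pem -passout pass:$PASS -out modern.p12
  # -legacy loads the legacy provider and uses the pre-3.0 defaults: RC2-40 (or 3DES
  # when RC2 is compiled out) for the certificate bag, 3DES for the key bag, SHA-1 MAC.
  # Only for consumers that cannot read PBES2; everything here is weaker.
  openssl pkcs12 -export -in cert.pem -inkey key.pem -passout pass:$PASS -out legacy.p12 -legacy
  cd - >/dev/null
}

# Algorithm summary of a P12. "pkcs12 -info" writes it to stderr, so merge the streams.
# $1 = file, $2 = extra flags (pass -legacy to read an RC2-encrypted bundle)
p12_algs() {
  openssl pkcs12 -in "$1" -passin pass:$PASS -info -noout $2 2>&1 \
    | grep -E 'MAC|Encrypted data|Keybag|Key bag'
}

case "${1:-}" in
  run) make_both; p12_algs "$WORK/modern.p12"; p12_algs "$WORK/legacy.p12" -legacy ;;
esac
```

Run it as `sh p12_algs.sh run`. Reading legacy.p12 without -legacy only fails when the certificate bag is RC2-40-encrypted (RC2 lives in the legacy provider); 3DES is still in the default provider, so a -legacy export from a build without RC2 reads back silently, which is why checking the -info output is the reliable test rather than whether the file opens.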

Remarks

Now that I have a P12 certificate of my own and know its password, the official PKCS12 C project experiments can be done.

Lucky today: going through the sorted official help files in alphabetical order, I found the official description of how to generate a P12 certificate after only 4 or 5 files.

END
