openssl3.2 - helpdoc - P12证书操作

文章目录

openssl3.2 - helpdoc - P12证书操作

概述

D:\3rd_prj\crypt\openssl-3.2.0\demos\pkcs12目录下, 有2个实验(pkread.c, pkwrite.c), 需要PKCS12的证书.

但是官方给的demos/certs目录的脚本中, 并没有看到如何生成P12证书.

现在将openssl帮助文档整理出来后, 找到了如何生成P12证书.

做个实验先, 自己将P12证书生成出来, 给\demos\pkcs12目录下的实验用.

笔记

如何生成P12证书的帮助文档有2个

file:///D:/my_dev/my_local_git_prj/study/openSSL/openssl-3.2.0_for_doc/doc/html/man1/CA.pl.html

file:///D:/my_dev/my_local_git_prj/study/openSSL/openssl-3.2.0_for_doc/doc/html/man1/openssl-pkcs12.html

前面一个是用perl脚本来生成P12证书.

后面一个是如何用openssl命令行来操作P12证书.

/doc/html/man1/CA.pl.html

我自己改的openssl入口可以将openssl命令行参数记录下来, 官方调用CA.pl干的活就能看到了(而且不会遗漏openssl的命令行).

不过这个CA.pl好像每个调用openssl命令行的具体参数从UI上都看得到.

bash 复制代码
 CA.pl -newca
 CA.pl -newreq
 CA.pl -sign
 CA.pl -pkcs12 "My Test Certificate"

CA.pl -newca

执行了2句openssl命令行

bash 复制代码
openssl req -new -keyout ./demoCA/private/cakey.pem -out ./demoCA/careq.pem 
// CA certificate filename (or enter to create) 时, 回车, 别的不行(报错)
然后输入opensslUI提出的内容.


openssl ca -create_serial -out ./demoCA/cacert.pem -days 1095 -batch -keyfile ./demoCA/private/cakey.pem -selfsign -extensions v3_ca -infiles ./demoCA/careq.pem 

// Enter PEM pass phrase = 111111
A challenge password = 222222
Enter pass phrase for ./demoCA/private/cakey.pem = 111111 // 这个口令就是第一次建立CA时要求输入的私钥口令(Enter PEM pass phrase), 如果输入错误, 就报错结束了
bash 复制代码
D:\my_dev\my_local_git_prj\study\openSSL\help_doc_exp\pkcs12\ca_opt_v1>perl CA.pl -newca
CA certificate filename (or enter to create)

Making CA certificate ...
====
c:\openssl_3d2\bin\openssl req  -new -keyout ./demoCA/private/cakey.pem -out ./demoCA/careq.pem
.+++++++++++++++++++++++++++++++++++++++*..+...+..+++++++++++++++++++++++++++++++++++++++*...+...+.....+....+......+..+....+........+.+......+........+...+....+.....+.........+.+.....+.+..+.+.........+...+.....+...............+...+....+.................+.........+..........+..+...+......+.+........+......+.+.................+.......+...........+............+.+..+.......+..+......+..........+........+....+......+......+.....+.+...+.................+.......+..+.+...+..+.........+.+..+..........+.....+.+..+...+.+.......................+......+.........+.............+..+...+...+.+..............+....+...+..+.+..+.......+.....+.+.....+....+...+.....+.............+....................+......+.+..+......+......+....+...............+...........+..........+...+........+.........+.+...............+..+......+.......+..+.......+.....+......+.............+...........+...+......+....+...+.....+...+......+..........+......+.........+.....+...+..........+..+......+.........+.............+...............+...+.....+.......+...+...+............+..+.+..+...+....+...+..+.......+...........+...+............+....+.....+....+..+....+...+............+.........+......+.....+...+..........+.....+................+.....+......+..........+.....+....+..+.......+...........+.+.........+......+......+..............+.+........+.+...+.......................+..................+.+........+.+.....+.+...+......+.....+............+...+.+.....+.+........+....+..+.+...............+.....+............+.+..+............+.......+...+.....+.......+.....+....+.....+......+...+.......+...+......+..+...+....+..+....+..+..................+.......+...+...............+.....+.+......+..+.......+.....+...+...+..........+..................+..+....+........+...+...+.+...+.....+..........+.....+.+......+.....+.+..+.+..+.........+...............+....+..+.............+......+...+..+.........+.......+...............+...+.................+...+......+..........+...+...........+.........+.+..+....+........+.+.........+...+.....+....+.....+.+..+.............+........+.+...+..................+...+...............+..+.........+..................+............+..................+.+..+...+....+...+.....+...+..........+.....+......+..................+.......+...+............+.....+.+..................+..+...+.+...+...........+.++++++
...+...+.+.........+.....+.+......+...+.....+.......+.....+++++++++++++++++++++++++++++++++++++++*....+......+...+.+...+...+...+...........+++++++++++++++++++++++++++++++++++++++*.......+..+...................+..+...+.......+...+............+...+......+...............+...+..+.+...+..+.......+..........................+....+...+...+......+.....+.........+.........+.+....................+.+.........+...........+.+.....+......................+.....+.+..+...+.+...+..+.+........+.........+..........+........+...+.+......+...+...........+....+..+.........+....+..+.......+...+........+..........+...............+.........+.....+...++++++
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:SX
Locality Name (eg, city) []:TY
Organization Name (eg, company) [Internet Widgits Pty Ltd]:KRGY
Organizational Unit Name (eg, section) []:RD
Common Name (e.g. server FQDN or YOUR name) []:MY_CA
Email Address []:test@sina.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:222222
An optional company name []:krgy
==> 0
====
====
c:\openssl_3d2\bin\openssl ca  -create_serial -out ./demoCA/cacert.pem -days 1095 -batch -keyfile ./demoCA/private/cakey.pem -selfsign -extensions v3_ca -infiles ./demoCA/careq.pem
Using configuration from C:\openssl_3d2\common\openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            04:ac:e1:ce:5b:5f:48:56:2c:45:92:46:fb:ed:ca:dc:0e:f2:4f:46
        Validity
            Not Before: Jan 31 10:44:29 2024 GMT
            Not After : Jan 30 10:44:29 2027 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = SX
            organizationName          = KRGY
            organizationalUnitName    = RD
            commonName                = MY_CA
            emailAddress              = test@sina.com
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                55:39:9F:AA:3D:85:10:C2:72:E4:16:0E:7A:E4:E3:9E:69:37:8C:13
            X509v3 Authority Key Identifier:
                55:39:9F:AA:3D:85:10:C2:72:E4:16:0E:7A:E4:E3:9E:69:37:8C:13
            X509v3 Basic Constraints: critical
                CA:TRUE
Certificate is to be certified until Jan 30 10:44:29 2027 GMT (1095 days)

Write out database with 1 new entries
Database updated
==> 0
====
CA certificate is in ./demoCA/cacert.pem

D:\my_dev\my_local_git_prj\study\openSSL\help_doc_exp\pkcs12\ca_opt_v1>

CA.pl -newreq

bash 复制代码
openssl req -new -keyout newkey.pem -out newreq.pem -days 365 

// newreq.pem
Enter PEM pass phrase = 333333, 这是建立一张新的证书, 给的是要做的新证书的口令
A challenge password = 444444, 新作的证书的挑战口令

CA.pl -sign

bash 复制代码
openssl ca -policy policy_anything -out newcert.pem -infiles newreq.pem 

Enter pass phrase for ./demoCA/private/cakey.pem: 111111
对CA签发出的证书签名时, 只需要CA私钥的key密码

CA.pl -pkcs12 "My Test Certificate"

bash 复制代码
openssl pkcs12 -in newcert.pem -inkey newkey.pem -certfile ./demoCA/cacert.pem -out newcert.p12 -export -name My Test Certificate 

Enter pass phrase for newkey.pem: 333333 // 对哪张证书导出P12, 就需要哪张私钥证书的密码.
Enter Export Password:555555 // 对签发出的P12证书设置新的导出口令

/doc/html/man1/openssl-pkcs12.html

bash 复制代码
Parse a PKCS#12 file and output it to a PEM file:

 openssl pkcs12 -in file.p12 -out file.pem
Output only client certificates to a file:

 openssl pkcs12 -in file.p12 -clcerts -out file.pem
Don't encrypt the private key:

 openssl pkcs12 -in file.p12 -out file.pem -noenc
Print some info about a PKCS#12 file:

 openssl pkcs12 -in file.p12 -info -noout
Print some info about a PKCS#12 file in legacy mode:

 openssl pkcs12 -in file.p12 -info -noout -legacy
Create a PKCS#12 file from a PEM file that may contain a key and certificates:

 openssl pkcs12 -export -in file.pem -out file.p12 -name "My PSE"
Include some extra certificates:

 openssl pkcs12 -export -in file.pem -out file.p12 -name "My PSE" \
  -certfile othercerts.pem
Export a PKCS#12 file with data from a certificate PEM file and from a further PEM file containing a key, with default algorithms as in the legacy provider:

 openssl pkcs12 -export -in cert.pem -inkey key.pem -out file.p12 -legacy
bash 复制代码
file:///D:/my_dev/my_local_git_prj/study/openSSL/openssl-3.2.0_for_doc/doc/html/man1/openssl-pkcs12.html

Parse a PKCS#12 file and output it to a PEM file:

// 将 \help_doc_exp\pkcs12\ca_opt\newcert.p12 拷贝过来, 改名为file.p12
openssl pkcs12 -in file.p12 -out file.pem
Enter Import Password: 
导入密码为555555(操作P12证书时的导入密码, 就是前面签发P12证书时的导出密码)
Enter PEM pass phrase: 666666 设置导出的证书(file.pem)的密码, 这个是新的密码.

Output only client certificates to a file:

 openssl pkcs12 -in file.p12 -clcerts -out file1.pem
Enter Import Password: 555555
Enter PEM pass phrase: 777777 // 导出的新证书(file1.pem)的密码

Don't encrypt the private key:

 openssl pkcs12 -in file.p12 -out file2.pem -noenc
// 要求导出密码, 也是P12证书的导出密码555555
// 因为不用加密, 所以只要输入的P12证书的导出密码就够了


Print some info about a PKCS#12 file:

 openssl pkcs12 -in file.p12 -info -noout
// 要求导出密码, 也是P12证书的导出密码555555

Print some info about a PKCS#12 file in legacy mode:

 openssl pkcs12 -in file.p12 -info -noout -legacy
// 和不带 -legacy的输出是一样的

Create a PKCS#12 file from a PEM file that may contain a key and certificates:

 openssl pkcs12 -export -in file.pem -out file_pem_exp.p12 -name "My PSE"
// 需要file.pem的口令(666666)和导出口令(导出的file_pem_exp.p12的导出口令, 新设置的导出口令为888888)

Include some extra certificates:

 // openssl pkcs12 -export -in file.pem -out file_pem_exp1.p12 -name "My PSE" -certfile othercerts.pem
openssl pkcs12 -export -in file.pem -out file_pem_exp1.p12 -name "My PSE" -certfile file2.pem
// 需要file.pem的口令(666666), 导出口令(针对 file_pem_exp1.p12设置新的导出口令999999)

Export a PKCS#12 file with data from a certificate PEM file and from a further PEM file containing a key, with default algorithms as in the legacy provider:

 // openssl pkcs12 -export -in cert.pem -inkey key.pem -out file.p12 -legacy
// 将上一个CA实现生成的 newcert.pem和newkey.pem拷贝过来实验
openssl pkcs12 -export -in newcert.pem -inkey newkey.pem -out file_newcert_export.p12 -legacy
Enter pass phrase for newkey.pem 333333(CA做newkey.pem时, 指定的口令是333333)
Enter Export Password: 998888 (设置导出的P12证书(file.p12)的导出口令)

备注

现在有了自己做的P12证书, P12证书的口令也知道了, 就可以做官方给的PKCS12的C工程实验了.

今天运气还挺好, 按照字母序翻看整理好的官方帮助文件, 才看了4,5个帮助文件, 就找到了官方如何生成P12证书的说明.

END

相关推荐
许野平8 天前
OpenSSL:生成 DER 格式的 RSA 密钥对
服务器·网络·openssl·rsa·pem·der
Xnah_9 天前
ubuntu 20.4 安装 openssl 3.x
ubuntu·openssl
redwingz15 天前
openssl签名报错
openssl·random
Anlige25 天前
PHP实现OPENSSL的EVP_BytesToKey
开发语言·php·openssl·evp
cooldream20091 个月前
升级 OpenSSL 的详细步骤(解决 SSH 漏洞的前提)
运维·ssh·openssl
年薪丰厚1 个月前
如何手动安装libcrypto.so.10和libssl.so.10这两个库?
openssl·libcrypto.so.10·libssl.so.10
恋喵大鲤鱼2 个月前
openssl(1) command
openssl
pzs02212 个月前
openssl的使用
openssl
小亦小亦_空中接力2 个月前
openssl+keepalived安装部署
openssl·keepalived
摸鱼手会滑2 个月前
源码编译安装python3.12没有ssl模块,python3.12 ModuleNotFoundError: No module named ‘_ssl‘
ssl·openssl·python3