x509命令和CA命令都能以CA身份給客戶簽發(fā)證書，本文介紹前者，CA命令的用法見另一篇博文。

創(chuàng)新互聯(lián)堅(jiān)持“要么做到，要么別承諾”的工作理念，服務(wù)領(lǐng)域包括：成都網(wǎng)站建設(shè)、成都網(wǎng)站設(shè)計(jì)、企業(yè)官網(wǎng)、英文網(wǎng)站、手機(jī)端網(wǎng)站、網(wǎng)站推廣等服務(wù)，滿足客戶于互聯(lián)網(wǎng)時(shí)代的儋州網(wǎng)站設(shè)計(jì)、移動(dòng)媒體設(shè)計(jì)的需求，幫助企業(yè)找到有效的互聯(lián)網(wǎng)解決方案。努力成為您成熟可靠的網(wǎng)絡(luò)建設(shè)合作伙伴！

當(dāng)使用-CA infile選項(xiàng)時(shí)，x509命令的行為就像是一個(gè)“迷你CA”，對(duì)輸入的文件進(jìn)行簽名，它不像CA命令那樣需要預(yù)先建立配置文件定義的目錄結(jié)構(gòu)，也不把曾經(jīng)簽署的證書信息寫入數(shù)據(jù)庫，使用上相對(duì)方便一些。

把openssl.exe所在文件夾加入PATH環(huán)境變量，就可以在任何位置執(zhí)行批處理（不建議安裝于C盤，因?yàn)樵谏晌募倪^程中可能會(huì)遇到的權(quán)限問題）。

為了防止瀏覽器彈出“沒有主題備用名稱”的警告信息，需要將配置文件"C:\Program Files\OpenSSL-Win64\bin\cnf\openssl.cnf"拷貝兩份到D盤根目錄，分別改名為01.ext和02.ext，在01.ext的[usr_cert]一節(jié)添加subjectAltName = DNS:host1，在02.ext的[usr_cert]一節(jié)添加subjectAltName = DNS:host2，請(qǐng)確保這兩個(gè)文件存在。

復(fù)制下列代碼粘貼到DOS窗口執(zhí)行即可，或者保存為批處理文件，注意倒數(shù)第一行需要打回車。為了保證干凈的實(shí)驗(yàn)環(huán)境，每次執(zhí)行都會(huì)先刪除之前建立的目錄然后重建，所以不要在這些目錄里保存重要資料。切記！

OpenSSL版本號(hào)為Windows版1.1.1c ?28 May 2019。

用x509命令簽發(fā)證書

根CA簽發(fā)

實(shí)驗(yàn)場景：先建立根CA：RCA，再由RCA簽發(fā)主機(jī)HOST1和HOST2的證書

批處理在D盤下建立目錄RCA、HOST1、HOST2，各目錄存放的文件顧名思義，其中RCA保留曾簽發(fā)的所有證書的備份。

::?根CA簽發(fā)
::?刪除之前所有的文件
d:&cd\&rd/s/q?host1&rd/s/q?host2&rd/s/q?rca&md?host1&md?host2&md?rca&cd?rca
?
::?生成自簽名的根證書，私鑰和公鑰：
openssl?req?-x509?-newkey?rsa:8192?-keyout?rca.key?-out?rca.cer?-days?3650?-subj?/C=CN/ST=jiangsu/L=nanjing/O=Tiger/OU=CA-R/CN=RCA/emailAddress=ca@tiger.com?-passout?pass:abcd
openssl?rsa?-in?rca.key?-pubout?-out?rca.pub?-passin?pass:abcd
?
::?把RCA的證書和公鑰拷貝到HOST1和HOST2
copy?rca.pub?d:\host1&copy?rca.cer?d:\host1&copy?rca.pub?d:\host2&copy?rca.cer?d:\host2
?
::?生成host1與host2的證書請(qǐng)求、私鑰和公鑰
openssl?req?-newkey?rsa:8192?-keyout?host1.key?-out?host1.csr?-subj?/C=CN/ST=guangdong/L=shenzhen/O=SUN/OU=Office-1/CN=host1??-addext?"subjectAltName?=?DNS:host1"?-passout?pass:abcd
openssl?req?-newkey?rsa:8192?-keyout?host2.key?-out?host2.csr?-subj?/C=CN/ST=guangdong/L=shenzhen/O=SUN/OU=Office-2/CN=host2??-addext?"subjectAltName?=?DNS:host2"?-passout?pass:abcd
openssl?rsa?-in?host1.key?-pubout?-out?host1.pub?-passin?pass:abcd
openssl?rsa?-in?host2.key?-pubout?-out?host2.pub?-passin?pass:abcd
?
::?用RCA的私鑰簽署用戶請(qǐng)求
Openssl?x509?-req?-days?1095?-in?host1.csr?-CA?rca.cer?-CAkey?rca.key?-out?host1.cer?-CAcreateserial?-passin?pass:abcd?-extfile?"d:\01.ext"?-extensions?usr_cert
Openssl?x509?-req?-days?1095?-in?host2.csr?-CA?rca.cer?-CAkey?rca.key?-out?host2.cer?-CAcreateserial?-passin?pass:abcd?-extfile?"d:\02.ext"?-extensions?usr_cert
?
::?把HOST1和HOST2的所屬文件拷貝到對(duì)應(yīng)目錄
copy?host1.*?d:\host1&copy?host2.*?d:\host2
?
::?驗(yàn)證證書鏈
openssl?verify?-show_chain?-CAfile?rca.cer?host1.cer
openssl?verify?-show_chain?-CAfile?rca.cer?host2.cer
openssl?x509?-in?rca.cer?-noout?-text|find?"CA:TRUE"
openssl?x509?-in?host1.cer?-noout?-text|find?"CA:TRUE"
openssl?x509?-in?host2.cer?-noout?-text|find?"CA:TRUE"

二級(jí)CA簽發(fā)

根CA：CA1

中間CA：CA2

CA1簽發(fā)CA2的證書，CA2給HOST1和HOST2簽發(fā)證書。

批處理在D盤根目錄下建立目錄CA1、CA2、HOST1、HOST2，各目錄存放的文件顧名思義，其中CA2保留曾簽發(fā)的所有證書的備份。

::?二級(jí)CA簽發(fā)
::?刪除之前所有的文件
d:&cd\&rd/s/q?host1&rd/s/q?host2&rd/s/q?ca1&rd/s/q?ca2&md?host1&md?host2&md?ca1&md?ca2&cd?ca1
?
::?生成自簽名的CA1根證書、私鑰和公鑰：
openssl?req?-x509?-newkey?rsa:8192?-keyout?ca1.key?-out?ca1.cer?-days?3650?-subj?/C=CN/ST=jiangsu/L=nanjing/O=Tiger/OU=CA-1/CN=CA1/emailAddress=ca1@tiger.com?-passout?pass:abcd
openssl?rsa?-in?ca1.key?-pubout?-out?ca1.pub?-passin?pass:abcd
?
::?把CA1的證書和公鑰拷貝到CA2，HOST1和HOST2
copy?ca1.cer?d:\host1&copy?ca1.pub?d:\host1&copy?ca1.cer?d:\host2&copy?ca1.pub?d:\host2&copy?ca1.cer?d:\ca2&copy?ca1.pub?d:\ca2
?
::?生成CA2的請(qǐng)求，私鑰和公鑰
openssl?req?-newkey?rsa:8192?-keyout?ca2.key?-out?ca2.csr?-subj?/C=CN/ST=jiangsu/L=nanjing/O=Tiger/OU=CA-2/CN=CA2/emailAddress=ca2@tiger.com?-passout?pass:abcd
openssl?rsa?-in?ca2.key?-pubout?-out?ca2.pub?-passin?pass:abcd
?
::?用CA1的私鑰簽署CA2的請(qǐng)求
Openssl?x509?-req?-days?1095?-in?ca2.csr?-CA?ca1.cer?-CAkey?ca1.key?-out?ca2.cer?-days?3650?-passin?pass:abcd?-extfile?"C:\Program?Files\OpenSSL-Win64\bin\cnf\openssl.cnf"?-extensions?v3_ca?-CAcreateserial
?
::?把CA2的證書和公鑰拷貝到HOST1和HOST2，把CA2所屬文件都拷貝到CA2
copy?ca2.cer?d:\host1&copy?ca2.pub?d:\host1&copy?ca2.cer?d:\host2&copy?ca2.pub?d:\host2&copy?ca2.*?\ca2&cd\ca2
?
::?生成HOST1與HOST2的證書請(qǐng)求、私鑰和公鑰
openssl?req?-newkey?rsa:8192?-keyout?host1.key?-out?host1.csr?-subj?/C=CN/ST=guangdong/L=shenzhen/O=SUN/OU=Office-1/CN=host1?-addext?"subjectAltName?=?DNS:host1"?-passout?pass:abcd
openssl?req?-newkey?rsa:8192?-keyout?host2.key?-out?host2.csr?-subj?/C=CN/ST=guangdong/L=shenzhen/O=SUN/OU=Office-2/CN=host2?-addext?"subjectAltName?=?DNS:host2"?-passout?pass:abcd
openssl?rsa?-in?host1.key?-pubout?-out?host1.pub?-passin?pass:abcd
openssl?rsa?-in?host2.key?-pubout?-out?host2.pub?-passin?pass:abcd
?
::?用CA2的私鑰簽署用戶證書：
Openssl?x509?-req?-days?1095?-in?host1.csr?-CA?ca2.cer?-CAkey?ca2.key?-out?host1.cer?-days?3650?-passin?pass:abcd?-CAcreateserial??-extfile?"d:\01.ext"?-extensions?usr_cert
Openssl?x509?-req?-days?1095?-in?host2.csr?-CA?ca2.cer?-CAkey?ca2.key?-out?host2.cer?-days?3650?-passin?pass:abcd?-CAcreateserial??-extfile?"d:\02.ext"?-extensions?usr_cert
echo?把HOST1和HOST2的所有文件拷貝到對(duì)應(yīng)目錄
copy?host1.*?d:\host1&copy?host2.*?d:\host2
?
::?驗(yàn)證證書鏈
copy?ca2.cer+ca1.cer?ca-chain.cer
openssl?verify?-show_chain?-CAfile?ca-chain.cer?host1.cer
openssl?verify?-show_chain?-CAfile?ca-chain.cer?host2.cer
openssl?x509?-in?ca1.cer?-noout?-text|find?"CA:TRUE"
openssl?x509?-in?ca2.cer?-noout?-text|find?"CA:TRUE"
openssl?x509?-in?host1.cer?-noout?-text|find?"CA:TRUE"
openssl?x509?-in?host2.cer?-noout?-text|find?"CA:TRUE"

三級(jí)CA簽發(fā)

根CA：CA1

中間CA：CA2，CA3

CA1簽發(fā)CA2的證書，CA2簽發(fā)CA3的證書，CA3給HOST1和HOST2簽發(fā)證書。

批處理在D盤根目錄下建立目錄CA1、CA2、CA3、HOST1、HOST2，各目錄存放的文件顧名思義，其中CA3保留曾簽發(fā)的所有證書的備份。

::?三級(jí)CA簽發(fā)
::?刪除之前所有的文件
d:&cd\&rd/s/q?host1&rd/s/q?host2&rd/s/q?ca1&rd/s/q?ca2&rd/s/q?ca3&md?host1&md?host2&md?ca1&md?ca2&md?ca3&cd?ca1
?
::?生成自簽名的CA1根證書、私鑰和公鑰：
openssl?req?-x509?-newkey?rsa:8192?-keyout?ca1.key?-out?ca1.cer?-days?3650?-subj?/C=CN/ST=jiangsu/L=nanjing/O=Tiger/OU=CA-1/CN=CA1/emailAddress=ca1@tiger.com?-passout?pass:abcd
openssl?rsa?-in?ca1.key?-pubout?-out?ca1.pub?-passin?pass:abcd
?
::?把CA1的證書和公鑰拷貝到CA2，CA3，HOST1，HOST2
copy?ca1.cer?d:\ca2&copy?ca1.pub?d:\ca2&copy?ca1.cer?d:\ca3&copy?ca1.pub?d:\ca3&copy?ca1.cer?d:\host1&copy?ca1.pub?d:\host1&copy?ca1.cer?d:\host2&copy?ca1.pub?d:\host2
?
::?生成CA2的請(qǐng)求，私鑰和公鑰
openssl?req?-newkey?rsa:8192?-keyout?ca2.key?-out?ca2.csr?-subj?/C=CN/ST=jiangsu/L=nanjing/O=Tiger/OU=CA-2/CN=CA2/emailAddress=ca2@tiger.com?-passout?pass:abcd
openssl?rsa?-in?ca2.key?-pubout?-out?ca2.pub?-passin?pass:abcd
?
::?用CA1的私鑰簽署CA2的請(qǐng)求
Openssl?x509?-req?-days?1095?-in?ca2.csr?-CA?ca1.cer?-CAkey?ca1.key?-out?ca2.cer?-days?3650?-passin?pass:abcd?-extfile?"C:\Program?Files\OpenSSL-Win64\bin\cnf\openssl.cnf"?-extensions?v3_ca?-CAcreateserial
?
::?把CA2的證書和公鑰拷貝到CA3，HOST1和HOST2，把CA2所屬文件都拷貝到CA2
copy?ca2.cer?d:\ca3&copy?ca2.pub?d:\ca3&copy?ca2.cer?d:\host1&copy?ca2.pub?d:\host1&copy?ca2.cer?d:\host2&copy?ca2.pub?d:\host2&copy?ca2.*?\ca2&cd\ca2
?
::?生成CA3的請(qǐng)求，私鑰和公鑰
openssl?req?-newkey?rsa:8192?-keyout?ca3.key?-out?ca3.csr?-subj?/C=CN/ST=jiangsu/L=nanjing/O=Tiger/OU=CA-3/CN=CA3/emailAddress=ca3@tiger.com?-passout?pass:abcd
openssl?rsa?-in?ca3.key?-pubout?-out?ca3.pub?-passin?pass:abcd
?
::?用CA2的私鑰簽署CA3的請(qǐng)求
Openssl?x509?-req?-days?1095?-in?ca3.csr?-CA?ca2.cer?-CAkey?ca2.key?-out?ca3.cer?-days?3650?-passin?pass:abcd?-extfile?"C:\Program?Files\OpenSSL-Win64\bin\cnf\openssl.cnf"?-extensions?v3_ca?-CAcreateserial
?
?
::?把CA3的證書和公鑰拷貝到HOST1和HOST2，把CA3所屬文件都拷貝到CA3
copy?ca3.cer?d:\host1&copy?ca3.pub?d:\host1&copy?ca3.cer?d:\host2&copy?ca3.pub?d:\host2&copy?ca3.*?\ca3&cd\ca3
?
::?生成HOST1與HOST2的證書請(qǐng)求、私鑰和公鑰
openssl?req?-newkey?rsa:8192?-keyout?host1.key?-out?host1.csr?-subj?/C=CN/ST=guangdong/L=shenzhen/O=SUN/OU=Office-1/CN=host1?-addext?"subjectAltName?=?DNS:host1"?-passout?pass:abcd
openssl?req?-newkey?rsa:8192?-keyout?host2.key?-out?host2.csr?-subj?/C=CN/ST=guangdong/L=shenzhen/O=SUN/OU=Office-2/CN=host2?-addext?"subjectAltName?=?DNS:host2"?-passout?pass:abcd
openssl?rsa?-in?host1.key?-pubout?-out?host1.pub?-passin?pass:abcd
openssl?rsa?-in?host2.key?-pubout?-out?host2.pub?-passin?pass:abcd
?
::?用CA3的私鑰簽署用戶證書：
Openssl?x509?-req?-days?1095?-in?host1.csr?-CA?ca3.cer?-CAkey?ca3.key?-out?host1.cer?-days?3650?-passin?pass:abcd?-CAcreateserial?-extfile?"d:\01.ext"?-extensions?usr_cert
Openssl?x509?-req?-days?1095?-in?host2.csr?-CA?ca3.cer?-CAkey?ca3.key?-out?host2.cer?-days?3650?-passin?pass:abcd?-CAcreateserial?-extfile?"d:\02.ext"?-extensions?usr_cert
?
::?把HOST1和HOST2的所有文件拷貝到對(duì)應(yīng)目錄
copy?host1.*?d:\host1&copy?host2.*?d:\host2
??
::?驗(yàn)證證書鏈：
copy?ca3.cer+ca2.cer+ca1.cer?ca-chain.cer
openssl?verify?-show_chain?-CAfile?ca-chain.cer?host1.cer
openssl?verify?-show_chain?-CAfile?ca-chain.cer?host2.cer
openssl?x509?-in?ca1.cer?-noout?-text|find?"CA:TRUE"
openssl?x509?-in?ca2.cer?-noout?-text|find?"CA:TRUE"
openssl?x509?-in?ca3.cer?-noout?-text|find?"CA:TRUE"
openssl?x509?-in?host1.cer?-noout?-text|find?"CA:TRUE"
openssl?x509?-in?host2.cer?-noout?-text|find?"CA:TRUE"

文章標(biāo)題：OpenSSL自建CA和CA鏈，給主機(jī)簽發(fā)證書的批處理（使用
URL分享：http://jinyejixie.com/article34/gggope.html

成都網(wǎng)站建設(shè)公司_創(chuàng)新互聯(lián)，為您提供標(biāo)簽優(yōu)化、定制網(wǎng)站、搜索引擎優(yōu)化、用戶體驗(yàn)、靜態(tài)網(wǎng)站、動(dòng)態(tài)網(wǎng)站

廣告

聲明：本網(wǎng)站發(fā)布的內(nèi)容（圖片、視頻和文字）以用戶投稿、用戶轉(zhuǎn)載內(nèi)容為主，如果涉及侵權(quán)請(qǐng)盡快告知，我們將會(huì)在第一時(shí)間刪除。文章觀點(diǎn)不代表本網(wǎng)站立場，如需處理請(qǐng)聯(lián)系客服。電話：028-86922220；郵箱：631063699@qq.com。內(nèi)容未經(jīng)允許不得轉(zhuǎn)載，或轉(zhuǎn)載時(shí)需注明來源： 創(chuàng)新互聯(lián)