x509命令和CA命令都能以CA身份給客戶簽發(fā)證書(shū)，本文介紹前者，CA命令的用法見(jiàn)另一篇博文。

創(chuàng)新互聯(lián)公司服務(wù)項(xiàng)目包括威海網(wǎng)站建設(shè)、威海網(wǎng)站制作、威海網(wǎng)頁(yè)制作以及威海網(wǎng)絡(luò)營(yíng)銷策劃等。多年來(lái)，我們專注于互聯(lián)網(wǎng)行業(yè)，利用自身積累的技術(shù)優(yōu)勢(shì)、行業(yè)經(jīng)驗(yàn)、深度合作伙伴關(guān)系等，向廣大中小型企業(yè)、政府機(jī)構(gòu)等提供互聯(lián)網(wǎng)行業(yè)的解決方案，威海網(wǎng)站推廣取得了明顯的社會(huì)效益與經(jīng)濟(jì)效益。目前，我們服務(wù)的客戶以成都為中心已經(jīng)輻射到威海省份的部分城市，未來(lái)相信會(huì)繼續(xù)擴(kuò)大服務(wù)區(qū)域并繼續(xù)獲得客戶的支持與信任！

當(dāng)使用-CA infile選項(xiàng)時(shí)，x509命令的行為就像是一個(gè)“迷你CA”，對(duì)輸入的文件進(jìn)行簽名，它不像CA命令那樣需要預(yù)先建立配置文件定義的目錄結(jié)構(gòu)，也不把曾經(jīng)簽署的證書(shū)信息寫入數(shù)據(jù)庫(kù)，使用上相對(duì)方便一些。

把openssl.exe所在文件夾加入PATH環(huán)境變量，就可以在任何位置執(zhí)行批處理（不建議安裝于C盤，因?yàn)樵谏晌募倪^(guò)程中可能會(huì)遇到的權(quán)限問(wèn)題）。

為了防止瀏覽器彈出“沒(méi)有主題備用名稱”的警告信息，需要將配置文件"C:\Program Files\OpenSSL-Win64\bin\cnf\openssl.cnf"拷貝兩份到D盤根目錄，分別改名為01.ext和02.ext，在01.ext的[usr_cert]一節(jié)添加subjectAltName = DNS:host1，在02.ext的[usr_cert]一節(jié)添加subjectAltName = DNS:host2，請(qǐng)確保這兩個(gè)文件存在。

復(fù)制下列代碼粘貼到DOS窗口執(zhí)行即可，或者保存為批處理文件，注意倒數(shù)第一行需要打回車。為了保證干凈的實(shí)驗(yàn)環(huán)境，每次執(zhí)行都會(huì)先刪除之前建立的目錄然后重建，所以不要在這些目錄里保存重要資料。切記！

OpenSSL版本號(hào)為Windows版1.1.1c ?28 May 2019。

用x509命令簽發(fā)證書(shū)

根CA簽發(fā)

實(shí)驗(yàn)場(chǎng)景：先建立根CA：RCA，再由RCA簽發(fā)主機(jī)HOST1和HOST2的證書(shū)

批處理在D盤下建立目錄RCA、HOST1、HOST2，各目錄存放的文件顧名思義，其中RCA保留曾簽發(fā)的所有證書(shū)的備份。

::?根CA簽發(fā) ::?刪除之前所有的文件 d:&cd\&rd/s/q?host1&rd/s/q?host2&rd/s/q?rca&md?host1&md?host2&md?rca&cd?rca ? ::?生成自簽名的根證書(shū)，私鑰和公鑰： openssl?req?-x509?-newkey?rsa:8192?-keyout?rca.key?-out?rca.cer?-days?3650?-subj?/C=CN/ST=jiangsu/L=nanjing/O=Tiger/OU=CA-R/CN=RCA/emailAddress=ca@tiger.com?-passout?pass:abcd openssl?rsa?-in?rca.key?-pubout?-out?rca.pub?-passin?pass:abcd ? ::?把RCA的證書(shū)和公鑰拷貝到HOST1和HOST2 copy?rca.pub?d:\host1&copy?rca.cer?d:\host1&copy?rca.pub?d:\host2&copy?rca.cer?d:\host2 ? ::?生成host1與host2的證書(shū)請(qǐng)求、私鑰和公鑰 openssl?req?-newkey?rsa:8192?-keyout?host1.key?-out?host1.csr?-subj?/C=CN/ST=guangdong/L=shenzhen/O=SUN/OU=Office-1/CN=host1??-addext?"subjectAltName?=?DNS:host1"?-passout?pass:abcd openssl?req?-newkey?rsa:8192?-keyout?host2.key?-out?host2.csr?-subj?/C=CN/ST=guangdong/L=shenzhen/O=SUN/OU=Office-2/CN=host2??-addext?"subjectAltName?=?DNS:host2"?-passout?pass:abcd openssl?rsa?-in?host1.key?-pubout?-out?host1.pub?-passin?pass:abcd openssl?rsa?-in?host2.key?-pubout?-out?host2.pub?-passin?pass:abcd ? ::?用RCA的私鑰簽署用戶請(qǐng)求 Openssl?x509?-req?-days?1095?-in?host1.csr?-CA?rca.cer?-CAkey?rca.key?-out?host1.cer?-CAcreateserial?-passin?pass:abcd?-extfile?"d:\01.ext"?-extensions?usr_cert Openssl?x509?-req?-days?1095?-in?host2.csr?-CA?rca.cer?-CAkey?rca.key?-out?host2.cer?-CAcreateserial?-passin?pass:abcd?-extfile?"d:\02.ext"?-extensions?usr_cert ? ::?把HOST1和HOST2的所屬文件拷貝到對(duì)應(yīng)目錄 copy?host1.*?d:\host1&copy?host2.*?d:\host2 ? ::?驗(yàn)證證書(shū)鏈 openssl?verify?-show_chain?-CAfile?rca.cer?host1.cer openssl?verify?-show_chain?-CAfile?rca.cer?host2.cer openssl?x509?-in?rca.cer?-noout?-text|find?"CA:TRUE" openssl?x509?-in?host1.cer?-noout?-text|find?"CA:TRUE" openssl?x509?-in?host2.cer?-noout?-text|find?"CA:TRUE"

二級(jí)CA簽發(fā)

根CA：CA1

中間CA：CA2

CA1簽發(fā)CA2的證書(shū)，CA2給HOST1和HOST2簽發(fā)證書(shū)。

批處理在D盤根目錄下建立目錄CA1、CA2、HOST1、HOST2，各目錄存放的文件顧名思義，其中CA2保留曾簽發(fā)的所有證書(shū)的備份。

::?二級(jí)CA簽發(fā) ::?刪除之前所有的文件 d:&cd\&rd/s/q?host1&rd/s/q?host2&rd/s/q?ca1&rd/s/q?ca2&md?host1&md?host2&md?ca1&md?ca2&cd?ca1 ? ::?生成自簽名的CA1根證書(shū)、私鑰和公鑰： openssl?req?-x509?-newkey?rsa:8192?-keyout?ca1.key?-out?ca1.cer?-days?3650?-subj?/C=CN/ST=jiangsu/L=nanjing/O=Tiger/OU=CA-1/CN=CA1/emailAddress=ca1@tiger.com?-passout?pass:abcd openssl?rsa?-in?ca1.key?-pubout?-out?ca1.pub?-passin?pass:abcd ? ::?把CA1的證書(shū)和公鑰拷貝到CA2，HOST1和HOST2 copy?ca1.cer?d:\host1&copy?ca1.pub?d:\host1&copy?ca1.cer?d:\host2&copy?ca1.pub?d:\host2&copy?ca1.cer?d:\ca2&copy?ca1.pub?d:\ca2 ? ::?生成CA2的請(qǐng)求，私鑰和公鑰 openssl?req?-newkey?rsa:8192?-keyout?ca2.key?-out?ca2.csr?-subj?/C=CN/ST=jiangsu/L=nanjing/O=Tiger/OU=CA-2/CN=CA2/emailAddress=ca2@tiger.com?-passout?pass:abcd openssl?rsa?-in?ca2.key?-pubout?-out?ca2.pub?-passin?pass:abcd ? ::?用CA1的私鑰簽署CA2的請(qǐng)求 Openssl?x509?-req?-days?1095?-in?ca2.csr?-CA?ca1.cer?-CAkey?ca1.key?-out?ca2.cer?-days?3650?-passin?pass:abcd?-extfile?"C:\Program?Files\OpenSSL-Win64\bin\cnf\openssl.cnf"?-extensions?v3_ca?-CAcreateserial ? ::?把CA2的證書(shū)和公鑰拷貝到HOST1和HOST2，把CA2所屬文件都拷貝到CA2 copy?ca2.cer?d:\host1&copy?ca2.pub?d:\host1&copy?ca2.cer?d:\host2&copy?ca2.pub?d:\host2&copy?ca2.*?\ca2&cd\ca2 ? ::?生成HOST1與HOST2的證書(shū)請(qǐng)求、私鑰和公鑰 openssl?req?-newkey?rsa:8192?-keyout?host1.key?-out?host1.csr?-subj?/C=CN/ST=guangdong/L=shenzhen/O=SUN/OU=Office-1/CN=host1?-addext?"subjectAltName?=?DNS:host1"?-passout?pass:abcd openssl?req?-newkey?rsa:8192?-keyout?host2.key?-out?host2.csr?-subj?/C=CN/ST=guangdong/L=shenzhen/O=SUN/OU=Office-2/CN=host2?-addext?"subjectAltName?=?DNS:host2"?-passout?pass:abcd openssl?rsa?-in?host1.key?-pubout?-out?host1.pub?-passin?pass:abcd openssl?rsa?-in?host2.key?-pubout?-out?host2.pub?-passin?pass:abcd ? ::?用CA2的私鑰簽署用戶證書(shū)： Openssl?x509?-req?-days?1095?-in?host1.csr?-CA?ca2.cer?-CAkey?ca2.key?-out?host1.cer?-days?3650?-passin?pass:abcd?-CAcreateserial??-extfile?"d:\01.ext"?-extensions?usr_cert Openssl?x509?-req?-days?1095?-in?host2.csr?-CA?ca2.cer?-CAkey?ca2.key?-out?host2.cer?-days?3650?-passin?pass:abcd?-CAcreateserial??-extfile?"d:\02.ext"?-extensions?usr_cert echo?把HOST1和HOST2的所有文件拷貝到對(duì)應(yīng)目錄 copy?host1.*?d:\host1&copy?host2.*?d:\host2 ? ::?驗(yàn)證證書(shū)鏈 copy?ca2.cer+ca1.cer?ca-chain.cer openssl?verify?-show_chain?-CAfile?ca-chain.cer?host1.cer openssl?verify?-show_chain?-CAfile?ca-chain.cer?host2.cer openssl?x509?-in?ca1.cer?-noout?-text|find?"CA:TRUE" openssl?x509?-in?ca2.cer?-noout?-text|find?"CA:TRUE" openssl?x509?-in?host1.cer?-noout?-text|find?"CA:TRUE" openssl?x509?-in?host2.cer?-noout?-text|find?"CA:TRUE"

三級(jí)CA簽發(fā)

根CA：CA1

中間CA：CA2，CA3

CA1簽發(fā)CA2的證書(shū)，CA2簽發(fā)CA3的證書(shū)，CA3給HOST1和HOST2簽發(fā)證書(shū)。

批處理在D盤根目錄下建立目錄CA1、CA2、CA3、HOST1、HOST2，各目錄存放的文件顧名思義，其中CA3保留曾簽發(fā)的所有證書(shū)的備份。

::?三級(jí)CA簽發(fā) ::?刪除之前所有的文件 d:&cd\&rd/s/q?host1&rd/s/q?host2&rd/s/q?ca1&rd/s/q?ca2&rd/s/q?ca3&md?host1&md?host2&md?ca1&md?ca2&md?ca3&cd?ca1 ? ::?生成自簽名的CA1根證書(shū)、私鑰和公鑰： openssl?req?-x509?-newkey?rsa:8192?-keyout?ca1.key?-out?ca1.cer?-days?3650?-subj?/C=CN/ST=jiangsu/L=nanjing/O=Tiger/OU=CA-1/CN=CA1/emailAddress=ca1@tiger.com?-passout?pass:abcd openssl?rsa?-in?ca1.key?-pubout?-out?ca1.pub?-passin?pass:abcd ? ::?把CA1的證書(shū)和公鑰拷貝到CA2，CA3，HOST1，HOST2 copy?ca1.cer?d:\ca2&copy?ca1.pub?d:\ca2&copy?ca1.cer?d:\ca3&copy?ca1.pub?d:\ca3&copy?ca1.cer?d:\host1&copy?ca1.pub?d:\host1&copy?ca1.cer?d:\host2&copy?ca1.pub?d:\host2 ? ::?生成CA2的請(qǐng)求，私鑰和公鑰 openssl?req?-newkey?rsa:8192?-keyout?ca2.key?-out?ca2.csr?-subj?/C=CN/ST=jiangsu/L=nanjing/O=Tiger/OU=CA-2/CN=CA2/emailAddress=ca2@tiger.com?-passout?pass:abcd openssl?rsa?-in?ca2.key?-pubout?-out?ca2.pub?-passin?pass:abcd ? ::?用CA1的私鑰簽署CA2的請(qǐng)求 Openssl?x509?-req?-days?1095?-in?ca2.csr?-CA?ca1.cer?-CAkey?ca1.key?-out?ca2.cer?-days?3650?-passin?pass:abcd?-extfile?"C:\Program?Files\OpenSSL-Win64\bin\cnf\openssl.cnf"?-extensions?v3_ca?-CAcreateserial ? ::?把CA2的證書(shū)和公鑰拷貝到CA3，HOST1和HOST2，把CA2所屬文件都拷貝到CA2 copy?ca2.cer?d:\ca3&copy?ca2.pub?d:\ca3&copy?ca2.cer?d:\host1&copy?ca2.pub?d:\host1&copy?ca2.cer?d:\host2&copy?ca2.pub?d:\host2&copy?ca2.*?\ca2&cd\ca2 ? ::?生成CA3的請(qǐng)求，私鑰和公鑰 openssl?req?-newkey?rsa:8192?-keyout?ca3.key?-out?ca3.csr?-subj?/C=CN/ST=jiangsu/L=nanjing/O=Tiger/OU=CA-3/CN=CA3/emailAddress=ca3@tiger.com?-passout?pass:abcd openssl?rsa?-in?ca3.key?-pubout?-out?ca3.pub?-passin?pass:abcd ? ::?用CA2的私鑰簽署CA3的請(qǐng)求 Openssl?x509?-req?-days?1095?-in?ca3.csr?-CA?ca2.cer?-CAkey?ca2.key?-out?ca3.cer?-days?3650?-passin?pass:abcd?-extfile?"C:\Program?Files\OpenSSL-Win64\bin\cnf\openssl.cnf"?-extensions?v3_ca?-CAcreateserial ? ? ::?把CA3的證書(shū)和公鑰拷貝到HOST1和HOST2，把CA3所屬文件都拷貝到CA3 copy?ca3.cer?d:\host1&copy?ca3.pub?d:\host1&copy?ca3.cer?d:\host2&copy?ca3.pub?d:\host2&copy?ca3.*?\ca3&cd\ca3 ? ::?生成HOST1與HOST2的證書(shū)請(qǐng)求、私鑰和公鑰 openssl?req?-newkey?rsa:8192?-keyout?host1.key?-out?host1.csr?-subj?/C=CN/ST=guangdong/L=shenzhen/O=SUN/OU=Office-1/CN=host1?-addext?"subjectAltName?=?DNS:host1"?-passout?pass:abcd openssl?req?-newkey?rsa:8192?-keyout?host2.key?-out?host2.csr?-subj?/C=CN/ST=guangdong/L=shenzhen/O=SUN/OU=Office-2/CN=host2?-addext?"subjectAltName?=?DNS:host2"?-passout?pass:abcd openssl?rsa?-in?host1.key?-pubout?-out?host1.pub?-passin?pass:abcd openssl?rsa?-in?host2.key?-pubout?-out?host2.pub?-passin?pass:abcd ? ::?用CA3的私鑰簽署用戶證書(shū)： Openssl?x509?-req?-days?1095?-in?host1.csr?-CA?ca3.cer?-CAkey?ca3.key?-out?host1.cer?-days?3650?-passin?pass:abcd?-CAcreateserial?-extfile?"d:\01.ext"?-extensions?usr_cert Openssl?x509?-req?-days?1095?-in?host2.csr?-CA?ca3.cer?-CAkey?ca3.key?-out?host2.cer?-days?3650?-passin?pass:abcd?-CAcreateserial?-extfile?"d:\02.ext"?-extensions?usr_cert ? ::?把HOST1和HOST2的所有文件拷貝到對(duì)應(yīng)目錄 copy?host1.*?d:\host1&copy?host2.*?d:\host2 ?? ::?驗(yàn)證證書(shū)鏈： copy?ca3.cer+ca2.cer+ca1.cer?ca-chain.cer openssl?verify?-show_chain?-CAfile?ca-chain.cer?host1.cer openssl?verify?-show_chain?-CAfile?ca-chain.cer?host2.cer openssl?x509?-in?ca1.cer?-noout?-text|find?"CA:TRUE" openssl?x509?-in?ca2.cer?-noout?-text|find?"CA:TRUE" openssl?x509?-in?ca3.cer?-noout?-text|find?"CA:TRUE" openssl?x509?-in?host1.cer?-noout?-text|find?"CA:TRUE" openssl?x509?-in?host2.cer?-noout?-text|find?"CA:TRUE"

另外有需要云服務(wù)器可以了解下創(chuàng)新互聯(lián)cdcxhl.cn，海內(nèi)外云服務(wù)器15元起步，三天無(wú)理由+7*72小時(shí)售后在線，公司持有idc許可證，提供“云服務(wù)器、裸金屬服務(wù)器、高防服務(wù)器、香港服務(wù)器、美國(guó)服務(wù)器、虛擬主機(jī)、免備案服務(wù)器”等云主機(jī)租用服務(wù)以及企業(yè)上云的綜合解決方案，具有“安全穩(wěn)定、簡(jiǎn)單易用、服務(wù)可用性高、性價(jià)比高”等特點(diǎn)與優(yōu)勢(shì)，專為企業(yè)上云打造定制，能夠滿足用戶豐富、多元化的應(yīng)用場(chǎng)景需求。

本文名稱：OpenSSL自建CA和CA鏈，給主機(jī)簽發(fā)證書(shū)的批處理（使用-創(chuàng)新互聯(lián)
網(wǎng)頁(yè)鏈接：http://jinyejixie.com/article48/dcgoep.html

成都網(wǎng)站建設(shè)公司_創(chuàng)新互聯(lián)，為您提供建站公司、定制網(wǎng)站、網(wǎng)站營(yíng)銷、移動(dòng)網(wǎng)站建設(shè)、外貿(mào)網(wǎng)站建設(shè)、品牌網(wǎng)站制作

廣告

聲明：本網(wǎng)站發(fā)布的內(nèi)容（圖片、視頻和文字）以用戶投稿、用戶轉(zhuǎn)載內(nèi)容為主，如果涉及侵權(quán)請(qǐng)盡快告知，我們將會(huì)在第一時(shí)間刪除。文章觀點(diǎn)不代表本網(wǎng)站立場(chǎng)，如需處理請(qǐng)聯(lián)系客服。電話：028-86922220；郵箱：631063699@qq.com。內(nèi)容未經(jīng)允許不得轉(zhuǎn)載，或轉(zhuǎn)載時(shí)需注明來(lái)源： 創(chuàng)新互聯(lián)