自建ca

可以参考我之前的文章:前戏地址

openssl安装配置

安装

linux 环境,这里以centos7为例,centos7默认安装的有,不再赘述
windows 下载地址
建议下载解压版,添加到path即可

配置

重中之重

首先生成openssl根证书
参见前戏文章

windows配置

#
# OpenSSL example configuration file.
# This is mostly being used for generation of certificate requests.
## This definition stops the following lines choking if HOME isn't
# defined.
HOME            = .
RANDFILE        = $ENV::HOME/.rnd# Extra OBJECT IDENTIFIER info:
#oid_file       = $ENV::HOME/.oid
oid_section     = new_oids# To use this configuration file with the "-extfile" option of the
# "openssl x509" utility, name here the section containing the
# X.509v3 extensions to use:
# extensions        =
# (Alternatively, use a configuration file that has only
# X.509v3 extensions in its main [= default] section.)[ new_oids ]# We can add new OIDs in here for use by 'ca' and 'req'.
# Add a simple OID like this:
# testoid1=1.2.3.4
# Or use config file substitution like this:
# testoid2=${testoid1}.5.6####################################################################
[ ca ]
default_ca  = CA_default       # The default ca section####################################################################
[ CA_default ]dir       = h://openssl/ca       # Where everything is kept
certs       = $dir/certs       # Where the issued certs are kept
crl_dir     = $dir/crl     # Where the issued crl are kept
database    = $dir/index.txt   # database index file.
#unique_subject = no           # Set to 'no' to allow creation of# several ctificates with same subject.
new_certs_dir   = $dir/newcerts        # default place for new certs.certificate   = $dir/cacert.pem  # The CA certificate
serial      = $dir/serial      # The current serial number
crlnumber   = $dir/crlnumber   # the current crl number# must be commented out to leave a V1 CRL
crl     = $dir/crl.pem         # The current CRL
private_key = $dir/private/cakey.pem# The private key
RANDFILE    = $dir/private/.rand   # private random number filex509_extensions = usr_cert     # The extentions to add to the cert# Comment out the following two lines for the "traditional"
# (and highly broken) format.
name_opt    = ca_default       # Subject Name options
cert_opt    = ca_default       # Certificate field options# Extension copying option: use with caution.
# copy_extensions = copy# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL.
# crlnumber must also be commented out to leave a V1 CRL.
# crl_extensions    = crl_extdefault_days  = 365          # how long to certify for
default_crl_days= 30           # how long before next CRL
default_md  = sha1         # which md to use.
preserve    = no           # keep passed DN ordering# A few difference way of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy      = policy_match# For the CA policy
[ policy_match ]
countryName     = match
stateOrProvinceName = optional
organizationName    = optional
organizationalUnitName  = optional
commonName      = supplied
emailAddress        = optional# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
[ policy_anything ]
countryName     = optional
stateOrProvinceName = optional
localityName        = optional
organizationName    = optional
organizationalUnitName  = optional
commonName      = supplied
emailAddress        = optional####################################################################
[ req ]
default_bits        = 1024
default_keyfile     = privkey.pem
distinguished_name  = req_distinguished_name
attributes      = req_attributes
x509_extensions = v3_ca    # The extentions to add to the self signed cert# Passwords for private keys if not present they will be prompted for
# input_password = secret
# output_password = secret# This sets a mask for permitted string types. There are several options.
# default: PrintableString, T61String, BMPString.
# pkix   : PrintableString, BMPString.
# utf8only: only UTF8Strings.
# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
# MASK:XXXX a literal mask value.
# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
# so use this option with caution!
string_mask = nombstr# req_extensions = v3_req # The extensions to add to a certificate request[ req_distinguished_name ]
countryName         = Country Name (2 letter code)
countryName_default     = AU
countryName_min         = 2
countryName_max         = 2stateOrProvinceName     = State or Province Name (full name)
stateOrProvinceName_default = Some-StatelocalityName           = Locality Name (eg, city)0.organizationName       = Organization Name (eg, company)
0.organizationName_default  = Internet Widgits Pty Ltd# we can do this but it is not needed normally :-)
#1.organizationName     = Second Organization Name (eg, company)
#1.organizationName_default = World Wide Web Pty LtdorganizationalUnitName     = Organizational Unit Name (eg, section)
#organizationalUnitName_default =commonName            = Common Name (eg, YOUR name)
commonName_max          = 64emailAddress           = Email Address
emailAddress_max        = 64# SET-ex3          = SET extension number 3[ req_attributes ]
challengePassword       = A challenge password
challengePassword_min       = 4
challengePassword_max       = 20unstructuredName       = An optional company name[ usr_cert ]# These extensions are added when 'ca' signs a request.# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.basicConstraints=CA:FALSE# Here are some examples of the usage of nsCertType. If it is omitted
# the certificate can be used for anything *except* object signing.# This is OK for an SSL server.
# nsCertType            = server# For an object signing certificate this would be used.
# nsCertType = objsign# For normal client use this is typical
# nsCertType = client, email# and for everything including object signing:
# nsCertType = client, email, objsign# This is typical in keyUsage for a client certificate.
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment# This will be displayed in Netscape's comment listbox.
nsComment           = "OpenSSL Generated Certificate"# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always# This stuff is for subjectAltName and issuerAltname.
# Import the email address.
# subjectAltName=email:copy
# An alternative to produce certificates that aren't
# deprecated according to PKIX.
# subjectAltName=email:move# Copy subject details
# issuerAltName=issuer:copy#nsCaRevocationUrl      = http://www.domain.dom/ca-crl.pem
#nsBaseUrl
#nsRevocationUrl
#nsRenewalUrl
#nsCaPolicyUrl
#nsSslServerName[ v3_req ]# Extensions to add to a certificate requestbasicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment[ v3_ca ]# Extensions for a typical CA# PKIX recommendation.subjectKeyIdentifier=hashauthorityKeyIdentifier=keyid:always,issuer:always# This is what PKIX recommends but some broken software chokes on critical
# extensions.
#basicConstraints = critical,CA:true
# So we do this instead.
basicConstraints = CA:true# Key usage: this is typical for a CA certificate. However since it will
# prevent it being used as an test self-signed certificate it is best
# left out by default.
# keyUsage = cRLSign, keyCertSign# Some might want this also
# nsCertType = sslCA, emailCA# Include email address in subject alt name: another PKIX recommendation
# subjectAltName=email:copy
# Copy issuer details
# issuerAltName=issuer:copy# DER hex encoding of an extension: beware experts only!
# obj=DER:02:03
# Where 'obj' is a standard or added object
# You can even override a supported extension:
# basicConstraints= critical, DER:30:03:01:01:FF[ crl_ext ]# CRL extensions.
# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.# issuerAltName=issuer:copy
authorityKeyIdentifier=keyid:always,issuer:always[ proxy_cert_ext ]
# These extensions should be added when creating a proxy certificate# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.basicConstraints=CA:FALSE# Here are some examples of the usage of nsCertType. If it is omitted
# the certificate can be used for anything *except* object signing.# This is OK for an SSL server.
# nsCertType            = server# For an object signing certificate this would be used.
# nsCertType = objsign# For normal client use this is typical
# nsCertType = client, email# and for everything including object signing:
# nsCertType = client, email, objsign# This is typical in keyUsage for a client certificate.
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment# This will be displayed in Netscape's comment listbox.
nsComment           = "OpenSSL Generated Certificate"# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always# This stuff is for subjectAltName and issuerAltname.
# Import the email address.
# subjectAltName=email:copy
# An alternative to produce certificates that aren't
# deprecated according to PKIX.
# subjectAltName=email:move# Copy subject details
# issuerAltName=issuer:copy#nsCaRevocationUrl      = http://www.domain.dom/ca-crl.pem
#nsBaseUrl
#nsRevocationUrl
#nsRenewalUrl
#nsCaPolicyUrl
#nsSslServerName# This really needs to be in place for it to be a proxy certificate.
proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo

linux配置

#
# OpenSSL example configuration file.
# This is mostly being used for generation of certificate requests.
## This definition stops the following lines choking if HOME isn't
# defined.
HOME            = .
RANDFILE        = $ENV::HOME/.rnd# Extra OBJECT IDENTIFIER info:
#oid_file       = $ENV::HOME/.oid
oid_section     = new_oids# To use this configuration file with the "-extfile" option of the
# "openssl x509" utility, name here the section containing the
# X.509v3 extensions to use:
# extensions        =
# (Alternatively, use a configuration file that has only
# X.509v3 extensions in its main [= default] section.)[ new_oids ]# We can add new OIDs in here for use by 'ca', 'req' and 'ts'.
# Add a simple OID like this:
# testoid1=1.2.3.4
# Or use config file substitution like this:
# testoid2=${testoid1}.5.6# Policies used by the TSA examples.
tsa_policy1 = 1.2.3.4.1
tsa_policy2 = 1.2.3.4.5.6
tsa_policy3 = 1.2.3.4.5.7####################################################################
[ ca ]
default_ca  = CA_default       # The default ca section####################################################################
[ CA_default ]dir       = /opt/myca        # Where everything is kept
certs       = $dir/certs       # Where the issued certs are kept
crl_dir     = $dir/crl     # Where the issued crl are kept
database    = $dir/index.txt   # database index file.
#unique_subject = no           # Set to 'no' to allow creation of# several ctificates with same subject.
new_certs_dir   = $dir/newcerts        # default place for new certs.certificate   = $dir/cacert.pem  # The CA certificate
serial      = $dir/serial      # The current serial number
crlnumber   = $dir/crlnumber   # the current crl number# must be commented out to leave a V1 CRL
crl     = $dir/crl.pem         # The current CRL
private_key = $dir/private/cakey.pem# The private key
RANDFILE    = $dir/private/.rand   # private random number filex509_extensions = usr_cert     # The extentions to add to the cert# Comment out the following two lines for the "traditional"
# (and highly broken) format.
name_opt    = ca_default       # Subject Name options
cert_opt    = ca_default       # Certificate field options# Extension copying option: use with caution.
# copy_extensions = copy# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL.
# crlnumber must also be commented out to leave a V1 CRL.
# crl_extensions    = crl_extdefault_days  = 365          # how long to certify for
default_crl_days= 30           # how long before next CRL
default_md  = sha256       # use SHA-256 by default
preserve    = no           # keep passed DN ordering# A few difference way of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy      = policy_match# For the CA policy
[ policy_match ]
countryName     = match
stateOrProvinceName = optional
organizationName    = optional
organizationalUnitName  = optional
commonName      = supplied
emailAddress        = optional# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
[ policy_anything ]
countryName     = optional
stateOrProvinceName = optional
localityName        = optional
organizationName    = optional
organizationalUnitName  = optional
commonName      = supplied
emailAddress        = optional####################################################################
[ req ]
default_bits        = 2048
default_md      = sha256
default_keyfile     = privkey.pem
distinguished_name  = req_distinguished_name
attributes      = req_attributes
x509_extensions = v3_ca    # The extentions to add to the self signed cert# Passwords for private keys if not present they will be prompted for
# input_password = secret
# output_password = secret# This sets a mask for permitted string types. There are several options.
# default: PrintableString, T61String, BMPString.
# pkix   : PrintableString, BMPString (PKIX recommendation before 2004)
# utf8only: only UTF8Strings (PKIX recommendation after 2004).
# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
# MASK:XXXX a literal mask value.
# WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings.
string_mask = utf8only# req_extensions = v3_req # The extensions to add to a certificate request[ req_distinguished_name ]
countryName         = Country Name (2 letter code)
countryName_default     = XX
countryName_min         = 2
countryName_max         = 2stateOrProvinceName     = State or Province Name (full name)
#stateOrProvinceName_default    = Default ProvincelocalityName         = Locality Name (eg, city)
localityName_default        = Default City0.organizationName       = Organization Name (eg, company)
0.organizationName_default  = Default Company Ltd# we can do this but it is not needed normally :-)
#1.organizationName     = Second Organization Name (eg, company)
#1.organizationName_default = World Wide Web Pty LtdorganizationalUnitName     = Organizational Unit Name (eg, section)
#organizationalUnitName_default =commonName            = Common Name (eg, your name or your server\'s hostname)
commonName_max          = 64emailAddress           = Email Address
emailAddress_max        = 64# SET-ex3          = SET extension number 3[ req_attributes ]
challengePassword       = A challenge password
challengePassword_min       = 4
challengePassword_max       = 20unstructuredName       = An optional company name[ usr_cert ]# These extensions are added when 'ca' signs a request.# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.basicConstraints=CA:FALSE# Here are some examples of the usage of nsCertType. If it is omitted
# the certificate can be used for anything *except* object signing.# This is OK for an SSL server.
# nsCertType            = server# For an object signing certificate this would be used.
# nsCertType = objsign# For normal client use this is typical
# nsCertType = client, email# and for everything including object signing:
# nsCertType = client, email, objsign# This is typical in keyUsage for a client certificate.
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment# This will be displayed in Netscape's comment listbox.
nsComment           = "OpenSSL Generated Certificate"# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer# This stuff is for subjectAltName and issuerAltname.
# Import the email address.
# subjectAltName=email:copy
# An alternative to produce certificates that aren't
# deprecated according to PKIX.
# subjectAltName=email:move# Copy subject details
# issuerAltName=issuer:copy#nsCaRevocationUrl      = http://www.domain.dom/ca-crl.pem
#nsBaseUrl
#nsRevocationUrl
#nsRenewalUrl
#nsCaPolicyUrl
#nsSslServerName# This is required for TSA certificates.
# extendedKeyUsage = critical,timeStamping[ v3_req ]# Extensions to add to a certificate requestbasicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment[ v3_ca ]# Extensions for a typical CA# PKIX recommendation.subjectKeyIdentifier=hashauthorityKeyIdentifier=keyid:always,issuer# This is what PKIX recommends but some broken software chokes on critical
# extensions.
#basicConstraints = critical,CA:true
# So we do this instead.
basicConstraints = CA:true# Key usage: this is typical for a CA certificate. However since it will
# prevent it being used as an test self-signed certificate it is best
# left out by default.
# keyUsage = cRLSign, keyCertSign# Some might want this also
# nsCertType = sslCA, emailCA# Include email address in subject alt name: another PKIX recommendation
# subjectAltName=email:copy
# Copy issuer details
# issuerAltName=issuer:copy# DER hex encoding of an extension: beware experts only!
# obj=DER:02:03
# Where 'obj' is a standard or added object
# You can even override a supported extension:
# basicConstraints= critical, DER:30:03:01:01:FF[ crl_ext ]# CRL extensions.
# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.# issuerAltName=issuer:copy
authorityKeyIdentifier=keyid:always[ proxy_cert_ext ]
# These extensions should be added when creating a proxy certificate# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.basicConstraints=CA:FALSE# Here are some examples of the usage of nsCertType. If it is omitted
# the certificate can be used for anything *except* object signing.# This is OK for an SSL server.
# nsCertType            = server# For an object signing certificate this would be used.
# nsCertType = objsign# For normal client use this is typical
# nsCertType = client, email# and for everything including object signing:
# nsCertType = client, email, objsign# This is typical in keyUsage for a client certificate.
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment# This will be displayed in Netscape's comment listbox.
nsComment           = "OpenSSL Generated Certificate"# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer# This stuff is for subjectAltName and issuerAltname.
# Import the email address.
# subjectAltName=email:copy
# An alternative to produce certificates that aren't
# deprecated according to PKIX.
# subjectAltName=email:move# Copy subject details
# issuerAltName=issuer:copy#nsCaRevocationUrl      = http://www.domain.dom/ca-crl.pem
#nsBaseUrl
#nsRevocationUrl
#nsRenewalUrl
#nsCaPolicyUrl
#nsSslServerName# This really needs to be in place for it to be a proxy certificate.
proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo####################################################################
[ tsa ]default_tsa = tsa_config1   # the default TSA section[ tsa_config1 ]# These are used by the TSA reply generation only.
dir     = ./demoCA     # TSA root directory
serial      = $dir/tsaserial   # The current serial number (mandatory)
crypto_device   = builtin      # OpenSSL engine to use for signing
signer_cert = $dir/tsacert.pem     # The TSA signing certificate# (optional)
certs       = $dir/cacert.pem  # Certificate chain to include in reply# (optional)
signer_key  = $dir/private/tsakey.pem # The TSA private key (optional)default_policy   = tsa_policy1      # Policy if request did not specify it# (optional)
other_policies  = tsa_policy2, tsa_policy3 # acceptable policies (optional)
digests     = sha1, sha256, sha384, sha512 # Acceptable message digests (mandatory)
accuracy    = secs:1, millisecs:500, microsecs:100 # (optional)
clock_precision_digits  = 0    # number of digits after dot. (optional)
ordering        = yes  # Is ordering defined for timestamps?# (optional, default: no)
tsa_name        = yes  # Must the TSA name be included in the reply?# (optional, default: no)
ess_cert_id_chain   = no   # Must the ESS cert id chain be included?# (optional, default: no)

关键参数:
dir
default_days
default_crl_days
default_md
policy_match
具体参数解释参见英文释义

脚本编写

windows 脚本

@echo on
::-- openssl 配置文件地址
set OPENSSL_CONF=H:\openssl\ca\openssl.cnf
::-- openssl ca私钥地址 用作给颁发证书签名
set BASE_CA_PRI="H:\openssl\ca\cacert.pem"
::-- openssl  生成的客户端证书系列文件存储地址
set BASE_FOLDERNAME=clientset BASE_ALL_PATH="H:\openssl"echo 请输入 客户端x509证书 主题 subject  example "/C=CN/ST=xx/L=xx/O=xxx/OU=xxx/CN=*.xx.com"
echo C 国家代码 ST 省份 L 城市 O 组织 OU 单位 CN 域名（example:*.baidu.com）echo 各省市简称如下:
echo BJ―北京市；SH―上海市；TJ―天津市；CQ―重庆市；HE―河北省；SX―山西省；NM―内蒙古自治区；LN―辽宁省；
echo JL―吉林省；HL―黑龙江省；JS―江苏省；ZJ―浙江省；AH―安徽省；FJ―福建省；JX―江西省；SD―山东省；HA―河南省；
echo HB―湖北省；HN―湖南省；GD―广东省；GX―广西壮族自治区； HI―海南省； SC―四川省；GZ―贵州省；YN―云南省；
echo XZ―西藏自治区；SN―陕西省；GS―甘肃省；QH―青海省；NX―宁夏回族自治区；XJ―新疆维吾尔族自治区；TW―台湾省；HK―香港特别行政区；MO―澳门特别行政区set /p C=国家代码(例如:中国CN):
set /p ST=省份(例如:北京BJ):
set /p L=城市(例如:北京BJ):
set /p O=组织(例如:baidu):
set /p OU=单位(例如:baidu):
set /p CN=域名(例如:*.baidu.com):
set subject="/C=%C%/ST=%ST%/L=%L%/O=%O%/OU=%OU%/CN=%CN%"call :create %subject%echo "生成完成,文件已保存在,%BASE_ALL_PATH%\client目录下"pauseexit:create
cd %BASE_ALL_PATH%if not exist %BASE_FOLDERNAME% ( mkdir %BASE_FOLDERNAME% )cd %BASE_FOLDERNAME%
set fileDir="%ST%_%L%_%O%"
if not exist %fileDir% (mkdir %fileDir%)
cd %fileDir%
::-- 生成私钥
openssl genrsa  -out client_private.pem 2048
::-- 生成公钥
openssl rsa -in client_private.pem -pubout -out client_public_key.pem ::-- 生成请求证书
openssl req -utf8 -new -days 3650 -key client_private.pem -out client_req.pem -subj %1::-- 根据请求证书生成x509公钥证书
openssl ca -in client_req.pem -out client_public_key.pem -days 3650 -batch::-- 合并公钥证书和私钥生成p12个人证书
openssl pkcs12 -export -in client_public_key.pem -inkey client_private.pem -out client.p12 -certfile  %BASE_CA_PRI% -password  pass:123456::--  私钥转 pkcs8格式 .net读取方便
openssl pkcs8 -topk8 -nocrypt -in client_private.pem -out client_pkcs8_key.pemgoto:eof

linux 脚本

#!/bin/bash#openssl ca私钥地址 用作给颁发证书签名
BASE_CA_PRI="/opt/myca/cacert.pem"
# openssl  生成的客户端证书系列文件存储地址
BASE_FOLDERNAME="client"
#生成的所有证书存储的基础目录
BASE_ALL_PATH="/opt/myca/testcer/"# 输入描述
function  desc () { printf  "C 国家代码 ST 省份 L 城市 O 组织 OU 单位 CN 域名（example:*.baidu.com"
printf "各省市简称如下:"
printf "BJ―北京市；SH―上海市；TJ―天津市；CQ―重庆市；HE―河北省；SX―山西省；NM―内蒙古自治区；LN―辽宁省"
printf "JL―吉林省；HL―黑龙江省；JS―江苏省；ZJ―浙江省；AH―安徽省；FJ―福建省；JX―江西省；SD―山东省；HA―河南省"
printf "HB―湖北省；HN―湖南省；GD―广东省；GX―广西壮族自治区； HI―海南省； SC―四川省；GZ―贵州省；YN―云南省"
printf "XZ―西藏自治区；SN―陕西省；GS―甘肃省；QH―青海省；NX―宁夏回族自治区；XJ―新疆维吾尔族自治区；TW―台湾省；HK―香港特别行政区；MO―澳门特别行政区"}  function create () {printf  "C 国家代码 ST 省份 L 城市 O 组织 OU 单位 CN 域名（example:*.baidu.com\n"
printf "各省市简称如下:\n"
printf "BJ―北京市；SH―上海市；TJ―天津市；CQ―重庆市；HE―河北省；SX―山西省；NM―内蒙古自治区；LN―辽宁省\n"
printf "JL―吉林省；HL―黑龙江省；JS―江苏省；ZJ―浙江省；AH―安徽省；FJ―福建省；JX―江西省；SD―山东省；HA―河南省\n"
printf "HB―湖北省；HN―湖南省；GD―广东省；GX―广西壮族自治区； HI―海南省； SC―四川省；GZ―贵州省；YN―云南省\n"
printf "XZ―西藏自治区；SN―陕西省；GS―甘肃省；QH―青海省；NX―宁夏回族自治区；XJ―新疆维吾尔族自治区；TW―台湾省；HK―香港特别行政区；MO―澳门特别行政区\n"if [ ! -d  $BASE_ALL_PATH ]; thenmkdir -p $BASE_ALL_PATHficd $BASE_ALL_PATH if [ ! -d  $BASE_FOLDERNAME ]; thenmkdir -p $BASE_FOLDERNAMEficd $BASE_FOLDERNAMEprintf "请依次输入,C=国家代码(例如:中国CN),ST=省份(例如:北京BJ),L=城市(例如:北京BJ),O=组织(例如:baidu):,OU=单位(例如:baidu):,CN=域名(例如:*.baidu.com):并以空格间隔\n"
read C ST L O OU CNsubject="/C="${C}"/ST="${ST}"/L="${L}"/O="${O}"/OU="${OU}"/CN="${CN}echo "证书主题:"${subject}# 拼接 证书存放地址
fileDir=${ST}_${L}_${O}if [ ! -d  $fileDir ]; thenmkdir -p $fileDirficd  ${fileDir}echo "生成文件存储路径为:"$(pwd) #生成私钥
openssl genrsa  -out client_private.pem 2048
# 生成公钥
openssl rsa -in client_private.pem -pubout -out client_public_key.pem #生成请求证书
openssl req -utf8 -new -days 3650 -key client_private.pem -out client_req.pem -subj $subject#根据请求证书生成x509公钥证书
openssl ca -in client_req.pem -out client_public_key.pem -days 3650 -batch#合并公钥证书和私钥生成p12个人证书
openssl pkcs12 -export -in client_public_key.pem -inkey client_private.pem -out client.p12 -certfile  $BASE_CA_PRI -password  pass:123456# 私钥转 pkcs8格式 .net读取方便
openssl pkcs8 -topk8 -nocrypt -in client_private.pem -out client_pkcs8_key.pem
}case $1 in"create" ) create;;
esacexit 0

脚本释义参见脚本注释
windows 脚本安装好 openssl后双击,输入必要DN参数即可生成
linux 脚本 chmod u+x ./xx.sh create 输入必要DN参数即可生成

最终效果:

openssl 自建ca之脚本自动签发相关推荐

openssl 自建ca，颁发客户端证书
openssl 自建ca,颁发客户端证书概念理解数字证书: 数字证书就是互联网通讯中标志通讯各方身份信息的一串数字,提供了一种在Internet上验证通信实体身份的方式,数字证书不是数字身份证,而 ...
互联网协议 — TLS — 使用 OpenSSL 自建 CA 中心
目录文章目录目录使用 OpenSSL 自建 CA 并签发证书示例 Step 1. 搭建 CA 中心 Step 2. 生成 CA 的 RSA 私钥 Step 3. 生成 CA 的公钥(CA 证书 ...
OpenSSL自建CA和签发二级CA及颁发SSL证书
自己签发CA证书再签发服务器证书的场景非常简单.把根CA证书导入到浏览器后,就可以信任由这个根CA直接签发的服务器证书. 但是实际上网站使用的证书肯定都不是由根CA直接签发的,比如像百度这种,网站使 ...
openssl 自建CA签发证书网站https的ssl通信
<<COMMENT X509 文件扩展名首先我们要理解文件的扩展名代表什么.DER.PEM.CRT和CER这些扩展名经常令人困惑. 很多人错误地认为这些扩展名可以互相代替.尽管的确有时候 ...
基于OpenSSL自建CA和颁发SSL证书
关于SSL/TLS介绍见文章 SSL/TLS原理详解. 关于证书授权中心CA以及数字证书等概念,请移步 OpenSSL 与 SSL 数字证书概念贴 . openssl是一个开源程序的套件.这个套件有三 ...
利用openssl自建ca并且使apache2用自建的ca证书进行https链接（自用，，，
参考了信安实践--自建CA证书搭建https服务器 - LiBaoquan - 博客园 (cnblogs.com) 加一些关于apache的命令: sudo systemctl start apach ...
Openssl私建CA
构建私有CA: 在确定配置为CA的服务上生成一个自签证书,并为CA提供所需要的目录及文件即可: 步骤: (1) 生成私钥: [root@centos7 ~]# (umask 077; ope ...
基于openssl工具完成自建CA以及为server,client颁发证书
文章目录一.openssl简介 1.1 主要构成部分 1.2 openssl用途 1.3 证书.密钥.CSR请求文件.CRL列表查看命令二.RSA密钥操作 2.1密钥生成 2.2 转换命令 2. ...
加密解密、Openssl、自建CA
一.三种加密方式 1.对称加密工作机制:需要对加密和解密使用相同密钥的加密算法.密钥是控制加密及解密过程的指令.算法是一组规则,规定如何进行加密和解密.将原文分割成固定大小的数据块,对这些进行 ...
openssl工具详解及自建CA方法
前言: openssl是一款很强大的多用途的开源加密解密的命令行工具,比如创建私钥,创建证书签名请求,测试各种加密算法耗时等等. 在我们进入openssl工具讲解之前,我们有必要先了解先Linux下的 ...

openssl 自建ca之脚本自动签发