当前位置：首页 > news >正文

openssl3.2 - 官方demo学习 - certs

news 2025/12/10 23:05:03

文章目录

- openssl3.2 - 官方demo学习 - certs
- 概述
- 笔记
- 官方的实验流程
- mkcerts.sh - 整理
- ocsprun.sh - 整理
- ocspquery.sh - 整理
- 从mkcerts.sh整理出来的27个.bat
- a1_create_certificate_directly.cmd
- a2_Intermediate_CA_request_first.cmd
- a3_Sign_request_CA_extensions.cmd
- a4_Server_certificate_create_request_first.cmd
- a5_Sign_request_end_entity_extensions.cmd
- a6_Client_certificate_request_first.cmd
- a7_Sign_using_intermediate_CA.cmd
- a8_Revoked_certificate_request_first.cmd
- a9_Sign_using_intermediate_CA.cmd
- a10_OCSP_responder_certificate_request_first.cmd
- a11_Sign_using_intermediate_CA_and_responder_extensions.cmd
- a12_First_DH_parameters.cmd
- a13_Now_a_DH_private_key.cmd
- a14_Create_DH_public_key_file.cmd
- a15_dh_cert_req.cmd
- a16_Sign_dh_req.cmd
- a17_gen_dh_client_priv_key.cmd
- a18_gen_dh_client_pub_key.cmd
- a19_dh_clint_cert_req.cmd
- a20_dh_client_cert_sign.cmd
- a21_gen_crl_without_ca.cmd
- a22_add_cert_sha1_server.cmd
- a23_add_cert_sha1_client.cmd
- a24_add_cert_sha1_revoke.cmd
- a25_gen_crl.cmd
- a26_revoke_cert.cmd
- a27_gen_crl_new_one.cmd
- run_ax_bat.cmd
- 从ocsprun.sh整理出来的1个.bat
- ocsprun.cmd
- 从ocspquery.sh整理出来的4个.bat
- query1.cmd
- query2.cmd
- query3.cmd
- query_all.cmd
- 备注
- 生成测试用的根CA证书
- 生成二级CA(中间CA)
- 应用服务器的证书
- 客户端的证书
- 用于吊销演示的证书
- OCSP证书
- DH服务器证书
- DH客户端证书
- 建立本地CA需要的数据库
- 向本地CA数据库中登记服务器证书
- 向本地CA数据库登记客户端证书
- 向本地数据库登记用于吊销演示用的证书
- 产生证书吊销列表
- 吊销一个证书
- 产生(更新)证书吊销列表
- 本地实验需要的文件列表
- END

openssl3.2 - 官方demo学习 - certs

概述

打开官方demos的certs目录, 没看到.c. 茫然了一下.
官方在这个目录中要展示啥呢?
看了readme, 懂了.
原来官方在这个目录中, 要展示如何使用openssl.exe的命令行来操作证书(建立证书, 证书入库, 吊销证书, 查询证书).
官方通过3个.sh来展示证书操作.
mkcerts.sh - 一组操作, 用来建立证书, 证书入库
ocsprun.sh - 建立一个ocsp查询的服务器.
ocspquery.sh - 向ocsp服务器查询证书的有效性.
在cygwin64下, 这3个.sh都好使.
但是, 如果只是运行一下这3个.sh学不到东西. 如果自己有自签名的证书要操作, 还是得一个一个命令的都搞懂才行.

我先将这3个.sh翻译成.bat, 然后每一条命令做一个.bat, 一个一个.bat来运行, 观察运行结果.
整了一遍之后, 再整理.bat, 证书操作基本懂了. 用了2天时间.

如果不整理官方的.sh, 命令行参数中的的文件官方命名很容易将自己看糊涂.
在保证和官方实现一致的前提下, 将文件名改为自己能懂的. 加上注释, 以后就能知道, 每个命令行干啥活.

笔记

官方的实验流程

先运行 mkcerts.sh, 将后续要操作的证书都做出来.
再运行ocsprun.sh, 建立ocsp服务器.
最后运行 ocspquery.sh, 查询证书的有效性.

在mkcerts.sh中, 如果只是运行一次听个响, 27个操作, 一堆操作输出, 根本不能理解这个.sh到底干了啥.
同理, ocspquery.sh有4个操作, 只是运行一次, 啥也不懂.

所以要想理解官方的这3个.sh展示了啥, 需要将这3个.sh中, 每个命令行都自己单独做一次, 每个命令行执行完, 都观察一下有啥输出.

mkcerts.sh - 整理

#!/bin/sh# \file mkcerts.shOPENSSL=./openssl
OPENSSL_CONF=./openssl.cnf
export OPENSSL_CONF# Root CA: create certificate directly
# a1_create_certificate_directly.cmd
# 生成测试用的根证书, 私钥和证书都在一个文件(.pem)中
# %OPENSSL%                req -config ca.cnf -x509 -nodes -keyout root_ca.pem -out root_ca.pem -newkey rsa:2048 -days 3650 > opt_log_A1.txt 2>&1
CN="Test Root CA" $OPENSSL req -config ca.cnf -x509 -nodes -keyout root.pem    -out root.pem    -newkey rsa:2048 -days 3650# Intermediate CA: request first
# a2_Intermediate_CA_request_first.cmd
# 中间CA证书 - 请求
# %OPENSSL%                        req -config ca.cnf -nodes -keyout inter_ca_priv_key.pem -out inter_ca_req.pem -newkey rsa:2048 > opt_log_A2.txt 2>&1
CN="Test Intermediate CA" $OPENSSL req -config ca.cnf -nodes -keyout intkey.pem            -out intreq.pem       -newkey rsa:2048# Sign request: CA extensions
# a3_Sign_request_CA_extensions.cmd
# 中间CA证书请求 - 签名
# %OPENSSL% x509 -req -in inter_ca_req.pem -CA root_ca.pem -days 3600 -extfile ca.cnf -extensions v3_ca -CAcreateserial -out inter_ca_req_sign.pem > opt_log_A3.txt 2>&1
$OPENSSL    x509 -req -in intreq.pem       -CA root.pem    -days 3600 -extfile ca.cnf -extensions v3_ca -CAcreateserial -out intca.pem# Server certificate: create request first
# a4_Server_certificate_create_request_first.cmd
# 服务器证书请求
# %OPENSSL%                    req -config ca.cnf -nodes -keyout server_priv_key.pem -out server_req.pem -newkey rsa:1024 > opt_log_A4.txt 2>&1
CN="Test Server Cert" $OPENSSL req -config ca.cnf -nodes -keyout skey.pem            -out req.pem        -newkey rsa:1024# Sign request: end entity extensions
# a5_Sign_request_end_entity_extensions.cmd
# 对服务器证书请求 进行 签名
# %OPENSSL% x509 -req -in server_req.pem -CA inter_ca_req_sign.pem -CAkey inter_ca_priv_key.pem -days 3600 -extfile ca.cnf -extensions usr_cert -CAcreateserial -out server_req_sign.pem > opt_log_A5.txt 2>&1
$OPENSSL    x509 -req -in req.pem        -CA intca.pem             -CAkey intkey.pem            -days 3600 -extfile ca.cnf -extensions usr_cert -CAcreateserial -out server.pem# Client certificate: request first
# a6_Client_certificate_request_first.cmd
# 客户端证书申请
# %OPENSSL%                    req -config ca.cnf -nodes -keyout client_priv_key.pem -out client_req.pem -newkey rsa:1024 > opt_log_A6.txt 2>&1
CN="Test Client Cert" $OPENSSL req -config ca.cnf -nodes -keyout ckey.pem            -out creq.pem       -newkey rsa:1024# Sign using intermediate CA
# a7_Sign_using_intermediate_CA.cmd
# 用中间CA签名客户端证书请求
# %OPENSSL% x509 -req -in client_req.pem -CA inter_ca_req_sign.pem -CAkey inter_ca_priv_key.pem -days 3600 -extfile ca.cnf -extensions usr_cert -CAcreateserial -out client_req_sign.pem > opt_log_A7.txt 2>&1
$OPENSSL    x509 -req -in creq.pem       -CA intca.pem             -CAkey intkey.pem            -days 3600 -extfile ca.cnf -extensions usr_cert -CAcreateserial -out client.pem# Revoked certificate: request first
# a8_Revoked_certificate_request_first.cmd
# 吊销证书的申请
# %OPENSSL%                     req -config ca.cnf -nodes -keyout revoke_priv_key.pem -out revoke_req.pem -newkey rsa:1024 > opt_log_A8.txt 2>&1
CN="Test Revoked Cert" $OPENSSL req -config ca.cnf -nodes -keyout revkey.pem          -out rreq.pem       -newkey rsa:1024# Sign using intermediate CA
# a9_Sign_using_intermediate_CA.cmd
# 吊销证书申请的签名
# %OPENSSL% x509 -req -in revoke_req.pem -CA inter_ca_req_sign.pem -CAkey inter_ca_priv_key.pem -days 3600 -extfile ca.cnf -extensions usr_cert -CAcreateserial -out revoke_req_sign.pem > opt_log_A9.txt 2>&1
$OPENSSL    x509 -req -in rreq.pem       -CA intca.pem              -CAkey intkey.pem           -days 3600 -extfile ca.cnf -extensions usr_cert -CAcreateserial -out rev.pem# OCSP responder certificate: request first
# a10_OCSP_responder_certificate_request_first.cmd
# OCSP证书申请
# %OPENSSL%                            req -config ca.cnf -nodes -keyout ocsp_priv_key.pem -out ocsp_req.pem -newkey rsa:1024 > opt_log_A10.txt 2>&1
CN="Test OCSP Responder Cert" $OPENSSL req -config ca.cnf -nodes -keyout respkey.pem       -out respreq.pem  -newkey rsa:1024# Sign using intermediate CA and responder extensions
# a11_Sign_using_intermediate_CA_and_responder_extensions.cmd
# OCSP证书申请的签名
# %OPENSSL% x509 -req -in ocsp_req.pem -CA inter_ca_req_sign.pem -CAkey inter_ca_priv_key.pem -days 3600 -extfile ca.cnf -extensions ocsp_cert -CAcreateserial -out ocsp_req_sign.pem > opt_log_A11.txt 2>&1
$OPENSSL    x509 -req -in respreq.pem  -CA intca.pem             -CAkey intkey.pem            -days 3600 -extfile ca.cnf -extensions ocsp_cert -CAcreateserial -out resp.pem# Example creating a PKCS#3 DH certificate.# First DH parameters
# a12_First_DH_parameters.cmd
# 产生DH证书参数文件
# %OPENSSL%                genpkey -genparam -algorithm DH -pkeyopt dh_paramgen_prime_len:1024 -out dh_param.pem > opt_log_A12.txt 2>&1
[ -f dhp.pem ] || $OPENSSL genpkey -genparam -algorithm DH -pkeyopt dh_paramgen_prime_len:1024 -out dhp.pem# Now a DH private key
# a13_Now_a_DH_private_key.cmd
# 产生DH证书私钥
# %OPENSSL% genpkey -paramfile dh_param.pem -out dh_priv_key.pem > opt_log_A13.txt 2>&1
$OPENSSL    genpkey -paramfile dhp.pem      -out dhskey.pem# Create DH public key file
# a14_Create_DH_public_key_file.cmd
# 产生DH证书公钥
# %OPENSSL% pkey -in dh_priv_key.pem -pubout -out dh_pub_key.pem > opt_log_A14.txt 2>&1
$OPENSSL  pkey -in dhskey.pem      -pubout -out dhspub.pem# Certificate request, key just reuses old one as it is ignored when the request is signed
# a15_dh_cert.cmd
# DH证书申请
# %OPENSSL%                       req -config ca.cnf -new -key server_priv_key.pem -out dh_req.pem > opt_log_A15.txt 2>&1
CN="Test Server DH Cert" $OPENSSL req -config ca.cnf -new -key skey.pem -out dhsreq.pem# Sign request: end entity DH extensions
# a16_Sign_dh_req.cmd
# DH证书申请的签名
# %OPENSSL% x509 -req -in dh_req.pem -CA root_ca.pem -days 3600 -force_pubkey dh_pub_key.pem -extfile ca.cnf -extensions dh_cert -CAcreateserial -out dh_req_sign.pem > opt_log_A16.txt 2>&1
$OPENSSL    x509 -req -in dhsreq.pem -CA root.pem    -days 3600 -force_pubkey dhspub.pem     -extfile ca.cnf -extensions dh_cert -CAcreateserial -out dhserver.pem# DH client certificate
# a17_gen_dh_client_priv_key.cmd
# 产生DH客户端私钥
# %OPENSSL% genpkey -paramfile dh_param.pem -out dh_client_priv_key.pem > opt_log_A17.txt 2>&1
$OPENSSL    genpkey -paramfile dhp.pem      -out dhckey.pem# a18_gen_dh_client_pub_key.cmd
# 产生DH客户端公钥
# %OPENSSL% pkey -in dh_client_priv_key.pem -pubout -out dh_client_pub_key.pem > opt_log_A18.txt 2>&1
$OPENSSL    pkey -in dhckey.pem             -pubout -out dhcpub.pem# a19_dh_clint_cert_req.cmd
# DH客户端证书请求
# %OPENSSL%                       req -config ca.cnf -new -key server_priv_key.pem -out dh_client_req.pem > opt_log_A19.txt 2>&1
CN="Test Client DH Cert" $OPENSSL req -config ca.cnf -new -key skey.pem            -out dhcreq.pem# a20_dh_client_cert_sign.cmd
# 对DH客户端证书请求进行签名
# %OPENSSL% x509 -req -in dh_client_req.pem -CA root_ca.pem -days 3600 -force_pubkey dh_client_pub_key.pem -extfile ca.cnf -extensions dh_cert -CAcreateserial -out dh_client_req_sign.pem > opt_log_A20.txt 2>&1
$OPENSSL    x509 -req -in dhcreq.pem        -CA root.pem    -days 3600 -force_pubkey dhcpub.pem            -extfile ca.cnf -extensions dh_cert -CAcreateserial -out dhclient.pem# Examples of CRL generation without the need to use 'ca' to issue certificates.
# Create zero length index file
# a21_gen_crl_without_ca.cmd
# 建立本地CA需要的数据库(产生一个空的index.txt 和一个里面内容为01的crlnum.txt)
>index.txt
# Create initial crl number file
echo 01 >crlnum.txt# Add entries for server and client certs
# a22_add_cert_sha1_server.cmd
# 向本地CA数据库中登记服务器证书(将服务器证书登记信息写入 index.txt)
# %OPENSSL% ca -valid server_req_sign.pem -keyfile root_ca.pem -cert root_ca.pem -config ca.cnf -md sha1 > opt_log_A22.txt 2>&1
$OPENSSL    ca -valid server.pem          -keyfile root.pem    -cert root.pem    -config ca.cnf -md sha1# a23_add_cert_sha1_client.cmd
# 向本地CA数据库登记客户端证书(将服务器证书登记信息写入 index.txt)
# %OPENSSL% ca -valid client_req_sign.pem -keyfile root_ca.pem -cert root_ca.pem -config ca.cnf -md sha1 > opt_log_A23.txt 2>&1
$OPENSSL    ca -valid client.pem          -keyfile root.pem    -cert root.pem    -config ca.cnf -md sha1# a24_add_cert_sha1_revoke.cmd
# 向本地数据库等级吊销用的证书(将吊销用的证书登记信息吸入 index.txt)
# %OPENSSL% ca -valid revoke_req_sign.pem -keyfile root_ca.pem -cert root_ca.pem -config ca.cnf -md sha1 > opt_log_A24.txt 2>&1
$OPENSSL    ca -valid rev.pem             -keyfile root.pem    -cert root.pem    -config ca.cnf -md sha1# Generate a CRL.
# a25_gen_crl.cmd
# 产生证书吊销列表
# %OPENSSL% ca -gencrl -keyfile root_ca.pem -cert root_ca.pem -config ca.cnf -md sha1 -crldays 1 -out crl_cert_list.pem > opt_log_A25.txt 2>&1
$OPENSSL    ca -gencrl -keyfile root.pem    -cert root.pem    -config ca.cnf -md sha1 -crldays 1 -out crl1.pem# Revoke a certificate
# a26_revoke_cert.cmd
# 吊销一个证书
# %OPENSSL% ca -revoke revoke_req_sign.pem -crl_reason superseded -keyfile root_ca.pem -cert root_ca.pem -config ca.cnf -md sha1 > opt_log_A26.txt 2>&1
openssl     ca -revoke rev.pem             -crl_reason superseded -keyfile root.pem    -cert root.pem    -config ca.cnf -md sha1# Generate another CRL
# a27_gen_crl_new_one.cmd
# 吊销一个证书后, 要产生新的吊销证书列表供其他应用验证证书是否被吊销.
# 证书吊销列表的名称, 在实际应用中, 应该是一个名字, 这里是实验, 就重新命令一个吊销列表文件的名称, 表示这是在吊销证书后, 新产生的证书吊销列表
# %OPENSSL% ca -gencrl -keyfile root_ca.pem -cert root_ca.pem -config ca.cnf -md sha1 -crldays 1 -out crl_cert_list_1.pem > opt_log_A27.txt 2>&1
$OPENSSL    ca -gencrl -keyfile root.pem    -cert root.pem    -config ca.cnf -md sha1 -crldays 1 -out crl2.pem

ocsprun.sh - 整理

# Example of running an querying OpenSSL test OCSP responder.
# This assumes "mkcerts.sh" or similar has been run to set up the
# necessary file structure.OPENSSL=../../apps/openssl
OPENSSL_CONF=../../apps/openssl.cnf
export OPENSSL_CONF# Run OCSP responder.PORT=8888# %OPENSSL% ocsp -port %PORT% -index index.txt -CA inter_ca_req_sign.pem -rsigner ocsp_req_sign.pem  -rkey ocsp_priv_key.pem -rother inter_ca_req_sign.pem
$OPENSSL    ocsp -port $PORT  -index index.txt -CA intca.pem             -rsigner resp.pem           -rkey respkey.pem       -rother intca.pem $*

ocspquery.sh - 整理

# Example querying OpenSSL test responder. Assumes ocsprun.sh has been
# called.OPENSSL=../../apps/openssl
OPENSSL_CONF=../../apps/openssl.cnf
export OPENSSL_CONF# Send responder queries for each certificate.echo "Requesting OCSP status for each certificate"
# query1.cmd
# %OPENSSL% ocsp -issuer inter_ca_req_sign.pem  -cert client_req_sign.pem -CAfile root_ca.pem -url http://127.0.0.1:8888/ > opt_log_query1.txt 2>&1
$OPENSSL    ocsp -issuer intca.pem              -cert client.pem          -CAfile root.pem    -url http://127.0.0.1:8888/# query2.cmd
# %OPENSSL% ocsp -issuer inter_ca_req_sign.pem  -cert server_req_sign.pem -CAfile root_ca.pem -url http://127.0.0.1:8888/ > opt_log_query2.txt 2>&1
$OPENSSL    ocsp -issuer intca.pem              -cert server.pem          -CAfile root.pem    -url http://127.0.0.1:8888/#query3.cmd
# %OPENSSL% ocsp -issuer inter_ca_req_sign.pem  -cert revoke_req_sign.pem -CAfile root_ca.pem -url http://127.0.0.1:8888/ > opt_log_query3.txt 2>&1
$OPENSSL    ocsp -issuer intca.pem              -cert rev.pem             -CAfile root.pem    -url http://127.0.0.1:8888/# One query for all three certificates.
echo "Requesting OCSP status for three certificates in one request"
# %OPENSSL% ocsp -issuer inter_ca_req_sign.pem  -cert client_req_sign.pem -cert server_req_sign.pem -cert revoke_req_sign.pem -CAfile root_ca.pem -url http://127.0.0.1:8888/ > opt_log_query_all.txt 2>&1
$OPENSSL    ocsp -issuer intca.pem              -cert client.pem          -cert server.pem          -cert rev.pem             -CAfile root.pem -url http://127.0.0.1:8888/

从mkcerts.sh整理出来的27个.bat

a1_create_certificate_directly.cmd

@echo off
rem \file a1_create_certificate_directly.cmdset OPENSSL=.\openssl
set OPENSSL_CONF=.\openssl.cnfrem Root CA: create certificate directly
set CN="Test Root CA"rem # 生成测试用的根证书, 私钥和证书都在一个文件(.pem)中%OPENSSL% req -config ca.cnf -x509 -nodes -keyout root_ca.pem -out root_ca.pem -newkey rsa:2048 -days 3650 > opt_log_A1.txt 2>&1

a2_Intermediate_CA_request_first.cmd

@echo off
rem \file a2_Intermediate_CA_request_first.cmdset OPENSSL=.\openssl
set OPENSSL_CONF=.\openssl.cnfrem Intermediate CA: request first
set CN="Test Intermediate CA"rem # 中间CA证书 - 请求%OPENSSL% req -config ca.cnf -nodes -keyout inter_ca_priv_key.pem -out inter_ca_req.pem -newkey rsa:2048 > opt_log_A2.txt 2>&1

a3_Sign_request_CA_extensions.cmd

@echo off
rem \file a3_Sign_request_CA_extensions.cmdset OPENSSL=.\openssl
set OPENSSL_CONF=.\openssl.cnfrem Sign request: CA extensions
rem # 中间CA证书请求 - 签名%OPENSSL% x509 -req -in inter_ca_req.pem -CA root_ca.pem -days 3600 -extfile ca.cnf -extensions v3_ca -CAcreateserial -out inter_ca_req_sign.pem > opt_log_A3.txt 2>&1

a4_Server_certificate_create_request_first.cmd

@echo offrem \file a4_Server_certificate_create_request_first.cmdset OPENSSL=.\opensslset OPENSSL_CONF=.\openssl.cnfrem Server certificate: create request firstset CN="Test Server Cert"rem # 服务器证书请求rem # 除了根CA, 其他CA/服务器的私钥和证书都要分开, 不能是一个.pem%OPENSSL% req -config ca.cnf -nodes -keyout server_priv_key.pem -out server_req.pem -newkey rsa:1024 > opt_log_A4.txt 2>&1

a5_Sign_request_end_entity_extensions.cmd

@echo off
rem \file a5_Sign_request_end_entity_extensions.cmdset OPENSSL=.\openssl
set OPENSSL_CONF=.\openssl.cnfrem Sign request: end entity extensions
rem # 对服务器证书请求 进行 签名%OPENSSL% x509 -req -in server_req.pem -CA inter_ca_req_sign.pem -CAkey inter_ca_priv_key.pem -days 3600 ^
-extfile ca.cnf -extensions usr_cert -CAcreateserial -out server_req_sign.pem > opt_log_A5.txt 2>&1

a6_Client_certificate_request_first.cmd

@echo off
rem \file a6_Client_certificate_request_first.cmdset OPENSSL=.\openssl
set OPENSSL_CONF=.\openssl.cnf
rem echo OPENSSL_CONF = %OPENSSL_CONF%rem Client certificate: request first
set CN="Test Client Cert"rem # 客户端证书申请%OPENSSL% req -config ca.cnf -nodes -keyout client_priv_key.pem -out client_req.pem -newkey rsa:1024 > opt_log_A6.txt 2>&1

a7_Sign_using_intermediate_CA.cmd

@echo off
rem \file a7_Sign_using_intermediate_CA.cmdset OPENSSL=.\openssl
set OPENSSL_CONF=.\openssl.cnfrem Sign using intermediate CA
rem # 用中间CA签名客户端证书请求%OPENSSL% x509 -req -in client_req.pem -CA inter_ca_req_sign.pem -CAkey inter_ca_priv_key.pem -days 3600 -extfile ca.cnf -extensions usr_cert -CAcreateserial -out client_req_sign.pem > opt_log_A7.txt 2>&1

a8_Revoked_certificate_request_first.cmd

@echo off
rem \file a8_Revoked_certificate_request_first.cmdset OPENSSL=.\openssl
set OPENSSL_CONF=.\openssl.cnfrem Revoked certificate: request first
set CN="Test Revoked Cert"rem # 吊销证书的申请%OPENSSL% req -config ca.cnf -nodes -keyout revoke_priv_key.pem -out revoke_req.pem -newkey rsa:1024 > opt_log_A8.txt 2>&1

a9_Sign_using_intermediate_CA.cmd

@echo off
rem \file a9_Sign_using_intermediate_CA.cmdset OPENSSL=.\openssl
set OPENSSL_CONF=.\openssl.cnfrem Sign using intermediate CA
rem # 吊销证书申请的签名%OPENSSL% x509 -req -in revoke_req.pem -CA inter_ca_req_sign.pem -CAkey inter_ca_priv_key.pem -days 3600 -extfile ca.cnf -extensions usr_cert -CAcreateserial -out revoke_req_sign.pem > opt_log_A9.txt 2>&1

a10_OCSP_responder_certificate_request_first.cmd

@echo off
rem \file a10_OCSP_responder_certificate_request_first.cmdset OPENSSL=.\openssl
set OPENSSL_CONF=.\openssl.cnfrem OCSP responder certificate: request first
set CN="Test OCSP Responder Cert"rem # OCSP证书申请%OPENSSL% req -config ca.cnf -nodes -keyout ocsp_priv_key.pem -out ocsp_req.pem -newkey rsa:1024 > opt_log_A10.txt 2>&1

a11_Sign_using_intermediate_CA_and_responder_extensions.cmd

@echo off
rem \file a11_Sign_using_intermediate_CA_and_responder_extensions.cmdset OPENSSL=.\openssl
set OPENSSL_CONF=.\openssl.cnfrem Sign using intermediate CA and responder extensions
rem # OCSP证书申请的签名%OPENSSL% x509 -req -in ocsp_req.pem -CA inter_ca_req_sign.pem -CAkey inter_ca_priv_key.pem -days 3600 -extfile ca.cnf -extensions ocsp_cert -CAcreateserial -out ocsp_req_sign.pem > opt_log_A11.txt 2>&1

a12_First_DH_parameters.cmd

@echo off
rem \file a12_First_DH_parameters.cmdset OPENSSL=.\openssl
set OPENSSL_CONF=.\openssl.cnfrem echo OPENSSL_CONF = %OPENSSL_CONF%
rem First DH parametersdel /Q .\dh_param.pem > nul 2>&1
rem # 产生DH证书参数文件%OPENSSL% genpkey -genparam -algorithm DH -pkeyopt dh_paramgen_prime_len:1024 -out dh_param.pem > opt_log_A12.txt 2>&1

a13_Now_a_DH_private_key.cmd

@echo off
rem \file a13_Now_a_DH_private_key.cmdset OPENSSL=.\openssl
set OPENSSL_CONF=.\openssl.cnfrem Now a DH private key
rem # 产生DH证书私钥%OPENSSL% genpkey -paramfile dh_param.pem -out dh_priv_key.pem > opt_log_A13.txt 2>&1

a14_Create_DH_public_key_file.cmd

@echo off
rem \file a14_Create_DH_public_key_file.cmdset OPENSSL=.\openssl
set OPENSSL_CONF=.\openssl.cnfrem Create DH public key file
rem # 产生DH证书公钥%OPENSSL% pkey -in dh_priv_key.pem -pubout -out dh_pub_key.pem > opt_log_A14.txt 2>&1

a15_dh_cert_req.cmd

@echo off
rem \file a15_dh_cert_req.cmdset OPENSSL=.\openssl
set OPENSSL_CONF=.\openssl.cnfrem Certificate request, key just reuses old one as it is ignored when the request is signedset CN="Test Server DH Cert"rem 使用的key必须是服务器证书的私钥, 而不是dh证书的私钥, 否则报错rem # DH证书申请%OPENSSL% req -config ca.cnf -new -key server_priv_key.pem -out dh_req.pem > opt_log_A15.txt 2>&1

a16_Sign_dh_req.cmd

@echo off
rem \file a16_Sign_dh_req.cmdset OPENSSL=.\openssl
set OPENSSL_CONF=.\openssl.cnfrem Sign request: end entity DH extensions
rem # DH证书申请的签名rem 使用的key必须是服务器证书的私钥, 而不是dh证书的私钥, 否则报错%OPENSSL% x509 -req -in dh_req.pem -CA root_ca.pem -days 3600 -force_pubkey dh_pub_key.pem -extfile ca.cnf -extensions dh_cert -CAcreateserial -out dh_req_sign.pem > opt_log_A16.txt 2>&1

a17_gen_dh_client_priv_key.cmd

@echo off
rem \file a17_gen_dh_client_priv_key.cmdset OPENSSL=.\openssl
set OPENSSL_CONF=.\openssl.cnfrem DH client certificate
rem # 产生DH客户端私钥%OPENSSL% genpkey -paramfile dh_param.pem -out dh_client_priv_key.pem > opt_log_A17.txt 2>&1

a18_gen_dh_client_pub_key.cmd

@echo off
rem \file a18_gen_dh_client_pub_key.cmdset OPENSSL=.\openssl
set OPENSSL_CONF=.\openssl.cnfrem DH client certificate
rem # 产生DH客户端公钥%OPENSSL% pkey -in dh_client_priv_key.pem -pubout -out dh_client_pub_key.pem > opt_log_A18.txt 2>&1

a19_dh_clint_cert_req.cmd

@echo off
rem \file a19_dh_clint_cert_req.cmdset OPENSSL=.\openssl
set OPENSSL_CONF=.\openssl.cnfrem echo OPENSSL_CONF = %OPENSSL_CONF%
rem DH client certificateset CN="Test Client DH Cert"rem # DH客户端证书请求%OPENSSL% req -config ca.cnf -new -key server_priv_key.pem -out dh_client_req.pem > opt_log_A19.txt 2>&1

a20_dh_client_cert_sign.cmd

@echo off
rem \file a20_dh_client_cert_sign.cmdset OPENSSL=.\openssl
set OPENSSL_CONF=.\openssl.cnfrem DH client certificate
rem # 对DH客户端证书请求进行签名%OPENSSL% x509 -req -in dh_client_req.pem -CA root_ca.pem -days 3600 -force_pubkey dh_client_pub_key.pem -extfile ca.cnf -extensions dh_cert -CAcreateserial -out dh_client_req_sign.pem > opt_log_A20.txt 2>&1

a21_gen_crl_without_ca.cmd

@echo off
rem \file a21_gen_crl_without_ca.cmdset OPENSSL=.\openssl
set OPENSSL_CONF=.\openssl.cnfrem # Examples of CRL generation without the need to use 'ca' to issue certificates.
rem # 建立本地CA需要的数据库(产生一个空的index.txt 和一个里面内容为01的crlnum.txt)rem # Create zero length index filecd. > index.txtrem # Create initial crl number fileecho 01 > crlnum.txt

a22_add_cert_sha1_server.cmd

@echo offrem \file a22_add_cert_sha1_server.cmdset OPENSSL=.\opensslset OPENSSL_CONF=.\openssl.cnfrem Add entries for server and client certsrem # 向本地CA数据库中登记服务器证书(将服务器证书登记信息写入 index.txt)%OPENSSL% ca -valid server_req_sign.pem -keyfile root_ca.pem -cert root_ca.pem -config ca.cnf -md sha1 > opt_log_A22.txt 2>&1

a23_add_cert_sha1_client.cmd

@echo off
rem \file a23_add_cert_sha1_client.cmdset OPENSSL=.\openssl
set OPENSSL_CONF=.\openssl.cnfrem Add entries for server and client certs
rem set CN="Test Client DH Cert"
rem # 向本地CA数据库登记客户端证书(将服务器证书登记信息写入 index.txt)%OPENSSL% ca -valid client_req_sign.pem -keyfile root_ca.pem -cert root_ca.pem -config ca.cnf -md sha1 > opt_log_A23.txt 2>&1

a24_add_cert_sha1_revoke.cmd

@echo off
rem \file a24_add_cert_sha1_revoke.cmdset OPENSSL=.\openssl
set OPENSSL_CONF=.\openssl.cnfrem Add entries for server and client certs
rem set CN="Test Client DH Cert"
rem # 向本地数据库等级吊销用的证书(将吊销用的证书登记信息写入 index.txt)%OPENSSL% ca -valid revoke_req_sign.pem -keyfile root_ca.pem -cert root_ca.pem -config ca.cnf -md sha1 > opt_log_A24.txt 2>&1

a25_gen_crl.cmd

@echo off
rem \file a25_gen_crl.cmdset OPENSSL=.\openssl
set OPENSSL_CONF=.\openssl.cnfrem Add entries for server and client certs
rem set CN="Test Client DH Cert"
rem # 产生证书吊销列表%OPENSSL% ca -gencrl -keyfile root_ca.pem -cert root_ca.pem -config ca.cnf -md sha1 -crldays 1 -out crl_cert_list.pem > opt_log_A25.txt 2>&1

a26_revoke_cert.cmd

@echo off
rem \file a26_revoke_cert.cmdset OPENSSL=.\openssl
set OPENSSL_CONF=.\openssl.cnfrem Revoke a certificate
rem set CN="Test Client DH Cert"
rem # 吊销一个证书%OPENSSL% ca -revoke revoke_req_sign.pem -crl_reason superseded -keyfile root_ca.pem -cert root_ca.pem -config ca.cnf -md sha1 > opt_log_A26.txt 2>&1

a27_gen_crl_new_one.cmd

@echo off
rem \file a25_gen_crl.cmdset OPENSSL=.\openssl
set OPENSSL_CONF=.\openssl.cnfrem Add entries for server and client certsrem # 吊销一个证书后, 要产生新的吊销证书列表供其他应用验证证书是否被吊销.rem # 证书吊销列表的名称, 在实际应用中, 应该是一个名字, 这里是实验, 就重新命令一个吊销列表文件的名称, 表示这是在吊销证书后, 新产生的证书吊销列表%OPENSSL% ca -gencrl -keyfile root_ca.pem -cert root_ca.pem -config ca.cnf -md sha1 -crldays 1 -out crl_cert_list_1.pem > opt_log_A27.txt 2>&1

run_ax_bat.cmd

模拟mkcerts.sh, 将做的27个单独的.bat一起都调用了.

call a1_create_certificate_directly.cmd
call a2_Intermediate_CA_request_first.cmd
call a3_Sign_request_CA_extensions.cmd
call a4_Server_certificate_create_request_first.cmd
call a5_Sign_request_end_entity_extensions.cmd
call a6_Client_certificate_request_first.cmd
call a7_Sign_using_intermediate_CA.cmd
call a8_Revoked_certificate_request_first.cmd
call a9_Sign_using_intermediate_CA.cmd
call a10_OCSP_responder_certificate_request_first.cmd
call a11_Sign_using_intermediate_CA_and_responder_extensions.cmd
call a12_First_DH_parameters.cmd
call a13_Now_a_DH_private_key.cmd
call a14_Create_DH_public_key_file.cmd
call a15_dh_cert_req.cmd
call a16_Sign_dh_req.cmd
call a17_gen_dh_client_priv_key.cmd
call a18_gen_dh_client_pub_key.cmd
call a19_dh_clint_cert_req.cmd
call a20_dh_client_cert_sign.cmd
call a21_gen_crl_without_ca.cmd
call a22_add_cert_sha1_server.cmd
call a23_add_cert_sha1_client.cmd
call a24_add_cert_sha1_revoke.cmd
call a25_gen_crl.cmd
call a26_revoke_cert.cmd
call a27_gen_crl_new_one.cmd
ECHO END
pause

从ocsprun.sh整理出来的1个.bat

ocsprun.cmd

@echo offrem \file ocsprun.cmdrem # Example of running an querying OpenSSL test OCSP responder.
rem # This assumes "mkcerts.sh" or similar has been run to set up the
rem # necessary file structure.set OPENSSL= .\openssl
set OPENSSL_CONF=.\openssl.cnfrem # Run OCSP responder.set PORT=8888%OPENSSL% ocsp -port %PORT% -index index.txt -CA inter_ca_req_sign.pem -rsigner ocsp_req_sign.pem  -rkey ocsp_priv_key.pem -rother inter_ca_req_sign.pem

从ocspquery.sh整理出来的4个.bat

query1.cmd

@echo off
rem \file query1.cmdset OPENSSL=.\openssl
set OPENSSL_CONF=.\openssl.cnf
rem echo OPENSSL_CONF = %OPENSSL_CONF%rem Revoke a certificate
rem set CN="Test Client DH Cert"@echo "Requesting OCSP status for each certificate"
%OPENSSL% ocsp -issuer inter_ca_req_sign.pem  -cert client_req_sign.pem -CAfile root_ca.pem -url http://127.0.0.1:8888/ > opt_log_query1.txt 2>&1

query2.cmd

@echo off
rem \file query2.cmdset OPENSSL=.\openssl
set OPENSSL_CONF=.\openssl.cnf
rem echo OPENSSL_CONF = %OPENSSL_CONF%rem Revoke a certificate
rem set CN="Test Client DH Cert"@echo "Requesting OCSP status for each certificate"
%OPENSSL% ocsp -issuer inter_ca_req_sign.pem  -cert server_req_sign.pem -CAfile root_ca.pem -url http://127.0.0.1:8888/ > opt_log_query2.txt 2>&1

query3.cmd

@echo off
rem \file query3.cmdset OPENSSL=.\openssl
set OPENSSL_CONF=.\openssl.cnf
rem echo OPENSSL_CONF = %OPENSSL_CONF%rem Revoke a certificate
rem set CN="Test Client DH Cert"@echo "Requesting OCSP status for each certificate"
%OPENSSL% ocsp -issuer inter_ca_req_sign.pem  -cert revoke_req_sign.pem -CAfile root_ca.pem -url http://127.0.0.1:8888/ > opt_log_query3.txt 2>&1

query_all.cmd

@echo off
rem \file query3.cmdset OPENSSL=.\openssl
set OPENSSL_CONF=.\openssl.cnf
rem echo OPENSSL_CONF = %OPENSSL_CONF%rem Revoke a certificate
rem set CN="Test Client DH Cert"@echo "Requesting OCSP status for three certificates in one request"
%OPENSSL% ocsp -issuer inter_ca_req_sign.pem  -cert client_req_sign.pem -cert server_req_sign.pem -cert revoke_req_sign.pem -CAfile root_ca.pem -url http://127.0.0.1:8888/ > opt_log_query_all.txt 2>&1

备注

即使是发一个证书出来, 一个openssl.exe命令行也搞不定的.
将官方证书操作分类来备注.

生成测试用的根CA证书

a1_create_certificate_directly.cmd 这个一步搞定, 生成了根CA的证书和私钥.

生成二级CA(中间CA)

a2_Intermediate_CA_request_first.cmd 中间CA证书 - 请求, 生成了中间CA的私钥和请求
a3_Sign_request_CA_extensions.cmd 中间CA证书请求 - 签名, 将请求签名, 生成最终的中间CA证书

应用服务器的证书

a4_Server_certificate_create_request_first.cmd 服务器证书请求, 生成服务器证书私钥和请求.
a5_Sign_request_end_entity_extensions.cmd 对服务器证书请求进行签名, 得到最终可用的服务器证书

客户端的证书

a6_Client_certificate_request_first.cmd 客户端证书申请, 生成客户端证书私钥和请求
a7_Sign_using_intermediate_CA.cmd 用中间CA签名客户端证书请求, 生成最终可用的客户端证书.

用于吊销演示的证书

a8_Revoked_certificate_request_first.cmd 用于吊销证书的申请, 生成私钥和申请
a9_Sign_using_intermediate_CA.cmd 吊销证书申请的签名, 得到最终用于吊销演示操作的证书.

OCSP证书

a10_OCSP_responder_certificate_request_first.cmd OCSP证书申请, 得到私钥和申请
a11_Sign_using_intermediate_CA_and_responder_extensions.cmd OCSP证书申请的签名, 得到最终可用的OCSP证书

DH服务器证书

a12_First_DH_parameters.cmd 产生DH证书参数文件
a13_Now_a_DH_private_key.cmd 产生DH证书私钥
a14_Create_DH_public_key_file.cmd 产生DH证书公钥
a15_dh_cert.cmd 产生DH证书申请
a16_Sign_dh_req.cmd DH证书申请的签名, 得到最终可用的DH服务器证书

DH客户端证书

a17_gen_dh_client_priv_key.cmd 产生DH客户端私钥
a18_gen_dh_client_pub_key.cmd 产生DH客户端公钥
a19_dh_clint_cert_req.cmd DH客户端证书请求
a20_dh_client_cert_sign.cmd 对DH客户端证书请求进行签名, 得到最终可用的DH客户端证书

建立本地CA需要的数据库

a21_gen_crl_without_ca.cmd 建立本地CA需要的数据库(产生一个空的index.txt 和一个里面内容为01的crlnum.txt)

向本地CA数据库中登记服务器证书

a22_add_cert_sha1_server.cmd 向本地CA数据库中登记服务器证书(将服务器证书登记信息写入 index.txt)

向本地CA数据库登记客户端证书

a23_add_cert_sha1_client.cmd 向本地CA数据库登记客户端证书(将服务器证书登记信息写入 index.txt)

向本地数据库登记用于吊销演示用的证书

a24_add_cert_sha1_revoke.cmd 向本地数据库等级吊销用的证书(将吊销用的证书登记信息吸入 index.txt)

产生证书吊销列表

a25_gen_crl.cmd 产生证书吊销列表(新建立了N张证书后, 都要登记入库, 然后重新生成证书吊销列表).

吊销一个证书

a26_revoke_cert.cmd 吊销证书后, 这张证书就废了.

产生(更新)证书吊销列表

a27_gen_crl_new_one.cmd 吊销一个证书后, 要产生新的吊销证书列表供其他应用验证证书是否被吊销. 证书吊销列表的名称, 在实际应用中, 应该是同一个名字, 这里是实验, 就重新命令一个吊销列表文件的名称, 表示这是在吊销证书后, 新产生的证书吊销列表

本地实验需要的文件列表

tree /A /F
D:.a10_OCSP_responder_certificate_request_first.cmda11_Sign_using_intermediate_CA_and_responder_extensions.cmda12_First_DH_parameters.cmda13_Now_a_DH_private_key.cmda14_Create_DH_public_key_file.cmda15_dh_cert_req.cmda16_Sign_dh_req.cmda17_gen_dh_client_priv_key.cmda18_gen_dh_client_pub_key.cmda19_dh_clint_cert_req.cmda1_create_certificate_directly.cmda20_dh_client_cert_sign.cmda21_gen_crl_without_ca.cmda22_add_cert_sha1_server.cmda23_add_cert_sha1_client.cmda24_add_cert_sha1_revoke.cmda25_gen_crl.cmda26_revoke_cert.cmda27_gen_crl_new_one.cmda2_Intermediate_CA_request_first.cmda3_Sign_request_CA_extensions.cmda4_Server_certificate_create_request_first.cmda5_Sign_request_end_entity_extensions.cmda6_Client_certificate_request_first.cmda7_Sign_using_intermediate_CA.cmda8_Revoked_certificate_request_first.cmda9_Sign_using_intermediate_CA.cmdca.cnflibcrypto-3-x64.dlllibssl-3-x64.dllmkcerts.shocspquery.shocsprun.cmdocsprun.shopenssl.cnfopenssl.exequery1.cmdquery2.cmdquery3.cmdquery_all.cmdREADME.txtrun_ax_bat.cmd

文章目录

openssl3.2 - 官方demo学习 - certs

概述

笔记

官方的实验流程

mkcerts.sh - 整理

ocsprun.sh - 整理

ocspquery.sh - 整理

从mkcerts.sh整理出来的27个.bat

a1_create_certificate_directly.cmd

a2_Intermediate_CA_request_first.cmd

a3_Sign_request_CA_extensions.cmd

a4_Server_certificate_create_request_first.cmd

a5_Sign_request_end_entity_extensions.cmd

a6_Client_certificate_request_first.cmd

a7_Sign_using_intermediate_CA.cmd

a8_Revoked_certificate_request_first.cmd

a9_Sign_using_intermediate_CA.cmd

a10_OCSP_responder_certificate_request_first.cmd

a11_Sign_using_intermediate_CA_and_responder_extensions.cmd

a12_First_DH_parameters.cmd

a13_Now_a_DH_private_key.cmd

a14_Create_DH_public_key_file.cmd

a15_dh_cert_req.cmd

a16_Sign_dh_req.cmd

a17_gen_dh_client_priv_key.cmd

a18_gen_dh_client_pub_key.cmd

a19_dh_clint_cert_req.cmd

a20_dh_client_cert_sign.cmd

a21_gen_crl_without_ca.cmd

a22_add_cert_sha1_server.cmd

a23_add_cert_sha1_client.cmd

a24_add_cert_sha1_revoke.cmd

a25_gen_crl.cmd

a26_revoke_cert.cmd

a27_gen_crl_new_one.cmd

run_ax_bat.cmd

从ocsprun.sh整理出来的1个.bat

ocsprun.cmd

从ocspquery.sh整理出来的4个.bat

query1.cmd

query2.cmd

query3.cmd

query_all.cmd

备注

生成测试用的根CA证书

生成二级CA(中间CA)

应用服务器的证书

客户端的证书

用于吊销演示的证书

OCSP证书

DH服务器证书

DH客户端证书

建立本地CA需要的数据库

向本地CA数据库中登记服务器证书

向本地CA数据库登记客户端证书

向本地数据库登记用于吊销演示用的证书

产生证书吊销列表

吊销一个证书

产生(更新)证书吊销列表

本地实验需要的文件列表

END

相关文章：