OpenSSL自建CA和CA鏈，給主機簽發(fā)證書的批處理（使用

x509命令和CA命令都能以CA身份給客戶簽發(fā)證書，本文介紹前者，CA命令的用法見另一篇博文。

當(dāng)使用-CA infile選項時，x509命令的行為就像是一個“迷你CA”，對輸入的文件進(jìn)行簽名，它不像CA命令那樣需要預(yù)先建立配置文件定義的目錄結(jié)構(gòu)，也不把曾經(jīng)簽署的證書信息寫入數(shù)據(jù)庫，使用上相對方便一些。

把openssl.exe所在文件夾加入PATH環(huán)境變量，就可以在任何位置執(zhí)行批處理（不建議安裝于C盤，因為在生成文件的過程中可能會遇到的權(quán)限問題）。

為了防止瀏覽器彈出“沒有主題備用名稱”的警告信息，需要將配置文件"C:\Program Files\OpenSSL-Win64\bin\cnf\openssl.cnf"拷貝兩份到D盤根目錄，分別改名為01.ext和02.ext，在01.ext的[usr_cert]一節(jié)添加subjectAltName = DNS:host1，在02.ext的[usr_cert]一節(jié)添加subjectAltName = DNS:host2，請確保這兩個文件存在。

復(fù)制下列代碼粘貼到DOS窗口執(zhí)行即可，或者保存為批處理文件，注意倒數(shù)第一行需要打回車。為了保證干凈的實驗環(huán)境，每次執(zhí)行都會先刪除之前建立的目錄然后重建，所以不要在這些目錄里保存重要資料。切記！

OpenSSL版本號為Windows版1.1.1c ?28 May 2019。

用x509命令簽發(fā)證書

根CA簽發(fā)

實驗場景：先建立根CA：RCA，再由RCA簽發(fā)主機HOST1和HOST2的證書

批處理在D盤下建立目錄RCA、HOST1、HOST2，各目錄存放的文件顧名思義，其中RCA保留曾簽發(fā)的所有證書的備份。

::?根CA簽發(fā)
::?刪除之前所有的文件
d:&cd\&rd/s/q?host1&rd/s/q?host2&rd/s/q?rca&md?host1&md?host2&md?rca&cd?rca
?
::?生成自簽名的根證書，私鑰和公鑰：
openssl?req?-x509?-newkey?rsa:8192?-keyout?rca.key?-out?rca.cer?-days?3650?-subj?/C=CN/ST=jiangsu/L=nanjing/O=Tiger/OU=CA-R/CN=RCA/emailAddress=ca@tiger.com?-passout?pass:abcd
openssl?rsa?-in?rca.key?-pubout?-out?rca.pub?-passin?pass:abcd
?
::?把RCA的證書和公鑰拷貝到HOST1和HOST2
copy?rca.pub?d:\host1&copy?rca.cer?d:\host1&copy?rca.pub?d:\host2&copy?rca.cer?d:\host2
?
::?生成host1與host2的證書請求、私鑰和公鑰
openssl?req?-newkey?rsa:8192?-keyout?host1.key?-out?host1.csr?-subj?/C=CN/ST=guangdong/L=shenzhen/O=SUN/OU=Office-1/CN=host1??-addext?"subjectAltName?=?DNS:host1"?-passout?pass:abcd
openssl?req?-newkey?rsa:8192?-keyout?host2.key?-out?host2.csr?-subj?/C=CN/ST=guangdong/L=shenzhen/O=SUN/OU=Office-2/CN=host2??-addext?"subjectAltName?=?DNS:host2"?-passout?pass:abcd
openssl?rsa?-in?host1.key?-pubout?-out?host1.pub?-passin?pass:abcd
openssl?rsa?-in?host2.key?-pubout?-out?host2.pub?-passin?pass:abcd
?
::?用RCA的私鑰簽署用戶請求
Openssl?x509?-req?-days?1095?-in?host1.csr?-CA?rca.cer?-CAkey?rca.key?-out?host1.cer?-CAcreateserial?-passin?pass:abcd?-extfile?"d:\01.ext"?-extensions?usr_cert
Openssl?x509?-req?-days?1095?-in?host2.csr?-CA?rca.cer?-CAkey?rca.key?-out?host2.cer?-CAcreateserial?-passin?pass:abcd?-extfile?"d:\02.ext"?-extensions?usr_cert
?
::?把HOST1和HOST2的所屬文件拷貝到對應(yīng)目錄
copy?host1.*?d:\host1&copy?host2.*?d:\host2
?
::?驗證證書鏈
openssl?verify?-show_chain?-CAfile?rca.cer?host1.cer
openssl?verify?-show_chain?-CAfile?rca.cer?host2.cer
openssl?x509?-in?rca.cer?-noout?-text|find?"CA:TRUE"
openssl?x509?-in?host1.cer?-noout?-text|find?"CA:TRUE"
openssl?x509?-in?host2.cer?-noout?-text|find?"CA:TRUE"

二級CA簽發(fā)

根CA：CA1

中間CA：CA2

CA1簽發(fā)CA2的證書，CA2給HOST1和HOST2簽發(fā)證書。

批處理在D盤根目錄下建立目錄CA1、CA2、HOST1、HOST2，各目錄存放的文件顧名思義，其中CA2保留曾簽發(fā)的所有證書的備份。

::?二級CA簽發(fā)
::?刪除之前所有的文件
d:&cd\&rd/s/q?host1&rd/s/q?host2&rd/s/q?ca1&rd/s/q?ca2&md?host1&md?host2&md?ca1&md?ca2&cd?ca1
?
::?生成自簽名的CA1根證書、私鑰和公鑰：
openssl?req?-x509?-newkey?rsa:8192?-keyout?ca1.key?-out?ca1.cer?-days?3650?-subj?/C=CN/ST=jiangsu/L=nanjing/O=Tiger/OU=CA-1/CN=CA1/emailAddress=ca1@tiger.com?-passout?pass:abcd
openssl?rsa?-in?ca1.key?-pubout?-out?ca1.pub?-passin?pass:abcd
?
::?把CA1的證書和公鑰拷貝到CA2，HOST1和HOST2
copy?ca1.cer?d:\host1&copy?ca1.pub?d:\host1&copy?ca1.cer?d:\host2&copy?ca1.pub?d:\host2&copy?ca1.cer?d:\ca2&copy?ca1.pub?d:\ca2
?
::?生成CA2的請求，私鑰和公鑰
openssl?req?-newkey?rsa:8192?-keyout?ca2.key?-out?ca2.csr?-subj?/C=CN/ST=jiangsu/L=nanjing/O=Tiger/OU=CA-2/CN=CA2/emailAddress=ca2@tiger.com?-passout?pass:abcd
openssl?rsa?-in?ca2.key?-pubout?-out?ca2.pub?-passin?pass:abcd
?
::?用CA1的私鑰簽署CA2的請求
Openssl?x509?-req?-days?1095?-in?ca2.csr?-CA?ca1.cer?-CAkey?ca1.key?-out?ca2.cer?-days?3650?-passin?pass:abcd?-extfile?"C:\Program?Files\OpenSSL-Win64\bin\cnf\openssl.cnf"?-extensions?v3_ca?-CAcreateserial
?
::?把CA2的證書和公鑰拷貝到HOST1和HOST2，把CA2所屬文件都拷貝到CA2
copy?ca2.cer?d:\host1&copy?ca2.pub?d:\host1&copy?ca2.cer?d:\host2&copy?ca2.pub?d:\host2&copy?ca2.*?\ca2&cd\ca2
?
::?生成HOST1與HOST2的證書請求、私鑰和公鑰
openssl?req?-newkey?rsa:8192?-keyout?host1.key?-out?host1.csr?-subj?/C=CN/ST=guangdong/L=shenzhen/O=SUN/OU=Office-1/CN=host1?-addext?"subjectAltName?=?DNS:host1"?-passout?pass:abcd
openssl?req?-newkey?rsa:8192?-keyout?host2.key?-out?host2.csr?-subj?/C=CN/ST=guangdong/L=shenzhen/O=SUN/OU=Office-2/CN=host2?-addext?"subjectAltName?=?DNS:host2"?-passout?pass:abcd
openssl?rsa?-in?host1.key?-pubout?-out?host1.pub?-passin?pass:abcd
openssl?rsa?-in?host2.key?-pubout?-out?host2.pub?-passin?pass:abcd
?
::?用CA2的私鑰簽署用戶證書：
Openssl?x509?-req?-days?1095?-in?host1.csr?-CA?ca2.cer?-CAkey?ca2.key?-out?host1.cer?-days?3650?-passin?pass:abcd?-CAcreateserial??-extfile?"d:\01.ext"?-extensions?usr_cert
Openssl?x509?-req?-days?1095?-in?host2.csr?-CA?ca2.cer?-CAkey?ca2.key?-out?host2.cer?-days?3650?-passin?pass:abcd?-CAcreateserial??-extfile?"d:\02.ext"?-extensions?usr_cert
echo?把HOST1和HOST2的所有文件拷貝到對應(yīng)目錄
copy?host1.*?d:\host1&copy?host2.*?d:\host2
?
::?驗證證書鏈
copy?ca2.cer+ca1.cer?ca-chain.cer
openssl?verify?-show_chain?-CAfile?ca-chain.cer?host1.cer
openssl?verify?-show_chain?-CAfile?ca-chain.cer?host2.cer
openssl?x509?-in?ca1.cer?-noout?-text|find?"CA:TRUE"
openssl?x509?-in?ca2.cer?-noout?-text|find?"CA:TRUE"
openssl?x509?-in?host1.cer?-noout?-text|find?"CA:TRUE"
openssl?x509?-in?host2.cer?-noout?-text|find?"CA:TRUE"

三級CA簽發(fā)

根CA：CA1

中間CA：CA2，CA3

CA1簽發(fā)CA2的證書，CA2簽發(fā)CA3的證書，CA3給HOST1和HOST2簽發(fā)證書。

批處理在D盤根目錄下建立目錄CA1、CA2、CA3、HOST1、HOST2，各目錄存放的文件顧名思義，其中CA3保留曾簽發(fā)的所有證書的備份。

::?三級CA簽發(fā)
::?刪除之前所有的文件
d:&cd\&rd/s/q?host1&rd/s/q?host2&rd/s/q?ca1&rd/s/q?ca2&rd/s/q?ca3&md?host1&md?host2&md?ca1&md?ca2&md?ca3&cd?ca1
?
::?生成自簽名的CA1根證書、私鑰和公鑰：
openssl?req?-x509?-newkey?rsa:8192?-keyout?ca1.key?-out?ca1.cer?-days?3650?-subj?/C=CN/ST=jiangsu/L=nanjing/O=Tiger/OU=CA-1/CN=CA1/emailAddress=ca1@tiger.com?-passout?pass:abcd
openssl?rsa?-in?ca1.key?-pubout?-out?ca1.pub?-passin?pass:abcd
?
::?把CA1的證書和公鑰拷貝到CA2，CA3，HOST1，HOST2
copy?ca1.cer?d:\ca2&copy?ca1.pub?d:\ca2&copy?ca1.cer?d:\ca3&copy?ca1.pub?d:\ca3&copy?ca1.cer?d:\host1&copy?ca1.pub?d:\host1&copy?ca1.cer?d:\host2&copy?ca1.pub?d:\host2
?
::?生成CA2的請求，私鑰和公鑰
openssl?req?-newkey?rsa:8192?-keyout?ca2.key?-out?ca2.csr?-subj?/C=CN/ST=jiangsu/L=nanjing/O=Tiger/OU=CA-2/CN=CA2/emailAddress=ca2@tiger.com?-passout?pass:abcd
openssl?rsa?-in?ca2.key?-pubout?-out?ca2.pub?-passin?pass:abcd
?
::?用CA1的私鑰簽署CA2的請求
Openssl?x509?-req?-days?1095?-in?ca2.csr?-CA?ca1.cer?-CAkey?ca1.key?-out?ca2.cer?-days?3650?-passin?pass:abcd?-extfile?"C:\Program?Files\OpenSSL-Win64\bin\cnf\openssl.cnf"?-extensions?v3_ca?-CAcreateserial
?
::?把CA2的證書和公鑰拷貝到CA3，HOST1和HOST2，把CA2所屬文件都拷貝到CA2
copy?ca2.cer?d:\ca3&copy?ca2.pub?d:\ca3&copy?ca2.cer?d:\host1&copy?ca2.pub?d:\host1&copy?ca2.cer?d:\host2&copy?ca2.pub?d:\host2&copy?ca2.*?\ca2&cd\ca2
?
::?生成CA3的請求，私鑰和公鑰
openssl?req?-newkey?rsa:8192?-keyout?ca3.key?-out?ca3.csr?-subj?/C=CN/ST=jiangsu/L=nanjing/O=Tiger/OU=CA-3/CN=CA3/emailAddress=ca3@tiger.com?-passout?pass:abcd
openssl?rsa?-in?ca3.key?-pubout?-out?ca3.pub?-passin?pass:abcd
?
::?用CA2的私鑰簽署CA3的請求
Openssl?x509?-req?-days?1095?-in?ca3.csr?-CA?ca2.cer?-CAkey?ca2.key?-out?ca3.cer?-days?3650?-passin?pass:abcd?-extfile?"C:\Program?Files\OpenSSL-Win64\bin\cnf\openssl.cnf"?-extensions?v3_ca?-CAcreateserial
?
?
::?把CA3的證書和公鑰拷貝到HOST1和HOST2，把CA3所屬文件都拷貝到CA3
copy?ca3.cer?d:\host1&copy?ca3.pub?d:\host1&copy?ca3.cer?d:\host2&copy?ca3.pub?d:\host2&copy?ca3.*?\ca3&cd\ca3
?
::?生成HOST1與HOST2的證書請求、私鑰和公鑰
openssl?req?-newkey?rsa:8192?-keyout?host1.key?-out?host1.csr?-subj?/C=CN/ST=guangdong/L=shenzhen/O=SUN/OU=Office-1/CN=host1?-addext?"subjectAltName?=?DNS:host1"?-passout?pass:abcd
openssl?req?-newkey?rsa:8192?-keyout?host2.key?-out?host2.csr?-subj?/C=CN/ST=guangdong/L=shenzhen/O=SUN/OU=Office-2/CN=host2?-addext?"subjectAltName?=?DNS:host2"?-passout?pass:abcd
openssl?rsa?-in?host1.key?-pubout?-out?host1.pub?-passin?pass:abcd
openssl?rsa?-in?host2.key?-pubout?-out?host2.pub?-passin?pass:abcd
?
::?用CA3的私鑰簽署用戶證書：
Openssl?x509?-req?-days?1095?-in?host1.csr?-CA?ca3.cer?-CAkey?ca3.key?-out?host1.cer?-days?3650?-passin?pass:abcd?-CAcreateserial?-extfile?"d:\01.ext"?-extensions?usr_cert
Openssl?x509?-req?-days?1095?-in?host2.csr?-CA?ca3.cer?-CAkey?ca3.key?-out?host2.cer?-days?3650?-passin?pass:abcd?-CAcreateserial?-extfile?"d:\02.ext"?-extensions?usr_cert
?
::?把HOST1和HOST2的所有文件拷貝到對應(yīng)目錄
copy?host1.*?d:\host1&copy?host2.*?d:\host2
??
::?驗證證書鏈：
copy?ca3.cer+ca2.cer+ca1.cer?ca-chain.cer
openssl?verify?-show_chain?-CAfile?ca-chain.cer?host1.cer
openssl?verify?-show_chain?-CAfile?ca-chain.cer?host2.cer
openssl?x509?-in?ca1.cer?-noout?-text|find?"CA:TRUE"
openssl?x509?-in?ca2.cer?-noout?-text|find?"CA:TRUE"
openssl?x509?-in?ca3.cer?-noout?-text|find?"CA:TRUE"
openssl?x509?-in?host1.cer?-noout?-text|find?"CA:TRUE"
openssl?x509?-in?host2.cer?-noout?-text|find?"CA:TRUE"