2025-03-26 Update From: SLTechnology News&Howtos, Network Security
Shulou(Shulou.com)06/01 Report--
Both the x509 command and the ca command can issue certificates to clients, acting as a CA. This article covers the former; the usage of the ca command is described in another post.
When the -CA infile option is given, the x509 command behaves like a "mini CA" and signs the input request. Unlike the ca command, it does not need the directory structure defined by the configuration file to exist in advance, and it does not record the signed certificate in a database, which makes it relatively convenient to use.
Add the folder containing openssl.exe to the PATH environment variable so the batch file can be run from anywhere (installing under drive C is not recommended because of the permission problems you may hit when generating files).
To stop the browser from showing the warning "no subject alternative name", make two copies of the configuration file "C:\Program Files\OpenSSL-Win64\bin\cnf\openssl.cnf" in the root directory of drive D and rename them 01.ext and 02.ext. Add subjectAltName = DNS:host1 to the [usr_cert] section of 01.ext and subjectAltName = DNS:host2 to the [usr_cert] section of 02.ext. Make sure both files exist before running the batch.
Copy the following code and paste it into a command prompt window, or save it as a batch file. Note that you need to press Enter on the penultimate line. To keep the experimental environment clean, every run deletes the directories created earlier and rebuilds them, so do not keep important data in those directories. Remember this!
The OpenSSL version used is the Windows build of 1.1.1c (28 May 2019).
Issuing certificates with the x509 command
Root CA issuance
Experimental scenario: first create the root CA RCA, then have RCA issue the certificates for the hosts HOST1 and HOST2.
The batch file creates the directories RCA, HOST1 and HOST2 on drive D; each directory holds the files its name implies, and RCA keeps a backup of every certificate it issued.
:: root CA signing
:: delete all previous files and recreate the working directories
d: & cd \ & rd /s /q host1 & rd /s /q host2 & rd /s /q rca & md host1 & md host2 & md rca & cd rca
:: generate the self-signed root certificate, its private key and its public key
openssl req -x509 -newkey rsa:8192 -keyout rca.key -out rca.cer -days 3650 -subj /C=CN/ST=jiangsu/L=nanjing/O=Tiger/OU=CA-R/CN=RCA/emailAddress=ca@tiger.com -passout pass:abcd
openssl rsa -in rca.key -pubout -out rca.pub -passin pass:abcd
:: copy the RCA certificate and public key to HOST1 and HOST2
copy rca.pub d:\host1
copy rca.cer d:\host1
copy rca.pub d:\host2
copy rca.cer d:\host2
:: generate the certificate requests, private keys and public keys for host1 and host2
openssl req -newkey rsa:8192 -keyout host1.key -out host1.csr -subj /C=CN/ST=guangdong/L=shenzhen/O=SUN/OU=Office-1/CN=host1 -addext "subjectAltName = DNS:host1" -passout pass:abcd
openssl req -newkey rsa:8192 -keyout host2.key -out host2.csr -subj /C=CN/ST=guangdong/L=shenzhen/O=SUN/OU=Office-2/CN=host2 -addext "subjectAltName = DNS:host2" -passout pass:abcd
openssl rsa -in host1.key -pubout -out host1.pub -passin pass:abcd
openssl rsa -in host2.key -pubout -out host2.pub -passin pass:abcd
:: sign the user requests with the RCA private key; the usr_cert section of the ext file supplies the SAN
openssl x509 -req -days 1095 -in host1.csr -CA rca.cer -CAkey rca.key -out host1.cer -CAcreateserial -passin pass:abcd -extfile "d:\01.ext" -extensions usr_cert
openssl x509 -req -days 1095 -in host2.csr -CA rca.cer -CAkey rca.key -out host2.cer -CAcreateserial -passin pass:abcd -extfile "d:\02.ext" -extensions usr_cert
:: copy the HOST1 and HOST2 files to the corresponding directories
copy host1.* d:\host1
copy host2.* d:\host2
:: verify the certificate chain, then confirm which certificates carry CA:TRUE (only the root should)
openssl verify -show_chain -CAfile rca.cer host1.cer
openssl verify -show_chain -CAfile rca.cer host2.cer
openssl x509 -in rca.cer -noout -text | find "CA:TRUE"
openssl x509 -in host1.cer -noout -text | find "CA:TRUE"
openssl x509 -in host2.cer -noout -text | find "CA:TRUE"
Second-level CA issuance
Root CA: CA1
Intermediate CA: CA2
CA1 issues the certificate for CA2, and CA2 issues the certificates for HOST1 and HOST2.
The batch file creates the directories CA1, CA2, HOST1 and HOST2 in the root directory of drive D; each directory holds the files its name implies, and CA2 keeps a backup of every certificate it issued.
:: secondary CA signing
:: delete all previous files and recreate the working directories
d: & cd \ & rd /s /q host1 & rd /s /q host2 & rd /s /q ca1 & rd /s /q ca2 & md host1 & md host2 & md ca1 & md ca2 & cd ca1
:: generate the self-signed CA1 root certificate, its private key and its public key
openssl req -x509 -newkey rsa:8192 -keyout ca1.key -out ca1.cer -days 3650 -subj /C=CN/ST=jiangsu/L=nanjing/O=Tiger/OU=CA-1/CN=CA1/emailAddress=ca1@tiger.com -passout pass:abcd
openssl rsa -in ca1.key -pubout -out ca1.pub -passin pass:abcd
:: copy the CA1 certificate and public key to CA2, HOST1 and HOST2
copy ca1.cer d:\host1
copy ca1.pub d:\host1
copy ca1.cer d:\host2
copy ca1.pub d:\host2
copy ca1.cer d:\ca2
copy ca1.pub d:\ca2
:: generate the CA2 request, private key and public key
openssl req -newkey rsa:8192 -keyout ca2.key -out ca2.csr -subj /C=CN/ST=jiangsu/L=nanjing/O=Tiger/OU=CA-2/CN=CA2/emailAddress=ca2@tiger.com -passout pass:abcd
openssl rsa -in ca2.key -pubout -out ca2.pub -passin pass:abcd
:: sign the CA2 request with the CA1 private key; the v3_ca section marks CA2 as CA:TRUE
:: (the original gave -days twice, 1095 and 3650; OpenSSL uses the later value, so only 3650 is kept)
openssl x509 -req -days 3650 -in ca2.csr -CA ca1.cer -CAkey ca1.key -out ca2.cer -passin pass:abcd -extfile "C:\Program Files\OpenSSL-Win64\bin\cnf\openssl.cnf" -extensions v3_ca -CAcreateserial
:: copy the CA2 certificate and public key to HOST1 and HOST2, and all CA2 files to the CA2 directory
copy ca2.cer d:\host1
copy ca2.pub d:\host1
copy ca2.cer d:\host2
copy ca2.pub d:\host2
copy ca2.* \ca2 & cd \ca2
:: generate the certificate requests, private keys and public keys for HOST1 and HOST2
openssl req -newkey rsa:8192 -keyout host1.key -out host1.csr -subj /C=CN/ST=guangdong/L=shenzhen/O=SUN/OU=Office-1/CN=host1 -addext "subjectAltName = DNS:host1" -passout pass:abcd
openssl req -newkey rsa:8192 -keyout host2.key -out host2.csr -subj /C=CN/ST=guangdong/L=shenzhen/O=SUN/OU=Office-2/CN=host2 -addext "subjectAltName = DNS:host2" -passout pass:abcd
openssl rsa -in host1.key -pubout -out host1.pub -passin pass:abcd
openssl rsa -in host2.key -pubout -out host2.pub -passin pass:abcd
:: sign the user certificates with the CA2 private key (again -days was given twice; the effective later value 3650 is kept)
openssl x509 -req -days 3650 -in host1.csr -CA ca2.cer -CAkey ca2.key -out host1.cer -passin pass:abcd -CAcreateserial -extfile "d:\01.ext" -extensions usr_cert
openssl x509 -req -days 3650 -in host2.csr -CA ca2.cer -CAkey ca2.key -out host2.cer -passin pass:abcd -CAcreateserial -extfile "d:\02.ext" -extensions usr_cert
:: copy all HOST1 and HOST2 files to the corresponding directories
copy host1.* d:\host1
copy host2.* d:\host2
:: verify the certificate chain: the intermediate must be supplied together with the root
copy ca2.cer+ca1.cer ca-chain.cer
openssl verify -show_chain -CAfile ca-chain.cer host1.cer
openssl verify -show_chain -CAfile ca-chain.cer host2.cer
openssl x509 -in ca1.cer -noout -text | find "CA:TRUE"
openssl x509 -in ca2.cer -noout -text | find "CA:TRUE"
openssl x509 -in host1.cer -noout -text | find "CA:TRUE"
openssl x509 -in host2.cer -noout -text | find "CA:TRUE"
Level 3 CA issuance
Root CA: CA1
Intermediate CAs: CA2, CA3
CA1 issues the certificate for CA2, CA2 issues the certificate for CA3, and CA3 issues the certificates for HOST1 and HOST2.
The batch file creates the directories CA1, CA2, CA3, HOST1 and HOST2 in the root directory of drive D; each directory holds the files its name implies, and CA3 keeps a backup of every certificate it issued.
:: three-level CA signing
:: delete all previous files and recreate the working directories
d: & cd \ & rd /s /q host1 & rd /s /q host2 & rd /s /q ca1 & rd /s /q ca2 & rd /s /q ca3 & md host1 & md host2 & md ca1 & md ca2 & md ca3 & cd ca1
:: generate the self-signed CA1 root certificate, its private key and its public key
openssl req -x509 -newkey rsa:8192 -keyout ca1.key -out ca1.cer -days 3650 -subj /C=CN/ST=jiangsu/L=nanjing/O=Tiger/OU=CA-1/CN=CA1/emailAddress=ca1@tiger.com -passout pass:abcd
openssl rsa -in ca1.key -pubout -out ca1.pub -passin pass:abcd
:: copy the CA1 certificate and public key to CA2, CA3, HOST1 and HOST2
copy ca1.cer d:\ca2
copy ca1.pub d:\ca2
copy ca1.cer d:\ca3
copy ca1.pub d:\ca3
copy ca1.cer d:\host1
copy ca1.pub d:\host1
copy ca1.cer d:\host2
copy ca1.pub d:\host2
:: generate the CA2 request, private key and public key
openssl req -newkey rsa:8192 -keyout ca2.key -out ca2.csr -subj /C=CN/ST=jiangsu/L=nanjing/O=Tiger/OU=CA-2/CN=CA2/emailAddress=ca2@tiger.com -passout pass:abcd
openssl rsa -in ca2.key -pubout -out ca2.pub -passin pass:abcd
:: sign the CA2 request with the CA1 private key; the v3_ca section marks CA2 as CA:TRUE
:: (the original gave -days twice, 1095 and 3650; OpenSSL uses the later value, so only 3650 is kept)
openssl x509 -req -days 3650 -in ca2.csr -CA ca1.cer -CAkey ca1.key -out ca2.cer -passin pass:abcd -extfile "C:\Program Files\OpenSSL-Win64\bin\cnf\openssl.cnf" -extensions v3_ca -CAcreateserial
:: copy the CA2 certificate and public key to CA3, HOST1 and HOST2, and all CA2 files to the CA2 directory
copy ca2.cer d:\ca3
copy ca2.pub d:\ca3
copy ca2.cer d:\host1
copy ca2.pub d:\host1
copy ca2.cer d:\host2
copy ca2.pub d:\host2
copy ca2.* \ca2 & cd \ca2
:: generate the CA3 request, private key and public key
openssl req -newkey rsa:8192 -keyout ca3.key -out ca3.csr -subj /C=CN/ST=jiangsu/L=nanjing/O=Tiger/OU=CA-3/CN=CA3/emailAddress=ca3@tiger.com -passout pass:abcd
openssl rsa -in ca3.key -pubout -out ca3.pub -passin pass:abcd
:: sign the CA3 request with the CA2 private key (same v3_ca section, same duplicated -days resolved to 3650)
openssl x509 -req -days 3650 -in ca3.csr -CA ca2.cer -CAkey ca2.key -out ca3.cer -passin pass:abcd -extfile "C:\Program Files\OpenSSL-Win64\bin\cnf\openssl.cnf" -extensions v3_ca -CAcreateserial
:: copy the CA3 certificate and public key to HOST1 and HOST2, and all CA3 files to the CA3 directory
copy ca3.cer d:\host1
copy ca3.pub d:\host1
copy ca3.cer d:\host2
copy ca3.pub d:\host2
copy ca3.* \ca3 & cd \ca3
:: generate the certificate requests, private keys and public keys for HOST1 and HOST2
openssl req -newkey rsa:8192 -keyout host1.key -out host1.csr -subj /C=CN/ST=guangdong/L=shenzhen/O=SUN/OU=Office-1/CN=host1 -addext "subjectAltName = DNS:host1" -passout pass:abcd
openssl req -newkey rsa:8192 -keyout host2.key -out host2.csr -subj /C=CN/ST=guangdong/L=shenzhen/O=SUN/OU=Office-2/CN=host2 -addext "subjectAltName = DNS:host2" -passout pass:abcd
openssl rsa -in host1.key -pubout -out host1.pub -passin pass:abcd
openssl rsa -in host2.key -pubout -out host2.pub -passin pass:abcd
:: sign the user certificates with the CA3 private key (again -days was given twice; the effective later value 3650 is kept)
openssl x509 -req -days 3650 -in host1.csr -CA ca3.cer -CAkey ca3.key -out host1.cer -passin pass:abcd -CAcreateserial -extfile "d:\01.ext" -extensions usr_cert
openssl x509 -req -days 3650 -in host2.csr -CA ca3.cer -CAkey ca3.key -out host2.cer -passin pass:abcd -CAcreateserial -extfile "d:\02.ext" -extensions usr_cert
:: copy all HOST1 and HOST2 files to the corresponding directories
copy host1.* d:\host1
copy host2.* d:\host2
:: verify the certificate chain: both intermediates must be supplied together with the root
copy ca3.cer+ca2.cer+ca1.cer ca-chain.cer
openssl verify -show_chain -CAfile ca-chain.cer host1.cer
openssl verify -show_chain -CAfile ca-chain.cer host2.cer
openssl x509 -in ca1.cer -noout -text | find "CA:TRUE"
openssl x509 -in ca2.cer -noout -text | find "CA:TRUE"
openssl x509 -in ca3.cer -noout -text | find "CA:TRUE"
openssl x509 -in host1.cer -noout -text | find "CA:TRUE"
openssl x509 -in host2.cer -noout -text | find "CA:TRUE"