openssl ca


openssl.cnf

# openssl.cnf -- settings read by `openssl ca` and `openssl req`.
# OpenSSL config syntax: `#` starts a comment, `$name` expands a variable
# defined earlier in the same section, `$ENV::NAME` reads the process
# environment.  A value runs to end of line, so `=` inside a path is fine.

# Config-level variable; distinct from the HOME environment variable below.
HOME = .
# PRNG seed file, located via the HOME environment variable.
RANDFILE = $ENV::HOME/.rnd
# Section holding extra object identifiers (none defined at present).
oid_section = new_oids

[ new_oids ]

# `openssl ca` takes its settings from the section named here unless
# -name selects another one.
[ ca ]
default_ca = CA_default
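# Settings for `openssl ca` (selected through [ca] default_ca).
[ CA_default ]
# Base directory of this CA; `$dir` below expands to it.  The `=` characters
# in the path are harmless: a config value runs to end of line.
dir = /usr/app/ca/dc=nodomain/cn=admin/cn=ROOT
certs = $dir/certs
crl_dir = $dir/crl
# Text index of issued certificates (the CA database).
database = $dir/index.txt
# Refuse to hold two valid certificates with the same subject DN.
unique_subject = yes
# `openssl ca` writes each newly issued certificate here, named by serial.
new_certs_dir = $dir/newcerts
# CA certificate and private key (absolute paths outside $dir).
certificate = /usr/app/ca/dc=nodomain/cn=admin/ROOT.crt
# Next serial number and next CRL number.
serial = $dir/serial
crlnumber = $dir/crlnumber
crl = $crl_dir/ROOT.crl
private_key = /usr/app/ca/dc=nodomain/cn=admin/ROOT.key
# NOTE(review): nothing on this page creates $dir/private -- confirm it exists.
RANDFILE = $dir/private/ca.rand
# Display options used when a request is shown for confirmation.
name_opt = ca_default
cert_opt = ca_default
# Extensions added to every certificate `openssl ca` signs.
x509_extensions = usr_cert
# Certificate lifetime in days.
default_days = 365
# CRL lifetime in days.  At 1, a CRL goes stale one day after it is issued
# and clients that check freshness reject it, so step 4 must run daily
# (or raise this value).
default_crl_days = 1
# Signature digest for certificates and CRLs.  Was sha1, which current
# verifiers (OpenSSL 3 at its default security level included) refuse.
default_md = sha256
# no = order DN components as the policy section lists them.
preserve = no
# Rules for the request DN relative to the CA DN.
policy = policy_match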
# DN policy for `openssl ca`: match = must equal the CA certificate's value,
# supplied = must be present, optional = may be absent.  Components not
# listed here (e.g. localityName, which the request configs set as L) are
# dropped from the issued certificate.
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
# Permissive DN policy: every component may be absent except commonName.
# Not selected by [CA_default]; usable via `openssl ca -policy policy_anything`.
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
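# Settings for `openssl req`.
[ req ]
# RSA key size when -newkey does not give one.  Was 1024, which is no longer
# considered adequate; the other request configs on this page use 2048.
default_bits = 2048
default_keyfile = private.key
distinguished_name = req_distinguished_name
attributes = req_attributes
# Extensions for a self-signed certificate (-x509).
x509_extensions = v3_ca
# Encode DN strings as UTF8String only.
string_mask = utf8only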
# Prompted DN fields for interactive `openssl req`; the text after `=` is
# the prompt.  `<field>_default` pre-fills the answer, `_min`/`_max` bound
# its length, and a numeric prefix such as `0.` allows the same field type
# to be asked for more than once.
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = AU
countryName_min = 2
countryName_max = 2

stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Some-State

localityName = Locality Name (eg, city)

0.organizationName = Organization Name (eg, company)
0.organizationName_default = Internet Widgits Pty Ltd

organizationalUnitName = Organizational Unit Name (eg, section)

commonName = Common Name (eg, YOUR name)
commonName_max = 64

emailAddress = Email Address
emailAddress_max = 64
# Request attributes (stored in the CSR, not copied into the certificate).
[ req_attributes ]
challengePassword = A challenge password
challengePassword_min = 4
challengePassword_max = 20
unstructuredName = An optional company name
# Extensions for end-entity certificates: used by `openssl ca` through
# [CA_default] x509_extensions, or selected with `-extensions usr_cert`.
[ usr_cert ]
# Where clients fetch OCSP status for the certificate.
authorityInfoAccess = OCSP;URI:http://192.168.1.232:8000/publicca/OcspUtils_ocsp.action
# Not a CA.
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
# Identify the issuer by key id plus issuer name and serial.
authorityKeyIdentifier = keyid,issuer
# Extensions intended for a CSR.  [req] does not set req_extensions, so this
# section is only applied when named explicitly (e.g. `-extensions v3_req`).
[ v3_req ]
authorityInfoAccess = OCSP;URI:http://192.168.1.232:8000/publicca/OcspUtils_ocsp.action
basicConstraints = CA:FALSE
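# Extensions for a CA certificate: the self-signed root via [req]
# x509_extensions, or a sub-CA via `openssl x509 -extensions v3_ca` (step 2).
[ v3_ca ]
authorityInfoAccess = OCSP;URI:http://192.168.1.232:8000/publicca/OcspUtils_ocsp.action
# RFC 5280 requires basicConstraints to be critical in a CA certificate;
# it was non-critical here.
basicConstraints = critical, CA:true
# NOTE(review): no keyUsage is set.  A CA that only signs certificates and
# CRLs (steps 2-4) would normally carry
# `keyUsage = critical, keyCertSign, cRLSign`; it is not added here because
# a certificate issued from this section might also serve TLS -- confirm
# the intended uses before adding it.
subjectKeyIdentifier = hash
issuerAltName = issuer:copy
# Legacy Netscape extension; modern clients take revocation data from
# cRLDistributionPoints / OCSP instead.
nsCaRevocationUrl = http://192.168.1.232:8000/publicca/Crl_downloadCRL.action?DN=cn%3DROOT%2Ccn%3Dadmin%2Cdc%3Dnodomain&CN=ROOT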

ROOT.cnf

# ROOT.cnf -- non-interactive request settings for the self-signed root
# (presumably the config step 1 passes as $2.cnf).  With prompt = no,
# `openssl req` takes the DN verbatim from [req_distinguished_name].
[ req ]
prompt = no
default_bits = 2048
distinguished_name = req_distinguished_name
attributes = req_attributes
# Extensions for the self-signed certificate (-x509).
x509_extensions = v3_ca
# Passphrase placed on the generated private key.  It sits here in clear
# text and is repeated on the command line as `-passin pass:...` in later
# steps; `-passout file:...` or `env:...` keeps it out of the config and
# out of process listings.
output_password = 123qwe
# Subject DN of the root, one component per line.  With prompt = no the
# components are emitted in this order, so do not reorder them.
[ req_distinguished_name ]
C = CN
ST = 浙江省
L = 浙江省杭州市滨江区
O = 杭州创谐
OU = 研发部
CN = ROOT
# CSR attributes; with prompt = no the text after `=` is the value itself.
[ req_attributes ]
challengePassword = A challenge password
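# Extensions for the self-signed root certificate (applied via [req]
# x509_extensions when step 1 runs with this config).
[ v3_ca ]
# RFC 5280 requires basicConstraints to be critical in a CA certificate;
# it was non-critical here.
basicConstraints = critical, CA:true
# The root key signs certificates (step 2) and CRLs (step 4); say so and
# nothing more.  If this key also signs OCSP responses directly, add
# digitalSignature -- confirm against the responder setup.
keyUsage = critical, keyCertSign, cRLSign
# Where clients fetch OCSP status for this certificate.
authorityInfoAccess = OCSP;URI:http://192.168.1.232:8000/publicca/OcspUtils_ocsp.action
subjectKeyIdentifier = hash
issuerAltName = issuer:copy
# Legacy Netscape extension; modern clients take revocation data from
# cRLDistributionPoints / OCSP instead.
nsCaRevocationUrl = http://192.168.1.232:8000/publicca/Crl_downloadCRL.action?DN=cn%3DROOT%2Ccn%3Dadmin%2Cdc%3Dnodomain&CN=ROOT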

Device.cnf

# Device.cnf -- non-interactive request settings for the sub-CA ("Device")
# key and CSR created in step 2.
[ req ]
prompt = no
default_bits = 2048
distinguished_name = req_distinguished_name
attributes = req_attributes
# Only used by `openssl req -x509`.  Step 2 signs the CSR with
# `openssl x509 -extfile $6 -extensions v3_ca`, so in that flow the
# extensions come from the extfile, not from this file.
x509_extensions = v3_ca
# Passphrase placed on the generated private key, stored here in clear text
# (see the note on the same key in ROOT.cnf).
output_password = 123qwe
# Subject DN of the device certificate; emitted in this order.
[ req_distinguished_name ]
C = CN
ST = 浙江省
L = 浙江省杭州市滨江区
O = 杭州创谐
OU = 研发部
# NOTE(review): if this certificate is meant to identify a TLS host by
# address, an IP in the CN is not enough for current clients -- they match
# `subjectAltName = IP:...`, which no section here sets.  Confirm its use.
CN = Device 192.168.1.232
# CSR attributes; with prompt = no the text after `=` is the value itself.
[ req_attributes ]
challengePassword = A challenge password
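# CA extensions; applied only when `openssl req -x509` or an `-extfile`
# pointing at this file is used.
[ v3_ca ]
# RFC 5280 requires basicConstraints to be critical in a CA certificate;
# it was non-critical here.
basicConstraints = critical, CA:true
# NOTE(review): no keyUsage is set; a pure sub-CA would carry
# `keyUsage = critical, keyCertSign, cRLSign`.  Left out because the CN
# suggests the device may also act as a TLS endpoint -- confirm first.
subjectKeyIdentifier = hash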

User.cnf

# User.cnf -- non-interactive request settings for an end-user key and CSR
# (step 3).
[ req ]
prompt = no
default_bits = 2048
distinguished_name = req_distinguished_name
attributes = req_attributes
# Only used by `openssl req -x509`.  Step 3 signs the CSR with
# `openssl x509 -extfile $6 -extensions usr_cert`, so the extensions come
# from the extfile in that flow.
x509_extensions = usr_cert
# Passphrase placed on the generated private key, stored here in clear text
# (see the note on the same key in ROOT.cnf).
output_password = 123qwe
# Subject DN of the user certificate; emitted in this order.
[ req_distinguished_name ]
C = CN
ST = 浙江省
L = 浙江省杭州市滨江区
O = 杭州创谐
OU = 研发部
# NOTE(review): the CN looks like a personal identification number.  The
# subject DN is public in the certificate, in the CA database and in any
# CRL -- confirm that exposing it there is intended.
CN = User 430725199002093279
# CSR attributes; with prompt = no the text after `=` is the value itself.
[ req_attributes ]
challengePassword = A challenge password
# Extensions for an end-entity certificate: selected with
# `openssl x509 -extensions usr_cert` (step 3) or applied by `openssl ca`
# through x509_extensions.
[ usr_cert ]
# Explicit "not a CA".  Redundant under PKIX, but some software treats a
# certificate without it as a CA, so it stays.
basicConstraints = CA:FALSE
# nsCertType is deliberately absent: omitted, the certificate may be used
# for anything except object signing.  To narrow that, set it to `server`,
# `client, email` or `client, email, objsign`.
# Free-text comment shown by Netscape-era software only.
nsComment = "OpenSSL Generated Certificate"
# PKIX recommends both identifiers in every certificate.
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
# Available but disabled here:
#   subjectAltName = email:copy    copy the e-mail address from the DN
#   subjectAltName = email:move    move it instead (the form PKIX prefers)
#   issuerAltName = issuer:copy    copy the issuer's subject details
#   nsCaRevocationUrl, nsBaseUrl, nsRevocationUrl, nsRenewalUrl,
#   nsCaPolicyUrl, nsSslServerName -- further legacy Netscape URLs

1.生成根证书

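# Step 1: self-signed root certificate.
#   $1 = output base name ($1.key, $1.crt), $2 = config base name ($2.cnf),
#   $3 = validity in days, $4 = RSA key size in bits.
# -sha256 pins the signature digest instead of relying on the config's or
# build's default, which on older OpenSSL releases is SHA-1.  Expansions are
# quoted so a path containing spaces is not split by the shell.
openssl req -x509 -sha256 -newkey "rsa:$4" -keyout "$1.key" -out "$1.crt" -days "$3" -config "$2.cnf"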

2.生成子证书

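# Step 2: sub-CA certificate.
#   $1 = base name ($1.cnf, $1.key, $1.csr, $1.crt), $2 = new-key passphrase,
#   $3 = issuing CA base name ($3.crt, $3.key), $4 = issuing CA passphrase,
#   $5 = validity in days, $6 = extension file, $7 = RSA key size in bits.
# NOTE(review): with -newkey, -passin is not what encrypts the new key; that
# comes from -passout or the config's output_password.  Presumably $2 is
# meant to equal output_password -- confirm.
openssl req -newkey "rsa:$7" -keyout "$1.key" -passin "pass:$2" -out "$1.csr" -config "$1.cnf"
# -sha256 replaces -sha1: SHA-1 certificate signatures are refused by current
# verifiers.  `openssl x509 -req` signs outside `openssl ca`, so nothing in
# [CA_default] (index.txt, serial, unique_subject, default_md) applies here;
# -CAcreateserial keeps serials in its own $3.srl file.  `pass:` exposes the
# passphrase in the process argument list; `env:` or `file:` does not.
openssl x509 -req -in "$1.csr" -sha256 -extfile "$6" -extensions v3_ca -CA "$3.crt" -CAkey "$3.key" -passin "pass:$4" -CAcreateserial -out "$1.crt" -days "$5"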

3.生成用户证书

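# Step 3: end-user certificate.  Same arguments as step 2; the only
# difference is the extension section (usr_cert, so CA:FALSE).
#   $1 = base name ($1.cnf, $1.key, $1.csr, $1.crt), $2 = new-key passphrase,
#   $3 = issuing CA base name ($3.crt, $3.key), $4 = issuing CA passphrase,
#   $5 = validity in days, $6 = extension file, $7 = RSA key size in bits.
# NOTE(review): as in step 2, the new key's passphrase comes from -passout or
# output_password, not from -passin -- confirm $2 matches.
openssl req -newkey "rsa:$7" -keyout "$1.key" -passin "pass:$2" -out "$1.csr" -config "$1.cnf"
# -sha256 replaces -sha1 (see step 2).  Certificates issued this way are not
# recorded in the CA database, so unique_subject is not enforced for them.
openssl x509 -req -in "$1.csr" -sha256 -extfile "$6" -extensions usr_cert -CA "$3.crt" -CAkey "$3.key" -passin "pass:$4" -CAcreateserial -out "$1.crt" -days "$5"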

4.生成crl列表

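# Step 4: issue a CRL.
#   $1 = CA base name ($1.key, $1.crt, $1.crl), $2 = CA key passphrase,
#   $3 = path to the CA config (used as given; no .cnf is appended).
# The CRL is signed with default_md and valid for default_crl_days from
# [CA_default]; with default_crl_days = 1 this has to run at least daily.
# Expansions are quoted so a path containing spaces is not split.
openssl ca -gencrl -out "$1.crl" -keyfile "$1.key" -passin "pass:$2" -cert "$1.crt" -config "$3"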

5.生成android bks

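# Step 5: import a certificate into an Android BKS keystore.
#   $1 = path prefix for the JRE (joined with "jre/bin/keytool"),
#   $2 = keystore base name ($2.bks), $3 = alias, $4 = certificate file.
# The keystore password is hard-coded.  For a store that only holds public
# certificates that matters little; if it ever holds keys, supply it with
# keytool's -storepass:env or -storepass:file instead.
# ${1} is quoted so a JRE path containing spaces works.
"${1}jre/bin/keytool" -keystore "$2.bks" -storetype BKS -provider org.bouncycastle.jce.provider.BouncyCastleProvider -storepass hzihca -importcert -noprompt -alias "$3" -file "$4"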

6.生成PKCS文件

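# Step 6: bundle key and certificate as PKCS#12.
#   $1 = base name ($1.key, $1.crt, $1.p12),
#   $2 = passphrase, reused for the input key and the output bundle.
# As elsewhere, `pass:` puts the passphrase in the process argument list;
# `env:` or `file:` avoids that.  Expansions are quoted against word splitting.
openssl pkcs12 -export -inkey "$1.key" -passin "pass:$2" -in "$1.crt" -out "$1.p12" -passout "pass:$2"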

7.吊销证书

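# Step 7: revoke a certificate.
#   $1 = certificate base name ($1.crt), $2 = CA base name ($2.key, $2.crt),
#   $3 = CA key passphrase, $4 = path to the CA config.
# This only marks the entry revoked in the [CA_default] database; clients see
# the revocation once a fresh CRL is issued (step 4) or the OCSP responder
# picks it up.  Certificates from steps 2-3 were signed with `openssl x509`
# and so are not in index.txt beforehand; `ca -revoke` should add such an
# entry itself before marking it -- verify on the first run.
openssl ca -revoke "$1.crt" -keyfile "$2.key" -passin "pass:$3" -cert "$2.crt" -config "$4"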




