【OpenSSL】使用证书和私钥导出P12格式个人证书
1, 产生CA证书
1.1, 生成ca的私钥
openssl genrsa -out cakey.pem 2048
1.2, 生成ca的自签名证书请求
openssl req -new -key cakey.pem -subj "/CN=Example Root CA" -out cacsr.pem
1.3, 自签名ca的证书
openssl x509 -req -in cacsr.pem -signkey cakey.pem -days 999 -out cacert.pem
2, 产生个人证书
2.1, 生成个人证书的私钥
openssl genrsa -out alicekey.pem 2048
2.2, 生成个人证书请求
openssl req -new -key alicekey.pem -subj "/emailAddress=alice@example.com" -out alicecsr.pem
2.3, 签发个人证书
openssl x509 -req -in alicecsr.pem -CA cacert.pem -CAkey cakey.pem -days 999 -set_serial 01 -out alicecert.pem
3, 合并证书和私钥得到p12格式的个人证书
openssl pkcs12 -export -in alicecert.pem -inkey alicekey.pem -certfile cacert.pem -out alice.p12
4, 提取个人证书
openssl pkcs12 -in alice.p12 -nokeys -clcerts -out alicecert.pem
5, 提取个人证书的私钥
openssl pkcs12 -in alice.p12 -nocerts -out alicekey.pem
6, 提取ca证书
openssl pkcs12 -in alice.p12 -nokeys -cacerts -out cacert.pem
备注:
1,绑定ca证书的时候,-certfile和-CAfile的区别 http://arstechnica.com/civis/viewtopic.php?p=24680099
You're right, the documentation is confusing (man page here*), but I think I've figured it out, after some testing:
-certfile adds all certificates in that file to the .p12 store (in addition to the input certificate).
-CAfile and -CApath are used to build the "standard CA store" (just as they do for openssl s_client), which is only used with the -chain option, which will add the entire certification chain for the input certificate to the .p12, assuming it can be found in that file and/or directory. Without the -chain option they do nothing.
* Also, most distros supply man pages for the openssl subcommands under the subcommand name, e.g. pkcs(1).
see
http://openssl.6102.n7.nabble.com/How-to-include-intermediate-in-pkcs12-td49603.html
A lotofthingsonthe Internet are wrong. The OpenSSL man page doesnotsay multipleoccurrences workandI’m pretty sure it never did, nor did the code.IngeneralOpenSSL commandlines don’t handle repeated options; the few exceptions are noted.pkcs12 -caname (NOT–cafile)ISoneofthe few that can be repeated,andpossiblysome thingsonthe Internet got that confused. However, the commandlines (at leastusually?) don’t *diagnose* repeated (andoverridden) options.pkcs12 –export gets certsfromuptothree places:- the input file (-inifspecifiedelsestdin redirectedorpiped)- -certfileifspecified (once,asyou saw)- the truststoreif–CAfileand/or–CApath specifiedIFNEEDEDInother words, any certininfileorcertfileisalwaysinthe output, neededornot.Ifthatsetdoesnotprovide a complete chain, pkcs12 willtrytocomplete itusingthe truststoreifspecified, but will produce output evenifit remains incomplete.Likeother commandlines,andmany programsusingthe library, the truststorecan be asinglefilewith–CAfile (NOT–cafile)ora directoryofhashnamedlinksorfileswith–CApathorboth.Ifthe cert you are puttinginpkcs12isunder a CA that you trust other peerstouseandthus you haveinyour truststore, easiesttouse itfromthere. Similarlyifyour certisunder an intermediate (orseveral) that you haveinyour truststoretoallow peerstouse evenifthe peers don’t send (asthey should), easiesttousefromthere.Otherwise IMO it’s easiesttojust putininfileor–certfile (ora combination),although theoptionoftemporarily creatingormodifying a truststore works. Whethertodoyour trustorewithCAfileorCApathorbothisa more general questionanddepends partlyonwhether you use somebody’s package.Forexample the curl website supplies the Mozilla truststoreinCAfile format;whenI wanttouse that I don’t bother convertingtoCApath format.From: [hidden email] [[hidden email]]OnBehalfOfEdward Ned Harvey (openssl)Sent: Tuesday, April22,201415:31To: [hidden email]Subject: *** Spam *** Howtoinclude intermediateinpkcs12?A bunchofthingsonthe internet saytodo"-cafile intermediate.pem -cafile root.pem"or"-certfile intermediate.pem -certfile root.pem"andthey explicitly say that calling these command-line options more than onceisokandwill resultinboth the certs being includedinthe final pkcs12... But I have found thistobe untrue.I have found, thatifI concatenate intermediate & rootintoasingleglom file,andthenI specify -certfile onceforthe glom,thenmy pfx file will include the complete chain. ButifI use -certfile twice, Igetno intermediateinmy pfx.AndI just wasted more time than I caretodescribe, figuring this out.So...Whileconcatenation/glomisa viable workaround, I'd like to know, what's supposed to work? And was it a new feature introduced after a certain rev or something? I have OpenSSL 0.9.8y command-line on Mac OSX, and OpenSSL 1.0.1e command-line on cygwin. I believe I've seen the same behavior in both.
-CAfile 的处理逻辑
/* If chaining get chain from user cert */
if (chain) {
int vret;
STACK_OF(X509) *chain2;
X509_STORE *store = X509_STORE_new();
if (!store) {
BIO_printf(bio_err, "Memory allocation error\n");
goto export_end;
}
if (!X509_STORE_load_locations(store, CAfile, CApath))
X509_STORE_set_default_paths(store);
vret = get_cert_chain(ucert, store, &chain2);
X509_STORE_free(store);
if (!vret) {
/* Exclude verified certificate */
for (i = 1; i < sk_X509_num(chain2); i++)
sk_X509_push(certs, sk_X509_value(chain2, i));
/* Free first certificate */
X509_free(sk_X509_value(chain2, 0));
sk_X509_free(chain2);
} else {
if (vret >= 0)
BIO_printf(bio_err, "Error %s getting chain.\n",
X509_verify_cert_error_string(vret));
else
ERR_print_errors(bio_err);
goto export_end;
}
}
-certfile的处理逻辑
/* Add any more certificates asked for */
if (certfile) {
STACK_OF(X509) *morecerts = NULL;
if (!(morecerts = load_certs(bio_err, certfile, FORMAT_PEM,
NULL, e,
"certificates from certfile")))
goto export_end;
while (sk_X509_num(morecerts) > 0)
sk_X509_push(certs, sk_X509_shift(morecerts));
sk_X509_free(morecerts);
}
2,-name选项可以设置显示名称,否则导入证书的时候,可能会显示一些乱码。
