How do I create an X509 key bundle with openssl?

Time: 2018-04-03 13:49:29

Tags: openssl x509

What is the problem:

I am not sure about the way I am creating/verifying the X509 key bundle.

What did I do?

I am trying to create an X509 mutual-authentication key bundle with OpenSSL, and I am able to generate the certificates and the key bundle. The following script is used to create the bundle.

mkdir certificate
cd certificate
mkdir certs csr newcerts
touch index.txt
echo "1000" > serial

::Root Certificate
openssl genrsa -out certs/ca.key.pem 2048
openssl req -config openssl.cnf -key certs/ca.key.pem -new -x509 -days 3650 -sha256 -extensions v3_ca -out certs/ca.crt.pem
openssl x509 -noout -text -in certs/ca.crt.pem
openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 365

::Certificate 1
openssl genrsa -out certs/intermediate1.key.pem 2048
openssl genpkey -algorithm RSA -out certs/intermediate1.key.pem 2048
openssl req -config openssl.cnf -key certs/intermediate1.key.pem -new -sha256 -out csr/intermediate1.csr.pem -subj "/C=CN/ST=STATE/O=ORG/CN=intermediate1"
openssl ca -config openssl.cnf -batch -extensions usr_cert -days 3750 -notext -md sha256 -in csr/intermediate1.csr.pem -out certs/intermediate1.crt.pem

::Certificate 2
openssl genrsa -out certs/intermediate2.key.pem 2048
openssl genpkey -algorithm RSA -out certs/intermediate2.key.pem 2048
openssl req -config openssl.cnf -key certs/intermediate2.key.pem -new -sha256 -out csr/intermediate2.csr.pem -subj "/C=CN/ST=STATE/O=ORG/CN=intermediate2"
openssl ca -config openssl.cnf -batch -extensions usr_cert -days 3750 -notext -md sha256 -in csr/intermediate2.csr.pem -out certs/intermediate2.crt.pem

::Chain the certificate
cat certs/intermediate1.crt.pem certs/ca.crt.pem > certs/ca-chain.cert.pem
cat certs/intermediate2.crt.pem certs/ca.crt.pem > certs/ca-chain.cert.pem

How did I verify it?

I don't know exactly what to verify. Please help.

What other solutions were tried?

KeyStore Explorer

Stackoverflow answers

How can the forum experts help here?

I firmly believe I have not reached any conclusion in my solution, and it feels foolish. I really need expert advice to close this out, in the Create Key Bundle / Validate view of any public mutual-auth server or any other method.

ca-chain certificate (screenshot not reproduced)

1 answer:

Answer 0 (score: 1)

You are using cat incorrectly. That way, the second intermediate certificate overwrites the first one instead of being appended to it. Also, your root certificate does not belong in the chain, because it is what you are verifying against. You should do this:

cat certs/intermediate1.crt.pem certs/intermediate2.crt.pem > certs/ca-chain.cert.pem

Then verify against the CA certificate, or simply:

cat certs/intermediate1.crt.pem certs/intermediate2.crt.pem | openssl verify -CAfile certs/ca.crt.pem
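The following script is an added example, not code from the poster or the answerer. It builds the structure the answer is describing end to end: a self-signed root, a real intermediate (the posted script signs both "intermediates" with the usr_cert profile, which in the stock openssl.cnf sets CA:FALSE, so neither could sign anything), one server and one client leaf for mutual TLS, the chain bundles, a PKCS#12 key bundle for the client, and the verification step the poster was missing. It carries its own config file so it does not depend on the system openssl.cnf; every name (Example Root CA, server.example.test, the password changeit) is made up for the example.

```shell
#!/bin/sh
# Added example (not from the original post): two-tier mutual-TLS PKI with
# OpenSSL, chain bundling as the answer describes, and verification.
# Requires openssl on PATH. All subject names and the password are invented.

build_and_verify_pki() {
    dir="${1:?work dir}"
    mkdir -p "$dir"
    cfg="$dir/ext.cnf"

    # Extension profiles. A CA needs CA:TRUE and keyCertSign; a leaf needs
    # CA:FALSE plus an extendedKeyUsage matching its role in the handshake.
    cat > "$cfg" <<'EOF'
[ req ]
distinguished_name = req_dn
prompt = no
[ req_dn ]
CN = placeholder
[ v3_root ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ v3_intermediate ]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
[ v3_server ]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:server.example.test
[ v3_client ]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = clientAuth
EOF

    # 1. Root CA: self-signed trust anchor, distributed on its own.
    openssl genrsa -out "$dir/root.key" 2048 2>/dev/null
    openssl req -config "$cfg" -new -x509 -key "$dir/root.key" -sha256 -days 3650 \
        -subj "/CN=Example Root CA" -extensions v3_root -out "$dir/root.crt"

    # 2. Intermediate CA: CSR signed by the root with a CA profile.
    openssl genrsa -out "$dir/int.key" 2048 2>/dev/null
    openssl req -config "$cfg" -new -key "$dir/int.key" -sha256 \
        -subj "/CN=Example Intermediate CA" -out "$dir/int.csr"
    openssl x509 -req -in "$dir/int.csr" -CA "$dir/root.crt" -CAkey "$dir/root.key" \
        -CAcreateserial -days 1825 -sha256 -extfile "$cfg" -extensions v3_intermediate \
        -out "$dir/int.crt" 2>/dev/null

    # 3. Leaf certificates, one per side of the mutual-TLS handshake,
    #    issued by the intermediate.
    for leaf in server client; do
        openssl genrsa -out "$dir/$leaf.key" 2048 2>/dev/null
        openssl req -config "$cfg" -new -key "$dir/$leaf.key" -sha256 \
            -subj "/CN=$leaf.example.test" -out "$dir/$leaf.csr"
        openssl x509 -req -in "$dir/$leaf.csr" -CA "$dir/int.crt" -CAkey "$dir/int.key" \
            -CAcreateserial -days 365 -sha256 -extfile "$cfg" -extensions "v3_$leaf" \
            -out "$dir/$leaf.crt" 2>/dev/null
    done

    # 4. Chain bundles a TLS endpoint presents: leaf first, then the
    #    intermediate(s). The root is the verifier's trust anchor and is
    #    deliberately NOT part of the presented chain.
    cat "$dir/server.crt" "$dir/int.crt" > "$dir/server-chain.pem"
    cat "$dir/client.crt" "$dir/int.crt" > "$dir/client-chain.pem"

    # 5. Verify: trust only the root, supply the intermediate as untrusted
    #    chain material, and check the purpose matches the role.
    openssl verify -CAfile "$dir/root.crt" -untrusted "$dir/int.crt" \
        -purpose sslserver "$dir/server.crt" >/dev/null
    openssl verify -CAfile "$dir/root.crt" -untrusted "$dir/int.crt" \
        -purpose sslclient "$dir/client.crt" >/dev/null

    # Negative checks: without the intermediate no chain can be built, and
    # a serverAuth-only certificate must be rejected as a TLS client.
    if openssl verify -CAfile "$dir/root.crt" "$dir/server.crt" >/dev/null 2>&1; then
        echo "unexpected: leaf verified without its intermediate" >&2
        return 1
    fi
    if openssl verify -CAfile "$dir/root.crt" -untrusted "$dir/int.crt" \
        -purpose sslclient "$dir/server.crt" >/dev/null 2>&1; then
        echo "unexpected: server certificate accepted as a client" >&2
        return 1
    fi

    # 6. PKCS#12 "key bundle" for the client: private key + leaf + chain,
    #    then a read-back to confirm the MAC and password are right.
    openssl pkcs12 -export -inkey "$dir/client.key" -in "$dir/client.crt" \
        -certfile "$dir/int.crt" -name client -passout pass:changeit \
        -out "$dir/client.p12"
    openssl pkcs12 -in "$dir/client.p12" -passin pass:changeit -nokeys -noout

    echo ok
}

build_and_verify_pki "${1:-$(mktemp -d)}"
```

Run it as sh mtls_pki.sh [workdir]; it prints ok when every positive check passes and both negative checks fail as they should. The two negative checks are the ones worth keeping in any validation step: a chain that verifies without the intermediate means the intermediate was added to the trust store by mistake, and a server certificate that passes as a client means the extendedKeyUsage split between the two sides has been lost.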