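Generate a signing certificate with a start date and an end date

Time: 2018-04-12 02:15:21

Tags: c# bash powershell openssl asp.net-core-2.0

To create a self-signed certificate for token signing purposes (e.g. here), I use openssl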

    # ----------------
    # create crt + pfx files
    # ----------------

    # create key
    openssl genrsa -des3 -passout pass:x -out client.pass.key 2048
    openssl rsa -passin pass:x -in client.pass.key -out client.key

    # create certificate request (csr)
    openssl req -new -key client.key -out client.csr

    # create certificate (crt)
    openssl x509 -req -sha256 -days 365 -in client.csr -signkey client.key -out client.crt

    # export pfx file from key and crt
    openssl pkcs12 -export -out client.pfx -inkey client.key -in client.crt

    # ----------------
    # create pem + pfx files
    # ----------------

    # create key + cert in pem format
    openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365

    # export pfx file from key and crt
    openssl pkcs12 -export -out cert.pfx -inkey key.pem -in cert.pem

openssl does not allow you to add the NotBefore and NotAfter fields of the certificate.

Is there another tool that can add these fields?

2 answers:

Answer 0: (score: 0)

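This can be done as explained here

As Thomas Pornin said, the certificate request does not contain any dates; the notBefore and notAfter dates are set when the new certificate is created (signed) by the CA.

If you use the openssl ca tool, you can set them with the -startdate date and -enddate date command-line options, or with default_startdate and default_enddate in the relevant section of the configuration file.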
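
An added example (not part of the original answer) of the `openssl ca` approach described in the answer above: it self-signs a CSR with explicit start and end dates and prints the validity window written into the certificate. The file names, config section names, subject CN and the two dates are constructed for illustration.

```shell
#!/bin/sh
# Added example: self-signed certificate with explicit validity dates via `openssl ca`.
# File names, config section names and the subject CN are constructed for illustration.
make_dated_cert() {
    dir=$1 start=$2 end=$3      # dates in YYMMDDHHMMSSZ form (ASN.1 UTCTime)
    mkdir -p "$dir/newcerts" || return 1
    : > "$dir/index.txt"        # empty certificate database that `openssl ca` requires
    echo 01 > "$dir/serial"     # first serial number, in hex

    # Minimal config: a [req] section for the CSR and a CA section for signing.
    cat > "$dir/ca.cnf" <<EOF
[ req ]
distinguished_name = dn
[ dn ]
commonName = Common Name
[ ca ]
default_ca = selfsign
[ selfsign ]
database      = $dir/index.txt
serial        = $dir/serial
new_certs_dir = $dir/newcerts
default_md    = sha256
policy        = policy_any
[ policy_any ]
commonName = supplied
EOF

    # Unencrypted key and CSR, corresponding to the question's key and csr steps.
    openssl genrsa -out "$dir/client.key" 2048 2>/dev/null || return 1
    openssl req -new -config "$dir/ca.cnf" -key "$dir/client.key" \
        -subj "/CN=token-signing.example" -out "$dir/client.csr" || return 1

    # Sign the CSR with its own key; the CSR carries no dates, so they are set here.
    openssl ca -batch -notext -selfsign -config "$dir/ca.cnf" \
        -keyfile "$dir/client.key" -in "$dir/client.csr" -out "$dir/client.crt" \
        -startdate "$start" -enddate "$end" 2>/dev/null || return 1

    # Print the notBefore/notAfter values stored in the issued certificate.
    openssl x509 -in "$dir/client.crt" -noout -startdate -enddate
}

# Demo run in a throwaway directory with constructed dates.
workdir=$(mktemp -d)
make_dated_cert "$workdir" 180411000000Z 300411000000Z
```

The resulting `client.crt` and `client.key` can then be bundled with the `openssl pkcs12 -export` step shown in the question.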

Answer 1: (score: 0)

With the PowerShell command New-SelfSignedCertificate (available in PS 5.x), -NotBefore can be used to set the date

    #---------------
    # create certificate
    #---------------

    # create certificate and add it to certificate store
    # couldn't find an option to export to a file without adding to the store
    New-SelfSignedCertificate -Type Custom -DnsName "www.example.com" -KeyUsage DigitalSignature -CertStoreLocation "Cert:\LocalMachine\My" -NotBefore "2018-04-11 00:00:00z"

    # list all certificates in the store and find the thumbprint of the created one
    Set-Location Cert:\LocalMachine\My
    Get-ChildItem | Format-Table Subject, FriendlyName, Thumbprint -AutoSize

    #---------------
    # export certificate
    #---------------

    # create password as a secure string
    $mypwd = ConvertTo-SecureString -String "1234" -Force -AsPlainText

    # export pfx file
    Get-ChildItem -Path Cert:\LocalMachine\My\xxxx | Export-PfxCertificate -FilePath C:\client.pfx -Password $mypwd

    # export certificate
    # this will output as a binary file
    $cert = (Get-ChildItem -Path xxxx)
    Export-Certificate -Cert $cert -FilePath C:\client.cer -Type Cert

    # convert the binary file to base64 -- this is the format of the .cer file created by openssl
    $x = [System.Convert]::ToBase64String([IO.File]::ReadAllBytes("c:/client.cer"))