本文介绍: D:3rd_prjcryptopenssl-3.2.0demospkcs12目录下, 有2个实验(pkread.c, pkwrite.c), 需要PKCS12的证书.但是官方给的demos/certs目录的脚本中, 并没有看到如何生成P12证书.现在将openssl帮助文档整理出来后, 找到了如何生成P12证书.做个实验先, 自己将P12证书生成出来, 给demospkcs12目录下的实验用.

openssl3.2 – helpdoc – P12证书操作

概述

D:3rd_prjcryptopenssl-3.2.0demospkcs12目录下, 有2个实验(pkread.c, pkwrite.c), 需要PKCS12的证书.
但是官方给的demos/certs目录的脚本中, 并没有看到如何生成P12证书.
现在将openssl帮助文档整理出来后, 找到了如何生成P12证书.
做个实验先, 自己将P12证书生成出来, 给demospkcs12目录下的实验用.

笔记

如何生成P12证书的帮助文档有2个
file:///D:/my_dev/my_local_git_prj/study/openSSL/openssl-3.2.0_for_doc/doc/html/man1/CA.pl.html
file:///D:/my_dev/my_local_git_prj/study/openSSL/openssl-3.2.0_for_doc/doc/html/man1/openssl-pkcs12.html

前面一个是用perl脚本来生成P12证书.
后面一个是如何用openssl命令行来操作P12证书.

/doc/html/man1/CA.pl.html

我自己改的openssl入口可以将openssl命令行参数记录下来, 官方调用CA.pl干的活就能看到了(而且不会遗漏openssl的命令行).
不过这个CA.pl好像每个调用openssl命令行的具体参数从UI上都看得到.

 CA.pl -newca
 CA.pl -newreq
 CA.pl -sign
 CA.pl -pkcs12 "My Test Certificate"

CA.pl -newca

执行了2句openssl命令行

openssl req -new -keyout ./demoCA/private/cakey.pem -out ./demoCA/careq.pem 
// CA certificate filename (or enter to create) 时, 回车, 别的不行(报错)
然后输入opensslUI提出的内容.


openssl ca -create_serial -out ./demoCA/cacert.pem -days 1095 -batch -keyfile ./demoCA/private/cakey.pem -selfsign -extensions v3_ca -infiles ./demoCA/careq.pem 

// Enter PEM pass phrase = 111111
A challenge password = 222222
Enter pass phrase for ./demoCA/private/cakey.pem = 111111 // 这个口令就是第一次建立CA时要求输入的私钥口令(Enter PEM pass phrase), 如果输入错误, 就报错结束了

D:my_devmy_local_git_prjstudyopenSSLhelp_doc_exppkcs12ca_opt_v1>perl CA.pl -newca
CA certificate filename (or enter to create)

Making CA certificate ...
====
c:openssl_3d2binopenssl req  -new -keyout ./demoCA/private/cakey.pem -out ./demoCA/careq.pem
.+++++++++++++++++++++++++++++++++++++++*..+...+..+++++++++++++++++++++++++++++++++++++++*...+...+.....+....+......+..+....+........+.+......+........+...+....+.....+.........+.+.....+.+..+.+.........+...+.....+...............+...+....+.................+.........+..........+..+...+......+.+........+......+.+.................+.......+...........+............+.+..+.......+..+......+..........+........+....+......+......+.....+.+...+.................+.......+..+.+...+..+.........+.+..+..........+.....+.+..+...+.+.......................+......+.........+.............+..+...+...+.+..............+....+...+..+.+..+.......+.....+.+.....+....+...+.....+.............+....................+......+.+..+......+......+....+...............+...........+..........+...+........+.........+.+...............+..+......+.......+..+.......+.....+......+.............+...........+...+......+....+...+.....+...+......+..........+......+.........+.....+...+..........+..+......+.........+.............+...............+...+.....+.......+...+...+............+..+.+..+...+....+...+..+.......+...........+...+............+....+.....+....+..+....+...+............+.........+......+.....+...+..........+.....+................+.....+......+..........+.....+....+..+.......+...........+.+.........+......+......+..............+.+........+.+...+.......................+..................+.+........+.+.....+.+...+......+.....+............+...+.+.....+.+........+....+..+.+...............+.....+............+.+..+............+.......+...+.....+.......+.....+....+.....+......+...+.......+...+......+..+...+....+..+....+..+..................+.......+...+...............+.....+.+......+..+.......+.....+...+...+..........+..................+..+....+........+...+...+.+...+.....+..........+.....+.+......+.....+.+..+.+..+.........+...............+....+..+.............+......+...+..+.........+.......+...............+...+.................+...+......+..........+...+...........+.........+.+..+....+........+.+.........+...+.....+....+.....+.+..+.............+........+.+...+..................+...+...............+..+.........+..................+............+..................+.+..+...+....+...+.....+...+..........+.....+......+..................+.......+...+............+.....+.+..................+..+...+.+...+...........+.++++++
...+...+.+.........+.....+.+......+...+.....+.......+.....+++++++++++++++++++++++++++++++++++++++*....+......+...+.+...+...+...+...........+++++++++++++++++++++++++++++++++++++++*.......+..+...................+..+...+.......+...+............+...+......+...............+...+..+.+...+..+.......+..........................+....+...+...+......+.....+.........+.........+.+....................+.+.........+...........+.+.....+......................+.....+.+..+...+.+...+..+.+........+.........+..........+........+...+.+......+...+...........+....+..+.........+....+..+.......+...+........+..........+...............+.........+.....+...++++++
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:SX
Locality Name (eg, city) []:TY
Organization Name (eg, company) [Internet Widgits Pty Ltd]:KRGY
Organizational Unit Name (eg, section) []:RD
Common Name (e.g. server FQDN or YOUR name) []:MY_CA
Email Address []:test@sina.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:222222
An optional company name []:krgy
==> 0
====
====
c:openssl_3d2binopenssl ca  -create_serial -out ./demoCA/cacert.pem -days 1095 -batch -keyfile ./demoCA/private/cakey.pem -selfsign -extensions v3_ca -infiles ./demoCA/careq.pem
Using configuration from C:openssl_3d2commonopenssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            04:ac:e1:ce:5b:5f:48:56:2c:45:92:46:fb:ed:ca:dc:0e:f2:4f:46
        Validity
            Not Before: Jan 31 10:44:29 2024 GMT
            Not After : Jan 30 10:44:29 2027 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = SX
            organizationName          = KRGY
            organizationalUnitName    = RD
            commonName                = MY_CA
            emailAddress              = test@sina.com
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                55:39:9F:AA:3D:85:10:C2:72:E4:16:0E:7A:E4:E3:9E:69:37:8C:13
            X509v3 Authority Key Identifier:
                55:39:9F:AA:3D:85:10:C2:72:E4:16:0E:7A:E4:E3:9E:69:37:8C:13
            X509v3 Basic Constraints: critical
                CA:TRUE
Certificate is to be certified until Jan 30 10:44:29 2027 GMT (1095 days)

Write out database with 1 new entries
Database updated
==> 0
====
CA certificate is in ./demoCA/cacert.pem

D:my_devmy_local_git_prjstudyopenSSLhelp_doc_exppkcs12ca_opt_v1>



CA.pl -newreq

openssl req -new -keyout newkey.pem -out newreq.pem -days 365 

// newreq.pem
Enter PEM pass phrase = 333333, 这是建立一张新的证书, 给的是要做的新证书的口令
A challenge password = 444444, 新作的证书的挑战口令

CA.pl -sign

openssl ca -policy policy_anything -out newcert.pem -infiles newreq.pem 

Enter pass phrase for ./demoCA/private/cakey.pem: 111111
对CA签发出的证书签名时, 只需要CA私钥的key密码

CA.pl -pkcs12 “My Test Certificate”

openssl pkcs12 -in newcert.pem -inkey newkey.pem -certfile ./demoCA/cacert.pem -out newcert.p12 -export -name My Test Certificate 

Enter pass phrase for newkey.pem: 333333 // 对哪张证书导出P12, 就需要哪张私钥证书的密码.
Enter Export Password:555555 // 对签发出的P12证书设置新的导出口令

/doc/html/man1/openssl-pkcs12.html

Parse a PKCS#12 file and output it to a PEM file:

 openssl pkcs12 -in file.p12 -out file.pem
Output only client certificates to a file:

 openssl pkcs12 -in file.p12 -clcerts -out file.pem
Don't encrypt the private key:

 openssl pkcs12 -in file.p12 -out file.pem -noenc
Print some info about a PKCS#12 file:

 openssl pkcs12 -in file.p12 -info -noout
Print some info about a PKCS#12 file in legacy mode:

 openssl pkcs12 -in file.p12 -info -noout -legacy
Create a PKCS#12 file from a PEM file that may contain a key and certificates:

 openssl pkcs12 -export -in file.pem -out file.p12 -name "My PSE"
Include some extra certificates:

 openssl pkcs12 -export -in file.pem -out file.p12 -name "My PSE" 
  -certfile othercerts.pem
Export a PKCS#12 file with data from a certificate PEM file and from a further PEM file containing a key, with default algorithms as in the legacy provider:

 openssl pkcs12 -export -in cert.pem -inkey key.pem -out file.p12 -legacy
file:///D:/my_dev/my_local_git_prj/study/openSSL/openssl-3.2.0_for_doc/doc/html/man1/openssl-pkcs12.html

Parse a PKCS#12 file and output it to a PEM file:

// 将 help_doc_exppkcs12ca_optnewcert.p12 拷贝过来, 改名为file.p12
openssl pkcs12 -in file.p12 -out file.pem
Enter Import Password: 
导入密码为555555(操作P12证书时的导入密码, 就是前面签发P12证书时的导出密码)
Enter PEM pass phrase: 666666 设置导出的证书(file.pem)的密码, 这个是新的密码.

Output only client certificates to a file:

 openssl pkcs12 -in file.p12 -clcerts -out file1.pem
Enter Import Password: 555555
Enter PEM pass phrase: 777777 // 导出的新证书(file1.pem)的密码

Don't encrypt the private key:

 openssl pkcs12 -in file.p12 -out file2.pem -noenc
// 要求导出密码, 也是P12证书的导出密码555555
// 因为不用加密, 所以只要输入的P12证书的导出密码就够了


Print some info about a PKCS#12 file:

 openssl pkcs12 -in file.p12 -info -noout
// 要求导出密码, 也是P12证书的导出密码555555

Print some info about a PKCS#12 file in legacy mode:

 openssl pkcs12 -in file.p12 -info -noout -legacy
// 和不带 -legacy的输出是一样的

Create a PKCS#12 file from a PEM file that may contain a key and certificates:

 openssl pkcs12 -export -in file.pem -out file_pem_exp.p12 -name "My PSE"
// 需要file.pem的口令(666666)和导出口令(导出的file_pem_exp.p12的导出口令, 新设置的导出口令为888888)

Include some extra certificates:

 // openssl pkcs12 -export -in file.pem -out file_pem_exp1.p12 -name "My PSE" -certfile othercerts.pem
openssl pkcs12 -export -in file.pem -out file_pem_exp1.p12 -name "My PSE" -certfile file2.pem
// 需要file.pem的口令(666666), 导出口令(针对 file_pem_exp1.p12设置新的导出口令999999)

Export a PKCS#12 file with data from a certificate PEM file and from a further PEM file containing a key, with default algorithms as in the legacy provider:

 // openssl pkcs12 -export -in cert.pem -inkey key.pem -out file.p12 -legacy
// 将上一个CA实现生成的 newcert.pem和newkey.pem拷贝过来实验
openssl pkcs12 -export -in newcert.pem -inkey newkey.pem -out file_newcert_export.p12 -legacy
Enter pass phrase for newkey.pem 333333(CA做newkey.pem时, 指定的口令是333333)
Enter Export Password: 998888 (设置导出的P12证书(file.p12)的导出口令)


备注

现在有了自己做的P12证书, P12证书的口令也知道了, 就可以做官方给的PKCS12的C工程实验了.
今天运气还挺好, 按照字母序翻看整理好的官方帮助文件, 才看了4,5个帮助文件, 就找到了官方如何生成P12证书的说明.

END

原文地址:https://blog.csdn.net/LostSpeed/article/details/135956842

本文来自互联网用户投稿,该文观点仅代表作者本人,不代表本站立场。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。

如若转载,请注明出处:http://www.7code.cn/show_66377.html

如若内容造成侵权/违法违规/事实不符,请联系代码007邮箱:suwngjj01@126.com进行投诉反馈,一经查实,立即删除!

发表回复

您的邮箱地址不会被公开。 必填项已用 * 标注