下列的这问题我设法在根证书、中间证书和最终证书的层次结构中创建了许多证书:
# Create root RSA key pair of 1024 bits as well as a certificate signing request
openssl.exe req -new -newkey rsa:1024 -nodes -out caRoot.csr -keyout caRoot.key
# Create root certificate and store into .pem format
openssl x509 -trustout -signkey caRoot.key -days 365 -req -in caRoot.csr -out caRoot.pem
# Create intermediate certificate RSA key pair
openssl genrsa -out clientIntermediate.key 1024
# Create intermediate CSR
openssl req -new -key clientIntermediate.key -out clientIntermediate.csr
# Do the same thing for the end certificate
openssl req -new -keyout clientEnd.key -out clientEnd.csr -days 365
# Create a certificate request
openssl ca -policy anyPolicy -keyfile clientIntermediate.key -cert clientIntermediate.pem -out clientEnd.pem -infiles clientEnd.request
# Create and sing certificate
openssl ca -policy anyPolicy -keyfile clientIntermediate.key -cert clientIntermediate.pem -out caRoot.pem -infiles clientEnd.csr
如何创建如上所述的证书链并将其完全存储在PKCS#12格式?
答案1
我描述中的“后者”,即私钥和证书链,是 PKCS#12,正如您最初要求的那样。(PKCS#7 仅处理证书链的情况。)要最简单地创建 PKCS#12,请使用带有pkcs12
选项的命令行操作-export
。有几种方法可以组合此命令的选项,但对于像您这样的 3 级场景(根、中、叶),有两种简单的方法是:
openssl pkcs12 -export -in leafcert.pem -inkey leafkey.pem -certfile midcert.pem -CAfile rootcert.pem -chain -out my.p12
cat leafcert.pem leafkey.pem midcert.pem rootcert.pem | openssl pkcs12 -export -out my.p12
(替换您的文件名)。完整详细信息请参阅手册页,可在已(完全)安装 OpenSSL 的任何 Unix 系统上获取,或在线获取https://www.openssl.org/docs/man1.0.2/apps/pkcs12.html(或者从中选择较早的版本https://www.openssl.org/docs/manpages.html如果需要的话)。
为了完整起见,如果你确实需要没有私钥的链,那么
openssl crl2pkcs7 -nocrl -certfile leafcert.pem -certfile midcert.pem -certfile rootcert.pem -out my.p7b