Openssl 命令开关用于自动化证书签名

Openssl 命令开关用于自动化证书签名

我知道在使用 openssl 时,您可以通过以下方式绕过交互式输入:

  • -passin pass:无论如何
  • -passout 通行证:无论如何
  • -subj "/C=pa/ST=pa/L=pa/O=pa/OU=pa/CN=pa"

但是,当签署证书时,例如:

openssl ca -config intermediate/openssl.cnf \
        -passin pass:whatever \
        -extensions usr_cert -days 375 -notext -md sha256 \
        -in intermediate/csr/www.example.com.csr.pem \
        -out intermediate/certs/www.example.com.cert.pem

我需要输入两次“y”:

            ....
            X509v3 Authority Key Identifier: 
                keyid:96:7B:52:E6:FC:53:53:F0:F3:D1:B3:EB:FB:5C:95:4D:73:BD:B8:5D

            X509v3 Key Usage: critical
                Digital Signature, Non Repudiation, Key Encipherment
            X509v3 Extended Key Usage: 
                TLS Web Client Authentication, E-mail Protection

Certificate is to be certified until Jul 12 14:00:14 2017 GMT (375 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

是否有一个 openssl 命令行开关可以自动执行此操作

答案1

man ca

   -batch
       this sets the batch mode. In this mode no questions will be asked
       and all certificates will be certified automatically.

顺便说一下,关于使用密码短语参数man openssl有以下几点要说:pass:

   pass:password
             the actual password is password. Since the password is
             visible to utilities (like 'ps' under Unix) this form should
             only be used where security is not important.

相关内容