openssl3.2/test/certs - 016 - ca variants: CA:false, no bc, key2, DN2, issuer2, expired
概述
openssl3.2 - 官方demo学习 - test - certs
test/certs/setup.sh 有500条
昨天给今天定进度, 本来想一天搞50条.
今天看了一下, 可以搞100条, 那5天就能过一遍.
这个016实验, 官方脚本一下子给了6条脚本库调用(一条库脚本一般对应3条openssl命令行), 有点不适应.
现在对出证书的流程已经懂了. 等过一遍后, 等要做不同场景的证书时, 再回来研究参数细节.
笔记
// file my_openssl_linux_log_doc_016.txt
//
// note openssl3.2/test/certs - 016 - ca variants: CA:false, no bc, key2, DN2, issuer2, expired
// 这个官方脚本功能分组, 咋整这么多条脚本…, ++
// --------------------------------------------------------------------------------
// 官方脚本
// --------------------------------------------------------------------------------
// openssl3.2/test/certs - 016 - ca variants: CA:false, no bc, key2, DN2, issuer2, expired
./mkcert.sh genee "CA" ca-key ca-nonca root-key root-cert
// 打印一次openssl版本, 用来作为不同官方脚本库调用语句之间的分隔
openssl -v
./mkcert.sh gen_nonbc_ca "CA" ca-key ca-nonbc root-key root-cert
// 打印一次openssl版本, 用来作为不同官方脚本库调用语句之间的分隔
openssl -v
./mkcert.sh genca "CA" ca-key2 ca-cert2 root-key root-cert
// 打印一次openssl版本, 用来作为不同官方脚本库调用语句之间的分隔
openssl -v
./mkcert.sh genca "CA2" ca-key ca-name2 root-key root-cert
// 打印一次openssl版本, 用来作为不同官方脚本库调用语句之间的分隔
openssl -v
./mkcert.sh genca "CA" ca-key ca-root2 root-key2 root-cert2
// 打印一次openssl版本, 用来作为不同官方脚本库调用语句之间的分隔
openssl -v
DAYS=-1 ./mkcert.sh genca "CA" ca-key ca-expired root-key root-cert
// --------------------------------------------------------------------------------
// openssl命令行整理/分析
// --------------------------------------------------------------------------------
// --------------------------------------------------------------------------------
// 脚本1 ./mkcert.sh genee "CA" ca-key ca-nonca root-key root-cert
openssl genpkey -algorithm rsa -pkeyopt rsa_keygen_bits:2048 -out ca-key.pem
// config file = config_sc1_cmd1.txt
string_mask=utf8only
[req]
prompt = no
distinguished_name = dn
[dn]
CN = CA
openssl req -new -sha256 -key ca-key.pem -config config_sc1_cmd1.txt -out ca-key-req.pem
// config file = extfile_sc1_cmd2.txt
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid, issuer
basicConstraints = CA:false
extendedKeyUsage = serverAuth
[alts]
subjectAltName = @alts
DNS=CA
[alts]
// root-cert.pem, root-key.pem 是001实验产生的
openssl x509 -req -sha256 -out ca-nonca.pem -extfile extfile_sc1_cmd2.txt -CA root-cert.pem -CAkey root-key.pem -set_serial 2 -days 36525 -in ca-key-req.pem
// --------------------------------------------------------------------------------
// 脚本2 ./mkcert.sh gen_nonbc_ca "CA" ca-key ca-nonbc root-key root-cert
// config file = config_sc2_cmd1.txt
string_mask=utf8only
[req]
prompt = no
distinguished_name = dn
[dn]
CN = CA
openssl req -new -sha256 -key ca-key.pem -config config_sc2_cmd1.txt -out ca-key-req.pem
// config file = extfile_sc2_cmd2.txt
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
keyUsage = keyCertSign, cRLSign
openssl x509 -req -sha256 -out ca-nonbc.pem -extfile extfile_sc2_cmd2.txt -CA root-cert.pem -CAkey root-key.pem -set_serial 2 -days 36525 -in ca-key-req.pem
// --------------------------------------------------------------------------------
// 脚本3 ./mkcert.sh genca "CA" ca-key2 ca-cert2 root-key root-cert
openssl genpkey -algorithm rsa -pkeyopt rsa_keygen_bits:2048 -out ca-key2.pem
// config file = config_sc3_cmd1.txt
string_mask=utf8only
[req]
prompt = no
distinguished_name = dn
[dn]
CN = CA
openssl req -new -sha256 -key ca-key2.pem -config config_sc3_cmd1.txt -out ca-key2-req.pem
// config file = extfile_sc3_cmd2.txt
basicConstraints = critical,CA:true
keyUsage = keyCertSign,cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
openssl x509 -req -sha256 -out ca-cert2.pem -extfile extfile_sc3_cmd2.txt -CA root-cert.pem -CAkey root-key.pem -set_serial 2 -days 36525 -in ca-key2-req.pem
// --------------------------------------------------------------------------------
// 脚本4 ./mkcert.sh genca "CA2" ca-key ca-name2 root-key root-cert
// config file = config_sc4_cmd1.txt
string_mask=utf8only
[req]
prompt = no
distinguished_name = dn
[dn]
CN = CA2
openssl req -new -sha256 -key ca-key.pem -config config_sc4_cmd1.txt -out ca-key-req.pem
// config file = extfile_sc4_cmd2.txt
basicConstraints = critical,CA:true
keyUsage = keyCertSign,cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
openssl x509 -req -sha256 -out ca-name2.pem -extfile extfile_sc4_cmd2.txt -CA root-cert.pem -CAkey root-key.pem -set_serial 2 -days 36525 -in ca-key-req.pem
// --------------------------------------------------------------------------------
// 脚本5 ./mkcert.sh genca "CA" ca-key ca-root2 root-key2 root-cert2
// config file = config_sc5_cmd1.txt
string_mask=utf8only
[req]
prompt = no
distinguished_name = dn
[dn]
CN = CA
openssl req -new -sha256 -key ca-key.pem -config config_sc5_cmd1.txt -out ca-key-req.pem
// config file = extfile_sc5_cmd2.txt
basicConstraints = critical,CA:true
keyUsage = keyCertSign,cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
// root-cert2.pem, root-key2.pem 是实验003产生的
openssl x509 -req -sha256 -out ca-root2.pem -extfile extfile_sc5_cmd2.txt -CA root-cert2.pem -CAkey root-key2.pem -set_serial 2 -days 36525 -in ca-key-req.pem
// --------------------------------------------------------------------------------
// 脚本6 DAYS=-1 ./mkcert.sh genca "CA" ca-key ca-expired root-key root-cert
// config file = config_sc6_cmd1.txt
string_mask=utf8only
[req]
prompt = no
distinguished_name = dn
[dn]
CN = CA
openssl req -new -sha256 -key ca-key.pem -config config_sc6_cmd1.txt -out ca-key-req.pem
// config file = extfile_sc6_cmd2.txt
basicConstraints = critical,CA:true
keyUsage = keyCertSign,cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
openssl x509 -req -sha256 -out ca-expired.pem -extfile extfile_sc6_cmd2.txt -CA root-cert.pem -CAkey root-key.pem -set_serial 2 -days -1 -in ca-key-req.pem
// --------------------------------------------------------------------------------
// openssl入口日志记录
// --------------------------------------------------------------------------------
// --------------------------------------------------------------------------------
// 脚本1 ./mkcert.sh genee "CA" ca-key ca-nonca root-key root-cert
openssl genpkey -algorithm rsa -pkeyopt rsa_keygen_bits:2048 -out ca-key.pem
openssl req -new -sha256 -key ca-key.pem -config /dev/fd/63
-config /dev/fd/63 => /home/lostspeed/openssl/openssl-3.2.0_debian/test/certs/my_openssl_linux_log.txt
string_mask=utf8only
[req]
prompt = no
distinguished_name = dn
[dn]
CN = CA
openssl x509 -req -sha256 -out ca-nonca.pem -extfile /dev/fd/63 -CA root-cert.pem -CAkey root-key.pem -set_serial 2 -days 36525
-extfile /dev/fd/63 => /home/lostspeed/openssl/openssl-3.2.0_debian/test/certs/my_openssl_linux_log.txt
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid, issuer
basicConstraints = CA:false
extendedKeyUsage = serverAuth
[alts]
subjectAltName = @alts
DNS=CA
[alts]
// --------------------------------------------------------------------------------
// 脚本2 ./mkcert.sh gen_nonbc_ca "CA" ca-key ca-nonbc root-key root-cert
openssl req -new -sha256 -key ca-key.pem -config /dev/fd/63
-config /dev/fd/63 => /home/lostspeed/openssl/openssl-3.2.0_debian/test/certs/my_openssl_linux_log.txt
string_mask=utf8only
[req]
prompt = no
distinguished_name = dn
[dn]
CN = CA
openssl x509 -req -sha256 -out ca-nonbc.pem -extfile /dev/fd/63 -CA root-cert.pem -CAkey root-key.pem -set_serial 2 -days 36525
-extfile /dev/fd/63 => /home/lostspeed/openssl/openssl-3.2.0_debian/test/certs/my_openssl_linux_log.txt
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
keyUsage = keyCertSign, cRLSign
// --------------------------------------------------------------------------------
// 脚本3 ./mkcert.sh genca "CA" ca-key2 ca-cert2 root-key root-cert
openssl genpkey -algorithm rsa -pkeyopt rsa_keygen_bits:2048 -out ca-key2.pem
openssl req -new -sha256 -key ca-key2.pem -config /dev/fd/63
-config /dev/fd/63 => /home/lostspeed/openssl/openssl-3.2.0_debian/test/certs/my_openssl_linux_log.txt
string_mask=utf8only
[req]
prompt = no
distinguished_name = dn
[dn]
CN = CA
openssl x509 -req -sha256 -out ca-cert2.pem -extfile /dev/fd/63 -CA root-cert.pem -CAkey root-key.pem -set_serial 2 -days 36525
-extfile /dev/fd/63 => /home/lostspeed/openssl/openssl-3.2.0_debian/test/certs/my_openssl_linux_log.txt
basicConstraints = critical,CA:true
keyUsage = keyCertSign,cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
// --------------------------------------------------------------------------------
// 脚本4 ./mkcert.sh genca "CA2" ca-key ca-name2 root-key root-cert
openssl req -new -sha256 -key ca-key.pem -config /dev/fd/63
-config /dev/fd/63 => /home/lostspeed/openssl/openssl-3.2.0_debian/test/certs/my_openssl_linux_log.txt
string_mask=utf8only
[req]
prompt = no
distinguished_name = dn
[dn]
CN = CA2
openssl x509 -req -sha256 -out ca-name2.pem -extfile /dev/fd/63 -CA root-cert.pem -CAkey root-key.pem -set_serial 2 -days 36525
-extfile /dev/fd/63 => /home/lostspeed/openssl/openssl-3.2.0_debian/test/certs/my_openssl_linux_log.txt
basicConstraints = critical,CA:true
keyUsage = keyCertSign,cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
// --------------------------------------------------------------------------------
// 脚本5 ./mkcert.sh genca "CA" ca-key ca-root2 root-key2 root-cert2
openssl req -new -sha256 -key ca-key.pem -config /dev/fd/63
-config /dev/fd/63 => /home/lostspeed/openssl/openssl-3.2.0_debian/test/certs/my_openssl_linux_log.txt
string_mask=utf8only
[req]
prompt = no
distinguished_name = dn
[dn]
CN = CA
openssl x509 -req -sha256 -out ca-root2.pem -extfile /dev/fd/63 -CA root-cert2.pem -CAkey root-key2.pem -set_serial 2 -days 36525
-extfile /dev/fd/63 => /home/lostspeed/openssl/openssl-3.2.0_debian/test/certs/my_openssl_linux_log.txt
basicConstraints = critical,CA:true
keyUsage = keyCertSign,cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
// --------------------------------------------------------------------------------
// 脚本6 DAYS=-1 ./mkcert.sh genca "CA" ca-key ca-expired root-key root-cert
openssl req -new -sha256 -key ca-key.pem -config /dev/fd/63
-config /dev/fd/63 => /home/lostspeed/openssl/openssl-3.2.0_debian/test/certs/my_openssl_linux_log.txt
string_mask=utf8only
[req]
prompt = no
distinguished_name = dn
[dn]
CN = CA
openssl x509 -req -sha256 -out ca-expired.pem -extfile /dev/fd/63 -CA root-cert.pem -CAkey root-key.pem -set_serial 2 -days -1
-extfile /dev/fd/63 => /home/lostspeed/openssl/openssl-3.2.0_debian/test/certs/my_openssl_linux_log.txt
basicConstraints = critical,CA:true
keyUsage = keyCertSign,cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid