
How do I create an X509 Key Bundle using openssl?

What is the issue:

I am not sure about the way that I create/validate an X509 Key Bundle.

What have I done?

I am trying to create an X509 mutual authentication key bundle using OpenSSL, and I am able to generate the certificate and Key Bundle. The following script is used to create the bundle.

mkdir certificate
cd certificate
mkdir certs csr newcerts
touch index.txt
echo "1000" > serial

::Root Certificate
openssl genrsa -out certs/ca.key.pem 2048
openssl req -config openssl.cnf -key certs/ca.key.pem -new -x509 -days 3650 -sha256 -extensions v3_ca -out certs/ca.crt.pem
openssl x509 -noout -text -in certs/ca.crt.pem
openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 365

::Certificate 1
openssl genrsa -out certs/intermediate1.key.pem 2048
openssl genpkey -algorithm RSA -out certs/intermediate1.key.pem -pkeyopt rsa_keygen_bits:2048
openssl req -config openssl.cnf -key certs/intermediate1.key.pem -new -sha256 -out csr/intermediate1.csr.pem -subj "/C=CN/ST=STATE/O=ORG/CN=intermediate1"
openssl ca -config openssl.cnf -batch -extensions usr_cert -days 3750 -notext -md sha256 -in csr/intermediate1.csr.pem -out certs/intermediate1.crt.pem

::Certificate 2
openssl genrsa -out certs/intermediate2.key.pem 2048
openssl genpkey -algorithm RSA -out certs/intermediate2.key.pem -pkeyopt rsa_keygen_bits:2048
openssl req -config openssl.cnf -key certs/intermediate2.key.pem -new -sha256 -out csr/intermediate2.csr.pem -subj "/C=CN/ST=STATE/O=ORG/CN=intermediate2"
openssl ca -config openssl.cnf -batch -extensions usr_cert -days 3750 -notext -md sha256 -in csr/intermediate2.csr.pem -out certs/intermediate2.crt.pem

::Chain the certificate
cat certs/intermediate1.crt.pem certs/ca.crt.pem > certs/ca-chain.cert.pem
cat certs/intermediate2.crt.pem certs/ca.crt.pem > certs/ca-chain.cert.pem

How did I validate?

I don't know precisely how to validate. Please help in this regard.

What are the other solutions tried?

KeyStore Explorer

Stackoverflow answers

How do forum experts help here?

I strongly believe that I am circling around the solution without any conclusion, and it feels like being stupid. I really need expert advice to close this in the view of Create Key Bundle/Validate with any public muauth server or any other methods.

ca-chain certificate


You are using cat incorrectly. This way the second intermediate cert will overwrite the first one, instead of being appended to it. Also, your root cert does not belong in the chain as that's what you're verifying against. You should do instead:

cat certs/intermediate1.crt.pem certs/intermediate2.crt.pem > certs/ca-chain.cert.pem

And then verify that against the CA cert, or simply:

cat certs/intermediate1.crt.pem certs/intermediate2.crt.pem | openssl verify -CAfile certs/ca.crt.pem
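Added example, not part of the original question or answer: a POSIX shell script that builds a constructed throwaway CA with two certificates named as on the page, bundles them with a single `cat`, and then verifies every certificate in the bundle one by one, because `openssl verify` reads only the first certificate from a file or from stdin. The helper names `make_demo_pki`, `count_certs` and `verify_bundle`, the inline config and the `Demo Root` subject are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. All keys and certificates are constructed throwaway test data.

# Build a root CA plus two certificates signed directly by it, named as on the page.
make_demo_pki() {
    d=$1
    # Minimal inline config (assumption) so the run does not depend on a system openssl.cnf.
    printf '%s\n' '[req]' 'distinguished_name=dn' 'x509_extensions=v3_ca' \
        'prompt=no' '[dn]' 'CN=Demo Root' '[v3_ca]' \
        'basicConstraints=critical,CA:TRUE' > "$d/ca.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$d/ca.cnf" \
        -keyout "$d/ca.key.pem" -out "$d/ca.crt.pem" 2>/dev/null || return 1
    for n in intermediate1 intermediate2; do
        openssl req -new -newkey rsa:2048 -nodes -config "$d/ca.cnf" -subj "/CN=$n" \
            -keyout "$d/$n.key.pem" -out "$d/$n.csr.pem" 2>/dev/null || return 1
        openssl x509 -req -in "$d/$n.csr.pem" -CA "$d/ca.crt.pem" \
            -CAkey "$d/ca.key.pem" -CAcreateserial -days 1 \
            -out "$d/$n.crt.pem" 2>/dev/null || return 1
    done
}

# Number of certificates in a PEM bundle.
count_certs() { grep -c -- '-----BEGIN CERTIFICATE-----' "$1"; }

# Split a bundle and verify each certificate against the CA file.
# Returns 0 only if the bundle is non-empty and every certificate verifies.
verify_bundle() {
    ca=$1; bundle=$2; rc=0
    tmp=$(mktemp -d) || return 1
    awk -v dir="$tmp" '/-----BEGIN CERTIFICATE-----/ { n++ }
        n { print > (dir "/cert" n ".pem") }' "$bundle"
    for c in "$tmp"/cert*.pem; do
        [ -f "$c" ] || { rc=1; break; }   # no certificate found in the bundle
        openssl verify -CAfile "$ca" "$c" >/dev/null 2>&1 || rc=1
    done
    rm -rf "$tmp"
    return "$rc"
}

# Demo run: bundle both certificates with a single cat, then check all of them.
demo=$(mktemp -d) && make_demo_pki "$demo" || exit 1
cat "$demo/intermediate1.crt.pem" "$demo/intermediate2.crt.pem" > "$demo/ca-chain.cert.pem"
echo "certificates in bundle: $(count_certs "$demo/ca-chain.cert.pem")"
verify_bundle "$demo/ca.crt.pem" "$demo/ca-chain.cert.pem" && echo "all verified"
```

A bundle whose second certificate was issued by a different CA still passes a plain `openssl verify -CAfile ... bundle`, while `verify_bundle` rejects it.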

Notice: technical posts on this site are published under the CC BY-SA 4.0 license. If you repost, please cite this site's URL or the original address. For any questions, contact: yoyou2525@163.com.