OpenSSL使用笔记

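#!/usr/bin/env bash
# OpenSSL notes: build a three-level chain (RSA root -> ECC intermediate ->
# Ed25519 leaf), verify it, and bundle the leaf into a PKCS#12 file.
# Everything is written to the current directory and ./demoCA is used as the
# `openssl ca` database, so run this from an empty scratch directory.
set -euo pipefail

# Start from the system config and append a section for the intermediate CA.
# pathlen:0 lets the intermediate sign end-entity certificates only, and
# keyUsage limits its key to certificate/CRL signing.
cp /usr/lib/ssl/openssl.cnf .
cat >> openssl.cnf <<'EOF'
[ ext ]
basicConstraints=critical,CA:TRUE,pathlen:0
keyUsage=critical,keyCertSign,cRLSign
subjectKeyIdentifier=hash
EOF

# Root CA: 4096-bit RSA key, self-signed for 10 years (SHA-384).
# NOTE(review): ca.key is stored unencrypted; add -aes256 to genrsa (and
# expect a passphrase prompt on each use) if the key leaves a scratch box.
openssl genrsa -out ca.key 4096
openssl rsa -text -noout -in ca.key
openssl req -new -x509 -sha384 -key ca.key -out ca.cer -days 3650 \
  -subj '/C=/ST=/L=/O=/OU=/CN=ca/emailAddress='
openssl x509 -text -noout -in ca.cer

# Intermediate CA: P-256 ECC key plus a certificate signing request.
# The original passed `-newkey -x509` here: -newkey requires an argument,
# and -x509 would emit a self-signed certificate instead of a CSR.
openssl ecparam -name prime256v1 -genkey -noout -out mid.key
openssl ec -text -noout -in mid.key
openssl req -new -sha256 -key mid.key -out mid.csr \
  -subj '/C=/ST=/L=/O=/OU=/CN=mid/emailAddress='
openssl req -noout -text -in mid.csr

# Sign the intermediate CSR with the root. `openssl ca` expects the demoCA
# database layout configured in the CA_default section of openssl.cnf.
mkdir -p ./demoCA/newcerts
touch ./demoCA/index.txt
openssl ca -notext -create_serial -policy policy_anything \
  -cert ca.cer -keyfile ca.key -in mid.csr -out mid.cer -days 365 \
  -config openssl.cnf -extensions ext
openssl verify -CAfile ca.cer mid.cer

# Leaf: Ed25519 key and CSR, signed by the intermediate for 10 days.
# A digest option such as -sha256 is ignored for Ed25519 keys, so it is
# omitted; the same `-newkey -x509` mistake as above is dropped here too.
openssl genpkey -algorithm ed25519 -out client.key
openssl pkey -text -noout -in client.key
openssl req -new -key client.key -out client.csr \
  -subj '/C=/ST=/L=/O=/OU=/CN=client/emailAddress='
openssl ca -notext -create_serial -policy policy_anything \
  -cert mid.cer -keyfile mid.key -in client.csr -out client.cer -days 10

# Verify the leaf against the full chain (root + intermediate).
cat ca.cer mid.cer > cas.cer
openssl verify -CAfile cas.cer client.cer

# Bundle into PKCS#12. Pass the key with -inkey instead of appending it to
# client.cer, which would leave the private key inside a file that is later
# handed out as a certificate. -certfile adds the intermediate to the bundle;
# -export prompts for the bundle password.
openssl pkcs12 -export -in client.cer -inkey client.key -certfile mid.cer -out client.p12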
