openssl
rem ---- make a self-signed CA: key -> ca/<name>.key, cert -> ca/<name>.crt (%1 = file name stem) ----
mkdir ca
rem root CA key, 4096-bit RSA; genrsa without a cipher option writes the key unencrypted
openssl genrsa -out ca/%1.key 4096
rem self-signed CA certificate, 1826 days; the CN is fixed to "myca" and does not follow %1
openssl req -x509 -new -key ca/%1.key -subj "/CN=myca" -days 1826 -out ca/%1.crt
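:: make request to ca to issue cert (%1 = client name)
:: key -> keys/<name>.k, cert -> cer/<name>.crt, bundle -> <name>.p12; signs with ca/.c and ca/.k
:: the three variables below carry their own quotes, so they are used bare on the command lines
set KEY="keys/%~1.k"
set SUBJ="/CN=%~1"
set CER="cer/%~1.crt"
:: per-client copy of the shared request config
cp .cnf cln.cnf
::echo commonName_default = %~1% >>cln.cnf
:: NOTE(review): this appends to whatever section ends .cnf; the subject is supplied by -subj below,
:: so confirm the line is still needed
echo CN = %~1% >>cln.cnf
md cer keys
:: 2048-bit minimum: 1024-bit RSA is below current minimums and rejected by modern clients
openssl genrsa -out %KEY% 2048
openssl req -new -key %KEY% -out .r -subj %SUBJ% -config cln.cnf
:: explicit -sha256 so the signature digest does not depend on the OpenSSL build default
openssl x509 -sha256 -extfile v3-ext.cnf -req -CA ca/.c -CAkey ca/.k -CAcreateserial -days 1825 -in .r -out %CER%
del .r
:: %KEY% and %CER% already contain quotes; quoting them again passed doubled quotes to openssl
openssl pkcs12 -export -chain -CAfile "ca/.c" -inkey %KEY% -in %CER% -out "%~n1.p12"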
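:: one-shot self-signed server cert; with no -keyout the key goes to OpenSSL's default privkey.pem
:: 2048-bit key: 1024-bit RSA is below current minimums
:: NOTE(review): -reqexts targets the CSR, while the certificate written by -x509 takes its
:: extensions from -extensions on older OpenSSL versions; confirm section xxx actually lands in 1.crt
openssl req -newkey rsa:2048 -x509 -days 1826 -subj "/CN=mysrv" -out 1.crt -config .cnf -reqexts xxx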
#.cnf
# minimal request config for the openssl req calls above; the subject is given with -subj,
# so the distinguished_name section can stay empty
[ req ]
distinguished_name = nnn
req_extensions = xxx
# intentionally empty: no interactive DN prompts
[nnn]
# extensions requested for a TLS server certificate
# NOTE(review): keyUsage lacks keyEncipherment, which RSA key exchange in TLS needs; confirm this is intended
[xxx]
extendedKeyUsage=serverAuth
keyUsage=digitalSignature, dataEncipherment, nonRepudiation
rem ---- driver: builds store/ca.crt + keys/ca.key, then step by step a CRL and leaf certificates ----
rem echo off / cls are left disabled so each openssl command stays visible while running
rem to make a pem for curl: openssl pkcs12 -clcerts -in %1 -out "%~n1.pem"
rem CA material; the values carry their own quotes, so %CA% / %CAKEY% are used bare in the labels below
set CAKEY="keys/ca.key"
set CA="store/ca.crt"
mkdir store keys
call :mkca
rem exit without /b ends the whole cmd process here; the calls after it only run once it is removed
exit
call :mkcrl
rem call :exportcln "mycert"
rem call :exportsrv "Feedback"
rem set /P APIDNS=Input DNS for Feedback API:
rem call :mksrv 1 "Feedback" "DNS:api.myhost.ru,DNS:*.api.myhost.ru,IP:00000"
call :mkcln "Feedback" "B2C"
goto :eof
rem ========================================
rem create CA certificate: self-signed, 4096-bit RSA, SHA-256, 1825 days, subject /C=RU/CN=API CA
rem -nodes writes %CAKEY% without a passphrase, so the CA key is protected only by filesystem permissions
:mkca
openssl req -x509 -newkey rsa:4096 -nodes -sha256 -days 1825 -subj "/C=RU/CN=API CA" -keyout %CAKEY% -out %CA%
goto :eof
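:: ========================================
:: revoke cert / (re)generate the CRL: writes a minimal [ca] config plus an empty index (.db),
:: reads %CA% and %CAKEY%, emits ca.crl (PEM)
:mkcrl
echo.[ca]>.cnf
echo database=.db >>.cnf
:: "nul" is the empty device; "null" was a non-existent file, which still produced .db through the
:: redirection but printed a "cannot find the file" error on every run
type nul>.db
::openssl ca -revoke "%~1" -md sha256 -config .cnf -name ca -keyfile "keys/ca.key" -cert "store/ca.crt"
:: create empty crl, signed with SHA-256; SHA-1 signatures are rejected by current verifiers
openssl ca -gencrl -md sha256 -config .cnf -name ca -keyfile %CAKEY% -cert %CA% -crldays 1825 -out ca.crl
::openssl crl -inform PEM -in .crl -outform DER -out ca.crl
::del %crl%
:: todo export p7b pack ca.cer + ca.crl
goto:eof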
rem ========================================
rem create server certificate: %2 = name, %3 = subjectAltName list; %1 is only passed on to mkcrt, which does not read it
:mksrv
set DAYS=1825
call :mkext server %2 %3
call :mkcrt %*
goto :eof
rem ========================================
rem create client certificate: %2 = label used in the key/cert file names; %1 is passed on to mkcrt, which does not read it
rem in future it's better to issue by server certificate to distinguish clients more thoroughly
:mkcln
set DAYS=365
call :mkext client %2
call :mkcrt %* %2
goto :eof
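:: ========================================
:: create certificate: expects mkext to have set KEY, CRT, SUBJ and written .v3ext, and the caller to have set DAYS
:: signs with %CA% / %CAKEY%; the CSR (.r) is removed afterwards
:mkcrt
:: private key encrypted with AES-256 (prompts for a passphrase); 3DES is a legacy cipher for key wrapping
openssl genrsa -aes256 -out %KEY% 2048
:: -nodes only affects -newkey, so it is inert with -key; the key passphrase is prompted for here
openssl req -nodes -new -sha256 -key %KEY% -out .r -subj %SUBJ%
openssl x509 -sha256 -req -in .r -extfile .v3ext -CA %CA% -CAkey %CAKEY% -CAcreateserial -days %DAYS% -out %CRT%
del .r
goto:eof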
rem ---- export a client certificate: %1 = name; rebuilds .v3ext, KEY and CRT for the client profile, then bundles ----
:exportcln
call :mkext client %*
call :export %*
goto :eof
rem ---- export a server certificate: %1 = name, %2 = subjectAltName list; rebuilds .v3ext, KEY and CRT, then bundles ----
:exportsrv
call :mkext server %*
call :export %*
goto :eof
rem ========================================
rem export certificate: bundles %CRT%, %KEY% and the %CA% chain into <name>.p12 with friendly name "<type> <name>"
rem pkcs12 -export prompts for the export password; an encrypted key also prompts for its passphrase
:export
echo export for %1
openssl pkcs12 -export -name "%CRTTYPE% %~1" -chain -CAfile %CA% -inkey %KEY% -in %CRT% -out "%~n1.p12"
goto :eof
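:: ========================================
:: create v3 extensions file (.v3ext) and derive CRTTYPE, KEY, CRT, SUBJ for the following steps
:: %1 = client|server, %2 = name, %3 = subjectAltName list (server only, e.g. "DNS:a,DNS:b")
:mkext
set CRTTYPE=%1
set KEY="keys/%CRTTYPE%_%~2.key"
set CRT="store/%CRTTYPE%_%~2.crt"
:: leaf certificate either way: basicConstraints pins CA:FALSE, matching the standalone v3 extension file
echo.>.v3ext
echo basicConstraints = CA:FALSE >> .v3ext
echo extendedKeyUsage = clientAuth >> .v3ext
echo keyUsage = digitalSignature,keyEncipherment >> .v3ext
if .%1==.server (
rem server profile replaces the client one; the SAN line is only written when the caller supplied one,
rem because an empty subjectAltName value is not a valid extension
echo.>.v3ext
echo basicConstraints = CA:FALSE >> .v3ext
if not .%3==. echo subjectAltName=%3 >> .v3ext
echo extendedKeyUsage = serverAuth >> .v3ext
echo keyUsage = digitalSignature,keyEncipherment >> .v3ext
)
set SUBJ="/C=RU/CN=API %CRTTYPE% %~2"
goto:eof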
# v3 extensions for issued leaf certificates; presumably the v3-ext.cnf named at the x509 -req step above
# AKI from the issuer's key id, falling back to issuer name + serial when the CA cert has no SKI
authorityKeyIdentifier=keyid,issuer
# end-entity certificate: must not be usable to sign further certificates
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
# server-only profile; a certificate built from this file will not pass client authentication
extendedKeyUsage=serverAuth