openssl
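:: make ca self signed cert
:: usage: <script> <name>
::   ca/<name>.key  root CA private key (4096-bit RSA)
::   ca/<name>.crt  self-signed root CA certificate, /CN=myca, valid 1826 days
:: %~1 strips the quotes a caller may put around the name so the paths stay clean
if "%~1"=="" (
  echo usage: %~nx0 ca-name 1>&2
  exit /b 1
)
if not exist ca md ca
:: root ca
:: genrsa is given no cipher option, so the CA key is written unencrypted:
:: whoever can read ca/<name>.key can issue certificates under this CA.
openssl genrsa -out "ca/%~1.key" 4096
:: make self-signed ca cert
:: no -config/-extensions is passed, so any CA extensions (basicConstraints etc.)
:: come from openssl's default configuration rather than from this script.
openssl req -new -x509 -days 1826 -subj "/CN=myca" -key "ca/%~1.key" -out "ca/%~1.crt"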
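:: make request to ca to issue cert
:: usage: <script> <name>
::   keys/<name>.k   private key (unencrypted: genrsa is given no cipher option)
::   cer/<name>.crt  certificate issued by the CA kept in ca/.c (cert) and ca/.k (key)
::   <name>.p12      PKCS#12 bundle of key + cert + chain (pkcs12 prompts for the export password)
:: requires a .cnf template and v3-ext.cnf in the current directory
if "%~1"=="" (
  echo usage: %~nx0 name 1>&2
  exit /b 1
)
:: values are stored without quotes and quoted at each use, so no "" doubling
:: can occur on the command lines below; %~1 strips the caller's quotes
set "KEY=keys/%~1.k"
set "SUBJ=/CN=%~1"
set "CER=cer/%~1.crt"
:: per-request config: copy (cp is not a cmd.exe command) the template, then
:: append the CN. The line is appended to the end of the file, so it lands in
:: whatever section is last in .cnf. The redirection is written first so that a
:: name ending in a digit is not parsed as a stream number ("... 2>>cln.cnf").
copy /y .cnf cln.cnf
>>cln.cnf echo CN = %~1
if not exist cer md cer
if not exist keys md keys
:: 2048 bits is the current minimum; the 1024-bit key generated before is
:: refused by modern TLS stacks
openssl genrsa -out "%KEY%" 2048
openssl req -new -key "%KEY%" -out .r -subj "%SUBJ%" -config cln.cnf
:: sign the CSR with the CA; -CAcreateserial keeps the serial counter in a .srl
:: file named after the CA certificate
openssl x509 -extfile v3-ext.cnf -req -CA ca/.c -CAkey ca/.k -CAcreateserial -days 1825 -in .r -out "%CER%"
del .r
openssl pkcs12 -export -chain -CAfile "ca/.c" -inkey "%KEY%" -in "%CER%" -out "%~n1.p12"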
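:: one-step self-signed server cert using the .cnf below (sections nnn / xxx).
:: -newkey without -keyout writes the key to openssl's default (privkey.pem in the
:: current directory unless .cnf sets default_keyfile) and prompts for a
:: passphrase; the key file is named explicitly here. 1024-bit RSA is below
:: current minimums, so 2048 is used.
:: With -x509 the extension section for the certificate is selected by
:: -extensions; -reqexts selects the section for a CSR, and whether it also
:: applies to the self-signed output depends on the openssl version, so both
:: are given the same section.
openssl req -newkey rsa:2048 -keyout 1.key -x509 -days 1826 -subj "/CN=mysrv" -out 1.crt -config .cnf -extensions xxx -reqexts xxx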
#.cnf
# minimal config for the req one-liner above: no DN prompting (the subject comes
# from -subj) and one extension section, selected by name on the command line
[ req ]
# DN section; left empty because the subject is supplied with -subj
distinguished_name = nnn
# default extension section for CSRs; the command line names it explicitly too
req_extensions = xxx
[nnn]
[xxx]
extendedKeyUsage=serverAuth
# NOTE(review): for an RSA TLS server cert the usage peers check for is
# keyEncipherment (RSA key exchange) and/or digitalSignature; dataEncipherment
# is unusual here — confirm it is intended
keyUsage=digitalSignature, dataEncipherment, nonRepudiation
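:: PKI helper: builds a CA, an (empty) CRL and server/client certificates under it.
:: Globals set here and read by the subroutines below:
::   CA     CA certificate  store/ca.crt
::   CAKEY  CA private key  keys/ca.key
:: The quotes are part of the values on purpose: the subroutines expand %CA% and
:: %CAKEY% unquoted, so the quoting travels with the value.
::echo off
::cls
:: to make pem for curl
::openssl pkcs12 -clcerts -in %1 -out "%~n1.pem"
set CA="store/ca.crt"
set CAKEY="keys/ca.key"
if not exist store md store
if not exist keys md keys
call:mkca
:: Early stop: only the CA step runs and everything below stays disabled.
:: "exit /b" ends the script here; a bare "exit" also closed the console the
:: script was started from.
exit /b
call:mkcrl
::call:exportcln "mycert"
::call:exportsrv "Feedback"
::exit
::set /P APIDNS=Input DNS for Feedback API:
::call:mksrv 1 "Feedback" "DNS:api.myhost.ru,DNS:*.api.myhost.ru,IP:00000"
::exit
call:mkcln "Feedback" "B2C"
goto:eof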
:: ========================================
:: create CA certificate
:: Reads CA / CAKEY (already quoted). One req call makes a 4096-bit RSA key,
:: written to CAKEY with -nodes (no passphrase, so the key file alone is the
:: whole secret), and a self-signed cert to CA valid for 1825 days. No -config
:: or -extensions is given, so CA extensions come from openssl's default config.
:mkca
openssl req -x509 -nodes -newkey rsa:4096 -sha256 ^
  -keyout %CAKEY% -out %CA% ^
  -days 1825 -subj "/C=RU/CN=API CA"
goto:eof
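:: ========================================
:: revoke cert
:: Writes a throw-away "openssl ca" config (.cnf) and an index database (.db)
:: in the current directory, then signs a CRL with CAKEY into ca.crl.
:: .cnf is also the name the other snippets use for their req template, so
:: running this from the same directory overwrites that template.
:mkcrl
echo.[ca]>.cnf
echo database=.db >>.cnf
:: "nul" is the empty device. "type null" looked for a file named null, printed
:: an error when it was absent, and left .db empty only because the redirection
:: had created it. The file is now created only when missing, so revocations
:: recorded in an existing index are not discarded on every run.
if not exist .db type nul>.db
::openssl ca -revoke "%~1" -md sha256 -config .cnf -name ca -keyfile "keys/ca.key" -cert "store/ca.crt"
:: create empty crl (empty as long as nothing has been revoked into .db)
:: signed with sha256; the sha1 used before is deprecated and rejected by
:: openssl's default security level in recent releases
openssl ca -gencrl -md sha256 -config .cnf -name ca -keyfile %CAKEY% -cert %CA% -crldays 1825 -out ca.crl
::openssl crl -inform PEM -in .crl -outform DER -out ca.crl
::del %crl%
:: todo export p7b pack ca.cer + ca.crl
goto:eof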
:: ========================================
:: create server certificate
:: %2 = name, %3 = subjectAltName value; %1 is only passed on to mkcrt, which
:: reads no positional arguments. Validity 1825 days. DAYS does not influence
:: mkext, so it is set up front.
:mksrv
set DAYS=1825
call :mkext server %2 %3
call :mkcrt %*
goto:eof
:: ========================================
:: create client certificate
:: %2 = name (becomes the CN via mkext); %1 is only passed on to mkcrt, which
:: reads no positional arguments. Validity 365 days.
:: in future it's better to issue by server certificate to distinguish clients more thoroughly
:mkcln
set DAYS=365
call :mkext client %2
call :mkcrt %* %2
goto:eof
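:: ========================================
:: create certificate
:: Reads KEY, SUBJ, CRT (set by mkext), DAYS (set by the caller), CA and CAKEY.
:: The key file is encrypted, so genrsa prompts to set a passphrase and req
:: prompts to read it again (no -passin/-passout is given).
:mkcrt
:: aes256 replaces des3 as the key-file cipher; 3DES is a legacy algorithm
openssl genrsa -aes256 -out %KEY% 2048
:: -nodes only affects a key that req itself creates; with -key it has no effect
openssl req -nodes -new -sha256 -key %KEY% -out .r -subj %SUBJ%
:: sign the CSR .r with the CA using the extensions mkext wrote to .v3ext;
:: -CAcreateserial keeps the serial counter in a .srl file named after the CA
:: certificate (store/ca.srl for the CA value set at the top)
openssl x509 -sha256 -req -in .r -extfile .v3ext -CA %CA% -CAkey %CAKEY% -CAcreateserial -days %DAYS% -out %CRT%
del .r
goto:eof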
:: export a client certificate: %1 = name. mkext recomputes KEY/CRT/SUBJ/CRTTYPE
:: for it (and rewrites .v3ext, which export does not read), then export bundles it.
:exportcln
call :mkext client %*
call :export %*
goto:eof
:: export a server certificate: %1 = name. mkext recomputes KEY/CRT/SUBJ/CRTTYPE
:: for it; with no third argument it also writes an empty subjectAltName line to
:: .v3ext, which export does not read. Then export bundles the certificate.
:exportsrv
call :mkext server %*
call :export %*
goto:eof
:: ========================================
:: export certificate
:: %1 = name. Bundles KEY + CRT plus the chain up to CA into <name>.p12 under
:: the friendly name "<CRTTYPE> <name>". No -passin/-passout is given, so
:: openssl prompts for the key passphrase and the export password.
:export
echo export for %1
openssl pkcs12 -export -chain -CAfile %CA% ^
  -inkey %KEY% -in %CRT% ^
  -out "%~n1.p12" -name "%CRTTYPE% %~1"
goto:eof
:: ========================================
:: create v3 extensions file
:: %1 = client|server, %2 = name, %3 = subjectAltName value (server only).
:: Sets CRTTYPE, KEY, CRT and SUBJ for mkcrt/export and (re)writes .v3ext in
:: the current directory. %1 is compared literally, so a quoted "server" does
:: not select the server branch. KEY/CRT/SUBJ carry their quotes in the value.
:mkext
set CRTTYPE=%1
set KEY="keys/%CRTTYPE%_%~2.key"
set CRT="store/%CRTTYPE%_%~2.crt"
set SUBJ="/C=RU/CN=API %CRTTYPE% %~2"
if .%1==.server (
  rem server: SAN is written verbatim from the third argument, quotes included
  echo.>.v3ext
  echo subjectAltName=%3 >> .v3ext
  echo extendedKeyUsage = serverAuth >> .v3ext
  echo keyUsage = digitalSignature,keyEncipherment >> .v3ext
) else (
  rem client: clientAuth EKU, same keyUsage, no SAN
  echo.>.v3ext
  echo extendedKeyUsage = clientAuth >> .v3ext
  echo keyUsage = digitalSignature,keyEncipherment >> .v3ext
)
goto:eof
# end-entity extensions for "openssl x509 -req -extfile" (presumably the
# v3-ext.cnf the CSR-signing snippet names). There is no section header, so
# x509 reads these from the unnamed default section.
# tie the certificate to the issuer by key id and issuer name
authorityKeyIdentifier=keyid,issuer
# leaf certificate: it may not sign other certificates
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
# serverAuth only: a cert carrying this file is for TLS servers. If the same file
# is used for the client .p12 bundles, clientAuth is the usage those peers check.
extendedKeyUsage=serverAuth