openssl3.2 - helpdoc - P12证书操作

概述

D:\3rd_prj\crypt\openssl-3.2.0\demos\pkcs12目录下, 有2个实验(pkread.c, pkwrite.c), 需要PKCS12的证书.
但是官方给的demos/certs目录的脚本中, 并没有看到如何生成P12证书.
现在将openssl帮助文档整理出来后, 找到了如何生成P12证书.
做个实验先, 自己将P12证书生成出来, 给\demos\pkcs12目录下的实验用.

笔记

如何生成P12证书的帮助文档有2个
file:///D:/my_dev/my_local_git_prj/study/openSSL/openssl-3.2.0_for_doc/doc/html/man1/CA.pl.html
file:///D:/my_dev/my_local_git_prj/study/openSSL/openssl-3.2.0_for_doc/doc/html/man1/openssl-pkcs12.html

前面一个是用perl脚本来生成P12证书.
后面一个是如何用openssl命令行来操作P12证书.

/doc/html/man1/CA.pl.html

我自己改的openssl入口可以将openssl命令行参数记录下来, 官方调用CA.pl干的活就能看到了(而且不会遗漏openssl的命令行).
不过这个CA.pl好像每个调用openssl命令行的具体参数从UI上都看得到.

 CA.pl -newcaCA.pl -newreqCA.pl -signCA.pl -pkcs12 "My Test Certificate"

CA.pl -newca

执行了2句openssl命令行

openssl req -new -keyout ./demoCA/private/cakey.pem -out ./demoCA/careq.pem 
// CA certificate filename (or enter to create) 时, 回车, 别的不行(报错)
然后输入opensslUI提出的内容.openssl ca -create_serial -out ./demoCA/cacert.pem -days 1095 -batch -keyfile ./demoCA/private/cakey.pem -selfsign -extensions v3_ca -infiles ./demoCA/careq.pem // Enter PEM pass phrase = 111111
A challenge password = 222222
Enter pass phrase for ./demoCA/private/cakey.pem = 111111 // 这个口令就是第一次建立CA时要求输入的私钥口令(Enter PEM pass phrase), 如果输入错误, 就报错结束了

D:\my_dev\my_local_git_prj\study\openSSL\help_doc_exp\pkcs12\ca_opt_v1>perl CA.pl -newca
CA certificate filename (or enter to create)Making CA certificate ...
====
c:\openssl_3d2\bin\openssl req  -new -keyout ./demoCA/private/cakey.pem -out ./demoCA/careq.pem
.+++++++++++++++++++++++++++++++++++++++*..+...+..+++++++++++++++++++++++++++++++++++++++*...+...+.....+....+......+..+....+........+.+......+........+...+....+.....+.........+.+.....+.+..+.+.........+...+.....+...............+...+....+.................+.........+..........+..+...+......+.+........+......+.+.................+.......+...........+............+.+..+.......+..+......+..........+........+....+......+......+.....+.+...+.................+.......+..+.+...+..+.........+.+..+..........+.....+.+..+...+.+.......................+......+.........+.............+..+...+...+.+..............+....+...+..+.+..+.......+.....+.+.....+....+...+.....+.............+....................+......+.+..+......+......+....+...............+...........+..........+...+........+.........+.+...............+..+......+.......+..+.......+.....+......+.............+...........+...+......+....+...+.....+...+......+..........+......+.........+.....+...+..........+..+......+.........+.............+...............+...+.....+.......+...+...+............+..+.+..+...+....+...+..+.......+...........+...+............+....+.....+....+..+....+...+............+.........+......+.....+...+..........+.....+................+.....+......+..........+.....+....+..+.......+...........+.+.........+......+......+..............+.+........+.+...+.......................+..................+.+........+.+.....+.+...+......+.....+............+...+.+.....+.+........+....+..+.+...............+.....+............+.+..+............+.......+...+.....+.......+.....+....+.....+......+...+.......+...+......+..+...+....+..+....+..+..................+.......+...+...............+.....+.+......+..+.......+.....+...+...+..........+..................+..+....+........+...+...+.+...+.....+..........+.....+.+......+.....+.+..+.+..+.........+...............+....+..+.............+......+...+..+.........+.......+...............+...+.................+...+......+..........+...+...........+.........+.+..+....+........+.+.........+...+.....+....+.....+.+..+.............+........+.+...+..................+...+...............+..+.........+..................+............+..................+.+..+...+....+...+.....+...+..........+.....+......+..................+.......+...+............+.....+.+..................+..+...+.+...+...........+.++++++
...+...+.+.........+.....+.+......+...+.....+.......+.....+++++++++++++++++++++++++++++++++++++++*....+......+...+.+...+...+...+...........+++++++++++++++++++++++++++++++++++++++*.......+..+...................+..+...+.......+...+............+...+......+...............+...+..+.+...+..+.......+..........................+....+...+...+......+.....+.........+.........+.+....................+.+.........+...........+.+.....+......................+.....+.+..+...+.+...+..+.+........+.........+..........+........+...+.+......+...+...........+....+..+.........+....+..+.......+...+........+..........+...............+.........+.....+...++++++
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:SX
Locality Name (eg, city) []:TY
Organization Name (eg, company) [Internet Widgits Pty Ltd]:KRGY
Organizational Unit Name (eg, section) []:RD
Common Name (e.g. server FQDN or YOUR name) []:MY_CA
Email Address []:test@sina.comPlease enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:222222
An optional company name []:krgy
==> 0
====
====
c:\openssl_3d2\bin\openssl ca  -create_serial -out ./demoCA/cacert.pem -days 1095 -batch -keyfile ./demoCA/private/cakey.pem -selfsign -extensions v3_ca -infiles ./demoCA/careq.pem
Using configuration from C:\openssl_3d2\common\openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:Serial Number:04:ac:e1:ce:5b:5f:48:56:2c:45:92:46:fb:ed:ca:dc:0e:f2:4f:46ValidityNot Before: Jan 31 10:44:29 2024 GMTNot After : Jan 30 10:44:29 2027 GMTSubject:countryName               = CNstateOrProvinceName       = SXorganizationName          = KRGYorganizationalUnitName    = RDcommonName                = MY_CAemailAddress              = test@sina.comX509v3 extensions:X509v3 Subject Key Identifier:55:39:9F:AA:3D:85:10:C2:72:E4:16:0E:7A:E4:E3:9E:69:37:8C:13X509v3 Authority Key Identifier:55:39:9F:AA:3D:85:10:C2:72:E4:16:0E:7A:E4:E3:9E:69:37:8C:13X509v3 Basic Constraints: criticalCA:TRUE
Certificate is to be certified until Jan 30 10:44:29 2027 GMT (1095 days)Write out database with 1 new entries
Database updated
==> 0
====
CA certificate is in ./demoCA/cacert.pemD:\my_dev\my_local_git_prj\study\openSSL\help_doc_exp\pkcs12\ca_opt_v1>

CA.pl -newreq

openssl req -new -keyout newkey.pem -out newreq.pem -days 365 // newreq.pem
Enter PEM pass phrase = 333333, 这是建立一张新的证书, 给的是要做的新证书的口令
A challenge password = 444444, 新作的证书的挑战口令

CA.pl -sign

openssl ca -policy policy_anything -out newcert.pem -infiles newreq.pem Enter pass phrase for ./demoCA/private/cakey.pem: 111111
对CA签发出的证书签名时, 只需要CA私钥的key密码

CA.pl -pkcs12 “My Test Certificate”

openssl pkcs12 -in newcert.pem -inkey newkey.pem -certfile ./demoCA/cacert.pem -out newcert.p12 -export -name My Test Certificate Enter pass phrase for newkey.pem: 333333 // 对哪张证书导出P12, 就需要哪张私钥证书的密码.
Enter Export Password:555555 // 对签发出的P12证书设置新的导出口令

/doc/html/man1/openssl-pkcs12.html

Parse a PKCS#12 file and output it to a PEM file:openssl pkcs12 -in file.p12 -out file.pem
Output only client certificates to a file:openssl pkcs12 -in file.p12 -clcerts -out file.pem
Don't encrypt the private key:openssl pkcs12 -in file.p12 -out file.pem -noenc
Print some info about a PKCS#12 file:openssl pkcs12 -in file.p12 -info -noout
Print some info about a PKCS#12 file in legacy mode:openssl pkcs12 -in file.p12 -info -noout -legacy
Create a PKCS#12 file from a PEM file that may contain a key and certificates:openssl pkcs12 -export -in file.pem -out file.p12 -name "My PSE"
Include some extra certificates:openssl pkcs12 -export -in file.pem -out file.p12 -name "My PSE" \-certfile othercerts.pem
Export a PKCS#12 file with data from a certificate PEM file and from a further PEM file containing a key, with default algorithms as in the legacy provider:openssl pkcs12 -export -in cert.pem -inkey key.pem -out file.p12 -legacy

file:///D:/my_dev/my_local_git_prj/study/openSSL/openssl-3.2.0_for_doc/doc/html/man1/openssl-pkcs12.htmlParse a PKCS#12 file and output it to a PEM file:// 将 \help_doc_exp\pkcs12\ca_opt\newcert.p12 拷贝过来, 改名为file.p12
openssl pkcs12 -in file.p12 -out file.pem
Enter Import Password: 
导入密码为555555(操作P12证书时的导入密码, 就是前面签发P12证书时的导出密码)
Enter PEM pass phrase: 666666 设置导出的证书(file.pem)的密码, 这个是新的密码.Output only client certificates to a file:openssl pkcs12 -in file.p12 -clcerts -out file1.pem
Enter Import Password: 555555
Enter PEM pass phrase: 777777 // 导出的新证书(file1.pem)的密码Don't encrypt the private key:openssl pkcs12 -in file.p12 -out file2.pem -noenc
// 要求导出密码, 也是P12证书的导出密码555555
// 因为不用加密, 所以只要输入的P12证书的导出密码就够了Print some info about a PKCS#12 file:openssl pkcs12 -in file.p12 -info -noout
// 要求导出密码, 也是P12证书的导出密码555555Print some info about a PKCS#12 file in legacy mode:openssl pkcs12 -in file.p12 -info -noout -legacy
// 和不带 -legacy的输出是一样的Create a PKCS#12 file from a PEM file that may contain a key and certificates:openssl pkcs12 -export -in file.pem -out file_pem_exp.p12 -name "My PSE"
// 需要file.pem的口令(666666)和导出口令(导出的file_pem_exp.p12的导出口令, 新设置的导出口令为888888)Include some extra certificates:// openssl pkcs12 -export -in file.pem -out file_pem_exp1.p12 -name "My PSE" -certfile othercerts.pem
openssl pkcs12 -export -in file.pem -out file_pem_exp1.p12 -name "My PSE" -certfile file2.pem
// 需要file.pem的口令(666666), 导出口令(针对 file_pem_exp1.p12设置新的导出口令999999)Export a PKCS#12 file with data from a certificate PEM file and from a further PEM file containing a key, with default algorithms as in the legacy provider:// openssl pkcs12 -export -in cert.pem -inkey key.pem -out file.p12 -legacy
// 将上一个CA实现生成的 newcert.pem和newkey.pem拷贝过来实验
openssl pkcs12 -export -in newcert.pem -inkey newkey.pem -out file_newcert_export.p12 -legacy
Enter pass phrase for newkey.pem 333333(CA做newkey.pem时, 指定的口令是333333)
Enter Export Password: 998888 (设置导出的P12证书(file.p12)的导出口令)

备注

现在有了自己做的P12证书, P12证书的口令也知道了, 就可以做官方给的PKCS12的C工程实验了.
今天运气还挺好, 按照字母序翻看整理好的官方帮助文件, 才看了4,5个帮助文件, 就找到了官方如何生成P12证书的说明.

END