使用openssl命令行制作证书的例子

参考openssl源码安装目录下 demos/ssltest-ecc/RSAcertgen.sh ECCcertgen.sh

RSAcertgen.sh文件内容如下：

#!/bin/sh

# For a list of supported curves, use "apps/openssl ecparam -list_curves".

# Path to the openssl distribution

OPENSSL_DIR=../..

# Path to the openssl program

OPENSSL_CMD=$OPENSSL_DIR/apps/openssl

# Option to find configuration file

OPENSSL_CNF="-config $OPENSSL_DIR/apps/openssl.cnf"

# Directory where certificates are stored

CERTS_DIR=./Certs

# Directory where private key files are stored

KEYS_DIR=$CERTS_DIR

# Directory where combo files (containing a certificate and corresponding

# private key together) are stored

COMBO_DIR=$CERTS_DIR

# cat command

CAT=/bin/cat

# rm command

RM=/bin/rm

# mkdir command

MKDIR=/bin/mkdir

# The certificate will expire these many days after the issue date.

DAYS=1500

TEST_CA_FILE=rsa1024TestCA

TEST_CA_DN="/C=US/ST=CA/L=Mountain View/O=Sun Microsystems, Inc./OU=Sun Microsystems Laboratories/CN=Test CA (1024 bit RSA)"

TEST_SERVER_FILE=rsa1024TestServer

TEST_SERVER_DN="/C=US/ST=CA/L=Mountain View/O=Sun Microsystems, Inc./OU=Sun Microsystems Laboratories/CN=Test Server (1024 bit RSA)"

TEST_CLIENT_FILE=rsa1024TestClient

TEST_CLIENT_DN="/C=US/ST=CA/L=Mountain View/O=Sun Microsystems, Inc./OU=Sun Microsystems Laboratories/CN=Test Client (1024 bit RSA)"

# Generating an EC certificate involves the following main steps

# 1. Generating curve parameters (if needed)

# 2. Generating a certificate request

# 3. Signing the certificate request

# 4. [Optional] One can combine the cert and private key into a single

# file and also delete the certificate request

$MKDIR -p $CERTS_DIR

$MKDIR -p $KEYS_DIR

$MKDIR -p $COMBO_DIR

echo "Generating self-signed CA certificate (RSA)"

echo "==========================================="

$OPENSSL_CMD req $OPENSSL_CNF -nodes -subj "$TEST_CA_DN" \

-keyout $KEYS_DIR/$TEST_CA_FILE.key.pem \

-newkey rsa:1024 -new \

-out $CERTS_DIR/$TEST_CA_FILE.req.pem

$OPENSSL_CMD x509 -req -days $DAYS \

-in $CERTS_DIR/$TEST_CA_FILE.req.pem \

-extfile $OPENSSL_DIR/apps/openssl.cnf \

-extensions v3_ca \

-signkey $KEYS_DIR/$TEST_CA_FILE.key.pem \

-out $CERTS_DIR/$TEST_CA_FILE.cert.pem

# Display the certificate

$OPENSSL_CMD x509 -in $CERTS_DIR/$TEST_CA_FILE.cert.pem -text

# Place the certificate and key in a common file

$OPENSSL_CMD x509 -in $CERTS_DIR/$TEST_CA_FILE.cert.pem -issuer -subject \

> $COMBO_DIR/$TEST_CA_FILE.pem

$CAT $KEYS_DIR/$TEST_CA_FILE.key.pem >> $COMBO_DIR/$TEST_CA_FILE.pem

# Remove the cert request file (no longer needed)

$RM $CERTS_DIR/$TEST_CA_FILE.req.pem

echo "GENERATING A TEST SERVER CERTIFICATE (RSA)"

echo "=========================================="

$OPENSSL_CMD req $OPENSSL_CNF -nodes -subj "$TEST_SERVER_DN" \

-keyout $KEYS_DIR/$TEST_SERVER_FILE.key.pem \

-newkey rsa:1024 -new \

-out $CERTS_DIR/$TEST_SERVER_FILE.req.pem

$OPENSSL_CMD x509 -req -days $DAYS \

-in $CERTS_DIR/$TEST_SERVER_FILE.req.pem \

-CA $CERTS_DIR/$TEST_CA_FILE.cert.pem \

-CAkey $KEYS_DIR/$TEST_CA_FILE.key.pem \

-out $CERTS_DIR/$TEST_SERVER_FILE.cert.pem -CAcreateserial

# Display the certificate

$OPENSSL_CMD x509 -in $CERTS_DIR/$TEST_SERVER_FILE.cert.pem -text

# Place the certificate and key in a common file

$OPENSSL_CMD x509 -in $CERTS_DIR/$TEST_SERVER_FILE.cert.pem -issuer -subject \

> $COMBO_DIR/$TEST_SERVER_FILE.pem

$CAT $KEYS_DIR/$TEST_SERVER_FILE.key.pem >> $COMBO_DIR/$TEST_SERVER_FILE.pem

# Remove the cert request file (no longer needed)

$RM $CERTS_DIR/$TEST_SERVER_FILE.req.pem

echo "GENERATING A TEST CLIENT CERTIFICATE (RSA)"

echo "=========================================="

$OPENSSL_CMD req $OPENSSL_CNF -nodes -subj "$TEST_CLIENT_DN" \

-keyout $KEYS_DIR/$TEST_CLIENT_FILE.key.pem \

-newkey rsa:1024 -new \

-out $CERTS_DIR/$TEST_CLIENT_FILE.req.pem

$OPENSSL_CMD x509 -req -days $DAYS \

-in $CERTS_DIR/$TEST_CLIENT_FILE.req.pem \

-CA $CERTS_DIR/$TEST_CA_FILE.cert.pem \

-CAkey $KEYS_DIR/$TEST_CA_FILE.key.pem \

-out $CERTS_DIR/$TEST_CLIENT_FILE.cert.pem -CAcreateserial

# Display the certificate

$OPENSSL_CMD x509 -in $CERTS_DIR/$TEST_CLIENT_FILE.cert.pem -text

# Place the certificate and key in a common file

$OPENSSL_CMD x509 -in $CERTS_DIR/$TEST_CLIENT_FILE.cert.pem -issuer -subject \

> $COMBO_DIR/$TEST_CLIENT_FILE.pem

$CAT $KEYS_DIR/$TEST_CLIENT_FILE.key.pem >> $COMBO_DIR/$TEST_CLIENT_FILE.pem

# Remove the cert request file (no longer needed)

$RM $CERTS_DIR/$TEST_CLIENT_FILE.req.pem

ECCcertgen.sh文件内容：

#!/bin/sh

# For a list of supported curves, use "apps/openssl ecparam -list_curves".

# Path to the openssl distribution

OPENSSL_DIR=../..

# Path to the openssl program

OPENSSL_CMD=$OPENSSL_DIR/apps/openssl

# Option to find configuration file

OPENSSL_CNF="-config $OPENSSL_DIR/apps/openssl.cnf"

# Directory where certificates are stored

CERTS_DIR=./Certs

# Directory where private key files are stored

KEYS_DIR=$CERTS_DIR

# Directory where combo files (containing a certificate and corresponding

# private key together) are stored

COMBO_DIR=$CERTS_DIR

# cat command

CAT=/bin/cat

# rm command

RM=/bin/rm

# mkdir command

MKDIR=/bin/mkdir

# The certificate will expire these many days after the issue date.

DAYS=1500

TEST_CA_CURVE=secp160r1

TEST_CA_FILE=secp160r1TestCA

TEST_CA_DN="/C=US/ST=CA/L=Mountain View/O=Sun Microsystems, Inc./OU=Sun Microsystems Laboratories/CN=Test CA (Elliptic curve secp160r1)"

TEST_SERVER_CURVE=secp160r2

TEST_SERVER_FILE=secp160r2TestServer

TEST_SERVER_DN="/C=US/ST=CA/L=Mountain View/O=Sun Microsystems, Inc./OU=Sun Microsystems Laboratories/CN=Test Server (Elliptic curve secp160r2)"

TEST_CLIENT_CURVE=secp160r2

TEST_CLIENT_FILE=secp160r2TestClient

TEST_CLIENT_DN="/C=US/ST=CA/L=Mountain View/O=Sun Microsystems, Inc./OU=Sun Microsystems Laboratories/CN=Test Client (Elliptic curve secp160r2)"

# Generating an EC certificate involves the following main steps

# 1. Generating curve parameters (if needed)

# 2. Generating a certificate request

# 3. Signing the certificate request

# 4. [Optional] One can combine the cert and private key into a single

# file and also delete the certificate request

$MKDIR -p $CERTS_DIR

$MKDIR -p $KEYS_DIR

$MKDIR -p $COMBO_DIR

echo "Generating self-signed CA certificate (on curve $TEST_CA_CURVE)"

echo "==============================================================="

$OPENSSL_CMD ecparam -name $TEST_CA_CURVE -out $TEST_CA_CURVE.pem

# Generate a new certificate request in $TEST_CA_FILE.req.pem. A

# new ecdsa (actually ECC) key pair is generated on the parameters in

# $TEST_CA_CURVE.pem and the private key is saved in $TEST_CA_FILE.key.pem

# WARNING: By using the -nodes option, we force the private key to be

# stored in the clear (rather than encrypted with a password).

$OPENSSL_CMD req $OPENSSL_CNF -nodes -subj "$TEST_CA_DN" \

-keyout $KEYS_DIR/$TEST_CA_FILE.key.pem \

-newkey ec:$TEST_CA_CURVE.pem -new \

-out $CERTS_DIR/$TEST_CA_FILE.req.pem

# Sign the certificate request in $TEST_CA_FILE.req.pem using the

# private key in $TEST_CA_FILE.key.pem and include the CA extension.

# Make the certificate valid for 1500 days from the time of signing.

# The certificate is written into $TEST_CA_FILE.cert.pem

$OPENSSL_CMD x509 -req -days $DAYS \

-in $CERTS_DIR/$TEST_CA_FILE.req.pem \

-extfile $OPENSSL_DIR/apps/openssl.cnf \

-extensions v3_ca \

-signkey $KEYS_DIR/$TEST_CA_FILE.key.pem \

-out $CERTS_DIR/$TEST_CA_FILE.cert.pem

# Display the certificate

$OPENSSL_CMD x509 -in $CERTS_DIR/$TEST_CA_FILE.cert.pem -text

# Place the certificate and key in a common file

$OPENSSL_CMD x509 -in $CERTS_DIR/$TEST_CA_FILE.cert.pem -issuer -subject \

> $COMBO_DIR/$TEST_CA_FILE.pem

$CAT $KEYS_DIR/$TEST_CA_FILE.key.pem >> $COMBO_DIR/$TEST_CA_FILE.pem

# Remove the cert request file (no longer needed)

$RM $CERTS_DIR/$TEST_CA_FILE.req.pem

echo "GENERATING A TEST SERVER CERTIFICATE (on elliptic curve $TEST_SERVER_CURVE)"

echo "=========================================================================="

# Generate parameters for curve $TEST_SERVER_CURVE, if needed

$OPENSSL_CMD ecparam -name $TEST_SERVER_CURVE -out $TEST_SERVER_CURVE.pem

# Generate a new certificate request in $TEST_SERVER_FILE.req.pem. A

# new ecdsa (actually ECC) key pair is generated on the parameters in

# $TEST_SERVER_CURVE.pem and the private key is saved in

# $TEST_SERVER_FILE.key.pem

# WARNING: By using the -nodes option, we force the private key to be

# stored in the clear (rather than encrypted with a password).

$OPENSSL_CMD req $OPENSSL_CNF -nodes -subj "$TEST_SERVER_DN" \

-keyout $KEYS_DIR/$TEST_SERVER_FILE.key.pem \

-newkey ec:$TEST_SERVER_CURVE.pem -new \

-out $CERTS_DIR/$TEST_SERVER_FILE.req.pem

# Sign the certificate request in $TEST_SERVER_FILE.req.pem using the

# CA certificate in $TEST_CA_FILE.cert.pem and the CA private key in

# $TEST_CA_FILE.key.pem. Since we do not have an existing serial number

# file for this CA, create one. Make the certificate valid for $DAYS days

# from the time of signing. The certificate is written into

# $TEST_SERVER_FILE.cert.pem

$OPENSSL_CMD x509 -req -days $DAYS \

-in $CERTS_DIR/$TEST_SERVER_FILE.req.pem \

-CA $CERTS_DIR/$TEST_CA_FILE.cert.pem \

-CAkey $KEYS_DIR/$TEST_CA_FILE.key.pem \

-out $CERTS_DIR/$TEST_SERVER_FILE.cert.pem -CAcreateserial

# Display the certificate

$OPENSSL_CMD x509 -in $CERTS_DIR/$TEST_SERVER_FILE.cert.pem -text

# Place the certificate and key in a common file

$OPENSSL_CMD x509 -in $CERTS_DIR/$TEST_SERVER_FILE.cert.pem -issuer -subject \

> $COMBO_DIR/$TEST_SERVER_FILE.pem

$CAT $KEYS_DIR/$TEST_SERVER_FILE.key.pem >> $COMBO_DIR/$TEST_SERVER_FILE.pem

# Remove the cert request file (no longer needed)

$RM $CERTS_DIR/$TEST_SERVER_FILE.req.pem

echo "GENERATING A TEST CLIENT CERTIFICATE (on elliptic curve $TEST_CLIENT_CURVE)"

echo "=========================================================================="

# Generate parameters for curve $TEST_CLIENT_CURVE, if needed

$OPENSSL_CMD ecparam -name $TEST_CLIENT_CURVE -out $TEST_CLIENT_CURVE.pem

# Generate a new certificate request in $TEST_CLIENT_FILE.req.pem. A

# new ecdsa (actually ECC) key pair is generated on the parameters in

# $TEST_CLIENT_CURVE.pem and the private key is saved in

# $TEST_CLIENT_FILE.key.pem

# WARNING: By using the -nodes option, we force the private key to be

# stored in the clear (rather than encrypted with a password).

$OPENSSL_CMD req $OPENSSL_CNF -nodes -subj "$TEST_CLIENT_DN" \

-keyout $KEYS_DIR/$TEST_CLIENT_FILE.key.pem \

-newkey ec:$TEST_CLIENT_CURVE.pem -new \

-out $CERTS_DIR/$TEST_CLIENT_FILE.req.pem

# Sign the certificate request in $TEST_CLIENT_FILE.req.pem using the

# CA certificate in $TEST_CA_FILE.cert.pem and the CA private key in

# $TEST_CA_FILE.key.pem. Since we do not have an existing serial number

# file for this CA, create one. Make the certificate valid for $DAYS days

# from the time of signing. The certificate is written into

# $TEST_CLIENT_FILE.cert.pem

$OPENSSL_CMD x509 -req -days $DAYS \

-in $CERTS_DIR/$TEST_CLIENT_FILE.req.pem \

-CA $CERTS_DIR/$TEST_CA_FILE.cert.pem \

-CAkey $KEYS_DIR/$TEST_CA_FILE.key.pem \

-out $CERTS_DIR/$TEST_CLIENT_FILE.cert.pem -CAcreateserial

# Display the certificate

$OPENSSL_CMD x509 -in $CERTS_DIR/$TEST_CLIENT_FILE.cert.pem -text

# Place the certificate and key in a common file

$OPENSSL_CMD x509 -in $CERTS_DIR/$TEST_CLIENT_FILE.cert.pem -issuer -subject \

> $COMBO_DIR/$TEST_CLIENT_FILE.pem

$CAT $KEYS_DIR/$TEST_CLIENT_FILE.key.pem >> $COMBO_DIR/$TEST_CLIENT_FILE.pem

# Remove the cert request file (no longer needed)

$RM $CERTS_DIR/$TEST_CLIENT_FILE.req.pem

需要注意目录中的斜线和引号。