OpenSSL certificate generation: exporting a P12-format personal certificate from a certificate and private key


1. Generate the CA certificate

1.1 Generate the CA private key

openssl genrsa -out cakey.pem 2048

1.2 Generate the certificate request for the self-signed CA

openssl req -new -key cakey.pem -subj "/CN=Example Root CA" -out cacsr.pem

1.3 Self-sign the CA certificate

openssl x509 -req -in cacsr.pem -signkey cakey.pem -days 999 -out cacert.pem

2. Generate the personal certificate

2.1 Generate the private key for the personal certificate

openssl genrsa -out alicekey.pem 2048

2.2 Generate the personal certificate request

openssl req -new -key alicekey.pem -subj "/emailAddress=alice@example.com" -out alicecsr.pem

2.3 Issue the personal certificate (signed by the CA)

openssl x509 -req -in alicecsr.pem -CA cacert.pem -CAkey cakey.pem -days 999 -set_serial 01 -out alicecert.pem

3. Combine the certificate and private key into a P12-format personal certificate

openssl pkcs12 -export -in alicecert.pem -inkey alicekey.pem -certfile cacert.pem -out alice.p12

4. Extract the personal certificate from the P12 file

openssl pkcs12 -in alice.p12 -nokeys -clcerts -out alicecert.pem

5. Extract the private key of the personal certificate

openssl pkcs12 -in alice.p12 -nocerts -out alicekey.pem

6. Extract the CA certificate

openssl pkcs12 -in alice.p12 -nokeys -cacerts -out cacert.pem

Notes:

1. When bundling the CA certificate, the difference between -certfile and -CAfile (from http://arstechnica.com/civis/viewtopic.php?p=24680099):
You're right, the documentation is confusing (man page here*), but I think I've figured it out, after some testing:
-certfile adds all certificates in that file to the .p12 store (in addition to the input certificate).
-CAfile and -CApath are used to build the "standard CA store" (just as they do for openssl s_client), which is only used with the -chain option, which will add the entire certification chain for the input certificate to the .p12, assuming it can be found in that file and/or directory. Without the -chain option they do nothing.
* Also, most distros supply man pages for the openssl subcommands under the subcommand name, e.g. pkcs(1).
See also http://openssl.6102.n7.nabble.com/How-to-include-intermediate-in-pkcs12-td49603.html
A lot of things on the Internet are wrong. The OpenSSL man page does not say multiple occurrences work and I'm pretty sure it never did, nor did the code. In general OpenSSL commandlines don't handle repeated options; the few exceptions are noted. pkcs12 -caname (NOT -cafile) IS one of the few that can be repeated, and possibly some things on the Internet got that confused. However, the commandlines (at least usually?) don't *diagnose* repeated (and overridden) options.

pkcs12 -export gets certs from up to three places:
- the input file (-in if specified else stdin redirected or piped)
- -certfile if specified (once, as you saw)
- the truststore if -CAfile and/or -CApath specified IF NEEDED

In other words, any cert in infile or certfile is always in the output, needed or not. If that set does not provide a complete chain, pkcs12 will try to complete it using the truststore if specified, but will produce output even if it remains incomplete.

Like other commandlines, and many programs using the library, the truststore can be a single file with -CAfile (NOT -cafile) or a directory of hash-named links or files with -CApath or both.

If the cert you are putting in pkcs12 is under a CA that you trust other peers to use and thus you have in your truststore, easiest to use it from there. Similarly if your cert is under an intermediate (or several) that you have in your truststore to allow peers to use even if the peers don't send (as they should), easiest to use from there. Otherwise IMO it's easiest to just put in infile or -certfile (or a combination), although the option of temporarily creating or modifying a truststore works.

Whether to do your truststore with CAfile or CApath or both is a more general question and depends partly on whether you use somebody's package. For example the curl website supplies the Mozilla truststore in CAfile format; when I want to use that I don't bother converting to CApath format.

From: [hidden email] [[hidden email]] On Behalf Of Edward Ned Harvey (openssl)
Sent: Tuesday, April 22, 2014 15:31
To: [hidden email]
Subject: *** Spam *** How to include intermediate in pkcs12?

A bunch of things on the internet say to do "-cafile intermediate.pem -cafile root.pem" or "-certfile intermediate.pem -certfile root.pem" and they explicitly say that calling these command-line options more than once is ok and will result in both the certs being included in the final pkcs12... But I have found this to be untrue.

I have found, that if I concatenate intermediate & root into a single glom file, and then I specify -certfile once for the glom, then my pfx file will include the complete chain. But if I use -certfile twice, I get no intermediate in my pfx. And I just wasted more time than I care to describe, figuring this out.

So... While concatenation/glom is a viable workaround, I'd like to know, what's supposed to work? And was it a new feature introduced after a certain rev or something? I have OpenSSL 0.9.8y command-line on Mac OSX, and OpenSSL 1.0.1e command-line on cygwin. I believe I've seen the same behavior in both.

How -CAfile is handled in the pkcs12 export code (only reached when -chain is given):

/* If chaining get chain from user cert */
if (chain) {
    int vret;
    STACK_OF(X509) *chain2;
    X509_STORE *store = X509_STORE_new();
    if (!store) {
        BIO_printf(bio_err, "Memory allocation error\n");
        goto export_end;
    }
    /* -CAfile/-CApath populate the trust store; fall back to the default paths */
    if (!X509_STORE_load_locations(store, CAfile, CApath))
        X509_STORE_set_default_paths(store);
    /* Build (and verify) the chain of the user certificate against that store */
    vret = get_cert_chain(ucert, store, &chain2);
    X509_STORE_free(store);
    if (!vret) {
        /* Exclude verified certificate (index 0 is the user cert itself) */
        for (i = 1; i < sk_X509_num(chain2); i++)
            sk_X509_push(certs, sk_X509_value(chain2, i));
        /* Free first certificate */
        X509_free(sk_X509_value(chain2, 0));
        sk_X509_free(chain2);
    } else {
        if (vret >= 0)
            BIO_printf(bio_err, "Error %s getting chain.\n",
                       X509_verify_cert_error_string(vret));
        else
            ERR_print_errors(bio_err);
        goto export_end;
    }
}

How -certfile is handled in the pkcs12 export code:

/* Add any more certificates asked for */
if (certfile) {
    STACK_OF(X509) *morecerts = NULL;
    if (!(morecerts = load_certs(bio_err, certfile, FORMAT_PEM,
                                 NULL, e,
                                 "certificates from certfile")))
        goto export_end;
    /* Every certificate in the file is appended, whether the chain needs it or not */
    while (sk_X509_num(morecerts) > 0)
        sk_X509_push(certs, sk_X509_shift(morecerts));
    sk_X509_free(morecerts);
}

2. The -name option sets the friendly name of the personal certificate; without it, some garbled text may be shown instead when the certificate is imported.
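The whole procedure (steps 1 to 3) together with both notes, as an added shell example that is not part of the original post: it builds the same CA and personal certificate under the article's file names and subjects, exports the P12 three ways (-certfile, -chain -CAfile, and -CAfile without -chain) and counts the certificates each variant actually contains. It assumes the openssl CLI is on PATH; the export password "secret" is a constructed value, and the one deviation from the article's commands is that the CA certificate is given basicConstraints CA:TRUE, which OpenSSL's chain verifier requires on a version-3 CA certificate before it will build a chain through it.

```shell
#!/bin/sh
# Added example (not from the original post). Reproduces the article's CA and
# personal certificate, then exports the P12 three ways and counts the
# certificates each variant really contains. Assumes the openssl CLI is on PATH.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "skipped: openssl CLI not found" >&2; exit 0; }

# Steps 1 and 2 of the article, same file names and subjects. Only addition: the CA
# gets basicConstraints CA:TRUE, which OpenSSL's verifier requires on a v3 CA cert.
make_certs() {
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' >ca_ext.cnf
    openssl genrsa -out cakey.pem 2048 2>/dev/null
    openssl req -new -key cakey.pem -subj "/CN=Example Root CA" -out cacsr.pem
    openssl x509 -req -in cacsr.pem -signkey cakey.pem -days 999 -extfile ca_ext.cnf \
        -out cacert.pem 2>/dev/null
    openssl genrsa -out alicekey.pem 2048 2>/dev/null
    openssl req -new -key alicekey.pem -subj "/emailAddress=alice@example.com" -out alicecsr.pem
    openssl x509 -req -in alicecsr.pem -CA cacert.pem -CAkey cakey.pem -days 999 \
        -set_serial 01 -out alicecert.pem 2>/dev/null
    # Refuse to package a certificate that does not chain to our CA.
    openssl verify -CAfile cacert.pem alicecert.pem >/dev/null
}

# export_p12 OUTFILE PASSWORD [extra pkcs12 options]
# The export password is passed via the environment (-passout env:), not on argv,
# and -name sets the friendly name so importers display "alice" (note 2).
export_p12() {
    out=$1; pass=$2; shift 2
    P12PASS="$pass" openssl pkcs12 -export -in alicecert.pem -inkey alicekey.pem \
        -name "alice" -passout env:P12PASS -out "$out" "$@"
}

# Number of certificates stored in a PKCS#12 file (password "secret" is constructed).
p12_cert_count() {
    P12PASS="$2" openssl pkcs12 -in "$1" -nokeys -passin env:P12PASS | grep -c 'BEGIN CERTIFICATE'
}

work=$(mktemp -d); trap 'rm -rf "$work"' EXIT; cd "$work"
make_certs
export_p12 certfile.p12 secret -certfile cacert.pem      # every cert in the file is copied in
export_p12 chain.p12    secret -chain -CAfile cacert.pem # CA taken from the trust store to complete the chain
export_p12 cafile.p12   secret -CAfile cacert.pem        # without -chain the trust store is never consulted
for f in certfile.p12 chain.p12 cafile.p12; do
    echo "$f: $(p12_cert_count "$f" secret) certificate(s)"   # prints 2, 2 and 1
done
```

The third export is the trap note 1 describes: -CAfile alone is accepted silently and the CA certificate is simply absent from the resulting file.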
