Openssl命令行的麻烦 [英] Openssl command line troubles

问题描述

编辑：没有解决我的问题，但我已经转移到新的更令人兴奋的问题。

如果有人有洞察力，这将帮助那些绊倒的人这个问题在未来。

Haven't solved my problems, but I've moved on to new and more exciting problems.
Leaving this here in case anyone has and insightful that'll help someone who stumbles on to this question in the future.

您好，
我试图将加密的电子邮件从php发送到Outlook。因此，我需要生成导入Outlook的证书。使用openssl和CA.pl脚本生成一组密钥时，我没有问题，但是当我尝试运行命令生成要导入到Outlook的PKCS12文件时，它会抱怨丢失的demoCA目录。看来这个目录是openssl的一部分，在openssl配置中引用...但我不知道它在哪里。我从许多方面搜索了驱动器，从grep到聚光灯（在os x上，虽然我真的不期待聚光灯找到任何东西），但也不能想出任何东西。

Hi, I'm attempting to send an encrypted email from php to outlook. As such, I need to generate a certificate to import into outlook. I had no problem generating a set of keys using openssl and the CA.pl script that comes with it, but when I try to run the command to generate the PKCS12 file to import into outlook it complains about a missing "demoCA" directory. It appears this directory is a part of openssl, and is referenced in the openssl config... but i have no idea where it is. I've searched the drive in many ways from grep to spotlight (on os x, though i really wasn't expecting spotlight to find anything), and can't come up with anything.

我试图运行的命令是：

$ openssl ca -cert newcert.pem -ss_cert newcert.pem
Using configuration from /sw/etc/ssl/openssl.cnf
./demoCA/private/cakey.pem: No such file or directory trying to load CA private key
19918:error:02001002:system library:fopen:No such file or directory:bss_file.c:245:fopen('./demoCA/private/cakey.pem','r')
19918:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:247:

我在加密/ SSL时有点noob，所以我可能会丢失一些愚蠢的东西（我确定如果是，哈哈）。

I am a bit of a noob when it comes to encryption / SSL, so I might be missing something stupid (I'm sure if it, haha).

推荐答案

您应该通过提供的脚本创建一个新的CA，这比只处理所有openssl选项更容易。您可以这样做是Windows内部与Cygwin捆绑的openssl的手段，或使用您最喜爱的Unix发行版。我会告诉你如何使用bash脚本（但是perl脚本应该是一样的）。

You should create a new CA by means of the script provided, which is easier than just handle all the openssl options. You can do this be means of openssl bundled with Cygwin inside Windows itself or use your favourite Unix distro. I will show you how to do it with bash scripts (but perl scripts should be the same).

$ ./CA.sh -newca

这将创建具有CA证书的demoCA目录。当您上述命令时，您将会提示CA证书（CN，OU等）和CA私钥密码的字段。

This creates demoCA directory with the CA certificate inside it. As you invoke above command you will be prompt about the fields of the CA certificate (CN, OU, etc.) and CA private key passphrase.

现在您可以创建证书请求或来自证书请求的证书。

Now you can create certificate requests or certificates from certificate requestes.

$ ./CA.sh -newreq

这将提示新的证书请求字段和密码以加密生成的私钥。默认情况下，请求与CA.sh（newreq.pem）在同一目录中。您必须以CN（通用名称）的形式使用您所拥有的电子邮件地址。

This prompts for a new certificate request fields and the passphrase to encrypt the private key generated. By default the request is left in the same directory as CA.sh (newreq.pem). It is important that you use as CN (Common Name) the email address you have.

现在您只需要签名并且拥有完整的证书。 p>

Now you only need to sign it and you have a full blown certificate.

$ ./CA.sh -sign

这将生成newcert.pem，它是签名的证书请求。您有证书，您只需要将证书和私钥打包在Microsoft CSP识别的PFX或P12文件中。

This will generate newcert.pem which is the signed certificate request. You have your certificate, you only need to pack the certificate and the private key inside a PFX or P12 file, that Microsoft CSP recognizes.

然后复制newreq的内容。 pem和newcert.pem转换成文件。

Then copy the contents of newreq.pem and newcert.pem into a file.

$ cat newreq.pem > keypair.pem
$ cat newcert.pem >> keypair.pem

现在，通过openssl shell生成P12文件（这次我们没有任何脚本的帮助）。它将提示您生成请求时使用的密码，然后提示导出密码（用于加密p12文件中的私钥）。

And now generate P12 file by means of openssl shell (this time we don't have the help of any script). It will prompt you for the passphrase you used when request was generated and then the export password (to encrypt private key inside p12 file).

$ openssl pkcs12 -export -in keypair.pem  -out mykeypair.p12
Enter pass phrase for keypair.pem:
Enter Export Password:
Verifying - Enter Export Password:

Etvoilà。您有一个PKCS＃12文件，您可以在Windows中双击并将其导入到密钥库，并将其用作邮件签名证书（我不记得默认选项是否足够，或者您需要在创建时指定一些其他属性证书，所以Outlook认可为电子邮件签名证书）。您还需要将CA证书作为受信任的CA导入（将cacert.pem复制到cccert.cer，该文件位于demoCA目录下，然后双击才能导入）。

Et voilà. You have a PKCS#12 file that you can double click in Windows and import it to your keystore and use it as a mail signing certificate (I don't remember if default options are enough or you need to specify some additional attributes when creating the certificate so Outlook recognizes as a e-mail signing certificate). You will also need to import CA certificate as a trusted CA (copy cacert.pem to cacert.cer that is inside demoCA directory and double click it to import).

这篇关于Openssl命令行的麻烦的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！