OpenSSL command-line problem
Edit: Haven't solved my problems, but I've moved on to new and more exciting problems.
Leaving this here in case anyone has any insight that'll help someone who stumbles onto this question in the future.
Hi,
I'm attempting to send an encrypted email from PHP to Outlook. As such, I need to generate a certificate to import into Outlook. I had no problem generating a set of keys using openssl and the CA.pl script that comes with it, but when I try to run the command to generate the PKCS12 file to import into Outlook it complains about a missing "demoCA" directory. It appears this directory is a part of openssl, and is referenced in the openssl config... but I have no idea where it is. I've searched the drive in many ways from grep to Spotlight (on OS X, though I really wasn't expecting Spotlight to find anything), and can't come up with anything.
The command I was trying to run is:
$ openssl ca -cert newcert.pem -ss_cert newcert.pem
Using configuration from /sw/etc/ssl/openssl.cnf
./demoCA/private/cakey.pem: No such file or directory trying to load CA private key
19918:error:02001002:system library:fopen:No such file or directory:bss_file.c:245:fopen('./demoCA/private/cakey.pem','r')
19918:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:247:
I am a bit of a noob when it comes to encryption / SSL, so I might be missing something stupid (I'm sure of it, haha).
You should create a new CA by means of the script provided, which is easier than just handling all the openssl options. You can do this by means of openssl bundled with Cygwin inside Windows itself or use your favourite Unix distro. I will show you how to do it with bash scripts (but perl scripts should be the same).
This creates the demoCA directory with the CA certificate inside it. As you invoke the above command you will be prompted for the fields of the CA certificate (CN, OU, etc.) and the CA private key passphrase.
Now you can create certificate requests or certificates from certificate requests.
This prompts for the new certificate request's fields and the passphrase to encrypt the generated private key. By default the request is left in the same directory as CA.sh (newreq.pem). It is important that you use as CN (Common Name) the email address you have.
Now you only need to sign it and you have a full-blown certificate.
This will generate newcert.pem, which is the signed certificate request. You have your certificate; you only need to pack the certificate and the private key inside a PFX or P12 file, which Microsoft CSP recognizes.
Then copy the contents of newreq.pem and newcert.pem into a file.
And now generate the P12 file by means of the openssl shell (this time we don't have the help of any script). It will prompt you for the passphrase you used when the request was generated and then the export password (to encrypt the private key inside the p12 file).
Et voilà. You have a PKCS#12 file that you can double-click in Windows to import it into your keystore and use it as a mail signing certificate (I don't remember if default options are enough or you need to specify some additional attributes when creating the certificate so Outlook recognizes it as an e-mail signing certificate). You will also need to import the CA certificate as a trusted CA (copy cacert.pem, which is inside the demoCA directory, to cacert.cer and double-click it to import).
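The procedure in the answer, carried through end to end as an added example; this is not code from the question, the answer, or the OpenSSL project's CA.pl. It also shows why the command in the question failed: openssl ca reads dir = ./demoCA from openssl.cnf and resolves it relative to the current directory, so the directory is not shipped with OpenSSL but created by CA.pl -newca (here by demo_ca_init) in whatever directory you happen to be in. The script assumes only that an openssl binary is on PATH; the configuration file name ca.cnf, the subject names, the file names and the passphrases are all constructed for the demo. The usr_cert section adds extendedKeyUsage = emailProtection and copies the address into subjectAltName, which are the attributes an S/MIME client checks for, and the PKCS#12 export uses AES rather than the legacy RC2/3DES defaults of older OpenSSL releases.

```shell
#!/bin/sh
# Added example, not code from the question or the answer. Rebuilds what
# CA.pl -newca / -newreq / -sign do, then exports PKCS#12, non-interactively.
# Assumes "openssl" on PATH; all names and passphrases below are constructed.
set -eu
# Minimal openssl.cnf. "dir = ./demoCA" is the line behind the asker's error:
# openssl ca resolves it relative to the current directory, and nothing creates
# it until a CA is set up there (CA.pl -newca, or demo_ca_init below).
write_demo_ca_config() {
    cat > ca.cnf <<'EOF'
[ ca ]
default_ca      = CA_default

[ CA_default ]
dir             = ./demoCA
database        = $dir/index.txt
new_certs_dir   = $dir/newcerts
serial          = $dir/serial
certificate     = $dir/cacert.pem
private_key     = $dir/private/cakey.pem
default_days    = 365
default_md      = sha256
policy          = policy_smime
x509_extensions = usr_cert

[ policy_smime ]
commonName      = supplied
emailAddress    = optional

[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ usr_cert ]
basicConstraints = CA:FALSE
keyUsage         = critical, digitalSignature, keyEncipherment
extendedKeyUsage = emailProtection
subjectAltName   = email:copy
EOF
}

# Step 1 (CA.pl -newca): directory layout plus a self-signed CA certificate.
demo_ca_init() {
    mkdir -p demoCA/private demoCA/newcerts
    chmod 700 demoCA/private        # the CA key must not be readable by others
    : > demoCA/index.txt            # empty database of issued certificates
    echo 01 > demoCA/serial         # next serial number, hexadecimal
    openssl req -x509 -config ca.cnf -extensions v3_ca -newkey rsa:2048 \
        -keyout demoCA/private/cakey.pem -out demoCA/cacert.pem -days 365 \
        -subj "/CN=Demo Test CA" -passout pass:ca-passphrase
}

# Step 2 (CA.pl -newreq): user key and request; CN is the mail address, and
# emailAddress is set so "email:copy" can place it in subjectAltName.
demo_ca_newreq() {
    openssl req -new -config ca.cnf -newkey rsa:2048 -keyout newkey.pem \
        -out newreq.pem -subj "/CN=user@example.com/emailAddress=user@example.com" \
        -passout pass:req-passphrase
}

# Step 3 (CA.pl -sign): the CA issues the certificate; -batch skips prompts.
demo_ca_sign() {
    openssl ca -config ca.cnf -batch -notext -in newreq.pem -out newcert.pem \
        -passin pass:ca-passphrase
}

# Step 4: key + certificate + CA certificate into one PKCS#12 for import,
# with AES for both bags instead of the older RC2/3DES defaults.
demo_ca_pkcs12() {
    openssl pkcs12 -export -in newcert.pem -inkey newkey.pem \
        -certfile demoCA/cacert.pem -name "user@example.com" -out user.p12 \
        -keypbe AES-256-CBC -certpbe AES-256-CBC \
        -passin pass:req-passphrase -passout pass:export-passphrase
}

# Run all steps inside WORKDIR (created if missing); the caller's cwd is kept.
demo_ca_run() {
    mkdir -p "$1"
    ( cd "$1" && write_demo_ca_config && demo_ca_init && demo_ca_newreq \
        && demo_ca_sign && demo_ca_pkcs12 )
}

# Checks: chain verifies, S/MIME EKU present, PKCS#12 opens with export password.
demo_ca_verify() {
    ( cd "$1" \
        && openssl verify -CAfile demoCA/cacert.pem newcert.pem >/dev/null \
        && openssl x509 -in newcert.pem -noout -text | grep -q 'E-mail Protection' \
        && openssl pkcs12 -in user.p12 -nokeys -clcerts \
               -passin pass:export-passphrase 2>/dev/null | grep -q 'BEGIN CERTIFICATE' )
}

# Stand-alone use: sh demo_ca.sh --run
if [ "${1:-}" = "--run" ]; then
    demo_ca_run ./demo-ca-work && demo_ca_verify ./demo-ca-work \
        && echo "OK: ./demo-ca-work/user.p12 ready to import"
fi
```

Run it from any directory: the whole CA lives under the work directory you pass, so the "./demoCA/private/cakey.pem: No such file or directory" message from the question only appears if openssl ca is started from somewhere else. For a real deployment the pass: arguments would be replaced by file: or env: sources so the passphrases do not end up in shell history or process listings.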