OpenSSL pkcs12: export the chained CA certificate separately

Posted 2025-01-13 08:17:30

I have a cert chain that looks like this:

  • Global CA
    • Intermediate CA
      • MyCert

I am using openssl.exe to create .cer files from MyCert.pfx, and I want the generated cert to contain the client cert first, followed by the Intermediate CA cert. The end result should look something like this:

Bag Attributes
  <mycert attributes>

-----BEGIN CERTIFICATE-----
  <mycert data>
-----END CERTIFICATE-----  

Bag Attributes
  <intermediate ca attributes>

-----BEGIN CERTIFICATE-----
  <intermediate ca data>
-----END CERTIFICATE-----  

I can get the first cert by running

openssl pkcs12 -in MyCert.pfx -clcerts -nokeys -password pass:mypassword -out mycert.cer

And I can run the command to get the CA certs in the chain like this

openssl pkcs12 -in MyCert.pfx -cacerts -nokeys -password pass:mypassword -out cacert.cer

But this generates a file with both the Global CA and the Intermediate CA certs.

Is there a way to specify only the Intermediate CA by CN or something?

I can get the content out of the file but was hoping for a cleaner solution.

染墨丶若流云 2025-01-20 08:17:30

Well I opted for the gross way... Here it is.

# Generate the client cert
&"$opensslPath\openssl.exe" pkcs12 -in "$($filepathforCert).pfx" -clcerts -nokeys -out "$($filepathforCert)-fullchain.crt" -password pass:$certPassword

# Generate the CA certs in the chain
&"$opensslPath\openssl.exe" pkcs12 -in "$($filepathforCert).pfx" -cacerts -nokeys -out "$($filepathforCACert).crt" -password pass:$certPassword


# Combine certs
# The common name for the intermediate CA should be the same until 2031
$intermediateCaCn = "CN = DigiCert TLS RSA SHA256 2020 CA1"
$certBeginToken = "-----BEGIN CERTIFICATE-----"
$certEndToken = "-----END CERTIFICATE-----"

$intermediateCACertStart = (Select-String -Pattern $intermediateCaCn -Path "$($filepathforCACert).crt" -SimpleMatch | select-object -First 1).LineNumber
$firstCertStart = (Select-String -Pattern $certBeginToken -Path "$($filepathforCACert).crt" -SimpleMatch | select-object -First 1).LineNumber

$intermediateStartLine = 0
$intermediateEndLine = 0

# The beginning of the cert will always start after the CN
if($intermediateCACertStart -gt $firstCertStart)
{
    $intermediateStartLine = (Select-String -Pattern $certBeginToken -Path "$($filepathforCACert).crt" -SimpleMatch | select-object -Last 1).LineNumber
    $intermediateEndLine = (Select-String -Pattern $certEndToken -Path "$($filepathforCACert).crt" -SimpleMatch | select-object -Last 1).LineNumber
}
else
{
    $intermediateStartLine = $firstCertStart
    $intermediateEndLine = (Select-String -Pattern $certEndToken -Path "$($filepathforCACert).crt" -SimpleMatch | select-object -First 1).LineNumber
}

# number of lines from the BEGIN line to the END line (exclusive); the +1 below makes the range inclusive
$lineCount = ($intermediateEndLine - $intermediateStartLine)

$certContent = (Get-Content -Path "$($filepathforCACert).crt"| Select-Object -Skip ($intermediateStartLine - 1) -First ($lineCount +1))

Add-Content -Path "$($filepathforCert)-fullchain.crt" -Value $certContent
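A cleaner alternative to the line-number arithmetic above, added here as an example and not part of the question or the answer: parse the PEM text that `openssl pkcs12 -nokeys` writes into one record per certificate and pick the intermediate either by subject CN (what the question asked for) or by the fact that it is the only CA certificate that is not self-signed (which keeps working after the CN changes in 2031). The sample input strings, the `O = Example` organisation and the base64 certificate bodies are constructed placeholders; the function names are my own, not an OpenSSL API.

```python
"""Pick the intermediate CA out of `openssl pkcs12 -cacerts` PEM output.

Added example, not code from the question or the answer above. It reads the
text that `openssl pkcs12 -nokeys` writes (Bag Attributes, subject=, issuer=,
then one BEGIN/END block per certificate) and selects certificates by subject
CN or, more robustly, by "not self-signed". All certificate bodies below are
constructed placeholders, not real certificates.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"


@dataclass
class CertRecord:
    subject: str  # text after "subject=" in the bag attributes
    issuer: str   # text after "issuer=" in the bag attributes
    pem: str      # BEGIN..END block, delimiters included

    def cn(self) -> str:
        # Handles both "C = US, CN = x" (OpenSSL 1.1+/3.x) and "/C=US/CN=x" (1.0.x)
        m = re.search(r"\bCN\s*=\s*([^,/]+)", self.subject)
        return m.group(1).strip() if m else ""

    def is_self_signed(self) -> bool:
        # A root CA issues itself; an intermediate is issued by someone else.
        return self.subject == self.issuer


def parse_pkcs12_pem(text: str) -> list[CertRecord]:
    """Split `openssl pkcs12 -nokeys` PEM output into one record per cert."""
    records: list[CertRecord] = []
    subject = issuer = ""
    block: list[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if block:  # inside a BEGIN..END block
            block.append(line)
            if line == END:
                records.append(CertRecord(subject, issuer, "\n".join(block)))
                subject = issuer = ""
                block = []
        elif line.startswith("subject="):
            subject = line[len("subject="):].strip()
        elif line.startswith("issuer="):
            issuer = line[len("issuer="):].strip()
        elif line == BEGIN:
            block = [line]
    return records


def select_by_cn(records: list[CertRecord], cn: str) -> list[CertRecord]:
    """The 'specify it by CN' approach the question asks for."""
    return [r for r in records if r.cn() == cn]


def select_intermediates(records: list[CertRecord]) -> list[CertRecord]:
    """Every CA cert except the self-signed root; survives a CN change."""
    return [r for r in records if not r.is_self_signed()]


def build_fullchain(clcerts_text: str, cacerts_text: str) -> str:
    """Leaf first, then intermediates, each linked to the next by issuer."""
    leaf = parse_pkcs12_pem(clcerts_text)[0]
    chain = [leaf]
    remaining = select_intermediates(parse_pkcs12_pem(cacerts_text))
    # Order intermediates by following issuer -> subject links from the leaf
    while remaining:
        nxt = [r for r in remaining if r.subject == chain[-1].issuer]
        if not nxt:
            raise ValueError(f"no CA cert with subject {chain[-1].issuer!r}")
        chain.append(nxt[0])
        remaining.remove(nxt[0])
    return "\n".join(r.pem for r in chain) + "\n"


# Constructed sample of `openssl pkcs12 -clcerts -nokeys` output (fake body)
SAMPLE_CLCERTS = """Bag Attributes
    localKeyID: 01 02 03 04
subject=CN = MyCert
issuer=O = Example, CN = Intermediate CA
-----BEGIN CERTIFICATE-----
TVlDRVJULVBMQUNFSE9MREVS
-----END CERTIFICATE-----
"""

# Constructed sample of `openssl pkcs12 -cacerts -nokeys` output (fake bodies)
SAMPLE_CACERTS = """Bag Attributes: <No Attributes>
subject=O = Example, CN = Intermediate CA
issuer=O = Example, CN = Global CA
-----BEGIN CERTIFICATE-----
SU5URVJNRURJQVRFLVBMQUNFSE9MREVS
-----END CERTIFICATE-----
Bag Attributes: <No Attributes>
subject=O = Example, CN = Global CA
issuer=O = Example, CN = Global CA
-----BEGIN CERTIFICATE-----
Uk9PVC1QTEFDRUhPTERFUg==
-----END CERTIFICATE-----
"""

if __name__ == "__main__":
    print(build_fullchain(SAMPLE_CLCERTS, SAMPLE_CACERTS))
```

On real files, read `mycert.cer` and `cacert.cer` produced by the two `openssl pkcs12` commands in the question and pass their contents to `build_fullchain`, or pass the answer's CN, `DigiCert TLS RSA SHA256 2020 CA1`, to `select_by_cn`. The selection relies only on the `subject=` and `issuer=` lines OpenSSL prints, so it assembles the file but checks no signature; `openssl verify -CAfile` remains the check that the assembled chain actually validates.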