截錄如下:
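rem Builds a private CA and one server certificate signed by it, packages
rem both as PKCS#12 (.pfx) files, then prints expiry dates and fingerprints.
rem
rem NOTE(review): every pass phrase below is a literal pass: argument, so it
rem is stored in this file and appears on the openssl command line while the
rem command runs. Treat the values as placeholders and replace them; openssl
rem also accepts env:VAR and file:PATH as pass phrase sources.

rem CA.key: CA private key, 4096-bit RSA, encrypted with PasswordCAKey.
rem AES-256 is used instead of the legacy -des3 cipher; the pass phrase that
rem later commands supply with -passin is unchanged.
c:openssl genrsa -out CA.key -aes256 -passout pass:PasswordCAKey 4096

rem CA.crt: self-signed CA certificate, valid for 382 days.
rem No -nodes or -passout here: with -key naming an existing key, req writes
rem no private key, so neither option has any effect.
c:openssl req -x509 -sha256 -new -days 382 -key CA.key -out CA.crt -passin pass:PasswordCAKey -config CAConfig.cnf

rem Cert.key: server private key, 2048-bit RSA, encrypted with PasswordCertKey.
rem A cipher option is required for -passout to take effect; without one,
rem genrsa ignores the pass phrase and writes the key unencrypted.
c:openssl genrsa -out Cert.key -aes256 -passout pass:PasswordCertKey 2048

rem Cert.csr: certificate signing request for the server key.
rem -passin unlocks the encrypted Cert.key. The CSR holds no private key, so
rem it takes no output pass phrase.
c:openssl req -new -sha256 -key Cert.key -out Cert.csr -passin pass:PasswordCertKey -config CertConfig.cnf

rem Cert.crt: server certificate signed by the CA, valid for 382 days.
rem Extensions are read from v3.ext - presumably the subjectAltName entries;
rem confirm against that file.
c:openssl x509 -req -in Cert.csr -CA CA.crt -CAkey CA.key -CAcreateserial -out Cert.crt -days 382 -sha256 -passin pass:PasswordCAKey -extfile v3.ext

rem CA.pfx: CA certificate plus CA private key as PKCS#12, for import into IIS.
rem NOTE(review): this bundle contains the CA signing key. Trusting the CA
rem only requires CA.crt, so keep CA.pfx off the web server unless the CA key
rem is really needed there.
c:openssl pkcs12 -export -in CA.crt -inkey CA.key -out CA.pfx -passin pass:PasswordCAKey -passout pass:PasswordCAPfx

rem Cert.pfx: server certificate plus its private key as PKCS#12, for import
rem into IIS. PasswordPfx protects the bundle and is asked for at import time.
c:openssl pkcs12 -export -in Cert.crt -inkey Cert.key -out Cert.pfx -passin pass:PasswordCertKey -passout pass:PasswordPfx

rem Show the expiry date and SHA-256 fingerprint of the CA and server
rem certificates, so they can be compared with what clients later see.
echo.
echo CA.crt:
c:openssl x509 -enddate -fingerprint -sha256 -noout -in CA.crt
echo.
echo Cert.crt:
c:openssl x509 -enddate -fingerprint -sha256 -noout -in Cert.crt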
執行紀錄:
Certificate request self-signature ok
subject=C = TW, ST = Taiwan, L = Taipei, O = 011IdvTw, OU = WWW011IdvTw, emailAddress = 011netservice@gmail.com, CN = *.011.idv.tw
CA.crt:
notAfter=Jan 1 03:11:25 2024 GMT
sha256 Fingerprint=4F:A2:E3:32:51:DF:F3:C3:84:AF:66:F8:0D:04:74:9E:10:59:92:8D:61:7A:82:F3:3D:A4:B7:3A:A1:5C:0E:D8
Cert.crt:
notAfter=Jan 1 03:11:26 2024 GMT
sha256 Fingerprint=41:8F:37:E2:28:34:A5:03:16:39:68:3D:2B:3A:0C:58:C3:A2:83:13:BE:FB:21:0B:05:8D:81:5E:48:6A:D3:D6