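@echo off
setlocal EnableExtensions EnableDelayedExpansion

REM ==================================================
REM ============== KONFIGURATION =====================
REM ==================================================
REM Creates an RSA-4096 key pair, a CSR and a self-signed certificate whose
REM signature uses RSASSA-PSS (SHA-256, 32-byte salt). The private key is
REM encrypted with AES-256; openssl prompts for the passphrase interactively.
REM Every openssl step is checked: the script stops at the first failure
REM instead of continuing with missing files and then deleting them.
REM NOTE(review): the key is written to the current directory and inherits
REM that directory's ACLs - run this from a folder only the intended user can read.

REM Path to OpenSSL (quoted because of the space in "Program Files")
set OPENSSL_PATH="C:\Program Files\OpenSSL-Win64\bin\openssl.exe"

REM Certificate subject
set DN_CN=hsp-software.de
set DN_EMAIL=bzst@hsp-software.de
set DN_O=hsp Handels-Software-Partner GmbH
set DN_L=Hamburg
set DN_ST=Hamburg
set DN_C=DE

REM (Temporary) file names; only PRIVATE_KEY and CERT remain at the end
set OPENSSL_CNF=openssl-pss.cnf
set PRIVATE_KEY=private_key.pem
set PUBLIC_KEY=public_key.pem
set CSR=csr.pem
set CERT=certificate.pem

REM ==================================================
REM ============== PRE-FLIGHT CHECKS =================
REM ==================================================

if not exist %OPENSSL_PATH% (
  echo ERROR: openssl not found at %OPENSSL_PATH%
  goto :fail
)

REM Refuse to overwrite an existing private key silently
if exist "%PRIVATE_KEY%" (
  echo ERROR: %PRIVATE_KEY% already exists - move it away first
  goto :fail
)

REM ==================================================
REM ============ OPENSSL CONFIG ======================
REM ==================================================

REM One redirected block instead of one ">>" per line: a digit directly before
REM ">>" (as in "= 4096>>") can be taken by cmd as a handle number, and a single
REM redirect is easier to read. DN values must not contain ")" or "!".
(
  echo [ req ]
  echo default_bits        = 4096
  echo default_md          = sha256
  echo distinguished_name  = dn
  echo string_mask         = utf8only
  echo x509_extensions     = v3_ca
  echo.
  echo [ dn ]
  echo CN = %DN_CN%
  echo emailAddress = %DN_EMAIL%
  echo O = %DN_O%
  echo L = %DN_L%
  echo ST = %DN_ST%
  echo C = %DN_C%
  echo.
  REM Section name is historical: CA:false makes this an end-entity certificate
  echo [ v3_ca ]
  echo subjectKeyIdentifier = hash
  echo authorityKeyIdentifier = keyid:always,issuer
  echo basicConstraints = CA:false
  echo keyUsage = digitalSignature, keyEncipherment
  echo extendedKeyUsage = clientAuth, serverAuth
  echo.
  echo [ req_ext ]
  echo keyUsage = digitalSignature, keyEncipherment
  echo extendedKeyUsage = clientAuth, serverAuth
) > "%OPENSSL_CNF%"
if errorlevel 1 goto :fail

REM ==================================================
REM ============== KEY GENERIERUNG ===================
REM ==================================================

REM Private key: 4096 bit, AES-256 encrypted (openssl asks for the passphrase).
REM A mismatched passphrase confirmation makes genpkey fail - caught below.
%OPENSSL_PATH% genpkey ^
 -algorithm RSA ^
 -aes256 ^
 -pkeyopt rsa_keygen_bits:4096 ^
 -out "%PRIVATE_KEY%"
if errorlevel 1 goto :fail

REM Public key (exported for convenience, removed again at the end)
%OPENSSL_PATH% rsa ^
 -in "%PRIVATE_KEY%" ^
 -pubout ^
 -out "%PUBLIC_KEY%"
if errorlevel 1 goto :fail

REM ==================================================
REM ============== CSR ERSTELLEN =====================
REM ==================================================

REM CSR with an explicit -subj so openssl does not prompt for the DN fields
%OPENSSL_PATH% req -new ^
 -key "%PRIVATE_KEY%" ^
 -out "%CSR%" ^
 -config "%OPENSSL_CNF%" ^
 -extensions req_ext ^
 -subj "/CN=%DN_CN%/emailAddress=%DN_EMAIL%/O=%DN_O%/L=%DN_L%/ST=%DN_ST%/C=%DN_C%"
if errorlevel 1 goto :fail

REM ==================================================
REM ========== ZERTIFIKAT SIGNIEREN ==================
REM ==================================================

REM Self-signed certificate, RSASSA-PSS with SHA-256; salt length 32 equals the
REM digest length. Valid for 10 years (3650 days).
%OPENSSL_PATH% x509 -req ^
 -in "%CSR%" ^
 -signkey "%PRIVATE_KEY%" ^
 -out "%CERT%" ^
 -days 3650 ^
 -extfile "%OPENSSL_CNF%" ^
 -extensions v3_ca ^
 -sigopt rsa_padding_mode:pss ^
 -sigopt rsa_pss_saltlen:32 ^
 -sha256
if errorlevel 1 goto :fail

REM Remove temporary files; the private key and the certificate remain
del "%OPENSSL_CNF%" "%CSR%" "%PUBLIC_KEY%"

echo.
echo Fertig
pause
exit /b 0

:fail
echo.
echo ERROR: aborted - temporary files were left in place for inspection.
pause
exit /b 1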
