1.OpenSSL配置简介
在Windows环境下安装完OpenSSL后，需要修改openssl.cfg配置文件，把 [ CA_default ] 节中的 dir 项指向CA工作目录，修改内容如下：
dir= D:/developer/OpenSSL-Win64/bin/arcgisCA
同时还需要在上面配置的目录下创建 openssl ca 所需的子目录和数据库文件（certs、newcerts、private、crl、index.txt、serial）。注意脚本创建的目录名必须与 openssl.cfg 中的 dir 完全一致，否则 openssl ca 会找不到数据库。批处理脚本如下：
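@echo off
@rem One-time bootstrap of the directory layout that "openssl ca" expects:
@rem certs\, newcerts\, private\, crl\, an EMPTY index.txt and a serial file.
@rem Run once. Re-running on a populated CA would reset index.txt/serial, so
@rem the script refuses to reinitialise an existing CA database.
setlocal
set OPENSSL_HOME=D:\developer\OpenSSL-Win64
set PATH=%OPENSSL_HOME%\bin;%PATH%
@rem Must be the same directory as "dir=" in openssl.cfg
@rem (D:/developer/OpenSSL-Win64/bin/arcgisCA) and the one the issuing
@rem script changes into; the original created bin\CA instead, which openssl ca
@rem never looks at.
set CA_DIR=%OPENSSL_HOME%\bin\arcgisCA

if exist "%CA_DIR%\index.txt" (
  echo %CA_DIR% already holds a CA database - refusing to reinitialise it.
  exit /b 1
)

echo "1.创建证书存储主目录与子目录"
if not exist "%CA_DIR%" mkdir "%CA_DIR%" || exit /b 1
cd /d "%CA_DIR%" || exit /b 1
mkdir certs
mkdir newcerts
mkdir private
mkdir crl
@rem The CA private key is written to private\ by the issuing script. Drop the
@rem inherited ACL so only the current user can read it, not every local user.
icacls private /inheritance:r /grant:r "%USERNAME%:(OI)(CI)F" >nul || echo WARNING: could not restrict the ACL on private\

echo "2.创建index和serial文件"
@rem index.txt must start out empty: openssl ca parses it as a tab-separated
@rem database, and a stray "0" makes it refuse to sign ("wrong number of
@rem fields"). cmd also treats a digit directly before ">" as a handle number,
@rem so the original "echo 0>index.txt" did not write what it appeared to.
type nul > index.txt
@rem Redirect first so no trailing space follows the hex serial (OpenSSL
@rem rejects non-hex characters in the serial file).
>serial echo 01

echo "3.创建rand文件"
@rem Seed file for older OpenSSL builds; harmless on current ones.
openssl rand -out private/.rand 1000
endlocal
@rem openssl initial environment setup complete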
2.创建ArcGIS Enterprise证书批处理脚本
本脚本用于创建portal、server、datastore组件的证书。脚本生成的是自建私有CA签发的证书，客户端（浏览器、Java信任库等）必须先导入 certs/ca.cer 才会信任这些证书；生产环境下需要为各服务器生成SSL证书，建议使用组织内部CA或公共CA签发，也可在本脚本基础上根据需要修改。
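@echo off
@rem Issue the ArcGIS Enterprise (portal / server / datastore) TLS certificates
@rem from the private CA bootstrapped by the setup script.
@rem Outputs, relative to %CA_DIR%:
@rem   certs\ca.cer, certs\ca.p12               - root CA (import into trust stores)
@rem   newcerts\<name>.cer, newcerts\<name>.p12  - per-host cert + key for ArcGIS
@rem Every PKCS#12 export prompts for an export password: pick a strong one and
@rem do not record it in this script or its comments.
setlocal
set OPENSSL_HOME=D:\developer\OpenSSL-Win64
set PATH=%OPENSSL_HOME%\bin;%PATH%
@rem Use the openssl.cfg edited in step 1 (dir=.../arcgisCA) unless the caller
@rem already points OPENSSL_CONF elsewhere. Adjust the path if your cfg differs.
if not defined OPENSSL_CONF set OPENSSL_CONF=%OPENSSL_HOME%\bin\openssl.cfg
set CA_DIR=%OPENSSL_HOME%\bin\arcgisCA
@rem Leaf validity in days. Apple clients reject TLS server certificates valid
@rem for more than 825 days, so the original 10-year leaf certs fail there.
set LEAF_DAYS=825

cd /d "%CA_DIR%" || goto :fail

@rem ---------- Step 1: root CA ----------
echo "开始创建CA根证书......"
@rem Never overwrite an existing CA key: regenerating it silently would
@rem invalidate every certificate already issued and trusted.
if exist private\cakey.pem (
  echo private\cakey.pem already exists - refusing to overwrite the CA key.
  goto :fail
)
echo "1.创建CA私钥key"
@rem Consider "genrsa -aes256" to keep the CA key encrypted at rest; openssl ca
@rem will then prompt for the passphrase on every signing.
openssl genrsa -out private/cakey.pem 2048 || goto :fail
echo "2.创建自签发CA证书"
@rem CN names the issuing CA. NOTE(review): a wildcard hostname is an odd CA
@rem name; something like "xinli.local Root CA" reads better in trust stores.
@rem -extensions v3_ca requires a [ v3_ca ] section in openssl.cfg (present in
@rem the stock file).
openssl req -new -x509 -days 3650 -key private/cakey.pem -out certs/ca.cer -extensions v3_ca -subj "/C=CN/ST=GD/L=GZ/O=esrichina/OU=rdd/CN=*.xinli.local" || goto :fail
echo "3.导出cer证书为PKCS12格式"
openssl pkcs12 -export -in certs/ca.cer -inkey private/cakey.pem -out certs/ca.p12 || goto :fail
echo "4.检查证书内容"
@rem Check 1: openssl
openssl x509 -in certs/ca.cer -noout -text
@rem Check 2: keytool (replace <password> with the export password you chose)
@rem keytool -list -keystore certs/ca.p12 -storetype pkcs12 -v -storepass <password>
pause
echo "CA根证书创建完成......"
echo ......

@rem ---------- Steps 2-4: one certificate per ArcGIS component ----------
@rem The CA's default policy (policy_match) requires C/ST/O of each request to
@rem equal the CA's, so the subject in :issue must stay in sync with the CA subject.
call :issue portal    portal.xinli.local    || goto :fail
call :issue server    server.xinli.local    || goto :fail
call :issue datastore datastore.xinli.local || goto :fail
pause
endlocal
exit /b 0

:fail
echo A step failed - see the openssl output above. Stopping.
pause
endlocal
exit /b 1

@rem :issue NAME FQDN
@rem   Creates private\NAMEkey.pem, private\NAME.csr, newcerts\NAME.cer and
@rem   newcerts\NAME.p12 (cert + key + issuing CA) for the host FQDN.
@rem   Returns 1 as soon as any openssl step fails.
:issue
set NAME=%~1
set FQDN=%~2
echo "开始创建%NAME%服务器证书......"
echo "1.创建%NAME%证书私钥key"
openssl genrsa -out private/%NAME%key.pem 2048 || exit /b 1
echo "2.生成%NAME%证书请求文件"
@rem (-days has no effect on a CSR; validity is set when the CA signs below.)
openssl req -new -key private/%NAME%key.pem -out private/%NAME%.csr -subj "/C=CN/ST=GD/L=GZ/O=esrichina/OU=rdd/CN=%FQDN%" || exit /b 1
openssl req -text -noout -in private/%NAME%.csr
echo "3.CA根证书签发%NAME%证书"
@rem Browsers and Java ignore CN and match the hostname against subjectAltName,
@rem so a server cert without SAN fails hostname validation. Write the leaf
@rem extensions to a small ext file and hand it to openssl ca; -extfile reads
@rem the unnamed default section, so no [section] header is needed.
(
  echo basicConstraints=CA:FALSE
  echo keyUsage=digitalSignature,keyEncipherment
  echo extendedKeyUsage=serverAuth
  echo subjectAltName=DNS:%FQDN%
) > private\%NAME%.ext
@rem -batch suppresses the "Sign the certificate? / commit?" prompts so the
@rem script cannot hang; -days overrides default_days from the config.
openssl ca -batch -days %LEAF_DAYS% -in private/%NAME%.csr -out newcerts/%NAME%.cer -cert certs/ca.cer -keyfile private/cakey.pem -extfile private/%NAME%.ext || exit /b 1
echo "4.导出cer证书为PKCS12格式"
@rem -certfile adds the issuing CA so the PKCS#12 carries the full chain.
@rem (The original -clcerts is a parse-mode option and is ignored on export.)
openssl pkcs12 -export -in newcerts/%NAME%.cer -inkey private/%NAME%key.pem -certfile certs/ca.cer -out newcerts/%NAME%.p12 || exit /b 1
echo "5.检查%NAME%证书内容"
openssl x509 -in newcerts/%NAME%.cer -noout -text
echo "%NAME%服务器证书创建完成......"
echo ......
exit /b 0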