Tags: key-o definition asi tin PEM option Full Art
It is mainly used for outputting certificate information , can also sign certificate request file, self-signed, convert certificate format , etc.
The OpenSSL x509 tool does not use the settings in the OpenSSL configuration file, but is completely self-setting or uses the default value of the pseudo-command, which is like a complete small CA toolbox .
[-caserial filename] [-text] [-MD2|-MD5|-SHA1|-MDC2] [-extfile filename] [-extensions section]
There are many options, so the segmentation is explained.
"Input and Output options:"-in filename : Specifies the certificate input file, and if the "-req" option is specified at the same time, the input file is the request file for the certificate. -out FileName: Specifies the output file -md2|-md5|-sha1|-mdc2: Specifies the one-way encryption algorithm .
"Information Output options:"-text: Output the certificate content in text format, which is output in the most complete format: including public key,signature Algorithms,issuer and subject names,serial number and any Trust settings.-certopt option: Customizing the items to be exported-noout: Suppresses output from the certificate request fileCoding Section-pubkey: In the output certificatePublic Key-modulus: In the output certificatePublic Key ModuleSection-serial: The output certificateSerial Number-subject: In the output certificatesubject-issuer: In the output certificateIssuer, that is, the issuer's subject-subject_hash: Subject in the output certificateHash Code-issuer_hash: In the output certificateissuer (i.e. the issuer's subject) hash code-hash:equivalent to "-subject_hash", but this is the option provided for backwards compatibility-email: The output in the certificateEmail Address, if you have an email-startdate: Output certificate validity periodStart Date-enddate: The output certificate validity periodEnd Date-dates: Output Certificateexpiry date, equivalent to "startdate+enddate"-fingerprint: OutputFingerprint summary information
When you export some information for a certificate, you can work with the "-noout" option (that is, suppress which part of the certificate is exported), and then specify some items to use. For example:
[email protected] ~]# OpenSSL x509-in cert.pem-noout-text[[email protected] ~]# OpenSSL x509-in cert.pem-noout-seri Al[[email protected] ~]# OpenSSL x509-in cert.pem-noout-subject[[email protected] ~]# OpenSSL x509-in cert.pem-noout -issuer[[email protected] ~]# OpenSSL x509-in cert.pem-noout-fingerprint[[email protected] ~]# OpenSSL x509-in cert.pe M-noout-issuer_hash[[email protected] ~]# OpenSSL x509-in cert.pem-noout-startdate-enddate
"Signing options:" ****************************************************************************************** Pseudo command X509 can perform signature actions on a certificate or request like a OpenSSL ca. AttentionOpenSSL x509 * * Does not read the configuration file, all configurations are provided by X509 itself, so the OpenSSL x509 is like a "mini CA" *-signkey filename : This option is used to provideprivate key file when self-signed, the file for the self-signed input files "-in file" can be a certificate request file, or it can be a signed certificate. -days ARG: Specifies the certificate validity period, which is 30 days by default. -x509toreq:convert a signed certificate back to a certificate request file。 You need to use the "-signkey" option to pass the required private key.The -req:x509 tool defaults to the certificate file as Inputfile (-in file), which specifies that the file for input file will be requested for the certificate. -set_serial N:Specify the certificate serial number。 This option can be used with the "-singkey" or "-ca" options. ：if used with "-ca", the serial value specified by the "-caserial" or "-cacreateserial" option will be invalidated。 : The serial number can be either a numeric value or a 16 binary (starting with 0x). Negative values are also accepted, but not recommended. -CA FileName:Specify the CA certificate to use when signing。 This option is typically used with the "-req" option to request a file signature for a certificate. -cakey FileName: Settingthe private key file used when the CA is signed。 If this option is not specified, the CA private key is assumed to already exist in the CA self-signed certificate file. -caserial FileName: Sets the serial number file used by the CA. WhenWhen you use the "-ca" option to sign, it will use the serial number specified in a file to uniquely identify the certificate file after this signature。 ：The contents of this serial number file are only one row, and the value of this line is 16 binary digits. When a serial number is used, the serial number in the file is automatically incremented。 : The default serial number file is named suffix with the CA certificate file base name plus ". Srl". If the CA certificate is "Mycert.pem", the default search for the serial number file is "MYCERT.SRL"-cacreateserial: When this option is used,If the CA uses a serial number file that does not exist, it will be created automatically: The file will contain the serial number value "02" and the certificate file serial number is 1 after this signature。 ：in general, if the "-ca" option is used and the serial number file does not exist, it will produce an error "Srl File not found"。 -extfile FileName:Specify the file that contains the extension to add to the certificate when signing。
"CERTIFICATE EXTENSIONS"-purpose: OptionsCheck the extension of the certificate and decide what aspects the certificate is allowed to use, that is, the purpose range of the certificate. Basicconstraints: This extension is used todecide whether a certificate can be treated as a CA certificate。 Formatted as Basicconstraints=ca:true | False:1. If the CA's flag is set totrue, the certificate is allowed as a CA certificate, which can issue subordinate certificates or sign;: 2. If the CA's flag is set tofalse, the certificate cannot be used as a CA and cannot be issued a certificate or signature for a subordinate;: 3.The CA's flag must be set to True for all CA certificates。 : 4. If the basicconstraints extension is not set, then the certificate is considered a suspicious CA, or "Possible CA". Keyusage: This extension is used tospecifies an additional usage limit for the certificate, which is also a manifestation of the purpose of use. : 1.If the keyusage extension is specified, then the certificate will have additional usage restrictions。 : 2.at least keyusage=keycertsign must be set in the CA certificate file。 : 3. If the keyusage extension is set, the critical will be limited to the specified usage purpose purpose, regardless of whether or not it is used.
For example, use the X509 tool to build your own CA. Because X509 cannot establish a certificate request file, you can only use OpenSSL req to generate the request file , and then use X509 to come from the signature .
From the time of signing:
Use the "-req" option to explicitly indicate that the input file is a certificate request file, otherwise it will be the certificate file by default ;
Use "-signkey" to provide self-signed private keys;
[email protected] ssl]# OpenSSL req-new-keyout key.pem-out req.csr #由私钥生成请求证书 [[email protected] ssl]# OpenSSL x50 9 -req-in req.csr -signkey key.pem -out x509.crt #使用x509签署请求证书时, both the request certificate and the private key must be specified
X509 can also be used to sign other people's certificate requests, that is, to issue certificates to others . Note that when you issue certificates to others, make sure that the serial file exists, and we recommend that you use the Automatically created option "-cacreateserial".
[email protected] ssl]# OpenSSL x509 -req-in req.csr -ca ca.crt -cakey ca.key-out x509.crt - Cacreateserial
(+) OpenSSL X509 (Signed and self-signed)