Common OpenSSL commands

Source: Internet
Author: User
Document directory
  • Apply for Certificate
  • View certificates
  • Test Certificate
  • Calculate MD5 and SHA1
Apply for Certificate

SSL is often used for authentication, data encryption, and other applications. To use SSL, we need a certificate of our own. Digital certificates are generally requested from professional certification companies (such as VeriSign), which charge for them. In some cases we only want encrypted data communication rather than authentication, and then you can create a certificate yourself. There are two ways to do this: create a self-signed certificate, or create your own CA and use it to issue the required certificate. The two methods are described below.

Generate Self Signed certificate
# Generate a key (your private key). openssl will prompt you for a password, which is optional.
# If you set one, you must enter it every time you use this key.
# For security reasons, you should still protect the key with a password.
> openssl genrsa -des3 -out selfsign.key 4096

# Use the key generated above to create a certificate signing request (CSR).
# If your key is password protected, openssl first asks for the password and then asks a series of questions.
# Of these, Common Name (CN) is the most important: it identifies what the certificate is for.
# If you are requesting a certificate for your website, enter your domain name.
> openssl req -new -key selfsign.key -out selfsign.csr

# Generate the self-signed certificate; selfsign.crt is the resulting certificate.
> openssl x509 -req -days 365 -in selfsign.csr -signkey selfsign.key -out selfsign.crt

# A simpler method: generate a key and a certificate with a single command.
> openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout privateKey.key -out certificate.crt
Generate your own CA (Certificate Authority)

A CA is the issuer of certificates. Once a CA has issued a certificate for someone and the CA certificate has been added to the root certificates trusted by the system, certificates issued by that CA are also trusted by the system. The CA's key must therefore be carefully protected: it should generally be encrypted, and read and write access should be restricted to root.

# Generate the key of the CA
> openssl genrsa -des3 -out ca.key 4096

# Generate the CA certificate
> openssl req -new -x509 -days 365 -key ca.key -out ca.crt

# Generate our key and CSR, in the same way as for the self-signed certificate above
> openssl genrsa -des3 -out myserver.key 4096
> openssl req -new -key myserver.key -out myserver.csr

# Use the CA certificate and key to generate our certificate.
# set_serial sets the certificate serial number. If the certificate expires (365 days later)
# or the certificate key is leaked and the certificate has to be re-issued, add 1 to it.
> openssl x509 -req -days 365 -in myserver.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out myserver.crt
View certificates
# View key information
> openssl rsa -noout -text -in myserver.key

# View CSR information
> openssl req -noout -text -in myserver.csr

# View certificate information
> openssl x509 -noout -text -in ca.crt

# Verify a certificate
# "self signed" will be reported
> openssl verify selfsign.crt

# Because myserver.crt was issued by ca.crt, it is verified successfully
> openssl verify -CAfile ca.crt myserver.crt
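
The issue and verify steps above, run end to end without prompts, as an added example that is not part of the original page: it builds a throwaway CA, confirms that a CA-issued certificate verifies while a self-signed one does not, and checks that a private key belongs to a certificate. The `-subj` and `env:` passphrase options, `-aes256` in place of `-des3`, the 2048-bit keys and all names are choices made for this example.

```shell
#!/bin/sh
# Added example. Names, subjects and the passphrase are constructed; files are throwaway.
set -u
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
export CA_PASS='constructed-demo-passphrase'   # demo value; never hard-code a real one

# Create an encrypted CA key and a CA certificate without interactive prompts.
make_ca() {
    openssl genrsa -aes256 -passout env:CA_PASS -out "$WORK/ca.key" 2048 2>/dev/null &&
    openssl req -new -x509 -days 365 -key "$WORK/ca.key" -passin env:CA_PASS \
        -subj "/CN=Demo CA" -out "$WORK/ca.crt"
}

# Issue a certificate for CN=$1, signed by the CA, with serial number $2.
issue_cert() {
    openssl genrsa -out "$WORK/$1.key" 2048 2>/dev/null &&
    openssl req -new -key "$WORK/$1.key" -subj "/CN=$1" -out "$WORK/$1.csr" &&
    openssl x509 -req -days 365 -in "$WORK/$1.csr" -CA "$WORK/ca.crt" \
        -CAkey "$WORK/ca.key" -passin env:CA_PASS -set_serial "$2" \
        -out "$WORK/$1.crt" 2>/dev/null
}

# Create a self-signed certificate for CN=$1 (not issued by the CA).
self_sign() {
    openssl req -x509 -nodes -days 365 -newkey rsa:2048 -subj "/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# Succeeds only if certificate $1 verifies against the CA certificate.
chains_to_ca() {
    openssl verify -CAfile "$WORK/ca.crt" "$WORK/$1.crt" >/dev/null 2>&1
}

# Succeeds only if unencrypted private key $2 has the public key in certificate $1.
key_matches_cert() {
    cert_pub=$(openssl x509 -noout -pubkey -in "$WORK/$1.crt" 2>/dev/null)
    key_pub=$(openssl pkey -pubout -in "$WORK/$2.key" 2>/dev/null)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

make_ca && issue_cert myserver 01 && self_sign selfsign
chains_to_ca myserver && echo "myserver.crt: issued by ca.crt"
chains_to_ca selfsign || echo "selfsign.crt: not issued by ca.crt"
key_matches_cert myserver myserver && echo "myserver.key matches myserver.crt"
key_matches_cert myserver selfsign || echo "selfsign.key does not match myserver.crt"
```
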
Remove key password protection

Sometimes it is too cumbersome to enter a password every time. You can remove the Key's password.

> openssl rsa -in myserver.key -out server.key.insecure
Certificate conversion in different formats

Generally, certificates can be in three formats:

  • PEM (.pem): the commands above generate this format.
  • DER (.cer, .der): common on Windows.
  • PKCS #12 (.pfx, .p12): used on Mac.
# Convert PEM to DER
> openssl x509 -outform der -in myserver.crt -out myserver.der

# Convert DER to PEM
> openssl x509 -inform der -in myserver.cer -out myserver.pem

# Convert PEM to PKCS #12
> openssl pkcs12 -export -out myserver.pfx -inkey myserver.key -in myserver.crt -certfile ca.crt

# Convert PKCS #12 to PEM
> openssl pkcs12 -in myserver.pfx -out myserver2.pem -nodes
Test Certificate

OpenSSL provides simple client and server tools for simulating SSL connections and testing them.

# Connect to the remote server
> openssl s_client -connect <host>:443

# Simulate an HTTPS service that returns information about OpenSSL
# -accept specifies the listening port
# -cert and -key specify the certificate and key used to provide the service
> openssl s_server -accept 443 -cert myserver.crt -key myserver.key -www

# You can write the key and certificate to the same file
> cat myserver.crt myserver.key > myserver.pem
# so that only one parameter needs to be provided
> openssl s_server -accept 443 -cert myserver.pem -www

# Save the server certificate
> openssl s_client -connect <host>:443 </dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > remoteserver.pem

# Convert to a DER file, which can be viewed directly in Windows
> openssl x509 -outform der -in remoteserver.pem -out remoteserver.cer
Calculate MD5 and SHA1
# MD5 digest
> openssl dgst -md5 filename

# SHA1 digest
> openssl dgst -sha1 filename
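
An added example (not from the original page) tying the format conversions to the digest commands: a certificate's fingerprint is the digest of its DER encoding, so it is identical for the PEM and DER files and equals `openssl dgst` of the `.der` file but not of the `.pem` file. The helper names, the constructed subject and the use of SHA-256 alongside SHA1 are assumptions of this example.

```shell
#!/bin/sh
# Added example. The certificate subject is constructed; files are throwaway.
set -u
DIR=$(mktemp -d)
trap 'rm -rf "$DIR"' EXIT
openssl req -x509 -nodes -days 1 -newkey rsa:2048 -subj "/CN=convert.test" \
    -keyout "$DIR/c.key" -out "$DIR/c.pem" 2>/dev/null
openssl x509 -outform der -in "$DIR/c.pem" -out "$DIR/c.der"    # PEM to DER
openssl x509 -inform der -in "$DIR/c.der" -out "$DIR/back.pem"  # DER to PEM

# Reduce openssl's "NAME= AB:CD..." output to bare lowercase hex.
hex() { sed -e 's/^.*= *//' -e 's/://g' | tr 'A-F' 'a-f'; }

# Certificate fingerprint. $1 = file, $2 = pem or der, $3 = digest name.
cert_fp() { openssl x509 -noout -fingerprint "-$3" -inform "$2" -in "$1" | hex; }

# Digest of a file's raw bytes. $1 = file, $2 = digest name.
file_digest() { openssl dgst "-$2" "$1" | hex; }

# Succeeds if two certificate files hold the same certificate.
# $1/$2 = first file and its format, $3/$4 = second file and its format.
same_cert() {
    fp1=$(cert_fp "$1" "$2" sha256)
    [ -n "$fp1" ] && [ "$fp1" = "$(cert_fp "$3" "$4" sha256)" ]
}

same_cert "$DIR/c.pem" pem "$DIR/c.der" der && echo "PEM and DER: same certificate"
echo "fingerprint:    $(cert_fp "$DIR/c.pem" pem sha1)"
echo "dgst of c.der:  $(file_digest "$DIR/c.der" sha1)"
echo "dgst of c.pem:  $(file_digest "$DIR/c.pem" sha1)   (differs: PEM is base64 text)"
```
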
