Common Openssl commands

Document directory

• Apply for Certificate
• View certificates
• Test Certificate
• Calculate MD5 and SHA1

Apply for Certificate

SSL is often used in authentication, data encryption, and other applications. To use SSL, we have our own password certificate. Digital Certificates are generally applied to professional certification companies (such as VeriSign) and are charged. In some cases, we just want to use encrypted data communication instead of authentication, you can create a certificate by yourself. There are two ways to create a certificate: Self Signed and CA, to release the required certificate. The two methods are described below.

Generate Self Signed certificate

# Generate a key, your private key, and openssl will prompt you to enter a password, which can be entered or not, # If entered, in the future, you must enter the password when using this key. For security reasons, you should still have a password protection> openssl genrsa-des3-out selfsign. key 4096 # Use the key generated above to generate a certificate signing request (CSR) # If your key is password protected, openssl will first ask your password and then ask you a series of questions, # among them, Common Name (CN) is the most important. It represents the target of your certificate. If you apply for a certificate for your website, you need to add your domain Name.> Openssl req-new-key selfsign. key-out selfsign. csr # generate the Self Signed certificate selfsign. crt is the certificate we generated> openssl x509-req-days 365-in selfsign. csr-signkey selfsign. key-out selfsign. crt # Another simple method is to use the following command to generate a key and a certificate> openssl req-x509-nodes-days 365-newkey rsa: 2048-keyout privateKey. key-out certificate. crt

Generate your own CA (Certificate Authority)

CA is the publisher of a certificate. After CA publishes a certificate from another person and adds the CA certificate to the root certificate trusted by the system, the certificate published by CA is also trusted by the system, the key of the CA must be carefully protected. encryption is generally required and the root permission is restricted to read and write.

# Generate the key of the CA> openssl genrsa-des3-out ca. key 4096 # generate CA certificate> openssl req-new-x509-days 365-key ca. key-out ca. crt # generate our key and CSR, which are the same as Self Signed above> openssl genrsa-des3-out myserver. key 4096> openssl req-new-key myserver. key-out myserver. csr # Use the ca certificate and key to generate our certificate # Here set_serial indicates the certificate serial number. If the certificate expires (365 days later), # or the certificate key is leaked, to re-issue the certificate, add 1> openssl x509-req-days 365-in myserver. csr-CA ca. crt-CAkey ca. key-set_serial 01-out myserver. crt

View certificates

# View KEY information> openssl rsa-noout-text-in myserver. key # view CSR information> openssl req-noout-text-in myserver. csr # view Certificate Information> openssl x509-noout-text-in ca. crt # verify CERTIFICATE # self signed> openssl verify selfsign will be prompted. crt # Because myserver. crt is a ca. the crt is released, so it will be verified successfully> openssl verify-CAfile ca. crt myserver. crt

Remove key password protection

Sometimes it is too cumbersome to enter a password every time. You can remove the Key's password.

> openssl rsa -in myserver.key -out server.key.insecure

Certificate conversion in different formats

Generally, certificates can be in three formats:

• The command above PEM (. pem) generates this format,
• DER (. cer. der) is common in Windows.
• PKCS #12 files (. pfx. p12) on Mac

# Convert PEM to DER> openssl x509-outform der-in myserver. crt-out myserver. der # DER to PEM> openssl x509-inform der-in myserver. cer-out myserver. pem # PEM to PKCS> openssl pkcs12-export-out myserver. pfx-inkey myserver. key-in myserver. crt-certfile ca. crt # convert PKCS to PEM> openssl pkcs12-in myserver. pfx-out myserver2.pem-nodes

Test Certificate

Openssl provides simple client and server tools for simulating SSL connections and testing.

# Connect to the remote server> openssl s_client-connect www.google.com.hk: 443 # simulate HTTPS service, you can return information about Openssl #-accept is used to specify the listening port #-cert-key is used to specify the key and certificate for service provision> openssl s_server-accept 443-cert myserver. crt-key myserver. key-www # You can write the key and certificate to the same file> cat myserver. crt myserver. key> myserver. pem # only one parameter is provided.> openssl s_server-accept 443-cert myserver. pem-www # Save the server CERTIFICATE> openssl s_client-connect www.google.com.hk: 443 </dev/null | sed-ne '/-begin certificate -/, /-end certificate-/P'> remoteserver. pem # convert to DER file, you can directly View> openssl x509-outform der-in remoteserver in Windows. pem-out remoteserver. cer

Calculate MD5 and SHA1

# MD5 digest> openssl dgst -md5 filename# SHA1 digest> openssl dgst -sha1 filename