1. Introduction
The OpenSSL command set fully embodies the KISS spirit of Unix programming: each command's functionality is simple and independent, and the commands can be combined in a script to achieve powerful results.
Below are just a few of the commands we use most often; the detailed help for each command can be found in its man page.
2. Common functions
1) Generating CAs and certificates
# Create RSA certificates
# (-des encrypts the key with single DES; -aes256 is available and preferable. 1024-bit RSA is the size used in the original; 2048 bits is the usual minimum today.)
openssl genrsa -des -passout pass:"123456" -out rsa_ca_prikey.key 1024
openssl req -config caopenssl.cnf -key rsa_ca_prikey.key -passin pass:"123456" -new -out rsa_ca_cert.req
openssl x509 -req -in rsa_ca_cert.req -signkey rsa_ca_prikey.key -passin pass:"123456" -out rsa_ca_cert.pem
openssl genrsa -des -passout pass:"123456" -out rsa_site_prikey.key 1024
openssl req -config siteopenssl.cnf -key rsa_site_prikey.key -passin pass:"123456" -new -out rsa_site_cert.req
openssl x509 -req -in rsa_site_cert.req -CA rsa_ca_cert.pem -CAkey rsa_ca_prikey.key -passin pass:"123456" -out rsa_site_cert.pem -CAcreateserial

# Create ECC certificates
openssl ecparam -genkey -name prime256v1 -out ecc_ca_prikey.key
openssl req -config caopenssl.cnf -key ecc_ca_prikey.key -new -out ecc_ca_cert.req
openssl x509 -req -in ecc_ca_cert.req -signkey ecc_ca_prikey.key -out ecc_ca_cert.pem
openssl ecparam -genkey -name prime256v1 -out ecc_site_prikey.key
openssl req -config siteopenssl.cnf -key ecc_site_prikey.key -new -out ecc_site_cert.req
openssl x509 -req -in ecc_site_cert.req -CA ecc_ca_cert.pem -CAkey ecc_ca_prikey.key -out ecc_site_cert.pem -CAcreateserial

# Create DSA certificates
# (<bits> is the DSA parameter size, e.g. 1024 or 2048; the value in the original was lost)
openssl dsaparam -genkey <bits> -out dsa_ca_prikey.key
openssl req -config caopenssl.cnf -key dsa_ca_prikey.key -new -out dsa_ca_cert.req
openssl x509 -req -in dsa_ca_cert.req -signkey dsa_ca_prikey.key -out dsa_ca_cert.pem
openssl dsaparam -genkey <bits> -out dsa_site_prikey.key
openssl req -config siteopenssl.cnf -key dsa_site_prikey.key -new -out dsa_site_cert.req
openssl x509 -req -in dsa_site_cert.req -CA dsa_ca_cert.pem -CAkey dsa_ca_prikey.key -out dsa_site_cert.pem -CAcreateserial
2) View a certificate
# View the full certificate contents
openssl x509 -noout -text -in mysite.pem
# View the certificate's public-key modulus (RSA keys)
openssl x509 -in mysite.pem -noout -modulus
# View the certificate subject
openssl x509 -in mysite.pem -noout -subject -nameopt multiline
# View the certificate issuer
openssl x509 -in mysite.pem -noout -issuer
# View the purposes the certificate is valid for
openssl x509 -purpose -noout -in 192.168.200.7.cer
3) Verify a certificate
# Check that site_cert.pem chains to the CA in ca_cert.pem (exit status is non-zero on any chain error)
openssl verify -CAfile ca_cert.pem site_cert.pem
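The following script is an added example, not code from the original post: it builds a throwaway ECC CA as in section 1), issues a site certificate from it, reads the DN fields as in section 2), and runs the same "openssl verify -CAfile" check as section 3), including the failure case where the certificate was issued by an unrelated CA. File names, subjects and the work directory are assumptions chosen for the demo, and -subj stands in for the caopenssl.cnf / siteopenssl.cnf config files of the post.

```shell
#!/bin/sh
# Added example (not from the original post). Assumptions: names, subjects
# and the temporary work directory are invented for this demo.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; exit 1; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_ca NAME: self-signed P-256 CA (key + certificate) in $WORK
make_ca() {
    openssl ecparam -genkey -name prime256v1 -noout -out "$WORK/${1}_prikey.key"
    openssl req -x509 -new -key "$WORK/${1}_prikey.key" -days 365 \
        -subj "/CN=${1}-demo-ca" -out "$WORK/${1}_cert.pem" 2>/dev/null
}

# issue_site CA SITE: key, CSR and CA-signed certificate for SITE
issue_site() {
    openssl ecparam -genkey -name prime256v1 -noout -out "$WORK/${2}_prikey.key"
    openssl req -new -key "$WORK/${2}_prikey.key" -subj "/CN=${2}" \
        -out "$WORK/${2}_cert.req" 2>/dev/null
    openssl x509 -req -in "$WORK/${2}_cert.req" -CA "$WORK/${1}_cert.pem" \
        -CAkey "$WORK/${1}_prikey.key" -CAcreateserial -days 90 \
        -out "$WORK/${2}_cert.pem" 2>/dev/null
}

# verify_chain CA SITE: prints ok or fail. openssl verify exits non-zero on
# any chain error; a script should rely on that exit status, not on the text.
verify_chain() {
    if openssl verify -CAfile "$WORK/${1}_cert.pem" "$WORK/${2}_cert.pem" \
        >/dev/null 2>&1; then echo ok; else echo fail; fi
}

# cert_field SITE subject|issuer: the one-line DN, as in section 2)
cert_field() {
    openssl x509 -in "$WORK/${1}_cert.pem" -noout "-$2"
}

make_ca good
make_ca rogue
issue_site good site_a
issue_site rogue site_b
echo "site_a against good CA: $(verify_chain good site_a)"   # ok
echo "site_b against good CA: $(verify_chain good site_b)"   # fail
echo "site_a issuer: $(cert_field site_a issuer)"
```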
4) Format conversion
# PKCS#12 to PEM (-nodes writes the private key to disk unencrypted)
> openssl pkcs12 -in myserver.pfx -out myserver.pem -nodes
# PEM to DER
> openssl x509 -outform der -in myserver.pem -out myserver.[der|crt]
# Extract the private key from PEM
> openssl rsa -in myserver.pem -out myserver.key
# DER to PEM
> openssl x509 -inform der -in myserver.[cer|crt] -out myserver.pem
# PEM to PKCS#12
> openssl pkcs12 -export -inkey myserver.key -in myserver.pem -out myserver.pfx -certfile ca.crt
> openssl pkcs12 -export -inkey www.mysite.com.key -in www.mysite.com.pem -passin pass:123456 -passout pass:123456 -out www.mysite.com.p12
5) Remove the key's password protection
7) Test a certificate
OpenSSL provides simple client and server tools that can be used to simulate SSL connections for testing.
# Connect to a remote server
> openssl s_client -connect www.google.com.hk:443
# Simulate an HTTPS service; with -www it returns a status page with OpenSSL-related information
# -accept specifies the port to listen on
# -cert and -key specify the certificate and key used to serve
> openssl s_server -accept 443 -cert myserver.crt -key myserver.key -www
# The key and certificate can be written to the same file
> cat myserver.crt myserver.key > myserver.pem
# Then only one parameter is needed
> openssl s_server -accept 443 -cert myserver.pem -www
# Save the server's certificate
> openssl s_client -connect www.google.com.hk:443 </dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > remoteserver.pem
# Convert it to a DER file, which can be viewed directly under Windows
> openssl x509 -outform der -in remoteserver.pem -out remoteserver.cer
8) Calculate MD5 and SHA1
# MD5 digest
> openssl dgst -md5 filename
# SHA1 digest
> openssl dgst -sha1 filename
OpenSSL certificate operation commands