I. Introduction
The OpenSSL command set fully embodies the KISS spirit of Unix programming: the functionality of each command is simple and independent, and commands can be combined in a scripting language to achieve powerful results.
Here are just a few of the commands we use frequently; for detailed help on each command, refer to the corresponding man page.
II. Common Functions
1. Generate your own CA (Certificate Authority)
# Generate the CA's key
> openssl genrsa -out ca.key 4096
# Generate the CA's certificate
> openssl req -new -x509 -days 365 -key ca.key -out ca.crt
# Generate our own key and CSR; these two steps are the same as in the self-signed case (section 2)
> openssl genrsa -out myserver.key 4096
> openssl req -new -key myserver.key -out myserver.csr
# Use the CA's certificate and key to issue our certificate.
# -set_serial sets the certificate's serial number (01 here is just a starting value); if the certificate expires
# (after 365 days) or its key leaks and you need to reissue it, add 1 to the serial number
> openssl x509 -req -days 365 -CA ca.crt -CAkey ca.key -set_serial 01 -in myserver.csr -out myserver.crt
2. Generate a self-signed certificate
# Generate a key (your private key). OpenSSL will prompt you for a password; you may enter one or leave it out.
# If you enter one, you will have to enter it every time you use this key; for security, the key should be password protected.
# -des3 encrypts the key with the password you enter; drop it if you want an unprotected key.
> openssl genrsa -des3 -out selfsign.key 4096
# Using the key generated above, generate a certificate signing request (CSR).
# If your key is password protected, OpenSSL first asks for the password and then a series of questions,
# of which Common Name (CN) is the most important: it identifies what the certificate stands for. If you are
# requesting a website certificate, it must be your domain name.
> openssl req -new -key selfsign.key -out selfsign.csr
# Generate the self-signed certificate; selfsign.crt is the certificate we generated
> openssl x509 -req -days 365 -in selfsign.csr -signkey selfsign.key -out selfsign.crt
# Another easy way is to generate the key and certificate in one go with the following command
> openssl req -x509 -days 365 -newkey rsa:2048 -keyout privatekey.key -out certificate.crt
3. View the certificate
# View key information
> openssl rsa -noout -text -in myserver.key
# View CSR information
> openssl req -noout -text -in myserver.csr
# View certificate information
> openssl x509 -noout -text -in ca.crt
# View the certificate's modulus (useful for checking that a key and a certificate belong together)
> openssl x509 -in mysite.pem -noout -modulus
# View the certificate's Subject, one field per line
> openssl x509 -in mysite.pem -noout -subject -nameopt multiline
# View the certificate's Issuer
> openssl x509 -in mysite.pem -noout -issuer -nameopt multiline
# View the purposes the certificate may be used for
> openssl x509 -purpose -noout -in 192.168.200.7.cer
4. Verify a certificate
Reference: http://blog.csdn.net/as3luyuan123/article/details/16872101
# Will report "self signed certificate"
> openssl verify selfsign.crt
# Because myserver.crt was issued by ca.crt, verification succeeds
> openssl verify -CAfile ca.crt myserver.crt
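As an added example that is not part of the original post, the following script builds a throw-away CA and a server certificate issued by it (sections 1 and 2), then runs two checks a practitioner wants before deploying a certificate: that the private key really belongs to the certificate (comparing moduli, section 3) and that the certificate chains to the CA (the verify command above). It assumes the openssl binary is on PATH; all file names and subject CNs are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original post. Builds a throw-away CA plus a server
# certificate it issued, then checks (a) key/certificate match via the RSA modulus
# and (b) chain validity against the CA. File names and CNs are constructed values.
set -eu

# SHA-256 of the RSA modulus, so a key and a certificate can be compared without printing them
modulus_fp() {  # $1 = rsa|x509   $2 = file
  openssl "$1" -noout -modulus -in "$2" | openssl dgst -sha256 | awk '{print $NF}'
}

# Exit 0 when the certificate's public key matches the private key, 1 otherwise
key_matches_cert() {  # $1 = key file   $2 = cert file
  [ "$(modulus_fp rsa "$1")" = "$(modulus_fp x509 "$2")" ]
}

# Exit 0 when the certificate verifies against the CA file, 1 otherwise
chain_ok() {  # $1 = CA cert   $2 = cert to check
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Create ca.key/ca.crt, myserver.key/csr/crt, a self-signed selfsign.crt and an
# unrelated other.key inside directory $1. -subj avoids the interactive questions.
make_test_pki() {
  d="$1"
  openssl genrsa -out "$d/ca.key" 2048 2>/dev/null
  openssl req -new -x509 -days 365 -key "$d/ca.key" -out "$d/ca.crt" -subj "/CN=Test CA" 2>/dev/null
  openssl genrsa -out "$d/myserver.key" 2048 2>/dev/null
  openssl req -new -key "$d/myserver.key" -out "$d/myserver.csr" -subj "/CN=myserver.test" 2>/dev/null
  openssl x509 -req -days 365 -CA "$d/ca.crt" -CAkey "$d/ca.key" -set_serial 01 \
    -in "$d/myserver.csr" -out "$d/myserver.crt" 2>/dev/null
  openssl genrsa -out "$d/selfsign.key" 2048 2>/dev/null
  openssl req -new -x509 -days 365 -key "$d/selfsign.key" -out "$d/selfsign.crt" -subj "/CN=selfsign.test" 2>/dev/null
  openssl genrsa -out "$d/other.key" 2048 2>/dev/null
}

# Stand-alone run: `sh thisscript.sh demo` prints the outcome of each check
if [ "${1:-}" = "demo" ]; then
  d=$(mktemp -d)
  make_test_pki "$d"
  key_matches_cert "$d/myserver.key" "$d/myserver.crt" && echo "myserver.key matches myserver.crt"
  key_matches_cert "$d/other.key" "$d/myserver.crt" || echo "other.key does NOT match myserver.crt"
  chain_ok "$d/ca.crt" "$d/myserver.crt" && echo "myserver.crt chains to ca.crt"
  chain_ok "$d/ca.crt" "$d/selfsign.crt" || echo "selfsign.crt was not issued by ca.crt"
  rm -rf "$d"
fi
```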
5. Convert certificates between formats
Reference: http://blog.csdn.net/as3luyuan123/article/details/16105475
http://blog.csdn.net/linda1000/article/details/8676330
# PKCS#12 to PEM
> openssl pkcs12 -in myserver.pfx -out myserver.pem -nodes
# PEM to DER
> openssl x509 -outform der -in myserver.pem -out myserver.[der|crt]
# Extract the key from a PEM file
> openssl rsa -in myserver.pem -out myserver.key
# DER to PEM
> openssl x509 -inform der -in myserver.[cer|crt] -out myserver.pem
# PEM to PKCS#12
> openssl pkcs12 -export -inkey myserver.key -in myserver.pem -out myserver.pfx -certfile ca.crt
> openssl pkcs12 -export -inkey www.mysite.com.key -in www.mysite.com.pem -passin pass:123456 -passout pass:123456 -out www.mysite.com.p12
6. Remove the key's password protection
Sometimes entering the password every time is too cumbersome; you can remove the password protection from the key:
> openssl rsa -in myserver.key -out server.key.insecure
7. Test a certificate
OpenSSL provides simple client and server tools that can be used to simulate SSL connections for testing.
# Connect to a remote server
> openssl s_client -connect www.google.com.hk:443
# Simulate an HTTPS service that returns OpenSSL-related information
# -accept specifies the port to listen on
# -cert and -key specify the certificate and key that the service uses
> openssl s_server -accept 443 -cert myserver.crt -key myserver.key -www
# The key and certificate can be written to the same file
> cat myserver.crt myserver.key > myserver.pem
# Then only one parameter is needed when you use it
> openssl s_server -accept 443 -cert myserver.pem -www
# Save the server's certificate
> openssl s_client -connect www.google.com.hk:443 </dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > remoteserver.pem
# Convert it to a DER file, which can be viewed directly under Windows
> openssl x509 -outform der -in remoteserver.pem -out remoteserver.cer
8. Calculate MD5 and SHA1
# MD5 digest
> openssl dgst -md5 filename
# SHA1 digest
> openssl dgst -sha1 filename