OpenSSL certificate related

Source: Internet
Author: User
Tags md5 digest openssl rsa openssl x509 pkcs12 sha1 generate self signed certificate password protection self signed certificate


openssl genrsa -out server.key 1024 (no password required)

openssl req -new -key server.key -out server.csr

cat server.csr

Paste the above text into http://dc2.sankuai.info/certsrv/request (Advanced Certificate Request -> Web Server certificate), click OK, then download the Base64-encoded certificate and open it in a text editor.

Paste that content into a file named server.crt on the PacketFence (PF) server.

Replace the files in /usr/local/pf/conf/ssl with the server.key and server.crt files from above.

/etc/init.d/packetfence restart
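
A check worth running before the restart, as an added example that is not part of the original page: it confirms that the certificate returned by the CA carries the same public key as server.key and the CSR. The function names and the pf.example.test subject are assumptions, the demo files are constructed throwaway material, and the key is assumed to be unencrypted like the server.key above.

```shell
#!/bin/sh
# Added example (not from the original page): make sure a private key, its
# CSR and the issued certificate all carry the same public key.

# pubkey_of_key FILE: print the public key derived from a private key.
pubkey_of_key() { openssl pkey -in "$1" -pubout 2>/dev/null; }

# pubkey_of_csr FILE: print the public key contained in a CSR.
pubkey_of_csr() { openssl req -in "$1" -noout -pubkey 2>/dev/null; }

# pubkey_of_cert FILE: print the public key embedded in a certificate.
pubkey_of_cert() { openssl x509 -in "$1" -noout -pubkey 2>/dev/null; }

# key_matches_cert KEY CERT
# Returns 0 if both files carry the same public key, 1 if they differ,
# 2 if either file is missing or cannot be parsed.
key_matches_cert() {
    k=$(pubkey_of_key "$1") || return 2
    c=$(pubkey_of_cert "$2") || return 2
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Constructed demo material: a throwaway key with a self-signed certificate,
# plus an unrelated second key that must not match it.
demo=$(mktemp -d)
openssl req -x509 -nodes -days 1 -newkey rsa:2048 -subj "/CN=pf.example.test" \
    -keyout "$demo/server.key" -out "$demo/server.crt" 2>/dev/null
openssl genrsa -out "$demo/other.key" 2048 2>/dev/null

key_matches_cert "$demo/server.key" "$demo/server.crt" &&
    echo "server.key matches server.crt"
key_matches_cert "$demo/other.key" "$demo/server.crt" ||
    echo "other.key does NOT match server.crt"
```

On the PacketFence server the same function can be pointed at the two files in /usr/local/pf/conf/ssl before running the restart command.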



Generate self signed certificate


# Generate a key (your private key). OpenSSL will prompt you to enter a password. You can choose whether or not to set one;
# if you do, you must enter the password each time you use this key. For security, the key should still be password protected.
> openssl genrsa -des3 -out selfsign.key 4096

# Using the key generated above, generate a certificate signing request (CSR).
# If your key is password protected, OpenSSL will first ask for your password and then ask you a series of questions,
# of which Common Name (CN) is the most important. It identifies the subject your certificate represents;
# if you are requesting a certificate for a website, enter your domain name.
> openssl req -new -key selfsign.key -out selfsign.csr

# Generate the self-signed certificate; selfsign.crt is the certificate we generated
> openssl x509 -req -days 365 -in selfsign.csr -signkey selfsign.key -out selfsign.crt

# Another easy way is to generate the key and certificate together with the following command
> openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout privatekey.key -out certificate.crt

Build your own CA (Certificate authority)
# Generate the CA's key
> openssl genrsa -des3 -out ca.key 4096

# Generate the CA certificate
> openssl req -new -x509 -days 365 -key ca.key -out ca.crt

# Generate our key and CSR; these two steps are the same as for the self-signed certificate above
> openssl genrsa -des3 -out myserver.key 4096
> openssl req -new -key myserver.key -out myserver.csr

# Use the CA's certificate and key to generate our certificate.
# Here set_serial sets the serial number of the certificate. If the certificate expires (365 days later)
# or the certificate key leaks and the certificate has to be reissued, increase the serial number by 1.
> openssl x509 -req -days 365 -in myserver.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out myserver.crt

View certificates
# View key information
> openssl rsa -noout -text -in myserver.key

# View CSR information
> openssl req -noout -text -in myserver.csr

# View certificate information
> openssl x509 -noout -text -in ca.crt

# Verify a certificate
# This will report that the certificate is self-signed
> openssl verify selfsign.crt

# Because myserver.crt was issued by ca.crt, verification will succeed
> openssl verify -CAfile ca.crt myserver.crt

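
The CA steps and the verification above, combined into one non-interactive run (an added example, not part of the original page). It shows that a certificate verifies only against the CA that signed it and that the value passed to -set_serial ends up in the certificate. The function names and subject names are assumptions, and the keys are unencrypted 2048-bit throwaway keys so that no password prompt appears.

```shell
#!/bin/sh
# Added example (not from the original page): build a test CA, issue a
# server certificate from it, then check the chain and the serial number.

# build_ca DIR: create ca.key and a self-signed ca.crt in DIR.
build_ca() {
    openssl genrsa -out "$1/ca.key" 2048 2>/dev/null &&
    openssl req -new -x509 -days 365 -key "$1/ca.key" \
        -subj "/CN=Example Test CA" -out "$1/ca.crt"
}

# issue_cert DIR NAME SERIAL: create NAME.key and NAME.csr in DIR, then
# sign the CSR with DIR's CA using the given serial number.
issue_cert() {
    openssl genrsa -out "$1/$2.key" 2048 2>/dev/null &&
    openssl req -new -key "$1/$2.key" -subj "/CN=$2.example.test" \
        -out "$1/$2.csr" &&
    openssl x509 -req -days 365 -in "$1/$2.csr" -CA "$1/ca.crt" \
        -CAkey "$1/ca.key" -set_serial "$3" -out "$1/$2.crt" 2>/dev/null
}

# cert_serial FILE: print the certificate's serial number (hex).
cert_serial() {
    openssl x509 -noout -serial -in "$1" | cut -d= -f2
}

# chain_ok CAFILE CERT: succeed only if CERT verifies against CAFILE.
chain_ok() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Constructed demo run in a temporary directory.
work=$(mktemp -d)
build_ca "$work" && issue_cert "$work" myserver 01
chain_ok "$work/ca.crt" "$work/myserver.crt" &&
    echo "myserver.crt verifies against ca.crt, serial $(cert_serial "$work/myserver.crt")"
```

Reissuing after expiry or a key leak is the same issue_cert call with the next serial number, for example 02.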
Remove Key's password protection

Entering the password every time can be too cumbersome, so you can remove the password protection from the key:

> openssl rsa -in myserver.key -out server.key.insecure

Conversion of certificates in different formats
# Convert PKCS#12 to PEM
> openssl pkcs12 -in myserver.pfx -out myserver.pem -nodes

# Convert PEM to DER
> openssl x509 -outform der -in myserver.pem -out myserver.[der|crt]

# Extract the key from PEM
> openssl rsa -in myserver.pem -out myserver.key

# Convert DER to PEM
> openssl x509 -inform der -in myserver.[cer|crt] -out myserver.pem

# Convert PEM to PKCS#12
> openssl pkcs12 -export -out myserver.pfx -inkey myserver.key -in myserver.pem -certfile ca.crt

Test Certificate

OpenSSL provides simple client and server tools that can be used to simulate SSL connections for testing.

# Connect to a remote server
> openssl s_client -connect www.google.com.hk:443

# Simulate an HTTPS service that returns OpenSSL-related information
# -accept specifies the port number to listen on
# -cert and -key specify the certificate and key the service uses
> openssl s_server -accept 443 -cert myserver.crt -key myserver.key -www

# The key and certificate can be written to the same file
> cat myserver.crt myserver.key > myserver.pem

# Then only one parameter is needed
> openssl s_server -accept 443 -cert myserver.pem -www

# The server's certificate can be saved
> openssl s_client -connect www.google.com.hk:443 </dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > remoteserver.pem

# Convert it to a DER file, which can be viewed directly under Windows
> openssl x509 -outform der -in remoteserver.pem -out remoteserver.cer

Calculate MD5 and SHA1
# MD5 digest
> openssl dgst -md5 filename

# SHA1 digest
> openssl dgst -sha1 filename


https://packetfence.org/doc/PacketFence_MSPKI_Quick_Install_Guide.html#_step_1_install_active_directory_certificate_service_adcs


Common Java Keytool keystore commands

https://www.chinassl.net/ssltools/keytool-commands.html

https://docs.oracle.com/cd/E19900-01/820-0847/ablrb/
