openssl genrsa -out server.key 1024 (no password required)
openssl req -new -key server.key -out server.csr
cat server.csr
Paste the text printed above into http://dc2.sankuai.info/certsrv/request, choose Advanced Certificate Request, then Web Server certificate, click OK, download the Base64-encoded certificate and open it with a text editor;
Paste that content into a file named server.crt on the PacketFence server;
Replace the files in /usr/local/pf/conf/ssl with the server.key and server.crt produced above, then restart PacketFence:
/etc/init.d/packetfence restart
Generate self signed certificate
# Generate a key (your private key). With -des3, OpenSSL prompts for a passphrase to encrypt the key
# (omit -des3 to leave it unencrypted). You must then enter the passphrase every time the key is used,
# but for security a private key should be passphrase-protected.
> openssl genrsa -des3 -out selfsign.key 4096
# Using the key generated above, generate a Certificate Signing Request (CSR).
# If the key is passphrase-protected, OpenSSL first asks for the passphrase and then a series of questions.
# The Common Name (CN) is the most important: it names what the certificate represents. If you are
# requesting a certificate for a website, the CN must be the site's domain name.
> openssl req -new -key selfsign.key -out selfsign.csr
# Generate the self-signed certificate; selfsign.crt is the certificate we produced.
> openssl x509 -req -days 365 -in selfsign.csr -signkey selfsign.key -out selfsign.crt
# Another easy way is to generate the key and the certificate with a single command:
> openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout privatekey.key -out certificate.crt
Build your own CA (Certificate Authority)
# Generate the CA's key
> openssl genrsa -des3 -out ca.key 4096
# Generate the CA certificate
> openssl req -new -x509 -days 365 -key ca.key -out ca.crt
# Generate our key and CSR; these two steps are the same as for the self-signed certificate above
> openssl genrsa -des3 -out myserver.key 4096
> openssl req -new -key myserver.key -out myserver.csr
# Use the CA's certificate and key to issue our certificate.
# -set_serial sets the certificate's serial number. If the certificate expires (after 365 days)
# or its key leaks and it has to be reissued, increment the serial number by 1.
> openssl x509 -req -days 365 -in myserver.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out myserver.crt
View certificates
# View key information
> openssl rsa -noout -text -in myserver.key
# View CSR information
> openssl req -noout -text -in myserver.csr
# View certificate information
> openssl x509 -noout -text -in ca.crt
# Verify a certificate; this one will report "self signed certificate"
> openssl verify selfsign.crt
# Because myserver.crt was issued by ca.crt, this verification succeeds
> openssl verify -CAfile ca.crt myserver.crt
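The CA-building and verification steps above, as an added non-interactive shell script (not code from the original page): it uses -subj and -nodes so nothing prompts, signs with SHA-256, supplies CA:TRUE and a subjectAltName through -extfile, and then runs the checks a practitioner wants before deploying the certificate. It assumes the openssl CLI is on PATH and the working directory is writable; the hostname and the extension file names are placeholders, the other file names are the page's own.

```shell
#!/bin/sh
# Added example, not code from the original page: the "Build your own CA" flow
# made non-interactive (-subj, -nodes), signed with SHA-256, with CA:TRUE and a
# subjectAltName supplied via extension files, followed by the checks from
# "View certificates". Assumes the openssl CLI is on PATH and the working
# directory is writable; file names follow the page (ca.key, ca.crt, myserver.*).
set -e

# Build a CA and issue a certificate for the hostname given as $1.
# -nodes leaves the keys unencrypted so no passphrase prompt appears; protect
# the CA key with -des3 as the page does when it is kept long term.
make_ca_and_cert() {
    host="$1"
    # CA: key + CSR, then self-sign with CA:TRUE so it may act as an issuer.
    openssl req -new -nodes -newkey rsa:4096 -sha256 -subj "/CN=Example Private CA" \
        -keyout ca.key -out ca.csr 2>/dev/null
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
    openssl x509 -req -days 365 -sha256 -in ca.csr -signkey ca.key \
        -extfile ca.ext -out ca.crt 2>/dev/null
    # Server: key + CSR. Clients match the SAN, so the CN alone is not enough.
    openssl req -new -nodes -newkey rsa:2048 -sha256 -subj "/CN=$host" \
        -keyout myserver.key -out myserver.csr 2>/dev/null
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$host" > myserver.ext
    # -CAcreateserial keeps a counter in ca.srl instead of the page's manual -set_serial 01.
    openssl x509 -req -days 365 -sha256 -in myserver.csr -CA ca.crt -CAkey ca.key \
        -CAcreateserial -extfile myserver.ext -out myserver.crt 2>/dev/null
}

# Checks to run after issuing: the chain verifies against our CA only, the
# private key belongs to the certificate, and the SAN carries the hostname.
check_cert() {
    host="$1"
    openssl verify -CAfile ca.crt myserver.crt >/dev/null 2>&1 || return 1
    # Without a trust anchor the CA must fail ("self signed certificate"), as the page notes.
    openssl verify ca.crt >/dev/null 2>&1 && return 1
    # Key/certificate match: compare SHA-256 of the two public keys.
    k=$(openssl pkey -in myserver.key -pubout 2>/dev/null | openssl sha256)
    c=$(openssl x509 -in myserver.crt -pubkey -noout 2>/dev/null | openssl sha256)
    [ "$k" = "$c" ] || return 1
    openssl x509 -in myserver.crt -noout -text 2>/dev/null | grep -q "DNS:$host"
}

# Usage: sh thisscript.sh www.example.test
if [ $# -gt 0 ]; then
    make_ca_and_cert "$1" && check_cert "$1" && echo "issued and verified for $1"
fi
```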
Remove the key's passphrase protection
Sometimes entering the passphrase every time is too cumbersome; you can strip it from the key:
> openssl rsa -in myserver.key -out server.key.insecure
Converting certificates between formats
# PKCS#12 to PEM
> openssl pkcs12 -in myserver.pfx -out myserver.pem -nodes
# PEM to DER
> openssl x509 -outform der -in myserver.pem -out myserver.[der|crt]
# Extract the key from a PEM file
> openssl rsa -in myserver.pem -out myserver.key
# DER to PEM
> openssl x509 -inform der -in myserver.[cer|crt] -out myserver.pem
# PEM to PKCS#12
> openssl pkcs12 -export -out myserver.pfx -inkey myserver.key -in myserver.pem -certfile ca.crt
Test a certificate
OpenSSL provides simple client and server tools that can be used to simulate SSL/TLS connections for testing.
# Connect to a remote server
> openssl s_client -connect www.google.com.hk:443
# Simulate an HTTPS service that returns OpenSSL-related information
# -accept specifies the port number to listen on
# -cert and -key specify the certificate and key the service presents
> openssl s_server -accept 443 -cert myserver.crt -key myserver.key -www
# The key and certificate can be written to the same file
> cat myserver.crt myserver.key > myserver.pem
# Then only one parameter is needed
> openssl s_server -accept 443 -cert myserver.pem -www
# The remote server's certificate can be saved
> openssl s_client -connect www.google.com.hk:443 </dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > remoteserver.pem
# Convert it to a DER file, which can be viewed directly under Windows
> openssl x509 -outform der -in remoteserver.pem -out remoteserver.cer
Calculate MD5 and SHA1 digests
# MD5 digest
> openssl dgst -md5 filename
# SHA1 digest
> openssl dgst -sha1 filename
https://packetfence.org/doc/PacketFence_MSPKI_Quick_Install_Guide.html#_step_1_install_active_directory_certificate_service_adcs
Common Java Keytool keystore commands
https://www.chinassl.net/ssltools/keytool-commands.html
https://docs.oracle.com/cd/E19900-01/820-0847/ablrb/
OpenSSL certificate related