OpenSSL certificate operation commands

Generate a self-signed certificate

# Generate a key (your private key). OpenSSL will prompt you for a password; you can enter one or leave it out.
# If you enter one, you must type it every time this key is used. For security, the key should be password protected.
> openssl genrsa -des3 -out selfsign.key 4096
# Use the key generated above to generate a certificate signing request (CSR).
# If your key is password protected, OpenSSL first asks for the password and then asks a series of questions.
# The Common Name (CN) is the most important one: it is the subject the certificate represents. For a website certificate, enter your domain name.
> openssl req -new -key selfsign.key -out selfsign.csr
# Generate the self-signed certificate; selfsign.crt is the certificate we generated.
> openssl x509 -req -days 365 -in selfsign.csr -signkey selfsign.key -out selfsign.crt
# Another easy way: generate the key and the certificate in one step.
> openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout privatekey.key -out certificate.crt
Build your own CA (Certificate authority)
# Generate the CA key
> openssl genrsa -des3 -out ca.key 4096
# Generate the CA certificate
> openssl req -new -x509 -days 365 -key ca.key -out ca.crt
# The two steps that generate our own key and CSR are the same as in the self-signed case above
> openssl genrsa -des3 -out myserver.key 4096
> openssl req -new -key myserver.key -out myserver.csr
# Use the CA's certificate and key to generate our certificate (note that -CA and -CAkey are case-sensitive option names).
# -set_serial sets the certificate's serial number. If the certificate expires (after 365 days)
# or its key leaks and a new certificate must be issued, increment this number by 1.
> openssl x509 -req -days 365 -in myserver.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out myserver.crt
View certificates
# View key information
> openssl rsa -noout -text -in myserver.key
# View CSR information
> openssl req -noout -text -in myserver.csr
# View certificate information
> openssl x509 -noout -text -in ca.crt
# Verify a certificate. For selfsign.crt this reports that the certificate is self signed (no trust anchor)
> openssl verify selfsign.crt
# Because myserver.crt was issued by ca.crt, verification against ca.crt succeeds
> openssl verify -CAfile ca.crt myserver.crt
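The "Build your own CA" steps and the two verify calls above, worked through end to end as an added example (this is not the page's own script). It assumes a POSIX sh with the openssl binary on PATH; keys are generated without a passphrase and -subj is passed so nothing prompts, and every file name and subject below is this example's own choice. The verify helper turns the exit status into a word because openssl verify exits non-zero for any certificate it cannot chain to a trust anchor, which is exactly the behaviour the page describes for selfsign.crt.

```shell
#!/bin/sh
# Added example: build a throwaway CA, issue a server certificate from it, verify it,
# and reissue it with the next serial number. Not the page's commands; all names are made up.
set -u

# Create the CA and a CA-signed server certificate inside directory $1; prints nothing.
make_ca_and_cert() {
    dir=$1
    # CA key and self-signed CA certificate (the page's two "Build your own CA" steps)
    openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
    openssl req -new -x509 -days 365 -key "$dir/ca.key" -subj "/CN=Example Test CA" \
        -out "$dir/ca.crt"
    # Server key and CSR
    openssl genrsa -out "$dir/myserver.key" 2048 2>/dev/null
    openssl req -new -key "$dir/myserver.key" -subj "/CN=myserver.example" \
        -out "$dir/myserver.csr"
    # Sign the CSR with the CA. -CA/-CAkey are case-sensitive; -set_serial 01 is the page's
    # manual serial (-CAcreateserial would let OpenSSL keep the counter in ca.srl instead).
    openssl x509 -req -days 365 -in "$dir/myserver.csr" -CA "$dir/ca.crt" \
        -CAkey "$dir/ca.key" -set_serial 01 -out "$dir/myserver.crt" 2>/dev/null
    # A stand-alone self-signed certificate, unrelated to the CA, for comparison
    openssl req -x509 -nodes -days 365 -newkey rsa:2048 -subj "/CN=selfsign" \
        -keyout "$dir/selfsign.key" -out "$dir/selfsign.crt" 2>/dev/null
}

# Reissue the server certificate with the next serial number, as the page advises after
# expiry or key compromise; prints the serial as the new certificate itself reports it.
reissue_cert() {
    dir=$1
    openssl x509 -req -days 365 -in "$dir/myserver.csr" -CA "$dir/ca.crt" \
        -CAkey "$dir/ca.key" -set_serial 02 -out "$dir/myserver.crt" 2>/dev/null
    openssl x509 -noout -serial -in "$dir/myserver.crt"   # serial=02
}

# Verify $2 (a file in $1) against $1/ca.crt; prints "trusted" or "untrusted" instead of
# aborting, because openssl verify exits non-zero when no chain to a trust anchor exists.
check_cert() {
    dir=$1
    cert=$2
    if openssl verify -CAfile "$dir/ca.crt" "$dir/$cert" >/dev/null 2>&1; then
        echo trusted
    else
        echo untrusted
    fi
}

# Stand-alone demo: ./script.sh demo
if [ "${1:-}" = "demo" ]; then
    work=$(mktemp -d)
    make_ca_and_cert "$work"
    check_cert "$work" myserver.crt    # trusted
    check_cert "$work" selfsign.crt    # untrusted: does not chain to ca.crt
    reissue_cert "$work"               # serial=02
    rm -rf "$work"
fi
```

The reissued certificate is signed over the same CSR, so it keeps the same public key; if the reason for reissuing was a leaked key, generate a new key and CSR first and only then bump the serial.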
Remove Key's password protection
Sometimes entering the password every time is too cumbersome; you can remove the key's password protection. The resulting file is an unencrypted private key, so keep its file permissions tight.
> openssl rsa -in myserver.key -out server.key.insecure
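The passphrase round trip as an added example (not the page's own commands): a key is wrapped with a passphrase, unwrapped the way the page does it, locked down to owner-only permissions, and checked to be the same key. It assumes a POSIX sh with openssl on PATH; the -passout/-passin options are real OpenSSL options used here to avoid prompts, and the passphrase, file names and directory are invented for this example.

```shell
#!/bin/sh
# Added example: protect a key with a passphrase, strip the protection as the page does,
# restrict the unprotected file, and confirm both files hold the same key. Names are made up.
set -u

# Generate $1/myserver.key and write a passphrase-protected copy to $1/myserver.enc.key.
protect_key() {
    dir=$1
    openssl genrsa -out "$dir/myserver.key" 2048 2>/dev/null
    # -aes256 is the current choice; the page's -des3 works the same way here
    openssl rsa -in "$dir/myserver.key" -aes256 -passout pass:example-secret \
        -out "$dir/myserver.enc.key" 2>/dev/null
}

# Remove the passphrase (the page's step) and restrict the file to its owner;
# prints the resulting permission string.
unprotect_key() {
    dir=$1
    openssl rsa -in "$dir/myserver.enc.key" -passin pass:example-secret \
        -out "$dir/server.key.insecure" 2>/dev/null
    chmod 600 "$dir/server.key.insecure"
    ls -l "$dir/server.key.insecure" | cut -c1-10   # -rw-------
}

# Report whether $2 in $1 can be loaded with a deliberately wrong passphrase: an unencrypted
# key ignores the passphrase ("open"), an encrypted one refuses to load ("locked").
key_state() {
    if openssl rsa -in "$1/$2" -passin pass:wrong-guess -noout 2>/dev/null; then
        echo open
    else
        echo locked
    fi
}

# "yes" when $2 and $3 (files in $1) carry the same RSA modulus, i.e. are the same key
same_key() {
    a=$(openssl rsa -noout -modulus -in "$1/$2" -passin pass:example-secret 2>/dev/null)
    b=$(openssl rsa -noout -modulus -in "$1/$3" -passin pass:example-secret 2>/dev/null)
    [ -n "$a" ] && [ "$a" = "$b" ] && echo yes || echo no
}

# Stand-alone demo: ./script.sh demo
if [ "${1:-}" = "demo" ]; then
    work=$(mktemp -d)
    protect_key "$work"
    key_state "$work" myserver.enc.key            # locked
    unprotect_key "$work"                         # -rw-------
    key_state "$work" server.key.insecure         # open
    same_key "$work" myserver.key server.key.insecure   # yes
    rm -rf "$work"
fi
```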
Conversion of certificates in different formats
# PKCS#12 conversion to PEM
> openssl pkcs12 -in myserver.pfx -out myserver.pem -nodes
# PEM conversion to DER
> openssl x509 -outform der -in myserver.pem -out myserver.[der|crt]
# Extract the key from a PEM file
> openssl rsa -in myserver.pem -out myserver.key
# DER conversion to PEM
> openssl x509 -inform der -in myserver.[cer|crt] -out myserver.pem
# PEM conversion to PKCS#12
> openssl pkcs12 -export -out myserver.pfx -inkey myserver.key -in myserver.pem -certfile ca.crt
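The conversions above, pushed round trip (PEM to DER and back, PEM to PKCS#12 and back) as an added example that is not part of the page. The useful check a practitioner wants after any conversion is that the certificate is still the same object, so each round trip compares SHA-256 fingerprints. It assumes a POSIX sh with openssl on PATH; the export password, subject and file names are this example's own.

```shell
#!/bin/sh
# Added example: verify that format conversions preserve the certificate by comparing
# fingerprints before and after. Not the page's commands; all names are invented here.
set -u

# Self-signed certificate and key to convert (made with the page's one-step command)
make_test_cert() {
    openssl req -x509 -nodes -days 365 -newkey rsa:2048 -subj "/CN=conv.example" \
        -keyout "$1/myserver.key" -out "$1/myserver.pem" 2>/dev/null
}

# SHA-256 fingerprint of certificate $1; pass "der" as $2 for a DER-encoded input
fingerprint() {
    openssl x509 -noout -fingerprint -sha256 -inform "${2:-pem}" -in "$1" | cut -d= -f2
}

# PEM -> DER -> PEM; prints "same" if the fingerprint survived both hops, else "changed"
roundtrip_der() {
    dir=$1
    openssl x509 -outform der -in "$dir/myserver.pem" -out "$dir/myserver.der"
    openssl x509 -inform der -in "$dir/myserver.der" -out "$dir/myserver.back.pem"
    orig=$(fingerprint "$dir/myserver.pem")
    [ "$orig" = "$(fingerprint "$dir/myserver.der" der)" ] \
        && [ "$orig" = "$(fingerprint "$dir/myserver.back.pem")" ] \
        && echo same || echo changed
}

# PEM (+ key) -> PKCS#12 -> PEM; -nodes on the way back leaves the key unencrypted,
# as in the page's command, so the resulting bundle.pem needs the same care as any raw key.
roundtrip_p12() {
    dir=$1
    openssl pkcs12 -export -out "$dir/myserver.pfx" -inkey "$dir/myserver.key" \
        -in "$dir/myserver.pem" -passout pass:example-export
    openssl pkcs12 -in "$dir/myserver.pfx" -out "$dir/bundle.pem" -nodes \
        -passin pass:example-export
    # bundle.pem holds key and certificate; pull only the certificate back out
    openssl x509 -in "$dir/bundle.pem" -out "$dir/fromp12.pem"
    [ "$(fingerprint "$dir/myserver.pem")" = "$(fingerprint "$dir/fromp12.pem")" ] \
        && echo same || echo changed
}

# Stand-alone demo: ./script.sh demo
if [ "${1:-}" = "demo" ]; then
    work=$(mktemp -d)
    make_test_cert "$work"
    roundtrip_der "$work"   # same
    roundtrip_p12 "$work"   # same
    rm -rf "$work"
fi
```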
Test Certificate
OpenSSL provides simple client and server tools that can be used to simulate SSL connections for testing.
# Connect to a remote server
> openssl s_client -connect www.google.com.hk:443
# Simulate an HTTPS service that returns OpenSSL-related information.
# -accept specifies the port to listen on; -cert and -key specify the certificate and key the service presents
> openssl s_server -accept 443 -cert myserver.crt -key myserver.key -www
# The key and certificate can be written to the same file
> cat myserver.crt myserver.key > myserver.pem
# Then only one parameter is needed
> openssl s_server -accept 443 -cert myserver.pem -www
# Save the server's certificate (the PEM markers are upper case, so the sed pattern must be too)
> openssl s_client -connect www.google.com.hk:443 </dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > remoteserver.pem
# Convert it to a DER file, which can be opened directly under Windows
> openssl x509 -outform der -in remoteserver.pem -out remoteserver.cer
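The s_server/s_client exchange above, run entirely on loopback as an added example (not the page's own script): a self-signed identity is served with -www, s_client connects trusting only that certificate through -CAfile, the presented certificate is saved with the page's sed pipeline, and the verify return code is read back. It assumes a POSIX sh with openssl on PATH and a free loopback port; port 14433, the subject and the file names are this example's own choices. -naccept is a real s_server option that makes it exit after the given number of connections.

```shell
#!/bin/sh
# Added example: serve a certificate locally, fetch it with s_client, save it, and check the
# verify return code. Not the page's commands; port and file names are invented here.
set -u

PORT=14433

# Self-signed test identity (the page's one-step command), written into directory $1
make_identity() {
    openssl req -x509 -nodes -days 365 -newkey rsa:2048 -subj "/CN=localhost" \
        -keyout "$1/myserver.key" -out "$1/myserver.crt" 2>/dev/null
}

# Serve a single connection (-naccept 1) and connect to it, trusting only our own
# certificate via -CAfile. Saves the presented certificate to $1/remoteserver.pem and
# prints the numeric verify return code (0 means the chain validated).
fetch_and_verify() {
    dir=$1
    openssl s_server -accept "$PORT" -cert "$dir/myserver.crt" -key "$dir/myserver.key" \
        -www -naccept 1 >/dev/null 2>&1 &
    server=$!
    sleep 1   # give the listener a moment to bind
    openssl s_client -connect "127.0.0.1:$PORT" -CAfile "$dir/myserver.crt" \
        </dev/null 2>/dev/null > "$dir/s_client.out"
    kill "$server" 2>/dev/null
    wait "$server" 2>/dev/null || true
    # The page's extraction pipeline, applied to the captured s_client output
    sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' "$dir/s_client.out" \
        > "$dir/remoteserver.pem"
    sed -n 's/.*Verify return code: \([0-9]*\).*/\1/p' "$dir/s_client.out" | head -n 1
}

# "same" when the saved certificate is the one we served, compared by SHA-256 fingerprint
saved_matches_served() {
    served=$(openssl x509 -noout -fingerprint -sha256 -in "$1/myserver.crt")
    saved=$(openssl x509 -noout -fingerprint -sha256 -in "$1/remoteserver.pem")
    [ -n "$saved" ] && [ "$served" = "$saved" ] && echo same || echo different
}

# Stand-alone demo: ./script.sh demo
if [ "${1:-}" = "demo" ]; then
    work=$(mktemp -d)
    make_identity "$work"
    fetch_and_verify "$work"       # 0
    saved_matches_served "$work"   # same
    rm -rf "$work"
fi
```

Without -CAfile the same connection still succeeds but reports a non-zero verify return code (18, self signed certificate), which is the line to look at when a client refuses a certificate that "works" in s_client: s_client completes the handshake regardless and only reports the verification result.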
Calculate MD5 and SHA1
# MD5 digest
> openssl dgst -md5 filename
# SHA1 digest
> openssl dgst -sha1 filename
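The dgst command above wrapped into a small checker, as an added example that is not part of the page. It prints only the hex digest (the -r option gives coreutils-style "hex *file" output) and compares it against an expected value, which is how a digest is actually used when checking a download; SHA-256 is included alongside the page's MD5 and SHA-1 because those two are no longer collision resistant. It assumes a POSIX sh with openssl on PATH; the sample file content "abc" is constructed here, and its digests are the standard test vectors for the three algorithms.

```shell
#!/bin/sh
# Added example: compute a file digest with openssl dgst and compare it with an expected
# value. Not the page's commands; the sample input is constructed here.
set -u

# Print only the hex digest of file $2 using algorithm $1 (md5, sha1, sha256, ...)
file_digest() {
    openssl dgst "-$1" -r "$2" | cut -d' ' -f1
}

# Compare a file's digest with expected value $3; prints "match" or "MISMATCH".
check_digest() {
    [ "$(file_digest "$1" "$2")" = "$3" ] && echo match || echo MISMATCH
}

# Stand-alone demo: ./script.sh demo
if [ "${1:-}" = "demo" ]; then
    f=$(mktemp)
    printf 'abc' > "$f"          # constructed sample input, no trailing newline
    file_digest md5 "$f"         # 900150983cd24fb0d6963f7d28e17f72
    file_digest sha1 "$f"        # a9993e364706816aba3e25717850c26c9cd0d89d
    file_digest sha256 "$f"      # ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad
    check_digest sha256 "$f" ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad   # match
    rm -f "$f"
fi
```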