OpenSSL Certificate Action commands

Source: Internet
Author: User

Generate a self-signed certificate
# Generate a key (your private key). OpenSSL will prompt you for a password; you can enter one or not.
# If you enter one, you must type it every time you use this key. For security, the key should be password protected.
> openssl genrsa -des3 -out selfsign.key 4096
# Use the key generated above to create a certificate signing request (CSR).
# If your key is password protected, OpenSSL first asks for the password and then asks a series of questions.
# The Common Name (CN) is the most important one: it identifies what the certificate represents. For a website certificate, enter your domain name.
> openssl req -new -key selfsign.key -out selfsign.csr
# Generate the self-signed certificate; selfsign.crt is the certificate we generated.
> openssl x509 -req -days 365 -in selfsign.csr -signkey selfsign.key -out selfsign.crt
# Another, simpler way is to generate the key and the certificate in one step (-nodes leaves privatekey.key unencrypted)
> openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout privatekey.key -out certificate.crt
Build your own CA (Certificate authority)
# Generate the CA key
> openssl genrsa -des3 -out ca.key 4096
# Generate the CA certificate
> openssl req -new -x509 -days 365 -key ca.key -out ca.crt
# Generating our key and CSR takes the same two steps as for the self-signed certificate above
> openssl genrsa -des3 -out myserver.key 4096
> openssl req -new -key myserver.key -out myserver.csr
# Use the CA's certificate and key to generate our certificate
# -set_serial sets the certificate's serial number. If the certificate expires (365 days later)
# or its key leaks and the certificate has to be reissued, increase the serial number by 1
> openssl x509 -req -days 365 -in myserver.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out myserver.crt
View certificates
# View key information
> openssl rsa -noout -text -in myserver.key
# View CSR information
> openssl req -noout -text -in myserver.csr
# View certificate information
> openssl x509 -noout -text -in ca.crt
# Verify a certificate
# This reports that the certificate is self-signed
> openssl verify selfsign.crt
# Because myserver.crt was issued by ca.crt, verification succeeds
> openssl verify -CAfile ca.crt myserver.crt
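The CA and verification steps above, run end to end without prompts, together with a check that a private key belongs to a certificate. This is an added example, not part of the original page; the subjects, demo.cnf and the unencrypted 2048-bit keys are assumptions made so the script runs unattended.

```shell
# Added example, not from the original page. File names, subjects and demo.cnf
# are constructed; keys are left unencrypted so that nothing prompts.
build_demo_pki() (
  cd "$1" || exit 1
  cat > demo.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
commonName = Common Name
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
  openssl genrsa -out ca.key 2048 2>/dev/null &&
  openssl req -new -x509 -days 365 -config demo.cnf -subj "/CN=Demo CA" \
    -key ca.key -out ca.crt &&
  openssl genrsa -out myserver.key 2048 2>/dev/null &&
  openssl req -new -config demo.cnf -subj "/CN=myserver.example" \
    -key myserver.key -out myserver.csr &&
  openssl x509 -req -days 365 -in myserver.csr -CA ca.crt -CAkey ca.key \
    -set_serial 01 -out myserver.crt 2>/dev/null &&
  openssl req -x509 -nodes -days 365 -newkey rsa:2048 -config demo.cnf \
    -subj "/CN=selfsign.example" -keyout selfsign.key -out selfsign.crt 2>/dev/null
)

# issued_by CA_CERT CERT: succeeds only if CERT chains to CA_CERT.
issued_by() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# key_matches_cert KEY CERT: compare the public key derived from each file.
key_matches_cert() {
  k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
  c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
  [ "$k" = "$c" ]
}

# cert_serial CERT: print the serial number that was set with -set_serial.
cert_serial() { s=$(openssl x509 -in "$1" -noout -serial) && echo "${s#serial=}"; }

demo_dir=$(mktemp -d)
build_demo_pki "$demo_dir"
issued_by "$demo_dir/ca.crt" "$demo_dir/myserver.crt" && echo "myserver.crt: issued by ca.crt"
issued_by "$demo_dir/ca.crt" "$demo_dir/selfsign.crt" || echo "selfsign.crt: not issued by ca.crt"
key_matches_cert "$demo_dir/myserver.key" "$demo_dir/myserver.crt" && echo "myserver.key matches myserver.crt"
echo "serial: $(cert_serial "$demo_dir/myserver.crt")"
rm -rf "$demo_dir"
```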
Remove the key's password protection

Entering the password every time can be cumbersome; you can remove the key's password protection.

> openssl rsa -in myserver.key -out server.key.insecure
Conversion of certificates in different formats
# PKCS#12 to PEM
> openssl pkcs12 -in myserver.pfx -out myserver.pem -nodes
# PEM to DER
> openssl x509 -outform der -in myserver.pem -out myserver.[der|crt]
# Extract the key from PEM
> openssl rsa -in myserver.pem -out myserver.key
# DER to PEM
> openssl x509 -inform der -in myserver.[cer|crt] -out myserver.pem
# PEM to PKCS#12
> openssl pkcs12 -export -out myserver.pfx -inkey myserver.key -in myserver.pem -certfile ca.crt
Test Certificate

OpenSSL provides simple client and server tools that can be used to simulate SSL connections for testing.

# Connect to a remote server
> openssl s_client -connect HOST:PORT
# Simulate an HTTPS service that returns OpenSSL-related information
# -accept specifies the port to listen on
# -cert and -key specify the certificate and key the service uses
> openssl s_server -accept 443 -cert myserver.crt -key myserver.key -www
# The key and certificate can be written to the same file
> cat myserver.crt myserver.key > myserver.pem
# Then only one parameter is needed
> openssl s_server -accept 443 -cert myserver.pem -www
# Save the server's certificate
> openssl s_client -connect HOST:PORT </dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > remoteserver.pem
# Convert it to a DER file, which can be viewed directly under Windows
> openssl x509 -outform der -in remoteserver.pem -out remoteserver.cer
Calculate MD5 and SHA1
# MD5 digest
> openssl dgst -md5 filename
# SHA1 digest
> openssl dgst -sha1 filename
