OpenSSL Certificate Action commands

Source: Internet
Author: User

I. Introduction

The OpenSSL command set fully embodies the KISS spirit of Unix programming: each command is simple and independent in function, and the commands can be combined in scripts to achieve powerful results.

Here are just a few of the commands we use most often; for detailed help on each command, refer to the corresponding man pages.

II. Common Functions

1. Generate your own CA (Certificate Authority)

# Generate the CA's key
> openssl genrsa -aes256 -out ca.key 4096
# Generate the CA's certificate
> openssl req -new -x509 -days 365 -key ca.key -out ca.crt
# Generate our key and CSR; these two steps are the same as in the self-signed case
> openssl genrsa -aes256 -out myserver.key 4096
> openssl req -new -key myserver.key -out myserver.csr
# Use the CA's certificate and key to generate our certificate
# Here -set_serial specifies the serial number of the certificate; if the certificate expires (365 days later),
# or the certificate key leaks and the certificate has to be reissued, add 1 to it
> openssl x509 -req -days 365 -in myserver.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out myserver.crt

2. Generate a self-signed certificate

# Generate a key, your private key. OpenSSL will prompt you for a password
# (the cipher option is what enables the prompt; without it the key is written unprotected).
# If you set one, you must enter it every time you use this key; for security, the key should be password protected
> openssl genrsa -aes256 -out selfsign.key 4096
# Using the key generated above, generate a certificate signing request (CSR)
# If your key is password protected, OpenSSL will first ask for your password and then ask you a series of questions,
# of which Common Name (CN) is the most important: it identifies what your certificate represents.
# If you are applying for a website certificate, enter your domain name here.
> openssl req -new -key selfsign.key -out selfsign.csr
# Generate the self-signed certificate; selfsign.crt is the certificate we generated
> openssl x509 -req -days 365 -in selfsign.csr -signkey selfsign.key -out selfsign.crt
# Another, easier way is to generate the key and the certificate in one step with the following command
> openssl req -x509 -days 365 -newkey rsa:2048 -keyout privatekey.key -out certificate.crt

3. View the certificate

# View key information
> openssl rsa -noout -text -in myserver.key
# View CSR information
> openssl req -noout -text -in myserver.csr
# View certificate information
> openssl x509 -noout -text -in ca.crt
# View the modulus of the certificate's public key
> openssl x509 -in mysite.pem -noout -modulus
# View the certificate's Subject field
> openssl x509 -in mysite.pem -noout -subject -nameopt multiline
# View the certificate's Issuer field
> openssl x509 -in mysite.pem -noout -issuer
# View the purposes the certificate can be used for
> openssl x509 -purpose -noout -in 192.168.200.7.cer

4. Verify the certificate

# Will report that the certificate is self-signed
> openssl verify selfsign.crt
# Because myserver.crt was issued by ca.crt, verification succeeds
> openssl verify -CAfile ca.crt myserver.crt
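
The CA workflow from sections 1, 3 and 4 run end to end without prompts, as an added example that is not part of the original page. The -subj names, the unencrypted 2048-bit throwaway keys and the temporary directory are assumptions chosen so the script is non-interactive; it also compares RSA moduli to confirm that a key belongs to a certificate.

```shell
#!/bin/sh
# Added example: constructed subjects, throwaway unencrypted keys (test use only).
set -eu

# Build a throwaway CA and a server certificate signed by it, inside directory $1.
make_chain() {
    dir=$1
    openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
    openssl req -new -x509 -days 365 -key "$dir/ca.key" \
        -subj "/CN=Example Test CA" -out "$dir/ca.crt"
    openssl genrsa -out "$dir/myserver.key" 2048 2>/dev/null
    openssl req -new -key "$dir/myserver.key" \
        -subj "/CN=myserver.example.test" -out "$dir/myserver.csr"
    openssl x509 -req -days 365 -in "$dir/myserver.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -set_serial 01 \
        -out "$dir/myserver.crt" 2>/dev/null
}

# Succeeds only if certificate $2 chains to the CA file $1.
chain_ok() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Succeeds only if private key $1 and certificate $2 share the same RSA modulus.
key_matches_cert() {
    k=$(openssl rsa -noout -modulus -in "$1" | openssl dgst -sha256)
    c=$(openssl x509 -noout -modulus -in "$2" | openssl dgst -sha256)
    [ "$k" = "$c" ]
}

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
make_chain "$work"

if chain_ok "$work/ca.crt" "$work/myserver.crt"; then
    echo "myserver.crt verifies against ca.crt"
fi
if key_matches_cert "$work/myserver.key" "$work/myserver.crt"; then
    echo "myserver.key matches myserver.crt"
fi
if ! key_matches_cert "$work/ca.key" "$work/myserver.crt"; then
    echo "ca.key does not match myserver.crt (expected)"
fi
```

The modulus comparison is a quick check before deploying a key and certificate pair: a mismatch means the server would fail to start TLS with that pair.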

5. Convert certificates between formats

# PKCS#12 to PEM
> openssl pkcs12 -in myserver.pfx -out myserver.pem -nodes
# PEM to DER
> openssl x509 -outform der -in myserver.pem -out myserver.[der|crt]
# Extract the key from a PEM file
> openssl rsa -in myserver.pem -out myserver.key
# DER to PEM
> openssl x509 -inform der -in myserver.[cer|crt] -out myserver.pem
# PEM to PKCS#12
> openssl pkcs12 -export -inkey myserver.key -in myserver.pem -out myserver.pfx -certfile ca.crt
# The same export with the passwords supplied on the command line
# (they are then visible in the process list and shell history)
> openssl pkcs12 -export -inkey ... -passin pass:123456 -passout pass:123456 -out ...

6. Remove the key password protection

Sometimes entering the password every time is too cumbersome; you can remove the key's password protection:

> openssl rsa -in myserver.key -out server.key.insecure

7. Test the certificate

OpenSSL provides simple client and server tools that can be used to simulate SSL connections for testing.

# Connect to a remote server (HOST:PORT stands for the server's address)
> openssl s_client -connect HOST:PORT
# Simulate an HTTPS service that returns OpenSSL-related information
# -accept specifies the port number to listen on
# -cert and -key specify the certificate and key used to provide the service
> openssl s_server -accept 443 -cert myserver.crt -key myserver.key -www
# The key and certificate can be written to the same file
> cat myserver.crt myserver.key > myserver.pem
# Then only one parameter is needed when you use it
> openssl s_server -accept 443 -cert myserver.pem -www
# Save the server's certificate
> openssl s_client -connect HOST:PORT </dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > remoteserver.pem
# Convert it to a DER file so it can be viewed directly under Windows
> openssl x509 -outform der -in remoteserver.pem -out remoteserver.cer

8. Calculate MD5 and SHA1

# MD5 digest
> openssl dgst -md5 filename
# SHA1 digest
> openssl dgst -sha1 filename
