Generating HTTPS certificates with OpenSSL, and related operations for converting certificate formats

Source: Internet
Author: User

Step one: Generate the private key, CSR and other files

When generating a CSR, OpenSSL prompts interactively for the following information:

---
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:New York
Locality Name (eg, city) []:Brooklyn
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Example Brooklyn Company
Organizational Unit Name (eg, section) []:Technology Division
Common Name (e.g. server FQDN or YOUR name) []:examplebrooklyn.com
Email Address []:

The above information is entered one line at a time, or it can be supplied non-interactively with the -subj option:

-subj "/C=US/ST=New York/L=Brooklyn/O=Example Brooklyn Company/CN=examplebrooklyn.com"

  

You can also generate a private key and a CSR file at the same time:

openssl req -newkey rsa:2048 -nodes -keyout domain.key -out domain.csr

The -newkey rsa:2048 option generates a new 2048-bit key using the RSA algorithm.

The -nodes option writes the private key without passphrase encryption, so the key file is stored unprotected on disk.

To generate a CSR file from an existing private key:

openssl req -key domain.key -new -out domain.csr

The -key option specifies the existing private key.

To generate a CSR from an existing CRT file and private key:

openssl x509 -in domain.crt -signkey domain.key -x509toreq -out domain.csr

The -x509toreq option generates a CSR from an X.509 certificate.

Step two: Generate an SSL certificate

To generate a private key and a self-signed certificate:

openssl req -newkey rsa:2048 -nodes -keyout domain.key -x509 -days 365 -out domain.crt

The -days 365 option sets a validity period of 365 days.

To generate a self-signed certificate from an existing private key:

openssl req -key domain.key -new -x509 -days 365 -out domain.crt

  

Step Three: View certificates

CRT and CSR files are encoded in PEM format, so their contents cannot be read directly from the files.

To check the information inside a CSR file (and verify its signature):

openssl req -text -noout -verify -in domain.csr

To check the information inside a CRT file:

openssl x509 -text -noout -in domain.crt

  

Other:

To create a private key (-des3 encrypts it with a passphrase):

openssl genrsa -des3 -out domain.key 2048

To verify the private key:

openssl rsa -check -in domain.key

  

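To verify that the private key matches the CRT and the CSR file, run the following three commands. If the three outputs are identical, the files belong together:

openssl rsa -noout -modulus -in domain.key | openssl md5
openssl x509 -noout -modulus -in domain.crt | openssl md5
openssl req -noout -modulus -in domain.csr | openssl md5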
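
The match check above as a script (an added example, not part of the original article): it compares the full modulus strings instead of MD5 digests and reports an unreadable file as an error, because two failed commands piped into a digest would otherwise produce identical output. The function names, file names and temporary directory are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the original page). File names, the temp directory
# and the subject string are constructed sample values.

# Print the RSA modulus of a key, certificate or CSR; non-zero on bad input.
modulus_of() {  # $1 = key|crt|csr, $2 = file
    case "$1" in
        key) openssl rsa  -noout -modulus -in "$2" 2>/dev/null ;;
        crt) openssl x509 -noout -modulus -in "$2" 2>/dev/null ;;
        csr) openssl req  -noout -modulus -in "$2" 2>/dev/null ;;
        *)   return 2 ;;
    esac
}

# Return 0 if all three files carry the same modulus, 1 if they differ,
# 2 if any file could not be parsed (so two failures never look like a match).
files_match() {  # $1 = key file, $2 = crt file, $3 = csr file
    k=$(modulus_of key "$1") || return 2
    c=$(modulus_of crt "$2") || return 2
    r=$(modulus_of csr "$3") || return 2
    [ -n "$k" ] && [ "$k" = "$c" ] && [ "$k" = "$r" ]
}

# Create sample material: key + CSR, self-signed cert, and an unrelated key.
make_samples() {  # $1 = output directory
    subj="/C=US/ST=New York/L=Brooklyn/O=Example Brooklyn Company/CN=examplebrooklyn.com"
    openssl req -newkey rsa:2048 -nodes -keyout "$1/domain.key" \
        -subj "$subj" -out "$1/domain.csr" 2>/dev/null &&
    openssl req -key "$1/domain.key" -new -x509 -days 365 \
        -subj "$subj" -out "$1/domain.crt" 2>/dev/null &&
    openssl genrsa -out "$1/other.key" 2048 2>/dev/null
}

dir=$(mktemp -d)
trap 'rm -rf "$dir"' EXIT
make_samples "$dir" || exit 1
for key in domain.key other.key; do
    if files_match "$dir/$key" "$dir/domain.crt" "$dir/domain.csr"; then
        echo "$key: matches domain.crt and domain.csr"
    else
        echo "$key: does not match (status $?)"
    fi
done
```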

  

To encrypt a private key:

openssl rsa -des3 -in unencrypted.key -out encrypted.key

To decrypt a private key:

openssl rsa -in encrypted.key -out decrypted.key

  

Convert certificate formats:

Convert PEM to DER:

openssl x509 -in domain.crt -outform der -out domain.der

Convert DER to PEM:

openssl x509 -inform der -in domain.der -out domain.crt

  

Convert PEM to PKCS7:

You can combine one or more CRT files into a single PKCS7 file.

openssl crl2pkcs7 -nocrl -certfile domain.crt -certfile ca-chain.crt -out domain.p7b

PKCS7 (P7B), used in Java keystores and IIS, is an ASCII file that can contain CRT and CA certificate information.

Convert PKCS7 to PEM:

openssl pkcs7 -in domain.p7b -print_certs -out domain.crt

  

Convert PEM to PKCS12:

openssl pkcs12 -inkey domain.key -in domain.crt -export -out domain.pfx

Convert PKCS12 to PEM:

openssl pkcs12 -in domain.pfx -nodes -out domain.combined.crt

Convert PEM to CER:

openssl x509 -inform pem -in cacert.pem -outform der -out certificate.cer

  
