Step one: Generate a private key, CSR and other files
We may need to enter the following information (interactive):
---
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:New York
Locality Name (eg, city) []:Brooklyn
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Example Brooklyn Company
Organizational Unit Name (eg, section) []:Technology Division
Common Name (e.g. server FQDN or YOUR name) []:examplebrooklyn.com
Email Address []:
The above information is entered one line at a time at the prompts, or it can be supplied non-interactively with the -subj option:
-subj "/C=US/ST=New York/L=Brooklyn/O=Example Brooklyn Company/CN=examplebrooklyn.com"
You can also generate a private key and a CSR file at the same time:
openssl req -newkey rsa:2048 -nodes -keyout domain.key -out domain.csr
The -newkey rsa:2048 option means that a new 2048-bit RSA key is generated.
The -nodes option means that the private key is not encrypted with a passphrase.
To generate a CSR file from an existing private key:
openssl req -key domain.key -new -out domain.csr
The -key option specifies the existing private key.
To generate a CSR from an existing CRT file and private key:
openssl x509 -in domain.crt -signkey domain.key -x509toreq -out domain.csr
The -x509toreq option uses the X509 certificate to generate the CSR.
Step two: Generate an SSL certificate
Generate a private key and a self-signed certificate:
openssl req -newkey rsa:2048 -nodes -keyout domain.key -x509 -days 365 -out domain.crt
The -days 365 option sets a validity period of 365 days.
To generate a self-signed certificate from an existing private key:
openssl req -key domain.key -new -x509 -days 365 -out domain.crt
Step three: View certificates
CRT and CSR files are encoded in PEM format, and we cannot read the files directly to get the actual information.
Check the configuration information inside the CSR file:
openssl req -text -noout -verify -in domain.csr
Check the configuration information inside the CRT file:
openssl x509 -text -noout -in domain.crt
Other:
To create a private key:
openssl genrsa -des3 -out domain.key 2048
Verify the private key:
openssl rsa -check -in domain.key
Verify that the private key matches the CRT and the CSR file (the three commands print the same hash when they match):
openssl rsa -noout -modulus -in domain.key | openssl md5
openssl x509 -noout -modulus -in domain.crt | openssl md5
openssl req -noout -modulus -in domain.csr | openssl md5
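The match check above, as an added example that is not part of the original page: it goes beyond the modulus comparison by hashing the whole public key with SHA-256, so it also works for non-RSA keys, and it reports a mismatch when a file cannot be parsed. The function names, other.key and the temporary directory are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example; file names, subject and function names are constructed.

# Print a SHA-256 digest of the public key inside a key, CSR or certificate.
# Fails (non-zero, no output) if the file cannot be parsed.
pub_digest() {   # usage: pub_digest key|csr|crt FILE
    case "$1" in
        key) pem=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1 ;;
        csr) pem=$(openssl req -in "$2" -noout -pubkey 2>/dev/null) || return 1 ;;
        crt) pem=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1 ;;
        *)   return 2 ;;
    esac
    [ -n "$pem" ] || return 1
    printf '%s\n' "$pem" | openssl dgst -sha256
}

# Return 0 only if the key, CSR and certificate all carry the same public key.
same_keypair() {   # usage: same_keypair KEY CSR CRT
    k=$(pub_digest key "$1") || return 1
    r=$(pub_digest csr "$2") || return 1
    c=$(pub_digest crt "$3") || return 1
    [ "$k" = "$r" ] && [ "$k" = "$c" ]
}

# Create constructed sample files in directory $1: a key with its CSR and
# self-signed certificate, plus an unrelated key (other.key).
make_samples() {
    subj="/C=US/ST=New York/L=Brooklyn/O=Example Brooklyn Company/CN=examplebrooklyn.com"
    openssl req -newkey rsa:2048 -nodes -keyout "$1/domain.key" \
        -subj "$subj" -out "$1/domain.csr" 2>/dev/null &&
    openssl req -key "$1/domain.key" -new -x509 -days 365 \
        -subj "$subj" -out "$1/domain.crt" 2>/dev/null &&
    openssl genrsa -out "$1/other.key" 2048 2>/dev/null
}

dir=$(mktemp -d)
make_samples "$dir"
same_keypair "$dir/domain.key" "$dir/domain.csr" "$dir/domain.crt" &&
    echo "domain.key matches the CSR and certificate"
same_keypair "$dir/other.key" "$dir/domain.csr" "$dir/domain.crt" ||
    echo "other.key does NOT match the CSR and certificate"
rm -rf "$dir"
```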
Encrypt private key:
openssl rsa -des3 -in unencrypted.key -out encrypted.key
Decrypt the private key:
openssl rsa -in encrypted.key -out decrypted.key
Convert certificate format:
Convert PEM to DER:
openssl x509 -in domain.crt -outform der -out domain.der
Convert DER to PEM:
openssl x509 -inform der -in domain.der -out domain.crt
Convert PEM to PKCS7:
You can join one or more CRT files.
openssl crl2pkcs7 -nocrl -certfile domain.crt -certfile ca-chain.crt -out domain.p7b
PKCS7 (P7B), used in Java keystores and IIS, is an ASCII file that can contain CRT and CA certificate information.
Convert PKCS7 to PEM:
openssl pkcs7 -in domain.p7b -print_certs -out domain.crt
Convert PEM to PKCS12:
openssl pkcs12 -inkey domain.key -in domain.crt -export -out domain.pfx
Convert PKCS12 to PEM:
openssl pkcs12 -in domain.pfx -nodes -out domain.combined.crt
Convert PEM to CER:
openssl x509 -inform pem -in cacert.pem -outform der -out certificate.cer
Using OpenSSL to generate HTTPS certificates, and various related operations for converting certificate formats