Generate a certificate using OpenSSL

Source: Internet
Author: User
Tags aliases base64 begin rsa private key hash openssl openssl rsa openssl x509 valid

I. Introduction of OpenSSL

OpenSSL is currently the most popular SSL cipher library tool that provides a common, robust, and fully functional suite of tools to support the implementation of the SSL/TLS protocol.
Official website: component cipher algorithm library key and certificate encapsulation management function SSL Communication API Interface use establish RSA, DH, DSA key parameter establish the certificate of , Certificate signing Request (CSR), and CRLs (certificate recycling list) Compute Message digest use various cipher encrypt/Decrypt SSL/TLS client and Server test processing S/MIME or encrypted mail Two, RSA key operation

By default, the OpenSSL output format is Pkcs#1-pem

Generate RSA private key (no encryption)

OpenSSL genrsa-out Rsa_private.key 2048

generate RSA Public key

OpenSSL rsa-in rsa_private.key-pubout-out Rsa_public.key

Generate RSA private key (using aes256 encryption)

OpenSSL genrsa-aes256-passout pass:111111-out Rsa_aes_private.key 2048

where passout instead of the shell for password input, otherwise you will be prompted to enter a password;
After generating the encrypted content, such as:

DEK-INFO:AES-256-CBC, 5584d000dddd53dd5b12ae935f05a007
Base64 encoded Data

If a public key is generated , a password is required

OpenSSL rsa-in rsa_aes_private.key-passin pass:111111-pubout-out Rsa_public.key

where passout in place of the shell for password input, otherwise you will be prompted to enter a password; conversion command

private key to non-encrypted

OpenSSL rsa-in rsa_aes_private.key-passin pass:111111-out Rsa_private.key

private key to encryption

OpenSSL rsa-in rsa_private.key-aes256-passout pass:111111-out Rsa_aes_private.key

private key Pem Goto der

OpenSSL rsa-in rsa_private.key-outform der-out Rsa_aes_private.der

The-inform and-outform parameters are developed in the input/output format, which is the same as the DER to PEM format

View private key details

OpenSSL rsa-in Rsa_private.key-noout-text

Use the-pubin parameter to view public key details

private key pkcs#1 turn pkcs#8

OpenSSL pkcs8-topk8-in rsa_private.key-passout pass:111111-out Pkcs8_private.key

Where-passout specified the password, the output of the PKCS8 format key is encrypted form, PKCS8 by default DES3 encryption algorithm, the content is as follows:

-----BEGIN ENCRYPTED Private key-----
Base64 encoded Data

Use the-nocrypt parameter to output a non-encrypted PKCS8 key, as follows:

-----BEGIN Private Key-----
Base64 encoded Data
-----END Private Key-----
Iii. generating a self-signed certificate

generate RSA private and self-signed certificates

OpenSSL req-newkey rsa:2048-nodes-keyout rsa_private.key-x509-days 365-out cert.crt

Req is a sub-command of the certificate request,-newkey Rsa:2048-keyout PRIVATE_KEY.PEM represents the generated private key (PKCS8 format),-nodes indicates that the private key is not encrypted, if no parameters will prompt for the password;
-x509 represents the output certificate,-days365 is the validity period, after which the certificate owner information is entered as prompted;
To perform automatic input, use the -subj option:

OpenSSL req-newkey rsa:2048-nodes-keyout rsa_private.key-x509-days 365-out cert.crt-subj "/C=CN/ST=GD/L=SZ/O=vihoo/ Ou=dev/ "

generating a self-signed certificate using an existing RSA private key

OpenSSL req-new-x509-days 365-key rsa_private.key-out cert.crt

-new refers to generating a certificate request, plus-x509 for direct output of the certificate,-key specifying the private key file, the remaining options are the same as the above command four, generating a signature request and CA signing

generating a CSR signing request using the RSA private key

OpenSSL genrsa-aes256-passout pass:111111-out server.key 2048
OpenSSL req-new-key server.key-out SERVER.CSR

After that, enter the password, the server certificate information is complete, or you can specify various parameters on the command line

OpenSSL req-new-key server.key-passin pass:111111-out server.csr-subj "/c=cn/st=gd/l=sz/o=vihoo/ou=dev/ "

The resulting CSR signature request file can be submitted to the CA for issuance * * *

View the details of a CSR

-----BEGIN CERTIFICATE Request-----
-----END CERTIFICATE Request-----

OpenSSL req-noout-text-in SERVER.CSR

use CA certificate and CA key to sign the request to issue certificate, generate X509 certificate

OpenSSL x509-req-days 3650-in server.csr-ca ca.crt-cakey ca.key-passin pass:111111-cacreateserial-out server.crt

Where the CAXXX option is used to specify the CA parameter input v. Certificate viewing and Conversion

View Certificate Details

OpenSSL x509-in Cert.crt-noout-text

Convert certificate encoding format

OpenSSL x509-in cert.cer-inform der-outform pem-out Cert.pem

Synthetic pkcs#12 certificate (with private key)

* * transfer PEM certificate and private key to PKCS#12 certificate * *

OpenSSL pkcs12-export-in server.crt-inkey server.key-passin pass:111111-password pass:111111-out server.p12

Where-export directs the PKCS#12 certificate,-inkey specifies the private key file,-passin the private key (file) password (nodes to no encryption),-password Specify the password for the P12 file (Import Export)

* * synthesize the PEM certificate and private key/CA certificate pkcs#12 Certificate * *

OpenSSL pkcs12-export-in server.crt-inkey server.key-passin pass:111111 \
    -chain-cafile Ca.crt-password pass:111 111-out SERVER-ALL.P12

Where-chain indicates that the certificate chain is added at the same time,-cafile specifies the CA certificate, and the exported P12 file will contain multiple certificates. (Other options:-name can be used to specify server certificate aliases;-caname to specify CA certificate aliases)

* * pcks#12 extracting PEM file (with private key) * *

OpenSSL pkcs12-in server.p12-password pass:111111-passout pass:111111-out Out/server.pem

Where-password specifies the password for the P12 file (Import Export),-passout refers to the encrypted password of the output private key (nodes is no encryption)
The exported file is in PEM format and contains both the certificate and the private key (PKCS#8):

Bag Attributes
    localkeyid:97 DD 3D 1E A6 EF 3B 2E 4 A a bayi 4F one-E7 1F 
subject=/c=cn/st=gd/l=sz/o= Vihoo/ou=dev/
Bag Attributes
    localkeyid:97 DD 3D 1E A6 EF 3B 2E 4 A, Bayi 4F one, E7 1F 
, Key Attributes: <no attribut es>
miievaibadanbgkqhkig9w0baqefaascbkywggsiageaaoibaqdc/ 6RAC1YAPRNF

extract private key only

OpenSSL pkcs12-in server.p12-password pass:111111-passout pass:111111-nocerts-out Out/key.pem

Extract certificates only (all certificates)

OpenSSL pkcs12-in Server.p12-password pass:111111-nokeys-out Out/key.pem

extracting CA certificates only

extracting only server certificates

vi.. OpenSSL Command Reference
1. OpenSSL list-standard-commands (Standard command) 1) Asn1parse:asn1parse used to interpret statements written in ans.1 syntax (ASN is typically used to define the composition of the syntax) 2) CA:CA for CA management OpenSSL CA [options]: 2.1)-selfsign The certificate is issued using a key pair that is signed for the certificate request.
        That is, "self-signed," which occurs when the client generating the certificate, the CA that issued the certificate is the same machine (and most of our experiments), we can use the same key pair for "self-signed" 2.2)-in file needs to be processed in PEM format certificate 2.3)-out The certificate file that was output after the file processing ended 2.4)-cert file for issuing the root CA certificate 2.5)-days ARG designation issued  The certificate's valid time 2.6)-keyfile arg CA's private key certificate file 2.7)-keyform arg CA's root private key certificate file format: 2.7.1)    
        PEM 2.7.2) ENGINE 2.8)-key arg CA's root private key certificate file decryption password (if encrypted) 2.9)-config file  Configuration file example1: Signing request certificate with CA certificate OpenSSL ca-in server.csr-out server.crt-cert ca.crt-keyfile ca.key 3)
            REQ:X.509 Certificate Issuance request (CSR) Management OpenSSL req [options] <infile >outfile 3.1)-inform arg input file format   3.1.1) DER 3.1.2) PEM 3.2)-outform arg
        Output file format 3.2.1) DER 3.2.2) PEM 3.3)-in arg pending file 3.4)-out arg
        Pending output file 3.5)-passin The private key file that is used to sign the request certificate to be generated 3.6)-key file is used to sign the private key of the requested certificate to be generated 3.7)-keyform Arg 3.7.1) DER 3.7.2) NET 3.7.3) PEM 3.8)-new New Request 3.9)-x509 output a X509-formatted certificate 3.10)-days X509 The valid time 3.11)-newkey RS A:bits generates a BITS-length RSA private key file for signing 3.12)-[digest] hash algorithm 3.12.1) MD5 3.12. 2) SHA1 3.12.3) MD2 3.12.4) mdc2 3.12.5) MD4 3.13)-config file Specify O Penssl configuration file 3.14)-text:text display format example1: Create a self-signed CA certificate with CA's RSA key (the structure of the last) OpenSSL Req-new-x509-days 3 650-key server.key-out ca.crt example2: Generate certificate with Server.key sign request CSR (this CSR is used to send out pending CA center pending issue) OpenSSL Req-new-key serv
 Er.key-out SERVER.CSR   Example3: View the details of the CSR OpenSSL req-noout-text-in SERVER.CSR 4) Genrsa: Generating RSA parameters OpenSSL Genrsa [args] [Numbi TS] [args] 4.1) whether the generated private key file is to be symmetric encrypted using an encryption algorithm: 4.1.1)-DES:CBC mode des encryption 4.1.2)-DES3:CB C-mode des encryption 4.1.3)-AES128:CBC mode AES128 encryption 4.1.4)-AES192:CBC-mode AES192 encryption 4.1.5)-aes256  : CBC mode of AES256 encryption 4.2)-passout Arg:arg for symmetric encryption (DES, DES, AES) password (using this parameter eliminates the console interaction prompts to enter the password link) 4.3)-out file: Output certificate private key file [Numbits]: Key Length example: Generate a 1024-bit RSA private key with DES encryption (password 1111), save as Server.key file OpenSSL genrsa-out se  Rver.key-passout pass:1111-des3 1024x768 5) RSA:RSA Data Management openssl RSA [options] <infile >outfile 5.1)
         -inform arg input key file format: 5.1.1) DER (ASN1) 5.1.2) NET 5.1.3) PEM (Base64 encoded format)  5.2)-outform arg output key file format 5.2.1) DER 5.2.2) NET 5.2.3) PEM 5.3) -in arg pending key file 
        5.4)-passin Arg Enter the decryption key for this encryption key file (if the encryption algorithm is selected when generating this key file) 5.5)-out arg to output key file
        5.6)-passout ARG If you want the output key file to continue to use the encryption algorithm then specify the password 5.7)-DES:CBC Mode des encryption 5.8)-DES3:CBC Mode des encryption 5.9)-AES128:CBC mode AES128 encryption 5.10)-AES192:CBC mode AES192 encryption 5.11)-AES256:CBC mode AES256 encryption 5.  -text: Print key in text form key data 5.13)-noout: Do not print key key data 5.14)-pubin: Check whether the pending file is a public key file 5.15)-pubout: Output public key file example1: Decryption of the private key file OpenSSL rsa-in server.key-passin pass:111-out server_nopass.key example:2: Using the private key File generates corresponding public key file OpenSSL rsa-in server.key-passin pass:111-pubout-out server_public.key 6) X509: This directive is a very rich card Book Processing tools.
            Can be used to display the contents of the certificate, to convert its format, to the CSR signature, such as the management of the certificates of the certificate of "OpenSSL X509 [args] 6.1)-inform arg pending processing X509 certificate file format
            6.1.1) DER 6.1.2) NET 6.1.3) PEM 6.2)-outform arg to output X509 certificate file format
      6.2.1) DER      6.2.2) NET 6.2.3) PEM 6.3)-in arg pending X509 certificate file 6.4)-out arg pending output X509 certificate file 6.5)-req indicates that the input file is a "request to sign a certificate file (CSR)", waiting to be issued 6.6)-days ARG indicates that it will 
        The validity time of the issued Certificate 6.7)-ca arg specifies the root CA certificate used to issue the request Certificate 6.8)-caform ARG root CA certificate format (default is PEM)  
        6.9)-cakey ARG specifies the CA private key certificate file that is used to issue the request certificate, and if the option has no parameter input, the default is that the private key is 6.10 in the CA certificate file)-cakeyform arg Specify the root CA private key certificate file format (default to PEM format) 6.11)-caserial arg Specifies the serial number file (serial. a) 6.12)-cacreateser  Ial automatically creates a serial number file if it is not specified example1: Convert der Certificate to PEM format OpenSSL x509-in cert.cer-inform Der-outform pem-out Cert.pem example2: Use the root CA certificate to sign the "Request signing certificate", generate x509 format certificate OpenSSL x509-req-days 3650-in server.  Csr-ca ca.crt-cakey ca.key-cacreateserial-out server.crt example3: Print out the contents of the certificate OpenSSL x509-in server.crt-noout -text 7) Crl:crlis the format used to manage CRL list OpenSSL CRL [args] 7.1)-inform arg input file 7.1.1) DER (DER Encoded CRL object)
            7.1.2) PEM (default format) (Base64 encoded CRL object) 7.2)-outform arg Specifies the output format of the file 7.2.1) DER (DER-Encoded CRL object) 7.2.2) PEM (default format)
        (Base64 encoded CRL object) 7.3)-text: Prints the CRL information value in text format. 7.4)-in The input file name specified by filename.
        The default is standard input. 7.5)-out The output file name specified by filename.
        The default is standard output. 7.6)-hash The hash value of the output issuer information value.
        This can be used to query a CRL object in a file based on the hash value of the issuer information value. 7.7)-

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.