SSL certificate directive

Source: Internet
Author: User
Tags md5 digest openssl rsa openssl x509 pkcs12 generate self signed certificate ssl certificate password protection self signed certificate

Go from: http://blog.csdn.net/madding/article/details/26717963 generate self signed certificate# Generate a key, your private key, OpenSSL will prompt you to enter a password, you can enter, you can not lose,
# Enter the words, each time you use this key to enter the password, security, or there should be a password protection > OpenSSL genrsa-des3-out selfsign.key4096# uses the key generated above to generate a certificate Signing Request (CSR) # If your key is password protected, OpenSSL will first ask for your password and then ask you a series of questions, # where common Name (CN) is the most important, it represents your certificate to represent the target, if you request a certificate for the website, You need to add your domain name. > OpenSSL req-new-key selfsign.key-out selfsign.csr# generate self signed certificate SELFSIGN.CRT is the certificate we generated > OpenSSL x509-req-days 365-out selfsign.crt# Another easy way is to generate key and certificate > OpenSSL req-x509-nodes-days 365-newkey rsa:
Build your own CA (Certificate authority)
# key> OpenSSL genrsa-des3-out Ca.key to generate CA4096# Generate CA certificate > OpenSSL req-new-x509-days 365-key Ca.key-outca.crt# generate our key and CSR These two steps are the same as in the self signed above > OpenSSL genrsa-des3-out myserver.key 4096> OpenSSL req-new-key myserver.key-outmyserver.csr# use CA's certificate and key , generate our Certificate # here set_serial indicates the serial number of the certificate, if the certificate expires (365 days later), # or the certificate key leaks, need to re-certification, it is necessary to add 1> OpenSSL x509-req-days 365-in Myserver.csr-ca ca.crt-cakey ca.key-set_serial 01-out myserver.crt       
View certificates
# view Key Info > OpenSSL rsa-noout-text-in myserver.key# view CSR Information > OpenSSL req-noout-text-in myserver . csr# View Certificate Information > OpenSSL x509-noout-text-in ca.crt# authentication certificate # will prompt self signed> OpenSSL verify selfsign.crt# because For MYSERVER.CRT is CA.CRT released, so will verify success > OpenSSL verify-cafile ca.crt myserver.crt      
Remove Key's password protection

Sometimes it is too cumbersome to enter the password, you can remove the key protection password

> OpenSSL RSA-inmyserver.key-out server.key.insecure
Conversion of certificates in different formats
# PKCS conversion to pem> OpenSSL pkcs12-inmyserver.pfx-out myserver.pem-nodes
# PEM conversion to der> OpenSSL X509-outform der-inMyserver.pem-outmyserver.[ DER|CRT] 
# PEM Extract Key
> OpenSSL rsa-in myserver.pem-out myserver.key# der Convert to pem> OpenSSL X509-inform der-inmyserver.[ CER|CRT]-outmyserver.pem# PEM conversion to pkcs> OpenSSL pkcs12-export-out myserver.pfx-inkey myserver.key-inMyserv Er.pem-certfile ca.crt   
Test Certificate

OpenSSL provides simple client and server tools that can be used to simulate SSL connections for testing.

# Connect to remote server > OpenSSL s_client-connect www.google.com.hk:443# analog HTTPS service, can return OpenSSL related information #-Accept is used to specify the port number of the listener #-cert-Key is used to specify the key and certificate for service delivery > OpenSSL s_server-accept443-cert Myserver.crt-key Myserver.key-www# can write keys and certificates to the same file >Cat Myserver.crt Myserver.key >myserver.pem# when using only one parameter is available > OpenSSL s_server-accept443-cert Myserver.pem-www# can save the server's certificate > OpenSSL s_client-connect www.google.com.hk:443 </dev/null | sed-ne  /-begin certificate-/,/-end certificate-/p >< Span style= "FONT-SIZE:0.9EM; line-height:1.5! important; " > remoteserver.pem# convert to der Files, you can view > OpenSSL x509-outform der-in remoteserver.pem-out remoteserver.cer          
calculate MD5 and SHA1
# MD5 digest> OpenSSL dgst-MD5 filename# SHA1 digest> OpenSSL dgst-sha1 Filenam

SSL certificate directive

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.