Reposted from: http://blog.csdn.net/madding/article/details/26717963
Generate a self-signed certificate
# Generate a key, your private key. OpenSSL will prompt you for a passphrase; you can enter one or not.
# If you enter one, you must type it every time you use this key. For security, the key should still be passphrase-protected.
> openssl genrsa -des3 -out selfsign.key 4096
# Use the key generated above to create a Certificate Signing Request (CSR).
# If your key is passphrase-protected, OpenSSL first asks for the passphrase and then asks a series of questions.
# The Common Name (CN) is the most important: it identifies the target the certificate represents. If you are requesting a certificate for a website, enter your domain name.
> openssl req -new -key selfsign.key -out selfsign.csr
# Generate the self-signed certificate; selfsign.crt is the certificate we produce
> openssl x509 -req -days 365 -in selfsign.csr -signkey selfsign.key -out selfsign.crt
# Another, simpler way is to generate the key and certificate in one step
> openssl req -x509 -nodes -days 365 -newkey rsa:
Build your own CA (Certificate authority)
# Generate the CA key
> openssl genrsa -des3 -out ca.key 4096
# Generate the CA certificate
> openssl req -new -x509 -days 365 -key ca.key -out ca.crt
# Generate our key and CSR; these two steps are the same as in the self-signed case above
> openssl genrsa -des3 -out myserver.key 4096
> openssl req -new -key myserver.key -out myserver.csr
# Use the CA's certificate and key to generate our certificate.
# Here -set_serial sets the certificate's serial number. If the certificate expires (365 days later)
# or its key leaks and the certificate has to be reissued, increase the serial number by 1.
> openssl x509 -req -days 365 -in myserver.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out myserver.crt
View certificates
# View key information
> openssl rsa -noout -text -in myserver.key
# View CSR information
> openssl req -noout -text -in myserver.csr
# View certificate information
> openssl x509 -noout -text -in ca.crt
# Verify a certificate
# This one is reported as self-signed
> openssl verify selfsign.crt
# Because myserver.crt was issued by ca.crt, this verification succeeds
> openssl verify -CAfile ca.crt myserver.crt
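The CA workflow and verification commands above, as an added example that is not part of the original post: it runs them unattended in a temporary directory and checks the outcome. The -subj names, the 2048-bit key size, the unencrypted demo keys and the helper function names are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example: the page's CA workflow, run unattended in a scratch directory.
# Assumptions: -subj names and 2048-bit keys are constructed for the demo, and
# the keys are left unencrypted only because the directory is deleted afterwards.

# Create a CA in directory $1, then issue myserver.crt from it.
issue_cert() {
    dir=$1
    openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null &&
    openssl req -new -x509 -days 365 -key "$dir/ca.key" \
        -subj "/CN=Demo Test CA" -out "$dir/ca.crt" &&
    openssl genrsa -out "$dir/myserver.key" 2048 2>/dev/null &&
    openssl req -new -key "$dir/myserver.key" \
        -subj "/CN=myserver.example.test" -out "$dir/myserver.csr" &&
    openssl x509 -req -days 365 -in "$dir/myserver.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -set_serial 01 \
        -out "$dir/myserver.crt" 2>/dev/null
}

# Succeed only if certificate $2 chains to CA certificate $1.
chains_to_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Succeed only if certificate $1 carries the public key of private key $2.
# Both variables stay empty when a file cannot be read, so that case fails too.
key_matches_cert() {
    cert_pub=$(openssl x509 -noout -pubkey -in "$1" 2>/dev/null)
    key_pub=$(openssl pkey -pubout -in "$2" 2>/dev/null)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Demo run: build everything, check it, clean up.
demo_dir=$(mktemp -d)
if issue_cert "$demo_dir" &&
   chains_to_ca "$demo_dir/ca.crt" "$demo_dir/myserver.crt" &&
   key_matches_cert "$demo_dir/myserver.crt" "$demo_dir/myserver.key"
then
    echo "myserver.crt verifies against ca.crt and matches myserver.key"
else
    echo "certificate check failed" >&2
fi
rm -rf "$demo_dir"
```

Comparing the public key extracted from the certificate with the one derived from the private key catches the common mistake of pairing a certificate with the wrong key file before a server is started with them.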
Remove Key's password protection
Sometimes entering the passphrase every time is too cumbersome; you can remove the key's passphrase protection. The output file then holds the private key unencrypted.
> openssl rsa -in myserver.key -out server.key.insecure
Conversion of certificates in different formats
# PKCS#12 to PEM
> openssl pkcs12 -in myserver.pfx -out myserver.pem -nodes
# PEM to DER
> openssl x509 -outform der -in myserver.pem -out myserver.[der|crt]
# Extract the key from a PEM file
> openssl rsa -in myserver.pem -out myserver.key
# DER to PEM
> openssl x509 -inform der -in myserver.[cer|crt] -out myserver.pem
# PEM to PKCS#12
> openssl pkcs12 -export -out myserver.pfx -inkey myserver.key -in myserver.pem -certfile ca.crt
Test Certificate
OpenSSL provides simple client and server tools that can be used to simulate SSL connections for testing.
# Connect to a remote server
> openssl s_client -connect www.google.com.hk:443
# Simulate an HTTPS service that returns OpenSSL-related information
# -accept specifies the port to listen on
# -cert and -key specify the certificate and key the service uses
> openssl s_server -accept 443 -cert myserver.crt -key myserver.key -www
# The key and certificate can be written to the same file
> cat myserver.crt myserver.key > myserver.pem
# Then only one parameter is needed
> openssl s_server -accept 443 -cert myserver.pem -www
# Save the remote server's certificate
> openssl s_client -connect www.google.com.hk:443 </dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > remoteserver.pem
# Convert it to a DER file, which you can then view
> openssl x509 -outform der -in remoteserver.pem -out remoteserver.cer
Calculate MD5 and SHA1
# MD5 digest
> openssl dgst -md5 filename
# SHA1 digest
> openssl dgst -sha1 filename
SSL certificate directive