Use OpenSSL to generate certificates (including OpenSSL)

Source: Internet
Author: User
Tags base64 begin rsa private key openssl openssl rsa openssl x509 pkcs12
1.introduction of OpenSSL

OpenSSL is currently the most popular SSL password library tool, it provides a universal, robust, full-featured tool suite to support the implementation of the SSL/TLS protocol.
Official website: composing partial cipher algorithm library key and certificate encapsulation management function SSL Communication API Interface use establish RSA, DH, DSA key parameters to establish X.509 Certificates, certificate signing requests (CSRs), and CRLs (certificate recycling list) Compute Message Digest use various cipher encryption/decryption SSL/TLS client and server tests to handle S/MIME or encrypted mail 

2. RSA key operations

By default, the OpenSSL output format is PKCS#1-PEM

Generate RSA private key (no encryption)

OpenSSL genrsa-out Rsa_private.key 2048

Generate RSA Public key

OpenSSL rsa-in rsa_private.key-pubout-out Rsa_public.key

Generate RSA private key (using AES256 encryption)

OpenSSL genrsa-aes256-passout pass:111111-out Rsa_aes_private.key 2048

where passout instead of shell for password input, otherwise prompts to enter the password;
After you generate the encrypted content, such as:

DEK-INFO:AES-256-CBC, 5584d000dddd53dd5b12ae935f05a007
Base64 encoded Data
-----End RSA PRIVATE KEY-----

If you generate the public key at this time, you need to provide a password

OpenSSL rsa-in rsa_aes_private.key-passin pass:111111-pubout-out Rsa_public.key

Where the passout instead of the shell for password input, otherwise prompted to enter a password; conversion command

Private key to non-encryption

OpenSSL rsa-in rsa_aes_private.key-passin pass:111111-out Rsa_private.key

Private key transfer encryption

OpenSSL rsa-in rsa_private.key-aes256-passout pass:111111-out Rsa_aes_private.key

Private key Pem Turn der

OpenSSL rsa-in rsa_private.key-outform der-out Rsa_aes_private.der

-inform and-outform parameters are developed in the input-output format, which is the same as Der-PEM format

View private key Details

OpenSSL rsa-in Rsa_private.key-noout-text

Use the-pubin parameter to view public key details

Private key pkcs#1 Turn pkcs#8

OpenSSL pkcs8-topk8-in rsa_private.key-passout 
pass:111111-out Pkcs8_private.key

Where-passout specified the password, the output of the PKCS8 format key is encrypted form, pkcs8 default using the DES3 encryption algorithm, the contents are as follows:

-----BEGIN ENCRYPTED Private key-----
Base64 encoded Data
-----End ENCRYPTED Private key-----

Use the-nocrypt parameter to output an unencrypted Pkcs8 key, as follows:

-----BEGIN Private Key-----
Base64 encoded Data
-----End Private Key-----
3. generate a self-signed certificate

Generate RSA private key and self-signed certificate

OpenSSL req-newkey rsa:2048-nodes-keyout 
rsa_private.key-x509-days 365-out cert.crt

Req is the child command of the certificate request,-newkey Rsa:2048-keyout PRIVATE_KEY.PEM represents the generation of the private key (PKCS8 format),-nodes means the private key is not encrypted, if not with parameters will prompt input password;
-x509 indicates that the output certificate,-days365 for the validity period, then enter the certificate owner information according to the prompts;
To perform automatic input, use the-SUBJ option:

OpenSSL req-newkey rsa:2048-nodes-keyout rsa_private.key-x509-days 
365-out cert.crt-subj "/C=CN/ST=GD/L=SZ/O=vihoo/ Ou=dev/ "

To generate a self-signed certificate using an existing RSA private key

OpenSSL req-new-x509-days 365-key rsa_private.key-out cert.crt

-new refers to generating a certificate request, plus-x509 representing the direct output certificate,-key specifies the private key file, and the remaining options are the same as the above command four, generating signature requests and CA signing

To generate a CSR signature request using the RSA private key

OpenSSL genrsa-aes256-passout pass:111111-out server.key 
2048 OpenSSL req-new-key server.key-out SERVER.CSR

Then enter the password, server certificate information complete, or command line to specify various parameters

OpenSSL req-new-key server.key-passin pass:111111-out 
server.csr-subj "/c=cn/st=gd/l=sz/o=vihoo/ou=dev/ "

The CSR signature request file generated at this time can be submitted to the CA for issuance * * *

View details of CSR

-----BEGIN Certificate Request-----
-----End Certificate Request-----

OpenSSL req-noout-text-in SERVER.CSR

Use CA certificate and CA key to sign the request issuing certificate, generate X509 Certificate

OpenSSL x509-req-days 3650-in server.csr-ca ca.crt-cakey 
ca.key-passin pass:111111-cacreateserial-out server.crt

Where the CAXXX option is used to specify CA parameter input v. Certificate viewing and Conversion

View Certificate Details

OpenSSL x509-in Cert.crt-noout-text

Convert Certificate encoding format

OpenSSL x509-in cert.cer-inform der-outform pem-out Cert.pem

Synthetic PKCS#12 certificate (including private key)

* * Transfer PEM certificate and private key to PKCS#12 certificate * *

OpenSSL pkcs12-export-in server.crt-inkey server.key-passin 
Pass:111111-password pass:111111-out

Where-export directs the PKCS#12 certificate,-inkey specifies the private key file,-passin the private key (file) password (nodes is unencrypted),-password the password for the specified P12 file (Import Export)

* * Combine the PEM certificate and private key/CA Certificate pkcs#12 Certificate * *

OpenSSL pkcs12-export-in server.crt-inkey server.key-passin
 pass:111111 \-chain-cafile Ca.crt-password pass:111
    111-out SERVER-ALL.P12

Where-chain indicates that the certificate chain is added at the same time,-cafile the CA certificate is specified, and the exported P12 file will contain multiple certificates. (Other option:-name can be used to specify a server certificate alias;-caname to specify the CA certificate alias)

* * Pcks#12 extract PEM file (including private key) * *

OpenSSL pkcs12-in server.p12-password pass:111111-passout pass:111111-out Out/server.pem

Where-password specifies the password for the P12 file (Import Export),-passout the encrypted password for the output private key (nodes is unencrypted)
The exported file is in PEM format and contains both the certificate and private key (PKCS#8):

Bag Attributes
    localkeyid:97 DD 3D 1E EF 3B 2E 4 A (Bayi 4F) A6 E7 1F 
subject=/c=cn/st=gd/l=sz/o= Vihoo/ou=dev/
-----BEGIN Certificate-----
-----End Certificate-----
Bag Attributes
    localkeyid:97 DD 3D 1E A6 EF 3B 2E 4 A, Bayi 4F one E7 1F 
Key Attributes: <no attribut es>
miievaibadanbgkqhkig9w0baqefaascbkywggsiageaaoibaqdc/ 6RAC1YAPRNF

Extract private key only

OpenSSL pkcs12-in Server.p12-password pass:111111-passout Pass:

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.