Use OpenSSL to generate certificates (including OpenSSL)

Source: Internet
Author: User
1. Introduction to OpenSSL


OpenSSL is currently the most widely used SSL cryptographic library and toolkit. It provides a general-purpose, robust, full-featured tool suite that implements the SSL/TLS protocols.
Official website: https://www.openssl.org/source/
It consists of a cryptographic algorithm library, key and certificate encapsulation and management functions, and an SSL communication API. It can be used to generate RSA, DH and DSA key parameters; create X.509 certificates, certificate signing requests (CSRs) and certificate revocation lists (CRLs); compute message digests; encrypt and decrypt with various ciphers; test SSL/TLS clients and servers; and handle S/MIME signed or encrypted mail.

2. RSA key operations



By default, OpenSSL writes RSA keys in PKCS#1 PEM format (this applies to OpenSSL 1.1.1 and earlier; from OpenSSL 3.0, genrsa and rsa write PKCS#8 PEM unless -traditional is given).



Generate an RSA private key (unencrypted)


openssl genrsa -out rsa_private.key 2048


Generate the RSA public key from the private key


openssl rsa -in rsa_private.key -pubout -out rsa_public.key


Generate an RSA private key (encrypted with AES-256)


openssl genrsa -aes256 -passout pass:111111 -out rsa_aes_private.key 2048


-passout supplies the password on the command line instead of reading it from the terminal; without it, OpenSSL prompts for one.
The encrypted key that is generated looks like this:


-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,5584d000dddd53dd5b12ae935f05a007
Base64 encoded data
-----END RSA PRIVATE KEY-----


To derive the public key from this key, the password must now be supplied:


openssl rsa -in rsa_aes_private.key -passin pass:111111 -pubout -out rsa_public.key


-passin supplies the private key password in the same way; without it, OpenSSL prompts for one. Conversion commands:



Remove the encryption from a private key


openssl rsa -in rsa_aes_private.key -passin pass:111111 -out rsa_private.key


Encrypt a private key


openssl rsa -in rsa_private.key -aes256 -passout pass:111111 -out rsa_aes_private.key


Convert a private key from PEM to DER


openssl rsa -in rsa_private.key -outform der -out rsa_aes_private.der


-inform and -outform select the input and output encoding, either DER or PEM (PEM is the default for both).



View private key details


openssl rsa -in rsa_private.key -noout -text


Add the -pubin parameter to view the details of a public key file instead.



Convert a private key from PKCS#1 to PKCS#8


openssl pkcs8 -topk8 -in rsa_private.key -passout pass:111111 -out pkcs8_private.key



-passout sets the password, so the PKCS#8 key is written in encrypted form; pkcs8 encrypts with DES3 by default (in OpenSSL 1.0.x; OpenSSL 1.1.0 and later default to AES-256-CBC with PBKDF2). The output looks like this:


-----BEGIN ENCRYPTED PRIVATE KEY-----
Base64 encoded data
-----END ENCRYPTED PRIVATE KEY-----


Use the -nocrypt parameter to output an unencrypted PKCS#8 key, which looks like this:


-----BEGIN PRIVATE KEY-----
Base64 encoded data
-----END PRIVATE KEY-----
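The key operations of section 2 chained into one checked script, as an added example that is not code from the original article: it pushes a single RSA key through every container shown above (PKCS#1 PEM, AES-encrypted PEM, DER, encrypted and plain PKCS#8) and confirms that each file still holds the same key by comparing the public-key fingerprints. It assumes a POSIX shell with OpenSSL 1.1.1 or later on PATH; the password and file names follow the article.

```shell
#!/bin/sh
# Added example (not from the original article): round-trip one RSA key through the
# formats of section 2 and check that every form still carries the same key.
# Assumes a POSIX shell with OpenSSL 1.1.1+ on PATH; password/file names follow the article.

# Fingerprint of the public half of an RSA key file, whatever its container.
# Two files describe the same key exactly when these fingerprints match.
pubkey_fp() {   # usage: pubkey_fp <keyfile> [extra openssl rsa options, e.g. -inform der]
  f=$1; shift
  openssl rsa -in "$f" "$@" -pubout -outform der 2>/dev/null | openssl dgst -sha256 | cut -d' ' -f2
}

# Generate the key, convert it through every format from the article, then compare.
# Prints OK and returns 0 only if every converted file yields the reference fingerprint.
check_key_roundtrip() {
  pw='pass:111111'
  work=$(mktemp -d) || return 1
  ( cd "$work" &&
    openssl genrsa -out rsa_private.key 2048 2>/dev/null &&
    openssl rsa -in rsa_private.key -pubout -out rsa_public.key 2>/dev/null &&
    # encrypt, decrypt again, PEM -> DER, PKCS#1 -> PKCS#8 (encrypted and -nocrypt)
    openssl rsa -in rsa_private.key -aes256 -passout "$pw" -out rsa_aes_private.key 2>/dev/null &&
    openssl rsa -in rsa_aes_private.key -passin "$pw" -out rsa_plain_again.key 2>/dev/null &&
    openssl rsa -in rsa_private.key -outform der -out rsa_private.der 2>/dev/null &&
    openssl pkcs8 -topk8 -in rsa_private.key -passout "$pw" -out pkcs8_private.key &&
    openssl pkcs8 -topk8 -nocrypt -in rsa_private.key -out pkcs8_nocrypt.key &&
    # reference fingerprint from the original key; every other file must match it
    ref=$(pubkey_fp rsa_private.key) && [ -n "$ref" ] &&
    [ "$(openssl rsa -pubin -in rsa_public.key -outform der 2>/dev/null \
         | openssl dgst -sha256 | cut -d' ' -f2)" = "$ref" ] &&
    [ "$(pubkey_fp rsa_aes_private.key -passin "$pw")" = "$ref" ] &&
    [ "$(pubkey_fp rsa_plain_again.key)" = "$ref" ] &&
    [ "$(pubkey_fp rsa_private.der -inform der)" = "$ref" ] &&
    [ "$(pubkey_fp pkcs8_private.key -passin "$pw")" = "$ref" ] &&
    [ "$(pubkey_fp pkcs8_nocrypt.key)" = "$ref" ]
  ) || { rm -rf "$work"; return 1; }
  rm -rf "$work"
  echo OK
}

check_key_roundtrip
```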

3. Generate a self-signed certificate


Generate an RSA private key and a self-signed certificate in one step


openssl req -newkey rsa:2048 -nodes -keyout rsa_private.key -x509 -days 365 -out cert.crt


req is the certificate-request subcommand. -newkey rsa:2048 -keyout rsa_private.key generates a new 2048-bit RSA private key (written in PKCS#8 format); -nodes leaves the private key unencrypted, and without it OpenSSL prompts for a password.
-x509 makes req output a self-signed certificate instead of a request, and -days 365 sets the validity period; OpenSSL then prompts for the certificate owner (subject) information.
To supply the subject without prompting, use the -subj option:


openssl req -newkey rsa:2048 -nodes -keyout rsa_private.key -x509 -days 365 -out cert.crt -subj "/C=CN/ST=GD/L=SZ/O=vihoo/OU=dev/CN=vivo.com/emailAddress=yy@vivo.com"


Generate a self-signed certificate from an existing RSA private key


openssl req -new -x509 -days 365 -key rsa_private.key -out cert.crt


-new generates a certificate request; combined with -x509 it outputs a certificate directly. -key specifies the existing private key file, and the remaining options are the same as in the previous command.

4. Generate a signing request and sign it with a CA



Generate a CSR (certificate signing request) from an RSA private key


openssl genrsa -aes256 -passout pass:111111 -out server.key 2048
openssl req -new -key server.key -out server.csr


Enter the key password and then the server certificate information when prompted, or specify everything on the command line:


openssl req -new -key server.key -passin pass:111111 -out server.csr -subj "/C=CN/ST=GD/L=SZ/O=vihoo/OU=dev/CN=vivo.com/emailAddress=yy@vivo.com"


The CSR file generated here can be submitted to a CA for issuance.



View CSR details


cat server.csr
-----BEGIN CERTIFICATE REQUEST-----
Base64 encoded data
-----END CERTIFICATE REQUEST-----

openssl req -noout -text -in server.csr


Sign the request with the CA certificate and CA key to issue an X.509 certificate


openssl x509 -req -days 3650 -in server.csr -CA ca.crt -CAkey ca.key -passin pass:111111 -CAcreateserial -out server.crt


The -CA, -CAkey and -CAcreateserial options (option names are case-sensitive) supply the CA certificate, the CA private key, and create the CA serial-number file if it does not exist yet.

5. Certificate viewing and conversion



View certificate details


openssl x509 -in cert.crt -noout -text


Convert the certificate encoding format (DER to PEM)


openssl x509 -in cert.cer -inform der -outform pem -out cert.pem


Build a PKCS#12 certificate bundle (including the private key)



Convert a PEM certificate and private key to a PKCS#12 bundle


openssl pkcs12 -export -in server.crt -inkey server.key -passin pass:111111 -password pass:111111 -out server.p12


-export tells pkcs12 to create a PKCS#12 file; -inkey specifies the private key file; -passin is the password of the private key (file) and can be omitted for a key generated with -nodes; -password sets the password of the P12 file itself, used for both import and export.



Combine the PEM certificate, private key and CA certificate into a PKCS#12 bundle


openssl pkcs12 -export -in server.crt -inkey server.key -passin pass:111111 -chain -CAfile ca.crt -password pass:111111 -out server-all.p12


-chain adds the certificate chain as well, and -CAfile names the CA certificate, so the exported P12 file contains several certificates. (Optional: -name sets an alias for the server certificate and -caname an alias for the CA certificate.)



Extract PEM files (including the private key) from a PKCS#12 bundle


openssl pkcs12 -in server.p12 -password pass:111111 -passout pass:111111 -out out/server.pem


-password is the password of the P12 file (import/export), and -passout is the password used to encrypt the exported private key (use -nodes for an unencrypted key).
The exported file is in PEM format and contains both the certificate and the private key (PKCS#8):


Bag Attributes
    localKeyID: <key identifier bytes>
subject=/C=CN/ST=GD/L=SZ/O=vihoo/OU=dev/CN=vihoo.com/emailAddress=yy@vihoo.com
issuer=/C=CN/ST=GD/L=SZ/O=viroot/OU=dev/CN=viroot.com/emailAddress=yy@viroot.com
-----BEGIN CERTIFICATE-----
Base64 encoded data
-----END CERTIFICATE-----
Bag Attributes
    localKeyID: <key identifier bytes>
Key Attributes: <No Attributes>
-----BEGIN ENCRYPTED PRIVATE KEY-----
Base64 encoded data
-----END ENCRYPTED PRIVATE KEY-----


Extract the private key only


openssl pkcs12 -in server.p12 -password pass:111111 -passout pass:
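Sections 3 to 5 run end to end, as an added example that is not code from the original article: it creates a CA, a server key and CSR, has the CA sign the request, exports the result into a PKCS#12 bundle with the chain, extracts the pieces again and verifies each step (chain validation, presence of the name in the certificate, and that certificate and key belong together). It assumes a POSIX shell with OpenSSL 1.1.1 or later on PATH; subject names, the password and the file names follow the article. The one addition to the article's signing command is -extfile with a hypothetical v3.ext: `x509 -req` copies no extensions from the CSR, and modern clients reject a server certificate that has no subjectAltName.

```shell
#!/bin/sh
# Added example (not from the original article): CA -> CSR -> CA-signed certificate ->
# PKCS#12 export -> extraction, checking each result the way a deployment would.
# Assumes a POSIX shell with OpenSSL 1.1.1+ on PATH; names and password follow the article.
# v3.ext is a hypothetical extension file; x509 -req takes extensions only from -extfile.

issue_and_verify() {
  pw='pass:111111'
  work=$(mktemp -d) || return 1
  ( cd "$work" &&
    # 1. self-signed CA (section 3), with an encrypted key as in section 2
    openssl req -x509 -newkey rsa:2048 -passout "$pw" -keyout ca.key -days 3650 -out ca.crt \
      -subj "/C=CN/ST=GD/L=SZ/O=viroot/OU=dev/CN=viroot.com" 2>/dev/null &&
    # 2. server key and CSR (section 4)
    openssl genrsa -aes256 -passout "$pw" -out server.key 2048 2>/dev/null &&
    openssl req -new -key server.key -passin "$pw" -out server.csr \
      -subj "/C=CN/ST=GD/L=SZ/O=vihoo/OU=dev/CN=vivo.com" 2>/dev/null &&
    # 3. the CA signs the CSR; the certificate's extensions come from v3.ext, not the CSR
    printf 'subjectAltName=DNS:vivo.com\nbasicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\n' > v3.ext &&
    openssl x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key -passin "$pw" \
      -CAcreateserial -extfile v3.ext -out server.crt 2>/dev/null &&
    # 4. checks: chains to the CA, carries the SAN, and matches the private key
    openssl verify -CAfile ca.crt server.crt >/dev/null 2>&1 &&
    openssl x509 -in server.crt -noout -text | grep -q 'DNS:vivo.com' &&
    [ "$(openssl x509 -in server.crt -noout -pubkey)" = \
      "$(openssl rsa -in server.key -passin "$pw" -pubout 2>/dev/null)" ] &&
    # 5. PKCS#12 with the chain (section 5), then pull the pieces back out and re-check
    openssl pkcs12 -export -in server.crt -inkey server.key -passin "$pw" -chain -CAfile ca.crt \
      -password "$pw" -out server-all.p12 2>/dev/null &&
    openssl pkcs12 -in server-all.p12 -password "$pw" -clcerts -nokeys -out server-cert.pem 2>/dev/null &&
    openssl pkcs12 -in server-all.p12 -password "$pw" -cacerts -nokeys -out ca-from-p12.pem 2>/dev/null &&
    openssl pkcs12 -in server-all.p12 -password "$pw" -nocerts -nodes -out server-key.pem 2>/dev/null &&
    openssl verify -CAfile ca-from-p12.pem server-cert.pem >/dev/null 2>&1 &&
    [ "$(openssl rsa -in server-key.pem -pubout 2>/dev/null)" = \
      "$(openssl x509 -in server-cert.pem -noout -pubkey)" ]
  ) || { rm -rf "$work"; return 1; }
  rm -rf "$work"
  echo OK
}

issue_and_verify
```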
