生成一对新的RSA非对称密钥,2048bits长。 generate an RSA private key
openssl genrsa -out private.key 2048
从私钥中提出公钥。 extract the public key
openssl rsa -in mykey.pem -pubout > my_pubkey.pub
创建自签名证书。create a self-singned certificate
openssl req -config openssl.conf -x509 -sha256 -days 3650 -newkey rsa:4096 -keyout ca.key -out ca.crt
签署CSR。sign the CSR
openssl ca -config openssl.conf -days 375 -notext -in test.csr -out test.crt
检验签书。verify the certificate
openssl verify -CAfile ca.crt test.crt
生成一个CSR。Generate a new private key and CSR(Certificate Signing Request)
openssl req -config openssl.conf -out CSR.csr -nodes -new -newkey rsa:2048 -nodes -keyout private.key
查看一个证书。show the certificate
openssl x509 -noout -text -in test.crt
PEM格式的证书转换为pfx格式的证书
openssl pkcs12 -inkey bob_key.pem -in bob_cert.cert -export -out bob_pfx.pfx
We can extract the private key form a PFX to a PEM file with this command:
openssl pkcs12 -in filename.pfx -nocerts -out key.pem
Exporting the certificate only:
openssl pkcs12 -in filename.pfx -clcerts -nokeys -out cert.pem
Removing the password from the extracted private key:
openssl rsa -in key.pem -out server.key
///////////////////////// openssl.conf /////////////////////////
我用的openssl配置文件
[ ca ]
default_ca = kamus # The default ca section
[ kamus ]
dir = . # top dir
database = $dir/index.txt # index file.
new_certs_dir = $dir/newcerts # new certs dir
certificate = $dir/ca.crt # The CA cert
serial = $dir/serial # serial no file
private_key = $dir/root.key # CA private key
RANDFILE = $dir/.rand # random number file
default_days = 365 # how long to certify for
default_crl_days= 30 # how long before next CRL
default_md = sha256 # md to use
policy = policy_any # default policy
email_in_dn = no # Don't add the email into cert DN
name_opt = ca_default # Subject name display option
cert_opt = ca_default # Certificate display option
copy_extensions = none # Don't copy extensions from request
[ policy_any ]
countryName = optional
stateOrProvinceName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
subjectAltName = supplied
emailAddress = optional
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
string_mask = utf8only
default_md = sha256
[ req_distinguished_name ]
countryName = Country Name(2 letter code)
stateOrProvinceName = State or Province Name
localityName = Locality Name
commonName = Common Name
subjectAltName = SubjectAltName
emailAddress = email