openssl签发证书肘后备急方(cheatsheet)

生成一对新的RSA非对称密钥,2048bits长。 generate an RSA private key

openssl genrsa -out private.key 2048

从私钥中提出公钥。 extract the public key

openssl rsa -in mykey.pem -pubout > my_pubkey.pub

创建自签名证书。create a self-singned certificate

openssl req -config openssl.conf -x509 -sha256 -days 3650 -newkey rsa:4096 -keyout ca.key -out ca.crt

签署CSR。sign the CSR

openssl ca -config openssl.conf -days 375 -notext -in test.csr -out test.crt

检验签书。verify the certificate

openssl verify -CAfile ca.crt test.crt

生成一个CSR。Generate a new private key and CSR(Certificate Signing Request)

openssl req -config openssl.conf -out CSR.csr -nodes -new -newkey rsa:2048 -nodes -keyout private.key

查看一个证书。show the certificate

openssl x509 -noout -text -in test.crt

PEM格式的证书转换为pfx格式的证书

openssl pkcs12 -inkey bob_key.pem -in bob_cert.cert -export -out bob_pfx.pfx

We can extract the private key form a PFX to a PEM file with this command:

openssl pkcs12 -in filename.pfx -nocerts -out key.pem

Exporting the certificate only:

openssl pkcs12 -in filename.pfx -clcerts -nokeys -out cert.pem

Removing the password from the extracted private key:

openssl rsa -in key.pem -out server.key

///////////////////////// openssl.conf /////////////////////////

我用的openssl配置文件

[ ca ]
default_ca = kamus # The default ca section

[ kamus ]
dir = . # top dir
database = $dir/index.txt # index file.
new_certs_dir = $dir/newcerts # new certs dir

certificate = $dir/ca.crt # The CA cert
serial = $dir/serial # serial no file
private_key = $dir/root.key # CA private key
RANDFILE = $dir/.rand # random number file

default_days = 365 # how long to certify for
default_crl_days= 30 # how long before next CRL
default_md = sha256 # md to use

policy = policy_any # default policy
email_in_dn = no # Don't add the email into cert DN

name_opt = ca_default # Subject name display option
cert_opt = ca_default # Certificate display option
copy_extensions = none # Don't copy extensions from request

[ policy_any ]
countryName = optional
stateOrProvinceName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
subjectAltName = supplied
emailAddress = optional

[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
string_mask = utf8only
default_md = sha256

[ req_distinguished_name ]
countryName = Country Name(2 letter code)
stateOrProvinceName = State or Province Name
localityName = Locality Name
commonName = Common Name
subjectAltName = SubjectAltName
emailAddress = email