  • OpenSSL req command

    I. Introduction

    The req command creates and processes certificate requests in PKCS#10 format.

    II. Syntax

    openssl req [-inform PEM|DER] [-outform PEM|DER] [-in filename] [-out filename] [-text] [-pubkey] [-noout] [-verify] [-modulus] [-nodes] [-subject] [-passin arg] [-passout arg] [-key filename] [-keyform PEM|DER] [-keyout filename] [-rand file(s)] [-newkey rsa:bits] [-newkey dsa:file] [-newkey ec:file] [-digest] [-config filename] [-subj arg] [-multivalue-rdn] [-new] [-batch] [-x509] [-days n] [-set_serial n] [-newhdr] [-asn1-kludge] [-no-asn1-kludge] [-extensions section] [-reqexts section] [-utf8] [-nameopt option] [-reqopt option] [-verbose] [-engine id]

    Options

     -inform arg    input format - DER or PEM
     -outform arg   output format - DER or PEM
     -in arg        input file
     -out arg       output file
     -text          text form of request
     -pubkey        output public key
     -noout         do not output REQ
     -verify        verify signature on REQ
     -modulus       RSA modulus
     -nodes         don't encrypt the output key
     -engine e      use engine e, possibly a hardware device
     -subject       output the request's subject
     -passin        private key password source
     -key file      use the private key contained in file
     -keyform arg   key file format
     -keyout arg    file to send the key to
     -rand file:file:...
                    load the file (or the files in the directory) into
                    the random number generator
     -newkey rsa:bits generate a new RSA key of 'bits' in size
     -newkey dsa:file generate a new DSA key, parameters taken from CA in 'file'
     -newkey ec:file generate a new EC key, parameters taken from CA in 'file'
     -[digest]      Digest to sign with (see openssl dgst -h for list)
     -config file   request template file.
     -subj arg      set or modify request subject
     -multivalue-rdn enable support for multivalued RDNs
     -new           new request.
     -batch         do not ask anything during request generation
     -x509          output a x509 structure instead of a cert. req.
     -days          number of days a certificate generated by -x509 is valid for.
     -set_serial    serial number to use for a certificate generated by -x509.
     -newhdr        output "NEW" in the header lines
     -asn1-kludge   Output the 'request' in a format that is wrong but some CA's
                    have been reported as requiring
     -extensions .. specify certificate extension section (override value in config file)
     -reqexts ..    specify request extension section (override value in config file)
     -utf8          input characters are UTF8 (default ASCII)
     -nameopt arg    - various certificate name options
     -reqopt arg    - various request text options

    III. Examples

    1. Generate a certificate request from a private key

    Method 1

    openssl genrsa -des -passout pass:"123456" -out prikey.pem 1024
    openssl req -key prikey.pem -passin pass:"123456" -new -out cerreq.pem

    Method 2

    Interactive

    openssl req -newkey rsa:1024 -keyout prikey.pem -passout pass:"123456" -new -out cerreq.pem

    Non-interactive

    openssl req -newkey rsa:1024 -keyout prikey.pem -passout pass:"123456" -config openssl.cnf -new -out cerreq.pem

    2. Verify the request signature with the private key

    openssl req -verify -key client_prikey.pem -in client_req.csr -passin pass:"123456" -noout

    3. Generate a self-signed root certificate

    openssl req -x509 -newkey rsa:1024 -keyout prikey.pem -passout pass:"123456" -config openssl.cnf -new -out certself.pem

    4. Generate a request with Chinese character support (UTF-8)

    openssl req -newkey rsa:1024 -keyout ca_prikey.key -passout pass:"123456" -new -x509 -utf8 -config openssl_utf8.cnf -out ca_self.pem

    Reference: http://blog.chinaunix.net/uid-7591044-id-1742939.html

    5. Generate a request with extensions
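
The non-interactive request (example 1, method 2) and the signature check (example 2) above, combined with a request extension section passed through -reqexts, as an added shell example that is not part of the original article. The subject values, the v3_req section name and the file layout are assumptions, and the passphrase is read from the KEY_PASS environment variable instead of pass:"...".

```shell
#!/bin/sh
# Added example; all names and values (app.example.test, Example Org, v3_req) are constructed.

# make_csr DIR: write a request template, then create an encrypted 2048-bit RSA
# key and a PKCS#10 request with no prompts. Expects KEY_PASS in the environment.
make_csr() {
    cat > "$1/openssl.cnf" <<'EOF'
[ req ]
prompt             = no
distinguished_name = dn
[ dn ]
C  = CN
O  = Example Org
CN = app.example.test
[ v3_req ]
keyUsage       = critical, digitalSignature, keyEncipherment
subjectAltName = DNS:app.example.test
EOF
    # env: keeps the passphrase off the command line, unlike pass:"...".
    openssl req -new -newkey rsa:2048 -keyout "$1/prikey.pem" \
        -passout env:KEY_PASS -config "$1/openssl.cnf" -reqexts v3_req \
        -out "$1/cerreq.pem" 2>/dev/null
}

# csr_verified FILE [PEM|DER]: succeed only if the request's self-signature
# checks out against the public key embedded in it (no private key needed).
csr_verified() {
    openssl req -verify -noout -inform "${2:-PEM}" -in "$1" 2>&1 |
        grep -q 'verify OK'
}

# csr_has_san FILE NAME: succeed if the requested extensions carry DNS:NAME.
csr_has_san() {
    openssl req -in "$1" -noout -text | grep -q "DNS:$2"
}

# tamper_csr IN OUT: re-encode IN as DER and alter the last signature byte.
tamper_csr() {
    openssl req -in "$1" -outform DER -out "$2.orig"
    last=$(tail -c 1 "$2.orig" | od -An -tu1 | tr -d ' ')
    { head -c $(( $(wc -c < "$2.orig") - 1 )) "$2.orig"
      printf "\\$(printf '%03o' $(( (last + 1) % 256 )))"; } > "$2"
}

work=$(mktemp -d)
KEY_PASS=$(openssl rand -hex 16); export KEY_PASS   # constructed passphrase
make_csr "$work" && tamper_csr "$work/cerreq.pem" "$work/bad.der"
csr_verified "$work/cerreq.pem" && echo "cerreq.pem: self-signature OK"
csr_verified "$work/bad.der" DER || echo "bad.der: rejected"
```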

  • Original article: https://www.cnblogs.com/274914765qq/p/4671962.html