zoukankan      html  css  js  c++  java
  • OpenSSL 命令说明

    Using OpenSSL Utilities


    An openssl command line takes the following form:

    openssl utility arguments 
    

    For example:

    openssl x509 -in OrbixCA -text 
    

    Each command is individually described in this appendix. To get a list of the arguments associated with a particular command, use the -help option as follows:

    openssl utility -help 
    

    For example:

    openssl x509 -help 
    

    The x509 Utility

    In Orbix 2000 SSL/TLS the x509 utility is mainly used for:

    • Printing text details of certificates you wish to examine.

    • Converting certificates to different formats.

    The options supported by the openssl x509 utility are as follows:

    -inform arg

    - input format - default PEM
    (one of DER, NET or PEM)

    -outform arg

    - output format - default PEM
    (one of DER, NET or PEM

    -keyform arg

    - private key format - default PEM

    -CAform arg

    - CA format - default PEM

    -CAkeyform arg

    - CA key format - default PEM

    -in arg

    - input file - default stdin

    -out arg

    - output file - default stdout

    -serial

    - print serial number value

    -hash

    - print serial number value

    -subject

    - print subject DN

    -issuer

    - print issuer DN

    -startdate

    - notBefore field

    -enddate

    - notAfter field

    -dates

    - both Before and After dates

    -modulus

    - print the RSA key modulus

    -fingerprint

    - print the certificate fingerprint

    -noout

    - no certificate output

    -days arg

    - How long till expiry of a signed certificate
    - def 30 days

    -signkey arg

    - self sign cert with arg

    -x509toreq

    - output a certification request object

    -req

    - input is a certificate request, sign and output

    -CA arg

    - set the CA certificate, must be PEM format

    -CAkey arg

    - set the CA key, must be PEM format. If missing it is assumed to be in the CA file

    -CAcreateserial

    - create serial number file if it does not exist

    -CAserial

    - serial file

    -text

    - print the certificate in text form

    -C

    - print out C code forms

    -md2/-md5/-sha1/
    -mdc2

    - digest to do an RSA sign with



    Using the x509 Utility

    To print the text details of an existing PEM-format X.509 certificate, use the x509 utility as follows:

    openssl x509 -in MyCert.pem -inform PEM -text 
    

    To print the text details of an existing DER-format X.509 certificate, use the x509 utility as follows:

    openssl x509 -in MyCert.der -inform DER -text 
    

    To change a certificate from PEM format to DER format, use the x509 utility as follows:

    openssl x509 -in MyCert.pem -inform PEM -outform DER -out MyCert.der 
    

    The req Utility

    The req utility is used to generate a self-signed certificate or a certificate signing request (CSR). A CSR contains details of a certificate to be issued by a CA. When creating a CSR, the req command prompts you for the necessary information from which a certificate request file and an encrypted private key file are produced. The certificate request is then submitted to a CA for signing.

    If the -nodes (no DES) parameter is not supplied to req, you are prompted for a pass phrase which will be used to protect the private key.

    Note:
    It is important to specify a validity period (using the -days parameter). If the certificate expires, applications that are using that certificate will not be authenticated successfully.

    The options supported by the openssl req utility are as follows:

    -inform arg 
    

    input format - one of DER TXT PEM

    -outform 
    
    arg output format - one of DER TXT PEM 
    
    -in arg 
    
    inout file 
    
    -out arg 
    
    output file 
    

    -text

    text form of request

    -noout 
    
    do not output REQ 
    
    -verify 
    
    verify signature on REQ 
    
    -modulus 
    
    RSA modulus 
    

    -nodes

    do not encrypt the output key

    -key file

    use the private key contained in file 
    

    -keyform arg

    key file format 
    

    -keyout arg

    file to send the key to

    -newkey rsa:bits

    generate a new RSA key of `bits' in size 
    

    -newkey dsa:file

    generate a new DSA key, parameters taken from CA in `file'

    -[digest]

    Digest to sign with (md5, sha1, md2, mdc2) 
    

    -config file

    request template file

    -new

    new request

    -x509

    output an x509 structure instead of a certificate req. (Used for creating self signed certificates)

    -days

    number of days an x509 generated by -x509 is valid for

    -asn1-kludge

    Output the `request' in a format that is wrong but some CA's have been reported as requiring [It is now always turned on but can be turned off with -no-asn1-kludge] 
    


    Using the req Utility

    To create a self-signed certificate with an expiry date a year from now, the req utility can be used as follows to create the certificate CA_cert.pem and the corresponding encrypted private key file CA_pk.pem:

    openssl req -config ssl_conf_path_name -days 365  
    -out CA_cert.pem -new -x509 -keyout CA_pk.pem 
    

    This following command creates the certificate request MyReq.pem and the corresponding encrypted private key file MyEncryptedKey.pem:

    openssl req -config ssl_conf_path_name -days 365 
    -out MyReq.pem -new -keyout MyEncryptedKey.pem 
    

    The rsa Utility

    The rsa command is a useful utility for examining and modifying RSA private key files. Generally RSA keys are stored encrypted with a symmetric algorithm using a user-supplied pass phrase. The OpenSSL req command prompts the user for a pass phrase in order to encrypt the private key. By default, req uses the triple DES algorithm. The rsa command can be used to change the password that protects the private key and to convert the format of the private key. Any rsa command that involves reading an encrypted rsa private key will prompt for the PEM pass phrase used to encrypt it.

    The options supported by the openssl rsa utility are as follows:

    -inform arg

    input format - one of DER NET PEM

    -outform arg

    output format - one of DER NET PEM

    -in arg

    inout file

    -out arg

    output file

    -des

    encrypt PEM output with cbc des

    -des3

    encrypt PEM output with ede cbc des using 168 bit key

    -text

    print the key in text

    -noout

    do not print key out

    -modulus

    print the RSA key modulus



    Using the rsa Utility

    Converting a private key to PEM format from DER format involves using the rsa utility as follows:

    openssl rsa -inform DER -in MyKey.der -outform PEM -out MyKey.pem 
    

    Changing the pass phrase which is used to encrypt the private key involves using the rsa utility as follows:

    openssl rsa -inform PEM -in MyKey.pem -outform PEM -out MyKey.pem -des3 
    

    Removing encryption from the private key (which is not recommended) involves using the rsa command utility as follows:

    openssl rsa -inform PEM -in MyKey.pem -outform PEM -out MyKey2.pem 
    

    Note:
    Do not specify the same file for the -in and -out parameters, because this can corrupt the file.

    The ca Utility

    You can use the ca utility create X.509 certificates by signing existing signing requests. It is imperative that you check the details of a certificate request before signing. Your organization should have a policy with respect to the issuing of certificates. Before implementing CAs, refer to Managing Certificates for more information.

    The ca utility is used to sign certificate requests thereby creating a valid X.509 certificate which can be returned to the request submitter. It can also be used to generate Certificate Revocation Lists (CRLS). For information on the ca -policy and -name options, refer to "The OpenSSL Configuration File" on page?117.

    To create a new CA using the openssl ca utility, two files (serial and index.txt) need to be created in the location specified by the openssl configuration file that you are using.

    The options supported by the openssl ca utility are as follows:

    -verbose

    - Talk alot while doing things

    -config file

    - A config file

    -name arg

    - The particular CA definition to use

    -gencrl

    - Generate a new CRL

    -crldays days

    - Days is when the next CRL is due

    -crlhours hours

    - Hours is when the next CRL is due

    -days arg

    - number of days to certify the certificate for

    -md arg

    - md to use, one of md2, md5, sha or sha1

    -policy arg

    - The CA `policy' to support

    -keyfile arg

    - PEM private key file

    -key arg

    - key to decode the private key if it is encrypted

    -cert

    - The CA certificate

    -in file

    - The input PEM encoded certificate request(s)

    -out file

    - Where to put the output file(s)

    -outdir dir

    - Where to put output certificates 
    

    -infiles....

    - The last argument, requests to process

    -spkac file

    - File contains DN and signed public key and challenge

    -preserveDN

    - Do not re-order the DN

    -batch

    - Do not ask questions

    -msie_hack

    - msie modifications to handle all thos universal strings 
    


    Note:
    Most of the above parameters have default values as defined in openssl.cnf.

    Using the ca Utility

    Converting a private key to PEM format from DER format involves using the ca utility as shown in the following example. To sign the supplied CSR MyReq.pem to be valid for 365 days and create a new X.509 certificate in PEM format, use the ca utility as follows:

    openssl ca -config ssl_conf_path_name -days 365 
    -in MyReq.pem -out MyNewCert.pem 
    
  • 相关阅读:
    2015 多校联赛 ——HDU5389(dp)
    spring MVC配置详解
    面试题整理11
    面试题整理09
    Spring和SpringMVC的区别
    SpringMVC01
    js中typeof与instanceof用法小记
    Java 可变参数
    log4j文件的配置
    Hibernate 分组查询 子查询 原生SQL
  • 原文地址:https://www.cnblogs.com/kungfupanda/p/2308693.html
Copyright © 2011-2022 走看看