openssl req 证书请求及自签名证书

介绍

openssl req 用于生成证书请求，以让第三方权威机构CA来签发，生成我们需要的证书。req 命令也可以调用x509命令，以进行格式转换及显示证书文件中的text，modulus等信息。如果你还没有密钥对，req命令可以一统帮你生成密钥对和证书请求，也可以指定是否对私钥文件进行加密。

语法

openssl req[-inform PEM|DER] [-outform PEM|DER] [-in filename] [-passin arg] [-out filename] [-passout arg] [-text] [-pubkey] [-noout] [-verify] [-modulus] [-new] [-rand file(s)] [-newkey rsa:bits] [-newkey alg:file] [-nodes] [-key filename] [-keyform PEM|DER] [-keyout filename] [-keygen_engine id] [-[digest]] [-config filename] [-subj arg] [-multivalue-rdn] [-x509] [-days n] [-set_serial n] [-asn1-kludge] [-no-asn1-kludge] [-newhdr] [-extensions section] [-reqexts section] [-utf8] [-nameopt] [-reqopt] [-subject] [-subj arg] [-batch] [-verbose] [-engine id]

-new

这个选项用于生成一个新的证书请求，并提示用户输入个人信息。如果没有指定-key 则会先生成一个私钥文件，再生成证书请求。

E:OpenSSLfoo>openssl req -new -key rsa_pri_nopw.pem -out crs.pem
Loading 'screen' into random state - done
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:HeBei
Locality Name (eg, city) []:SJZ
Organization Name (eg, company) [Internet Widgits Pty Ltd]:CCIT
Organizational Unit Name (eg, section) []:CCIT
Common Name (eg, YOUR name) []:fym
Email Address []:fym0121@163.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
E:OpenSSLfoo>ls
crs.pem
rsa_pri_nopw.pem

没有指定-key选项时，会生成私钥文件，默认是有密码保护的，-nodes（no des），可以明确指定不需要密码保护。-keyout可以指定生成的私钥文件名，-pubout可以指定生成的公钥文件名

openssl req -new -out crs.pem
openssl req -new -out crs.pem -nodes

-subj   替换或指定证书申请者的个人信息

格式是：/type0=value0/type1=value1/type2=...（其中C是Country，ST是state，L是local，O是Organization，OU是Organization Unit，CN是common name）

E:OpenSSLfoo>openssl req -new -key rsa_pri_nopw.pem -out crs.pem -subj /C=CN/S
T=HB/L=SJZ/O=CCIT/OU=CCIT/CN=fym/emailAddress=fym0121@163.com
Loading 'screen' into random state - done

-newkey arg     生成私钥和证书请求，类似与-new

arg的格式是rsa:nbit  ，还有几个格式，我只能看懂这个

openssl req -newkey rsa:1024 -out crs.pem

-xf09 生成自签名证书

openssl req -newkey rsa:1024 -x509 -nodes -out selfsing.pem

-config 指定配置文件，参见config

产生自签名的root CA

1、建立目录结构(参加ca directory structure)

假设当前工作目录为E:OpenSSLfoo，在此目录下建立以下目录结构

E:OpenSSLfoo>mkdir demoCA
E:OpenSSLfoo>mkdir demoCAprivate demoCA
ewcerts

在demoCA目录下建立两个空文件，serial和index.txt，并向serial文件中写入"01"两个字符

2、产生自签名证书，作为root ca使用

E:OpenSSLfoo>openssl req -new -x509 -keyout cakey.pem -out cacert.pem

提示输入密码保护私钥，和自签名root ca的信息。生成两个文件，将cakey.pem放到demoCAprivate目录下，将cacert.pem放到demoCA目录下。

E:OpenSSLfoo>move cacert.pem demoCA
E:OpenSSLfoo>move cakey.pem demoCAprivate

至此，root ca已经建立完毕。

证书请求及签名

1、生成请求

E:OpenSSLfoo>openssl req -new -nodes -out req.pem

提示输入个人信息，最后生成req.pem证书请求文件。

2、签名，生成证书

E:OpenSSLfoo>openssl ca -in req.pem -out newcert.pem
Using configuration from e:OpenSSLinopenssl.cfg
Loading 'screen' into random state - done
Enter pass phrase for ./demoCA/private/cakey.pem:
Check that the request matches the signature
Signature ok