目录

1、实例

2、帮助命令

3、常用命令

1、实例

----------------------------pem格式的证书-------------

1、CA的私钥,自签名证书 

	openssl genrsa -out ca-key.pem -aes128 2048

	openssl req -new -x509 -key ca-key.pem -out ca-cert.pem  -days 1000

	牢记下面三个属性值,生成csr.pem时需要保持一致:

		Country Name,State or Province Name,Organization Name



2、server端的私钥,证书请求,证书

	openssl genrsa -out server-key.pem -aes128 2048

	openssl req -new -key server-key.pem -out server-csr.pem

 	openssl ca -in server-csr.pem -cert ca-cert.pem -keyfile ca-key.pem -out server-cert.pem -days 365

 	如果发生以下错误:

		"I am unable to access the ../../CA/newcerts directory ../../CA/newcerts: No such file or directory"

	只需要:

		# create directory

		    $ mkdir ../../CA

	    	$ mkdir ../../CA/newcerts

	    # create empty file :

	    $ vi ../../CA/index.txt

	    # create file and input 01 (the content is 01) :

	    $ vi ../../CA/serial

	    

3、client端的私钥,证书请求,证书

	openssl genrsa -out client-key.pem -aes128 2048

	openssl req -new -key client-key.pem -out client-csr.pem

	openssl ca -in client-csr.pem -cert ca-cert.pem -keyfile ca-key.pem -out client-cert.pem -days 365



----------------------------p12格式的证书------------- 

openssl pkcs12 -export -in client-cert.pem -inkey client-key.pem -out client-cert.p12



----------------------------jks格式的证书-------------  

keytool -genkeypair -keyalg RSA -alias client -keystore client.jks



# 删除PrivateKeyEntry

keytool -delete -alias client -keystore client.jks



# check keystore

#keytool -list -v -keystore client.jks  



# covert format,否则不能把private-key导入到jks

openssl pkcs8 -in client-key.pem -inform pem -out client-key.pk8 -outform der -topk8 -nocrypt



# 需要下载pkeytool.jar到当前目录

# import client-key.pk8,client-cert.pem

java -jar pkeytool.jar -importkey -keyfile client-key.pk8 -certfile client-cert.pem -alias myclient -keystore client.jks



# import ca-cert

keytool -importcert -v -trustcacerts -file ca-cert.pem -alias myCA -keystore client.jks

2、帮助命令____________________________________________________________

openssl --help

openssl x509 --help

3、常用命令

1、生成普通私钥:

openssl genrsa -out ca-key.pem 1024

 

2、生成带加密口令的密钥:

openssl genrsa -des3 -out ca-key.pem 1024

 

3、去除密钥的口令:

openssl rsa -in ca-key.pem -out ca-key.pem

 

4、通过生成的私钥去生成证书:

openssl req -new -x509 -key ca-key.pem -out ca-cert.pem -days 1095     

 

5、通过私钥生成公钥:

openssl rsa -in ca-key.pem -pubout -out pub-key.pem

 

6、格式转换:(证书、私钥、公钥)(PEM DER)

openssl x509 -in ca-cert.pem -inform PEM -out ca-cert.der -outform DER

openssl rsa -in ca-key.pem -inform PEM -out ca-key.der -outform DER

openssl rsa -pubin -in pub-key.pem -inform PEM -pubout -out pub-key.der -outform DER

 

7、合并成pfx证书(p12):

openssl pkcs12 -export -in server-cert.pem -out server.p12 -inkey server-key.pem



8、p12证书文本化:

openssl pkcs12 -in server.p12 -out server.txt

 

9、屏幕模式显式:(证书、私钥、公钥)

openssl x509 -in ca-cert.pem -noout -text -modulus

openssl rsa -in ca-key.pem -noout -text -modulus

openssl rsa -in pub-key.pem -noout -text -modulus