思享工具箱

Openssl x509命令

摘要:
1、 简介x509指令是一个功能丰富的证书处理工具。

一、简介

x509指令是一个功能很丰富的证书处理工具。可以用来显示证书的内容,转换其格式,给CSR签名等

二、语法

openssl  x509 [-inform DER|PEM|NET] [-outform DER|PEM|NET] [-keyform DER|PEM] [-CAform DER|PEM] 
[-CAkeyform DER|PEM] [-in filename] [-out filename] [-passin arg] [-serial] [-hash] [-subject_hash] 
[-subject_hash_old] [-issuer_hash] [-issuer_hash_old] [-subject] [-issuer] [-nameopt option] [-email] 
[-ocspid] [-ocsp_uri] [-startdate] [-enddate] [-dates] [-purpose] [-modulus] [-fingerprint] [-alias] [-noout] 
[-trustout] [-clrtrust] [-clrreject] [-addtrust arg] [-addreject arg] [-setalias arg] [-days arg] [-checkend arg] 
[-set_serial n] [-signkey filename] [-x509toreq] [-req] [-CA filename] [-CAkey filename] [-CAcreateserial] 
[-CAserial filename] [-certopt] [-text] [-C] [-md2|-md5|-sha1|-mdc2] [-clrext] [-extfile filename] 
[-extensions section] [-engine id]

选项

 -inform arg     - input format - default PEM (one of DER, NET or PEM)
 -outform arg    - output format - default PEM (one of DER, NET or PEM)
 -keyform arg    - private key format - default PEM
 -CAform arg     - CA format - default PEM
 -CAkeyform arg  - CA key format - default PEM
 -in arg         - input file - default stdin
 -out arg        - output file - default stdout
 -passin arg     - private key password source
 -serial         - print serial number value
 -subject_hash   - print subject hash value
 -subject_hash_old   - print old-style (MD5) subject hash value
 -issuer_hash    - print issuer hash value
 -issuer_hash_old    - print old-style (MD5) issuer hash value
 -hash           - synonym for -subject_hash
 -subject        - print subject DN
 -issuer         - print issuer DN
 -email          - print email address(es)
 -startdate      - notBefore field
 -enddate        - notAfter field
 -purpose        - print out certificate purposes
 -dates          - both Before and After dates
 -modulus        - print the RSA key modulus
 -pubkey         - output the public key
 -fingerprint    - print the certificate fingerprint
 -alias          - output certificate alias
 -noout          - no certificate output
 -ocspid         - print OCSP hash values for the subject name and public key
 -ocsp_uri       - print OCSP Responder URL(s)
 -trustout       - output a "trusted" certificate
 -clrtrust       - clear all trusted purposes
 -clrreject      - clear all rejected purposes
 -addtrust arg   - trust certificate for a given purpose
 -addreject arg  - reject certificate for a given purpose
 -setalias arg   - set certificate alias
 -days arg       - How long till expiry of a signed certificate - def 30 days
 -checkend arg   - check whether the cert expires in the next arg seconds
                   exit 1 if so, 0 if not
 -signkey arg    - self sign cert with arg
 -x509toreq      - output a certification request object
 -req            - input is a certificate request, sign and output.
 -CA arg         - set the CA certificate, must be PEM format.
 -CAkey arg      - set the CA key, must be PEM format
                   missing, it is assumed to be in the CA file.
 -CAcreateserial - create serial number file if it does not exist
 -CAserial arg   - serial file
 -set_serial     - serial number to use
 -text           - print the certificate in text form
 -C              - print out C code forms
 -<dgst>         - digest to use, see openssl dgst -h output for list
 -extfile        - configuration file with X509V3 extensions to add
 -extensions     - section from config file with X509V3 extensions to add
 -clrext         - delete extensions before signing and input certificate
 -nameopt arg    - various certificate name options
 -engine e       - use engine e, possibly a hardware device.
 -certopt arg    - various certificate text options

三、实例

1、生成自签名证书

openssl req -x509 -newkey rsa:1024 -keyout prikey.pem -passout pass:"123456" -new -out certself.pem

2、签发证书

签发v1格式证书

openssl x509 -req -in client_req.csr -CA certself.pem -CAkey prikey.pem  -out client_cert.pem -CAcreateserial -days 365 -passin pass:"123456"

签发v3格式证书

http://blog.csdn.net/wangsifu2009/article/details/6578069
openssl x509 -sha1 -req -in users.csr -CA caself.pem -CAkey cakey.pem -CAcreateserial -out users.pem -days 3650 -passin pass:11111111 -extfile /usr/share/ssl/openssl.cnf –extensions v3_req

3、查看证书内容

openssl x509 -in cert.pem –noout -text
openssl x509 -in cert.pem –noout –srial
openssl x509 -in cert.pem –noout –subject
openssl x509 -in cert.pem –noout –issuer
openssl x509 -in cert.pem –noout –dates
openssl x509 -in cert.pem –noout –pubkey

image

4、从证书中提取证书请求文件

openssl x509 -x509toreq -in certself.pem -out req.pem -signkey prikey.pem -passin pass:"123456"

image

5、从证书中提取公钥

openssl x509 -in certself.pem -pubkey -noout > pubkey2.pem

image

参考:http://blog.csdn.net/as3luyuan123/article/details/16873093

浏览:1103 | 发布日期:

免责声明:文章转载自《Openssl x509命令》仅用于学习参考。如对内容有疑问,请及时联系本站处理。

上篇笔试题之springboot22个开源的PHP框架下篇

宿迁高防,2C2G15M,22元/月;香港BGP,2C5G5M,25元/月 雨云优惠码:MjYwNzM=

随便看看

win10局域网共享报错:不允许一个用户使用一个以上用户名与服务器或共享资源的多重连接

计算机A:共享者(本地文件库);共享访客(工作计算机);计算机A打开另一个帐户-aaa,密码-aaa123。开始文件共享后,计算机B单击网络,发现计算机A已连接。输入帐户密码后,将弹出以下错误。不允许用户使用多个用户名多次连接到服务器或共享资源:断开与此服务器或共享的资源的所有连接。在此链接之前:存在现有连接,或者在建立连接时,现有网络环境已更改,导致帐户被...

thinkphp3.2配置redis缓存和文件缓存

如果您将一些常用但不易更改的数据存储在缓存中,而不是每次检查数据库,则可以大大减轻数据库的压力。最近,由于项目的需要,您尝试了Redis,但后来使用tp3.2文件缓存直接进入主题:在config中添加以下代码。php:“DATA_CACHE_PREFIX”=˃“tp”,//缓存前缀“DATA_CCACHE_TYPE”=˃“Redis”,//高速缓存类型“Re...

狼人杀规则

自爆后,所有演讲立即暂停,进入夜间。自爆后的那晚,狼人可以指着那把刀。预言家只能验证某个玩家是否是狼人,除狼人是否是狼人之外的所有信息都无法验证。如果先知测试丘比特,法官不必担心丘比特是哪一个阵营,只会展示好人的手势。...

一分钟制作U盘版BT3

一分钟生产BT3U磁盘版本方便、快捷、简单、无效且不可退款。BT3磁盘版本,大约694MB,可以直接烧录,然后用CD引导进入BT3。连接如下:http://ftp.heanet.ie/mirrors/backtrack/bt3-final.isoU磁盘版本Bt3,约783MB,连接为:http://cesium.di.uminho.pt/pub/backtr...

tomcat不打印日志的原因及解决办法

tomcat的日志在刚启动的时候可以正常打印,系统正常运行几天以后就会出现不打印日志或者日志打印的内容缺少的情况,但是系统还是可以正常使用的,重启tomcat以后日志打印就又正常了,请问一下这是什么原因呢?日志框架使用的是log4j,使用了日志按天分割,每天的日志量是5G左右1.下载日志jar包,例如:commons-logging-1.1.1.jar。放在...

TensorRT在ubuntu18.04的安装

安装TensorRT前需要安装Cuda和cudnn,安装步骤可以参考ubuntu安装cuda和cudnn。...

最新文章

随机推荐

思享工具箱导航