• Openssl x509命令


    一、简介

    x509指令是一个功能很丰富的证书处理工具。可以用来显示证书的内容,转换其格式,给CSR签名等

    二、语法

    openssl  x509 [-inform DER|PEM|NET] [-outform DER|PEM|NET] [-keyform DER|PEM] [-CAform DER|PEM] 
    [-CAkeyform DER|PEM] [-in filename] [-out filename] [-passin arg] [-serial] [-hash] [-subject_hash] 
    [-subject_hash_old] [-issuer_hash] [-issuer_hash_old] [-subject] [-issuer] [-nameopt option] [-email] 
    [-ocspid] [-ocsp_uri] [-startdate] [-enddate] [-dates] [-purpose] [-modulus] [-fingerprint] [-alias] [-noout] 
    [-trustout] [-clrtrust] [-clrreject] [-addtrust arg] [-addreject arg] [-setalias arg] [-days arg] [-checkend arg] 
    [-set_serial n] [-signkey filename] [-x509toreq] [-req] [-CA filename] [-CAkey filename] [-CAcreateserial] 
    [-CAserial filename] [-certopt] [-text] [-C] [-md2|-md5|-sha1|-mdc2] [-clrext] [-extfile filename] 
    [-extensions section] [-engine id]

    选项

     -inform arg     - input format - default PEM (one of DER, NET or PEM)
     -outform arg    - output format - default PEM (one of DER, NET or PEM)
     -keyform arg    - private key format - default PEM
     -CAform arg     - CA format - default PEM
     -CAkeyform arg  - CA key format - default PEM
     -in arg         - input file - default stdin
     -out arg        - output file - default stdout
     -passin arg     - private key password source
     -serial         - print serial number value
     -subject_hash   - print subject hash value
     -subject_hash_old   - print old-style (MD5) subject hash value
     -issuer_hash    - print issuer hash value
     -issuer_hash_old    - print old-style (MD5) issuer hash value
     -hash           - synonym for -subject_hash
     -subject        - print subject DN
     -issuer         - print issuer DN
     -email          - print email address(es)
     -startdate      - notBefore field
     -enddate        - notAfter field
     -purpose        - print out certificate purposes
     -dates          - both Before and After dates
     -modulus        - print the RSA key modulus
     -pubkey         - output the public key
     -fingerprint    - print the certificate fingerprint
     -alias          - output certificate alias
     -noout          - no certificate output
     -ocspid         - print OCSP hash values for the subject name and public key
     -ocsp_uri       - print OCSP Responder URL(s)
     -trustout       - output a "trusted" certificate
     -clrtrust       - clear all trusted purposes
     -clrreject      - clear all rejected purposes
     -addtrust arg   - trust certificate for a given purpose
     -addreject arg  - reject certificate for a given purpose
     -setalias arg   - set certificate alias
     -days arg       - How long till expiry of a signed certificate - def 30 days
     -checkend arg   - check whether the cert expires in the next arg seconds
                       exit 1 if so, 0 if not
     -signkey arg    - self sign cert with arg
     -x509toreq      - output a certification request object
     -req            - input is a certificate request, sign and output.
     -CA arg         - set the CA certificate, must be PEM format.
     -CAkey arg      - set the CA key, must be PEM format
                       missing, it is assumed to be in the CA file.
     -CAcreateserial - create serial number file if it does not exist
     -CAserial arg   - serial file
     -set_serial     - serial number to use
     -text           - print the certificate in text form
     -C              - print out C code forms
     -<dgst>         - digest to use, see openssl dgst -h output for list
     -extfile        - configuration file with X509V3 extensions to add
     -extensions     - section from config file with X509V3 extensions to add
     -clrext         - delete extensions before signing and input certificate
     -nameopt arg    - various certificate name options
     -engine e       - use engine e, possibly a hardware device.
     -certopt arg    - various certificate text options

    三、实例

    1、生成自签名证书

    openssl req -x509 -newkey rsa:1024 -keyout prikey.pem -passout pass:"123456" -new -out certself.pem

    2、签发证书

    签发v1格式证书

    openssl x509 -req -in client_req.csr -CA certself.pem -CAkey prikey.pem  -out client_cert.pem -CAcreateserial -days 365 -passin pass:"123456"

    签发v3格式证书

    openssl x509 -sha1 -req -in users.csr -CA caself.pem -CAkey cakey.pem -CAcreateserial -out users.pem -days 3650 -passin pass:11111111 -extfile /usr/share/ssl/openssl.cnf –extensions v3_req

    3、查看证书内容

    openssl x509 -in cert.pem –noout -text
    openssl x509 -in cert.pem –noout –srial
    openssl x509 -in cert.pem –noout –subject
    openssl x509 -in cert.pem –noout –issuer
    openssl x509 -in cert.pem –noout –dates
    openssl x509 -in cert.pem –noout –pubkey

    image

    4、从证书中提取证书请求文件

    openssl x509 -x509toreq -in certself.pem -out req.pem -signkey prikey.pem -passin pass:"123456"

    image

    5、从证书中提取公钥

    openssl x509 -in certself.pem -pubkey -noout > pubkey2.pem

    image

  • 相关阅读:
    [spring]AOP(切面)编程
    [spring]基于注解的spring配置
    [redis]redis五种数据类型和应用场景
    [redis]redis实现分页的方法
    [zookeeper]ZooInspector的使用
    [log4j]SLF4J+log4j的使用
    [zookeeper]依赖jar的问题
    导出word功能,用html代码在word中插入分页符
    jq实现千分位的转换
    oracle 创建表空间及oracle 11g表空间之最大最小
  • 原文地址:https://www.cnblogs.com/274914765qq/p/4672108.html
Copyright © 2020-2023  润新知