2025-04-06 Update From: SLTechnology News&Howtos shulou
Shulou(Shulou.com)06/02 Report--
What are the commonly used OpenSSL commands? Many people new to OpenSSL are unsure how to go about everyday certificate tasks, so this article collects the commands that come up most often. I hope it helps you work through these tasks.
OpenSSL is an extremely powerful command-line tool that can be used to accomplish many tasks related to public key infrastructure (PKI) and HTTPS. This quick-reference guide collects commonly used OpenSSL commands, such as generating private keys, generating certificate signing requests, and converting certificate formats.
Preface: about Certificate signing request (CSR)
If you want to obtain an SSL certificate from a certificate authority (CA), you first need to create a certificate signing request (CSR). The main content of a CSR is the public key of the key pair, together with some additional information that is inserted into the certificate when it is signed.
When using openssl to generate a CSR, you need to enter the certificate's Distinguished Name (DN) information. One part of the DN is the Common Name (CN), which should be the fully qualified domain name (FQDN) of the host on which you intend to deploy the certificate.
The other entries in the DN provide additional information about your organization. If you are purchasing an SSL certificate from a certificate authority, these additional fields, such as Organization, are usually required so that the certificate accurately reflects your organization's details.
Here's what the CSR prompt looks like:
Country Name (2 letter code) [AU]: US
State or Province Name (full name) [Some-State]: New York
Locality Name (eg, city) []: Brooklyn
Organization Name (eg, company) [Internet Widgits Pty Ltd]: Example Brooklyn Company
Organizational Unit Name (eg, section) []: Technology Division
Common Name (e.g. Server FQDN or YOUR name) []: examplebrooklyn.com
Email Address []:
You can also supply the information required for the CSR non-interactively: any OpenSSL command that requires CSR information accepts the -subj option. For example:
-subj "/C=US/ST=New York/L=Brooklyn/O=Example Brooklyn Company/CN=examplebrooklyn.com"

1. Generate a certificate signing request
This section covers the OpenSSL commands related to generating CSRs (and private keys). A CSR can be used to request an SSL certificate from a certificate authority.
Remember, you can enter the CSR information interactively, or use the -subj option to supply the same information non-interactively.
1.1 Generate a private key and CSR
If you want to secure your web server with HTTPS, you will apply for a certificate from a certificate authority. The CSR generated here can be sent to the CA so that it can issue a signed SSL certificate.
The following command creates a 2048-bit private key (domain.key) and a CSR (domain.csr):
openssl req -newkey rsa:2048 -nodes -keyout domain.key -out domain.csr
Here you need to enter the CSR information interactively to complete the process.
The -newkey rsa:2048 option specifies that a 2048-bit private key is generated with the RSA algorithm. The -nodes option indicates that the private key is not encrypted with a passphrase. The -new option is implied, indicating that a CSR is to be generated.
1.2 Generate a CSR using an existing private key
If you already have a private key, you can use it directly to request a certificate from the CA.
The following command creates a new CSR (domain.csr) using an existing private key (domain.key):
openssl req -key domain.key -new -out domain.csr
The -key option specifies the existing private key file, and the -new option indicates that we want to generate a CSR.
1.3 Generate a CSR using an existing certificate and private key
If you need to renew an existing certificate but neither you nor the CA still has the original CSR, you can regenerate the CSR from the certificate.
For example, the following command creates a new CSR using the existing certificate (domain.crt) and private key (domain.key):
openssl x509 -in domain.crt -signkey domain.key -x509toreq -out domain.csr
The -x509toreq option indicates that the CSR is to be built from the X.509 certificate.
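As an added example that is not part of the original article, here is the non-interactive form of the section 1.1 command, assuming openssl is on PATH and a writable work directory is passed as the first argument; it goes beyond the page by supplying the DN from a config file together with a subjectAltName, which -subj alone cannot express, and then checks the resulting CSR.

```shell
#!/bin/sh
# Added example, not from the original article. Assumes: openssl on PATH and
# a writable work directory passed as $1. Builds the section 1.1 key + CSR
# without prompts, adding a subjectAltName (which -subj cannot carry).
set -e

make_csr() {
  dir="$1"
  # req config: the DN from the article's -subj example plus a SAN extension.
  cat > "$dir/csr.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
req_extensions = v3_req
[dn]
C = US
ST = New York
L = Brooklyn
O = Example Brooklyn Company
CN = examplebrooklyn.com
[v3_req]
subjectAltName = DNS:examplebrooklyn.com, DNS:www.examplebrooklyn.com
EOF
  # Same as 1.1, with -config replacing the interactive prompts.
  openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/domain.key" \
    -config "$dir/csr.cnf" -out "$dir/domain.csr" 2>/dev/null
  # -verify checks the CSR's self-signature with the public key it carries.
  openssl req -in "$dir/domain.csr" -noout -verify >/dev/null 2>&1
}

# Common Name from the CSR subject (handles both old and new subject formats).
csr_cn() {
  openssl req -in "$1" -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# Requested SANs, as one comma-separated DNS: list.
csr_sans() {
  openssl req -in "$1" -noout -text | sed -n 's/^ *DNS:/DNS:/p' | tr -d ' '
}

if [ -n "${1:-}" ]; then
  make_csr "$1"
  echo "CN:   $(csr_cn "$1/domain.csr")"
  echo "SANs: $(csr_sans "$1/domain.csr")"
fi
```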
2. Generate SSL certificates
If you just want to secure your web server with an SSL certificate but don't need a CA-signed one, a simple option is to sign the certificate yourself.
A common type you can sign is a self-signed certificate, that is, a certificate issued with your own private key. Self-signed certificates can be used to encrypt data just like certificates issued by a CA, but your users will see a warning that the certificate is not trusted by their computer or browser. Therefore, self-signed certificates should only be used when there is no need to prove your identity to users, such as in a non-production environment or for a non-public service.
This section covers the OpenSSL commands related to generating self-signed certificates.
2.1 Generate a self-signed certificate
If you need to secure a server with HTTPS but don't need a CA-issued certificate, you can use a self-signed certificate.
The following command creates a 2048-bit private key (domain.key) and a self-signed certificate (domain.crt):
openssl req -newkey rsa:2048 -nodes -keyout domain.key -x509 -days 365 -out domain.crt
The -x509 option indicates that we want to create a self-signed certificate, and the -days option sets the certificate's validity to 365 days. While the command runs, a temporary CSR is created to collect the certificate's CSR information.
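The following added example (not from the original article) uses a self-signed certificate of exactly this kind as a private root CA: it issues a server certificate from a CSR with -CA/-CAkey instead of -signkey, then checks the chain with openssl verify. It assumes openssl is on PATH and a writable work directory is passed as the first argument; the CA name is a constructed placeholder.

```shell
#!/bin/sh
# Added example, not from the original article. Assumes: openssl on PATH and a
# writable work directory passed as $1. A self-signed certificate (as in 2.1)
# becomes a private root CA that signs a server CSR; the chain is then verified.
set -e

build_ca_and_issue() {
  dir="$1"
  # Root certificate: self-signed, the 2.1 command with a fixed (constructed) subject.
  openssl req -newkey rsa:2048 -nodes -keyout "$dir/ca.key" -x509 -days 365 \
    -subj "/CN=Example Private Root CA" -out "$dir/ca.crt" 2>/dev/null
  # Server key and CSR, as in section 1.1.
  openssl req -newkey rsa:2048 -nodes -keyout "$dir/domain.key" \
    -subj "/C=US/ST=New York/L=Brooklyn/O=Example Brooklyn Company/CN=examplebrooklyn.com" \
    -out "$dir/domain.csr" 2>/dev/null
  # Issue: like 'x509 -req -signkey', but signed with the CA key instead of the
  # CSR's own key, so the result chains to ca.crt rather than to itself.
  openssl x509 -req -in "$dir/domain.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 90 -out "$dir/domain.crt" 2>/dev/null
}

# Exit 0 if certificate $1 chains to a root in $2 (wraps 'openssl verify').
chains_to() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Issuer Common Name of certificate $1.
issuer_cn() {
  openssl x509 -in "$1" -noout -issuer | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

if [ -n "${1:-}" ]; then
  build_ca_and_issue "$1"
  echo "issuer: $(issuer_cn "$1/domain.crt")"
  chains_to "$1/domain.crt" "$1/ca.crt" && echo "domain.crt chains to ca.crt"
  chains_to "$1/domain.crt" "$1/domain.crt" || echo "domain.crt alone does not verify"
fi
```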
2.2 Generate a self-signed certificate using an existing private key
You can also use an existing private key to generate a self-signed certificate. For example, the following command generates a self-signed certificate (domain.crt) using the existing private key (domain.key):
openssl req -key domain.key -new -x509 -days 365 -out domain.crt
The -new option starts the prompts that collect the CSR information.
2.3 Generate a self-signed certificate using an existing private key and CSR
The third way is to use an existing private key and CSR to generate a self-signed certificate. For example, the following command creates a self-signed certificate (domain.crt) using the private key (domain.key) and CSR (domain.csr):
openssl x509 -signkey domain.key -in domain.csr -req -days 365 -out domain.crt

3. View certificates
Certificates and CSR files are PEM-encoded and not meant to be read directly. This section covers the OpenSSL commands for viewing PEM-encoded files.
3.1 View CSR entries
The following command displays the CSR as text and verifies its signature:
openssl req -text -noout -verify -in domain.csr
3.2 View certificate entries
The following command displays the certificate as text:
openssl x509 -text -noout -in domain.crt
3.3 Verify that a certificate is issued by a CA
The following command verifies that the certificate domain.crt was issued by the certificate authority whose certificate is ca.crt:
openssl verify -verbose -CAfile ca.crt domain.crt

4. Private key generation and verification
This section describes the OpenSSL commands related to private key generation and verification.
4.1 Create a private key
The following command creates a password-protected 2048-bit private key domain.key:
openssl genrsa -des3 -out domain.key 2048
The above command prompts for a password.
4.2 Verify the private key
The following command verifies that the private key domain.key is valid:
openssl rsa -check -in domain.key
If the private key is encrypted, the command prompts for a password, and if the password is verified successfully, the unencrypted private key is displayed.
4.3 Verify that the private key matches the certificate and CSR
Verify that the private key domain.key matches the certificate domain.crt and the CSR domain.csr with the following commands:
openssl rsa -noout -modulus -in domain.key | openssl md5
openssl x509 -noout -modulus -in domain.crt | openssl md5
openssl req -noout -modulus -in domain.csr | openssl md5
If the output of all three commands is the same, the private key, certificate, and CSR almost certainly belong together.
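The modulus comparison above only works for RSA keys. The added example below (not from the original article) performs the same three-way match on the SHA-256 digest of each file's DER-encoded public key, so it works for EC keys as well; it assumes openssl is on PATH and takes the key, CSR and certificate file names as arguments.

```shell
#!/bin/sh
# Added example, not from the original article. Assumes: openssl on PATH; the
# key, CSR and certificate file names are passed by the caller. Instead of the
# RSA-only modulus, it hashes each file's DER public key (works for EC too).
set -e

# Public key of file $2 in DER, where $1 names the file type: key, csr or crt.
pubkey_der() {
  case "$1" in
    key) openssl pkey -in "$2" -pubout -outform DER ;;
    csr) openssl req  -in "$2" -pubkey -noout | openssl pkey -pubin -outform DER ;;
    crt) openssl x509 -in "$2" -pubkey -noout | openssl pkey -pubin -outform DER ;;
    *)   echo "unknown type: $1" >&2; return 2 ;;
  esac
}

# SHA-256 of that DER public key, as a hex string.
pubkey_digest() {
  pubkey_der "$1" "$2" | openssl dgst -sha256 | sed 's/^.*= *//'
}

# Exit 0 if key $1, CSR $2 and certificate $3 all carry the same public key.
matches() {
  k=$(pubkey_digest key "$1")
  c=$(pubkey_digest csr "$2")
  x=$(pubkey_digest crt "$3")
  [ "$k" = "$c" ] && [ "$c" = "$x" ]
}

if [ "$#" -eq 3 ]; then
  if matches "$1" "$2" "$3"; then echo "match"; else echo "MISMATCH"; exit 1; fi
fi
```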
4.4 Encrypt the private key
The following command encrypts the private key unencrypted.key and writes the encrypted private key encrypted.key:
openssl rsa -des3 -in unencrypted.key -out encrypted.key
The above command prompts you to set the password when executed.
4.5 Decrypt the private key
The following command decrypts the encrypted private key encrypted.key and writes the plaintext result:
openssl rsa -in encrypted.key -out decrypted.key
The above command will prompt for the decryption password when executed.
5. Certificate format conversion
The certificates dealt with so far have all been X.509 certificates encoded in PEM, an ASCII format. There are other certificate encodings and container types, and OpenSSL can convert certificates between many of them. This section covers the OpenSSL commands related to certificate format conversion.
5.1 PEM to DER
You can convert a PEM-encoded certificate domain.crt to a binary DER-encoded certificate domain.der:
openssl x509 -in domain.crt -outform der -out domain.der
The DER format is commonly used with Java.
5.2 DER to PEM
Similarly, a DER-encoded certificate (domain.der) can be converted to a PEM-encoded certificate (domain.crt):
openssl x509 -inform der -in domain.der -out domain.crt
5.3 PEM to PKCS7
You can add PEM certificates (domain.crt and ca-chain.crt) to a PKCS7 file (domain.p7b):
openssl crl2pkcs7 -nocrl -certfile domain.crt -certfile ca-chain.crt -out domain.p7b
Use the -certfile option to specify each certificate to add to the PKCS7 file.
PKCS7 files, also known as P7B files, are commonly used with Java keystores and with Microsoft IIS as an ASCII file holding certificates.
5.4 Convert PKCS7 to PEM
Use the following command to convert a PKCS7 file (domain.p7b) to a PEM file:
openssl pkcs7 -in domain.p7b -print_certs -out domain.crt
If the PKCS7 file contains multiple certificates, such as a normal certificate and an intermediate CA certificate, the output PEM file will contain all the certificates.
5.5 Convert PEM to PKCS12
You can combine a private key file (domain.key) and a certificate file (domain.crt) into a PKCS12 file (domain.pfx):
openssl pkcs12 -inkey domain.key -in domain.crt -export -out domain.pfx
The above command will prompt you to enter the export password, which can be left blank.
PKCS12 files, also known as PFX files, are commonly used to import / export certificate chains in Microsoft IIS.
5.6 Convert PKCS12 to PEM
You can also convert a PKCS12 file (domain.pfx) to PEM format (domain.combined.crt):
openssl pkcs12 -in domain.pfx -nodes -out domain.combined.crt
Note that if the PKCS12 file contains multiple entries, such as a certificate and its private key, the generated PEM file will contain all of them.
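As an added example that is not part of the original article, the following script performs the 5.5 export and the 5.6 extraction non-interactively and splits the PFX into its parts instead of dumping everything into one file; it assumes openssl is on PATH, a work directory passed as the first argument that contains domain.key, domain.crt and ca-chain.crt, and a demo password passed as the second argument.

```shell
#!/bin/sh
# Added example, not from the original article. Assumes: openssl on PATH; $1 is
# a work directory holding domain.key, domain.crt and ca-chain.crt (PEM); $2 is
# the demo password. Scripts the 5.5 export and the 5.6 extraction, split into
# the individual parts.
set -e

# Number of certificates in a PEM bundle $1 (0 if none).
pem_cert_count() {
  grep -c '^-----BEGIN CERTIFICATE-----' "$1" || true
}

roundtrip() {
  dir="$1"; pw="$2"
  # 5.5 with the chain included and the password given on the command line.
  openssl pkcs12 -export -inkey "$dir/domain.key" -in "$dir/domain.crt" \
    -certfile "$dir/ca-chain.crt" -passout "pass:$pw" -out "$dir/domain.pfx"
  # Only the end-entity certificate (the one bound to the key).
  openssl pkcs12 -in "$dir/domain.pfx" -passin "pass:$pw" -clcerts -nokeys \
    -out "$dir/leaf.crt"
  # Only the CA certificates that were added with -certfile.
  openssl pkcs12 -in "$dir/domain.pfx" -passin "pass:$pw" -cacerts -nokeys \
    -out "$dir/chain.crt"
  # Only the private key, written unencrypted as in 5.6 (-nodes).
  openssl pkcs12 -in "$dir/domain.pfx" -passin "pass:$pw" -nocerts -nodes \
    -out "$dir/key.pem"
}

if [ "$#" -eq 2 ]; then
  roundtrip "$1" "$2"
  echo "leaf certs:  $(pem_cert_count "$1/leaf.crt")"
  echo "chain certs: $(pem_cert_count "$1/chain.crt")"
fi
```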
© 2024 shulou.com SLNews company. All rights reserved.