2025-02-24 Update From: SLTechnology News&Howtos (Servers)
Shulou(Shulou.com)06/01 Report--
This article explains how to handle SSL/TLS certificates with OpenSSL on Linux. It is a detailed, practical reference that anyone who works with certificates should find useful.
OpenSSL is a versatile command-line tool that can be used for a large number of tasks related to public key infrastructure (PKI) and HTTPS (HTTP over TLS). This cheat-sheet-style guide provides a quick reference to the OpenSSL commands that are useful in common, everyday scenarios. It includes OpenSSL examples for generating private keys, certificate signing requests (CSRs) and certificate format conversions, but it does not cover all the uses of OpenSSL.
How to use this guide
If you are not familiar with certificate signing requests (CSRs), read the first section.
Apart from the first section, this guide is in a simple cheat-sheet format: a short explanation followed by the command-line snippet.
Jump to any section that is relevant to the task you are trying to accomplish.
Most of the commands are single-line commands that have been extended to multiple lines (using the \ symbol) for clarity.
About certificate signing requests (CSRs)
If you want to obtain an SSL certificate from a certificate authority (CA), you must generate a certificate signing request (CSR). A CSR consists mainly of the public key of a key pair plus some additional information, and it is signed with the corresponding private key to prove that the requester holds it. When the CA signs the certificate, both the public key and the additional information are inserted into the certificate.
Whenever you generate a CSR, you will be prompted for information about the certificate. This information is known as the Distinguished Name (DN). An important field in the DN is the Common Name (CN), which should be the fully qualified domain name (FQDN) of the host you intend to use the certificate with. Note that modern browsers no longer accept the CN on its own: the hostname must also appear in the certificate's Subject Alternative Name (SAN) extension, which the interactive prompts do not ask for, so a certificate for a public service should be requested with a SAN as well (the -addext option on OpenSSL 1.1.1 and later, or a req_extensions section in a config file, adds one). When creating a CSR, you can also skip the interactive prompts by passing the information on the command line or in a file.
The other items in the DN provide additional information about your business or organization. If you are purchasing an SSL certificate from a certificate authority, these additional fields (such as "Organization") are usually required to accurately reflect your organization's details.
Here is an example of the CSR information prompts:

Country Name (2 letter code) [AU]: US
State or Province Name (full name) [Some-State]: New York
Locality Name (eg, city) []: Brooklyn
Organization Name (eg, company) [Internet Widgits Pty Ltd]: Example Brooklyn Company
Organizational Unit Name (eg, section) []: Technology Division
Common Name (e.g. server FQDN or YOUR name) []: examplebrooklyn.com
Email Address []:
If you want to answer the CSR information prompts non-interactively, you can do so by adding the -subj option to any OpenSSL command that requests CSR information. Here is an example of the option, using the same information shown in the code block above:

-subj "/C=US/ST=New York/L=Brooklyn/O=Example Brooklyn Company/CN=examplebrooklyn.com"

Each DN field is written as /NAME=value; a value that itself contains a slash has to be escaped as \/.
Now that you know what a CSR is, feel free to jump to whichever section of this guide covers your OpenSSL needs.
Generate CSR
This section covers the OpenSSL commands related to generating a CSR (and a private key, if one does not already exist). A CSR is used to request an SSL certificate from a certificate authority.
Remember that you can supply the CSR information non-interactively with the -subj option described in the previous section.
Generate a private key and a CSR
Use this method if you want to secure your Apache HTTP or Nginx web server with HTTPS (HTTP over TLS) and you want a certificate authority (CA) to issue the SSL certificate. The CSR that is generated can be sent to the CA to request the issuance of a CA-signed SSL certificate. If your CA supports SHA-2 (all public CAs do today), add the -sha256 option so that the CSR is signed with SHA-2; recent OpenSSL releases already default to SHA-256, so the option only matters on old builds.
This command creates a 2048-bit private key (domain.key) and a CSR (domain.csr) from scratch:

openssl req \
  -newkey rsa:2048 -nodes -keyout domain.key \
  -out domain.csr

Answer the CSR information prompts to complete the process.
The -newkey rsa:2048 option specifies that a 2048-bit RSA key should be generated. The -nodes option specifies that the private key should not be encrypted with a passphrase, which is what a web server that has to start unattended needs; protect the file with restrictive permissions (chmod 600) instead. The -new option is not given explicitly here, but it is implied by -newkey and indicates that a CSR is being generated.
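As an added example, not code from the original article: the same key-and-CSR generation driven entirely by a config file, which is the "in a file" method mentioned in the CSR section and the portable way to put a Subject Alternative Name into the request without interactive prompts (it works on the 1.0.1 build this guide was written with as well as on 1.1.1 and 3.x). The script then checks the CSR before it goes to the CA. The hostnames examplebrooklyn.com and www.examplebrooklyn.com, the working directory and the file names are assumptions; the DN values are the ones from the prompt example above.

```shell
#!/bin/sh
# Added example (not from the original article): non-interactive key + CSR
# generation from a config file, including a subjectAltName extension, and a
# pre-flight check of the resulting CSR. The hostnames and file names are
# assumptions chosen for illustration.
set -e

# Write a minimal req config to $1 for the FQDN $2. "prompt = no" makes
# openssl take the DN from the [dn] section instead of asking questions;
# req_extensions pulls in the SAN list, which the interactive prompts never
# ask for but which browsers require.
write_csr_config() {
    cat > "$1" <<EOF
[req]
distinguished_name = dn
req_extensions     = v3_req
prompt             = no

[dn]
C  = US
ST = New York
L  = Brooklyn
O  = Example Brooklyn Company
CN = $2

[v3_req]
subjectAltName = @alt_names

[alt_names]
DNS.1 = $2
DNS.2 = www.$2
EOF
}

# Generate an unencrypted 2048-bit RSA key and a SHA-256-signed CSR in
# directory $1 for FQDN $2: produces $1/domain.key and $1/domain.csr.
gen_key_and_csr() {
    write_csr_config "$1/csr.cnf" "$2"
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -config "$1/csr.cnf" \
        -keyout "$1/domain.key" \
        -out "$1/domain.csr" 2>/dev/null
    chmod 600 "$1/domain.key"   # never leave a private key world-readable
}

# Pre-flight check before sending CSR $1 to the CA: the self-signature must
# verify (proves the request matches the key) and every hostname given as a
# further argument must appear as a DNS SAN. Prints "ok" or "bad".
check_csr() {
    csr=$1; shift
    if ! openssl req -noout -verify -in "$csr" >/dev/null 2>&1; then
        echo bad; return 1
    fi
    text=$(openssl req -noout -text -in "$csr")
    for host in "$@"; do
        # match "DNS:host" followed by a comma or end of line, so that
        # example.com does not pass on the strength of example.com.evil
        if ! printf '%s\n' "$text" | grep -Eq "DNS:$host"'(,|$)'; then
            echo bad; return 1
        fi
    done
    echo ok
}

# Usage:
#   d=$(mktemp -d)
#   gen_key_and_csr "$d" examplebrooklyn.com
#   check_csr "$d/domain.csr" examplebrooklyn.com www.examplebrooklyn.com
```

The config file replaces both the interactive prompts and the -subj option, and it is the only place the SAN list can live on an OpenSSL older than 1.1.1. Keep the file with the key: you will want the same DN and SAN list again when the certificate is renewed.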
Generate a CSR from an existing private key
Use this method if you already have a private key and want to use it to request a certificate from a CA.
This command creates a new CSR (domain.csr) based on an existing private key (domain.key):

openssl req \
  -key domain.key \
  -new -out domain.csr

Answer the CSR information prompts to complete the process.
The -key option specifies the existing private key (domain.key) that will be used to generate the new CSR. The -new option indicates that a CSR is being generated.
Generate CSR from existing certificates and private keys
Use this method if you want to renew an existing certificate but, for whatever reason, you or your CA no longer have the original CSR. It saves you from re-entering the CSR information, because the information is extracted from the existing certificate.
This command creates a new CSR (domain.csr) based on an existing certificate (domain.crt) and private key (domain.key):

openssl x509 \
  -in domain.crt \
  -signkey domain.key \
  -x509toreq -out domain.csr

The -x509toreq option specifies that an X.509 certificate is to be used to create the CSR. Only the subject and the public key are carried over by default; extensions such as the Subject Alternative Name are not, so inspect the new CSR with the command from the "View certificates" section before sending it to the CA.
Generate SSL certificate
If you want to use an SSL certificate to secure a service but you do not need a CA-signed certificate, a valid (and free) solution is to sign your own certificates.
A common type of certificate that you can issue yourself is a self-signed certificate. A self-signed certificate is a certificate that is signed with its own private key. Self-signed certificates can be used to encrypt data just as well as CA-signed certificates, but your users' browsers and clients will display a warning that the certificate is not trusted, because nobody vouches for who holds the key. Therefore, use self-signed certificates only where you do not need to prove your service's identity to its users (for example on non-production or non-public servers), or where you can install the certificate itself into every client's trust store.
This section describes the OpenSSL commands related to generating self-signed certificates.
Generate self-signed certificate
Use this method if you want to secure your Apache HTTP or Nginx web server with HTTPS (HTTP over TLS) and you do not need the certificate to be signed by a CA.
This command creates a 2048-bit private key (domain.key) and a self-signed certificate (domain.crt) from scratch:

openssl req \
  -newkey rsa:2048 -nodes -keyout domain.key \
  -x509 -days 365 -out domain.crt

Answer the CSR information prompts to complete the process.
The -x509 option tells the req subcommand to create a self-signed certificate instead of a CSR. The -days option specifies that the certificate is valid for 365 days. A temporary CSR is generated internally to collect the information that goes into the certificate.
Generate a self-signed certificate from an existing private key
Use this method if you already have a private key and want to use it to generate a self-signed certificate.
This command creates a self-signed certificate (domain.crt) from an existing private key (domain.key):

openssl req \
  -key domain.key \
  -new \
  -x509 -days 365 -out domain.crt

Answer the CSR information prompts to complete the process.
The -x509 option tells the req subcommand to create a self-signed certificate. The -days option specifies that the certificate is valid for 365 days. The -new option enables the CSR information prompts.
Generate a self-signed certificate from an existing private key and CSR
Use this method if you already have a private key and a CSR and want to use them to generate a self-signed certificate.
This command creates a self-signed certificate (domain.crt) from an existing private key (domain.key) and CSR (domain.csr):

openssl x509 \
  -signkey domain.key \
  -in domain.csr \
  -req -days 365 -out domain.crt

The -req option tells x509 to expect a CSR as input rather than a certificate, and -signkey names the key that signs the result (here the requester's own key, which is what makes it self-signed). The -days 365 option specifies that the certificate is valid for 365 days. Extensions requested in the CSR are not copied into the certificate by this command; pass them again with -extfile if you need them.
View certificates
Certificate and CSR files are PEM-encoded, which is not human-readable.
The OpenSSL commands in this section print the actual entries of a PEM-encoded file.
View CSR entries
This command lets you view and verify the contents of a CSR (domain.csr) in plain text:

openssl req \
  -text -noout -verify \
  -in domain.csr

The -verify option checks the CSR's self-signature, confirming that the request was produced by the holder of the private key and was not altered in transit.
View certificate entries
This command lets you view the contents of a certificate (domain.crt) in plain text:

openssl x509 \
  -text -noout \
  -in domain.crt
Verify that a certificate is signed by a CA
Use this command to verify that a certificate (domain.crt) was signed by a specific CA certificate (ca.crt):

openssl verify \
  -verbose -CAfile ca.crt \
  domain.crt

If the certificate was issued by an intermediate CA, ca.crt must contain the whole chain up to the root (the intermediate and root certificates concatenated), or the -untrusted option must point at the intermediates. Note that verify checks the chain and the validity period only; it does not check that the certificate's name matches any particular host unless you add -verify_hostname (OpenSSL 1.1.0 and later).
Private key
This section covers the OpenSSL commands for creating and verifying private keys.
Create a private key
Use this command to create a passphrase-protected 2048-bit RSA private key (domain.key):

openssl genrsa \
  -des3 -out domain.key 2048

Enter a passphrase when prompted to complete the process. The -des3 option is kept here for compatibility with the older tooling this guide was written for; on any current OpenSSL use -aes256 instead, which encrypts the key with AES-256.
Verify a private key
Use this command to check that a private key (domain.key) is a valid key:

openssl rsa \
  -check -in domain.key

If the private key is encrypted, you will be prompted for its passphrase. On success the command prints "RSA key ok" and then writes the unencrypted key to the terminal; add -noout if you only want the verdict and do not want the key material on screen (or in a terminal log).
Verify that a private key matches a certificate and CSR
Use these commands to verify that a private key (domain.key) matches a certificate (domain.crt) and CSR (domain.csr):

openssl rsa -noout -modulus -in domain.key | openssl md5
openssl x509 -noout -modulus -in domain.crt | openssl md5
openssl req -noout -modulus -in domain.csr | openssl md5

If the output of each command is identical, the private key, certificate and CSR are almost certainly related. The comparison works only for RSA keys, since only RSA has a modulus; for other key types (for example EC) compare the public keys themselves, as printed by openssl pkey -pubout, openssl x509 -pubkey -noout and openssl req -pubkey -noout.
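The modulus comparison above only works for RSA keys, since only RSA has a modulus; openssl rsa refuses an EC key outright. Comparing the public key itself works for any key type. The following added example, not code from the original article, does that comparison with SHA-256 digests of the public keys, builds an EC key, CSR and self-signed certificate to try it on, and shows the check failing against a freshly generated key. The hostname and file names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original article): check that a private key,
# a certificate and a CSR all carry the same public key, for RSA and EC keys
# alike. Hostname and file names are assumptions chosen for illustration.
set -e

# Print the public key of $2 in PEM SubjectPublicKeyInfo form; $1 says what
# kind of file it is (key, cert or csr). All three commands emit the same
# PEM form, so their output can be compared directly whatever the algorithm.
emit_pubkey() {
    case "$1" in
        key)  openssl pkey -in "$2" -pubout 2>/dev/null ;;
        cert) openssl x509 -in "$2" -pubkey -noout ;;
        csr)  openssl req  -in "$2" -pubkey -noout ;;
        *)    echo "unknown kind: $1" >&2; return 2 ;;
    esac
}

# SHA-256 of the public key, the modern stand-in for "| openssl md5" above.
pubkey_fingerprint() {
    emit_pubkey "$1" "$2" | openssl dgst -sha256 | sed 's/^.*= //'
}

# Compare key $1, certificate $2 and CSR $3. Prints "match" when all three
# fingerprints agree, "mismatch" (and returns 1) otherwise.
key_cert_csr_match() {
    k=$(pubkey_fingerprint key  "$1")
    c=$(pubkey_fingerprint cert "$2")
    r=$(pubkey_fingerprint csr  "$3")
    if [ "$k" = "$c" ] && [ "$k" = "$r" ]; then
        echo match
    else
        echo mismatch; return 1
    fi
}

# Constructed input: an EC P-256 key, a CSR for hostname $2 and a self-signed
# certificate from that CSR, all in directory $1. This is exactly the case
# the RSA modulus check cannot handle.
make_ec_trio() {
    openssl ecparam -name prime256v1 -genkey -noout -out "$1/domain.key"
    openssl req -new -key "$1/domain.key" -subj "/CN=$2" -out "$1/domain.csr"
    openssl x509 -req -days 365 -signkey "$1/domain.key" \
        -in "$1/domain.csr" -out "$1/domain.crt" 2>/dev/null
}

# Usage:
#   d=$(mktemp -d); make_ec_trio "$d" examplebrooklyn.com
#   key_cert_csr_match "$d/domain.key" "$d/domain.crt" "$d/domain.csr"   # match
```

The same three functions work unchanged for an RSA key; the digest is taken over the encoded public key rather than over the modulus, so the algorithm never matters.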
Encrypt a private key
This takes an unencrypted private key (unencrypted.key) and outputs an encrypted version of it (encrypted.key):

openssl rsa -des3 \
  -in unencrypted.key \
  -out encrypted.key

Enter the passphrase you want to encrypt the private key with. As with genrsa, -aes256 is the better cipher choice on a current OpenSSL. Remember to securely delete the unencrypted copy afterwards if the point of encrypting was to get plaintext key material off the disk.
Decrypt a private key
This takes an encrypted private key (encrypted.key) and outputs a decrypted version of it (decrypted.key):

openssl rsa \
  -in encrypted.key \
  -out decrypted.key

Enter the passphrase of the encrypted key when prompted.
Convert certificate format
All of the certificates we have been working with so far have been X.509 certificates in ASCII PEM encoding (Base64 between BEGIN and END markers). There are a variety of other certificate encodings and container types; some applications prefer certain formats over others. Also, many of these formats can contain multiple items, such as a private key, a certificate and a CA certificate, in a single file.
OpenSSL can be used to convert certificates to and from a large variety of these formats. This section covers some of the possible conversions.
Convert PEM to DER
Use this command if you want to convert a PEM-encoded certificate (domain.crt) to a DER-encoded certificate (domain.der), a binary format:

openssl x509 \
  -in domain.crt \
  -outform der -out domain.der

The DER format is typically used with Java platforms. A DER file holds exactly one object, so it cannot carry a certificate chain.
Convert DER to PEM
Use this command if you want to convert a DER-encoded certificate (domain.der) to a PEM-encoded certificate (domain.crt):

openssl x509 \
  -inform der -in domain.der \
  -out domain.crt

Convert PEM to PKCS7
Use this command if you want to add PEM certificates (domain.crt and ca-chain.crt) to a PKCS7 file (domain.p7b):

openssl crl2pkcs7 -nocrl \
  -certfile domain.crt \
  -certfile ca-chain.crt \
  -out domain.p7b

Note that you can use one or more -certfile options to specify which certificates to add to the PKCS7 file.
PKCS7 files, also known as P7B, are typically used in Java keystores and Microsoft IIS (Windows). In this form they are ASCII files that can contain certificates and CA certificates, but never private keys.
Convert PKCS7 to PEM
Use this command if you want to convert a PKCS7 file (domain.p7b) to a PEM file:

openssl pkcs7 \
  -in domain.p7b \
  -print_certs -out domain.crt

Note that if your PKCS7 file has multiple items in it (for example, a certificate and a CA intermediate certificate), the PEM file that is created will contain all of the items in it.
Convert PEM to PKCS12
Use this command if you want to take a private key (domain.key) and a certificate (domain.crt) and combine them into a PKCS12 file (domain.pfx):

openssl pkcs12 \
  -inkey domain.key \
  -in domain.crt \
  -export -out domain.pfx

You will be prompted for an export password, which you may leave blank. Note that a blank password means the file protects the private key no better than the file system permissions do, so treat the .pfx as carefully as the .key itself. You can add a certificate chain to the PKCS12 file by concatenating the certificates into a single PEM file (domain.crt), or by passing the chain separately with -certfile ca-chain.crt.
PKCS12 files, also known as PFX files, are typically used for importing and exporting certificate chains in Microsoft IIS (Windows).
Convert PKCS12 to PEM
Use this command if you want to convert a PKCS12 file (domain.pfx) to PEM format (domain.combined.crt):

openssl pkcs12 \
  -in domain.pfx \
  -nodes -out domain.combined.crt

Note that if your PKCS12 file has multiple items in it (for example, a certificate and a private key), the PEM file that is created will contain all of the items in it, with the private key unencrypted because of -nodes. Use -nocerts to extract only the key, or -nokeys to extract only the certificates. A .pfx produced by OpenSSL 3 uses AES and PBKDF2 by default, which some older consumers cannot read; export with -legacy if the destination is such a tool.
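As an added example, not code from the original article: a script that pushes a certificate through each conversion above (PEM to DER and back, into a PKCS#7 bundle and out, and into a PKCS#12 bundle together with its key and chain and out again) and checks that what comes back is the same certificate and key that went in. Comparing fingerprints this way is the quickest proof that a conversion did not silently drop the chain or pick up the wrong file. The constructed input is two self-signed certificates standing in for a server certificate and its CA; the file names and the export password "changeit" are assumptions.

```shell
#!/bin/sh
# Added example (not from the original article): round-trip a certificate and
# its key through the DER, PKCS#7 and PKCS#12 containers and confirm nothing
# was lost. File names and the export password are assumptions chosen for
# illustration; the input certificates are constructed self-signed test certs.
set -e

# SHA-256 fingerprint of certificate $1 (computed over its DER form), so that
# PEM files differing only in wrapping or surrounding text still compare equal.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# PEM -> DER -> PEM in directory $1. Prints "same" if the certificate survived.
roundtrip_der() {
    openssl x509 -in "$1/domain.crt" -outform der -out "$1/domain.der"
    openssl x509 -inform der -in "$1/domain.der" -out "$1/from_der.crt"
    if [ "$(cert_fingerprint "$1/domain.crt")" = "$(cert_fingerprint "$1/from_der.crt")" ]
    then echo same; else echo different; fi
}

# PEM (leaf + CA) -> PKCS#7 -> PEM in directory $1. Prints the number of
# certificates that came back out; it must equal the number that went in (2).
roundtrip_pkcs7() {
    openssl crl2pkcs7 -nocrl -certfile "$1/domain.crt" -certfile "$1/ca.crt" \
        -out "$1/domain.p7b"
    openssl pkcs7 -in "$1/domain.p7b" -print_certs -out "$1/from_p7b.crt"
    grep -c 'BEGIN CERTIFICATE' "$1/from_p7b.crt"
}

# PEM key + leaf + chain -> PKCS#12 -> PEM in directory $1. Prints "same" if
# the extracted key is the original one and both certificates are present.
roundtrip_pkcs12() {
    openssl pkcs12 -export -inkey "$1/domain.key" -in "$1/domain.crt" \
        -certfile "$1/ca.crt" -passout pass:changeit -out "$1/domain.pfx"
    # -nocerts / -nokeys split the bundle back into a key file and a cert file
    openssl pkcs12 -in "$1/domain.pfx" -passin pass:changeit -nocerts -nodes \
        -out "$1/from_pfx.key"
    openssl pkcs12 -in "$1/domain.pfx" -passin pass:changeit -nokeys \
        -out "$1/from_pfx.crt"
    orig=$(openssl pkey -in "$1/domain.key" -pubout)
    back=$(openssl pkey -in "$1/from_pfx.key" -pubout)
    ncerts=$(grep -c 'BEGIN CERTIFICATE' "$1/from_pfx.crt")
    if [ "$orig" = "$back" ] && [ "$ncerts" -eq 2 ]
    then echo same; else echo different; fi
}

# Constructed input: a self-signed leaf (domain.key/domain.crt) and a
# self-signed "CA" (ca.crt) that stands in for the chain, in directory $1.
make_test_certs() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Test CA" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=domain.example" \
        -keyout "$1/domain.key" -out "$1/domain.crt" 2>/dev/null
}

# Usage:
#   d=$(mktemp -d); make_test_certs "$d"
#   roundtrip_der "$d"; roundtrip_pkcs7 "$d"; roundtrip_pkcs12 "$d"
```

The fingerprint check is the one to keep in a deployment script: compare the fingerprint of the certificate your server actually presents against the one you exported, and a wrong or stale file is caught before any client sees it.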
OpenSSL version
The openssl version command can be used to check which version you are running. The version of OpenSSL you are running, and the options it was compiled with, affect the capabilities (and sometimes the command-line options) that are available to you.
The following command displays the OpenSSL version you are running and all of the options that it was compiled with:

openssl version -a

This guide was written using an OpenSSL binary with the following details (the output of the previous command):

OpenSSL 1.0.1f 6 Jan 2014
built on: Mon Apr 7 21:22:23 UTC 2014
platform: debian-amd64
options:  bn(64,64) rc4(16x,int) des(idx,cisc,16,int) blowfish(idx)
compiler: cc -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -m64 -DL_ENDIAN -DTERMIO -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2 -Wl,-Bsymbolic-functions -Wl,-z,relro -Wa,--noexecstack -Wall -DMD32_REG_T=int -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
OPENSSLDIR: "/usr/lib/ssl"

That 1.0.1 release has been out of support for years. The commands in this guide still work unchanged on OpenSSL 1.1.1 and 3.x, apart from cosmetic differences: OpenSSL 3 prints deprecation notices for -nodes (now also spelled -noenc) and for genrsa (whose successor is genpkey), and defaults to SHA-256 signatures and AES-encrypted keys, which is what you want.
© 2024 shulou.com SLNews company. All rights reserved.