Common openssl commands

Notes

General certificate issuance workflow

# Generate CA private key
$ openssl genrsa -out ca.key 2048
# Generate CSR
$ openssl req -new -key ca.key -out ca.csr
# Generate self-signed certificate (CA root certificate)
$ openssl x509 -req -days 365 -in ca.csr -signkey ca.key -out ca.crt

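# Server private key (-des3 encrypts it with a passphrase)
# Note: 1024-bit RSA is below current minimum recommendations; use 2048 bits or more outside of tests
$ openssl genrsa -des3 -out server.key 1024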
# generate csr
$ openssl req -new -key server.key -out server.csr
# generate certificate
$ openssl ca -in server.csr -out server.crt -cert ca.crt -keyfile ca.key
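
The workflow above ends once server.crt is written. As an added example (not part of the original notes), this script repeats the workflow non-interactively and then checks that the certificate chains to the CA and that the private key matches it, including the two failure cases. The -subj values, the ca_ext.cnf file (which marks the CA certificate as CA:TRUE), the unencrypted 2048-bit server key, the use of x509 -req -CA instead of openssl ca, and all file and function names are assumptions made for the example.

```sh
#!/bin/sh
# Added example, not from the original notes. All names and subjects are constructed.

# Succeeds only if CERT chains to the trust anchor CA_CERT.
cert_chains_to() {   # usage: cert_chains_to CA_CERT CERT
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Succeeds only if KEY is the private key for the public key inside CERT.
key_matches_cert() { # usage: key_matches_cert KEY CERT
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    crt_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ "$key_pub" = "$crt_pub" ]
}

# Build a throwaway self-signed CA called NAME in directory DIR.
make_ca() {          # usage: make_ca DIR NAME
    openssl genrsa -out "$1/$2.key" 2048 2>/dev/null
    openssl req -new -key "$1/$2.key" -subj "/CN=$2 (constructed test CA)" -out "$1/$2.csr"
    printf 'basicConstraints=critical,CA:TRUE\n' > "$1/ca_ext.cnf"
    openssl x509 -req -days 365 -in "$1/$2.csr" -signkey "$1/$2.key" \
        -extfile "$1/ca_ext.cnf" -out "$1/$2.crt" 2>/dev/null
}

# Issue a server certificate from "ca", then run each check once against the
# right CA/key and once against an unrelated CA/key. Prints four results.
demo() {
    d=$(mktemp -d) || return 1
    make_ca "$d" ca && make_ca "$d" other || return 1
    openssl genrsa -out "$d/server.key" 2048 2>/dev/null
    openssl req -new -key "$d/server.key" -subj "/CN=server.example.test" -out "$d/server.csr"
    openssl x509 -req -days 30 -in "$d/server.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -out "$d/server.crt" 2>/dev/null
    cert_chains_to "$d/ca.crt" "$d/server.crt" && r1=ok || r1=fail      # issuing CA
    cert_chains_to "$d/other.crt" "$d/server.crt" && r2=ok || r2=fail   # unrelated CA
    key_matches_cert "$d/server.key" "$d/server.crt" && r3=ok || r3=fail # own key
    key_matches_cert "$d/ca.key" "$d/server.crt" && r4=ok || r4=fail     # wrong key
    rm -rf "$d"
    echo "$r1 $r2 $r3 $r4"
}

demo
```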

Generating certificates in various formats

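# Generate a regular certificate
$ openssl x509 -req -in user.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out user.crt -days 3650
# Generate a p12 certificate (pass:... puts the password on the command line, where shell history
# and process listings can expose it; -password also accepts env:VAR and file:PATH)
$ openssl pkcs12 -export -inkey user.key -in user.crt -password "pass:passwd" -out "user.p12"
# Generate a p7b certificate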
$ openssl crl2pkcs7 -nocrl -certfile out/sha1_1024.crt -certfile server.crt -out certificate.p7b

PKCS12 certificate operations

# PKCS12 (-nodes writes the private key to the output unencrypted)
$ openssl pkcs12 -in in.pfx -password "pass:123456" -nodes -out tmp_out.cer
$ openssl pkcs12 -in in.pfx -password "pass:123456" -nodes -nocerts -out out.key
$ openssl x509 -in tmp_out.cer -out out.cer

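# Client certificate only, no keys
$ openssl pkcs12 -in sm2.pfx -password "pass:111111" -clcerts -nodes -nokeys
# Private key only, unencrypted
$ openssl pkcs12 -in sm2.pfx -password "pass:111111" -nodes -nocerts

# Output CA certificates only (no client certificates)
$ openssl pkcs12 -in server.p12 -cacerts
# Output client certificates only (no CA certificates)
$ openssl pkcs12 -in server.p12 -clcerts
# Private key only, unencrypted
$ openssl pkcs12 -in server.p12 -nocerts -nodes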

Other certificate operations

# Specify the validity start time with openssl: -startdate
$ openssl ca -in usr.csr -out usr1.crt -startdate `date +"%Y%m%d%H%M%S"`"-0800" -cert ca.crt -keyfile ca.key -config /etc/openssl.cnf
$ openssl x509 -req -in user.csr -CA ca.crt -CAkey ca.key -out user22.crt -days 3650 -setstartdate `date +"%Y%m%d%H%M%S"`"-0800"

# printf-style templates for the same commands (%s and %d are placeholders, %% is a literal %)
# define FORMAT_GEN_CA_CERT
$ openssl x509 -req -in %s -out %s -signkey %s -days 3650 -setstartdate `date +'%%Y%%m%%d%%H%%M%%S'`'-0800'
# define FORMAT_GEN_USER_CERT
$ openssl x509 -req -in %s -out %s -signkey %s -CA %s -CAkey %s -CAcreateserial -days %d -setstartdate `date +'%%Y%%m%%d%%H%%M%%S'`'-0800'
# define FORMAT_GEN_P12_CERT
$ openssl pkcs12 -export -clcerts -in %s -inkey %s -out %s -password "pass:%s"