OpenSSL命令行常用功能(1)

OpenSSL命令行常用功能(1)

作者：rainbow 文章出处：中国信息安全组织 发布时间：2005-11-04 点击： <script src="/php/count.php?artID=23854&view=yes" type="text/javascript"></script> 3390 字体： 【小 中 大】

1、为CA创建一个RSA私钥 D:/openssl/bin>openssl genrsa -des3 -out -ca.key 1024 Loading 'screen' into random state - done Generating RSA private key, 1024 bit long modulus ............................................................................++++++ ........++++++ e is 65537 (0x10001) Enter pass phrase for -ca.key:123456 Verifying - Enter pass phrase for -ca.key:123456 2、利用CA的RSA私钥创建一个自签名的CA证书 D:/openssl/bin>openssl req -new -x509 -days 3650 -key ca.key -out ca.crt -config openssl.cnf Enter pass phrase for ca.key: You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [AU]:cn State or Province Name (full name) [Some-State]:sh Locality Name (eg, city) []:sh Organization Name (eg, company) [Internet Widgits Pty Ltd]:ciso Organizational Unit Name (eg, section) []:ciso Common Name (eg, YOUR name) []:infosecurity.org.cn Email Address []:webmaster@infosecurity.org.cn 3、生成证书请求 D:/openssl/bin>openssl req -config openssl.cnf -new -keyout webmaster.key -out wm_req.pem -days 365 Loading 'screen' into random state - done Generating a 1024 bit RSA private key .....++++++ ......................++++++ writing new private key to 'newreq.pem' Enter PEM pass phrase:123456(自己输) Verifying - Enter PEM pass phrase:123456(自己输) ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [AU]:cn State or Province Name (full name) [Some-State]:sh Locality Name (eg, city) []:sh Organization Name (eg, company) [Internet Widgits Pty Ltd]:ciso Organizational Unit Name (eg, section) []:ciso Common Name (eg, YOUR name) []:webmaster Email Address []:webmaster@infosecurity.org.cn Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []:(不输) An optional company name []:(不输) 4、签发证书 D:/openssl/bin>openssl ca -config openssl.cnf -out webmaster.pem -infiles wm_req.pem Using configuration from openssl.cnf Loading 'screen' into random state - done 1896:error:0E06D06C:configuration file routines:NCONF_get_string:no value:./crypto/conf/conf_lib.c:329:group=CA_defa ult name=unique_subject Enter pass phrase for ./ca.key: Check that the request matches the signature Signature ok The Subject's Distinguished Name is as follows countryName     :PRINTABLE:'cn' stateOrProvinceName   :PRINTABLE:'sh' localityName     :PRINTABLE:'sh' organizationName   :PRINTABLE:'ciso' organizationalUnitName:PRINTABLE:'ciso' commonName       :PRINTABLE:'webmaster' emailAddress     :IA5STRING:&# 39webmaster@infosecurity.org.cn ' Certificate is to be certified until Aug 23 10:01:35 2005 GMT (365 days) Sign the certificate? [y/n]:y 1 out of 1 certificate requests certified, commit? [y/n]y Write out database with 1 new entries Data Base Updated 5、重复步骤3与4可以创建个人证书。 6、包成pfx文件格式。 输入：z1.key与z1.crt 输出：z1.pfx D:/openssl/bin>openssl pkcs12 -export -inkey z1.key -in z1.crt -out z1.pfx Loading 'screen' into random state - done Enter pass phrase for z1.key:(输入密码) Enter Export Password: :(输入密码) Verifying - Enter Export Password::(输入密码) 7、去除私钥的密码。 D:/openssl/bin>openssl rsa -in z1.key -out z1_nopwd.key Enter pass phrase for z1.key:(输入密码) writing RSA key