openssl 生成自签证书及查看证书细节

# 生成自签CA以及证书

## 1. 生成X509格式的CA自签名证书

```
openssl req -new -x509 -keyout ca.key -out ca.crt
# 去除密码
openssl rsa -in ca.key -out ca.key
```

## 2. 生成服务端的私钥(key文件)及csr文件

```
openssl genrsa -des3 -out server.key 1024
openssl req -new -key server.key -out server.csr
```

## 3. 生成客户端的私钥(key文件)及csr文件

```
openssl genrsa -des3 -out client.key 1024
openssl req -new -key client.key -out client.csr
```

## 4. 用生成的CA的证书为刚才生成的server.csr,client.csr文件签名

```
openssl ca -in server.csr -out server.crt -cert ca.crt -keyfile ca.key
openssl ca -in client.csr -out client.crt -cert ca.crt -keyfile ca.key
```

上面的命令执行后可能出现以下错误：

```
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for ca.key:
/etc/pki/CA/index.txt: No such file or directory
unable to open '/etc/pki/CA/index.txt'
139883256969032:error:02001002:system library:fopen:No such file or directory:bss_file.c:355:fopen('/etc/pki/CA/index.txt','r')
139883256969032:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:357:
```

解决方法：

```
# Create the index.txt file.
touch /etc/pki/CA/index.txt
# Create a serial file to label the CA and all subsequent certificates.
echo '1000' > /etc/pki/CA/serial
```

## 5. 生成p12格式证书

```
openssl pkcs12 -export -inkey client.key -in client.crt -out client.pfx
openssl pkcs12 -export -inkey server.key -in server.crt -out server.pfx
```

## 6. 生成pem格式证书

有时需要用到pem格式的证书，可以用以下方式合并证书文件（crt）和私钥文件（key）来生成

```
cat client.crt client.key > client.pem
cat server.crt server.key > server.pem
```

## 7. PFX文件转换为X509证书文件和RSA密钥文件

```
openssl pkcs12 -in server.pfx -nodes -out server.pem
openssl rsa -in server.pem -out server2.key
openssl x509 -in server.pem -out server2.crt
```

## 8. PEM--DER/CER(BASE64--DER编码的转换)

```
openssl x509 -outform der -in server.pem -out server.cer
```

这样生成服务端证书：ca.crt, server.key, server.crt, server.pem, server.pfx，
客户端证书：ca.crt, client.key, client.crt, client.pem, client.pfx

# openssl x509部分查看命令

## 1. 打印出证书的内容

```
openssl x509 -in cert.pem -noout -text
openssl x509 -pubkey -noout -in cert.crt

# 校验证书、key
diff -eq <(openssl x509 -pubkey -noout -in cert.crt) <(openssl rsa -pubout -in cert.key)
```

## 2. 打印出证书的系列号

```
openssl x509 -in cert.pem -noout -serial
```

## 3. 打印出证书的拥有者名字

```
openssl x509 -in cert.pem -noout -subject
```

## 4. 以RFC2253规定的格式打印出证书的拥有者名字

```
openssl x509 -in cert.pem -noout -subject -nameopt RFC2253
```

## 5. 在支持UTF8的终端一行过打印出证书的拥有者名字

```
openssl x509 -in cert.pem -noout -subject -nameopt oneline -nameopt -escmsb
```

## 6. 打印出证书的MD5特征参数

```
openssl x509 -in cert.pem -noout -fingerprint
```

## 7. 打印出证书的SHA特征参数

```
openssl x509 -sha1 -in cert.pem -noout -fingerprint
```

## 8. 把PEM格式的证书转化成DER格式

```
openssl x509 -in cert.pem -inform PEM -out cert.der -outform DER
```

## 9. 把一个证书转化成CSR

```
openssl x509 -x509toreq -in cert.pem -out req.pem -signkey key.pem
```

## 10. 给一个CSR进行处理，颁发字签名证书，增加CA扩展项

```
openssl x509 -req -in careq.pem -extfile openssl.cnf -extensions v3_ca -signkey key.pem -out cacert.pem
```

## 11. 给一个CSR签名，增加用户证书扩展项

```
openssl x509 -req -in req.pem -extfile openssl.cnf -extensions v3_usr -CA cacert.pem -CAkey key.pem -CAcreateserial
```

## 12. 查看csr文件细节

```
openssl req -in my.csr -noout -text
```

> 原文链接：[https://www.cnblogs.com/threegun/p/7130985.html](https://www.cnblogs.com/threegun/p/7130985.html)
> 可参考链接：[http://seanlook.com/2015/01/18/openssl-self-sign-ca/](http://seanlook.com/2015/01/18/openssl-self-sign-ca/)

Jim's Blog

Navigation

Recent Posts

Friend Links