目录

1、实例2、帮助命令3、常用命令

1、实例

----------------------------pem格式的证书-------------1、CA的私钥，自签名证书     openssl genrsa -out ca-key.pem -aes128 2048    openssl req -new -x509 -key ca-key.pem -out ca-cert.pem  -days 1000    牢记下面三个属性值，生成csr.pem时需要保持一致：        Country Name,State or Province Name,Organization Name2、server端的私钥，证书请求，证书    openssl genrsa -out server-key.pem -aes128 2048    openssl req -new -key server-key.pem -out server-csr.pem    openssl ca -in server-csr.pem -cert ca-cert.pem -keyfile ca-key.pem -out server-cert.pem -days 365    如果发生以下错误：        "I am unable to access the ../../CA/newcerts directory ../../CA/newcerts: No such file or directory"    只需要：        # create directory            $ mkdir ../../CA            $ mkdir ../../CA/newcerts        # create empty file ：        $ vi ../../CA/index.txt        # create file and input 01 (the content is 01) ：        $ vi ../../CA/serial3、client端的私钥，证书请求，证书    openssl genrsa -out client-key.pem -aes128 2048    openssl req -new -key client-key.pem -out client-csr.pem    openssl ca -in client-csr.pem -cert ca-cert.pem -keyfile ca-key.pem -out client-cert.pem -days 365----------------------------p12格式的证书------------- openssl pkcs12 -export -in client-cert.pem -inkey client-key.pem -out client-cert.p12----------------------------jks格式的证书-------------  keytool -genkeypair -keyalg RSA -alias client -keystore client.jks# 删除PrivateKeyEntrykeytool -delete -alias client -keystore client.jks# check keystore#keytool -list -v -keystore client.jks  # covert format，否则不能把private-key导入到jksopenssl pkcs8 -in client-key.pem -inform pem -out client-key.pk8 -outform der -topk8 -nocrypt# 需要下载pkeytool.jar到当前目录# import client-key.pk8,client-cert.pemjava -jar pkeytool.jar -importkey -keyfile client-key.pk8 -certfile client-cert.pem -alias myclient -keystore client.jks# import ca-certkeytool -importcert -v -trustcacerts -file ca-cert.pem -alias myCA -keystore client.jks

2、帮助命令____

openssl --helpopenssl x509 --help

3、常用命令

1、生成普通私钥：openssl genrsa -out ca-key.pem 10242、生成带加密口令的密钥：openssl genrsa -des3 -out ca-key.pem 10243、去除密钥的口令：openssl rsa -in ca-key.pem -out ca-key.pem4、通过生成的私钥去生成证书：openssl req -new -x509 -key ca-key.pem -out ca-cert.pem -days 1095     5、通过私钥生成公钥：openssl rsa -in ca-key.pem -pubout -out pub-key.pem6、格式转换：（证书、私钥、公钥）（PEM DER）openssl x509 -in ca-cert.pem -inform PEM -out ca-cert.der -outform DERopenssl rsa -in ca-key.pem -inform PEM -out ca-key.der -outform DERopenssl rsa -pubin -in pub-key.pem -inform PEM -pubout -out pub-key.der -outform DER7、合并成pfx证书（p12）：openssl pkcs12 -export -in server-cert.pem -out server.p12 -inkey server-key.pem8、p12证书文本化：openssl pkcs12 -in server.p12 -out server.txt9、屏幕模式显式：（证书、私钥、公钥）openssl x509 -in ca-cert.pem -noout -text -modulusopenssl rsa -in ca-key.pem -noout -text -modulusopenssl rsa -in pub-key.pem -noout -text -modulus