Openssl modules

The popular openssl commands (the openssl manual calls them commands; this page calls them modules) covered here are:

  • x509 — certificate display and signing utility
  • req — PKCS#10 certificate request and certificate generating utility
  • genrsa — generate an RSA private key
  • dgst — perform digest operations
  • pkcs12 — PKCS#12 file utility

x509

The x509 command is a multi-purpose certificate utility. It can be used to display certificate information, convert certificates between encodings, sign certificate requests like a "mini CA", or edit certificate trust settings.

Examples:

Note: in these examples a trailing '\' means the command continues on the next line; it is the shell's line-continuation character, so the command can be typed as shown or joined onto one line.

Display the contents of a certificate:

openssl x509 -in cert.pem -noout -text

Display the "Subject Alternative Name" extension of a certificate:

openssl x509 -in cert.pem -noout -ext subjectAltName

Display several extensions at once (comma-separated list of extension names):

openssl x509 -in cert.pem -noout -ext subjectAltName,nsCertType

Display the certificate serial number:

openssl x509 -in cert.pem -noout -serial

Display the certificate subject name:

openssl x509 -in cert.pem -noout -subject

Display the certificate subject name in RFC2253 form:

openssl x509 -in cert.pem -noout -subject -nameopt RFC2253

Display the certificate subject name in oneline form on a terminal supporting UTF8:

openssl x509 -in cert.pem -noout -subject -nameopt oneline,-esc_msb

Display the certificate SHA-1 fingerprint (pass -sha256 instead for a SHA-256 fingerprint, which is what most tools compare today):

openssl x509 -sha1 -in cert.pem -noout -fingerprint

Convert a certificate from PEM to DER format:

openssl x509 -in cert.pem -inform PEM -out cert.der -outform DER

Convert a certificate to a certificate request:

openssl x509 -x509toreq -in cert.pem -out req.pem -signkey key.pem

Convert a certificate request into a self-signed certificate, using the CA extensions from the v3_ca section of openssl.cnf:

openssl x509 -req -in careq.pem -extfile openssl.cnf -extensions v3_ca \
-signkey key.pem -out cacert.pem

Sign a certificate request using the CA certificate above and add user certificate extensions (without -out the signed certificate is written to standard output):

openssl x509 -req -in req.pem -extfile openssl.cnf -extensions v3_usr \
-CA cacert.pem -CAkey key.pem -CAcreateserial

Set a certificate to be trusted for SSL client use and set its alias to "Steve's Class 1 CA":

openssl x509 -in cert.pem -addtrust clientAuth \
-setalias "Steve's Class 1 CA" -out trust.pem

req

The req command primarily creates and processes certificate requests in PKCS#10 format. It can additionally create self-signed certificates, for example for use as root CAs.

Examples:

Examine a certificate request and verify its self-signature:

openssl req -in req.pem -text -verify -noout

Create a private key and then generate a certificate request from it:

openssl genrsa -out key.pem 2048
openssl req -new -key key.pem -out req.pem

The same but just using req:

openssl req -newkey rsa:2048 -keyout key.pem -out req.pem

Generate a self-signed root certificate (the -x509 flag makes req emit a certificate instead of a request; the original example omitted it and simply produced another CSR):

openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem
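The x509 "mini CA" examples above and the req examples in this section are fragments of one workflow. The script below is an added example (not from the OpenSSL manual this page draws on) that runs the whole flow end to end: a root CA built with req -new plus x509 -req -signkey, a server certificate issued with x509 -req -CA/-CAkey, and a chain check with openssl verify. The file names, the subject names, the host name www.example.test and the extension file contents are assumptions; the extension file is constructed inline so the script does not depend on the system openssl.cnf.

```shell
#!/bin/sh
# Added example: a two-tier mini PKI using only genrsa, req and x509.
# All names below are assumptions for the demo, not values from the page.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Extension definitions handed to "x509 -req -extfile". Constructed here so the
# script runs without the system openssl.cnf; the section names match the page.
write_extfile() {
    cat > "$WORK/ext.cnf" <<'EOF'
[ v3_ca ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ v3_usr ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
subjectAltName = DNS:www.example.test
EOF
}

# Root CA: RSA key, CSR, then self-sign the CSR with the v3_ca extensions
# (the same "x509 -req -signkey" step the page shows for careq.pem).
make_root_ca() {
    openssl genrsa -out "$WORK/ca.key" 2048 2>/dev/null
    openssl req -new -key "$WORK/ca.key" -subj "/CN=Example Test Root CA" \
        -out "$WORK/careq.pem"
    openssl x509 -req -in "$WORK/careq.pem" -extfile "$WORK/ext.cnf" -extensions v3_ca \
        -signkey "$WORK/ca.key" -days 365 -out "$WORK/cacert.pem"
}

# End-entity certificate: a separate key and CSR, signed by the CA key with the
# v3_usr extensions. -CAcreateserial creates cacert.srl on first use.
issue_server_cert() {
    openssl genrsa -out "$WORK/server.key" 2048 2>/dev/null
    openssl req -new -key "$WORK/server.key" -subj "/CN=www.example.test" \
        -out "$WORK/server.csr"
    openssl x509 -req -in "$WORK/server.csr" -extfile "$WORK/ext.cnf" -extensions v3_usr \
        -CA "$WORK/cacert.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
        -days 90 -out "$WORK/server.pem"
}

# Chain check: the issued certificate must validate against the root for TLS
# server use (this also checks keyUsage/extendedKeyUsage, not just the signature).
verify_chain() {
    openssl verify -CAfile "$WORK/cacert.pem" -purpose sslserver "$WORK/server.pem" >/dev/null
}

# Print the SAN extension so the caller can confirm the extfile was applied.
server_san() {
    openssl x509 -in "$WORK/server.pem" -noout -ext subjectAltName
}

write_extfile
make_root_ca
issue_server_cert
verify_chain
echo "chain OK: $WORK/server.pem validates against $WORK/cacert.pem"
server_san
```

Two points worth noticing: the CA key never leaves the CA step (the server's CSR carries only its public key), and the server certificate's trust properties (CA:FALSE, serverAuth, the SAN) come from the CA's extension file, not from the requester, which is the property you want when the CSR comes from an untrusted party.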

genrsa

The genrsa command generates an RSA private key (use at least 2048 bits; newer OpenSSL releases also provide genpkey, which generates RSA and other key types).

Examples:

Create a private key:

openssl genrsa -out key.pem 2048

dgst

The digest functions output the message digest of a supplied file or files in hexadecimal. The digest functions also generate and verify digital signatures using message digests.

The generic name, dgst, may be used with an option specifying the algorithm to be used. The default digest is sha256. A supported digest name may also be used as the command name (for example openssl sha256 file). To see the list of supported algorithms, use the list -digest-commands command.
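The paragraph above mentions that dgst can both hash files and produce and verify signatures over those hashes. The script below is an added example (not from the OpenSSL manual) that signs a constructed manifest file with a fresh RSA key, verifies the detached signature with only the public key, and shows that a one-byte change to the file makes verification fail. The file and key names and the manifest content are assumptions.

```shell
#!/bin/sh
# Added example: detached signatures with "dgst -sign" / "dgst -verify".
# File names, key names and the manifest content are assumptions for the demo.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Constructed sample input plus a throwaway signing key pair.
prepare() {
    printf 'release-1.2.3.tar.gz sha256=...\n' > "$WORK/manifest.txt"   # constructed sample
    openssl genrsa -out "$WORK/sign.key" 2048 2>/dev/null
    openssl rsa -in "$WORK/sign.key" -pubout -out "$WORK/sign.pub" 2>/dev/null
}

# Hash-then-sign: dgst hashes the file with SHA-256 and signs the digest with
# the private key, writing a binary detached signature.
sign_file() {
    openssl dgst -sha256 -sign "$WORK/sign.key" -out "$WORK/manifest.sig" "$WORK/manifest.txt"
}

# Verification needs only the public key and the signature; exit status 0 means
# the signature matches the given file, nonzero means it does not.
verify_file() {   # $1 = path of the file to check against manifest.sig
    openssl dgst -sha256 -verify "$WORK/sign.pub" -signature "$WORK/manifest.sig" "$1" >/dev/null 2>&1
}

# Plain digest in hex. -r prints "hash *file" (coreutils style), so take field 1.
digest_hex() {
    openssl dgst -sha256 -r "$1" | cut -d' ' -f1
}

# Make a copy of the manifest that differs by one trailing byte.
tampered_copy() {
    cp "$WORK/manifest.txt" "$WORK/tampered.txt"
    printf 'x' >> "$WORK/tampered.txt"
    echo "$WORK/tampered.txt"
}

prepare
sign_file
verify_file "$WORK/manifest.txt" && echo "manifest.txt: signature OK"
T=$(tampered_copy)
if verify_file "$T"; then echo "BUG: tampered file verified"; else echo "tampered.txt: verification failed as expected"; fi
echo "sha256(manifest.txt) = $(digest_hex "$WORK/manifest.txt")"
```

dgst -sign with an RSA key uses PKCS#1 v1.5 padding by default; for new systems pass -sigopt rsa_padding_mode:pss on both the sign and verify side to get RSA-PSS. Whatever the padding, the verifier must also decide which public key it trusts; dgst -verify only tells you the file matches the key you handed it.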

pkcs12

The pkcs12 command allows PKCS#12 files (sometimes referred to as PFX files) to be created and parsed. A PKCS#12 file bundles a private key with its certificate (and optionally the issuing chain) under a passphrase, so treat it as a secret. The format is used by many programs, historically including Netscape, MSIE and MS Outlook, and is still the usual way to import a key and certificate into browsers, mail clients and Windows certificate stores.
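The script below is an added example (not from the OpenSSL manual) of both directions the paragraph describes: it creates a throwaway self-signed key and certificate, bundles them into a passphrase-protected PKCS#12 file with pkcs12 -export, reads the certificate back out without touching the key, and confirms that a wrong passphrase is rejected. The file names, the friendly name and the passphrase are assumptions.

```shell
#!/bin/sh
# Added example: create and parse a PKCS#12 bundle.
# File names, the friendly name and the passphrase are assumptions for the demo.
set -eu

WORK="${WORK:-$(mktemp -d)}"
P12_PASS='correct horse battery staple'   # assumption: demo passphrase only

# A throwaway self-signed identity to bundle (constructed for the example).
make_identity() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/id.key" -out "$WORK/id.pem" \
        -subj "/CN=pkcs12 example" -days 30 2>/dev/null
}

# Export key + certificate into one passphrase-protected bundle. -name sets the
# "friendly name" that GUIs show when listing the bundle's contents.
export_p12() {
    openssl pkcs12 -export -inkey "$WORK/id.key" -in "$WORK/id.pem" \
        -name "pkcs12 example" -out "$WORK/id.p12" -passout "pass:$P12_PASS"
}

# Parse the bundle without extracting the private key (-nokeys) and print the
# subject of the certificate inside. x509 ignores the "Bag Attributes" text
# that pkcs12 prints before the PEM block.
p12_subject() {
    openssl pkcs12 -in "$WORK/id.p12" -nokeys -passin "pass:$P12_PASS" 2>/dev/null \
        | openssl x509 -noout -subject
}

# Try to open the bundle with a given passphrase; nonzero status on a bad one
# (the MAC over the bundle fails to verify before anything is decrypted).
p12_open_with() {   # $1 = passphrase to try
    openssl pkcs12 -in "$WORK/id.p12" -info -noout -passin "pass:$1" >/dev/null 2>&1
}

make_identity
export_p12
echo "bundle written to $WORK/id.p12"
p12_subject
if p12_open_with 'wrong-passphrase'; then echo "BUG: wrong passphrase accepted"; else echo "wrong passphrase rejected"; fi
```

Passing the passphrase as pass:... puts it in the process list; for real use prefer -passin file:... or env:... as documented for openssl's pass phrase options. OpenSSL 3 writes PKCS#12 bundles with AES and PBKDF2 by default; reading bundles produced by older tools that used RC2 may need the -legacy option with the legacy provider loaded.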