openssl req 证书请求及自签名证书

原文：http://blog.csdn.net/fym0121/article/details/7992340

<opensl req> <fym0121@163.com>

介绍

openssl req 用于生成证书请求，以让第三方权威机构CA来签发，生成我们需要的证书。req 命令也可以调用x509命令，以进行格式转换及显示证书文件中的text，modulus等信息。如果你还没有密钥对，req命令可以一统帮你生成密钥对和证书请求，也可以指定是否对私钥文件进行加密。

语法

openssl req[-inform PEM|DER] [-outform PEM|DER] [-in filename] [-passin arg] [-out filename] [-passout arg] [-text] [-pubkey]
[-noout] [-verify] [-modulus] [-new] [-rand file(s)] [-newkey rsa:bits] [-newkey alg:file] [-nodes] [-key filename]
[-keyform PEM|DER] [-keyout filename] [-keygen_engine id] [-[digest]] [-config filename] [-subj arg] [-multivalue-rdn] [-x509]
[-days n] [-set_serial n] [-asn1-kludge] [-no-asn1-kludge] [-newhdr] [-extensions section] [-reqexts section] [-utf8] [-nameopt]
[-reqopt] [-subject] [-subj arg] [-batch] [-verbose] [-engine id]

-new

这个选项用于生成一个新的证书请求，并提示用户输入个人信息。如果没有指定-key 则会先生成一个私钥文件，再生成证书请求。

E:\OpenSSL\foo>openssl req -new -key rsa_pri_nopw.pem -out crs.pem

Loading 'screen' into random state - done

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [AU]:CN

State or Province Name (full name) [Some-State]:HeBei

Locality Name (eg, city) []:SJZ

Organization Name (eg, company) [Internet Widgits Pty Ltd]:CCIT

Organizational Unit Name (eg, section) []:CCIT

Common Name (eg, YOUR name) []:fym

Email Address []:fym0121@163.com

Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge password []:

An optional company name []:

E:\OpenSSL\foo>ls

crs.pem

rsa_pri_nopw.pem

没有指定-key选项时，会生成私钥文件，默认是有密码保护的，-nodes（no des），可以明确指定不需要密码保护。-keyout可以指定生成的私钥文件名，-pubout可以指定生成的公钥文件名

openssl req -new -out crs.pem

openssl req -new -out crs.pem -nodes

-subj 替换或指定证书申请者的个人信息

格式是：/type0=value0/type1=value1/type2=...（其中C是Country，ST是state，L是local，O是Organization，OU是Organization Unit，CN是common name）

E:\OpenSSL\foo>openssl req -new -key rsa_pri_nopw.pem -out crs.pem -subj /C=CN/S

T=HB/L=SJZ/O=CCIT/OU=CCIT/CN=fym/emailAddress=fym0121@163.com

Loading 'screen' into random state - done

-newkey arg 生成私钥和证书请求，类似与-new

arg的格式是rsa:nbit ，还有几个格式，我只能看懂这个

openssl req -newkey rsa:1024 -out crs.pem

-xf09 生成自签名证书

openssl req -newkey rsa:1024 -x509 -nodes -out selfsing.pem

-config 指定配置文件，参见config

产生自签名的root CA

1、建立目录结构(参加ca directory structure)

假设当前工作目录为E:\OpenSSL\foo，在此目录下建立以下目录结构

E:\OpenSSL\foo>mkdir demoCA

E:\OpenSSL\foo>mkdir demoCA\private demoCA\newcerts

在demoCA目录下建立两个空文件，serial和index.txt，并向serial文件中写入"01"两个字符

2、产生自签名证书，作为root ca使用

E:\OpenSSL\foo>openssl req -new -x509 -keyout cakey.pem -out cacert.pem

提示输入密码保护私钥，和自签名root ca的信息。生成两个文件，将cakey.pem放到demoCA\private目录下，将cacert.pem放到demoCA目录下。

E:\OpenSSL\foo>move cacert.pem demoCA

E:\OpenSSL\foo>move cakey.pem demoCA\private

至此，root ca已经建立完毕。

证书请求及签名

1、生成请求

E:\OpenSSL\foo>openssl req -new -nodes -out req.pem

提示输入个人信息，最后生成req.pem证书请求文件。

2、签名，生成证书

E:\OpenSSL\foo>openssl ca -in req.pem -out newcert.pem

Using configuration from e:\OpenSSL\bin\openssl.cfg

Loading 'screen' into random state - done

Enter pass phrase for ./demoCA/private/cakey.pem:

Check that the request matches the signature

Signature ok