一、简介

req指令用来创建和处理PKCS#10格式的证书

 

二、语法

openssl  req [-inform PEM|DER] [-outform PEM|DER] [-in filename] [-out filename] [-text] [-pubkey] [-noout] [-verify] [-modulus] [-nodes] [-subject] [-passin arg] [-passout arg] [-key filename] [-keyform PEM|DER] [-keyout filename] [-rand file(s)] [-newkey rsa:bits] [-newkey dsa:file] [-newkey ec:file] [-digest] [-config filename] [-subj arg] [-multivalue-rdn] [-new] [-batch] [-x509] [-days n] [-set_serial n] [-newhdr][-asn1-kludge][ -no-asn1-kludge][-extensions section] [-reqexts section] [-utf8] [-nameopt option] [-reqopt option][-verbose] [engine id]

选项

 -inform arg    input format - DER or PEM
 -outform arg   output format - DER or PEM
 -in arg        input file
 -out arg       output file
 -text          text form of request
 -pubkey        output public key
 -noout         do not output REQ
 -verify        verify signature on REQ
 -modulus       RSA modulus
 -nodes         don't encrypt the output key
 -engine e      use engine e, possibly a hardware device
 -subject       output the request's subject
 -passin        private key password source
 -key file      use the private key contained in file
 -keyform arg   key file format
 -keyout arg    file to send the key to
 -rand file:file:...
                load the file (or the files in the directory) into
                the random number generator
 -newkey rsa:bits generate a new RSA key of 'bits' in size
 -newkey dsa:file generate a new DSA key, parameters taken from CA in 'file'
 -newkey ec:file generate a new EC key, parameters taken from CA in 'file'
 -[digest]      Digest to sign with (see openssl dgst -h for list)
 -config file   request template file.
 -subj arg      set or modify request subject
 -multivalue-rdn enable support for multivalued RDNs
 -new           new request.
 -batch         do not ask anything during request generation
 -x509          output a x509 structure instead of a cert. req.
 -days          number of days a certificate generated by -x509 is valid for.
 -set_serial    serial number to use for a certificate generated by -x509.
 -newhdr        output "NEW" in the header lines
 -asn1-kludge   Output the 'request' in a format that is wrong but some CA's
                have been reported as requiring
 -extensions .. specify certificate extension section (override value in config file)
 -reqexts ..    specify request extension section (override value in config file)
 -utf8          input characters are UTF8 (default ASCII)
 -nameopt arg    - various certificate name options
 -reqopt arg    - various request text options

 

三、实例

1、根据私钥生成证书请求

方式1

openssl genrsa -des -passout pass:"123456" -out prikey.pem 1024
openssl req -key prikey.pem -passin pass:"123456" -new -out cerreq.pem

方式2

交互式

openssl req -newkey rsa:1024 -keyout prikey.pem -passout pass:"123456" -new -out cerreq.pem

image

非交互式

openssl req -newkey rsa:1024 -keyout prikey.pem -passout pass:"123456" -config openssl.cnf -new -out cerreq.pem

image

2、用私钥验证请求签名

openssl req -verify -key client_prikey.pem -in client_req.csr -passin pass:"123456" -noout

image

3、生成一个自签名的根证书

openssl req -x509 -newkey rsa:1024 -keyout prikey.pem -passout pass:"123456" -config openssl.cnf -new -out certself.pem

image

4、生成带中文支持的请求(UTF-8)

openssl req -newkey rsa:1024 -keyout ca_prikey.key -passout pass:"123456" -new -x509 -utf8 -config openssl_utf8.cnf -out ca_self.pem

参考:http://blog.chinaunix.net/uid-7591044-id-1742939.html

5、生成带扩展项的请求

 

posted on 2015-07-23 22:18  红孩儿你好  阅读(1415)  评论(0编辑  收藏  举报