OpenSSL Command Reference
An openssl command line takes the following form:
openssl utility arguments
For example:
openssl x509 -in OrbixCA -text
Each command is individually described in this appendix. To get a list of the arguments associated with a particular command, use the -help option as follows:
openssl utility -help
For example:
openssl x509 -help
The x509 Utility
In Orbix 2000 SSL/TLS the x509 utility is mainly used for:
Printing text details of certificates you wish to examine.
Converting certificates to different formats.
The options supported by the openssl x509 utility are as follows:
Using the x509 Utility
To print the text details of an existing PEM-format X.509 certificate, use the x509 utility as follows:
openssl x509 -in MyCert.pem -inform PEM -text
To print the text details of an existing DER-format X.509 certificate, use the x509 utility as follows:
openssl x509 -in MyCert.der -inform DER -text
To change a certificate from PEM format to DER format, use the x509 utility as follows:
openssl x509 -in MyCert.pem -inform PEM -outform DER -out MyCert.der
The req Utility
The req utility is used to generate a self-signed certificate or a certificate signing request (CSR). A CSR contains details of a certificate to be issued by a CA. When creating a CSR, the req command prompts you for the necessary information from which a certificate request file and an encrypted private key file are produced. The certificate request is then submitted to a CA for signing.
If the -nodes (no DES) parameter is not supplied to req, you are prompted for a pass phrase which will be used to protect the private key.
Note:
It is important to specify a validity period (using the -days parameter). If the certificate expires, applications that are using that certificate will not be authenticated successfully.
The options supported by the openssl req utility are as follows:
Using the req Utility
To create a self-signed certificate with an expiry date a year from now, the req utility can be used as follows to create the certificate CA_cert.pem and the corresponding encrypted private key file CA_pk.pem:
openssl req -config ssl_conf_path_name -days 365 -out CA_cert.pem -new -x509 -keyout CA_pk.pem
The following command creates the certificate request MyReq.pem and the corresponding encrypted private key file MyEncryptedKey.pem:
openssl req -config ssl_conf_path_name -days 365 -out MyReq.pem -new -keyout MyEncryptedKey.pem
The rsa Utility
The rsa command is a useful utility for examining and modifying RSA private key files. Generally RSA keys are stored encrypted with a symmetric algorithm using a user-supplied pass phrase. The OpenSSL req command prompts the user for a pass phrase in order to encrypt the private key. By default, req uses the triple DES algorithm. The rsa command can be used to change the password that protects the private key and to convert the format of the private key. Any rsa command that involves reading an encrypted rsa private key will prompt for the PEM pass phrase used to encrypt it.
The options supported by the openssl rsa utility are as follows:
Using the rsa Utility
Converting a private key to PEM format from DER format involves using the rsa utility as follows:
openssl rsa -inform DER -in MyKey.der -outform PEM -out MyKey.pem
Changing the pass phrase which is used to encrypt the private key involves using the rsa utility as follows:
openssl rsa -inform PEM -in MyKey.pem -outform PEM -out MyKey.pem -des3
Removing encryption from the private key (which is not recommended) involves using the rsa utility as follows:
openssl rsa -inform PEM -in MyKey.pem -outform PEM -out MyKey2.pem
Note:
Do not specify the same file for the -in and -out parameters, because this can corrupt the file.
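The rsa conversions above, as an added example that is not part of the Orbix documentation: it generates a throwaway key, encrypts it with triple DES into a separate file (as the Note requires), strips the encryption again, converts to DER, and confirms that every copy still carries the same modulus. The directory, file names and the pass phrase are constructed; -passin/-passout stand in for the interactive prompts.

```shell
# Added example, not from the Orbix documentation. Paths and the pass
# phrase "demo-pass" are constructed for this example only.
# rsa_roundtrip: generate a key, encrypt it with -des3 into a NEW file
# (never the same file as -in, see the Note), decrypt it again, and
# convert the plain key to DER. $1: scratch directory.
rsa_roundtrip() (
    set -e
    mkdir -p "$1" && cd "$1"
    openssl genrsa -out MyKey.pem 2048 2>/dev/null
    openssl rsa -in MyKey.pem -des3 -passout pass:demo-pass -out MyKeyEnc.pem
    openssl rsa -in MyKeyEnc.pem -passin pass:demo-pass -out MyKey2.pem
    openssl rsa -in MyKey2.pem -outform DER -out MyKey.der
)
# rsa_roundtrip_ok: exit 0 only if the encrypted copy really carries an
# encryption header, the decrypted copy does not, and every copy shares the
# original modulus, i.e. the conversions changed the format, not the key.
rsa_roundtrip_ok() (
    cd "$1" || exit 1
    grep -q ENCRYPTED MyKeyEnc.pem || exit 1
    grep -q ENCRYPTED MyKey2.pem && exit 1
    orig=$(openssl rsa -in MyKey.pem -noout -modulus)
    [ "$(openssl rsa -in MyKeyEnc.pem -passin pass:demo-pass -noout -modulus)" = "$orig" ] &&
    [ "$(openssl rsa -in MyKey2.pem -noout -modulus)" = "$orig" ] &&
    [ "$(openssl rsa -inform DER -in MyKey.der -noout -modulus)" = "$orig" ]
)
rsa_roundtrip ./demo_keys && rsa_roundtrip_ok ./demo_keys && echo "rsa round trip OK"
```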
The ca Utility
You can use the ca utility to create X.509 certificates by signing existing signing requests. It is imperative that you check the details of a certificate request before signing. Your organization should have a policy with respect to the issuing of certificates. Before implementing CAs, refer to Managing Certificates for more information.
The ca utility is used to sign certificate requests, thereby creating a valid X.509 certificate which can be returned to the request submitter. It can also be used to generate Certificate Revocation Lists (CRLs). For information on the ca -policy and -name options, refer to "The OpenSSL Configuration File" on page 117.
To create a new CA using the openssl ca utility, two files (serial and index.txt) need to be created in the location specified by the openssl configuration file that you are using.
The options supported by the openssl ca utility are as follows:
Note:
Most of the above parameters have default values as defined in openssl.cnf.
Using the ca Utility
To sign the supplied CSR MyReq.pem to be valid for 365 days and create a new X.509 certificate in PEM format, use the ca utility as follows:
openssl ca -config ssl_conf_path_name -days 365 -in MyReq.pem -out MyNewCert.pem
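The whole req / ca / x509 procedure end to end, as an added example that is not part of the Orbix documentation: it creates the serial and index.txt files the ca utility needs, writes a minimal openssl.cnf, generates a self-signed CA, issues a certificate from a CSR, and then checks the chain and the expiry window that the earlier Note warns about. The scratch directory, openssl.cnf contents and subject names are constructed.

```shell
# Added example, not from the Orbix documentation: a throwaway CA using the
# req, ca and x509 utilities above. Paths, openssl.cnf and subjects are
# constructed. build_demo_pki creates the ca utility's serial and index.txt
# files, writes a minimal openssl.cnf, generates the CA, a CSR, and signs it.
# $1: scratch directory, wiped and rebuilt on every run.
build_demo_pki() (
    set -e
    rm -rf "$1/demoCA" && mkdir -p "$1/demoCA/newcerts" && cd "$1"
    : > demoCA/index.txt               # empty certificate database
    echo 01 > demoCA/serial            # first serial number to issue
    cat > openssl.cnf <<'EOF'
[ ca ]
default_ca         = demo_ca
[ demo_ca ]
dir                = ./demoCA
database           = $dir/index.txt
new_certs_dir      = $dir/newcerts
serial             = $dir/serial
certificate        = ./CA_cert.pem
private_key        = ./CA_pk.pem
default_md         = sha256
default_days       = 365
policy             = demo_policy
[ demo_policy ]
commonName         = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
commonName         = Common Name
[ v3_ca ]
basicConstraints   = critical,CA:TRUE
EOF
    # Self-signed CA certificate valid one year; -nodes leaves the key
    # unencrypted, acceptable only for a disposable demo CA.
    openssl req -config openssl.cnf -newkey rsa:2048 -nodes -x509 -days 365 \
        -extensions v3_ca -subj "/CN=Demo Root CA" -keyout CA_pk.pem -out CA_cert.pem
    # CSR plus matching private key for a server, then sign it with the CA
    # (-batch skips the interactive confirmation prompt).
    openssl req -config openssl.cnf -newkey rsa:2048 -nodes \
        -subj "/CN=orbix-server.example" -keyout MyKey.pem -out MyReq.pem
    openssl ca -config openssl.cnf -batch -notext -days 365 -in MyReq.pem -out MyNewCert.pem
)
# Exit 0 when MyNewCert.pem chains to CA_cert.pem and is still valid $2
# seconds from now (x509 -checkend), the expiry condition the Note warns about.
verify_issued_cert() (
    cd "$1" && openssl verify -CAfile CA_cert.pem MyNewCert.pem >/dev/null &&
        openssl x509 -in MyNewCert.pem -noout -checkend "$2" >/dev/null
)
build_demo_pki ./demo_pki && verify_issued_cert ./demo_pki 86400 && echo "demo cert OK"
```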