openssl commonly used commands

before use Configure to generate Makefile, should notice follow options

--prefix=DIR  // install dir

--libdir=DIR  // install dir

--openssldir=DIR  // Directory for OpenSSL configuration files, and also the default certificate and key store

use no-[option] or enable-[option] to turn off/on certion function.

# openssl genrsa -des3 -out private.key 2048

# public key is also contained by private.key

openssl genrsa -out private.key 2048

openssl req -new -key private.key -out cert.csr -subj "/C=CN/ST=sh/O=Internet Widgits Pty Ltd/CN=www.baidu.com"

openssl x509 -days 360 -req -in cert.csr -signkey private.key -out cert.crt

openssl x509 -in cert.crt -noout -text

# openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout private.key -out cert.crt  -subj "/C=CN/ST=sh/O=Internet Widgits Pty Ltd/CN=www.baidu.com" -extensions v3_ca

# CA

# if we want to sign a self-signed certificate we can use command:

# openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout private.key -out cert.crt "/C=CN/ST=sh/O=Internet Widgits Pty Ltd/CN=www.baidu.com"  # -extensions v3_ca

# if not, we use step 2), for which we must build an CA first.

echo "create CA"

mkdir demoCA

cd demoCA

mkdir certs crl private newcerts

touch index.txt index.txt.attr

echo "01" > serial

cd ..

openssl genrsa -out demoCA/private/cakey.pem 2048

openssl req -new -key demoCA/private/cakey.pem -out cert.csr -subj "/C=CN/ST=sh/O=Internet Widgits Pty Ltd/CN=www.baidu.com"

yes|openssl ca -selfsign -in cert.csr -extensions v3_ca

cp demoCA/newcerts/01.pem demoCA/cacert.pem

echo "Done"

echo " using CA sign a certificate, same countryName, provinceName, OrganizationName"

openssl genrsa -out private.key 2048

openssl req -new -key private.key -out cert.csr -subj "/C=CN/ST=sh/O=Internet Widgits Pty Ltd/CN=www.bing.com"

yes|openssl ca -in cert.csr 

# install CA or certificates to openssl's default stroe

# if dont do so, when test, we should use -CAfile or -CApath to specify CA

sudo cp demoCA/newcerts/01.pem /usr/local/ssl/certs

cd /usr/local/ssl/certs

sudo ln -s 01.pem `openssl x509 -noout -hash -in 01.pem`.0

openssl verify -CApath ./ 01.pem

# test

openssl s_server -key key.pem -cert cert.pem -CAfile demoCA/cacert.pem -accept 44330 -www -Verify 2

# or through browser

# here we can generate another certificate for client

openssl s_client -key key.pem -cert cert.pem -CAfile demoCA/cacert.pem -connect localhost:44330

# add extention to certificate

# or we can create a extion file

https://comm.support.ca.com/kb/adding-custom-x509-extensions-to-certificate-signing-requests/kb000042912

# is common name mandatory?

https://security.stackexchange.com/questions/55414/is-the-common-name-mandatory-for-digital-certificates

  

certificate & encryption的更多相关文章

  1. The encryption certificate of the relying party trust identified by thumbprint is not valid

    CRM2013部署完ADFS后通过url在浏览器中訪问測试是否成功,成功进入登陆界面但在登陆界面输入username和password后始终报身份验证失败,系统中的报错信息例如以下:Microsoft ...

  2. SQL Server 2014 Backup Encryption

    转载自: Microsoft MVP Award Program Blog 来源:Microsoft MVP Award Program Blog 的博客:https://blogs.msdn.mic ...

  3. SQL Server安全(9/11):透明数据加密(Transparent Data Encryption)

    在保密你的服务器和数据,防备当前复杂的攻击,SQL Server有你需要的一切.但在你能有效使用这些安全功能前,你需要理解你面对的威胁和一些基本的安全概念.这篇文章提供了基础,因此你可以对SQL Se ...

  4. SQL Server安全(8/11):数据加密(Data Encryption)

    在保密你的服务器和数据,防备当前复杂的攻击,SQL Server有你需要的一切.但在你能有效使用这些安全功能前,你需要理解你面对的威胁和一些基本的安全概念.这篇文章提供了基础,因此你可以对SQL Se ...

  5. How To Set Up Apache with a Free Signed SSL Certificate on a VPS

    Prerequisites Before we get started, here are the web tools you need for this tutorial: Google Chrom ...

  6. (转)pem, cer, p12 and the pains of iOS Push Notifications encryption

    转自:http://cloudfields.net/blog/ios-push-notifications-encryption/ The serious pains of setting up a ...

  7. freeradius 错误: error:140890C7:SSL routines:ssl3_get_client_certificate:peer did not return a certificate

    在进行802.1x 测试时遇到如下问题: Waking up in 4.6 seconds.(156) Received Access-Request Id 82 from 192.168.1.126 ...

  8. Certificate Formats | Converting Certificates between different Formats

    Different Platforms & Devices requires SSL certificates in different formatseg:- A Windows Serve ...

  9. Initializing the FallBack certificate failed . TDSSNIClient initialization failed

    安装SQL后服务不能启动,报错: 2014-03-24 14:33:10.06 spid13s     Error: 17190, Severity: 16, State: 1.2014-03-24 ...

随机推荐

  1. 按PEP8风格自动排版Python代码

    Autopep8是一个将Python代码自动排版为PEP8风格的小工具.它使用pep8工具来决定代码中的哪部分需要被排版.Autopep8可以修复大部分pep8工具中报告的排版问题. 安装步骤如下: ...

  2. Spring Boot 2.x 编写 RESTful API (六) 事务

    用Spring Boot编写RESTful API 学习笔记 Transactional 判定顺序 propagation isolation 脏读 不可重复读 幻读 不可重复读是指记录不同 (upd ...

  3. git学习03 - 撤销修改&删除文件

    撤销修改:git checkout -- filename :将工作区文件回到最近一次add 或者 commit的状态 撤销修改分为三种情况: 1.未提交至暂存区 使用git checkout -- ...

  4. [ZJOI2011]营救皮卡丘

    题目描述 皮卡丘被火箭队用邪恶的计谋抢走了!这三个坏家伙还给小智留下了赤果果的挑衅!为了皮卡丘,也为了正义,小智和他的朋友们义不容辞的踏上了营救皮卡丘的道路. 火箭队一共有N个据点,据点之间存在M条双 ...

  5. vim命令替换操作

    替换当前行第一个 vivian为sky :s/vivian/sky/ 替换当前行所有 vivian为sky :s/vivian/sky/g 替换第 n 行开始到最后一行中,每一行的第一个vivian为 ...

  6. JavaScript千分符---正则实现

    一般在JavaScript中实现千分符,是使用切割+连接一顿操作 这里尝试一下使用正则快速实现千分符 let num0 = '12' let num1 = '123' let num2 = '1234 ...

  7. 第二周博客作业<西北师范大学|李晓婷>

    1.助教博客链接:https://home.cnblogs.com/u/lxt-/ 2.点评作业内容: https://www.cnblogs.com/dxd123/p/10494907.html#4 ...

  8. 计算机网络(HTTP)之客户识别:cookie机制

    什么是cookie? 承载用户相关信息的HTTP首部 cookie的工作原理 cookie的缺陷 一.什么是cookie? cookie是由服务器生成,发送给USER-Agent(一般是浏览器),(服 ...

  9. [Android] Android 支持下拉刷新、上拉加载更多 的 XRecyclerview

    XRecyclerView一个实现了下拉刷新,滚动到底部加载更多以及添加header功能的的RecyclerView.使用方式和RecyclerView完全一致,不需要额外的layout,不需要写特殊 ...

  10. 电梯系列——OO Unit2分析和总结

    一.摘要 本文是BUAA OO课程Unit2在课程讲授.三次作业完成.自测和互测时发现的问题,以及倾听别人的思路分享所引起个人的一些思考的总结性博客.主要包含设计策略.代码度量.BUG测试和心得体会等 ...