Settings related to generating keys, requests and self-signed certificates.

The req section is responsible for the DN prompts. A general misconception is the Common Name (CN) prompt, which suggests that it should have the user's proper name as a value. End-user certificates need to have the machine hostname as CN, whereas a CA's CN should not have a valid TLD, so that there is no chance that, among the possible combinations of certified end-users' CNs and the CA certificate's CN, there is a match that some software could misinterpret as meaning that the end-user certificate is self-signed. Some CA certificates do not even have a CN, such as Equifax:

$ openssl x509 -subject -noout < /etc/ssl/certs/Equifax_Secure_CA.pem
subject= /C=US/O=Equifax/OU=Equifax Secure Certificate Authority

Usage

This section assumes you have read Transport Layer Security#Obtaining a certificate.

Generate a Curve25519 private key

$ openssl genpkey -algorithm x25519 -out file

Generate an ECDSA private key

$ openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out file

Generate an RSA private key

With genpkey(1ssl), which supersedes genrsa according to openssl(1ssl):

$ openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:keysize -out file

If an encrypted key is desired, use the -aes-256-cbc option.

Generate a certificate signing request

$ openssl req -new -sha256 -key private_key -out filename

Show a certificate signing request

Certificate signing requests are stored in an encoded format. To view the request in human readable format:

$ openssl req -noout -text -in filename

Generate a self-signed certificate

Show certificate information

$ openssl x509 -text -in cert_filename

Show certificate fingerprint

$ openssl x509 -noout -in cert_filename -fingerprint -digest

Tip: To speed up generating, especially when not on high-end hardware, add the -dsaparam option.
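The key-generation, CSR and CSR-display commands above can be chained into one non-interactive check that the request carries the hostname as CN and was made from the intended private key. This is an added example, not part of the original page; the function names, the -subj value and host.example.org are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example (not from the original page). Function names, the -subj
# value and any hostname passed in are assumptions for illustration.

# make_csr HOSTNAME OUTDIR: create a P-256 key and a CSR with CN=HOSTNAME.
make_csr() {
    host=$1 dir=$2
    (
        umask 077   # keep the private key readable by its owner only
        openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
            -out "$dir/$host.key" 2>/dev/null
    ) || return 1
    # -subj answers the DN prompts up front; CN is the machine hostname.
    openssl req -new -sha256 -key "$dir/$host.key" \
        -subj "/CN=$host" -out "$dir/$host.csr"
}

# csr_cn CSR: print the CN of a CSR whose subject consists of a CN only.
csr_cn() {
    openssl req -in "$1" -noout -subject -nameopt RFC2253 |
        sed -e 's/^subject= *//' -e 's/^CN=//'
}

# csr_matches_key KEY CSR: succeed only if the CSR embeds KEY's public key
# and the CSR's self-signature verifies.
csr_matches_key() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    csr_pub=$(openssl req -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$key_pub" ] && [ "$key_pub" = "$csr_pub" ] &&
        openssl req -in "$2" -noout -verify >/dev/null 2>&1
}

# Stand-alone use: sh script.sh HOSTNAME OUTDIR
if [ "$#" -eq 2 ]; then
    make_csr "$1" "$2" &&
        csr_matches_key "$2/$1.key" "$2/$1.csr" &&
        echo "CSR for CN=$(csr_cn "$2/$1.csr") matches $2/$1.key"
fi
```

Running csr_matches_key before sending a request to a CA catches the case where the CSR was built from a different key file than the one that will be deployed.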