
The OpenSSL req command

2015-07-23 22:18

I. Introduction

The req command creates and processes certificate requests in PKCS#10 format.

II. Syntax

openssl req [-inform PEM|DER] [-outform PEM|DER] [-in filename] [-out filename] [-text] [-pubkey] [-noout] [-verify] [-modulus] [-nodes] [-subject] [-passin arg] [-passout arg] [-key filename] [-keyform PEM|DER] [-keyout filename] [-rand file(s)] [-newkey rsa:bits] [-newkey dsa:file] [-newkey ec:file] [-digest] [-config filename] [-subj arg] [-multivalue-rdn] [-new] [-batch] [-x509] [-days n] [-set_serial n] [-newhdr] [-asn1-kludge] [-no-asn1-kludge] [-extensions section] [-reqexts section] [-utf8] [-nameopt option] [-reqopt option] [-verbose] [-engine id]


Options

-inform arg    input format - DER or PEM
-outform arg   output format - DER or PEM
-in arg        input file
-out arg       output file
-text          text form of request
-pubkey        output public key
-noout         do not output REQ
-verify        verify signature on REQ
-modulus       RSA modulus
-nodes         don't encrypt the output key
-engine e      use engine e, possibly a hardware device
-subject       output the request's subject
-passin        private key password source
-key file      use the private key contained in file
-keyform arg   key file format
-keyout arg    file to send the key to
-rand file:file:...
               load the file (or the files in the directory) into
               the random number generator
-newkey rsa:bits generate a new RSA key of 'bits' in size
-newkey dsa:file generate a new DSA key, parameters taken from CA in 'file'
-newkey ec:file generate a new EC key, parameters taken from CA in 'file'
-[digest]      Digest to sign with (see openssl dgst -h for list)
-config file   request template file.
-subj arg      set or modify request subject
-multivalue-rdn enable support for multivalued RDNs
-new           new request.
-batch         do not ask anything during request generation
-x509          output a x509 structure instead of a cert. req.
-days          number of days a certificate generated by -x509 is valid for.
-set_serial    serial number to use for a certificate generated by -x509.
-newhdr        output "NEW" in the header lines
-asn1-kludge   Output the 'request' in a format that is wrong but some CA's
               have been reported as requiring
-extensions .. specify certificate extension section (override value in config file)
-reqexts ..    specify request extension section (override value in config file)
-utf8          input characters are UTF8 (default ASCII)
-nameopt arg    - various certificate name options
-reqopt arg    - various request text options


III. Examples

1. Generate a certificate request from a private key

Method 1

openssl genrsa -des -passout pass:"123456" -out prikey.pem 1024
openssl req -key prikey.pem -passin pass:"123456" -new -out cerreq.pem


Method 2

Interactive

openssl req -newkey rsa:1024 -keyout prikey.pem -passout pass:"123456" -new -out cerreq.pem






Non-interactive

openssl req -newkey rsa:1024 -keyout prikey.pem -passout pass:"123456" -config openssl.cnf -new -out cerreq.pem






2. Verify the request signature with the private key

openssl req -verify -key client_prikey.pem -in client_req.csr -passin pass:"123456" -noout






3. Generate a self-signed root certificate

openssl req -x509 -newkey rsa:1024 -keyout prikey.pem -passout pass:"123456" -config openssl.cnf -new -out certself.pem






4. Generate a request with Chinese support (UTF-8)

openssl req -newkey rsa:1024 -keyout ca_prikey.key -passout pass:"123456" -new -x509 -utf8 -config openssl_utf8.cnf -out ca_self.pem

Reference: http://blog.chinaunix.net/uid-7591044-id-1742939.html


5. Generate a request with extensions

http://bbs.csdn.net/topics/380025010
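
As an added example (not from the original post or its linked references), the script below builds a request with extensions non-interactively using -config and -reqexts, then checks the result with -verify and -text. The config contents, file names, subject, SAN values and passphrase are constructed; it also assumes rsa:2048 and a -passout file: source in place of the rsa:1024 and pass: forms used in the earlier examples.

```shell
#!/bin/sh
# Added example: CSR with request extensions, generated non-interactively.
# Config contents, file names, subject, SAN values and passphrase are constructed.

make_csr_with_san() {   # $1 = working directory
    # prompt = no makes req take the subject from [ dn ] instead of asking.
    cat > "$1/req_san.cnf" <<'EOF'
[ req ]
prompt             = no
distinguished_name = dn

[ dn ]
C  = CN
O  = Example Org
CN = www.example.com

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
subjectAltName   = DNS:www.example.com, DNS:example.com
EOF
    # Passphrase comes from a 0600 file: a pass: argument is visible in the
    # process list and shell history.
    ( umask 077; printf '%s\n' 'constructed-passphrase' > "$1/pass.txt" )
    # -reqexts selects the section whose extensions are copied into the request.
    openssl req -new -newkey rsa:2048 -keyout "$1/prikey.pem" \
        -passout "file:$1/pass.txt" -config "$1/req_san.cnf" \
        -reqexts v3_req -out "$1/cerreq.pem" 2>/dev/null
}

csr_signature_ok() {    # $1 = CSR file
    # Check the message text rather than relying on the exit status alone.
    openssl req -verify -noout -in "$1" 2>&1 | grep -q 'verify OK'
}

csr_has_san() {         # $1 = CSR file, $2 = exact DNS name expected in the SAN
    openssl req -noout -text -in "$1" | tr ',' '\n' \
        | sed 's/^ *//; s/ *$//' | grep -qxF "DNS:$2"
}

workdir=$(mktemp -d)
make_csr_with_san "$workdir" \
    && csr_signature_ok "$workdir/cerreq.pem" \
    && csr_has_san "$workdir/cerreq.pem" www.example.com \
    && echo "CSR OK: signature verifies and SAN is present"
rm -rf "$workdir"
```
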


Reference: http://blog.csdn.net/as3luyuan123/article/details/16811787