man – openssl, genrsa, req, ca, x509, pkcs12

OpenSSL bundles several applications, referred to below as COMMANDS. The following lists some of the COMMANDS that were used when operating a root CA.

openssl – OpenSSL command line tool

openssl command [ command_opts ] [ command_args ]

STANDARD COMMANDS:
genrsa Generation of RSA Parameters.
req X.509 Certificate Signing Request (CSR) Management.
ca Certificate Authority (CA) Management.
x509 X.509 Certificate Data Management.
pkcs12 PKCS#12 Data Management.

genrsa – generate an RSA private key

SYNOPSIS
openssl genrsa [-out filename] [-passout arg] [-des] [-des3] [-idea] [-f4] [-3] [-rand file(s)] [-engine id] [numbits]

DESCRIPTION
The genrsa command generates an RSA private key.

OPTIONS
-out filename
the output filename. If this argument is not specified then standard output is used.

-passout arg
the output file password source. For more information about the format of arg see the PASS PHRASE ARGUMENTS section in openssl(1).

-des|-des3|-idea
These options encrypt the private key with the DES, triple DES, or the IDEA ciphers respectively before outputting it. If none of these options is specified no encryption is
used. If encryption is used a pass phrase is prompted for if it is not supplied via the -passout argument.

-F4|-3
the public exponent to use, either 65537 or 3. The default is 65537.

-rand file(s)
a file or files containing random data used to seed the random number generator, or an EGD socket (see RAND_egd(3)). Multiple files can be specified separated by an OS-dependent character. The separator is ; for MS-Windows, , for OpenVMS, and : for all others.

-engine id
specifying an engine (by its unique id string) will cause genrsa to attempt to obtain a functional reference to the specified engine, thus initialising it if needed. The engine
will then be set as the default for all available algorithms.

numbits
the size of the private key to generate in bits. This must be the last option specified. The default is 512.

req – PKCS#10 certificate request and certificate generating utility.

SYNOPSIS
openssl req [-inform PEM|DER] [-outform PEM|DER] [-out filename] [-verify] [-new] [-key filename]
[-config filename] [-x509] [-days n] [-set_serial n] [-extensions section] [-reqexts section] [-verbose]

DESCRIPTION
The req command primarily creates and processes certificate requests in PKCS#10 format. It can additionally create self signed certificates for use as root CAs for example.

COMMAND OPTIONS
-inform DER|PEM
This specifies the input format. The DER option uses an ASN1 DER encoded form compatible with the PKCS#10. The PEM form is the default format: it consists of the DER format
base64 encoded with additional header and footer lines.

-outform DER|PEM
This specifies the output format, the options have the same meaning as the -inform option.

-in filename
This specifies the input filename to read a request from or standard input if this option is not specified. A request is only read if the creation options (-new and -newkey)
are not specified.

-verify
verifies the signature on the request.

-new
this option generates a new certificate request. It will prompt the user for the relevant field values. The actual fields prompted for and their maximum and minimum sizes are
specified in the configuration file and any requested extensions.

If the -key option is not used it will generate a new RSA private key using information specified in the configuration file.

-key filename
This specifies the file to read the private key from. It also accepts PKCS#8 format private keys for PEM format files.

-keyform PEM|DER
the format of the private key file specified in the -key argument. PEM is the default.

-x509
this option outputs a self signed certificate instead of a certificate request. This is typically used to generate a test certificate or a self signed root CA. The extensions
added to the certificate (if any) are specified in the configuration file. Unless specified using the -set_serial option, 0 will be used for the serial number.

-days n
when the -x509 option is being used this specifies the number of days to certify the certificate for. The default is 30 days.

-set_serial n
serial number to use when outputting a self signed certificate. This may be specified as a decimal value or a hex value if preceded by 0x. It is possible to use negative
serial numbers but this is not recommended.

-verbose
print extra details about the operations being performed.

ca – sample minimal CA application

SYNOPSIS
openssl ca [-verbose] [-config filename] [-name section] [-gencrl] [-revoke file] [-crl_reason reason] [-crl_hold instruction] [-crl_compromise time] [-crl_CA_compromise time]
[-crldays days] [-crlhours hours] [-crlexts section] [-startdate date] [-enddate date] [-days arg] [-md arg] [-policy arg] [-keyfile arg] [-key arg] [-passin arg] [-cert file]
[-selfsign] [-in file] [-out file] [-notext] [-outdir dir] [-infiles] [-spkac file] [-ss_cert file] [-preserveDN] [-noemailDN] [-batch] [-msie_hack] [-extensions section]
[-extfile section] [-engine id] [-subj arg] [-utf8] [-multivalue-rdn]

DESCRIPTION
The ca command is a minimal CA application. It can be used to sign certificate requests in a variety of forms and generate CRLs. It also maintains a text database of issued
certificates and their status.

The option descriptions are divided by purpose.

x509 – Certificate display and signing utility

SYNOPSIS

openssl x509 [-in filename] [-out filename] [-purpose] [-dates] [-noout] [-inform DER|PEM] [-outform DER|PEM]

DESCRIPTION
The x509(1) command is a multi purpose certificate utility. It can be used
to display certificate information, convert certificates to various
forms, sign certificate requests like a "mini CA" or edit certificate
trust settings.

Since there are a large number of options they will be split up into
various sections.

OPTIONS
INPUT, OUTPUT AND GENERAL PURPOSE OPTIONS
-inform DER|PEM|NET
This specifies the input format. Normally the command will expect an
X509 certificate, but this can change if other options such as -req
are present. The DER format is the DER encoding of the certificate
and PEM is the base64 encoding of the DER encoding with header and
footer lines added. The NET option is an obscure Netscape server
format that is now obsolete.

-outform DER|PEM|NET
This specifies the output format, the options have the same meaning
as the -inform option.

-in filename
This specifies the input filename to read a certificate from or
standard input if this option is not specified.

-out filename
This specifies the output filename to write to or standard output
by default.

DISPLAY OPTIONS
Note: the -alias and -purpose options are also display options but are
described in the TRUST SETTINGS section.

-text
prints out the certificate in text form. Full details are output
including the public key, signature algorithms, issuer and subject
names, serial number, any extensions present and any trust settings.

-noout
this option prevents output of the encoded version of the certificate.

-dates
prints out the start and expiry dates of a certificate.

pkcs12 – PKCS#12 file utility

SYNOPSIS
openssl pkcs12 [-export] [-chain] [-inkey filename] [-certfile
filename] [-name name] [-caname name] [-in filename] [-out filename]
[-noout] [-nomacver] [-nocerts] [-clcerts] [-cacerts] [-nokeys] [-info]
[-des | -des3 | -idea | -aes128 | -aes192 | -aes256 | -camellia128 |
-camellia192 | -camellia256 | -nodes] [-noiter] [-maciter | -nomaciter
| -nomac] [-twopass] [-descert] [-certpbe cipher] [-keypbe cipher]
[-macalg digest] [-keyex] [-keysig] [-password arg] [-passin arg]
[-passout arg] [-rand file(s)] [-CAfile file] [-CApath dir] [-CSP name]

DESCRIPTION
The pkcs12 command allows PKCS#12 files (sometimes referred to as PFX
files) to be created and parsed. PKCS#12 files are used by several
programs including Netscape, MSIE and MS Outlook.
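Putting the commands above together, as an added example that is not part of the original post: a minimal root CA that issues one server certificate with openssl ca and exports it as PKCS#12. The config section names (demo_ca, root_ext, ee_ext), file names, subjects and the password demo are assumptions for the demo; it needs OpenSSL installed and writes only into a temporary directory.

```shell
# Added example (not from the original post): the root-CA workflow behind the commands
# above. Directory layout, file names, subjects and the PKCS#12 password are constructed.
set -eu

write_ca_config() {   # minimal config shared by `req -x509` (root_ext) and `openssl ca`
  cat > "$1/ca.cnf" <<'EOF'
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir = .
database = $dir/index.txt
new_certs_dir = $dir/newcerts
serial = $dir/serial
certificate = $dir/ca.crt
private_key = $dir/ca.key
default_md = sha256
default_days = 365
policy = policy_cn
[ policy_cn ]
commonName = supplied
[ req ]
distinguished_name = dn
[ dn ]
[ root_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ ee_ext ]
basicConstraints = CA:FALSE
EOF
}

build_demo_pki() {   # $1 = work dir: root CA, one signed end-entity cert, PKCS#12 bundle
  ( cd "$1" && write_ca_config . && mkdir -p newcerts && : > index.txt && echo 01 > serial &&
    openssl genrsa -out ca.key 2048 2>/dev/null &&   # numbits must be the last argument
    openssl req -new -x509 -key ca.key -config ca.cnf -extensions root_ext -days 3650 \
      -set_serial 1 -subj "/CN=Demo Root CA" -out ca.crt &&
    openssl genrsa -out server.key 2048 2>/dev/null &&
    openssl req -new -key server.key -config ca.cnf -subj "/CN=server.example.test" -out server.csr &&
    openssl ca -batch -config ca.cnf -extensions ee_ext -notext -in server.csr -out server.crt 2>/dev/null &&
    openssl pkcs12 -export -inkey server.key -in server.crt -certfile ca.crt -name server \
      -passout pass:demo -out server.p12 )
}

verify_demo_pki() {   # exit status 0 when chain, CA flag, bundle and CA database check out
  ( cd "$1" && openssl verify -CAfile ca.crt server.crt >/dev/null &&
    openssl x509 -in ca.crt -noout -text | grep -q 'CA:TRUE' &&
    openssl pkcs12 -in server.p12 -passin pass:demo -nokeys 2>/dev/null | grep -q 'BEGIN CERTIFICATE' &&
    grep -q '^V' index.txt )   # 'V' marks a valid (issued, not revoked) entry
}
WORK=$(mktemp -d) && build_demo_pki "$WORK" && verify_demo_pki "$WORK" && echo "demo PKI in $WORK"
```

Inspect the results with openssl x509 -in "$WORK/server.crt" -noout -text -dates; the index.txt line and newcerts/01.pem are the CA's text database that openssl ca maintains.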
