In OpenSSL sind mehrere Anwendungen zusammengefasst, die im Weiteren als COMMANDS bezeichnet werden. Im Folgenden sind einige COMMANDS aufgef\u00fchrt, die beim Betrieb einer RootCA Verwendung gefunden haben.<\/p>\n
openssl – OpenSSL command line tool<\/p>\n
openssl command [ command_opts ] [ command_args ]
\n
\nSTANDARD COMMANDS:
\ngenrsa Generation of RSA Parameters.
\nreq X.509 Certificate Signing Request (CSR) Management.
\nca Certificate Authority (CA) Management.
\nx509 X.509 Certificate Data Management.
\npkcs12 PKCS#12 Data Management.<\/p>\n
genrsa – generate an RSA private key<\/strong><\/p>\n SYNOPSIS DESCRIPTION OPTIONS -passout arg -des|-des3|-idea -F4|-3 -rand file(s) -engine id numbits req – PKCS#10 certificate request and certificate generating utility.<\/strong><\/p>\n SYNOPSIS DESCRIPTION COMMAND OPTIONS -outform DER|PEM -in filename -verify -new If the -key option is not used it will generate a new RSA private key using information specified in the configuration file.<\/p>\n -key filename -keyform PEM|DER -x509 -days n -set_serial n -verbose ca – sample minimal CA application<\/strong><\/p>\n SYNOPSIS DESCRIPTION The options descriptions will be divided into each purpose.<\/p>\n x509 – Certificate display and signing utility<\/strong><\/p>\n SYNOPSIS<\/p>\n openssl x509 [-in filename] [-out filename] [-purpose] [-dates] [-noout] [-inform DER|PEM] [-outform DER|PEM]<\/p>\n DESCRIPTION Since there are a large number of options they will split up into OPTIONS -outform DER|PEM|NET -in filename -out filename -text -noout -dates pkcs12 – PKCS#12 file utility<\/strong><\/p>\n SYNOPSIS DESCRIPTION In OpenSSL sind mehrere Anwendungen zusammengefasst, die im Weiteren als COMMANDS bezeichnet werden. Im Folgenden sind einige COMMANDS aufgef\u00fchrt, die beim Betrieb einer RootCA Verwendung gefunden haben. openssl – OpenSSL command line tool openssl command [ command_opts ] [ command_args … Weiterlesen
\nopenssl genrsa [-out filename] [-passout arg] [-des] [-des3] [-idea] [-f4] [-3] [-rand file(s)] [-engine id] [numbits]<\/p>\n
\nThe genrsa command generates an RSA private key.<\/p>\n
\n-out filename
\nthe output filename. If this argument is not specified then standard output is used.<\/p>\n
\nthe output file password source. For more information about the format of arg see the PASS PHRASE ARGUMENTS section in openssl(1).<\/p>\n
\nThese options encrypt the private key with the DES, triple DES, or the IDEA ciphers respectively before outputting it. If none of these options is specified no encryption is
\nused. If encryption is used a pass phrase is prompted for if it is not supplied via the -passout argument.<\/p>\n
\nthe public exponent to use, either 65537 or 3. The default is 65537.<\/p>\n
\na file or files containing random data used to seed the random number generator, or an EGD socket (see RAND_egd(3)). Multiple files can be specified separated by a OS-
\ndependent character. The separator is ; for MS-Windows, , for OpenVMS, and : for all others.<\/p>\n
\nspecifying an engine (by it’s unique id string) will cause req to attempt to obtain a functional reference to the specified engine, thus initialising it if needed. The engine
\nwill then be set as the default for all available algorithms.<\/p>\n
\nthe size of the private key to generate in bits. This must be the last option specified. The default is 512.<\/p>\n
\nopenssl req [-inform PEM|DER] [-outform PEM|DER] [-out filename] [-verify] [-new] [-key filename]
\n[-configfilename] [-x509] [-days n] [-set_serial n] [-extensions section] [-reqexts section] [verbose]<\/p>\n
\nThe req command primarily creates and processes certificate requests in PKCS#10 format. It can additionally create self signed certificates for use as root CAs for example.<\/p>\n
\n-inform DER|PEM
\nThis specifies the input format. The DER option uses an ASN1 DER encoded form compatible with the PKCS#10. The PEM form is the default format: it consists of the DER format
\nbase64 encoded with additional header and footer lines.<\/p>\n
\nThis specifies the output format, the options have the same meaning as the -inform option.<\/p>\n
\nThis specifies the input filename to read a request from or standard input if this option is not specified. A request is only read if the creation options (-new and -newkey)
\nare not specified.<\/p>\n
\nverifies the signature on the request.<\/p>\n
\nthis option generates a new certificate request. It will prompt the user for the relevant field values. The actual fields prompted for and their maximum and minimum sizes are
\nspecified in the configuration file and any requested extensions.<\/p>\n
\nThis specifies the file to read the private key from. It also accepts PKCS#8 format private keys for PEM format files.<\/p>\n
\nthe format of the private key file specified in the -key argument. PEM is the default.<\/p>\n
\nthis option outputs a self signed certificate instead of a certificate request. This is typically used to generate a test certificate or a self signed root CA. The extensions
\nadded to the certificate (if any) are specified in the configuration file. Unless specified using the set_serial option 0 will be used for the serial number.<\/p>\n
\nwhen the -x509 option is being used this specifies the number of days to certify the certificate for. The default is 30 days.<\/p>\n
\nserial number to use when outputting a self signed certificate. This may be specified as a decimal value or a hex value if preceded by 0x. It is possible to use negative
\nserial numbers but this is not recommended.<\/p>\n
\nprint extra details about the operations being performed.<\/p>\n
\nopenssl ca [-verbose] [-config filename] [-name section] [-gencrl] [-revoke file] [-crl_reason reason] [-crl_hold instruction] [-crl_compromise time] [-crl_CA_compromise time]
\n[-crldays days] [-crlhours hours] [-crlexts section] [-startdate date] [-enddate date] [-days arg] [-md arg] [-policy arg] [-keyfile arg] [-key arg] [-passin arg] [-cert file]
\n[-selfsign] [-in file] [-out file] [-notext] [-outdir dir] [-infiles] [-spkac file] [-ss_cert file] [-preserveDN] [-noemailDN] [-batch] [-msie_hack] [-extensions section]
\n[-extfile section] [-engine id] [-subj arg] [-utf8] [-multivalue-rdn]<\/p>\n
\nThe ca command is a minimal CA application. It can be used to sign certificate requests in a variety of forms and generate CRLs it also maintains a text database of issued
\ncertificates and their status.<\/p>\n
\nThe x509(1) command is a multi purpose certificate utility. It can be used
\nto display certificate information, convert certificates to various
\nforms, sign certificate requests like a „mini CA“ or edit certificate
\ntrust settings.<\/p>\n
\nvarious sections.<\/p>\n
\nINPUT, OUTPUT AND GENERAL PURPOSE OPTIONS
\n-inform DER|PEM|NET
\nThis specifies the input format normally the command will expect an
\nX509 certificate but this can change if other options such as -req
\nare present. The DER format is the DER encoding of the certificate
\nand PEM is the base64 encoding of the DER encoding with header and
\nfooter lines added. The NET option is an obscure Netscape server
\nformat that is now obsolete.<\/p>\n
\nThis specifies the output format, the options have the same meaning
\nas the -inform option.<\/p>\n
\nThis specifies the input filename to read a certificate from or
\nstandard input if this option is not specified.<\/p>\n
\nThis specifies the output filename to write to or standard output
\nby default.
\nDISPLAY OPTIONS
\nNote: the -alias and -purpose options are also display options but are
\ndescribed in the TRUST SETTINGS section.<\/p>\n
\nprints out the certificate in text form. Full details are output
\nincluding the public key, signature algorithms, issuer and subject
\nnames, serial number any extensions present and any trust settings.<\/p>\n
\nthis option prevents output of the encoded version of the request.<\/p>\n
\nprints out the start and expiry dates of a certificate.<\/p>\n
\nopenssl pkcs12 [-export] [-chain] [-inkey filename] [-certfile
\nfilename] [-name name] [-caname name] [-in filename] [-out filename]
\n[-noout] [-nomacver] [-nocerts] [-clcerts] [-cacerts] [-nokeys] [-info]
\n[-des | -des3 | -idea | -aes128 | -aes192 | -aes256 | -camellia128 |
\n-camellia192 | -camellia256 | -nodes] [-noiter] [-maciter | -nomaciter
\n| -nomac] [-twopass] [-descert] [-certpbe cipher] [-keypbe cipher]
\n[-macalg digest] [-keyex] [-keysig] [-password arg] [-passin arg]
\n[-passout arg] [-rand file(s)] [-CAfile file] [-CApath dir] [-CSP name]<\/p>\n
\nThe pkcs12 command allows PKCS#12 files (sometimes referred to as PFX
\nfiles) to be created and parsed. PKCS#12 files are used by several
\nprograms including Netscape, MSIE and MS Outlook.<\/p>\n","protected":false},"excerpt":{"rendered":"