Last updated: 2023-10-12 (Thu) 13:23:59
openssl req
PKCS #10 certificate request and certificate generating utility.
https://www.openssl.org/docs/manmaster/man1/req.html
openssl req [-inform PEM|DER] [-outform PEM|DER] [-in filename] [-passin arg] [-out filename] [-passout arg] [-text] [-pubkey] [-noout] [-verify] [-modulus] [-new] [-rand file(s)] [-newkey rsa:bits] [-newkey alg:file] [-nodes] [-key filename] [-keyform PEM|DER] [-keyout filename] [-keygen_engine id] [-[digest]] [-config filename] [-subj arg] [-multivalue-rdn] [-x509] [-days n] [-set_serial n] [-asn1-kludge] [-no-asn1-kludge] [-newhdr] [-extensions section] [-reqexts section] [-utf8] [-nameopt] [-reqopt] [-subject] [-subj arg] [-batch] [-verbose] [-engine id]
Syntax
openssl req [-new] [-in filename] [-out filename] [-key filename] [-x509] [-days n]
Function
Create a certificate signing request (CSR)
Options
-new : Create a new certificate request file
-in filename : Certificate request file to read (filename); default is standard input
-out filename : Certificate request file to write (filename); default is standard output
-key filename : Private key file to read (filename); if the key is passphrase-protected, the passphrase must be entered
-x509 : Create an X.509 certificate file. This option outputs a self signed certificate instead of a certificate request. This is typically used to generate a test certificate or a self signed root CA. The extensions added to the certificate (if any) are specified in the configuration file. Unless specified using the set_serial option 0 will be used for the serial number.
-days n : Set the validity period of the X.509 certificate to n days
Example
Create a self-signed X.509 certificate (rather than a plain CSR) valid for one year:
openssl req -new -x509 -days 365 -key ca.key -out ca.crt
Examples
- openssl req -new : New request
Validity period
- -days - The default is 30 days.
Generating a certificate signing request (CSR)
openssl req -new -key (private key file) -out (CSR file)
openssl req -new -key server.key -out server.csr
- You are prompted for the country name, company name, and so on.
What is displayed
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:
State or Province Name (full name) [Berkshire]:
Locality Name (eg, city) [Newbury]:
Organization Name (eg, company) [My Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Generating a self-signed certificate
- Specify -x509.
openssl req -new -key (private key file) -out (CRT file) -x509 -days 365
openssl req -new -key server.key -x509 -days 365 -out server.crt -set_serial 0
- It can be generated directly, without creating a CSR first.
Generating a certificate from an existing CSR
openssl req -in server.csr -key server.key -x509 -out server.crt -set_serial 0
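The CSR and self-signed certificate steps above, together with the 30-day -days default noted earlier, run end to end as an added example that is not from the original page. It assumes OpenSSL 1.1.1 or newer on PATH (the -addext option needs it); the file names, the DN, and the subjectAltName are constructed for the demo and are not part of the page's commands. Each check is a function returning 0 on success so the result can be tested rather than eyeballed.

```shell
#!/bin/sh
# Added example, not from the original page: non-interactive CSR and
# self-signed certificate generation with openssl req, plus the checks a
# practitioner would run before trusting the output. Assumes OpenSSL
# 1.1.1+ on PATH. File names, DN and SAN below are constructed values.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
KEY="$WORK/server.key"
CSR="$WORK/server.csr"
CRT="$WORK/server.crt"      # explicit -days 365
CRT30="$WORK/server30.crt"  # no -days: shows the 30-day default
SUBJ="/C=JP/ST=Tokyo/O=Example Co/CN=www.example.test"
SAN="subjectAltName=DNS:www.example.test"

# Private key. genpkey sidesteps the -nodes/-noenc rename between
# OpenSSL 1.1 and 3.x; the key is written unencrypted, so the temp
# directory (mode 0700 from mktemp) is the only thing protecting it.
gen_key() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$KEY" 2>/dev/null
}

# CSR without the DN prompts shown above: -subj supplies the DN, -batch
# suppresses the remaining questions, -addext puts a SAN in the request
# (TLS clients match the hostname against the SAN, not the CN).
gen_csr() {
  openssl req -new -batch -key "$KEY" -out "$CSR" -subj "$SUBJ" \
    -addext "$SAN" 2>/dev/null
}

# Self-signed certificate in one step (-new -x509), as on the page.
# -set_serial 0 is deliberately omitted: RFC 5280 requires a positive
# serial number, and current OpenSSL picks a random one when none is given.
gen_selfsigned() {
  openssl req -new -batch -x509 -key "$KEY" -days 365 -subj "$SUBJ" \
    -addext "$SAN" -out "$CRT" 2>/dev/null
}

# Same, with -days omitted, to demonstrate the default validity period.
gen_default_days() {
  openssl req -new -batch -x509 -key "$KEY" -subj "$SUBJ" \
    -out "$CRT30" 2>/dev/null
}

# ---- checks: each returns 0 on success ---------------------------------

# The CSR's self-signature verifies, i.e. it was really signed by its key.
csr_verifies() {
  openssl req -in "$CSR" -noout -verify >/dev/null 2>&1
}

# Self-signed means the issuer DN equals the subject DN.
cert_is_self_signed() {
  s=$(openssl x509 -in "$CRT" -noout -subject -nameopt RFC2253 | sed 's/^subject=//')
  i=$(openssl x509 -in "$CRT" -noout -issuer -nameopt RFC2253 | sed 's/^issuer=//')
  [ -n "$s" ] && [ "$s" = "$i" ]
}

# The SAN requested with -addext made it into the certificate.
cert_has_san() {
  openssl x509 -in "$CRT" -noout -text | grep -q 'DNS:www.example.test'
}

# Validity of cert $1 is $2 days: it must not expire within $2-1 days but
# must expire within $2+1 days (-checkend takes seconds).
cert_valid_for_days() {
  openssl x509 -in "$1" -noout -checkend $(( ($2 - 1) * 86400 )) >/dev/null &&
    ! openssl x509 -in "$1" -noout -checkend $(( ($2 + 1) * 86400 )) >/dev/null
}

report() { if "$@"; then echo "ok: $1"; else echo "FAIL: $1" >&2; exit 1; fi; }

gen_key
gen_csr
gen_selfsigned
gen_default_days
report csr_verifies
report cert_is_self_signed
report cert_has_san
report cert_valid_for_days "$CRT" 365
report cert_valid_for_days "$CRT30" 30
```

Note that the page's last command, which turns an existing CSR into a certificate with -in and -x509, does not carry the request's extensions (such as the SAN) over to the certificate unless -copy_extensions copy is given, an option that appears in the help output on this page and exists in OpenSSL 3; on 1.1.1 the extensions have to be supplied again with -addext or a config section.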
help
Usage: req [options]
General options:
 -help                  Display this summary
 -engine val            Use engine, possibly a hardware device
 -keygen_engine val     Specify engine to be used for key generation operations
 -in infile             X.509 request input file (default stdin)
 -inform PEM|DER        Input format - DER or PEM
 -verify                Verify self-signature on the request
Certificate options:
 -new                   New request
 -config infile         Request template file
 -section val           Config section to use (default "req")
 -utf8                  Input characters are UTF8 (default ASCII)
 -nameopt val           Certificate subject/issuer name printing options
 -reqopt val            Various request text options
 -text                  Text form of request
 -x509                  Output an X.509 certificate structure instead of a cert request
 -CA infile             Issuer cert to use for signing a cert, implies -x509
 -CAkey val             Issuer private key to use with -CA; default is -CA arg
                        (Required by some CA's)
 -subj val              Set or modify subject of request or cert
 -subject               Print the subject of the output request or cert
 -multivalue-rdn        Deprecated; multi-valued RDNs support is always on.
 -days +int             Number of days cert is valid for
 -set_serial val        Serial number to use
 -copy_extensions val   copy extensions from request when using -x509
 -addext val            Additional cert extension key=value pair (may be given more than once)
 -extensions val        Cert extension section (override value in config file)
 -reqexts val           Request extension section (override value in config file)
 -precert               Add a poison extension to the generated cert (implies -new)
Keys and Signing options:
 -key val               Key for signing, and to include unless -in given
 -keyform format        Key file format (ENGINE, other values ignored)
 -pubkey                Output public key
 -keyout outfile        File to write private key to
 -passin val            Private key and certificate password source
 -passout val           Output file pass phrase source
 -newkey val            Generate new key with [<alg>:]<nbits> or <alg>[:<file>] or param:<file>
 -pkeyopt val           Public key options as opt:value
 -sigopt val            Signature parameter in n:v form
 -vfyopt val            Verification parameter in n:v form
 -*                     Any supported digest
Output options:
 -out outfile           Output file
 -outform PEM|DER       Output format - DER or PEM
 -batch                 Do not ask anything during request generation
 -verbose               Verbose output
 -noenc                 Don't encrypt private keys
 -nodes                 Don't encrypt private keys; deprecated
 -noout                 Do not output REQ
 -newhdr                Output "NEW" in the header lines
 -modulus               RSA modulus
Random state options:
 -rand val              Load the given file(s) into the random number generator
 -writerand outfile     Write random data to the specified file
Provider options:
 -provider-path val     Provider load path (must be before 'provider' argument if required)
 -provider val          Provider to load (can be specified multiple times)
 -propquery val         Property query used when fetching algorithms