一、简介
req指令用来创建和处理PKCS#10格式的证书
二、语法
openssl req [-inform PEM|DER] [-outform PEM|DER] [-in filename] [-out filename] [-text] [-pubkey] [-noout] [-verify] [-modulus] [-nodes] [-subject] [-passin arg] [-passout arg] [-key filename] [-keyform PEM|DER] [-keyout filename] [-rand file(s)] [-newkey rsa:bits] [-newkey dsa:file] [-newkey ec:file] [-digest] [-config filename] [-subj arg] [-multivalue-rdn] [-new] [-batch] [-x509] [-days n] [-set_serial n] [-newhdr][-asn1-kludge][ -no-asn1-kludge][-extensions section] [-reqexts section] [-utf8] [-nameopt option] [-reqopt option][-verbose] [engine id]
选项
-inform arg input format - DER or PEM-outform arg output format - DER or PEM-in arg input file-out arg output file-text text form of request-pubkey output public key-noout do not output REQ-verify verify signature on REQ-modulus RSA modulus-nodes don't encrypt the output key-engine e use engine e, possibly a hardware device-subject output the request's subject-passin private key password source-key file use the private key contained in file-keyform arg key file format-keyout arg file to send the key to-rand file:file:...load the file (or the files in the directory) intothe random number generator-newkey rsa:bits generate a new RSA key of 'bits' in size-newkey dsa:file generate a new DSA key, parameters taken from CA in 'file'-newkey ec:file generate a new EC key, parameters taken from CA in 'file'-[digest] Digest to sign with (see openssl dgst -h for list)-config file request template file.-subj arg set or modify request subject-multivalue-rdn enable support for multivalued RDNs-new new request.-batch do not ask anything during request generation-x509 output a x509 structure instead of a cert. req.-days number of days a certificate generated by -x509 is valid for.-set_serial serial number to use for a certificate generated by -x509.-newhdr output "NEW" in the header lines-asn1-kludge Output the 'request' in a format that is wrong but some CA's have been reported as requiring-extensions .. specify certificate extension section (override value in config file)-reqexts .. specify request extension section (override value in config file)-utf8 input characters are UTF8 (default ASCII)-nameopt arg - various certificate name options-reqopt arg - various request text options
三、实例
1、根据私钥生成证书请求
方式1
openssl genrsa -des -passout pass:"123456" -out prikey.pem 1024 openssl req -key prikey.pem -passin pass:"123456" -new -out cerreq.pem
方式2
交互式
openssl req -newkey rsa:1024 -keyout prikey.pem -passout pass:"123456" -new -out cerreq.pem
非交互式
openssl req -newkey rsa:1024 -keyout prikey.pem -passout pass:"123456" -config openssl.cnf -new -out cerreq.pem
2、用私钥验证请求签名
openssl req -verify -key client_prikey.pem -in client_req.csr -passin pass:"123456" -noout
3、生成一个自签名的根证书
openssl req -x509 -newkey rsa:1024 -keyout prikey.pem -passout pass:"123456" -config openssl.cnf -new -out certself.pem
4、生成带中文支持的请求(UTF-8)
openssl req -newkey rsa:1024 -keyout ca_prikey.key -passout pass:"123456" -new -x509 -utf8 -config openssl_utf8.cnf -out ca_self.pem
参考:http://blog.chinaunix.net/uid-7591044-id-1742939.html
5、生成带扩展项的请求
http://bbs.csdn.net/topics/380025010
参考:http://blog.csdn.net/as3luyuan123/article/details/16811787
