openssl req可生成请求文件及证书文件等;
req [options] <infile >outfile
where options are
-inform arg input format - DER or PEM
-outform arg output format - DER or PEM
-in arg input file
-out arg output file
-text text form of request
-pubkey output public key
-noout do not output REQ
-verify verify signature on REQ
-modulus RSA modulus
-nodes don't encrypt the output key
-engine e use engine e, possibly a hardware device
-subject output the request's subject
-passin private key password source
-key file use the private key contained in file
-keyform arg key file format
-keyout arg file to send the key to
-rand file:file:...
load the file (or the files in the directory) into
the random number generator
-newkey rsa:bits generate a new RSA key of 'bits' in size
-newkey dsa:file generate a new DSA key, parameters taken from CA in 'file'
-newkey ec:file generate a new EC key, parameters taken from CA in 'file'
-[digest] Digest to sign with (see openssl dgst -h for list)
-config file request template file.
-subj arg set or modify request subject
-multivalue-rdn enable support for multivalued RDNs
-new new request.
-batch do not ask anything during request generation
-x509 output a x509 structure instead of a cert. req.
-days number of days a certificate generated by -x509 is valid for.
-set_serial serial number to use for a certificate generated by -x509.
-newhdr output "NEW" in the header lines
-asn1-kludge Output the 'request' in a format that is wrong but some CA's
have been reported as requiring
-extensions .. specify certificate extension section (override value in config file)
-reqexts .. specify request extension section (override value in config file)
-utf8 input characters are UTF8 (default ASCII)
-nameopt arg - various certificate name options
-reqopt arg - various request text options
- 生成请求文件
[root@localhost 2]# openssl req -new -key 2.key -days 3650 -out 1.csr
Enter pass phrase for 2.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:FJ
Locality Name (eg, city) [Default City]:XM
Organization Name (eg, company) [Default Company Ltd]:YL
Organizational Unit Name (eg, section) []:YL
Common Name (eg, your name or your server's hostname) []:YLtls
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
-生成私钥+请求文件
openssl req -new -nodes -newkey rsa:2048 -keyout domain.key -out domain.csr -subj /C=CN/ST=FJ/L=xx/O=xx/OU=xx/CN=xxx.com/emailAddress=sss@xxx.com
需要输入的内容
字段 |说明 | 示例
Country Name |ISO国家代码(两位字符)| CN、EN
State or Province Name | 所在省份 | Beijing
Locality Name(eg, city) | 所在城市 | Beijing
Organization Name(eg, company) | 公司名称 | Beijing xxx Ltd
Organizational Unit Name(eg, section) | 部门名称 | IT Dept
Common Name(eg,your server's hostname)| 申请证书的域名 | www.xxx.com
Email Address | 邮箱 | 可不输入
A challenge password | 密码 | 可不输入
-查看请求文件
openssl req -text -in domain.csr