openssl req命令

openssl req可生成请求文件及证书文件等；

req [options] <infile >outfile
where options  are
 -inform arg    input format - DER or PEM
 -outform arg   output format - DER or PEM
 -in arg        input file
 -out arg       output file
 -text          text form of request
 -pubkey        output public key
 -noout         do not output REQ
 -verify        verify signature on REQ
 -modulus       RSA modulus
 -nodes         don't encrypt the output key
 -engine e      use engine e, possibly a hardware device
 -subject       output the request's subject
 -passin        private key password source
 -key file      use the private key contained in file
 -keyform arg   key file format
 -keyout arg    file to send the key to
 -rand file:file:...
                load the file (or the files in the directory) into
                the random number generator
 -newkey rsa:bits generate a new RSA key of 'bits' in size
 -newkey dsa:file generate a new DSA key, parameters taken from CA in 'file'
 -newkey ec:file generate a new EC key, parameters taken from CA in 'file'
 -[digest]      Digest to sign with (see openssl dgst -h for list)
 -config file   request template file.
 -subj arg      set or modify request subject
 -multivalue-rdn enable support for multivalued RDNs
 -new           new request.
 -batch         do not ask anything during request generation
 -x509          output a x509 structure instead of a cert. req.
 -days          number of days a certificate generated by -x509 is valid for.
 -set_serial    serial number to use for a certificate generated by -x509.
 -newhdr        output "NEW" in the header lines
 -asn1-kludge   Output the 'request' in a format that is wrong but some CA's
                have been reported as requiring
 -extensions .. specify certificate extension section (override value in config file)
 -reqexts ..    specify request extension section (override value in config file)
 -utf8          input characters are UTF8 (default ASCII)
 -nameopt arg    - various certificate name options
 -reqopt arg    - various request text options

- 生成请求文件

[root@localhost 2]# openssl req -new -key 2.key  -days 3650 -out 1.csr
Enter pass phrase for 2.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:FJ
Locality Name (eg, city) [Default City]:XM
Organization Name (eg, company) [Default Company Ltd]:YL
Organizational Unit Name (eg, section) []:YL
Common Name (eg, your name or your server's hostname) []:YLtls
Email Address []:


Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

-生成私钥+请求文件

openssl req -new -nodes -newkey rsa:2048 -keyout domain.key -out domain.csr -subj /C=CN/ST=FJ/L=xx/O=xx/OU=xx/CN=xxx.com/emailAddress=sss@xxx.com

需要输入的内容

字段                                  |说明                   | 示例  
Country Name                          |ISO国家代码（两位字符）| CN、EN
State or Province Name                | 所在省份              | Beijing
Locality Name(eg, city)               | 所在城市              | Beijing
Organization Name(eg, company)        | 公司名称              | Beijing xxx Ltd
Organizational Unit Name(eg, section) | 部门名称              | IT Dept
Common Name(eg,your server's hostname)| 申请证书的域名        | www.xxx.com
Email Address                         | 邮箱                  | 可不输入
A challenge password                  | 密码                  | 可不输入

-查看请求文件

openssl req -text -in domain.csr