====== OpenSSL ======

===== Generate a Key =====

<code>
openssl genrsa -out cakey.pem 4096
</code>

===== Generate CA =====

<code>
openssl req -x509 -new -nodes -key cakey.pem -days 3650 -out cacert.pem
</code>

===== Generate Cert key =====

<code>
openssl genrsa -out key.pem 4096
</code>

===== Generate CSR =====

<code>
openssl req -new -key key.pem -out csr.pem -sha256
</code>

===== Gen DH =====

<code>
openssl dhparam -out dh.pem 2048
</code>

===== Self-signed =====

<code>
# Sign the CSR with the CA key and certificate generated above
openssl x509 -req -in csr.pem -CA cacert.pem -CAkey cakey.pem -CAcreateserial -out cert.pem -days 365
</code>

==== Convert to pfx format ====

<code>
openssl pkcs12 -export -out myserver.pfx -inkey myserver.key -in myserver.crt
</code>

===== Single Cert =====

<code>
# Key, CSR and a certificate signed with its own key (-signkey), no CA involved
openssl genrsa -out bluenet-ride.com.key 4096
openssl req -new -key bluenet-ride.com.key -out bluenet-ride.com.csr
openssl x509 -req -days 365 -in bluenet-ride.com.csr -signkey bluenet-ride.com.key -out bluenet-ride.com.crt
</code>

===== Convert to PKCS12 format =====

<code>
openssl pkcs12 -inkey bob_key.pem -in bob_cert.cert -export -out bob_pfx.pfx
</code>

===== View cert =====

<code>
# Expiry date of the certificate a server presents
openssl s_client -showcerts -connect encrypted.google.com:443 < /dev/null 2> /dev/null | openssl x509 -noout -enddate
# Full text of a certificate file
openssl x509 -noout -text -in cert.pem
# Full text of a CSR
openssl req -noout -text -in req.pem
</code>

===== Trust CA system-wide =====

<code>
trust anchor ca.crt
# trust anchor --remove ca.crt
</code>

**Ref:**
  * https://unix.stackexchange.com/questions/104623/how-to-get-servers-ssl-certificate-in-a-human-readable-form
  * https://bbs.archlinux.org/viewtopic.php?id=235724
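The CA, key, CSR and signing steps from this page, run end to end in a scratch directory and followed by the checks worth doing before a certificate is deployed: chain validation, key/certificate match, and presence of a subjectAltName. This is an added example, not part of the original page; the subject names, the ''san.ext'' file, the ''-subj'' and ''-extfile'' options and the 2048-bit key size (chosen for speed, the page uses 4096) are assumptions.

```shell
#!/bin/sh
# Added example: build CA -> key -> CSR -> signed cert, then verify the result.
# All names (Example Test CA, server.example.test, san.ext) are constructed.

build_and_check() {
    dir=$(mktemp -d) || return 1
    (
        set -e
        cd "$dir"
        # CA key and self-signed CA certificate
        openssl genrsa -out cakey.pem 2048 2>/dev/null
        openssl req -x509 -new -nodes -key cakey.pem -days 3650 \
            -subj "/CN=Example Test CA" -out cacert.pem
        # Server key and CSR
        openssl genrsa -out key.pem 2048 2>/dev/null
        openssl req -new -key key.pem -sha256 \
            -subj "/CN=server.example.test" -out csr.pem
        # "x509 -req" does not copy extensions from the CSR by default,
        # so the SAN is supplied at signing time via an extension file.
        printf 'subjectAltName=DNS:server.example.test\n' > san.ext
        openssl x509 -req -in csr.pem -CA cacert.pem -CAkey cakey.pem \
            -CAcreateserial -extfile san.ext -sha256 -days 365 \
            -out cert.pem 2>/dev/null

        # Check 1: the certificate chains to the CA
        openssl verify -CAfile cacert.pem cert.pem >/dev/null || exit 2
        # Check 2: the private key matches the certificate's public key
        k=$(openssl pkey -in key.pem -pubout | openssl sha256)
        c=$(openssl x509 -in cert.pem -noout -pubkey | openssl sha256)
        [ "$k" = "$c" ] || exit 3
        # Check 3: the SAN made it into the issued certificate
        openssl x509 -in cert.pem -noout -text \
            | grep -q 'DNS:server.example.test' || exit 4
    ) && rc=0 || rc=$?
    rm -rf "$dir"
    return "$rc"
}

build_and_check && echo "chain, key match and SAN verified"
```

A non-zero return code identifies the failed check: 2 for the chain, 3 for a key mismatch, 4 for a missing SAN.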