Synopsis
(1) Create RSA Private Key
openssl genrsa [-aes256] [-out filename] [numbits]
(2) Create CSR (Certificate Signing Request)
openssl req -new [-key filename] [-subj args] -config configfilename
(3) Display certificate fingerprint
openssl x509 [-sha1|-sha256|-md5] -fingerprint -noout [-in file]
(4) Create DH parameter file
openssl dhparam [-outform DER | PEM] [-out filename] numbits
Description
This command creates an RSA private key, creates a CSR (Certificate Signing Request), displays a certificate fingerprint, and creates a DH parameter file.
Options
genrsa sub command
-aes256
Encrypt the private key with AES-256. If this option is omitted, the key is written unencrypted.
-out filename
Specify the output file name. If this option is omitted, the data is output to the standard output.
numbits
Specify the bit size of the generated private key. This must be specified last. The default is 2048; values less than 512 are not allowed.
req sub command
-new
Generate a new CSR (Certificate Signing Request).
-key filename
Specify the file name of the private key to read.
-subj args
Sets the server information to be included in the certificate. Use the following format, with the attributes separated by /.
/Attribute1=Value1/Attribute2=Value2/Attribute3=...
The attributes and values are as follows.
C: Two-letter country code (for Japan, "JP")
ST: State/Province
L: City, Town, Street
O: Organization Name
OU: Organizational Unit Name
CN: Server FQDN
If you omit this option, you are prompted for each value as shown below. The value after each prompt is what the user enters.
# /opt/FJSVftlo/mpahs/oss/openssl/bin/openssl req -new -key server.key -config /opt/FJSVftlo/mpahs/oss/openssl/ssl/openssl.cnf
Country Name (2 letter code) [GB]:JP
State or Province Name (full name) [Berkshire]:Tokyo
Locality Name (eg, city) [Newbury]:Shinagawa
Organization Name (eg, company) [My Company Ltd]:Fujitsu
Organizational Unit Name (eg, section) []:soft
Common Name (eg, your name or your server's hostname) []:myhost.example.com
Email Address []:(Enter key)
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:(Enter key)
An optional company name []:(Enter key)
-config configfilename
Specify the absolute path to the openssl configuration file (openssl.cnf). Do not omit this option.
The openssl configuration file is stored in the following location.
[Windows]
Systemwalker Operation Manager installation directory\MPWALKER.JM\mpahs\conf\openssl.cnf
[UNIX]
/opt/FJSVftlo/mpahs/oss/openssl/ssl/openssl.cnf
x509 sub command
-sha1|-sha256|-md5
Specify the digest to use for the fingerprint display. If this option is omitted, sha256 is used.
-fingerprint
Outputs the fingerprint computed with the specified digest.
-noout
Suppresses output of the certificate itself.
-in file
Specify the name of the certificate file to read.
dhparam sub command
-outform DER | PEM
Specify the output format. If this option is omitted, PEM is assumed.
-out filename
Specify the output file name. If this option is omitted, the data is output to the standard output.
numbits
Specify the bit size of the parameters to generate. This must be specified last.
Command Location
[Windows]
Systemwalker Operation Manager installation directory\mpwalker.jm\mpahs\bin
[Solaris]
/opt/FJSVftlo/mpahs/oss/openssl/bin
Privilege Required
System administrator (user belonging to the Administrators group or superuser) privileges are required.
Cautions
To prevent the passphrase from being leaked on the network, we recommend that you execute this command at the console or at a terminal connected to a LAN that is not connected externally.
Example
(1) Create RSA Private Key
[Windows]
c:\Systemwalker\MPWALKER.JM\mpahs\bin\openssl.exe genrsa -aes256 -out d:\mpahso\sslcert\server.key 2048
(The following is the result of executing the command.)
Generating RSA private key, 2048 bit long modulus
......+++
...........++
e is 65537 (0x10001)
Enter pass phrase for server.key: (Note)
Verifying - Enter pass phrase for server.key: (Note)
[UNIX]
# /opt/FJSVftlo/mpahs/oss/openssl/bin/openssl genrsa -aes256 -out /export/home/mpahso/sslcert/server.key 2048
(The following is the result of executing the command.)
Generating RSA private key, 2048 bit long modulus
......+++
...........++
e is 65537 (0x10001)
Enter pass phrase for server.key: (Note)
Verifying - Enter pass phrase for server.key: (Note)
Note) When this prompt is displayed, enter the passphrase. The characters entered are not echoed back.
(2) Create CSR (Certificate Signing Request)
[Windows]
c:\Systemwalker\MPWALKER.JM\mpahs\bin\openssl.exe req -new -key d:\mpahso\sslcert\server.key -config c:\Systemwalker\MPWALKER.JM\mpahs\conf\openssl.cnf -subj "/C=JP/ST=Shizuoka/L=Shizuoka-shi/O=fujitsu/OU=4-1f/CN=www.example.com"
(The following is the result of executing the command.)
Enter pass phrase for server.key: (Note)
[UNIX]
# /opt/FJSVftlo/mpahs/oss/openssl/bin/openssl req -new -key /export/home/mpahso/sslcert/server.key -config /opt/FJSVftlo/mpahs/oss/openssl/ssl/openssl.cnf -subj "/C=JP/ST=Shizuoka/L=Shizuoka-shi/O=fujitsu/OU=4-1f/CN=www.example.com"
(The following is the result of executing the command.)
Enter pass phrase for server.key: (Note)
Note) When this prompt is displayed, enter the passphrase. The characters entered are not echoed back.
(3) Display certificate fingerprint
[Windows]
c:\Systemwalker\MPWALKER.JM\mpahs\bin\openssl.exe x509 -sha256 -fingerprint -noout -in d:\mpahso\sslcert\ca.crt
SHA256 Fingerprint=F7 16 00 6E A1 6E A2 14 ...   (32 bytes are displayed in hexadecimal.)
[UNIX]
# /opt/FJSVftlo/mpahs/oss/openssl/bin/openssl x509 -sha256 -fingerprint -noout -in /export/home/mpahso/sslcert/ca.crt
SHA256 Fingerprint=F7 16 00 6E A1 6E A2 14 ...   (32 bytes are displayed in hexadecimal.)
(4) Create DH parameter file
[Windows]
c:\Systemwalker\MPWALKER.JM\mpahs\bin\openssl.exe dhparam -out d:\mpahso\sslcert\dh2048.pem -outform PEM 2048
[UNIX]
# /opt/FJSVftlo/mpahs/oss/openssl/bin/openssl dhparam -out /export/home/mpahso/sslcert/dh2048.pem -outform PEM 2048
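Two checks an administrator would run alongside steps (2) and (3), as an added example that is not part of this manual: verifying that the CSR really carries a signature from the private key given to -key, and comparing the fingerprint printed by the x509 sub command with a value received out of band (e.g. from the CA operator), ignoring the case and ':' or ' ' separator differences between how tools print it and how it is usually written down. OPENSSL_BIN and the function names are assumptions; the fingerprint used in the test is constructed.

```shell
#!/bin/sh
# Added example, not part of the Systemwalker Operation Manager manual.
# OPENSSL_BIN defaults to the UNIX command location shown on this page;
# set it to the Windows path when needed. The functions are assumptions.
OPENSSL_BIN=${OPENSSL_BIN:-/opt/FJSVftlo/mpahs/oss/openssl/bin/openssl}

# normalize_fp: drop an optional "SHA256 Fingerprint=" (or sha1/md5) prefix
# and the ':' or ' ' byte separators, and upper-case the hex digits, so the
# value printed by "openssl x509 -fingerprint" can be compared with one that
# was written down or e-mailed in a different style.
normalize_fp() {
    printf '%s' "$1" | sed -e 's/^[A-Za-z0-9]* [Ff]ingerprint=//' \
                           -e 's/[: ]//g' | tr 'a-f' 'A-F'
}

# fingerprint_matches EXPECTED ACTUAL: succeeds only when both normalize to
# the same 32-byte (64 hex digit) SHA-256 value; a truncated or padded
# string never matches, so a copy-and-paste error is reported, not accepted.
fingerprint_matches() {
    a=$(normalize_fp "$1")
    b=$(normalize_fp "$2")
    [ "${#a}" -eq 64 ] && [ "$a" = "$b" ]
}

# check_ca_cert EXPECTED CERTFILE: runs the step (3) command from this page
# on a CA certificate and compares the result with the fingerprint obtained
# out of band (not from the same download as the certificate itself).
check_ca_cert() {
    actual=$("$OPENSSL_BIN" x509 -sha256 -fingerprint -noout -in "$2") || return 2
    if fingerprint_matches "$1" "$actual"; then
        echo "fingerprint OK: $2"
    else
        echo "fingerprint MISMATCH: $2 (got: $actual)" >&2
        return 1
    fi
}

# verify_csr CSRFILE: confirms the CSR produced in step (2) carries a valid
# self-signature, i.e. it was signed with the private key passed to
# "openssl req -key" and has not been altered since.
verify_csr() {
    "$OPENSSL_BIN" req -verify -noout -in "$1"
}
```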