OpenSSL Syntax Tutorial




OpenSSL is a tool for the SSL (2.0, 3.0) and TLS (1.0) protocols; it implements all the functionality of both protocols.

Features:
o  Creation and management of private keys, public keys and parameters
o  Public key cryptographic operations
o  Creation of X.509 certificates, CSRs and CRLs
o  Calculation of Message Digests
o  Encryption and Decryption with Ciphers
o  SSL/TLS Client and Server Tests
o  Handling of S/MIME signed or encrypted mail
o  Time Stamp requests, generation and verification

Examples:

req commands

Examine and verify certificate request:
openssl req -in req.pem -text -verify -noout

Create a private key and then generate a certificate request from it:
openssl genrsa -out key.pem 2048
openssl req -new -key key.pem -out req.pem

The same but just using req:
openssl req -newkey rsa:2048 -keyout key.pem -out req.pem

Generate a self signed root certificate:
openssl req -x509 -newkey rsa:2048 -keyout key.pem -out req.pem

rsa commands

To remove the pass phrase on an RSA private key:
openssl rsa -in key.pem -out keyout.pem

To encrypt a private key using triple DES:
openssl rsa -in key.pem -des3 -out keyout.pem

To convert a private key from PEM to DER format:
openssl rsa -in key.pem -outform DER -out keyout.der

To print out the components of a private key to standard output:
openssl rsa -in key.pem -text -noout

To just output the public part of a private key:
openssl rsa -in key.pem -pubout -out pubkey.pem

s_client commands

openssl s_client -connect epp.publicinterestregistry.net:700 -cert cert.pem -key key.pem -CAfile cacert.pem -showcerts -state

Where:
cert.pem - the public key (registrar's X.509 certificate). In your case, it is "55hl_ee.cer".

key.pem - registrar's private key. It must be with you.

cacert.pem - The Root Certificate for the Certificate Authority that signed your certificate. In this case the attached combined_ca.cer file.


x509 commands

Display the contents of a certificate:

openssl x509 -in cert.pem -noout -text

Display the certificate serial number:

openssl x509 -in cert.pem -noout -serial

Display the certificate subject name:

openssl x509 -in cert.pem -noout -subject

Display the certificate subject name in RFC2253 form:

openssl x509 -in cert.pem -noout -subject -nameopt RFC2253

Display the certificate subject name in oneline form on a terminal supporting UTF8:

openssl x509 -in cert.pem -noout -subject -nameopt oneline,-esc_msb

Display the certificate MD5 fingerprint:

openssl x509 -md5 -in cert.pem -noout -fingerprint

Display the certificate SHA1 fingerprint:

openssl x509 -sha1 -in cert.pem -noout -fingerprint

Convert a certificate from PEM to DER format:

openssl x509 -in cert.pem -inform PEM -out cert.der -outform DER

Convert a certificate to a certificate request:

openssl x509 -x509toreq -in cert.pem -out req.pem -signkey key.pem

Convert a certificate request into a self signed certificate using extensions for a CA:

openssl x509 -req -in careq.pem -extfile openssl.cnf -extensions v3_ca \
       -signkey key.pem -out cacert.pem

Sign a certificate request using the CA certificate above and add user certificate extensions:

openssl x509 -req -in req.pem -extfile openssl.cnf -extensions v3_usr \
       -CA cacert.pem -CAkey key.pem -CAcreateserial

Set a certificate to be trusted for SSL client use and set its alias to "Steve's Class 1 CA":

openssl x509 -in cert.pem -addtrust clientAuth \
       -setalias "Steve's Class 1 CA" -out trust.pem
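
The req, rsa and x509 commands above can be chained into a quick certificate check. The script below is an added example, not part of the original post: it reads the key size and signature algorithm from the x509 -text output, prints a SHA-256 fingerprint, and confirms that a private key belongs to a certificate by comparing the rsa -pubout and x509 -pubkey outputs. The function names, the 2048-bit threshold and the sample subject /CN=example.test are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original page. RSA certificates only, as in the
# commands above; file names are placeholders.

# RSA modulus size in bits, parsed from "openssl x509 -text".
cert_key_bits() {
    openssl x509 -in "$1" -noout -text |
        sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

# Signature algorithm name, e.g. sha256WithRSAEncryption.
cert_sig_alg() {
    openssl x509 -in "$1" -noout -text |
        sed -n 's/^ *Signature Algorithm: *\([^ ]*\).*/\1/p' | head -n 1
}

# Succeed only if private key $1 and certificate $2 hold the same public key.
key_matches_cert() {
    k=$(openssl rsa -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Return non-zero for RSA keys under 2048 bits or MD5/SHA-1 signatures.
audit_cert() {
    bits=$(cert_key_bits "$1"); alg=$(cert_sig_alg "$1"); rc=0
    if [ "${bits:-0}" -lt 2048 ]; then echo "WEAK key: ${bits:-unknown} bits"; rc=1; fi
    case "$alg" in md5*|sha1*) echo "WEAK signature: $alg"; rc=1 ;; esac
    openssl x509 -sha256 -in "$1" -noout -fingerprint   # compare on SHA-256, not MD5/SHA-1
    return "$rc"
}

# Constructed sample data: throwaway self-signed cert of $1 bits at prefix $2.
make_sample() {
    openssl req -x509 -newkey "rsa:$1" -nodes -sha256 -days 1 \
        -subj "/CN=example.test" -keyout "$2.key" -out "$2.crt" 2>/dev/null
}

# Usage: sh audit.sh cert.pem [key.pem]
if [ -n "${1:-}" ]; then
    audit_cert "$1" && echo "OK: $1"
    if [ -n "${2:-}" ]; then key_matches_cert "$2" "$1" && echo "key matches"; fi
fi
```

The key in the second argument must be unencrypted (or the pass phrase supplied interactively), since openssl rsa has to read it to derive the public part.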

 


Copyright

This article is an original post from "洪哥笔记". When reposting, please credit the source: OpenSSL Syntax Tutorial: http://www.splaybow.com/post/openssl-usage.html
