x509 命令

常用示例

说明

openssl x509 is a multi-purpose certificate utility that displays certificate information, converts between formats, signs certificate requests, and modifies trust settings. The command operates on X.509 certificates in PEM or DER format. Common operations include viewing certificate details (subject, issuer, validity, extensions), verifying signatures, converting between formats, and certificate signing. When signing certificates (acting as a mini-CA), it can self-sign using -signkey or sign using a CA certificate and key with -CA and -CAkey options. The -days option specifies the validity period. The command is typically invoked as openssl x509 rather than standalone x509.

参数

-in _file_

Input certificate file. Reads from stdin if not specified.

-out _file_

Output file. Writes to stdout if not specified.

-inform _format_

Input format: DER or PEM (default).

-outform _format_

Output format: DER or PEM (default).

-noout

Prevent output of the encoded certificate.

-text

Print certificate in human-readable text form.

-subject

Print the certificate subject name.

-issuer

Print the certificate issuer name.

-dates

Print the notBefore and notAfter dates.

-serial

Print the certificate serial number.

-fingerprint

Print certificate fingerprint (use with -sha256, -sha1, etc.).

-pubkey

Output the certificate's public key.

-req

Input is a certificate request, not a certificate.

-signkey _file_

Self-sign using the specified private key.

-days _n_

Validity period in days when signing.

-CA _file_

CA certificate to use for signing.

-CAkey _file_

CA private key for signing.

-CAcreateserial

Create a serial-number file for the CA if one does not already exist.

-hash

Print a hash of the certificate subject (useful for naming trust files).

-checkend _sec_

Exit 0 if certificate will not expire within _sec_ seconds, otherwise exit 1.

-purpose

Print out intended certificate purposes.