openssl x509 -in signed.crt -noout -dates             # 打印证书的过期时间
openssl x509 -in cert.pem -noout -text                # 打印证书的内容
openssl x509 -in cert.pem -noout -serial              # 打印证书的序列号
openssl x509 -in cert.pem -noout -subject             # 打印证书的拥有者名字
# 按 RFC2253 格式打印拥有者名字
openssl x509 -in cert.pem -noout -subject -nameopt RFC2253
# 在支持 UTF8 的终端中一行打印拥有者名字
openssl x509 -in cert.pem -noout -subject -nameopt oneline -nameopt -escmsb
openssl x509 -in cert.pem -noout -fingerprint         # 打印证书的 MD5 指纹
openssl x509 -sha1 -in cert.pem -noout -fingerprint   # 打印证书的 SHA 指纹

openssl x509 -in cert.pem -inform PEM -out cert.der -outform DER

# 将证书转为 CSR
openssl x509 -x509toreq -in cert.pem -out req.pem -signkey key.pem

# 使用 CSR 生成自签名证书并增加 CA 扩展项
openssl x509 -req -in careq.pem -extfile openssl.cnf -extensions v3_ca -signkey key.pem -out cacert.pem

# 使用 CSR 生成用户证书并增加扩展项
openssl x509 -req -in req.pem -extfile openssl.cnf -extensions v3_usr -CA cacert.pem -CAkey key.pem -CAcreateserial

# 查看 CSR 文件细节
openssl req -in my.csr -noout -text

$ openssl rsa -text -noout -in server.key
Private-Key: (2048 bit)
modulus:
00:b0:fd:c2:81:60:3f:d2:dc:fe:2d:34:c6:46:1e:
08:72:c3:78:f3:4d:12:16:b9:39:3e:0b:d3:8b:e7:
…

$ openssl rsa -des -in server.key -out encrypt.key
writing RSA key
Enter PEM pass phrase:               # 输入密码
Verifying - Enter PEM pass phrase:   # 再次输入密码
encrypt.key                          # 这个文件就是加密过的私钥

$ openssl rsa -in encrypt.key -out nopassword.key
writing RSA key
Enter PEM pass phrase:               # 输入密码
Verifying - Enter PEM pass phrase:   # 再次输入密码

openssl pkcs12 -info -in cert.pfx

openssl pkcs12 -in cert.pfx -out cert2.pem

# 提取公钥
openssl x509 -in cert2.pem -out cert2.crt

# 提取私钥
openssl rsa -in cert2.pem -out cert2.key

openssl rsa -in cert2.key -out cert22.key

openssl pkcs12 -export -inkey cert22.key -in cert2.crt -out cert2.pfx

openssl pkcs12 -in cert2.pfx -out cert22.pem