by Alexey Samoshkin
OpenSSL Command Cheatsheet
Most common OpenSSL commands and use cases
When it comes to security-related tasks, like generating keys, CSRs and certificates, calculating digests, debugging TLS connections and other tasks related to PKI and HTTPS, you'll most likely end up using the OpenSSL tool.
OpenSSL includes tons of features covering a broad range of use cases, and it's difficult to remember its syntax for all of them and quite easy to get lost. The man pages are not so helpful here, so often we just Google "openssl how to [use case here]" or look for some kind of "openssl cheatsheet" to recall the usage of a command and see examples.
This post is my personal collection of openssl command snippets and examples, grouped by use case.
Use cases
Here is a list of use cases that I'll be covering:
- Convert between encoding (PEM, DER) and container formats (PKCS12, PKCS7)
- Manually check certificate revocation status from OCSP responder
Surely, this is not a complete list, but it covers the most common use cases and includes those I've been working with. For example, I skip encryption and decryption, or using openssl for CA management. openssl is like a universe. You never know where it ends.
Working with RSA and ECDSA keys
In the commands below, replace [bits] with the key size (for example, 2048, 4096, 8192). 2048 bits is the practical minimum for RSA today; public CAs will not sign anything smaller.
Generate an RSA key:
openssl genrsa -out example.key [bits]
Print the public key or the modulus only:
openssl rsa -in example.key -pubout
openssl rsa -in example.key -noout -modulus
Print the textual representation of an RSA key:
openssl rsa -in example.key -text -noout
Generate a new RSA key and encrypt it with a pass phrase (AES-256-CBC):
openssl genrsa -aes256 -out example.key [bits]
Check your private key. If the key has a pass phrase, you'll be prompted for it:
openssl rsa -check -in example.key
Remove the pass phrase from the key (you are prompted for it once, and the file is overwritten with the unencrypted key):
openssl rsa -in example.key -out example.key
Encrypt an existing private key with a pass phrase. The original used -des3; 3DES is a legacy cipher, so use AES instead:
openssl rsa -aes256 -in example.key -out example_with_pass.key
Note that openssl rsa only understands RSA keys. openssl pkey takes the same options (-pubout, -text, -noout, -aes256) and works for any key type, including EC and Ed25519.
Generate an ECDSA key. Replace [curve] with prime256v1, secp384r1, secp521r1, or any other supported elliptic curve:
openssl ecparam -genkey -name [curve] | openssl ec -out example.ec.key
Piping through openssl ec keeps only the key and drops the separate EC PARAMETERS block that ecparam writes; openssl ecparam -genkey -name [curve] -noout -out example.ec.key does the same in one step.
Print the textual representation of an ECDSA key:
openssl ec -in example.ec.key -text -noout
List the available EC curves that the OpenSSL library supports:
openssl ecparam -list_curves
Generate DH params with a given length (2048 bits or more; this takes a long time for large sizes):
openssl dhparam -out dhparams.pem [bits]
Create certificate signing requests (CSR)
In the commands below, replace [digest] with the name of a supported hash function: md5, sha1, sha224, sha256, sha384, sha512, etc. It's better to avoid weak functions like md5 and sha1, and stick to sha256 and above; md5 and sha1 are listed only because the options still exist.
Create a CSR from an existing private key:
openssl req -new -key example.key -out example.csr -[digest]
Create a CSR and a private key without a pass phrase in a single command:
openssl req -nodes -newkey rsa:[bits] -keyout example.key -out example.csr
-nodes ("no DES") writes the key unencrypted. OpenSSL 3.0 spells the same option -noenc and still accepts -nodes.
Provide the CSR subject info on the command line, rather than through the interactive prompt:
openssl req -nodes -newkey rsa:[bits] -keyout example.key -out example.csr -subj "/C=UA/ST=Kharkov/L=Kharkov/O=Super Secure Company/OU=IT Department/CN=example.com"
Create a CSR from an existing certificate and private key:
openssl x509 -x509toreq -in cert.pem -out example.csr -signkey example.key
Generate a CSR for a multi-domain SAN certificate by supplying an openssl config file:
openssl req -new -key example.key -out example.csr -config req.conf
where req.conf is:
[req]
prompt = no
default_md = sha256
distinguished_name = dn
req_extensions = req_ext

[dn]
CN = example.com

[req_ext]
subjectAltName = @alt_names

[alt_names]
DNS.1 = example.com
DNS.2 = www.example.com
DNS.3 = ftp.example.com
Since OpenSSL 1.1.1 the same SAN list can be added without a config file: -addext "subjectAltName=DNS:example.com,DNS:www.example.com,DNS:ftp.example.com". Either way, check the result with openssl req -in example.csr -noout -text before sending it to a CA.
Create X.509 certificates
Create a self-signed certificate and a new private key from scratch:
openssl req -nodes -newkey rsa:2048 -keyout example.key -out example.crt -x509 -days 365
Create a self-signed certificate using an existing CSR and private key:
openssl x509 -req -in example.csr -signkey example.key -out example.crt -days 365
Sign a child certificate using your own "CA" certificate and its private key. If you were a CA company, this shows a very naive example of how you could issue new certificates:
openssl x509 -req -in child.csr -days 365 -CA ca.crt -CAkey ca.key -set_serial 01 -out child.crt
Two things to know about this command. First, -set_serial 01 hard-codes the serial number, and serial numbers must be unique per issuer; -CAcreateserial instead creates ca.srl with a random serial and increments it for every further certificate. Second, openssl x509 -req ignores any extensions carried in the CSR, subjectAltName included. Pass them again at signing time with -extfile file -extensions section (or -copy_extensions copy in OpenSSL 3.0); otherwise the issued certificate has no SAN, and browsers reject it.
Print the textual representation of a certificate:
openssl x509 -in example.crt -text -noout
Print the certificate's fingerprint as an md5, sha1 or sha256 digest (swap -sha256 for -sha1 or -md5):
openssl x509 -in cert.pem -fingerprint -sha256 -noout
Verify CSRs or certificates
Verify a CSR signature:
openssl req -in example.csr -verify
Verify that a private key matches a certificate and a CSR. All three commands must print the same digest:
openssl rsa -noout -modulus -in example.key | openssl sha256
openssl x509 -noout -modulus -in example.crt | openssl sha256
openssl req -noout -modulus -in example.csr | openssl sha256
-modulus only exists for RSA. For EC (or any other) keys compare the public keys instead: openssl pkey -in example.key -pubout and openssl x509 -in example.crt -pubkey -noout must produce identical output.
Verify a certificate, provided that you have the root and any intermediate certificates configured as trusted on your machine:
openssl verify example.crt
Verify a certificate when you have the intermediate certificate chain. The root certificate is not a part of the bundle, and should be configured as trusted on your machine:
openssl verify -untrusted intermediate-ca-chain.pem example.crt
Verify a certificate when you have the intermediate certificate chain and a root certificate that is not configured as a trusted one (note the lower-case f in -CAfile: the option names are case-sensitive, and the original's -CAFile is rejected as an unknown option):
openssl verify -CAfile root.crt -untrusted intermediate-ca-chain.pem child.crt
Verify that the certificate served by a remote server covers a given host name. Useful to check that your multi-domain certificate properly covers all the host names:
openssl s_client -verify_hostname www.example.com -connect example.com:443
Look for "Verify return code: 0 (ok)" in the output; a name that is missing from the SAN list gives "Hostname mismatch" instead.
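The chain, host name and key-match checks above, exercised end to end against a throwaway PKI. This is an added example, not code from the original article: it builds a root, an intermediate and a SAN leaf in a temp directory (the CA names, example.com and the file names are invented), then runs the openssl verify and modulus commands from this section and fails if any of them disagrees. It also shows the detail the signing section glosses over: x509 -req has to be told about the SAN again via -extfile, or the leaf comes out without one. Needs OpenSSL 1.1.1 or newer.

```shell
#!/bin/sh
# Added example, not part of the original article: build a throwaway
# root -> intermediate -> leaf PKI in a temp directory and run the
# verification commands from this section against it. Every name here
# (Example Test Root CA, example.com, file names) is invented for the demo.
# Needs OpenSSL 1.1.1 or newer.
set -eu

# Create root CA, intermediate CA and a SAN leaf certificate in directory $1.
build_test_pki() {
    cd "$1" || return 1
    # Explicit CA extensions: without basicConstraints CA:TRUE, openssl verify
    # refuses to accept the intermediate as an issuer.
    cat > ca.cnf <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = ca_ext
[dn]
CN = Example Test Root CA
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl ecparam -genkey -name prime256v1 -noout -out root.key
    openssl req -new -x509 -key root.key -days 30 -config ca.cnf -out root.crt

    # Intermediate: CSR from its own key, signed by the root.
    openssl ecparam -genkey -name prime256v1 -noout -out int.key
    openssl req -new -key int.key -config ca.cnf \
        -subj "/CN=Example Test Intermediate CA" -out int.csr
    # x509 -req drops extensions carried in the CSR, so they are supplied again
    # at signing time with -extfile/-extensions.
    openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -CAcreateserial \
        -days 30 -extfile ca.cnf -extensions ca_ext -out int.crt

    # Leaf: RSA key, CSR with a SAN list from a config file, signed by the intermediate.
    cat > leaf.cnf <<'EOF'
[req]
prompt = no
distinguished_name = dn
req_extensions = leaf_ext
[dn]
CN = example.com
[leaf_ext]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = example.com
DNS.2 = www.example.com
EOF
    openssl genrsa -out leaf.key 2048
    openssl req -new -key leaf.key -config leaf.cnf -out leaf.csr
    openssl x509 -req -in leaf.csr -CA int.crt -CAkey int.key -CAcreateserial \
        -days 30 -extfile leaf.cnf -extensions leaf_ext -out leaf.crt
}

# Run the checks from this section against directory $1; non-zero on any failure.
check_test_pki() {
    cd "$1" || return 1
    # Chain check: root is the trust anchor, the intermediate is untrusted input.
    openssl verify -CAfile root.crt -untrusted int.crt leaf.crt || return 1
    # Same, plus a host name check against the SAN list.
    openssl verify -CAfile root.crt -untrusted int.crt \
        -verify_hostname www.example.com leaf.crt || return 1
    # A name that is not in the SAN list must be rejected.
    if openssl verify -CAfile root.crt -untrusted int.crt \
        -verify_hostname ftp.example.com leaf.crt 2>/dev/null; then
        return 1
    fi
    # Key/certificate match: modulus digest for RSA, public-key comparison for EC
    # (-modulus is RSA-only; openssl pkey -pubout works for any key type).
    [ "$(openssl rsa -noout -modulus -in leaf.key | openssl sha256)" = \
      "$(openssl x509 -noout -modulus -in leaf.crt | openssl sha256)" ] || return 1
    [ "$(openssl pkey -in int.key -pubout)" = \
      "$(openssl x509 -in int.crt -pubkey -noout)" ] || return 1
    # The SAN survived signing only because of -extfile above.
    openssl x509 -in leaf.crt -noout -text | grep -q 'DNS:www.example.com' || return 1
}

WORK=$(mktemp -d)
build_test_pki "$WORK" >/dev/null 2>&1
check_test_pki "$WORK" && echo "all verification checks passed"
```

Run it as a script; it prints the two "leaf.crt: OK" lines from openssl verify and the closing message. Dropping -extfile from the leaf signing line is the quickest way to see the failure mode: the chain still verifies, but the -verify_hostname and SAN checks fail because the certificate no longer names any host.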
Calculate message digests and base64 encoding
Calculate md5, sha1, sha256, sha384 or sha512 digests:
openssl dgst -[hash_function] < input.file
cat input.file | openssl [hash_function]
Base64 encoding and decoding:
cat /dev/urandom | head -c 50 | openssl base64 | openssl base64 -d
openssl base64 wraps its output every 64 characters and expects the same when decoding; use -A to produce a single line, and -A again to decode single-line input longer than 64 characters.
TLS client to connect to a remote server
Connect to a server supporting TLS:
openssl s_client -connect example.com:443
openssl s_client -host example.com -port 443
Connect to a server and show the full certificate chain:
openssl s_client -showcerts -host example.com -port 443 </dev/null
Extract the certificate:
openssl s_client -connect example.com:443 2>&1 </dev/null | sed -n '/-----BEGIN/,/-----END/p' > certificate.pem
Without -showcerts only the leaf certificate is printed; add it and the same sed range captures every certificate in the chain.
Override the SNI (Server Name Indication) extension with another server name. Useful for testing when multiple secure sites are hosted on the same IP address:
openssl s_client -servername www.example.com -host example.com -port 443
Test the TLS connection by forcibly using a specific cipher suite, e.g. ECDHE-RSA-AES128-GCM-SHA256. Useful to check whether a server can properly talk via the different configured cipher suites, not only the one it prefers:
openssl s_client -host example.com -port 443 -cipher ECDHE-RSA-AES128-GCM-SHA256 2>&1 </dev/null
-cipher only governs TLS 1.2 and earlier. If the server negotiates TLS 1.3, the handshake uses a TLS 1.3 suite regardless of this option; add -tls1_2 to make the test meaningful, or use -ciphersuites to pick TLS 1.3 suites.
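The s_client options from this section, tried against a local s_server instead of a remote host. This is an added example, not code from the original article: it creates two self-signed certificates and starts openssl s_server with the second one bound to an SNI name, then uses -servername to show which certificate comes back, -verify_hostname with -CAfile to get "Verify return code: 0 (ok)" and a failure, and -cipher with -tls1_2 to force one suite. The host names a.test and b.test, the port 14433 and the file names are invented; it needs OpenSSL 1.1.1 or newer and a free TCP port on 127.0.0.1.

```shell
#!/bin/sh
# Added example, not part of the original article: a local s_server with two
# certificates selected by SNI, so the s_client options from this section
# (-servername, -verify_hostname, -CAfile, -cipher, certificate extraction) can be
# tried offline. The host names a.test and b.test, the port and the file names are
# invented. Needs OpenSSL 1.1.1+ and a free TCP port on 127.0.0.1.
set -eu

PORT=${PORT:-14433}
SERVER_PID=

# Self-signed certificate and key for host name $1, written to $2/$1.crt and $2/$1.key.
make_selfsigned() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 7 -subj "/CN=$1" \
        -addext "subjectAltName=DNS:$1" -keyout "$2/$1.key" -out "$2/$1.crt" 2>/dev/null
}

# Serve a.test by default and switch to b.test when the client's SNI says so.
start_server() {
    openssl s_server -accept "127.0.0.1:$PORT" -www \
        -cert "$1/a.test.crt" -key "$1/a.test.key" \
        -servername b.test -cert2 "$1/b.test.crt" -key2 "$1/b.test.key" >/dev/null 2>&1 &
    SERVER_PID=$!
    # Wait until the listener accepts connections (s_client exits non-zero before that).
    i=0
    until openssl s_client -connect "127.0.0.1:$PORT" </dev/null >/dev/null 2>&1; do
        i=$((i + 1))
        [ "$i" -lt 15 ] || return 1
        sleep 1
    done
}

stop_server() {
    kill "$SERVER_PID" 2>/dev/null || true
    wait "$SERVER_PID" 2>/dev/null || true
}

# Handshake with SNI name $1 and print the subject of the certificate the server picked.
served_subject() {
    openssl s_client -connect "127.0.0.1:$PORT" -servername "$1" </dev/null 2>/dev/null \
        | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' \
        | openssl x509 -noout -subject
}

# 0 if the served certificate chains to trust anchor $2 and covers host name $1.
verify_host() {
    openssl s_client -connect "127.0.0.1:$PORT" -servername "$1" -verify_hostname "$1" \
        -CAfile "$2" </dev/null 2>/dev/null | grep -q 'Verify return code: 0 (ok)'
}

# -cipher only applies to TLS 1.2 and below, hence -tls1_2; TLS 1.3 uses -ciphersuites.
negotiated_cipher() {
    openssl s_client -connect "127.0.0.1:$PORT" -tls1_2 -cipher "$1" </dev/null 2>/dev/null \
        | sed -n 's/^ *Cipher *: //p'
}

run_demo() {
    dir=$(mktemp -d)
    make_selfsigned a.test "$dir"
    make_selfsigned b.test "$dir"
    start_server "$dir" || { stop_server; return 1; }
    rc=0
    case "$(served_subject a.test)" in *a.test*) ;; *) rc=1 ;; esac   # default cert
    case "$(served_subject b.test)" in *b.test*) ;; *) rc=1 ;; esac   # SNI-selected cert
    verify_host b.test "$dir/b.test.crt" || rc=1        # right anchor, right name: ok
    verify_host b.test "$dir/a.test.crt" && rc=1        # wrong anchor: must fail
    [ "$(negotiated_cipher ECDHE-RSA-AES128-GCM-SHA256)" = "ECDHE-RSA-AES128-GCM-SHA256" ] || rc=1
    stop_server
    return "$rc"
}

run_demo && echo "SNI, host name verification and cipher forcing behaved as expected"
```

The same functions work against a real host once you replace 127.0.0.1:$PORT with the server's address; served_subject is the "extract the certificate" one-liner from above with the subject printed instead of saved.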
Measure TLS connection and handshake time
Measure the SSL connection time without/with session reuse:
openssl s_time -connect example.com:443 -new
openssl s_time -connect example.com:443 -reuse
Roughly examine the TCP and SSL handshake times using curl (-k disables certificate verification, which is acceptable for a timing measurement only):
curl -kso /dev/null -w "tcp:%{time_connect}, ssldone:%{time_appconnect}\n" https://example.com
Measure the speed of various security algorithms:
openssl speed rsa2048
openssl speed ecdsap256
Convert between encoding and container formats
Convert a certificate between DER and PEM formats:
openssl x509 -in example.pem -outform der -out example.der
openssl x509 -in example.der -inform der -out example.pem
Combine several certificates in a PKCS7 (P7B) file:
openssl crl2pkcs7 -nocrl -certfile child.crt -certfile ca.crt -out example.p7b
Convert from PKCS7 back to PEM. If the PKCS7 file has multiple certificates, the PEM file will contain all of them:
openssl pkcs7 -in example.p7b -print_certs -out example.crt
Combine a PEM certificate file and a private key into a PKCS#12 file (.pfx, .p12). You can also add a chain of certificates to the PKCS12 file:
openssl pkcs12 -export -out certificate.pfx -inkey privkey.pem -in certificate.pem -certfile ca-chain.pem
Convert a PKCS#12 file (.pfx, .p12) containing a private key and certificates back to PEM:
openssl pkcs12 -in keystore.pfx -out keystore.pem -nodes
-nodes writes the private key unencrypted. In scripts, supply the passwords with -passout/-passin instead of the prompt. OpenSSL 3.0 writes PKCS#12 files with AES-256-CBC and PBKDF2 by default; older consumers that only understand the legacy RC2/3DES encoding need -legacy on the -export command.
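The conversions above as a scripted round trip that checks nothing was lost on the way. This is an added example, not code from the original article: it makes a self-signed certificate and key (the name roundtrip.example, the password "changeit" and the file names are invented), converts PEM to DER and back, wraps the certificate in PKCS#7 and unwraps it, packs certificate and key into PKCS#12 and unpacks them again, comparing the SHA-256 fingerprint after every step and the public key at the end.

```shell
#!/bin/sh
# Added example, not part of the original article: non-interactive round trips
# through DER, PKCS#7 and PKCS#12, checking after each that the certificate (and
# the key) came back unchanged. The certificate, the password "changeit" and the
# file names are invented for the demo.
set -eu

# Self-signed certificate and key in $1, standing in for a real leaf and its chain.
make_material() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 7 -subj "/CN=roundtrip.example" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
}

# SHA-256 fingerprint of a certificate; $2 is its encoding (pem or der).
fingerprint() {
    openssl x509 -in "$1" -inform "$2" -noout -fingerprint -sha256
}

# Run the conversions from this section in $1; non-zero if anything was lost.
round_trip() {
    d=$1
    ref=$(fingerprint "$d/cert.pem" pem)
    # PEM -> DER -> PEM
    openssl x509 -in "$d/cert.pem" -outform der -out "$d/cert.der"
    openssl x509 -in "$d/cert.der" -inform der -out "$d/cert2.pem"
    [ "$(fingerprint "$d/cert.der" der)" = "$ref" ] || return 1
    [ "$(fingerprint "$d/cert2.pem" pem)" = "$ref" ] || return 1
    # PEM -> PKCS#7 -> PEM (certificates only; PKCS#7 carries no private keys)
    openssl crl2pkcs7 -nocrl -certfile "$d/cert.pem" -out "$d/bundle.p7b"
    openssl pkcs7 -in "$d/bundle.p7b" -print_certs -out "$d/from_p7b.pem"
    [ "$(fingerprint "$d/from_p7b.pem" pem)" = "$ref" ] || return 1
    # PEM + key -> PKCS#12 -> PEM. -passout/-passin replace the interactive prompt
    # (pass: is fine for a demo; prefer file: or env: in scripts so the password does
    # not show up in the process list). -nodes leaves the extracted key unencrypted.
    openssl pkcs12 -export -inkey "$d/key.pem" -in "$d/cert.pem" \
        -passout pass:changeit -out "$d/store.p12"
    openssl pkcs12 -in "$d/store.p12" -passin pass:changeit -nodes -out "$d/from_p12.pem"
    [ "$(fingerprint "$d/from_p12.pem" pem)" = "$ref" ] || return 1
    # The key must match too: compare public keys, which works for any key type.
    [ "$(openssl pkey -in "$d/from_p12.pem" -pubout)" = \
      "$(openssl pkey -in "$d/key.pem" -pubout)" ] || return 1
}

WORK=$(mktemp -d)
make_material "$WORK"
round_trip "$WORK" && echo "certificate and key survived every conversion"
```

The fingerprint is computed over the DER bytes, so it is the right thing to compare across encodings: a PEM and a DER copy of the same certificate print the same value, and any PEM reformatting that changed it would indicate a different certificate.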
List cipher suites
List the available TLS cipher suites the openssl client is capable of:
openssl ciphers -v
Enumerate all individual cipher suites described by a short-hand OpenSSL cipher list string. This is useful when you're configuring a server (like Nginx) and you need to test your ssl_ciphers string:
openssl ciphers -v 'EECDH+ECDSA+AESGCM:EECDH+aRSA+SHA256:EECDH:DHE+AESGCM:DHE:!RSA:!aNULL:!eNULL:!LOW:!RC4'
The elements of a cipher list are separated by colons; the original string had !RSA!aNULL with the separator missing. If the string matches nothing, openssl ciphers prints "Error in cipher list" and exits non-zero, which makes it usable as a check in a deployment script.
Manually check certificate revocation status from OCSP responder
This is a multi-step process:
- Retrieve the certificate from the remote server
- Obtain the intermediate CA certificate chain
- Read the OCSP endpoint URI from the certificate
- Request the certificate rev
ocation status from the remote OCSP responder
First, retrieve the certificate from the remote server:
openssl s_client -connect example.com:443 2>&1 </dev/null | sed -n '/-----BEGIN/,/-----END/p' > cert.pem
You'd also need to obtain the intermediate CA certificate chain. Use the -showcerts flag to show the full certificate chain, and manually save all intermediate certificates to a chain.pem file:
openssl s_client -showcerts -host example.com -port 443 </dev/null
Read the OCSP endpoint URI from the certificate:
openssl x509 -in cert.pem -noout -ocsp_uri
Request the certificate revocation status from the remote OCSP responder using the URI from the step above (e.g. http://ocsp.stg-int-x1.letsencrypt.org):
openssl ocsp -header "Host" "ocsp.stg-int-x1.letsencrypt.org" -issuer chain.pem -VAfile chain.pem -cert cert.pem -text -url http://ocsp.stg-int-x1.letsencrypt.org
The -header option is only needed with OpenSSL 1.0.x, which did not send an HTTP Host header on its own. OpenSSL 1.1.0 and later add it automatically, and their -header syntax is name=value, so drop the option there. The answer you want is "cert.pem: good" together with "Response verify OK". -issuer must be the certificate that actually issued cert.pem, not just any CA in the chain, and -VAfile chain.pem tells openssl to trust responses signed by the certificates in that file; without -VAfile or -CAfile the response signature cannot be validated and the status is worthless.
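The last step of the procedure above, run against a local responder so the good, revoked and unknown answers can all be seen. This is an added example, not code from the original article: openssl ocsp can also act as a responder when given a CA index file, and the example writes such an index by hand for a throwaway CA with one valid and one revoked certificate, starts the responder on a local port, and queries it with the same -issuer/-cert/-url/-CAfile options used for a public responder. The CA name, host names, serial numbers, dates, port 18080 and file names are invented; it needs OpenSSL 1.1.1 or newer and a free TCP port.

```shell
#!/bin/sh
# Added example, not part of the original article: run openssl ocsp as a local
# responder backed by a hand-written CA index, then query it exactly as the
# command above queries a public responder. The CA name, host names, serial
# numbers, dates, port and file names are all invented for the demo.
# Needs OpenSSL 1.1.1+ and a free TCP port.
set -eu

PORT=${OCSP_PORT:-18080}
RESPONDER_PID=

# Self-signed CA plus two leaf certificates (serials 0x1000 and 0x1001) in $1.
make_ca_and_leaves() {
    cd "$1" || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 7 -subj "/CN=Demo OCSP CA" \
        -keyout ca.key -out ca.crt 2>/dev/null
    for name in good revoked; do
        openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$name.example" \
            -keyout "$name.key" -out "$name.csr" 2>/dev/null
    done
    openssl x509 -req -in good.csr -CA ca.crt -CAkey ca.key -set_serial 0x1000 \
        -days 7 -out good.crt 2>/dev/null
    openssl x509 -req -in revoked.csr -CA ca.crt -CAkey ca.key -set_serial 0x1001 \
        -days 7 -out revoked.crt 2>/dev/null
    # The responder reads the openssl-ca index format: status, expiry, revocation
    # date, serial (hex), file name, subject; fields are tab separated. The dates
    # are constructed literals in YYMMDDHHMMSSZ form.
    printf 'V\t350101000000Z\t\t1000\tunknown\t/CN=good.example\n' > index.txt
    printf 'R\t350101000000Z\t240601000000Z\t1001\tunknown\t/CN=revoked.example\n' >> index.txt
}

# Responder that signs its answers with the CA key itself (no delegated signer).
start_responder() {
    openssl ocsp -index "$1/index.txt" -port "$PORT" -CA "$1/ca.crt" \
        -rsigner "$1/ca.crt" -rkey "$1/ca.key" >/dev/null 2>&1 &
    RESPONDER_PID=$!
}

stop_responder() {
    kill "$RESPONDER_PID" 2>/dev/null || true
    wait "$RESPONDER_PID" 2>/dev/null || true
}

# Ask the responder about $1 ("-cert file" or "-serial N") issued by $2/ca.crt and
# print good/revoked/unknown. Retries while the responder starts up. -CAfile is
# what lets openssl validate the response signature; without it the status is
# unverified.
ocsp_status() {
    i=0
    while :; do
        if out=$(openssl ocsp -issuer "$2/ca.crt" $1 -url "http://127.0.0.1:$PORT" \
                -CAfile "$2/ca.crt" 2>&1); then
            break
        fi
        i=$((i + 1))
        [ "$i" -lt 15 ] || return 1
        sleep 1
    done
    echo "$out" | grep -q 'Response verify OK' || return 1
    echo "$out" | awk '$1 ~ /:$/ && $2 ~ /^(good|revoked|unknown)$/ {print $2; exit}'
}

run_ocsp_demo() {
    dir=$(mktemp -d)
    make_ca_and_leaves "$dir"
    start_responder "$dir"
    rc=0
    [ "$(ocsp_status "-cert $dir/good.crt" "$dir")" = good ] || rc=1
    [ "$(ocsp_status "-cert $dir/revoked.crt" "$dir")" = revoked ] || rc=1
    [ "$(ocsp_status "-serial 0x1002" "$dir")" = unknown ] || rc=1   # never issued
    stop_responder
    return "$rc"
}

run_ocsp_demo && echo "OCSP responder answered good / revoked / unknown as expected"
```

Two points carry over to real responders. "Response verify OK" is the line that matters: a "good" without it means the signature on the answer was not validated against anything you trust. And "unknown" is not "good"; it is what a responder returns for a serial it has never heard of, which for a public CA usually means the wrong -issuer was supplied.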
Translated from: https://www.freecodecamp.org/news/openssl-command-cheatsheet-b441be1e8c4a/