OpenSSL Command Cheatsheet

by Alexey Samoshkin

Most common OpenSSL commands and use cases

When it comes to security-related tasks, like generating keys, CSRs, certificates, calculating digests, debugging TLS connections and other tasks related to PKI and HTTPS, you’d most likely end up using the OpenSSL tool.

OpenSSL includes tonnes of features covering a broad range of use cases, and it’s difficult to remember its syntax for all of them and quite easy to get lost. man pages are not so helpful here, so often we just Google “openssl how to [use case here]” or look for some kind of “openssl cheatsheet” to recall the usage of a command and see examples.

This post is my personal collection of openssl command snippets and examples, grouped by use case.

Use cases

Here is a list of use cases, that I’ll be covering:

  1. Working with RSA and ECDSA keys
  2. Create certificate signing requests (CSR)
  3. Create X.509 certificates
  4. Verify CSRs or certificates
  5. Calculate message digests and base64 encoding
  6. TLS client to connect to a remote server
  7. Measure TLS connection and handshake time
  8. Convert between encoding (PEM, DER) and container formats (PKCS12, PKCS7)
  9. List cipher suites
  10. Manually check certificate revocation status from OCSP responder

Surely, this is not a complete list, but it covers the most common use cases and includes those I've been working with. For example, I skip encryption and decryption, and using openssl for CA management. openssl is like a universe: you never know where it ends.

Working with RSA and ECDSA keys

In the commands below, replace [bits] with the key size (for example, 2048, 4096 or 8192).

Generate an RSA key:
    openssl genrsa -out example.key [bits]

Print public key or modulus only:
    openssl rsa -in example.key -pubout
    openssl rsa -in example.key -noout -modulus

Print textual representation of RSA key:
    openssl rsa -in example.key -text -noout

Generate a new RSA key and encrypt it with a pass phrase using AES-256-CBC:
    openssl genrsa -aes256 -out example.key [bits]

Check your private key. If the key has a pass phrase, you'll be prompted for it:
    openssl rsa -check -in example.key

Remove the pass phrase from the key:
    openssl rsa -in example.key -out example.key

Encrypt an existing private key with a pass phrase (-des3 is shown here; -aes256 is the stronger choice):
    openssl rsa -des3 -in example.key -out example_with_pass.key

Generate an ECDSA key. Replace [curve] with prime256v1, secp384r1, secp521r1 or any other supported elliptic curve:
    openssl ecparam -genkey -name [curve] | openssl ec -out example.ec.key

Print ECDSA key textual representation:
    openssl ec -in example.ec.key -text -noout

List the EC curves that the OpenSSL library supports:
    openssl ecparam -list_curves

Generate DH params of a given length:
    openssl dhparam -out dhparams.pem [bits]

Create certificate signing requests (CSR)

In the commands below, replace [digest] with the name of a supported hash function: md5, sha1, sha224, sha256, sha384, sha512, etc. Avoid weak functions like md5 and sha1, and stick to sha256 and above.

Create a CSR from an existing private key:
    openssl req -new -key example.key -out example.csr -[digest]

Create a CSR and a private key without a pass phrase in a single command:
    openssl req -nodes -newkey rsa:[bits] -keyout example.key -out example.csr

Provide CSR subject info on the command line, rather than through the interactive prompt:
    openssl req -nodes -newkey rsa:[bits] -keyout example.key -out example.csr -subj "/C=UA/ST=Kharkov/L=Kharkov/O=Super Secure Company/OU=IT Department/CN=example.com"

Create a CSR from an existing certificate and private key:
    openssl x509 -x509toreq -in cert.pem -out example.csr -signkey example.key

Generate a CSR for a multi-domain SAN certificate by supplying an openssl config file:
    openssl req -new -key example.key -out example.csr -config req.conf

where req.conf is:

    [req]
    prompt=no
    default_md = sha256
    distinguished_name = dn
    req_extensions = req_ext

    [dn]
    CN=example.com

    [req_ext]
    subjectAltName=@alt_names

    [alt_names]
    DNS.1=example.com
    DNS.2=www.example.com
    DNS.3=ftp.example.com
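As an added example (not part of the original post), the following script writes the req.conf above, generates a key and a SAN CSR from it, then reads the requested DNS names back out of the CSR and confirms both the CSR signature and the key/CSR modulus match. It assumes the openssl CLI is on PATH and runs in a scratch directory.

```shell
#!/bin/sh
# Assumed: openssl CLI on PATH; all files are created in a scratch directory.
set -eu
WORK="$(mktemp -d)"; trap 'rm -rf "$WORK"' EXIT; cd "$WORK"

# req.conf exactly as in the cheatsheet (written inline here, constructed).
cat > req.conf <<'EOF'
[req]
prompt=no
default_md = sha256
distinguished_name = dn
req_extensions = req_ext

[dn]
CN=example.com

[req_ext]
subjectAltName=@alt_names

[alt_names]
DNS.1=example.com
DNS.2=www.example.com
DNS.3=ftp.example.com
EOF

# Key without a pass phrase, then a CSR whose subject and SANs come from req.conf.
openssl genrsa -out example.key 2048 2>/dev/null
openssl req -new -key example.key -out example.csr -config req.conf

# Print the DNS names the CSR asks for, one per line, by reading the
# "X509v3 Subject Alternative Name" line of the textual CSR dump.
csr_sans() {
    openssl req -in example.csr -noout -text \
        | awk '/Subject Alternative Name/{getline; print}' \
        | tr -d ' ' | tr ',' '\n' | sed 's/^DNS://'
}

# The CSR must verify under its own public key, and the modulus inside the
# CSR must be the one from example.key (the check shown in the verify section).
csr_ok() {
    openssl req -in example.csr -noout -verify >/dev/null 2>&1 || return 1
    [ "$(openssl rsa -in example.key -noout -modulus | openssl sha256)" = \
      "$(openssl req -in example.csr -noout -modulus | openssl sha256)" ]
}
```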

Create X.509 certificates

Create a self-signed certificate and a new private key from scratch:
    openssl req -nodes -newkey rsa:2048 -keyout example.key -out example.crt -x509 -days 365

Create a self-signed certificate using an existing CSR and private key:
    openssl x509 -req -in example.csr -signkey example.key -out example.crt -days 365

Sign a child certificate using your own "CA" certificate and its private key. If you were a CA company, this shows a very naive example of how you could issue new certificates:
    openssl x509 -req -in child.csr -days 365 -CA ca.crt -CAkey ca.key -set_serial 01 -out child.crt

Print textual representation of the certificate:
    openssl x509 -in example.crt -text -noout

Print the certificate's fingerprint as an md5, sha1 or sha256 digest:
    openssl x509 -in cert.pem -fingerprint -sha256 -noout

Verify CSRs or certificates

Verify a CSR signature:
    openssl req -in example.csr -verify

Verify that a private key matches a certificate and CSR (all three digests must be identical):
    openssl rsa -noout -modulus -in example.key | openssl sha256
    openssl x509 -noout -modulus -in example.crt | openssl sha256
    openssl req -noout -modulus -in example.csr | openssl sha256

Verify a certificate, provided that you have the root and any intermediate certificates configured as trusted on your machine:
    openssl verify example.crt

Verify a certificate when you have the intermediate certificate chain. The root certificate is not part of the bundle and should be configured as trusted on your machine:
    openssl verify -untrusted intermediate-ca-chain.pem example.crt

Verify a certificate when you have the intermediate certificate chain and a root certificate that is not configured as trusted:
    openssl verify -CAfile root.crt -untrusted intermediate-ca-chain.pem child.crt
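An added example, not from the original post, that builds a throwaway root -> intermediate -> child chain with the signing command from the X.509 section and then exercises the verify variants above: with the intermediate supplied as untrusted, without it, and with the intermediate wrongly used as the trust anchor. It assumes the openssl CLI is on PATH, a scratch directory, and the constructed names root, intermediate and child.

```shell
#!/bin/sh
# Assumed: openssl CLI on PATH. Builds a throwaway three-tier chain in a scratch directory.
set -eu
WORK="$(mktemp -d)"; trap 'rm -rf "$WORK"' EXIT; cd "$WORK"

# Minimal req config so nothing depends on the system openssl.cnf; -subj overrides the DN.
printf '[req]\nprompt = no\ndistinguished_name = dn\n[dn]\nCN = placeholder\n' > req.conf
# Extensions that mark a certificate as a CA; verify rejects an issuer that lacks them.
printf 'basicConstraints = critical,CA:TRUE\nkeyUsage = critical,keyCertSign,cRLSign\n' > ca.ext

# Key + CSR for each tier (same commands as in the cheatsheet).
for name in root intermediate child; do
    openssl genrsa -out "$name.key" 2048 2>/dev/null
    openssl req -new -config req.conf -key "$name.key" -subj "/CN=Example $name" -out "$name.csr"
done

# Root: self-signed from its own CSR and key.
openssl x509 -req -in root.csr -signkey root.key -days 365 -extfile ca.ext -out root.crt 2>/dev/null
# Intermediate: signed by the root, and itself a CA.
openssl x509 -req -in intermediate.csr -CA root.crt -CAkey root.key -set_serial 01 -days 365 \
    -extfile ca.ext -out intermediate.crt 2>/dev/null
# Child (leaf): signed by the intermediate, no CA extensions.
openssl x509 -req -in child.csr -CA intermediate.crt -CAkey intermediate.key -set_serial 02 \
    -days 365 -out child.crt 2>/dev/null

# Root trusted explicitly, intermediate supplied as untrusted: the chain builds and verifies.
verify_with_chain() {
    openssl verify -CAfile root.crt -untrusted intermediate.crt child.crt >/dev/null 2>&1
}
# Without the intermediate the issuer of child.crt cannot be found, so verify fails.
verify_without_chain() {
    openssl verify -CAfile root.crt child.crt >/dev/null 2>&1
}
# The intermediate alone is not a trust anchor: the chain must end at a self-signed root.
verify_intermediate_as_anchor() {
    openssl verify -CAfile intermediate.crt child.crt >/dev/null 2>&1
}
```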

Verify that the certificate served by a remote server covers a given host name. Useful to check that your multi-domain certificate properly covers all the host names:
    openssl s_client -verify_hostname www.example.com -connect example.com:443

Calculate message digests and base64 encoding

Calculate md5, sha1, sha256, sha384 or sha512 digests:
    openssl dgst -[hash_function] < input.file
    cat input.file | openssl [hash_function]

Base64 encoding and decoding:
    cat /dev/urandom | head -c 50 | openssl base64 | openssl base64 -d

TLS client to connect to a remote server

Connect to a server supporting TLS:
    openssl s_client -connect example.com:443
    openssl s_client -host example.com -port 443

Connect to a server and show the full certificate chain:
    openssl s_client -showcerts -host example.com -port 443 </dev/null

Extract the certificate:
    openssl s_client -connect example.com:443 2>&1 < /dev/null | sed -n '/-----BEGIN/,/-----END/p' > certificate.pem

Override the SNI (Server Name Indication) extension with another server name. Useful for testing when multiple secure sites are hosted on the same IP address:
    openssl s_client -servername www.example.com -host example.com -port 443

Test a TLS connection by forcibly using a specific cipher suite, e.g. ECDHE-RSA-AES128-GCM-SHA256. Useful to check whether a server can properly talk via each configured cipher suite, not only the one it prefers:
    openssl s_client -host example.com -port 443 -cipher ECDHE-RSA-AES128-GCM-SHA256 2>&1 </dev/null

Measure TLS connection and handshake time

Measure SSL connection time without/with session reuse:
    openssl s_time -connect example.com:443 -new
    openssl s_time -connect example.com:443 -reuse

Roughly examine TCP and SSL handshake times using curl:
    curl -kso /dev/null -w "tcp:%{time_connect}, ssldone:%{time_appconnect}\n" https://example.com

Measure the speed of various security algorithms:
    openssl speed rsa2048
    openssl speed ecdsap256

Convert between encoding and container formats

Convert a certificate between DER and PEM formats:
    openssl x509 -in example.pem -outform der -out example.der
    openssl x509 -in example.der -inform der -out example.pem

Combine several certificates in a PKCS7 (P7B) file:
    openssl crl2pkcs7 -nocrl -certfile child.crt -certfile ca.crt -out example.p7b

Convert from PKCS7 back to PEM. If the PKCS7 file has multiple certificates, the PEM file will contain all of them:
    openssl pkcs7 -in example.p7b -print_certs -out example.crt

Combine a PEM certificate file and a private key into PKCS#12 (.pfx, .p12). You can also add a chain of certificates to the PKCS12 file:
    openssl pkcs12 -export -out certificate.pfx -inkey privkey.pem -in certificate.pem -certfile ca-chain.pem

Convert a PKCS#12 file (.pfx, .p12) containing a private key and certificates back to PEM:
    openssl pkcs12 -in keystore.pfx -out keystore.pem -nodes
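Added example (not part of the original post) that runs the DER and PKCS#12 conversions above as round trips on a throwaway self-signed certificate and checks, via SHA-256 fingerprints and the key modulus, that nothing changed on the way. It assumes openssl on PATH, a scratch directory and a constructed placeholder password.

```shell
#!/bin/sh
# Assumed: openssl CLI on PATH. Works in a scratch directory on a throwaway self-signed cert.
set -eu
WORK="$(mktemp -d)"; trap 'rm -rf "$WORK"' EXIT; cd "$WORK"

# Minimal req config so nothing depends on the system openssl.cnf (constructed).
printf '[req]\nprompt = no\ndistinguished_name = dn\n[dn]\nCN = example.com\n' > req.conf
# Self-signed certificate plus a new private key, as in the cheatsheet.
openssl req -nodes -newkey rsa:2048 -keyout example.key -out example.crt -x509 -days 365 \
    -config req.conf 2>/dev/null

# SHA-256 fingerprint of a certificate; the second argument is the input encoding (pem|der).
fingerprint() {
    openssl x509 -in "$1" -inform "$2" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# PEM -> DER -> PEM. Both encodings describe the same certificate,
# so the fingerprint must survive the round trip unchanged.
der_roundtrip() {
    openssl x509 -in example.crt -outform der -out example.der
    openssl x509 -in example.der -inform der -out roundtrip.crt
    [ "$(fingerprint example.crt pem)" = "$(fingerprint example.der der)" ] &&
    [ "$(fingerprint example.crt pem)" = "$(fingerprint roundtrip.crt pem)" ]
}

# Bundle key + certificate into PKCS#12 and unpack it again. "changeit" is a
# constructed placeholder; in practice supply the password via a prompt or file.
pkcs12_roundtrip() {
    openssl pkcs12 -export -out keystore.pfx -inkey example.key -in example.crt \
        -passout pass:changeit
    openssl pkcs12 -in keystore.pfx -out keystore.pem -nodes -passin pass:changeit
    # keystore.pem holds both key and certificate: openssl x509 reads the first
    # CERTIFICATE block, openssl rsa the first private key; both must match the originals.
    [ "$(fingerprint keystore.pem pem)" = "$(fingerprint example.crt pem)" ] &&
    [ "$(openssl rsa -in keystore.pem -noout -modulus 2>/dev/null)" = \
      "$(openssl rsa -in example.key -noout -modulus 2>/dev/null)" ]
}
```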

List cipher suites

List the TLS cipher suites the openssl client is capable of:
    openssl ciphers -v

Enumerate all individual cipher suites described by a short-hand OpenSSL cipher list string. This is useful when you're configuring a server (like Nginx) and need to test your ssl_ciphers string:
    openssl ciphers -v 'EECDH+ECDSA+AESGCM:EECDH+aRSA+SHA256:EECDH:DHE+AESGCM:DHE:!RSA!aNULL:!eNULL:!LOW:!RC4'

Manually check certificate revocation status from OCSP responder

This is a multi-step process:

  1. Retrieve the certificate from a remote server
  2. Obtain the intermediate CA certificate chain
  3. Read the OCSP endpoint URI from the certificate
  4. Request certificate revocation status from a remote OCSP responder

First, retrieve the certificate from a remote server:
    openssl s_client -connect example.com:443 2>&1 < /dev/null | sed -n '/-----BEGIN/,/-----END/p' > cert.pem

You'd also need to obtain the intermediate CA certificate chain. Use the -showcerts flag to show the full certificate chain, and manually save all intermediate certificates to a chain.pem file:
    openssl s_client -showcerts -host example.com -port 443 </dev/null

Read the OCSP endpoint URI from the certificate:
    openssl x509 -in cert.pem -noout -ocsp_uri

Request certificate revocation status from the remote OCSP responder using the URI from the step above (e.g. http://ocsp.stg-int-x1.letsencrypt.org):
    openssl ocsp -header "Host" "ocsp.stg-int-x1.letsencrypt.org" -issuer chain.pem -VAfile chain.pem -cert cert.pem -text -url http://ocsp.stg-int-x1.letsencrypt.org

Note that the two-argument form of -header shown above is the OpenSSL 1.0.x syntax; OpenSSL 1.1.0 and later expect a single name=value argument, i.e. -header Host=ocsp.stg-int-x1.letsencrypt.org.

Translated from: https://www.freecodecamp.org/news/openssl-command-cheatsheet-b441be1e8c4a/
