OpenSSL Shell Commands Tutorial with Examples

OpenSSL is a free library implementing security protocols, provided by the free software community. Many enterprises use the OpenSSL libraries in their systems and products. The libraries and their algorithms can be used from the shell through the openssl command. In this tutorial we will look at different use cases for the openssl command.

Private Key

Private keys should be kept secret. Private keys are generally used to decrypt data.

Public Key

Public keys are provided to everyone and are not secret. Public keys are generally used to encrypt data.

Certificate

Certificates hold keys and related information. Certificates generally hold public keys.

Generate Private Key and Certificate Signing Request

We can generate a private key together with a Certificate Signing Request. We can send the generated CertificateSigningRequest.csr to the Certificate Authority for approval and then we can use privateKey.key. The -nodes option writes privateKey.key without passphrase encryption.

$ openssl req -out CertificateSigningRequest.csr -new -newkey rsa:2048 -nodes -keyout privateKey.key

Generate Self-Signed Certificate

If we will use the certificate only in our local environment and systems, we do not need to have it signed by a global Certificate Authority. So we can generate a self-signed certificate with the following command.

$ openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout privateKey.key -out certificate.crt

Generate Certificate Signing Request (CSR) with Existing Certificate

If we already have a certificate but need it approved by a global Certificate Authority, we need to generate a Certificate Signing Request with the following command. The request is built from the existing private key, passed with -key.

$ openssl req -out CSR.csr -key privateKey.key -new

Remove Passphrase From Private Key

Private keys are generally stored encrypted to make them more secure. But every time we want to use the private key we have to decrypt it. To make this more practical we can extract the private key and store it unencrypted. The resulting file holds the key in clear text, so access to it should be restricted with file permissions.

$ openssl rsa -in privateKey.pem -out newPrivateKey.pem

Check and Print Certificate Signing Request (CSR)

We can print all information provided by a Certificate Signing Request on the shell. We will use the following command for this.

$ openssl req -text -noout -verify -in CertificateSigningRequest.csr

Check and Print Private Key

We can print and check a private key with the following command. This will print key information; the -check option also verifies the consistency of the key.

$ openssl rsa -in privateKey.key -check

Check and Print Certificate

We can print certificate information and related parts with the following command.

$ openssl x509 -in certificate.crt -text -noout
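
One check the commands above lead to is confirming that a private key, a CSR and a certificate belong together. The following is an added example, not part of the original tutorial; the -subj values and the other.key/other.csr files are constructed for the demonstration:

```shell
#!/bin/sh
# Added example: check that a private key, a CSR and a certificate belong together.
# File names follow the page; the subjects CN=example.test and CN=other.test are constructed.

# Read a PEM public key on stdin and print the SHA-256 of its normalised PEM form.
# Prints nothing and returns 1 when the input is not a public key.
spki_hash() {
    pem=$(openssl pkey -pubin 2>/dev/null) || return 1
    printf '%s\n' "$pem" | openssl dgst -sha256 -r | cut -d' ' -f1
}

key_hash()  { openssl pkey -in "$1" -pubout 2>/dev/null | spki_hash; }
csr_hash()  { openssl req -in "$1" -noout -pubkey 2>/dev/null | spki_hash; }
cert_hash() { openssl x509 -in "$1" -noout -pubkey 2>/dev/null | spki_hash; }

# Return 0 only when key ($1), CSR ($2) and certificate ($3) carry one public key.
same_keypair() {
    k=$(key_hash "$1") && r=$(csr_hash "$2") && c=$(cert_hash "$3") &&
    [ "$k" = "$r" ] && [ "$k" = "$c" ]
}

# Create throwaway material in a private directory and print its path.
make_demo() {
    d=$(mktemp -d) || return 1
    (   umask 077 && cd "$d" &&
        openssl req -x509 -sha256 -nodes -days 1 -newkey rsa:2048 -subj "/CN=example.test" \
            -keyout privateKey.key -out certificate.crt &&
        openssl req -out CSR.csr -key privateKey.key -new -subj "/CN=example.test" &&
        openssl req -out other.csr -new -newkey rsa:2048 -nodes -subj "/CN=other.test" \
            -keyout other.key
    ) >/dev/null 2>&1 || return 1
    echo "$d"
}

d=$(make_demo) || exit 1
same_keypair "$d/privateKey.key" "$d/CSR.csr" "$d/certificate.crt" &&
    echo "key, CSR and certificate match"
same_keypair "$d/other.key" "$d/CSR.csr" "$d/certificate.crt" ||
    echo "other.key does not match"
rm -rf "$d"
```

Comparing public keys works for any key type that openssl pkey can read, unlike comparing RSA moduli.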

Check and Print PKCS#12 Certificate (.pfx, .p12)

We can check and print PKCS#12 certificates with the following command.

$ openssl pkcs12 -info -in keyStore.p12

Check SSL Connection and Certificates

OpenSSL provides a client (s_client) which can connect to web servers over SSL/TLS and print SSL/TLS certificate information.

$ openssl s_client -connect poftut.com:443

Convert DER (.crt .cer .der) To PEM

Certificates can be stored in different formats. DER and PEM are two popular formats used to store certificates. We can convert DER to PEM with the following command.

$ openssl x509 -inform der -in certificate.cer -out certificate.pem

Convert PEM To DER

The reverse conversion from PEM to DER can be done with the following command.

$ openssl x509 -outform der -in certificate.pem -out certificate.der

Convert PKCS#12 (.pfx .p12) To PEM

We can convert PKCS#12 format files to PEM files with the following command. With -nodes, the private key in keyStore.pem is written unencrypted.

$ openssl pkcs12 -in keyStore.pfx -out keyStore.pem -nodes

Convert PEM To PKCS#12 (.pfx .p12)

We can convert PEM format to PKCS#12 format with the following command.

$ openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt
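
The conversions in the last four sections can be verified by comparing certificate fingerprints before and after. This is an added example, not from the original tutorial; it assumes a throwaway self-signed certificate, omits the -certfile CACert.crt chain, and takes the PKCS#12 password from a constructed PFX_PASS environment variable:

```shell
#!/bin/sh
# Added example: move one certificate through PEM, DER and PKCS#12 and confirm
# nothing changed. The subject, extra file names and PFX_PASS value are constructed.

# SHA-256 fingerprint of a certificate file; $2 is its encoding (pem or der).
fingerprint() {
    openssl x509 -in "$1" -inform "${2:-pem}" -noout -fingerprint -sha256 2>/dev/null |
        cut -d= -f2
}

# Create a throwaway key and certificate, run every conversion, print the directory.
convert_all() {
    d=$(mktemp -d) || return 1
    (   umask 077 && cd "$d" &&
        openssl req -x509 -sha256 -nodes -days 1 -newkey rsa:2048 -subj "/CN=example.test" \
            -keyout privateKey.key -out certificate.crt &&
        openssl x509 -outform der -in certificate.crt -out certificate.der &&
        openssl x509 -inform der -in certificate.der -out certificate.pem &&
        # The password is read from the environment so it does not appear in argv.
        openssl pkcs12 -export -out keyStore.pfx -inkey privateKey.key \
            -in certificate.crt -passout env:PFX_PASS &&
        openssl pkcs12 -in keyStore.pfx -passin env:PFX_PASS -nokeys -out fromPfx.pem &&
        # Extract the key with -nodes (clear text) and without it (re-encrypted).
        openssl pkcs12 -in keyStore.pfx -passin env:PFX_PASS -nocerts -nodes -out plainKey.pem &&
        openssl pkcs12 -in keyStore.pfx -passin env:PFX_PASS -nocerts \
            -passout env:PFX_PASS -out encKey.pem
    ) >/dev/null 2>&1 || return 1
    echo "$d"
}

# Return 0 when all four encodings in directory $1 carry the same certificate.
same_cert() {
    ref=$(fingerprint "$1/certificate.crt")
    [ -n "$ref" ] &&
    [ "$ref" = "$(fingerprint "$1/certificate.der" der)" ] &&
    [ "$ref" = "$(fingerprint "$1/certificate.pem")" ] &&
    [ "$ref" = "$(fingerprint "$1/fromPfx.pem")" ]
}

# Return 0 when a PEM key file is stored encrypted.
key_is_encrypted() { grep -q 'ENCRYPTED' "$1"; }

export PFX_PASS='constructed-demo-password'
d=$(convert_all) || exit 1
same_cert "$d" && echo "all encodings match: $(fingerprint "$d/certificate.crt")"
key_is_encrypted "$d/plainKey.pem" || echo "plainKey.pem is stored in clear text"
rm -rf "$d"
```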

Translated from: https://www.poftut.com/openssl-shell-commands-tutorial-examples/
