![shell openssl](https://i-blog.csdnimg.cn/blog_migrate/6a3d17b24a7eaeb61f65f8e1dcfc7428.png)
shell openssl
OpenSSL is a free implementation of security protocols and a cryptography library provided by the free software community. Many enterprises use the OpenSSL libraries in their systems and products. The OpenSSL libraries and algorithms can be used from the shell with the openssl command. In this tutorial we will look at different use cases for the openssl command.
Private Key
Private keys should be kept secret. Private keys are generally used to decrypt data.
Public Key
Public keys are provided to everyone and are not secret. Public keys are generally used to encrypt data.
Certificate
Certificates hold keys and related information. Certificates generally hold public keys.
Generate Private Key and Certificate Signing Request
We can generate a private key together with a Certificate Signing Request. We can send the generated CertificateSigningRequest.csr to the Certificate Authority for approval and then we can use privateKey.key.
$ openssl req -out CertificateSigningRequest.csr -new -newkey rsa:2048 -nodes -keyout privateKey.key
![Generate Private Key and Certificate Signing Request](https://i-blog.csdnimg.cn/blog_migrate/f2d159ea21537bf9296fa72fd9e691bd.png)
Generate Self-Signed Certificate
If we will use the certificate only in our local environment and systems, we do not need to have it signed by a global Certificate Authority. So we can generate a self-signed certificate with the following command.
$ openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout privateKey.key -out certificate.crt
Generate Certificate Signing Request (CSR) with Existing Certificate
If we already have a certificate but need it approved by global Certificate Authorities, we need to generate a Certificate Signing Request with the following command, which uses the existing private key.
$ openssl req -out CSR.csr -key privateKey.key -new
Remove Passphrase From Private Key
Private keys are generally stored encrypted to make them more secure. But every time we want to use the private key we have to decrypt it. To make this more practical we can extract the private key and store it unencrypted. The resulting file is no longer protected by the passphrase, so access to it has to be restricted by file permissions.
$ openssl rsa -in privateKey.pem -out newPrivateKey.pem
Check and Print Certificate Signing Request (CSR)
We can print all the information in a Certificate Signing Request on the shell. We will use the following command for this.
$ openssl req -text -noout -verify -in CertificateSigningRequest.csr
![Check and Print Certificate Signing Request (CSR)](https://i-blog.csdnimg.cn/blog_migrate/6fec2511573175b96b38a0d2afc4a6f4.png)
Check and Print Private Key
We can print and check a private key with the following command. This will print the key information.
$ openssl rsa -in privateKey.key -check
Check and Print Certificate
We can print certificate information and related parts with the following command.
$ openssl x509 -in certificate.crt -text -noout
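The print commands above inspect one file at a time; to confirm that a key, a CSR and a certificate belong together, compare the public key each one contains. The script below is an added example, not part of the original tutorial; the -subj value, other.key and the temporary directory are assumptions that let it run unattended.

```shell
#!/bin/sh
# Added example. File names follow the tutorial; the -subj value, other.key and
# the temporary directory are constructed. Keys are unencrypted (-nodes).

# Print the SHA-256 digest of the public key held in a key, CSR or certificate.
pubkey_digest() {   # usage: pubkey_digest key|csr|cert FILE
    case "$1" in
        key)  pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1 ;;
        csr)  pub=$(openssl req -in "$2" -noout -pubkey 2>/dev/null) || return 1 ;;
        cert) pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1 ;;
        *)    return 2 ;;
    esac
    [ -n "$pub" ] || return 1
    printf '%s\n' "$pub" | openssl dgst -sha256 | awk '{print $NF}'
}

# Succeed only when both files carry the same public key; 2 means unreadable input.
same_keypair() {    # usage: same_keypair KIND1 FILE1 KIND2 FILE2
    a=$(pubkey_digest "$1" "$2") || return 2
    b=$(pubkey_digest "$3" "$4") || return 2
    [ "$a" = "$b" ]
}

# Build constructed sample files in directory $1 with the tutorial's commands.
make_samples() {
    openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -subj "/CN=example.test" \
        -keyout "$1/privateKey.key" -out "$1/certificate.crt" 2>/dev/null &&
    openssl req -out "$1/CSR.csr" -key "$1/privateKey.key" -new \
        -subj "/CN=example.test" 2>/dev/null &&
    openssl genrsa -out "$1/other.key" 2048 2>/dev/null
}

work=$(mktemp -d) && make_samples "$work" || exit 1
same_keypair key "$work/privateKey.key" cert "$work/certificate.crt" && echo "key matches certificate"
same_keypair csr "$work/CSR.csr" cert "$work/certificate.crt" && echo "CSR matches certificate"
same_keypair key "$work/other.key" cert "$work/certificate.crt" || echo "other.key does not match"
rm -rf "$work"
```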
Check and Print PKCS#12 Certificate (.pfx, .p12)
We can check and print PKCS#12 certificates with the following command.
$ openssl pkcs12 -info -in keyStore.p12
Check SSL Connection and Certificates
OpenSSL provides a client which can connect to web servers over SSL/TLS and print SSL/TLS certificate information.
$ openssl s_client -connect poftut.com:443
![Check SSL Connection and Certificates](https://i-blog.csdnimg.cn/blog_migrate/e824d49a3fc039189933a2150f8a3ac1.png)
Convert DER (.crt .cer .der) To PEM
Certificates can be stored in different formats. DER and PEM are two popular formats used to store certificates. We can convert DER to PEM with the following command.
$ openssl x509 -inform der -in certificate.cer -out certificate.pem
Convert PEM To DER
The reverse conversion from PEM to DER can be done with the following.
$ openssl x509 -outform der -in certificate.pem -out certificate.der
Convert PKCS#12 (.pfx .p12) To PEM
We can convert PKCS#12 format files to PEM files with the following command.
$ openssl pkcs12 -in keyStore.pfx -out keyStore.pem -nodes
Convert PEM To PKCS#12 (.pfx .p12)
We can convert PEM format to PKCS#12 format with the following command.
$ openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt
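The script below is an added example, not part of the original tutorial: it runs the four conversions above on a constructed self-signed certificate and checks that the certificate fingerprint is the same in every output format. The passphrase, the -subj value and the temporary directory are assumptions.

```shell
#!/bin/sh
# Added example. File names follow the tutorial; the passphrase, the -subj value
# and the temporary directory are constructed.
umask 077   # -nodes writes private keys unencrypted, so create files owner-only

# SHA-256 fingerprint of the first certificate in FILE; FORMAT is pem or der.
cert_fp() {         # usage: cert_fp FILE FORMAT
    openssl x509 -inform "$2" -in "$1" -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

# Constructed self-signed key and certificate in directory $1 (tutorial command plus -subj).
make_selfsigned() {
    openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -subj "/CN=example.test" \
        -keyout "$1/privateKey.key" -out "$1/certificate.crt" 2>/dev/null
}

# Run the tutorial's four conversions in directory $1 with PKCS#12 passphrase $2.
# -certfile is omitted because a self-signed certificate has no CA chain.
# pass: exposes the passphrase in the process list; prefer file: or env: in real use.
convert_all() {
    openssl x509 -outform der -in "$1/certificate.crt" -out "$1/certificate.der" &&
    openssl x509 -inform der -in "$1/certificate.der" -out "$1/certificate.pem" &&
    openssl pkcs12 -export -out "$1/certificate.pfx" -inkey "$1/privateKey.key" \
        -in "$1/certificate.crt" -passout "pass:$2" 2>/dev/null &&
    openssl pkcs12 -in "$1/certificate.pfx" -out "$1/keyStore.pem" -nodes \
        -passin "pass:$2" 2>/dev/null
}

# Succeed only if every converted copy still has the original fingerprint.
conversions_preserve_cert() {
    want=$(cert_fp "$1/certificate.crt" pem)
    [ -n "$want" ] || return 2
    [ "$(cert_fp "$1/certificate.der" der)" = "$want" ] &&
    [ "$(cert_fp "$1/certificate.pem" pem)" = "$want" ] &&
    [ "$(cert_fp "$1/keyStore.pem" pem)" = "$want" ]
}

work=$(mktemp -d) && make_selfsigned "$work" && convert_all "$work" "constructed-passphrase" || exit 1
conversions_preserve_cert "$work" && echo "all conversions kept the same certificate"
rm -rf "$work"
```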
Translated from: https://www.poftut.com/openssl-shell-commands-tutorial-examples/