A First Look at OpenSSL

Several common file formats for exchanging cryptographic material:
DER-encoded certificate: .cer/.crt (.cer/.crt hold a certificate in binary form; no private key)
PEM-encoded message: .pem (the difference from .crt/.cer is that .pem is an ASCII text encoding)
PKCS#12 - Personal Information Exchange: .pfx/.p12 (.pfx/.p12 hold a personal certificate together with its private key; usually protected by a password; binary)
PKCS#10 - Certification Request: .p10 (.p10 is a certificate signing request)
PKCS#7 - cert request response: .p7r (.p7r is the CA's reply to a certificate request; used only for import)
PKCS#7 - binary message: .p7b (.p7b presents a certificate chain as a tree; it also supports a single certificate; no private key)
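To make the formats in the list above concrete, here is an added example (not part of the original post) that creates one self-signed certificate and then emits the same material as DER, PKCS#12, PKCS#7 and a PKCS#10 request, so the files can be compared side by side. The file names, the subject name and the PKCS#12 passphrase are constructed for this example; the functions take a working directory as their first argument.

```shell
#!/bin/sh
# Added example: one certificate, several container formats.
# Requires the openssl command-line tool; all names below are constructed.

# Create a 2048-bit RSA key and a self-signed certificate in WORKDIR.
make_cert() {
    dir=$1
    openssl genrsa -out "$dir/key.pem" 2048 2>/dev/null
    openssl req -new -x509 -key "$dir/key.pem" -days 365 \
        -subj '/CN=example-test' -out "$dir/cert.pem" 2>/dev/null
}

# PEM -> DER (.cer/.crt in the list): the same certificate, binary encoding.
to_der() { openssl x509 -in "$1/cert.pem" -outform DER -out "$1/cert.der"; }

# Key + certificate -> PKCS#12 (.pfx/.p12); the private key travels inside,
# so the file is protected by a passphrase.
to_pkcs12() {
    openssl pkcs12 -export -inkey "$1/key.pem" -in "$1/cert.pem" \
        -passout pass:s3cret -out "$1/bundle.p12"
}

# Certificate(s) only -> PKCS#7 (.p7b); no private key is ever included.
to_pkcs7() { openssl crl2pkcs7 -nocrl -certfile "$1/cert.pem" -out "$1/chain.p7b"; }

# A PKCS#10 request (.p10) for the same key: what you would send to a CA.
make_csr() {
    openssl req -new -key "$1/key.pem" -subj '/CN=example-test' \
        -out "$1/req.p10" 2>/dev/null
}

# SHA-256 fingerprint of certificate FILE; FORM is PEM or DER.
fingerprint() { openssl x509 -inform "$2" -in "$1" -noout -fingerprint -sha256; }

# Fingerprint of the certificate recovered from the PKCS#12 bundle.
fingerprint_p12() {
    openssl pkcs12 -in "$1/bundle.p12" -passin pass:s3cret -nokeys -clcerts 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256
}

# Number of certificates inside the PKCS#7 bundle.
p7b_cert_count() {
    openssl pkcs7 -in "$1/chain.p7b" -print_certs -noout | grep -c '^subject='
}

# Stand-alone run: build everything in a temporary directory and show that
# every container carries the same certificate.
if command -v openssl >/dev/null 2>&1; then
    w=$(mktemp -d)
    make_cert "$w"; to_der "$w"; to_pkcs12 "$w"; to_pkcs7 "$w"; make_csr "$w"
    echo "PEM:  $(fingerprint "$w/cert.pem" PEM)"
    echo "DER:  $(fingerprint "$w/cert.der" DER)"
    echo "P12:  $(fingerprint_p12 "$w")"
    echo "P7B:  $(p7b_cert_count "$w") certificate(s)"
    rm -rf "$w"
else
    echo "openssl not found in PATH" >&2
fi
```

The three fingerprints printed are identical: DER, PEM and the certificate inside the PKCS#12 file are one and the same object, only the wrapper differs. What does differ is the sensitivity of the file: only the .p12 contains the private key, which is why it is the one that must be passphrase-protected and handled like a secret.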


Some OpenSSL RSA commands:
Generate an RSA key
openssl genrsa -des3 -out prikey.pem
Remove the passphrase protecting the key file
openssl rsa -in prikey.pem -out prikey.pem
Extract the public key
openssl rsa -in prikey.pem -pubout -out pubkey.pem
Sign a file
openssl rsautl -sign -inkey prikey.pem -in a.txt -out sig.dat
Verify the signature (with -pubin the key file must be the public key, not the private key)
openssl rsautl -verify -inkey pubkey.pem -pubin -in sig.dat -out unsig.dat
Encrypt a file with the public key
openssl rsautl -encrypt -pubin -inkey pubkey.pem -in a.text -out b.text
Decrypt with the private key
openssl rsautl -decrypt -inkey prikey.pem -in b.text
Encrypt with the public key taken from a certificate (untested)
openssl rsautl -encrypt -certin -inkey cert1.pem -in a.txt
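The rsautl commands above perform raw RSA operations: -sign applies PKCS#1 v1.5 padding to the input bytes as they are, with no hashing, and -encrypt uses PKCS#1 v1.5 padding as well. rsautl is also marked deprecated in OpenSSL 3.0 in favour of pkeyutl. The following added example (not from the original post) does the same four steps with the current tools: an AES-256 passphrase on the key instead of -des3, OAEP padding for encryption, and hash-then-sign via openssl dgst, and it shows that a modified file fails verification. The passphrase, file names and message are constructed.

```shell
#!/bin/sh
# Added example: RSA key handling with the current OpenSSL CLI.
# Requires the openssl command-line tool; names and passphrase are constructed.

# Create a passphrase-protected private key, a passphrase-free copy and the
# public key inside WORKDIR (AES-256 instead of the post's -des3).
rsa_make_keys() {
    dir=$1
    openssl genrsa -aes256 -passout pass:s3cret -out "$dir/prikey.pem" 2048 2>/dev/null
    openssl rsa -in "$dir/prikey.pem" -passin pass:s3cret \
        -out "$dir/prikey_nopass.pem" 2>/dev/null
    openssl rsa -in "$dir/prikey_nopass.pem" -pubout -out "$dir/pubkey.pem" 2>/dev/null
}

# Write MSG to WORKDIR/msg, encrypt it with the public key (RSA-OAEP, SHA-256),
# decrypt it with the private key and print the recovered plaintext.
rsa_roundtrip() {
    dir=$1
    printf '%s' "$2" > "$dir/msg"
    openssl pkeyutl -encrypt -pubin -inkey "$dir/pubkey.pem" \
        -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256 \
        -in "$dir/msg" -out "$dir/msg.enc"
    openssl pkeyutl -decrypt -inkey "$dir/prikey_nopass.pem" \
        -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256 \
        -in "$dir/msg.enc" -out "$dir/msg.dec"
    cat "$dir/msg.dec"
}

# Hash WORKDIR/msg with SHA-256 and sign the digest (what rsautl -sign skips).
rsa_sign() {
    openssl dgst -sha256 -sign "$1/prikey_nopass.pem" -out "$1/msg.sig" "$1/msg"
}

# Return 0 when WORKDIR/msg.sig is a valid signature over FILE, non-zero otherwise.
rsa_verify() {
    openssl dgst -sha256 -verify "$1/pubkey.pem" -signature "$1/msg.sig" "$2" >/dev/null 2>&1
}

# Stand-alone run: round-trip a message, sign it, then show that a changed
# copy of the file no longer verifies.
if command -v openssl >/dev/null 2>&1; then
    w=$(mktemp -d)
    rsa_make_keys "$w"
    echo "decrypted: $(rsa_roundtrip "$w" 'hello openssl')"
    rsa_sign "$w"
    rsa_verify "$w" "$w/msg" && echo "original: signature OK"
    printf '%s' 'hello openssl!' > "$w/tampered"
    rsa_verify "$w" "$w/tampered" || echo "tampered: signature REJECTED"
    rm -rf "$w"
else
    echo "openssl not found in PATH" >&2
fi
```

Two practical points follow from the example: openssl dgst -verify reports the result in its exit status, so scripts can branch on it rather than parsing "Verified OK"; and an RSA-encrypted message can be at most a few hundred bytes, so for real files the public key is used to wrap a symmetric key and the file is encrypted with that key.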


Some OpenSSL X509 commands:
Print the contents of a certificate
openssl x509 -in cert.pem -noout -text
Print the serial number of a certificate
openssl x509 -in cert.pem -noout -serial
Print the subject name of a certificate
openssl x509 -in cert.pem -noout -subject
Print the subject name in the format specified by RFC 2253
openssl x509 -in cert.pem -noout -subject -nameopt RFC2253
Print the MD5 fingerprint of a certificate
openssl x509 -in cert.pem -noout -fingerprint
Print the SHA-1 fingerprint of a certificate
openssl x509 -sha1 -in cert.pem -noout -fingerprint
Convert a PEM certificate to DER
openssl x509 -in cert.pem -inform PEM -out cert.der -outform DER
Turn a certificate back into a CSR
openssl x509 -x509toreq -in cert.pem -out req.pem -signkey key.pem
Process a CSR: issue a self-signed certificate and add the CA extensions
openssl x509 -req -in careq.pem -extfile openssl.cnf -extensions v3_ca -signkey key.pem -out cacert.pem
Sign a CSR with the CA, adding the user-certificate extensions (without -out the certificate is written to stdout)
openssl x509 -req -in req.pem -extfile openssl.cnf -extensions v3_usr -CA cacert.pem -CAkey key.pem -CAcreateserial
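The last two commands are the core of a small CA. As an added example (not from the original post), the script below carries the procedure through end to end: it writes an extension file with v3_ca and v3_usr sections (the post refers to sections of that name in openssl.cnf; the contents here are constructed), issues the self-signed CA certificate from a CSR, signs an end-entity CSR with it, checks the chain with openssl verify, and finally compares key and certificate moduli the same way the script at the end of the post does. Directory layout, subjects and file names are constructed.

```shell
#!/bin/sh
# Added example: a two-level PKI built with openssl x509 -req.
# Requires the openssl command-line tool; all names below are constructed.

# Extension sections: a CA that may only sign certificates and CRLs, and an
# end-entity profile that is explicitly not a CA.
write_extfile() {
    cat > "$1/ext.cnf" <<'EOF'
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ v3_usr ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
}

# CA key, CA CSR, and the self-signed CA certificate with v3_ca extensions.
make_ca() {
    dir=$1
    openssl genrsa -out "$dir/cakey.pem" 2048 2>/dev/null
    openssl req -new -key "$dir/cakey.pem" -subj '/CN=Example Test CA' \
        -out "$dir/careq.pem" 2>/dev/null
    openssl x509 -req -in "$dir/careq.pem" -extfile "$dir/ext.cnf" -extensions v3_ca \
        -signkey "$dir/cakey.pem" -days 365 -out "$dir/cacert.pem" 2>/dev/null
}

# End-entity key and CSR, signed by the CA with v3_usr extensions.
make_user_cert() {
    dir=$1
    openssl genrsa -out "$dir/key.pem" 2048 2>/dev/null
    openssl req -new -key "$dir/key.pem" -subj '/CN=host.example.test' \
        -out "$dir/req.pem" 2>/dev/null
    openssl x509 -req -in "$dir/req.pem" -extfile "$dir/ext.cnf" -extensions v3_usr \
        -CA "$dir/cacert.pem" -CAkey "$dir/cakey.pem" -CAcreateserial -days 90 \
        -out "$dir/cert.pem" 2>/dev/null
}

# Return 0 when CERT chains to the CA in CAFILE, non-zero otherwise.
verify_chain() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# Return 0 when the certificate carries basicConstraints CA:TRUE.
cert_is_ca() { openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; }

# Print "match" when KEY belongs to CERT, "mismatch" otherwise, by comparing
# hashes of the two moduli (the same check as in the post's script).
key_matches_cert() {
    k=$(openssl rsa -noout -modulus -in "$1" | openssl sha256)
    c=$(openssl x509 -noout -modulus -in "$2" | openssl sha256)
    [ "$k" = "$c" ] && echo match || echo mismatch
}

# Stand-alone run.
if command -v openssl >/dev/null 2>&1; then
    w=$(mktemp -d)
    write_extfile "$w"; make_ca "$w"; make_user_cert "$w"
    verify_chain "$w/cacert.pem" "$w/cert.pem" && echo "chain: OK"
    cert_is_ca "$w/cert.pem" || echo "end-entity is not a CA: OK"
    echo "key/cert: $(key_matches_cert "$w/key.pem" "$w/cert.pem")"
    echo "cakey/cert: $(key_matches_cert "$w/cakey.pem" "$w/cert.pem")"
    rm -rf "$w"
else
    echo "openssl not found in PATH" >&2
fi
```

The extension sections are where the security properties live: without basicConstraints CA:FALSE on the end-entity profile, a leaf certificate issued this way could itself be used to sign further certificates that chain to the CA, so it is worth confirming with openssl x509 -text that issued certificates carry the constraints you expect.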


Below is a shell script that creates a private/public key pair and exercises it (encrypt/decrypt, sign/verify, and a check that the key matches the certificate):

#!/bin/bash

if [ "$1" == "" ]; then
    echo "Create a test certificate key."
    echo "Usage: $0 NAME"
    echo "Will generate NAME.pk8 and NAME.x509.pem"
    echo "  /C=US/ST=California/L=Mountain View/O=Android/OU=Android/CN=Android/emailAddress=android@android.com"
    exit
fi

# PEM RSA private key
# -3 selects public exponent 3, as in the original script (OpenSSL's default
# exponent is 65537)
openssl genrsa -3 -out "$1.pem" 2048

# PEM certificate (PKCS#10 X.509 Certificate Signing Request)
# -x509 option outputs a self signed certificate
openssl req -new -x509 -key "$1.pem" -out "$1.x509.pem" -days 10000 \
    -subj '/C=US/ST=California/L=Mountain View/O=Android/OU=Android/CN=Android/emailAddress=android@android.com'

# PKCS#8 format private key
openssl pkcs8 -topk8 -inform PEM -outform DER -in "$1.pem" -out "$1.pk8" -nocrypt

######################################################
# public key as SubjectPublicKeyInfo ("BEGIN PUBLIC KEY") and as PKCS#1
# ("BEGIN RSA PUBLIC KEY")
openssl rsa -in "$1.pem" -pubout -out "$1_pub.key"
openssl rsa -in "$1.pem" -RSAPublicKey_out -out "$1_rsa_pub.key"

# sample plaintext used by the steps below; create it if it does not exist
[ -f hello ] || echo "hello" > hello

# encrypt
openssl rsautl -encrypt -in hello -inkey "$1_pub.key" -pubin -out hello.en
openssl rsautl -decrypt -in hello.en -inkey "$1.pem" -out hello.de
# signature
openssl rsautl -sign -inkey "$1.pem" -in hello -out hello.sign
openssl rsautl -verify -inkey "$1_pub.key" -pubin -in hello.sign -out hello.unsign

######################################################
## Check that the private key matches the certificate
## (the two MD5 values must be identical)
######################################################
openssl rsa -noout -modulus -in "$1.pem" | openssl md5		# private key
openssl x509 -noout -modulus -in "$1.x509.pem" | openssl md5	# certificate
