几种典型的密码交换信息文件格式:
DER - encoded certificate: .cer/.crt(.cer/.crt是用于存放证书,以二进制形式存放,不含私钥)
PEM - encoded message: .pem(.pem跟crt/cer的区别是它以ASCII来表示)
PKCS#12 - Personal Information Exchange: .pfx/.p12(pfx/p12用于存放个人证书/私钥,通常包含保护密码,二进制方式)
PKCS#10 - Certification Request: .p10(p10是证书请求)
PKCS#7 - cert request response: .p7r(p7r是CA对证书请求的回复,只用于导入)
PKCS#7 - binary message: .p7b(p7b以树状展示证书链(certificate chain),同时也支持单个证书,不含私钥)
OpenSSL RSA部分命令:
生成rsa密钥
openssl genrsa -des3 -out prikey.pem
去除掉密钥文件保护密码
openssl rsa -in prikey.pem -out prikey.pem
分离出公钥
openssl rsa -in prikey.pem -pubout -out pubkey.pem
对文件进行签名
openssl rsautl -sign -inkey prikey.pem -in a.txt -out sig.dat
验证签名
openssl rsautl -verify -inkey prikey.pem -pubin -in sig.dat -out unsig.dat
用公钥对文件加密
openssl rsautl -encrypt -pubin -inkey pubkey.pem -in a.text -out b.text
用私钥解密
openssl rsautl -decrypt -inkey prikey.pem -in b.text
用证书中的公钥加密(未验证)
opensll rsautl -encrypt -certin -inkey cert1.pem -in a.txt
OpenSSL X509部分命令:
打印出证书的内容
openssl x509 -in cert.pem -noout -text
打印出证书的系列号
openssl x509 -in cert.pem -noout -serial
打印出证书的拥有者名字
openssl x509 -in cert.pem -noout -subject
以RFC2253规定的格式打印出证书的拥有者名字
openssl x509 -in cert.pem -noout -subject -nameopt RFC2253
打印出证书的MD5特征参数
openssl x509 -in cert.pem -noout -fingerprint
打印出证书的SHA特征参数
openssl x509 -sha1 -in cert.pem -noout -fingerprint
把PEM格式的证书转化成DER格式
openssl x509 -in cert.pem -inform PEM -out cert.der -outform DER
把一个证书转化成CSR
openssl x509 -x509toreq -in cert.pem -out req.pem -signkey key.pem
给一个CSR进行处理,颁发字签名证书,增加CA扩展项
openssl x509 -req -in careq.pem -extfile openssl.cnf -extensions v3_ca -signkey key.pem -out cacert.pem
给一个CSR签名,增加用户证书扩展项
DER - encoded certificate: .cer/.crt(.cer/.crt是用于存放证书,以二进制形式存放,不含私钥)
PEM - encoded message: .pem(.pem跟crt/cer的区别是它以ASCII来表示)
PKCS#12 - Personal Information Exchange: .pfx/.p12(pfx/p12用于存放个人证书/私钥,通常包含保护密码,二进制方式)
PKCS#10 - Certification Request: .p10(p10是证书请求)
PKCS#7 - cert request response: .p7r(p7r是CA对证书请求的回复,只用于导入)
PKCS#7 - binary message: .p7b(p7b以树状展示证书链(certificate chain),同时也支持单个证书,不含私钥)
OpenSSL RSA部分命令:
生成rsa密钥
openssl genrsa -des3 -out prikey.pem
去除掉密钥文件保护密码
openssl rsa -in prikey.pem -out prikey.pem
分离出公钥
openssl rsa -in prikey.pem -pubout -out pubkey.pem
对文件进行签名
openssl rsautl -sign -inkey prikey.pem -in a.txt -out sig.dat
验证签名
openssl rsautl -verify -inkey prikey.pem -pubin -in sig.dat -out unsig.dat
用公钥对文件加密
openssl rsautl -encrypt -pubin -inkey pubkey.pem -in a.text -out b.text
用私钥解密
openssl rsautl -decrypt -inkey prikey.pem -in b.text
用证书中的公钥加密(未验证)
opensll rsautl -encrypt -certin -inkey cert1.pem -in a.txt
OpenSSL X509部分命令:
打印出证书的内容
openssl x509 -in cert.pem -noout -text
打印出证书的系列号
openssl x509 -in cert.pem -noout -serial
打印出证书的拥有者名字
openssl x509 -in cert.pem -noout -subject
以RFC2253规定的格式打印出证书的拥有者名字
openssl x509 -in cert.pem -noout -subject -nameopt RFC2253
打印出证书的MD5特征参数
openssl x509 -in cert.pem -noout -fingerprint
打印出证书的SHA特征参数
openssl x509 -sha1 -in cert.pem -noout -fingerprint
把PEM格式的证书转化成DER格式
openssl x509 -in cert.pem -inform PEM -out cert.der -outform DER
把一个证书转化成CSR
openssl x509 -x509toreq -in cert.pem -out req.pem -signkey key.pem
给一个CSR进行处理,颁发字签名证书,增加CA扩展项
openssl x509 -req -in careq.pem -extfile openssl.cnf -extensions v3_ca -signkey key.pem -out cacert.pem
给一个CSR签名,增加用户证书扩展项
openssl x509 -req -in req.pem -extfile openssl.cnf -extensions v3_usr -CA cacert.pem -CAkey key.pem -CAcreateserial
下面是一个创建及验证私钥公钥的Shell脚本:
#!/bin/bash
if [ "$1" == "" ]; then
echo "Create a test certificate key."
echo "Usage: $0 NAME"
echo "Will generate NAME.pk8 and NAME.x509.pem"
echo " /C=US/ST=California/L=Mountain View/O=Android/OU=Android/CN=Android/emailAddress=android@android.com"
exit
fi
# PEM RSA private key
openssl genrsa -3 -out $1.pem 2048
# PEM certificate (PKCS#10 X.509 Certificate Signing Request)
# -x509 option outputs a self signed certificate
openssl req -new -x509 -key $1.pem -out $1.x509.pem -days 10000 \
-subj '/C=US/ST=California/L=Mountain View/O=Android/OU=Android/CN=Android/emailAddress=android@android.com'
# PKCS#8 format private key
openssl pkcs8 -topk8 -inform PEM -outform DER -in $1.pem -out $1.pk8 -nocrypt
######################################################
openssl rsa -in $1.pem -pubout -out $1_pub.key
openssl rsa -in $1.pem -RSAPublicKey_out -out $1_rsa_pub.key
# encrypt
openssl rsautl -encrypt -in hello -inkey $1_pub.key -pubin -out hello.en
openssl rsautl -decrypt -in hello.en -inkey $1.pem -out hello.de
# signature
openssl rsautl -sign -inkey $1.pem -in hello -out hello.sign
openssl rsautl -verify -inkey $1_pub.key -pubin -in hello.sign -out hello.unsign
######################################################
## 检查私钥是否与证书匹配
######################################################
openssl rsa -noout -modulus -in $1.pem | openssl md5 # private key
openssl x509 -noout -modulus -in $1.x509.pem | openssl md5 # CA