Openssl常用命令
Opness介绍
openssl是一个安全套接字层密码库,囊括主要的密码算法、常用密钥、证书封装管理功能及实现ssl协议。OpenSSL整个软件包大概可以分成三个主要的功能部分:SSL协议库libssl、应用程序命令工具以及密码算法库libcrypto。
简言之,日常中和密钥相关的操作都可以使用opnessl完成,下面将梳理一下日常常用的命令
命令
密钥相关
创建RSA私钥
$ openssl genrsa -out privkey.pem 2048
生成RSA公钥
$ openssl rsa -in privkey.pem -inform pem -pubout -out pubkey.pem
解析RSA私钥/公钥
$ openssl rsa -text -in privkey.pem
$ openssl rsa -text -pubin -in pubkey.pem
RSA私钥 PKCS1格式转PKCS8格式:PKCS8是私钥通用编码格式
$ openssl pkcs8 -topk8 -inform PEM -in privkey.pem -outform pem -nocrypt -out a.pem
RSA私钥 PKCS8转PKCS1格式
$ openssl rsa -in pkcs8_privkey.pem -out b.pem
可以检查,发现b.pem和privkey.pem完全一致
将RSA私钥从PEM格式转成DER格式:DER和PEM格式密钥内容完全一致,只是编码方式不同,PEM是BASE64,而DER为二进制形式
$ openssl rsa -inform PEM -outform DER -in privkey.pem -out privkey.der
将RSA私钥从DER格式转成PEM格式
$ openssl rsa -inform DER -outform PEM -in privkey.der -out privkey_new_pem.pem
使用RSA公钥对数据加密
$ openssl rsautl -encrypt -inkey pubkey.pem -pubin -in hash.bin -out encrypted.bin
使用RSA私钥对数据解密
$ openssl rsautl -decrypt -inkey privkey.pem -in encrypted.bin -out decrypted.bin
然后对比hash.bin和decrypted.bin的md5值,发现完全一致
$ md5sum.exe hash.bin
f5291538e95fff1380a3279068485955 *hash.bin
$ md5sum.exe decrypted.bin
f5291538e95fff1380a3279068485955 *decrypted.bin
使用RSA私钥签名,会对hash.bin进行hash运算后再进行加密
$ openssl dgst -sha256 -sign privkey.pem -out sign.bin hash.bin
使用RSA公钥验签,会对sign.bin进行hash后与解密后的sign.bin进行对比
$ openssl dgst -sha256 -verify pubkey.pem -signature sign.bin hash.bin
Verified OK
创建ECC密钥,先查看支持哪些椭圆曲线
$ openssl ecparam -list_curves
secp112r1 : SECG/WTLS curve over a 112 bit prime field
secp112r2 : SECG curve over a 112 bit prime field
secp128r1 : SECG curve over a 128 bit prime field
secp128r2 : SECG curve over a 128 bit prime field
secp160k1 : SECG curve over a 160 bit prime field
secp160r1 : SECG curve over a 160 bit prime field
secp160r2 : SECG/WTLS curve over a 160 bit prime field
secp192k1 : SECG curve over a 192 bit prime field
secp224k1 : SECG curve over a 224 bit prime field
secp224r1 : NIST/SECG curve over a 224 bit prime field
secp256k1 : SECG curve over a 256 bit prime field
secp384r1 : NIST/SECG curve over a 384 bit prime field
secp521r1 : NIST/SECG curve over a 521 bit prime field
prime192v1: NIST/X9.62/SECG curve over a 192 bit prime field
prime192v2: X9.62 curve over a 192 bit prime field
prime192v3: X9.62 curve over a 192 bit prime field
prime239v1: X9.62 curve over a 239 bit prime field
prime239v2: X9.62 curve over a 239 bit prime field
prime239v3: X9.62 curve over a 239 bit prime field
prime256v1: X9.62/SECG curve over a 256 bit prime field
sect113r1 : SECG curve over a 113 bit binary field
sect113r2 : SECG curve over a 113 bit binary field
sect131r1 : SECG/WTLS curve over a 131 bit binary field
sect131r2 : SECG curve over a 131 bit binary field
sect163k1 : NIST/SECG/WTLS curve over a 163 bit binary field
sect163r1 : SECG curve over a 163 bit binary field
sect163r2 : NIST/SECG curve over a 163 bit binary field
sect193r1 : SECG curve over a 193 bit binary field
sect193r2 : SECG curve over a 193 bit binary field
sect233k1 : NIST/SECG/WTLS curve over a 233 bit binary field
sect233r1 : NIST/SECG/WTLS curve over a 233 bit binary field
sect239k1 : SECG curve over a 239 bit binary field
sect283k1 : NIST/SECG curve over a 283 bit binary field
sect283r1 : NIST/SECG curve over a 283 bit binary field
sect409k1 : NIST/SECG curve over a 409 bit binary field
sect409r1 : NIST/SECG curve over a 409 bit binary field
sect571k1 : NIST/SECG curve over a 571 bit binary field
sect571r1 : NIST/SECG curve over a 571 bit binary field
c2pnb163v1: X9.62 curve over a 163 bit binary field
c2pnb163v2: X9.62 curve over a 163 bit binary field
c2pnb163v3: X9.62 curve over a 163 bit binary field
c2pnb176v1: X9.62 curve over a 176 bit binary field
c2tnb191v1: X9.62 curve over a 191 bit binary field
c2tnb191v2: X9.62 curve over a 191 bit binary field
c2tnb191v3: X9.62 curve over a 191 bit binary field
c2pnb208w1: X9.62 curve over a 208 bit binary field
c2tnb239v1: X9.62 curve over a 239 bit binary field
c2tnb239v2: X9.62 curve over a 239 bit binary field
c2tnb239v3: X9.62 curve over a 239 bit binary field
c2pnb272w1: X9.62 curve over a 272 bit binary field
c2pnb304w1: X9.62 curve over a 304 bit binary field
c2tnb359v1: X9.62 curve over a 359 bit binary field
c2pnb368w1: X9.62 curve over a 368 bit binary field
c2tnb431r1: X9.62 curve over a 431 bit binary field
wap-wsg-idm-ecid-wtls1: WTLS curve over a 113 bit binary field
wap-wsg-idm-ecid-wtls3: NIST/SECG/WTLS curve over a 163 bit binary field
wap-wsg-idm-ecid-wtls4: SECG curve over a 113 bit binary field
wap-wsg-idm-ecid-wtls5: X9.62 curve over a 163 bit binary field
wap-wsg-idm-ecid-wtls6: SECG/WTLS curve over a 112 bit prime field
wap-wsg-idm-ecid-wtls7: SECG/WTLS curve over a 160 bit prime field
wap-wsg-idm-ecid-wtls8: WTLS curve over a 112 bit prime field
wap-wsg-idm-ecid-wtls9: WTLS curve over a 160 bit prime field
wap-wsg-idm-ecid-wtls10: NIST/SECG/WTLS curve over a 233 bit binary field
wap-wsg-idm-ecid-wtls11: NIST/SECG/WTLS curve over a 233 bit binary field
wap-wsg-idm-ecid-wtls12: WTLS curve over a 224 bit prime field
Oakley-EC2N-3:
IPSec/IKE/Oakley curve #3 over a 155 bit binary field.
Not suitable for ECDSA.
Questionable extension field!
Oakley-EC2N-4:
IPSec/IKE/Oakley curve #4 over a 185 bit binary field.
Not suitable for ECDSA.
Questionable extension field!
brainpoolP160r1: RFC 5639 curve over a 160 bit prime field
brainpoolP160t1: RFC 5639 curve over a 160 bit prime field
brainpoolP192r1: RFC 5639 curve over a 192 bit prime field
brainpoolP192t1: RFC 5639 curve over a 192 bit prime field
brainpoolP224r1: RFC 5639 curve over a 224 bit prime field
brainpoolP224t1: RFC 5639 curve over a 224 bit prime field
brainpoolP256r1: RFC 5639 curve over a 256 bit prime field
brainpoolP256t1: RFC 5639 curve over a 256 bit prime field
brainpoolP320r1: RFC 5639 curve over a 320 bit prime field
brainpoolP320t1: RFC 5639 curve over a 320 bit prime field
brainpoolP384r1: RFC 5639 curve over a 384 bit prime field
brainpoolP384t1: RFC 5639 curve over a 384 bit prime field
brainpoolP512r1: RFC 5639 curve over a 512 bit prime field
brainpoolP512t1: RFC 5639 curve over a 512 bit prime field
SM2 : SM2 curve over a 256 bit prime field
选择prime256v1,生成ECC私钥
$ openssl ecparam -name secp256k1 -genkey -out priv_ecc.pem
$ cat priv_ecc.pem
-----BEGIN EC PARAMETERS-----
BgUrgQQACg==
-----END EC PARAMETERS-----
-----BEGIN EC PRIVATE KEY-----
MHQCAQEEIMvayO4BXdBZ28Yua2hxk4HJWYqu4TZ7HINsvYR7U1U5oAcGBSuBBAAK
oUQDQgAE++1tvy4ou7dbKcaIJabSNfYY7bSZerIYzGHkh8pOz3+Ox41p5f+ioZaY
hQIBP9/AjNPmMYExxxbuaNZ+913JaQ==
-----END EC PRIVATE KEY-----
使用ECC私钥生成公钥
$ openssl ec -in priv_ecc.pem -pubout -out pub_ecc.pem
$ cat pub_ecc.pem
-----BEGIN PUBLIC KEY-----
MFYwEAYHKoZIzj0CAQYFK4EEAAoDQgAE++1tvy4ou7dbKcaIJabSNfYY7bSZerIY
zGHkh8pOz3+Ox41p5f+ioZaYhQIBP9/AjNPmMYExxxbuaNZ+913JaQ==
-----END PUBLIC KEY-----
证书相关
还是先利用上面生成ECC密钥对,生成一张X509证书,首先需要生成CSR,CSR就是证书请求文件,用于声明申请证书的部分信息,比如声明证书颁发给的主体、国家等等
$ openssl req -new -sha256 -key priv_ecc.pem -out ca.csr
$ cat ca.csr
-----BEGIN CERTIFICATE REQUEST-----
MIHpMIGQAgEAMB0xCzAJBgNVBAYTAkNOMQ4wDAYDVQQDDAVKYXNvbjBWMBAGByqG
SM49AgEGBSuBBAAKA0IABPvtbb8uKLu3WynGiCWm0jX2GO20mXqyGMxh5IfKTs9/
jseNaeX/oqGWmIUCAT/fwIzT5jGBMccW7mjWfvddyWmgFDASBgkqhkiG9w0BCQIx
BQwDeHh4MAoGCCqGSM49BAMCA0gAMEUCIQDXKrzgvTwtpUJNuMjaABB/ggUqbHYo
zD9HymzyW3MxQwIgPOTYwcjJbB4AEGA1G08hDaJrA0aRhR2lFFkT4ZFjjSk=
-----END CERTIFICATE REQUEST-----
$ openssl req -text -noout -in ca.csr
Certificate Request:
Data:
Version: 1 (0x0)
Subject: C = CN, CN = Jason
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (256 bit)
pub:
04:fb:ed:6d:bf:2e:28:bb:b7:5b:29:c6:88:25:a6:
d2:35:f6:18:ed:b4:99:7a:b2:18:cc:61:e4:87:ca:
4e:cf:7f:8e:c7:8d:69:e5:ff:a2:a1:96:98:85:02:
01:3f:df:c0:8c:d3:e6:31:81:31:c7:16:ee:68:d6:
7e:f7:5d:c9:69
ASN1 OID: secp256k1
Attributes:
unstructuredName :xxx
Signature Algorithm: ecdsa-with-SHA256
30:45:02:21:00:d7:2a:bc:e0:bd:3c:2d:a5:42:4d:b8:c8:da:
00:10:7f:82:05:2a:6c:76:28:cc:3f:47:ca:6c:f2:5b:73:31:
43:02:20:3c:e4:d8:c1:c8:c9:6c:1e:00:10:60:35:1b:4f:21:
0d:a2:6b:03:46:91:85:1d:a5:14:59:13:e1:91:63:8d:29
生成证书
$ openssl req -in ca.csr -x509 -days 100 -key priv_ecc.pem -out ca.cert
$ openssl x509 -in ca.cer -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
78:fb:74:1f:45:35:db:6a:91:c3:c5:5b:38:ee:01:29:6e:68:5c:52
Signature Algorithm: ecdsa-with-SHA256
Issuer: C = CN, CN = Jason
Validity
Not Before: Aug 8 10:42:06 2024 GMT
Not After : Nov 16 10:42:06 2024 GMT
Subject: C = CN, CN = Jason
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (256 bit)
pub:
04:fb:ed:6d:bf:2e:28:bb:b7:5b:29:c6:88:25:a6:
d2:35:f6:18:ed:b4:99:7a:b2:18:cc:61:e4:87:ca:
4e:cf:7f:8e:c7:8d:69:e5:ff:a2:a1:96:98:85:02:
01:3f:df:c0:8c:d3:e6:31:81:31:c7:16:ee:68:d6:
7e:f7:5d:c9:69
ASN1 OID: secp256k1
X509v3 extensions:
X509v3 Subject Key Identifier:
44:00:34:3C:59:A9:80:98:67:7E:C8:76:91:E2:A8:FC:45:1F:C4:26
X509v3 Authority Key Identifier:
keyid:44:00:34:3C:59:A9:80:98:67:7E:C8:76:91:E2:A8:FC:45:1F:C4:26
X509v3 Basic Constraints: critical
CA:TRUE
Signature Algorithm: ecdsa-with-SHA256
30:45:02:21:00:ce:46:41:c1:27:72:60:76:98:01:85:4d:da:
83:52:eb:b7:26:55:5c:ca:0d:fe:06:c1:3b:f5:3e:04:f7:20:
79:02:20:69:76:df:8c:ff:53:df:dc:ed:de:a0:07:1e:86:73:
e5:fe:a9:2a:fa:34:c6:e2:76:02:6a:bd:31:a1:76:50:0f
将PEM编码的证书转为DER
$ openssl x509 -in ca.cer -inform PEM -outform DER -out ca.der
# 查看der证书内容,发现一致
$ openssl x509 -in ca.der -inform DER -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
78:fb:74:1f:45:35:db:6a:91:c3:c5:5b:38:ee:01:29:6e:68:5c:52
Signature Algorithm: ecdsa-with-SHA256
Issuer: C = CN, CN = Jason
Validity
Not Before: Aug 8 10:42:06 2024 GMT
Not After : Nov 16 10:42:06 2024 GMT
Subject: C = CN, CN = Jason
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (256 bit)
pub:
04:fb:ed:6d:bf:2e:28:bb:b7:5b:29:c6:88:25:a6:
d2:35:f6:18:ed:b4:99:7a:b2:18:cc:61:e4:87:ca:
4e:cf:7f:8e:c7:8d:69:e5:ff:a2:a1:96:98:85:02:
01:3f:df:c0:8c:d3:e6:31:81:31:c7:16:ee:68:d6:
7e:f7:5d:c9:69
ASN1 OID: secp256k1
X509v3 extensions:
X509v3 Subject Key Identifier:
44:00:34:3C:59:A9:80:98:67:7E:C8:76:91:E2:A8:FC:45:1F:C4:26
X509v3 Authority Key Identifier:
keyid:44:00:34:3C:59:A9:80:98:67:7E:C8:76:91:E2:A8:FC:45:1F:C4:26
X509v3 Basic Constraints: critical
CA:TRUE
Signature Algorithm: ecdsa-with-SHA256
30:45:02:21:00:ce:46:41:c1:27:72:60:76:98:01:85:4d:da:
83:52:eb:b7:26:55:5c:ca:0d:fe:06:c1:3b:f5:3e:04:f7:20:
79:02:20:69:76:df:8c:ff:53:df:dc:ed:de:a0:07:1e:86:73:
e5:fe:a9:2a:fa:34:c6:e2:76:02:6a:bd:31:a1:76:50:0f
将私钥和证书封装到PKCS12格式的文件中
$ openssl pkcs12 -export -out ca.p12 -inkey priv_ecc.pem -in ca.cer -passout pass:123456
# 查看PKCS12文件内容,可以看到展示出证书和加密私钥的内容
$ openssl pkcs12 -info -in ca.p12 -passout pass:123456 -passin pass:123456
Bag Attributes
localKeyID: 6D FE 26 A5 2F 5E FD 3E 54 12 AF 2A 97 CB 5F 45 36 55 B6 37
subject=C = CN, CN = Jason
issuer=C = CN, CN = Jason
-----BEGIN CERTIFICATE-----
MIIBjDCCATKgAwIBAgIUePt0H0U122qRw8VbOO4BKW5oXFIwCgYIKoZIzj0EAwIw
HTELMAkGA1UEBhMCQ04xDjAMBgNVBAMMBUphc29uMB4XDTI0MDgwODEwNDIwNloX
DTI0MTExNjEwNDIwNlowHTELMAkGA1UEBhMCQ04xDjAMBgNVBAMMBUphc29uMFYw
EAYHKoZIzj0CAQYFK4EEAAoDQgAE++1tvy4ou7dbKcaIJabSNfYY7bSZerIYzGHk
h8pOz3+Ox41p5f+ioZaYhQIBP9/AjNPmMYExxxbuaNZ+913JaaNTMFEwHQYDVR0O
BBYEFEQANDxZqYCYZ37IdpHiqPxFH8QmMB8GA1UdIwQYMBaAFEQANDxZqYCYZ37I
dpHiqPxFH8QmMA8GA1UdEwEB/wQFMAMBAf8wCgYIKoZIzj0EAwIDSAAwRQIhAM5G
QcEncmB2mAGFTdqDUuu3JlVcyg3+BsE79T4E9yB5AiBpdt+M/1Pf3O3eoAcehnPl
/qkq+jTG4nYCar0xoXZQDw==
-----END CERTIFICATE-----
Bag Attributes
localKeyID: 6D FE 26 A5 2F 5E FD 3E 54 12 AF 2A 97 CB 5F 45 36 55 B6 37
Key Attributes: <No Attributes>
-----BEGIN ENCRYPTED PRIVATE KEY-----
MIHbME4GCSqGSIb3DQEFDTBBMCkGCSqGSIb3DQEFDDAcBAgvYN4uo8RKmwICCAAw
DAYIKoZIhvcNAgkFADAUBggqhkiG9w0DBwQIHwrRdCxByXgEgYihKAiFjn0eRddn
ManumsgDrzPUX1wAnDBeS+gIxRXH9Aa/xkTwJG9QtxazzbtCid36DrRLCQJQXkgW
IoXd2/AVAcy4MSav2KGyxpRIdeRP8TpjPOp/iLhJNAT+/FDx368bUhIbtZ5jqVTX
o9qLxyHL8Y69EtYHg//ybq8sADspRg2k8wrutdaP
-----END ENCRYPTED PRIVATE KEY-----
MAC: sha1, Iteration 2048
MAC length: 20, salt length: 8
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048
Certificate bag
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048
从PKCS12文件中提取私钥
$ openssl pkcs12 -in ca.p12 -nocerts -nodes -out pri_ecc.pem -passin pass:123456 -passout pass:123456
$ cat pri_ecc.pem
Bag Attributes
localKeyID: 6D FE 26 A5 2F 5E FD 3E 54 12 AF 2A 97 CB 5F 45 36 55 B6 37
Key Attributes: <No Attributes>
-----BEGIN PRIVATE KEY-----
MIGEAgEAMBAGByqGSM49AgEGBSuBBAAKBG0wawIBAQQgy9rI7gFd0Fnbxi5raHGT
gclZiq7hNnscg2y9hHtTVTmhRANCAAT77W2/Lii7t1spxoglptI19hjttJl6shjM
YeSHyk7Pf47HjWnl/6KhlpiFAgE/38CM0+YxgTHHFu5o1n73Xclp
-----END PRIVATE KEY-----
# 从PKCS12文件中提取私钥 这里的私钥是PKCS8格式的,转换之后能发现和priv_ecc.pem的内容是一致的
$ openssl pkcs12 -in ca.p12 -nodes -out pri_ecc.pem -passin pass:123456 -passout pass:123456
$ cat pri_ecc.pem
Bag Attributes
localKeyID: 6D FE 26 A5 2F 5E FD 3E 54 12 AF 2A 97 CB 5F 45 36 55 B6 37
subject=C = CN, CN = Jason
issuer=C = CN, CN = Jason
-----BEGIN CERTIFICATE-----
MIIBjDCCATKgAwIBAgIUePt0H0U122qRw8VbOO4BKW5oXFIwCgYIKoZIzj0EAwIw
HTELMAkGA1UEBhMCQ04xDjAMBgNVBAMMBUphc29uMB4XDTI0MDgwODEwNDIwNloX
DTI0MTExNjEwNDIwNlowHTELMAkGA1UEBhMCQ04xDjAMBgNVBAMMBUphc29uMFYw
EAYHKoZIzj0CAQYFK4EEAAoDQgAE++1tvy4ou7dbKcaIJabSNfYY7bSZerIYzGHk
h8pOz3+Ox41p5f+ioZaYhQIBP9/AjNPmMYExxxbuaNZ+913JaaNTMFEwHQYDVR0O
BBYEFEQANDxZqYCYZ37IdpHiqPxFH8QmMB8GA1UdIwQYMBaAFEQANDxZqYCYZ37I
dpHiqPxFH8QmMA8GA1UdEwEB/wQFMAMBAf8wCgYIKoZIzj0EAwIDSAAwRQIhAM5G
QcEncmB2mAGFTdqDUuu3JlVcyg3+BsE79T4E9yB5AiBpdt+M/1Pf3O3eoAcehnPl
/qkq+jTG4nYCar0xoXZQDw==
-----END CERTIFICATE-----
Bag Attributes
localKeyID: 6D FE 26 A5 2F 5E FD 3E 54 12 AF 2A 97 CB 5F 45 36 55 B6 37
Key Attributes: <No Attributes>
-----BEGIN PRIVATE KEY-----
MIGEAgEAMBAGByqGSM49AgEGBSuBBAAKBG0wawIBAQQgy9rI7gFd0Fnbxi5raHGT
gclZiq7hNnscg2y9hHtTVTmhRANCAAT77W2/Lii7t1spxoglptI19hjttJl6shjM
YeSHyk7Pf47HjWnl/6KhlpiFAgE/38CM0+YxgTHHFu5o1n73Xclp
-----END PRIVATE KEY-----
使用根CA签发下级CA证书
# 生成下级公私钥对
$ openssl ecparam -name secp256k1 -genkey -out server_priv_ecc.pem
$ openssl ec -in server_priv_ecc.pem -pubout -out server_pub_ecc.pem
# 利用下级公钥生成CSR文件
$ openssl req -new -sha256 -key server_priv_ecc.pem -out server.csr
# 使用上级CA对CSR进行验证签发,这里指定了extfile openssl配置文件路径,实际使用时可以根据实际情况选择
$ openssl x509 -req -days 100 -sha256 -extfile ./openssl.cnf -extensions v3_req -CA ca.cer -CAkey priv_ecc.pem -CAserial ca.srl -CAcreateserial -in server.csr -out server.cer
Signature ok
subject=C = CN, CN = myserver
Getting CA Private Key
# 查看下级证书
$ openssl x509 -in server.cer -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
23:52:cf:c3:d6:b2:f4:00:42:2f:b1:3d:63:f8:14:9d:68:4a:84:ce
Signature Algorithm: ecdsa-with-SHA256
Issuer: C = CN, CN = Jason
Validity
Not Before: Aug 8 11:39:13 2024 GMT
Not After : Nov 16 11:39:13 2024 GMT
Subject: C = CN, CN = myserver
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (256 bit)
pub:
04:98:30:11:06:27:eb:5c:96:48:c7:a3:df:d1:70:
2c:ff:54:18:fd:38:32:11:48:9c:0d:b1:8b:f1:3f:
56:db:12:3b:c4:84:d2:c1:09:b9:4e:a9:3c:4f:64:
b2:75:28:05:e8:de:6b:55:79:4a:67:d1:67:a6:e3:
57:31:26:7c:02
ASN1 OID: secp256k1
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 Key Usage:
Digital Signature, Non Repudiation, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Client Authentication
Signature Algorithm: ecdsa-with-SHA256
30:45:02:21:00:f1:e3:d1:13:0e:58:4c:3e:9f:95:84:72:64:
bd:e0:83:45:27:a9:09:94:14:10:32:c1:f4:b2:da:83:4a:cd:
a2:02:20:72:ee:e9:3e:81:8d:8c:a7:0d:1a:2e:a2:97:7f:c6:
25:a0:cc:05:2b:23:c3:19:c1:b6:49:fa:d2:1c:0c:7c:7d
# 可以看到Issuer: C = CN, CN = Jason,就是根CA的信息,使用上级对下级进行证书验证
$ openssl verify -CAfile ca.cer server.cer
server.cer: OK
# OK!! 证书链验证完成
使用ocsp验证证书状态
# 由于没有ocsp服务器,只能借助globalsign的ocsp和百度的证书进行示范,ocsp地址可从百度证书的Authority Info Access(AIA 授权访问信息)中获取
$ openssl ocsp -issuer issuing_ca.crt -cert baidu.crt -url http://ocsp.globalsign.com/gsrsaovsslca2018 -text
..... 前面太长了 省略
-----BEGIN CERTIFICATE-----
MIIDuTCCAqGgAwIBAgIMA/PSLy5LqdXUTk2cMA0GCSqGSIb3DQEBCwUAMFAxCzAJ
BgNVBAYTAkJFMRkwFwYDVQQKExBHbG9iYWxTaWduIG52LXNhMSYwJAYDVQQDEx1H
bG9iYWxTaWduIFJTQSBPViBTU0wgQ0EgMjAxODAeFw0yNDA3MDQxMDExNDRaFw0y
NDEwMDQxMDExNDNaMGsxCzAJBgNVBAYTAkJFMRkwFwYDVQQKDBBHbG9iYWxTaWdu
IG52LXNhMRUwEwYDVQQFEwwyMDE5MDYxMTAwMDQxKjAoBgNVBAMMIWdzcnNhb3Zz
c2xjYTIwMThDQSBPQ1NQIFJlc3BvbmRlcjCCASIwDQYJKoZIhvcNAQEBBQADggEP
ADCCAQoCggEBAKHq2bSdttHs6Ofo6I5L3DjHZQEMcK3sKjL9ENtCvIwIjBWV+XZR
/0TaxTLRS5eZJoQivCjuB9bbXoezj0ksWczVA9IppkUImkj/RF62pWVG4PQ1nBaR
pLHO08zsA4LnA+VMtUKN5pGyRyutyUPDVuaKSCgl19xOjDjXAs6vKgpEHm269XwW
IE5YUOCpZlDopmNczEUjFl7Lk3SBXCNqdvc+19IvWeCmAeLzWP8VzWHpMmnGLPST
l96FbxqCb65XImCXiPce1fEvSdf/LEOUHdE83Shsjb7QtTyifkWbp/HWx/a/gkeL
+nhYcuMcsEgzIg/Z5NFDO9gyIQEw8o30vvcCAwEAAaN4MHYwHwYDVR0jBBgwFoAU
+O9/8s14Z6jeb48kjYjxhwMCs+swDwYJKwYBBQUHMAEFBAIFADATBgNVHSUEDDAK
BggrBgEFBQcDCTAdBgNVHQ4EFgQU1nf+WF2zDn1akOrasVP/qLp0zKYwDgYDVR0P
AQH/BAQDAgeAMA0GCSqGSIb3DQEBCwUAA4IBAQCWzB78gOHjTiFcqwQEDT/pwJiE
xfsz9MbI7cwoHqc0HuxGT4EFWA68vEEhVZMwPx4tFomvWRKoxXyM/NOV5mP8zNOk
S3kAmghm4YR2SCkOtkzdvRIEL+8axhbuGf90/UMT5zuppiWCJydxsoOhgi/dVMX6
msRzAla6c3RYTmk9NipHs9UMWMUG/1Vt4IDmi3E16LTEGUDvXzreFaAtd+cU3cUq
Y0tzhyuJGa32Kqw0ojZcfz8cCSEmjHLBkne0uXySYoFMOAPAPy6md9Gq07s/jPX7
DAnwKtGlw5ej1FJRIbA/et8Htconhyy3Ku5VrnV20V0Y6ZgY2gbT5x0CAKWv
-----END CERTIFICATE-----
baidu.crt: good
This Update: Aug 13 08:24:14 2024 GMT
Next Update: Aug 17 08:24:13 2024 GMT
WARNING: no nonce in response
Response verify OK
# 可以看到ocsp响应验证成功,证书状态good
1026
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
