引用页
创建
创建 RSA
# Generate a 2048-bit RSA private key, encrypted with AES-128 (prompts for a passphrase).
# NOTE(review): on OpenSSL 3.x genrsa writes PKCS#8 ("BEGIN PRIVATE KEY") by default;
# add -traditional there if the legacy "BEGIN RSA PRIVATE KEY" form is required — check your version.
openssl genrsa -aes128 -out test.key 2048
# Derive the public key from the (encrypted) private key; prompts for the passphrase.
openssl rsa -in test.key -pubout -out test.pub
# Dump all key components in readable form. The output contains the private exponent and primes —
# never paste it into tickets, chat or logs.
openssl rsa -text -in test.key
创建 DSA / EC 密钥
# DSA: generate parameters and a key in one pipeline; the key is written AES-128 encrypted.
# DSA is a legacy algorithm (TLS 1.3 does not support DSA signatures) — prefer RSA or EC for new keys.
openssl dsaparam -genkey 2048 | openssl dsa -out test.key -aes128
# EC key on the P-256 curve (secp256r1 is the same curve as prime256v1), AES-128 encrypted.
openssl ecparam -genkey -name secp256r1 | openssl ec -out test.key -aes128
创建证书
- PKCS#8 与传统 RSA 私钥格式的区别在于文件头：传统 RSA 私钥以 `BEGIN RSA PRIVATE KEY` 开头，PKCS#8 私钥则以 `BEGIN PRIVATE KEY` 开头
- 通过 req 直接生成的私钥为 PKCS#8 格式，使用 genrsa 生成的为传统密钥格式
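# Self-signed root CA, valid 30 years (10950 days). -nodes leaves ca.key unencrypted, so it must be
# protected by file permissions. Attribute names in -subj are case-sensitive: "/o=" is skipped with
# only a warning (the organisation silently disappears from the subject) — it has to be "/O=".
# Output names are lower-case so they match the -CA/-CAkey arguments below on case-sensitive filesystems.
openssl req -x509 -new -days 10950 -newkey rsa:2048 -keyout ca.key -nodes -out ca.crt -subj "/C=GB/L=London/O=Feisty Duck Ltd/CN=www.ca.com"
# Server key (PKCS#8, unencrypted because of -nodes) and CSR.
openssl req -new -newkey rsa:2048 -keyout test.key -nodes -out test.csr -subj "/CN=example.com"
# Sign the CSR with the CA above. -CAcreateserial creates ca.srl on first use and reuses it afterwards,
# which keeps serial numbers unique across certificates issued by this CA.
openssl x509 -req -days 10950 -in test.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out test.crt
# Client key and CSR.
openssl req -new -newkey rsa:2048 -keyout client.key -nodes -out client.csr -subj "/CN=example.com"
# x509 -req does not carry extensions over from the CSR; they have to be supplied with -extfile
# (e.g. subjectAltName, extendedKeyUsage=clientAuth). test.txt is that extensions file.
openssl x509 -req -days 10950 -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out client.crt -extfile test.txt
# Rebuild a CSR from an existing certificate (e.g. for renewal), signed with the matching private key.
openssl x509 -x509toreq -in test.crt -out test.csr -signkey test.key
# Inspect a CSR / a certificate in readable form.
openssl req -text -in test.csr -noout
openssl x509 -text -in test.crt -noout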
转换
将二进制(DER)格式与 PEM 格式互相转换
# DER (binary, typically .cer/.der) -> PEM (base64 with BEGIN/END markers).
openssl x509 -inform der -in certificate.cer -outform pem -out certificate.crt
# PEM -> DER; the input format defaults to PEM so -inform is not needed here.
openssl x509 -outform der -in certificate.pem -out certificate.der
证书套件打包(pkcs12)
# Bundle private key + certificate into a PKCS#12 file; prompts for an export password.
# Only the leaf certificate is included — add -certfile <chain.pem> to ship the CA chain as well.
# NOTE(review): OpenSSL 3.x defaults to AES-256/PBKDF2 inside the .pfx, which some older consumers
# cannot read; the pkcs12 -legacy option exists there for compatibility — verify before relying on it.
openssl pkcs12 -export -out server.pfx -inkey server.key -in server.crt
# Unpack everything into a single PEM file; -nodes writes the private key unencrypted.
openssl pkcs12 -in server.pfx -nodes -out server.pem
# Split the combined PEM into key and certificate.
openssl rsa -in server.pem -out server.key
openssl x509 -in server.pem -out server.crt
# Or extract the pieces straight from the .pfx: private key only, leaf certificate only, CA certificates only.
openssl pkcs12 -in server.pfx -nocerts -out server.key -nodes
openssl pkcs12 -in server.pfx -nokeys -clcerts -out server.crt
openssl pkcs12 -in server.pfx -nokeys -cacerts -out server-chain.crt
传统私钥格式 <=> PKCS#8 互转
# Traditional RSA ("BEGIN RSA PRIVATE KEY") -> PKCS#8 ("BEGIN PRIVATE KEY").
# -nocrypt writes the PKCS#8 key unencrypted; omit it to be prompted for a passphrase.
openssl pkcs8 -topk8 -in server.key -inform pem -out server.pem -outform pem -nocrypt
# PKCS#8 -> traditional RSA, rewriting newkey.pem in place (keep a backup of the input).
# NOTE(review): on OpenSSL 3.x `openssl rsa` emits PKCS#8 by default; -traditional is needed
# there to get the legacy format — check your version.
openssl rsa -in newkey.pem -out newkey.pem
从证书中提取公钥
# Print the public key of a DER certificate as PEM on stdout; -noout suppresses the certificate itself.
openssl x509 -pubkey -in server.cer -inform DER -outform PEM -noout
创建自签名证书脚本
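# Self-signed CA plus client and server certificates for a test environment.
# Requires: domain_name (the server's hostname). Fail early instead of issuing a server
# certificate with an empty CN when the variable is unset.
: "${domain_name:?domain_name (server hostname) must be set}"
# /tmp is world-writable and this directory name is predictable (another local user could
# pre-create it); use a private directory or mktemp -d outside /tmp for anything beyond throwaway tests.
certs=/tmp/certs
mkdir -p -m 700 -- "$certs"
# Root CA, 30-year validity (10950 days). The CA key is stored unencrypted — restrict access to it.
openssl genrsa -out "$certs/ca.key" 2048
openssl req -new -x509 -nodes -key "$certs/ca.key" -out "$certs/ca.crt" -subj "/CN=abc.cn" -days 10950
# Client certificate signed by the CA. -CAcreateserial creates ca.srl on first use and reuses it afterwards.
openssl genrsa -out "$certs/client.key" 2048
openssl req -new -key "$certs/client.key" -out "$certs/client.csr" -subj "/CN=abc.cn"
openssl x509 -req -in "$certs/client.csr" -CA "$certs/ca.crt" -CAkey "$certs/ca.key" -CAcreateserial -days 10950 -out "$certs/client.crt"
# Server certificate. It carries only a CN and no subjectAltName; modern browsers and TLS clients
# require a SAN, so add one through -extfile (or req -addext) when the cert is meant for them.
openssl genrsa -out "$certs/server.key" 2048
openssl req -new -key "$certs/server.key" -out "$certs/server.csr" -subj "/CN=${domain_name}"
openssl x509 -req -in "$certs/server.csr" -CA "$certs/ca.crt" -CAkey "$certs/ca.key" -CAcreateserial -days 10950 -out "$certs/server.crt"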
OPENSSL 测试案例
查询可用的密码套件
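# List the cipher suites matched by a cipher string (typo fixed: ECHDE -> ECDHE, which is otherwise
# skipped as an unknown alias). A space-separated list is a union — all ECDHE suites, then all AES
# suites; use 'ECDHE+AES' if both properties are required in the same suite.
openssl ciphers -v 'ECDHE AES'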
检测指定网站的证书信息
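# Plain TLS handshake: prints the server certificate, negotiated protocol/cipher and the
# "Verify return code" line — check that line, a completed handshake alone proves nothing about trust.
openssl s_client -connect www.changel.cn:443
# STARTTLS on a plaintext port (SMTP here).
openssl s_client -connect smtp.exmail.qq.com:25 -starttls smtp
# Disable SSLv3 and TLS 1.0-1.2 so the handshake only succeeds if the server speaks TLS 1.3.
openssl s_client -connect www.changel.cn:443 -no_ssl3 -no_tls1 -no_tls1_1 -no_tls1_2
# Save the server's leaf certificate. `echo |` closes stdin so s_client exits after the handshake;
# s_client prints only the leaf certificate unless -showcerts is given. sed -n replaces the GNU-only
# --quiet spelling so the command also works with BSD/macOS sed.
echo | openssl s_client -connect www.changel.cn:443 2>&1 | sed -n '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > changel.crt
# Force one cipher suite (applies to TLS <= 1.2; TLS 1.3 suites are selected with -ciphersuites).
openssl s_client -connect www.changel.cn:443 -cipher ECDHE-RSA-AES128-GCM-SHA256
# OCSP: read the responder URL out of the certificate, then query it. Use the URL printed by the
# first command — the hard-coded one below is only valid for that issuer.
openssl x509 -noout -ocsp_uri -in changel.crt
openssl ocsp -issuer changel-chain.crt -cert changel.crt -url http://ocsp.comodoca.com -CAfile changel-chain.crt
# OCSP stapling: -status asks for a stapled OCSP response during the handshake.
openssl s_client -connect www.changel.cn:443 -status
# CRL distribution points. -i also matches the "CRL Distribution Points" header, not just the lower-case .crl URI.
openssl x509 -in changel.crt -noout -text | grep -i crl
# Inspect a downloaded (DER) CRL.
openssl crl -in ssl.crl -inform der -text -noout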
安全检查
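# Does the server offer ephemeral DH key exchange (kEDH = DHE suites)?
# -no_tls1_3 matters on OpenSSL 1.1.1+: -cipher restricts only TLS <= 1.2 suites, so without it a
# TLS 1.3 server completes the handshake anyway and the check reports a false positive.
openssl s_client -connect www.changel.cn:443 -cipher kEDH -no_tls1_3
# Dump the TLS extensions and the raw handshake messages.
openssl s_client -connect www.changel.cn:443 -tlsextdebug -msg
# Does the server still accept RC4? A completed handshake here means the server configuration needs
# fixing. Same -no_tls1_3 caveat as above. RC4 suites are compiled out of default OpenSSL 1.1.0+
# builds ("no cipher match"); running this check needs a build configured with enable-weak-ssl-ciphers.
echo | openssl s_client -connect www.changel.cn:443 -cipher 'RC4' -no_tls1_3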
JKS 转换
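# List keystore entries, verbose (-v) or as PEM blocks (-rfc).
# Passing -storepass on the command line exposes the password through `ps` and shell history;
# keytool also accepts -storepass:env VAR and -storepass:file PATH, or simply omit it to be prompted.
keytool -list -v -keystore test.jks -storepass abcdefg
keytool -list -rfc -keystore test.jks -storepass abcdefg
# JKS -> PKCS#12. A PKCS#12 keystore has a single password for store and keys, so keytool ignores a
# separate -destkeypass for this destination type (with a warning); the option has been dropped here.
keytool -v -importkeystore -srckeystore test.jks -srcstoretype jks -srcstorepass abcdefg -destkeystore server.pfx -deststoretype pkcs12 -deststorepass aliases
# PKCS#12 -> JKS; prompts for the source and destination store passwords.
keytool -importkeystore -srckeystore server.pfx -srcstoretype pkcs12 -destkeystore test.jks -deststoretype JKS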