Openssl 常见命令
合成证书链
cat issuingCA intermidateCA rootCA > certchain.pem
OpenSSL合成P12/PFX文件
#从证书文件和私钥合成
openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile more.crt
# 从p7b合成
openssl pkcs7 -print_certs -in certificate.p7b -out certificate.crt
OpenSSL解析P12/PFX文件
openssl pkcs12 -in certificate.p12 -out key.pem -nocerts -nodes
openssl pkcs12 -in certificate.p12 -out cert.pem -nokeys
# openssl pkcs12 -in certificate.p12 -out cert.pem -clcerts -nokeys
OpenSSL私钥保护
openssl pkcs8 -topk8 -inform PEM -outform DER -in key.pem -out passed_key.pem -nocrypt
openssl pkcs8 -topk8 -inform PEM -outform PEM -in key.pem -out passed_key.pem
# 转换为pkcs8格式
openssl pkcs8 -topk8 -nocrypt -outform der -in key.pem -out key.p8
# 为RSA密钥增加口令保护
openssl rsa -in RSA.pem -des3 -passout pass:123456 -out E_RSA.pem
openssl ec -aes256 -in key.pem -out key1.pem
# 为RSA密钥去除口令保护
openssl rsa -in E_RSA.pem -passin pass:123456 -out P_RSA.pem
OpenSSL查看证书内容和CRL
openssl x509 -in cert.pem -noout -text
openssl x509 -in -inform DER cert.der -noout -text
openssl crl -inform DER -text -noout -in xxxx.crl
OpenSSL证书格式转换
# PEM to DER
openssl x509 -outform der -in certificate.pem -out certificate.der
# DER to PEM
openssl x509 -inform der -in certificate.cer -out certificate.pem
# P7B to PEM
openssl pkcs7 -print_certs -in certificate.p7b -out certificate.cer
OpenSSL生成证书请求文件或自签名证书
# 生成私钥和证书请求文件
openssl req -newkey rsa:2048 -new -nodes -keyout my.key -out my.csr
# 生成自签名证书
openssl req -newkey rsa:2048 -new -nodes -x509 -days 3650 -keyout key.pem -out cert.pem
#查看CSR文件
openssl req -in my.csr -noout -text
#续签证书, cert.key=key.pem
openssl x509 -x509toreq -in cert.pem -out cert.csr -signkey cert.key
openssl x509 -req -days 3650 -in cert.csr -out cert.new.pem -signkey cert.key
BKS/JKS 格式
# P12 to BKS
keytool -importkeystore -srckeystore client.p12 -srcstoretype pkcs12 -destkeystore client.bks -deststoretype bks -provider org.bouncycastle.jce.provider.BouncyCastleProvider -providerpath bcprov-ext-jdk15on-158.jar
# P12 to JKS
keytool -importkeystore -srckeystore D:\server.pfx -destkeystore D:\server.jks -
srcstoretype PKCS12 -deststoretype JKS
# Import CA Certificate To JKS
keytool -import -alias evca -keystore d:\server.jks -trustcacerts -file d:\CFCA_EV_CA.cer
# 直接使用keytool生成并分别为store和key设置不同的密码
keytool -genkey -alias newkey -keyalg RSA -keysize 2048 -keystore wso2carbon.jks -dname "CN=localhost, OU=IT,O=ABC,L=SL,S=WS,C=LK" -storepass wso2carbon -keypass wso2carbon
# 查看bks格式证书
keytool -list -rfc -keystore updatesdkcas.bks -provider org.bouncycastle.jce.provider.BouncyCastleProvider -providerpath ../../../zips/bcprov.jar -storetype BKS
keytool -list -v -keystore updatesdkcas.bks -provider org.bouncycastle.jce.provider.BouncyCastleProvider -providerpath ../../../zips/bcprov.jar -storetype BKS
# JKS show keystore
keytool -v -list -keystore truststore.jks
生成 Key或者Key Pair
# AES KEY
openssl enc -aes-256-cbc -k secret -P -md sha256
openssl enc -aes-256-gcm -nosalt -p -in private-keyset.cfg -out test.out
# 特定曲线的Key
openssl ecparam -name prime256v1 -out prime256v1.pem
# SM2 KEY
openssl ecparam -list_curves | grep SM2
# 如果查询结果有内容,则说明该版本支持SM2参数,也就可以生成SM2的公私钥对。
# 1.创建EC参数和原始私钥文件:
openssl ecparam -out ec_param.pem -name SM2 -param_enc explicit -genkey
#注:生成完成后可以查看一下EC私钥信息:
openssl ecparam -in ec_param.pem -text
#然后验证一下参数:
openssl ecparam -in ec_param.pem -check
# 2.将原始的私钥文件,转换为pkcs8格式:
openssl pkcs8 -topk8 -inform PEM -in ec_param.pem -outform pem -nocrypt -out pri_key_pkcs8.pem
# 3.利用原始的私钥,生成对应的公钥:
openssl ec -in ec_param.pem -pubout -out pub_key.pem
# 至此SM2的秘钥对已经生成结束,pri_key_pkcs8.pem是SM2私钥,而pub_key.pem是公钥。
# RSA
查看私钥和公钥是否匹配
#RSA算法
openssl x509 -noout -modulus -in cert.crt | openssl md5
openssl rsa -noout -modulus -in privkey.txt | openssl md5
# SM2 算法
openssl pkey -in ec_param.pem -text
openssl pkey -in pub_key.pem -text -pubin
生成ssh/sftp Key
ssh-keygen -f privatekeyname -C commentname
# 转换为PEM 格式
ssh-keygen -p -m PEM -f privatekeyname
# 制定算法和长度
ssh-keygen -t rsa -b 4096 -o -a 100
2.3 生成随机数
openssl rand -hex 13
对称加密
# 命令行输入,密码123456
openssl enc -aes-128-cbc -in plain.txt -out out.txt -pass pass:123456
# 文件输入,密码123456
echo 123456 > passwd.txt
openssl enc -aes-128-cbc -in plain.txt -out out.txt -pass file:passwd.txt
# 环境变量输入,密码123456
export passwd=123456
openssl enc -aes-128-cbc -in plain.txt -out out.txt -pass env:passwd
# 从文件描述输入
openssl enc -aes-128-cbc -in plain.txt -out out.txt -pass fd:1
# 从标准输入输入
openssl enc -aes-128-cbc -in plain.txt -out out.txt -pass stdin
非对称加密
# 使用RSA作为密钥进行加密,实际上使用其中的公钥进行加密
openssl rsautl -encrypt -in plain.txt -inkey RSA.pem -passin pass:123456 -out enc.txt
# 使用RSA作为密钥进行解密,实际上使用其中的私钥进行解密
openssl rsautl -decrypt -in enc.txt -inkey RSA.pem -passin pass:123456 -out replain.txt
# 公钥进行加密
openssl rsautl -encrypt -in plain.txt -inkey pub.pem -pubin -out enc1.txt
# 进行解密
openssl rsautl -decrypt -in enc1.txt -inkey RSA.pem -passin pass:123456 -out replain1.txt
签名/验签
# 提取PCKS8格式的私钥
openssl pkcs8 -topk8 -in RSA.pem -passin pass:123456 -out pri.pem -nocrypt
# 使用RSA密钥进行签名,实际上使用私钥进行加密
openssl rsautl -sign -in plain.txt -inkey RSA.pem -passin pass:123456 -out sign.txt
# 使用RSA密钥进行验证,实际上使用公钥进行解密
openssl rsautl -verify -in sign.txt -inkey RSA.pem -passin pass:123456 -out replain.txt
# 使用私钥进行签名
openssl rsautl -sign -in plain.txt -inkey pri.pem -out sign1.txt
# 使用公钥进行验证
openssl rsautl -verify -in sign1.txt -inkey pub.pem -pubin -out replain1.txt
哈希/摘要
openssl dgst -md5 a.txt
openssl sha512 a.txt
# 摘要并签名
openssl dgst -md5 -hex -sign key.pem a.txt
# 验证签名
openssl dgst -md5 -out md5_nohex.sign -sign key.pem a.txt
openssl dgst -md5 -hex -out md5_hex.sign -sign key.pem a.txt
2.7 编码/解码
# 对文件进行base64编码
openssl enc -base64 -in plain.txt -out base64.txt
# 对base64格式文件进行解密
openssl enc -base64 -d -in base64.txt -out plain2.txt
people found this article helpful. What about you?