è¿ä¸ª OpenSSL å¿«éåèå¤å¿åå±ç¤ºäºå®ç常ç¨å½ä»¤ä½¿ç¨æ¸ å
æ£æ¥çæ¬
$ openssl version -a
å®å¨ä½¿ç¨å个 CPU å æ ¸å¹¶æµè¯ RSA ç®æ³çç³»ç»ä¸è¿è¡é度æå¤å¿«
$ openssl speed -multi 4 rsa
è·å¾åºæ¬å¸®å©
$ openssl help
çæ 20 个éæºåè并å°å®ä»¬æ¾ç¤ºå¨å±å¹ä¸
$ openssl rand -hex 20
ä½¿ç¨ Base64 ç¼ç æ件
$ openssl base64 -in file.data
ä½¿ç¨ Base64 ç¼ç ä¸äºææ¬
$ echo -n "some text" | openssl base64
Base64 解ç ä¸ä¸ªæ件并è¾åºå°å¦ä¸ä¸ªæ件
$ openssl base64 -d -in encodeÂd.data -out decodeÂd.data
ååºå¯ç¨çæè¦ç®æ³
$ openssl list -digesÂt-aÂlgoÂrithms
ä½¿ç¨ SHA256 æ£åæ件
$ openssl dgst -sha256 file.data
ä½¿ç¨ SHA256 æ£åæ件åå ¶äºè¿å¶å½¢å¼çè¾åºï¼æ è¾åºåå è¿å¶ç¼ç ï¼ æ²¡æ ASCII æç¼ç å符å°æå°å°æ§å¶å°ï¼åªæ纯åèã æ¨å¯ä»¥éå ' | xxd'
$ openssl dgst -binary -sha256 file.data
ä½¿ç¨ SHA3-512 çåå¸ææ¬
$ echo -n "some text" | openssl dgst -sha3-512
å建 HMAC - 使ç¨ç¹å®å¯é¥ï¼ä»¥åè为åä½ï¼çæ件ç SHA384
$ openssl dgst -SHA384 -mac HMAC -macopt hexkey:369bd7d655 file.data
å建 HMAC - ä¸äºææ¬ç SHA512
$ echo -n "some text" | openssl dgst -mac HMAC -macopt hexkeyÂ:36Â9bdÂ7d655 -sha512
ååºå¯ç¨çæ¤åæ²çº¿
$ openssl ecparam -list_Âcurves
å建 4096 ä½ RSA å ¬ç§å¯é¥å¯¹
$ openssl genrsa -out pub_prÂiv.key 4096
æ¾ç¤ºè¯¦ç»çç§é¥ä¿¡æ¯
$ openssl rsa -text -in pub_priv.key -noout
ä½¿ç¨ AES-256 ç®æ³å å¯å ¬ç§é¥å¯¹
$ openssl rsa -in pub_priv.key -out encrypted.key -aes256
å é¤å¯é¥æ件å å¯å¹¶å°å®ä»¬ä¿åå°å¦ä¸ä¸ªæ件
$ openssl rsa -in encrypted.key -out cleartext.key
å°å ¬ç§é¥å¯¹æ件çå ¬é¥å¤å¶å°å¦ä¸ä¸ªæ件ä¸
$ openssl rsa -in pub_priv.key -pubout -out pubkey.key
ä½¿ç¨ RSA å ¬é¥å å¯æ件
$ openssl rsautl -encrypt -inkey pubkey.key -pubin -in cleartext.file -out ciphertext.file
ä½¿ç¨ RSA ç§é¥è§£å¯æ件
$ openssl rsautl -decrypt -inkey pub_priv.key -in ciphertext.file -out decrypted.file
ä½¿ç¨ P-224 æ¤åæ²çº¿å建ç§é¥
$ openssl ecparam -name secp224k1 -genkey -out ecpriv.key
ä½¿ç¨ 3DES ç®æ³å å¯ç§é¥
$ openssl ec -in ecP384priv.key -des3 -out ecP384priv_enc.key
ååºæææ¯æç对称å å¯å¯ç
$ openssl enc -list
使ç¨æä¾ç ASCII ç¼ç å¯ç å AES-128-ECB ç®æ³å å¯æ件
$ openssl enc -aes-128-ecb -in cleartext.file -out ciphertext.file -pass pass:thisisthepassword
ä½¿ç¨ AES-256-CBC åå¯é¥æ件解å¯æ件
$ openssl enc -d -aes-256-cbc -in ciphertext.file -out cleartext.file -pass file:./key.file
使ç¨ä»¥åå è¿å¶æ°åå½¢å¼æä¾çç¹å®å å¯å¯é¥ (K) å å¯æ件
$ openssl enc -aes-128-ecb -in cleartext.file -out ciphertext.file -K 1881807b2d1b3d22f14e9ec52563d981 -nosalt
使ç¨æå®çå å¯å¯é¥ï¼Kï¼256 ä½ï¼ååå§ååéï¼ivï¼128 ä½ï¼å¨ CBC åå¯ç 模å¼ä¸ä½¿ç¨ ARIA 256 å å¯æ件
$ openssl enc -aria-256-cbc -in cleartext.file -out ciphertext.file -K f92d2e986b7a2a01683b4c40d0cbcf6feaa669ef2bb5ec3a25ce85d9548291c1 -iv 470bc29762496046882b61ecee68e07c -nosalt
使ç¨æä¾çå¯é¥å iv å¨ COUNTER åå¯ç 模å¼ä¸ä½¿ç¨ Camellia 192 ç®æ³å å¯æ件
$ openssl enc -camellia-192-ctr -in cleartext.file -out ciphertext.file -K 6c7a1b3487d28d3bf444186d7c529b48d67dd6206c7a1b34 -iv 470bc29762496046882b61ecee68e07c
为ç§é¥çæ DSA åæ°ã 2048 ä½é¿åº¦
$ openssl dsaparam -out dsaparam.pem 2048
çæç¨äºç¾ç½²ææ¡£ç DSA å ¬ç§å¯é¥å¹¶ä½¿ç¨ AES128 ç®æ³å¯¹å ¶è¿è¡ä¿æ¤
$ openssl gendsa -out dsaprivatekey.pem -aes-128-cbc dsaparam.pem
å°DSAå ¬ç§é¥æ件çå ¬é¥å¤å¶å°å¦ä¸ä¸ªæ件ä¸
$ openssl dsa -in dsaprivatekey.pem -pubout -out dsapublickey.pem
æå°åº DSA å¯é¥å¯¹æ件çå 容
$ openssl dsa -in dsaprivatekey.pem -text -noout
ä½¿ç¨ RSA ç§é¥å¯¹æ件ç sha-256 åå¸è¿è¡ç¾å
$ openssl dgst -sha256 -sign rsakey.key -out signature.data document.pdf
使ç¨å ¬é¥éªè¯ SHA-256 æ件ç¾å
$ openssl dgst -sha256 -verify publickey.pem -signature signature.data original.file
ä½¿ç¨ DSA ç§é¥å¯¹æ件ç sha3-512 åå¸è¿è¡ç¾å
$ openssl pkeyutl -sign -pkeyopt digest:sha3-512 -in document.docx -inkey dsaprivatekey.pem -out signature.data
éªè¯ DSA ç¾å
$ openssl pkeyutl -verify -sigfile dsasignature.data -inkey dsakey.pem -in document.docx
ä½¿ç¨ P-384 æ¤åæ²çº¿å建ç§é¥
$ openssl ecparam -name secp384r1 -genkey -out ecP384priv.key
使ç¨3DESç®æ³å å¯ç§é¥
$ openssl ec -in ecP384priv.key -des3 -out ecP384priv_enc.key
使ç¨å¸¦æçæå¯é¥çæ¤åæ²çº¿å¯¹ PDF æ件è¿è¡ç¾å
$ openssl pkeyutl -sign -inkey ecP384priv_enc.key -pkeyopt digest:sha3-512 -in document.pdf -out signature.data
éªè¯æ件çç¾åã å¦æ没é®é¢ï¼æ¨å¿ é¡»æ¶å°âç¾åéªè¯æåâ
$ openssl pkeyutl -verify -in document.pdf -sigfile signature.data -inkey ecP384priv_enc.key
çæ CSR æ件å 4096 ä½ RSA å¯é¥å¯¹
$ openssl req -newkey rsa:4096 -keyout private.key -out request.csr
æ¾ç¤ºè¯ä¹¦ç¾åè¯·æ± ( CSR ) å 容
$ openssl req -text -noout -in request.csr
æ¾ç¤º CSR æ件ä¸å å«çå ¬é¥
$ openssl req -pubkey -noout -in request.csr
使ç¨ç°æç§é¥å建è¯ä¹¦ç¾åè¯·æ± ( CSR )ã å½æ¨éè¦å¨ä¸æ´æ¹ç§é¥çæ åµä¸æ´æ°å ¬å ±æ°åè¯ä¹¦æ¶ï¼è¿ä¼å¾æç¨
$ openssl req -new -key private.key -out request.csr
å建 EC P384 æ²çº¿åæ°æ件以å¨ä¸ä¸æ¥ä¸ä½¿ç¨æ¤åæ²çº¿çæ CSR
$ openssl genpkey -genparam -algorithm EC -out EC_params.pem -pkeyopt ec_paramgen_curve:secp384r1 -pkeyopt ec_param_enc:named_curve
使ç¨å¨ä¸ä¸æ¥ä¸å建çæ¤åæ²çº¿ P384 åæ°æ件å建 CSR æ件ã èä¸æ¯ä½¿ç¨ RSA å¯é¥ã
$ openssl req -newkey ec:EC_params.pem -keyout EC_P384_priv.key -out EC_request.csr
å建èªç¾åè¯ä¹¦ï¼æ°ç 2048 ä½ RSA å¯é¥å¯¹ï¼æææ为ä¸å¹´
$ openssl req -newkey rsa:2048 -nodes -keyout priv.key -x509 -days 365 -out cert.crt
ä½¿ç¨ CSR æ件åç¨äºç¾åçç§é¥å建并ç¾ç½²æ°è¯ä¹¦ï¼æ¨å¿ é¡»åå¤å¥½ openssl.cnf æ件ï¼
$ openssl ca -in request.csr -out certificate.crt -config ./CA/config/openssl.cnf
æ¾ç¤ºPEMæ ¼å¼è¯ä¹¦ä¿¡æ¯
$ openssl x509 -text -noout -in cert.crt
以 Abstract Sintax Notation One (ASN.1) æ¾ç¤ºè¯ä¹¦ä¿¡æ¯
$ openssl asn1parse -in cert.crt
æåè¯ä¹¦çå ¬é¥
$ openssl x509 -pubkey -noout -in cert.crt
å¨è¯ä¹¦ä¸æåå ¬é¥ç模æ°
$ openssl x509 -modulus -noout -in cert.crt
ä» HTTPS/TLS è¿æ¥ä¸æååè¯ä¹¦
$ openssl s_client -connect domain.com:443 | openssl x509 -out certificate.crt
å°è¯ä¹¦ä» PEM æ ¼å¼è½¬æ¢ä¸º DER æ ¼å¼
$ openssl x509 -inform PEM -outform DER -in cert.crt -out cert.der
æ£æ¥è¯ä¹¦å ¬é¥æ¯å¦ä¸ç§é¥å请æ±æ件å¹é ã æ¯ä¸ªæ件ä¸æ¥ã å¿ é¡»å¨è¾åºåå¸ä¸å¹é
$ openssl x509 -modulus -in certificate.crt -noout | openssl dgst -sha256
$ openssl rsa -modulus -in private.key -noout | openssl dgst -sha256
$ openssl req -modulus -in request.csr -noout | openssl dgst -sha256
ååºæææ¯æçå¯ç å¥ä»¶
$ openssl ciphers -V 'ALL'
ååº AES æ¯æçææå¯ç å¥ä»¶
$ openssl ciphers -V 'AES'
ååºæææ¯æ CAMELLIA å SHA256 ç®æ³çå¯ç å¥ä»¶ã
$ openssl ciphers -V 'CAMELLIA+SHA256'
使ç¨ç«¯å£ 443 (HTTPS) ä¸æå¡å¨ç TLS è¿æ¥
$ openssl s_client -connect domain.com:443
ä½¿ç¨ v1.2 ä¸æå¡å¨ç TLS è¿æ¥
$ openssl s_client -tls1_2 -connect domain.com:443
TLS è¿æ¥åç¦ç¨ v1.0
$ openssl s_client -no_tls1 domain.com:443
使ç¨ç¹å®å¯ç å¥ä»¶ç TLS è¿æ¥
$ openssl s_client -cipher DHE-RSA-AES256-GCM-SHA384 domain.com:443
æ¾ç¤ºæå¡å¨æä¾çææè¯ä¹¦ç TLS è¿æ¥
$ openssl s_client -showcerts domain.com:443
使ç¨è¯ä¹¦ãç§é¥åä» æ¯æ TLS 1.2 设置çå¬ç«¯å£ä»¥æ¥æ¶ TLS è¿æ¥
$ openssl s_server -port 443 -cert cert.crt -key priv.key -tls1_2
ä» HTTPS/TLS è¿æ¥ä¸æååè¯ä¹¦
$ openssl s_client -connect domain.com:443 | openssl x509 -out certificate.crt
nmap å½ä»¤ï¼éè¿ HTTPS/TLS è¿æ¥æ¾ç¤ºå¯ç¨çå¯ç å¥ä»¶
$ nmap --script ssl-enum-ciphers -p 443 domain.com
nmap å½ä»¤ï¼ä½¿ç¨ SNI éè¿ TLS (HTTPS) è¿æ¥æ¾ç¤ºå¯ç¨çå¯ç å¥ä»¶ã ï¼å°å ¶æ´æ¹ä¸ºæéç IP åååï¼
$ nmap --script ssl-enum-ciphers --script-args=tls.servername=domain.com 172.67.129.11
å°è¯ä¹¦ä» PEM (base64) æ ¼å¼è½¬æ¢ä¸º DERï¼äºè¿å¶ï¼æ ¼å¼
$ openssl x509 -in certifÂicaÂte.pem -outform DER -out certifÂicaÂte.der
å°è¯ä¹¦åç§é¥æå ¥ PKCS #12 æ ¼å¼æ件ã è¿äºæ件å¯ä»¥å¯¼å ¥å° Windows è¯ä¹¦ç®¡çå¨æ Java Key Store (jks) æ件ä¸
$ openssl pkcs12 -export -out cert_key.p12 -inkey private.key -in certificate.crt
æ¾ç¤º PKCS #12 æ件çå 容
$ openssl pkcs12 -in cert_kÂey.p12
å° .p12 æ件转æ¢ä¸º Java Key Storeã æ¤å½ä»¤ä½¿ç¨ java keytool èä¸æ¯ opensslã
keytool -importkeystore -destkeystore javakeystore.jks -srckeystore cert_key.p12 -srcstoretype pkcs12
å° PEM è¯ä¹¦è½¬æ¢ä¸º PKCS #7 æ ¼å¼
$ openssl crl2pkcs7 -nocrl -certfile certificate.crt -out cert.p7b
å° PKCS #7 æä»¶ä» PEM 转æ¢ä¸º DER
$ openssl pkcs7 -in cert.p7b -outform DER -out p7.der
使ç¨å ·æè¯ä¹¦æ©å±åçå½ä»¤å° cert.xxx æ¿æ¢ä¸ºè¯ä¹¦å称
$ openssl x509 -in cert.pem -text -noout
$ openssl x509 -in cert.cer -text -noout
$ openssl x509 -in cert.crt -text -noout
å¦ææ¨æ¶å°ä»¥ä¸é误ï¼å表示æ¨æ£å¨å°è¯æ¥ç DER ç¼ç çè¯ä¹¦ï¼å¹¶ä¸éè¦ä½¿ç¨ä¸é¢âæ¥ç DER ç¼ç çè¯ä¹¦âé¨åä¸çå½ä»¤ï¼
unable to load certificate
12626:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:647:Expecting: TRUSTED CERTIFICATE View DER encoded Certificate
openssl x509 -in certificate.der -inform der -text -noout
å¦ææ¨æ¶å°ä»¥ä¸é误ï¼å表示æ¨æ£å¨å°è¯ä½¿ç¨ç¨äº DER ç¼ç è¯ä¹¦çå½ä»¤æ¥ç PEM ç¼ç è¯ä¹¦ã 使ç¨ä¸é¢âæ¥ç PEM ç¼ç è¯ä¹¦âé¨åä¸çå½ä»¤ï¼
unable to load certificate
13978:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:1306:
13978:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:380:Type=X509
# subject + issuer
openssl crl2pkcs7 -nocrl -certfile host.domain.tld-ca-chain.pem | openssl pkcs7 -print_certs -noout
# full public keys
openssl crl2pkcs7 -nocrl -certfile host.domain.tld-ca-chain.pem | openssl pkcs7 -print_certs -text -noout
å° DER æ件 (.crt .cer .der) 转æ¢ä¸º PEM
openssl x509 -inform der -in certificate.cer -out certificate.pem
å° PEM æ件转æ¢ä¸º DER
openssl x509 -outform der -in certificate.pem -out certificate.der
å°å å«ç§é¥åè¯ä¹¦ç PKCS#12 æ件 (.pfx .p12) 转æ¢ä¸º PEM
openssl pkcs12 -in keyStore.pfx -out keyStore.pem -nodes
# æ¨å¯ä»¥æ·»å -nocerts 以ä»
è¾åºç§é¥ææ·»å -nokeys 以ä»
è¾åºè¯ä¹¦
å° PEM è¯ä¹¦æ件åç§é¥è½¬æ¢ä¸º PKCS#12 (.pfx .p12)
openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt
å° PEM 转æ¢ä¸º CRTï¼.CRT æ件ï¼
openssl x509 -outform der -in certificate.pem -out certificate.crt
å° PEM 转æ¢ä¸º DER
$ openssl x509 -outform der -in certificate.pem -out certificate.der
å° PEM 转æ¢ä¸º P7B
$ openssl crl2pkcs7 -nocrl -certfile certificate.cer -out certificate.p7b -certfile CACert.cer
å° PEM 转æ¢ä¸º PFX
$ openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt
å° DER 转æ¢ä¸º PEM
$ openssl x509 -inform der -in certificate.cer -out certificate.pem
å° PFX 转æ¢ä¸º PEM
$ openssl pkcs12 -in certificate.pfx -out certificate.cer -nodes
å° P7B 转æ¢ä¸º PEM
$ openssl pkcs7 -print_certs -in certificate.p7b -out certificate.cer
å° P7B 转æ¢æ PFX
$ openssl pkcs7 -print_certs -in certificate.p7b -out certificate.cer
$ openssl pkcs12 -export -in certificate.cer -inkey privateKey.key -out certificate.pfx -certfile CACert.cer
å¨å½ä»¤è¡ä¸ä½¿ç¨ OpenSSL æ¨é¦å
éè¦çæå
¬é¥åç§é¥ã æ¨åºè¯¥ä½¿ç¨ -passout åæ°å¯¹è¿ä¸ªæ件è¿è¡å¯ç ä¿æ¤ï¼è¿ä¸ªåæ°å¯ä»¥éç¨è®¸å¤ä¸åçå½¢å¼ï¼å æ¤è¯·æ¥é
OpenSSL ææ¡£
$ openssl genrsa -out private.pem 4096
è¿å°å建ä¸ä¸ªå为 private.pem çå¯é¥æ件ï¼å®ä½¿ç¨ 4096 ä½ã è¿ä¸ªæ件å®é ä¸æç§é¥åå ¬é¥ï¼æä»¥ä½ åºè¯¥ä»è¿ä¸ªæ件ä¸æåå ¬é¥ï¼
$ openssl rsa -in private.pem -out public.pem -outform PEM -pubout
# or
$ openssl rsa -in private.pem -pubout > public.pem
# or
$ openssl rsa -in private.pem -pubout -out public.pem
æ¨ç°å¨å°æ¥æä» å å«æ¨çå ¬é¥ç public.pemï¼æ¨å¯ä»¥ä¸ç¬¬ 3 æ¹èªç±å ±äº«ã æ¨å¯ä»¥éè¿ä½¿ç¨æ¨çå ¬é¥èªå·±å å¯ä¸äºä¸è¥¿ç¶å使ç¨æ¨çç§é¥è§£å¯æ¥æµè¯è¿ä¸åï¼é¦å æ们éè¦ä¸äºæ°æ®æ¥å å¯ï¼
示ä¾æ件ï¼
$ echo 'too many secrets' > file.txt
æ¨ç°å¨å¨ file.txt ä¸æä¸äºæ°æ®ï¼è®©æä»¬ä½¿ç¨ OpenSSL åå ¬é¥å¯¹å ¶è¿è¡å å¯ï¼
$ openssl rsautl -encrypt -inkey public.pem -pubin -in file.txt -out file.ssl
è¿ä¼å建ä¸ä¸ª file.txt çå å¯çæ¬ï¼ç§°ä¸º file.sslï¼å¦æä½ çè¿ä¸ªæ件ï¼å®åªæ¯äºè¿å¶åå¾ï¼å¯¹ä»»ä½äººé½æ²¡æä»ä¹ç¨å¤ã ç°å¨æ¨å¯ä»¥ä½¿ç¨ç§é¥å¯¹å ¶è¿è¡è§£å¯ï¼
$ openssl rsautl -decrypt -inkey private.pem -in file.ssl -out decrypted.txt
æ¨ç°å¨å°å¨ decrypted.txt ä¸æä¸ä¸ªæªå å¯çæ件ï¼
cat decrypted.txt
|output -> too many secrets
NAME
$ rsa - RSA key processing tool
SYNOPSIS æ¦è¦
$ openssl rsa [-help] [-inform PEM|NET|DER] [-outform PEM|NET|DER] [-in filename] [-passin arg] [-out filename] [-passout arg] [-aes128] [-aes192] [-aes256] [-camellia128] [-camellia192] [-camellia256] [-des] [-des3] [-idea] [-text] [-noout] [-modulus] [-check] [-pubin] [-pubout] [-RSAPublicKey_in] [-RSAPublicKey_out] [-engine id]
DESCRIPTION æè¿°
rsa å½ä»¤å¤ç RSA å¯é¥ã å®ä»¬å¯ä»¥å¨åç§å½¢å¼ä¹é´è½¬æ¢ï¼å¹¶ä¸å¯ä»¥æå°åºå®ä»¬çç»æé¨åã
请注æï¼æ¤å½ä»¤ä½¿ç¨ä¼ ç»ç SSLeay å
¼å®¹æ ¼å¼è¿è¡ç§é¥å å¯ï¼è¾æ°çåºç¨ç¨åº
åºè¯¥ä½¿ç¨ pkcs8 å®ç¨ç¨åºä½¿ç¨æ´å®å
¨ç PKCS#8 æ ¼å¼ã
COMMAND OPTIONS å½ä»¤é项
-help
#> æå°åºä½¿ç¨ä¿¡æ¯ã
-inform DER|NET|PEM
#> è¿æå®äºè¾å
¥æ ¼å¼ã DER é项使ç¨ä¸ PKCS #1 RSAPrivateKey æ SubjectPublicKeyInfo æ ¼å¼å
¼å®¹ç ASN1 DER ç¼ç å½¢å¼ã PEM å½¢å¼æ¯é»è®¤æ ¼å¼ï¼å®ç± DER æ ¼å¼ base64 ç¼ç ï¼å¹¶å¸¦æé¢å¤ç页çå页èè¡ã è¾å
¥ PKCS#8 æ ¼å¼çç§é¥ä¹ æ¥åã NET å½¢å¼æ¯ä¸ç§å¨æ³¨éé¨åä¸æè¿°çæ ¼å¼ã
-outform DER|NET|PEM
#> è¿æå®äºè¾åºæ ¼å¼ï¼éé¡¹ä¸ -inform é项å
·æç¸åçå«ä¹ã
-in filename
#> å¦ææªæå®æ¤é项ï¼è¿å°æå®è¦ä»ä¸è¯»åå¯é¥çè¾å
¥æ件åææ åè¾å
¥ã å¦æå¯é¥è¢«å å¯ï¼å°æ示è¾å
¥å¯ç ã
-passin arg
#> è¾å
¥æ件å¯ç æºãæå
³ arg æ ¼å¼çæ´å¤ä¿¡æ¯ï¼è¯·åé
openssl ä¸ç PASS PHRASE ARGUMENTS é¨åã
-out filename
#> å¦ææªæå®æ¤é项ï¼è¿å°æå®è¦åå
¥å¯é¥çè¾åºæ件åææ åè¾åºãå¦æ设置äºä»»ä½å å¯é项ï¼åä¼æ示è¾å
¥å¯ç ãè¾åºæ件åä¸åºä¸è¾å
¥æ件åç¸åã
-passout password
#> è¾åºæ件å¯ç æºãæå
³ arg æ ¼å¼çæ´å¤ä¿¡æ¯ï¼è¯·åé
openssl ä¸ç PASS PHRASE ARGUMENTS é¨åã
-aes128|-aes192|-aes256|-camellia128|-camellia192|-camellia256|-des|-des3|-idea
#> è¿äºé项å¨è¾åºä¹å使ç¨æå®çå¯ç å å¯ç§é¥ãæ示è¾å
¥å¯ç ãå¦ææªæå®è¿äºé项ï¼åå¯é¥å°ä»¥çº¯ææ¬å½¢å¼åå
¥ãè¿æå³çä½¿ç¨ rsa å®ç¨ç¨åºè¯»å没æå å¯é项çå å¯å¯é¥å¯ç¨äºä»å¯é¥ä¸å é¤å¯ç çè¯ï¼æè
éè¿è®¾ç½®å¯ç¨äºæ·»å ææ´æ¹å¯ç çè¯çå å¯é项ãè¿äºé项åªè½ç¨äº PEM æ ¼å¼çè¾åºæ件ã
-text
#> é¤äºç¼ç çæ¬ä¹å¤ï¼è¿ä»¥çº¯ææ¬å½¢å¼æå°åºåç§å
¬é¥æç§é¥ç»ä»¶ã
-noout
#> æ¤é项å¯é²æ¢è¾åºå¯é¥çç¼ç çæ¬ã
-modulus
#> æ¤é项æå°åºå¯é¥æ¨¡æ°çå¼ã
-check
#> æ¤é项æ£æ¥ RSA ç§é¥çä¸è´æ§ã
-pubin
#> é»è®¤æ
åµä¸ï¼ä»è¾å
¥æ件ä¸è¯»åç§é¥ï¼ä½¿ç¨æ¤é项ï¼æ¹ä¸ºè¯»åå
¬é¥ã
-pubout
#> é»è®¤æ
åµä¸è¾åºç§é¥ï¼ä½¿ç¨æ¤é项å°è¾åºå
¬é¥ã å¦æè¾å
¥æ¯å
¬é¥ï¼åä¼èªå¨è®¾ç½®æ¤é项ã
-RSAPublicKey_in, -RSAPublicKey_out
#> ç±»ä¼¼äº -pubin å -puboutï¼é¤äºä½¿ç¨ RSAPublicKey æ ¼å¼ã
-engine id
#> æå®å¼æï¼éè¿å
¶å¯ä¸ ID å符串ï¼å°å¯¼è´ rsa å°è¯è·å对æå®å¼æçåè½å¼ç¨ï¼ä»èå¨éè¦æ¶å¯¹å
¶è¿è¡åå§åã ç¶åå¼æå°è¢«è®¾ç½®ä¸ºææå¯ç¨ç®æ³çé»è®¤å¼ã
-aes128-aes192-aes256-des3-desè¦å é¤ RSA ç§é¥ä¸çå¯ç çè¯ï¼
$ openssl rsa -in key.pem -out keyout.pem
è¦ä½¿ç¨ä¸é DES å å¯ç§é¥ï¼
$ openssl rsa -in key.pem -des3 -out keyout.pem
è¦å°ç§é¥ä» PEM æ ¼å¼è½¬æ¢ä¸º DER æ ¼å¼ï¼
$ openssl rsa -in key.pem -outform DER -out keyout.der
å°ç§é¥çç»ä»¶æå°å°æ åè¾åºï¼
$ openssl rsa -in key.pem -text -noout
ä» è¾åºç§é¥çå ¬å ±é¨åï¼
$ openssl rsa -in key.pem -pubout -out pubkey.pem
以 RSAPublicKey æ ¼å¼è¾åºç§é¥çå ¬å ±é¨åï¼
$ openssl rsa -in key.pem -RSAPublicKey_out -out pubkey.pem
-----BEGIN RSA PUBLIC KEY-----
-----END RSA PUBLIC KEY-----
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
-----END RSA PRIVATE KEY-----
为äºè®© OpenSSL å°å ¶è¯å«ä¸º PEM æ ¼å¼ï¼å®å¿ é¡»ä½¿ç¨ Base64 è¿è¡ç¼ç ï¼å¹¶å¸¦æ以ä¸æ 头ï¼
-----BEGIN CERTIFICATE-----
and footer :
-----END CERTIFICATE-----
æ¤å¤ï¼æ¯è¡çé¿åº¦ä¸å¾è¶ è¿ 79 个å符ã å¦åä½ ä¼æ¶å°é误ï¼
2675996:error:0906D064:PEM routines:PEM_read_bio:bad base64 decode:pem_lib.c:818:
注æï¼PEM æ å (RFC1421) è¦æ±è¡é¿åº¦ä¸º 64 个å符ã å¯ä»¥ä½¿ç¨ UNIX å½ä»¤è¡å®ç¨ç¨åºè½¬æ¢åå¨ä¸ºåè¡ç PEM è¯ä¹¦ï¼
$ fold -w 64
-----BEGIN X509 CRL-----
-----END X509 CRL-----
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE REQUEST-----
-----END CERTIFICATE REQUEST-----
-----BEGIN NEW CERTIFICATE REQUEST-----
-----END NEW CERTIFICATE REQUEST-----
-----END RSA PRIVATE KEY-----
-----BEGIN RSA PRIVATE KEY-----
-----BEGIN PKCS7-----
-----END PKCS7-----
-----BEGIN PRIVATE KEY-----
-----END PRIVATE KEY-----
-----BEGIN DSA PRIVATE KEY-----
-----END DSA PRIVATE KEY-----
-----BEGIN EC PRIVATE KEY-----
-----BEGIN EC PRIVATE KEY-----
-----BEGIN PGP PRIVATE KEY BLOCK-----
-----END PGP PRIVATE KEY BLOCK-----
-----BEGIN PGP PUBLIC KEY BLOCK-----
-----END PGP PUBLIC KEY BLOCK-----
å¨å»ºç« SSL/TLS è¿æ¥ä¹åï¼å®¢æ·ç«¯éè¦ç¡®ä¿æ¶å°çè¯ä¹¦ææã为äºåå°è¿ä¸ç¹ï¼å®¢æ·ç«¯ä¸ä» è¦éªè¯å ¶å ¬é¥ççå®æ§ï¼è¿è¦éªè¯ä¸ä¹ç¸å ³çå ¶ä»å æ°æ®ï¼äºè§£è¿ä¸ç¹å¯¹äºäºè§£å ¸åæ°åè¯ä¹¦çå 容å¾éè¦ï¼ï¼
ç¾åéªè¯ è¿ç¡®ä¿äºè¯ä¹¦æ²¡æ以任ä½æ¹å¼è¢«æ´æ¹è¯ä¹¦å°æªè¿æ å½è¯ä¹¦ç± CA é¢åæ¶ï¼å®ä¼æå®ä¸ä¸ªå°ææ¥æè¯ä¹¦ä¸»é¢ä¸ä¸»æºåå¹é
è¯ä¹¦æ¯ä¸ºç¹å®æå¡å¨é¢åçãå æ¤ï¼è¯ä¹¦ä¸»é¢å称éè¦ä¸å®¢æ·ç«¯å°è¯è¿æ¥ç URL ç¸å¹é
å®æ²¡æ被æ¤é ææ¶è¯ä¹¦å¯ä»¥å¨ä»»ä½éè¦çæ
åµä¸è¢«å
¶é¢åè
æ¤éï¼ä¾å¦ï¼å
³èçç§é¥å·²è¢«å
¬å¼ï¼å æ¤è¯ä¹¦æ æï¼å®ç±åä¿¡ä»»ç CA ç¾å 为äºè¯æè¯ä¹¦ççå®æ§ï¼æ们éè¦è·å CA è¯ä¹¦å¹¶éªè¯å
¶å¯ä¿¡åº¦ãç¶èå¨ PKI ä¸æä¸ä¸ªä¿¡ä»»é¾çæ¦å¿µï¼å æ¤ CA è¯ä¹¦å¯è½æ¯ç±å¦ä¸ä¸ª CA é¢åçãå æ¤æ们éè¦è·å¾å¦ä¸ä¸ª CA çè¯ä¹¦å¹¶éªè¯å®ãä¾æ¤ç±»æ¨â¦â¦å æ¤ï¼ä¸ºäºä¿¡ä»»è¯ä¹¦ï¼æ们éè¦ä¸ç´å¯¼èªå°æ ¹ CAãæåï¼å¦ææä»¬ä¿¡ä»»æ ¹ CAï¼å¯ä»¥è¯å®å°è¯´æ们信任æ´ä¸ªé¾a) æ¨çæ´ä¸ª CA é¾å¨ä¸ä¸ªæ件ä¸ï¼å®é çç½ç»æå¡å¨æ客æ·ç«¯è¯ä¹¦å¨å¦ä¸ä¸ªæ件ä¸
$ openssl verify -untrusted ca-chain.pem 客æ·ç«¯è¯ä¹¦.pem
b) åç¬æ件ä¸çæ ¹è¯ä¹¦åä¸é´è¯ä¹¦ä»¥åå¦ä¸ä¸ªæ件ä¸çå®é ç½ç»æå¡å¨æ客æ·ç«¯è¯ä¹¦
$ openssl verify -CAfile root.pem -untrusted intermediate-chain.pem client-cert.pem
å¦ææ¨æå¤ä¸ªä¸é´ CAï¼ä¾å¦ root.pem -> intermediate1.pem -> intermediate2.pem -> client-cert.pemï¼ï¼å°å®ä»¬è¿æ¥å°ä¸ä¸ªæ件ä¸å¹¶éè¿ï¼-untrusted intermediate-chain.pem ææ§è¡å®ä¸ catï¼
$ openssl verify -CAfile root.pem -untrusted <(cat intermediate1.pem intermediate2.pem) client-cert.pem
å®ä¾
$ openssl verify -CAfile letsencrypt-root-cert/isrgrootx1.pem.txt -untrusted letsencrypt-intermediate-cert/letsencryptauthorityx3.pem.txt /etc/letsencrypt/live/sitename.tld/cert.pem
/etc/letsencrypt/live/sitename.tld/cert.pem: OK
$ openssl x509 -enddate -noout -in file.pem
è¿æ¯æç bash å½ä»¤è¡ï¼ç¨äºæè¿æ顺åºååºå¤ä¸ªè¯ä¹¦ï¼æè¿è¿æçè¯ä¹¦æå è¿æã
for pem in /etc/ssl/certs/*.pem; do
printf '%s: %s\n' \
"$(date --date="$(openssl x509 -enddate -noout -in "$pem"|cut -d= -f 2)" --iso-8601)" \
"$pem"
done | sort
示ä¾è¾åºï¼
2015-12-16: /etc/ssl/certs/Staat_der_Nederlanden_Root_CA.pem
2016-03-22: /etc/ssl/certs/CA_Disig.pem
2016-08-14: /etc/ssl/certs/EBG_Elektronik_Sertifika_Hizmet_S.pem
è¿æ¯ä¸ä¸ª bash å½æ°ï¼å®ä¼æ£æ¥ä½ ææçæå¡å¨ï¼åè®¾ä½ æ£å¨ä½¿ç¨ DNS 循ç¯æ³ã 请注æï¼è¿éè¦ GNU æ¥æ并ä¸ä¸è½å¨ Mac OS ä¸è¿è¡
function check_certs () {
if [ -z "$1" ]
then
echo "domain name missing"
exit 1
fi
name="$1"
shift
now_epoch=$( date +%s )
dig +noall +answer $name | while read _ _ _ _ ip;
do
echo -n "$ip:"
expiry_date=$( echo | openssl s_client -showcerts -servername $name -connect $ip:443 2>/dev/null | openssl x509 -inform pem -noout -enddate | cut -d "=" -f 2 )
echo -n " $expiry_date";
expiry_epoch=$( date -d "$expiry_date" +%s )
expiry_days="$(( ($expiry_epoch - $now_epoch) / (3600 * 24) ))"
echo " $expiry_days days"
done
}
è¾åºç¤ºä¾ï¼
$ check_certs stackoverflow.com
151.101.1.69: Aug 14 12:00:00 2019 GMT 603 days
151.101.65.69: Aug 14 12:00:00 2019 GMT 603 days
151.101.129.69: Aug 14 12:00:00 2019 GMT 603 days
151.101.193.69: Aug 14 12:00:00 2019 GMT 603 days
curl --insecure -v https://www.google.com 2>&1 | awk 'BEGIN { cert=0 } /^\* Server certificate:/ { cert=1 } /^\*/ { if (cert) print }'
* Server certificate:
* subject: C=US; ST=California; L=Mountain View; O=Google LLC; CN=www.google.com
* start date: Mar 1 09:46:35 2019 GMT
* expire date: May 24 09:25:00 2019 GMT
* issuer: C=US; O=Google Trust Services; CN=Google Internet Authority G3
* SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x7ff5dc803600)
* Connection state changed (MAX_CONCURRENT_STREAMS updated)!
* Connection #0 to host www.google.com left intact
æ¨éè¦ä¸º curl æä¾æ´ä¸ªè¯ä¹¦é¾ï¼å 为 curl ä¸åéå¸¦ä»»ä½ CA è¯ä¹¦ã ç±äº cacert é项åªè½ä½¿ç¨ä¸ä¸ªæ件ï¼å æ¤æ¨éè¦å°å®æ´çé¾ä¿¡æ¯è¿æ¥å° 1 个æ件ä¸ã ä» https://curl.haxx.se/ca/cacert.pem è·åæ ¹ CA è¯ä¹¦å ã
$ curl --cacert certRepo -u user:passwd -X GET -H 'Content-Type: application/json' "https//somesecureserver.com/rest/field"
å¦æè¿ç¨æå¡å¨ä½¿ç¨ SNIï¼å³å¨ä¸ä¸ª IP å°åä¸å
±äº«å¤ä¸ª SSL 主æºï¼ï¼æ¨å°éè¦åéæ£ç¡®ç主æºå以è·å¾æ£ç¡®çè¯ä¹¦ï¼-servername é项ç¨äºå¯ç¨ SNI æ¯æï¼ã
$ openssl s_client -showcerts -servername www.example.com -connect www.example.com:443 </dev/null
å¦æè¿ç¨æå¡å¨æ²¡æä½¿ç¨ SNIï¼é£ä¹ä½ å¯ä»¥è·³è¿ -servername åæ°ï¼
openssl s_client -showcerts -connect www.example.com:443 </dev/null
è¦æ¥çç«ç¹è¯ä¹¦çå®æ´è¯¦ç»ä¿¡æ¯ï¼æ¨ä¹å¯ä»¥ä½¿ç¨ä»¥ä¸å½ä»¤é¾ï¼
$ echo | \
openssl s_client -servername www.example.com -connect www.example.com:443 2>/dev/null | \
openssl x509 -text
对äºå¸¦æ starttls ç SMTPï¼è¯·ä½¿ç¨ï¼
$ openssl s_client -connect server:port -starttls smtp
å¯¹äº Client Auth ä¿æ¤çèµæºï¼è¯·ä½¿ç¨ï¼
$ openssl s_client -connect host:port -key our_private_key.pem -showcerts \
-cert our_server-signed_cert.pem
-prexit ä¹ä¼è¿åæ°æ®ï¼
$ openssl s_client -connect host:port -prexit
å¸ææ¨æ°¸è¿ä¸ä¼éå°ä¸ç¥éç¨äºçæ TLS è¯ä¹¦çç§é¥çæ åµï¼ä½å¦ææ¨ç¥éâ¦â¦è¿éæ¯æ¨å¯ä»¥æ£æ¥çæ¹æ³ã
注æï¼è¿æ¯å°è¯ä¹¦ä¸ä¼ å°ç产ç¯å¢ä»¥æ£æ¥å®ä»¬æ´å¥½ð
å设æ们已ç»çæäºä¸ä¸ªå为 example.com.key çç§é¥åä¸ä¸ªå为 example.com.crt çè¯ä¹¦ï¼æ们å¯ä»¥ä½¿ç¨ openssl æ£æ¥ MD5 åå¸å¼æ¯å¦ç¸åï¼
$ openssl x509 -noout -modulus -in example.com.crt | openssl md5
$ openssl rsa -noout -modulus -in example.com.key | openssl md5
为äºè®©äºæ åå¾æ´å¥½ï¼ä½ å¯ä»¥åä¸ä¸ªèæ¬ï¼
#!/bin/bash
CERT_MD5=$(openssl x509 -noout -modulus -in example.com.crt | openssl md5)
KEY_MD5=$(openssl rsa -noout -modulus -in example.com.key | openssl md5)
if [ "$CERT_MD5" == "$KEY_MD5" ]; then
echo "Private key matches certificate"
else
echo "Private key does not match certificate"
fi
$ keytool -importcert -file certificate.cer -keystore keystore.jks -alias "Alias"
$ ..\..\bin\keytool -import -trustcacerts -keystore cacerts -storepass changeit -noprompt -alias yourAliasName -file path\to\certificate.cer
$ keytool -import -alias joe -file mycert.cer -keystore mycerts -storepass changeit
certstrap å建å¼åè¯ä¹¦$ brew install certstrap
$ certstrap init --common-name "ExampleDevCA" --expires "10 years" -o "My Tech Inc." -c "DE" -l "Muenchen" --st "Bayern" --stdout
$ certstrap request-cert --common-name "example.localhost" -o "My Tech Inc." -c "DE" -l "Muenchen" --st "Bayern" --stdout --domain "*.example.localhost","example.localhost","localhost"
$ certstrap sign "example.localhost" --CA ExampleDevCA
mkcert å建å¼åè¯ä¹¦$ brew install mkcert
$ mkcert "*.example.localhost"
# Clean up with:
$ rm -vrf "$HOME/Library/Application Support/mkcert" _wildcard.example*