openssl certificate
1, Introduction to openssl
OpenSSL is currently the most popular SSL cryptographic library and toolkit. It provides a general-purpose, robust and full-featured tool suite that supports implementing the SSL/TLS protocols.
Official website: https://www.openssl.org/source/
Component
Cryptographic algorithm library
Key and certificate encapsulation management function
SSL communication API interface
Purpose
Establish RSA, DH and DSA key parameters
Establish X.509 certificates, certificate signing requests (CSRs) and CRLs (certificate revocation lists)
Calculate message digests
Encryption / decryption using various ciphers
SSL/TLS client and server testing
Process S/MIME or encrypted mail
2, RSA key operation
By default, the output format of openssl is PKCS#1-PEM
Generate RSA private key (no encryption)
openssl genrsa -out rsa_private.key 2048
Generate RSA public key
openssl rsa -in rsa_private.key -pubout -out rsa_public.key
Generate RSA private key (encrypted with aes256)
openssl genrsa -aes256 -passout pass:111111 -out rsa_aes_private.key 2048
-passout supplies the password on the command line instead of entering it in the shell; without it you will be prompted to enter the password;
The generated encrypted key looks like this:
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,5584D000DDDD53DD5B12AE935F05A007
Base64 Encoded Data
-----END RSA PRIVATE KEY-----
To generate the public key from this encrypted key, the password must be provided
openssl rsa -in rsa_aes_private.key -passin pass:111111 -pubout -out rsa_public.key
-passin supplies the password on the command line instead of entering it in the shell; without it you will be prompted to enter the password;
Conversion command
Private key to unencrypted
openssl rsa -in rsa_aes_private.key -passin pass:111111 -out rsa_private.key
Private key encryption
openssl rsa -in rsa_private.key -aes256 -passout pass:111111 -out rsa_aes_private.key
Private key PEM to DER
openssl rsa -in rsa_private.key -outform der -out rsa_aes_private.der
The input / output format is determined by the -inform and -outform parameters, and the same is true for the conversion from der to pem format
View private key details
openssl rsa -in rsa_private.key -noout -text
Use the -pubin parameter to view the public key details
Private key PKCS#1 to PKCS#8
openssl pkcs8 -topk8 -in rsa_private.key -passout pass:111111 -out pkcs8_private.key
Here -passout specifies the password, and the output pkcs8-format key is encrypted. pkcs8 uses the des3 encryption algorithm by default, as follows:
-----BEGIN ENCRYPTED PRIVATE KEY-----
Base64 Encoded Data
-----END ENCRYPTED PRIVATE KEY-----
Use the -nocrypt parameter to output the unencrypted pkcs8 key as follows:
-----BEGIN PRIVATE KEY-----
Base64 Encoded Data
-----END PRIVATE KEY-----
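The conversions in this section can be checked by classifying each output file from its PEM header and confirming that every file still holds the same key. This is an added example, not part of the original article: pem_kind, pubkey_fp and make_keys are hypothetical helper names, and the passphrase is a constructed value read through openssl's env: password source so that it does not appear on the command line the way pass: does. On OpenSSL 3.x genrsa and rsa write PKCS#8 by default, so the kind reported for the first two files depends on the installed version.

```shell
#!/bin/sh
# Added example: file names and the passphrase are constructed test values.
set -eu
KEY_PASS='constructed-demo-passphrase'; export KEY_PASS

# Classify a PEM key file by the header lines shown in this section.
pem_kind() {
    case "$(head -n 1 "$1")" in
        "-----BEGIN RSA PRIVATE KEY-----")
            if grep -q '^Proc-Type: 4,ENCRYPTED' "$1"
            then echo pkcs1-encrypted; else echo pkcs1; fi ;;
        "-----BEGIN ENCRYPTED PRIVATE KEY-----") echo pkcs8-encrypted ;;
        "-----BEGIN PRIVATE KEY-----")           echo pkcs8 ;;
        "-----BEGIN PUBLIC KEY-----")            echo public ;;
        *)                                       echo unknown ;;
    esac
}

# SHA-256 of the DER public key derived from private key $1.
# $2 is an optional password source for -passin (env:VAR, file:PATH, ...).
pubkey_fp() {
    if [ -n "${2:-}" ]
    then openssl pkey -in "$1" -passin "$2" -pubout -outform DER
    else openssl pkey -in "$1" -pubout -outform DER
    fi | openssl dgst -sha256 | awk '{print $NF}'
}

# Generate one key and convert it as in the commands above; prints the work directory.
make_keys() {
    dir=$(mktemp -d)
    {
        openssl genrsa -out "$dir/rsa_private.key" 2048
        openssl rsa -in "$dir/rsa_private.key" -aes256 -passout env:KEY_PASS \
            -out "$dir/rsa_aes_private.key"
        openssl pkcs8 -topk8 -in "$dir/rsa_private.key" -passout env:KEY_PASS \
            -out "$dir/pkcs8_private.key"
        openssl pkcs8 -topk8 -nocrypt -in "$dir/rsa_private.key" \
            -out "$dir/pkcs8_nocrypt.key"
    } >/dev/null 2>&1
    echo "$dir"
}

# Report kind and public-key fingerprint of every file; the fingerprints must agree.
dir=$(make_keys)
for f in rsa_private.key rsa_aes_private.key pkcs8_private.key pkcs8_nocrypt.key; do
    case "$(pem_kind "$dir/$f")" in *encrypted) src=env:KEY_PASS ;; *) src= ;; esac
    echo "$f: $(pem_kind "$dir/$f") $(pubkey_fp "$dir/$f" "$src")"
done
rm -rf "$dir"
```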
3, Generate self signed certificate
Generate RSA private key and self signed certificate
openssl req -newkey rsa:2048 -nodes -keyout rsa_private.key -x509 -days 365 -out cert.crt
req is the certificate request subcommand; -newkey rsa:2048 -keyout private_key.pem means to generate the private key (PKCS8 format); -nodes means that the private key is not encrypted. Without this parameter, you will be prompted to enter the password;
-x509 indicates that a certificate is output, -days 365 is the validity period; then enter the certificate owner information at the prompts;
To supply this input automatically, use the -subj option:
openssl req -newkey rsa:2048 -nodes -keyout rsa_private.key -x509 -days 365 -out cert.crt -subj "/C=CN/ST=GD/L=SZ/O=vihoo/OU=dev/CN=vivo.com/emailAddress=yy@vivo.com"
Generate a self signed certificate using an existing RSA private key
openssl req -new -x509 -days 365 -key rsa_private.key -out cert.crt
-new means to generate a certificate request; adding -x509 outputs the certificate directly, and -key specifies the private key file. The other options are the same as in the command above
4, Generate signature request and CA signature
Generate CSR signature request using RSA private key
openssl genrsa -aes256 -passout pass:111111 -out server.key 2048
openssl req -new -key server.key -out server.csr
After that, enter the password and server certificate information, or specify various parameters on the command line
openssl req -new -key server.key -passin pass:111111 -out server.csr -subj "/C=CN/ST=GD/L=SZ/O=vihoo/OU=dev/CN=vivo.com/emailAddress=yy@vivo.com"
***At this time, the generated csr signature request file can be submitted to CA for signing***
View CSR details
cat server.csr
-----BEGIN CERTIFICATE REQUEST-----
Base64EncodedData
-----END CERTIFICATE REQUEST-----
openssl req -noout -text -in server.csr
Use the CA certificate and CA key to sign the request and generate an x509 certificate
openssl x509 -req -days 3650 -in server.csr -CA ca.crt -CAkey ca.key -passin pass:111111 -CAcreateserial -out server.crt
The -CAxxx options specify the CA inputs (certificate, key and serial number file)
5, Certificate viewing and conversion
View certificate details
openssl x509 -in cert.crt -noout -text
Convert certificate encoding format
openssl x509 -in cert.cer -inform DER -outform PEM -out cert.pem
Composite pkcs#12 Certificate (including private key)
**Convert pem certificate and private key to pkcs#12 certificate**
openssl pkcs12 -export -in server.crt -inkey server.key -passin pass:111111 -password pass:111111 -out server.p12
Here -export indicates that a pkcs#12 certificate is created, -inkey specifies the private key file, -passin is the password of the private key (file) (-nodes means unencrypted), and -password specifies the password of the p12 file (import and export)
**Combine pem certificate and private key / CA certificate into pkcs#12 certificate**
openssl pkcs12 -export -in server.crt -inkey server.key -passin pass:111111 -chain -CAfile ca.crt -password pass:111111 -out server-all.p12
Here -chain indicates that the certificate chain is added as well, -CAfile specifies the CA certificate, and the exported p12 file will contain multiple certificates. (Other options: -name can be used to specify the server certificate alias; -caname can be used to specify the CA certificate alias)
**Extract a PEM file (including private key) from pkcs#12**
openssl pkcs12 -in server.p12 -password pass:111111 -passout pass:111111 -out out/server.pem
Here -password specifies the password of the p12 file (import and export), and -passout is the password used to encrypt the output private key (-nodes means unencrypted)
The exported file is in pem format and contains both certificate and private key (pkcs#8):
Bag Attributes
localKeyID: 97 DD 46 3D 1E 91 EF 01 3B 2E 4A 75 81 4F 11 A6 E7 1F 79 40
subject=/C=CN/ST=GD/L=SZ/O=vihoo/OU=dev/CN=vihoo.com/emailAddress=yy@vihoo.com
issuer=/C=CN/ST=GD/L=SZ/O=viroot/OU=dev/CN=viroot.com/emailAddress=yy@viroot.com
-----BEGIN CERTIFICATE-----
MIIDazCCAlMCCQCIOlA9/dcfEjANBgkqhkiG9w0BAQUFADB5MQswCQYDVQQGEwJD
1LpQCA+2B6dn4scZwaCD
-----END CERTIFICATE-----
Bag Attributes
localKeyID: 97 DD 46 3D 1E 91 EF 01 3B 2E 4A 75 81 4F 11 A6 E7 1F 79 40
Key Attributes:
-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQDC/6rAc1YaPRNf
K9ZLHbyBTKVaxehjxzJHHw==
-----END ENCRYPTED PRIVATE KEY-----
Extract private key only
openssl pkcs12 -in server.p12 -password pass:111111 -passout pass:111111 -nocerts -out out/key.pem
Extract certificates only (all certificates)
openssl pkcs12 -in server.p12 -password pass:111111 -nokeys -out out/key.pem
Extract ca certificate only
openssl pkcs12 -in server-all.p12 -password pass:111111 -nokeys -cacerts -out out/cacert.pem
Extract server certificate only
openssl pkcs12 -in server-all.p12 -password pass:111111 -nokeys -clcerts -out out/cert.pem
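Sections 4 and 5 can be run end to end with a check after each step: the issued certificate chains to the CA, the private key matches the certificate, and the certificates extracted from the pkcs#12 bundle are the ones that went in. This is an added example, not part of the original article: it builds a throwaway CA with constructed subjects, the helper names are hypothetical, and the p12 password is a constructed value read through openssl's env: password source.

```shell
#!/bin/sh
# Added example: subjects, file names and the passphrase are constructed test values.
set -eu
P12_PASS='constructed-demo-passphrase'; export P12_PASS

# Build a throwaway CA, issue server.crt from a CSR, bundle it; prints the work directory.
build_pki() {
    d=$(mktemp -d)
    (
        cd "$d"
        openssl req -newkey rsa:2048 -nodes -keyout ca.key -x509 -days 3650 \
            -out ca.crt -subj "/O=Example Test/CN=Example Test Root CA"
        openssl req -newkey rsa:2048 -nodes -keyout server.key \
            -out server.csr -subj "/O=Example Test/CN=server.example.test"
        openssl x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key \
            -CAcreateserial -out server.crt
        openssl pkcs12 -export -in server.crt -inkey server.key -chain \
            -CAfile ca.crt -password env:P12_PASS -out server-all.p12
    ) >/dev/null 2>&1
    echo "$d"
}

# True when certificate $2 chains to CA certificate $1.
chain_ok() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# True when private key $1 and certificate $2 carry the same RSA modulus.
key_matches() {
    [ "$(openssl rsa -in "$1" -noout -modulus 2>/dev/null)" = \
      "$(openssl x509 -in "$2" -noout -modulus)" ]
}

# SHA-256 fingerprint of the first PEM certificate on stdin.
cert_fp() { openssl x509 -noout -fingerprint -sha256 | cut -d= -f2; }

# Fingerprint of the certificate selected by $2 (-clcerts or -cacerts) in bundle $1.
p12_fp() {
    openssl pkcs12 -in "$1" -password env:P12_PASS -nokeys "$2" 2>/dev/null | cert_fp
}

d=$(build_pki)
chain_ok "$d/ca.crt" "$d/server.crt" && echo "server.crt chains to ca.crt"
key_matches "$d/server.key" "$d/server.crt" && echo "server.key matches server.crt"
[ "$(p12_fp "$d/server-all.p12" -clcerts)" = "$(cert_fp < "$d/server.crt")" ] &&
    echo "pkcs#12 server certificate is server.crt"
[ "$(p12_fp "$d/server-all.p12" -cacerts)" = "$(cert_fp < "$d/ca.crt")" ] &&
    echo "pkcs#12 CA certificate is ca.crt"
rm -rf "$d"
```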
6, openssl Command Reference
1. openssl list-standard-commands (standard commands)
1) asn1parse: asn1parse is used to interpret statements written in ASN.1 syntax (ASN is generally used to define the composition of a grammar)
2) ca: ca is used for CA management
    openssl ca [options]:
    2.1) -selfsign
        Issue the certificate using the key pair that signed the certificate request, i.e. "self-signing". This happens when the client that generates the certificate and the CA server that issues the certificate are the same machine (as is the case in most of our experiments), so the same key pair can be used for "self-signing"
    2.2) -in file
        The PEM-format certificate to be processed
    2.3) -out file
        The certificate file output after processing
    2.4) -cert file
        The root CA certificate used for issuing
    2.5) -days arg
        Specify the validity period of the issued certificate
    2.6) -keyfile arg
        The CA private key file
    2.7) -keyform arg
        The format of the CA root private key file:
        2.7.1) PEM
        2.7.2) ENGINE
    2.8) -key arg
        The decryption password for the CA root private key file (if it is encrypted)
    2.9) -config file
        The configuration file
    example1: use the CA certificate to sign a certificate request
    openssl ca -in server.csr -out server.crt -cert ca.crt -keyfile ca.key
3) req: X.509 certificate signing request (CSR) management
    openssl req [options] <infile >outfile
    3.1) -inform arg
        Input file format
        3.1.1) DER
        3.1.2) PEM
    3.2) -outform arg
        Output file format
        3.2.1) DER
        3.2.2) PEM
    3.3) -in arg
        The file to be processed
    3.4) -out arg
        The file to be output
    3.5) -passin
        The decryption password for the private key file used to sign the certificate request to be generated
    3.6) -key file
        The private key file used to sign the certificate request to be generated
    3.7) -keyform arg
        3.7.1) DER
        3.7.2) NET
        3.7.3) PEM
    3.8) -new
        New request
    3.9) -x509
        Output an X509-format certificate
    3.10) -days
        Validity period of the X509 certificate
    3.11) -newkey rsa:bits
        Generate an RSA private key file of length bits for issuing
    3.12) -[digest]
        Hash algorithm
        3.12.1) md5
        3.12.2) sha1
        3.12.3) md2
        3.12.4) mdc2
        3.12.5) md4
    3.13) -config file
        Specify the openssl configuration file
    3.14) -text
        Display in text format
    example1: use the CA's RSA key to create a self-signed CA certificate (X.509 structure)
    openssl req -new -x509 -days 3650 -key server.key -out ca.crt
    example2: use server.key to generate a certificate signing request (CSR) (this CSR is sent to an external CA center to await issuance)
    openssl req -new -key server.key -out server.csr
    example3: view the details of the CSR
    openssl req -noout -text -in server.csr
4) genrsa: generate RSA parameters
    openssl genrsa [args] [numbits]
    [args]
    4.1) Whether to symmetrically encrypt the generated private key file, and with which algorithm:
        4.1.1) -des: DES encryption in CBC mode
        4.1.2) -des3: DES encryption in CBC mode
        4.1.3) -aes128: AES128 encryption in CBC mode
        4.1.4) -aes192: AES192 encryption in CBC mode
        4.1.5) -aes256: AES256 encryption in CBC mode
    4.2) -passout arg: arg is the password for the symmetric encryption (des, des, aes) (using this parameter avoids the interactive console prompt for the password)
    4.3) -out file: the output private key file
    [numbits]: key length
    example: generate a 1024-bit RSA private key with DES encryption (the password is 1111), saved as server.key
    openssl genrsa -out server.key -passout pass:1111 -des3 1024
5) rsa: RSA data management
    openssl rsa [options] <infile >outfile
    5.1) -inform arg
        Input key file format:
        5.1.1) DER (ASN1)
        5.1.2) NET
        5.1.3) PEM (base64 encoded format)
    5.2) -outform arg
        Output key file format
        5.2.1) DER
        5.2.2) NET
        5.2.3) PEM
    5.3) -in arg
        The key file to be processed
    5.4) -passin arg
        The decryption password for the encrypted key file (if an encryption algorithm was selected when the key file was generated)
    5.5) -out arg
        The key file to be output
    5.6) -passout arg
        Specify the password if the output key file should continue to be encrypted
    5.7) -des: DES encryption in CBC mode
    5.8) -des3: DES encryption in CBC mode
    5.9) -aes128: AES128 encryption in CBC mode
    5.10) -aes192: AES192 encryption in CBC mode
    5.11) -aes256: AES256 encryption in CBC mode
    5.12) -text: print the key data in text form
    5.13) -noout: do not print the key data
    5.14) -pubin: check whether the file to be processed is a public key file
    5.15) -pubout: output the public key file
    example1: decrypt the private key file
    openssl rsa -in server.key -passin pass:111 -out server_nopass.key
    example2: use the private key file to generate the corresponding public key file
    openssl rsa -in server.key -passin pass:111 -pubout -out server_public.key
6) x509: a feature-rich certificate processing tool. It can be used to display the contents of a certificate, convert its format, sign a CSR, and so on (X.509 certificate management)
    openssl x509 [args]
    6.1) -inform arg
        Format of the X509 certificate file to be processed
        6.1.1) DER
        6.1.2) NET
        6.1.3) PEM
    6.2) -outform arg
        Format of the X509 certificate file to be output
        6.2.1) DER
        6.2.2) NET
        6.2.3) PEM
    6.3) -in arg
        The X509 certificate file to be processed
    6.4) -out arg
        The X509 certificate file to be output
    6.5) -req
        Indicates that the input file is a "certificate request file (CSR)" waiting to be issued
    6.6) -days arg
        The validity period of the certificate to be issued
    6.7) -CA arg
        Specifies the root CA certificate used to issue the requested certificate
    6.8) -CAform arg
        Root CA certificate format (the default is PEM)
    6.9) -CAkey arg
        Specifies the CA private key file used to issue the requested certificate. If this option is not given, the private key is assumed to be in the CA certificate file
    6.10) -CAkeyform arg
        Specifies the format of the root CA private key file (the default is PEM)
    6.11) -CAserial arg
        Specifies the serial number file
    6.12) -CAcreateserial
        If the serial number file is not specified, it is created automatically
    example1: convert a DER certificate to PEM format
    openssl x509 -in cert.cer -inform DER -outform PEM -out cert.pem
    example2: use the root CA certificate to sign a "certificate request" and generate an x509-format certificate
    openssl x509 -req -days 3650 -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt
    example3: print the contents of the certificate
    openssl x509 -in server.crt -noout -text
7) crl: crl is used to manage CRL lists
    openssl crl [args]
    7.1) -inform arg
        Format of the input file
        7.1.1) DER (DER-encoded CRL object)
        7.1.2) PEM (default format) (base64-encoded CRL object)
    7.2) -outform arg
        Specifies the output format of the file
        7.2.1) DER (DER-encoded CRL object)
        7.2.2) PEM (default format) (base64-encoded CRL object)
    7.3) -text
        Print the CRL information in text format.
    7.4) -in filename
        The input file name. The default is standard input.
    7.5) -out filename
        The output file name. The default is standard output.
    7.6) -hash
        Output the hash value of the issuer information. This can be used to look up CRL objects in files by the hash value of the issuer information.
    7.7) -fingerprint
        Print the fingerprint of the CRL object.
    7.8) -issuer
        Output the issuer information.
    7.9) -lastupdate
        Output the time of the last update.
    7.10) -nextupdate
        Print the time of the next update.
    7.11) -CAfile file
        Specify a CA file used to verify whether the CRL object is valid.
    7.12) -verify
        Verify certificate.
    example1: output the CRL file, including (hash value of the issuer information, time of last update, time of next update)
    openssl crl -in crl.crl -text -issuer -hash -lastupdate -nextupdate
    example2: convert a PEM-format CRL file to DER format
    openssl crl -in crl.pem -outform DER -out crl.der
8) crl2pkcs7: used for conversion between CRL and PKCS#7
    openssl crl2pkcs7 [options] <infile >outfile
    Convert pem to spc
    openssl crl2pkcs7 -nocrl -certfile venus.pem -outform DER -out venus.spc
    https://www.openssl.org/docs/apps/crl2pkcs7.html
9) pkcs12: PKCS#12 data management
    The pkcs12 file tool can generate and parse pkcs12 files. PKCS#12 files can be used by multiple programs, such as Netscape, MSIE, and MS Outlook
    openssl pkcs12 [options]
    http://blog.csdn.net/as3luyuan123/article/details/16105475
    https://www.openssl.org/docs/apps/pkcs12.html
10) pkcs7: PKCS#7 data management
    Used to process pkcs#7 files in DER or PEM format
    openssl pkcs7 [options] <infile >outfile
    http://blog.csdn.net/as3luyuan123/article/details/16105407
    https://www.openssl.org/docs/apps/pkcs7.html
2. openssl list-message-digest-commands (message digest commands)
1) dgst: dgst is used to calculate message digests
    openssl dgst [args]
    1.1) -hex
        Output the digest in hexadecimal
    1.2) -binary
        Output the digest in binary form
    1.3) -sign file
        Sign the generated digest with the private key file
    1.4) -verify file
        Use the public key file to verify the digest file signed by the private key
    1.5) -prverify file
        Verify a signature using the private key in file
    1.6) Digest algorithm
        1.6.1) -md5: MD5
        1.6.2) -md4: MD4
        1.6.3) -sha1: SHA1
        1.6.4) -ripemd160
    example1: use the SHA1 algorithm to calculate the hash value of file.txt and output it to stdout
    openssl dgst -sha1 file.txt
    example2: use the dss1 algorithm to verify the digital signature dsasign.bin of file.txt; the private key used for verification is the file dsakey.pem generated by the DSA algorithm
    openssl dgst -dss1 -prverify dsakey.pem -signature dsasign.bin file.txt
2) sha1: used for RSA processing
    openssl sha1 [args]
    2.1) -sign file
        The private key file for the RSA algorithm
    2.2) -out file
        The output file name
    2.3) -hex
        Output in hexadecimal form
    2.4) -binary
        Output in binary form
    example1: use the SHA1 algorithm to calculate the hash value of file.txt and output it to the file digest.txt
    openssl sha1 -out digest.txt file.txt
    example2: use the sha1 algorithm to sign file.txt and output the signature to the file rsasign.bin; the signing private key is the file rsaprivate.pem generated by the RSA algorithm
    openssl sha1 -sign rsaprivate.pem -out rsasign.bin file.txt
3. openssl list-cipher-commands (list of cipher commands)
    1) aes-128-cbc 2) aes-128-ecb 3) aes-192-cbc 4) aes-192-ecb 5) aes-256-cbc 6) aes-256-ecb
    7) base64 8) bf 9) bf-cbc 10) bf-cfb 11) bf-ecb 12) bf-ofb
    13) cast 14) cast-cbc 15) cast5-cbc 16) cast5-cfb 17) cast5-ecb 18) cast5-ofb
    19) des 20) des-cbc 21) des-cfb 22) des-ecb 23) des-ede 24) des-ede-cbc
    25) des-ede-cfb 26) des-ede-ofb 27) des-ede3 28) des-ede3-cbc 29) des-ede3-cfb 30) des-ede3-ofb
    31) des-ofb 32) des3 33) desx 34) rc2 35) rc2-40-cbc 36) rc2-64-cbc
    37) rc2-cbc 38) rc2-cfb 39) rc2-ecb 40) rc2-ofb 41) rc4 42) rc4-40
References:
https://www.cnblogs.com/littleatp/p/5878763.html