OpenSSL

Table of Contents

1 OpenSSL命令行简介

openssl 命令行工具的基本格式为:

$ openssl command [ command_opts ] [ command_args ]

它支持3类命令,你可以使用下面命令分别列出这3类命令:

$ openssl list-standard-commands
$ openssl list-cipher-commands
$ openssl list-message-digest-commands

使用下面命令可列出openssl支持的密码学算法:

$ openssl list-cipher-algorithms
$ openssl list-message-digest-algorithms
$ openssl list-public-key-algorithms

参考:
OpenSSL Command-Line HOWTO
OpenSSL Command Line Utilities
man x509
man req
man ca
man pkcs12

2 加解密操作

openssl支持使用对称密钥进行使用加解密操作,这些命令以 openssl enc 开头。

2.1 实例:使用des算法加解密文件

可以用openssl对文件进行加密,它的使用比gpg简单得多。

加密操作:
把文件file1.txt用des加密算法加密为file1.txt.enc

$ openssl enc -des -e -in file1.txt -out file1.txt.enc

其中:
enc表明你打算使用某个算法加密或解密文件;
-des表明使用des算法进行加密(也可以选择其它加密算法);
-e表明要加密;
-in要加密的文件名字;
-out加密后的文件名字。

运行上面命令,会提示输入密码,要记住这个密码以便解密文件。运行完成后生成的file1.txt.enc文件是“乱码”。

解密操作:

$ openssl enc -des -d -in file1.txt.enc -out file1.txt

其中:-d表明要进行解密

运行上面会提示输入口令,输入正确的口令后,就可以得到解密后的文件了。

2.1.1 Tips:用-pass选项传入口令

如果要在脚本中自动化,可以使用选项-pass的输入口令,如:

$ openssl enc -des -e -in file1.txt -out file1.txt.enc -pass pass:12345
$ openssl enc -des -d -in file1.txt.enc -out file1.txt -pass pass:12345

3 处理非对称密码

3.1 生成密钥

3.1.1 生成RSA密钥

下面命令可生成RSA密钥(包含公钥和私钥信息):

$ openssl genrsa -out myrsa.key 1024          # 1024-bit key
$ cat myrsa.key
-----BEGIN RSA PRIVATE KEY-----
MIICXAIBAAKBgQDDH3m3N37C2JNb6NcnYmQieLD6lW/y0LNCbwDNfAi5UKlWHdaM
/S+BgIiCwh+QCJQoCdj/K8tEED5m34pVs78YapAVsypiLAOGY7Kqm08gxc/GI+OX
UsF7KZVWhiEitVJNMRwXo1+7dyhuXyVii3UQMYV8DkyBtzxo4GL9AN4NcQIDAQAB
AoGANQUIfdCGkUtoP0E1tW3256cD8BNLKB+tlg+zmCJr/G7+lHfnJMhncDkM3vsA
uJKcL4T9gdjUktoXGr0DSeZdtjs73dZAACPZ5Ie1Z0jKZuoh+/7I+lJ79IUuVxUC
SeSOYk+QZQFmQ6owjB01T9A0KgYawRmxV0B31ojrkg/iFwECQQDl6+gd+gzcwEqT
/HkaLfee2bfhV7C5dyZltA+ulkAwte269fBFOlYyUORHU1UmsZVBMrs76gajcUzR
FksbseLlAkEA2UEkz99HOUR+Qs2rNIMmGM18bFYtgb08I0rnkfHx1Ij0E6qSwZP1
BJvgYPFgWPnYZ6EVK9K2KeMo7esDYjzbnQJAVUsGeNhiHSJYiD2Iz2VuDsfFpxrY
vHSvEduSVbn3ZhqXblv+HjBd+Zx4kt0fIZOPQviG7NsMS2WkkYwroMKE4QJAWFuU
Oy7V6saei1DWVo8YSXIZLn6GF4P9F2V5dPPvpL7mdbEj6rLgLbWvtf21b7p9dvge
gio6iCKpHMo+IBAcSQJBAJUgIXv0mIfWiWuibaCwbmfIuSU2HY4yVk36rCGLzTt8
BlEIoPjXo1jJ3zi37CGZNWthf7qEyELSFm1nSSUaTvE=
-----END RSA PRIVATE KEY-----

使用 openssl rsa -pubout 命令可以从生成的myrsa.key文件中导出RSA公钥,如:

$ openssl rsa -pubout -in myrsa.key
writing RSA key
-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDDH3m3N37C2JNb6NcnYmQieLD6
lW/y0LNCbwDNfAi5UKlWHdaM/S+BgIiCwh+QCJQoCdj/K8tEED5m34pVs78YapAV
sypiLAOGY7Kqm08gxc/GI+OXUsF7KZVWhiEitVJNMRwXo1+7dyhuXyVii3UQMYV8
DkyBtzxo4GL9AN4NcQIDAQAB
-----END PUBLIC KEY-----

3.2 Certificates AKA x509

3.2.1 x509证书编码格式(PEM,DER)

有两种常用的x509证书编码格式:PEM(纯文本,以 -----BEGIN CERTIFICATE----- 开始,以 -----END CERTIFICATE----- 结束,中间是base64编码)、DER(二进制编码,直接用文本编辑器打开是乱码)。PEM格式证书文件常用 .pem 后缀,DER格式证书文件常用 .der 后缀;有时证书文件使用 .crt 后缀,这时它可能是PEM格式,也可能是DER格式。

说明:当我们提到“证书格式”时,有时还会遇到 .pfx 后缀或者 .p12 后缀的证书,它们是一种同时包含私钥(应该绝对保密)、公钥及公钥证书的文件(二进制编码),文件本身可以用密码加密,相关标准可参考 pkcs12 。而本节所说的x509证书是指公钥证书,它不会包含私钥。

3.2.1.1 PEM和DER的相互转换(-outform)

指定 -outform pem|der 可以进行PEM和DER的相互转换。如:

$ openssl x509 -in cert.pem -outform der -out cert.der             # 从PEM到DER的转换
$ openssl x509 -in cert.der -inform der -outform pem -out cert.pem # 从DER到PEM的转换

3.2.2 获取https服务器的证书

当我们访问https服务器时,在tls的handshake阶段client会获取server的证书。

下面脚本可以把https服务器证书显示到stdout:

#!/bin/sh
#
# usage: retrieve-cert.sh remote.host.name [port]
#
# This script is copied from http://www.lagmonster.org/docs/openssl.html#cert-retrieve
REMHOST=$1
REMPORT=${2:-443}

echo |\
openssl s_client -connect ${REMHOST}:${REMPORT} 2>&1 |\
sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'

比如,下载baidu.com的证书:

$ ./retrieve-cert.sh baidu.com 443
-----BEGIN CERTIFICATE-----
MIIHKDCCBhCgAwIBAgIQCdi4dJ3JNIJeg1mgZUbAmTANBgkqhkiG9w0BAQsFADBN
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMScwJQYDVQQDEx5E
aWdpQ2VydCBTSEEyIFNlY3VyZSBTZXJ2ZXIgQ0EwHhcNMTgwNDAzMDAwMDAwWhcN
MTkwNDAzMTIwMDAwWjCBmDELMAkGA1UEBhMCQ04xEDAOBgNVBAcTB0JlaWppbmcx
OTA3BgNVBAoTMEJlaUppbmcgQmFpZHUgTmV0Y29tIFNjaWVuY2UgVGVjaG5vbG9n
eSBDby4sIEx0ZDElMCMGA1UECxMcc2VydmljZSBvcGVyYXRpb24gZGVwYXJ0bWVu
dDEVMBMGA1UEAxMMd3d3LmJhaWR1LmNuMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
MIIBCgKCAQEAxfCR6IaIbCkh5kwSSkcvj7DDjx4eGMeqPDNoGdPVZ62muX6gLIPK
RqvpcDD9Dxz86oxgh58tWJGnSXk4gaeKOpAfm8JoxegrRmE5uOMjM+F1U50rFscx
w9h1czPkPpwLV3l+zP8kwVLtWLuesRMVpPgyFXr5W5db6r1Ixh0YjoQB1S1OalZh
j/7BKnMpj/Fg3/tAqu0ONBDMcJmD4e3Qgupd8PmZmidcwWGb3JW7tBm4y78CKQFW
b6eW5zzEwPnKHPJbHwmOTHgK0V03eXShlLVbURytO78r69P5Zp6bbVS8AK7e220k
IOhDodV/AX6jAxIIvdiBD649se7eqcgpwQIDAQABo4IDtjCCA7IwHwYDVR0jBBgw
FoAUD4BhHIIxYdUvKOeNRji0LOHG2eIwHQYDVR0OBBYEFHcpf65dezsVZo5DXWOZ
avbPOoc4MIH0BgNVHREEgewwgemCCGJhaWR1LmNuggliYWlkdS5jb22CDGJhaWR1
LmNvbS5jboILdy5iYWlkdS5jb22CDHd3LmJhaWR1LmNvbYIMd3d3LmJhaWR1LmNu
ghB3d3cuYmFpZHUuY29tLmNughB3d3cuYmFpZHUuY29tLmhrggx3d3cuYmFpZHUu
aGuCEHd3dy5iYWlkdS5uZXQuYXWCEHd3dy5iYWlkdS5uZXQucGiCEHd3dy5iYWlk
dS5uZXQudHeCEHd3dy5iYWlkdS5uZXQudm6CDnd3d3cuYmFpZHUuY29tghF3d3d3
LmJhaWR1LmNvbS5jbjAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUH
AwEGCCsGAQUFBwMCMGsGA1UdHwRkMGIwL6AtoCuGKWh0dHA6Ly9jcmwzLmRpZ2lj
ZXJ0LmNvbS9zc2NhLXNoYTItZzYuY3JsMC+gLaArhilodHRwOi8vY3JsNC5kaWdp
Y2VydC5jb20vc3NjYS1zaGEyLWc2LmNybDBMBgNVHSAERTBDMDcGCWCGSAGG/WwB
ATAqMCgGCCsGAQUFBwIBFhxodHRwczovL3d3dy5kaWdpY2VydC5jb20vQ1BTMAgG
BmeBDAECAjB8BggrBgEFBQcBAQRwMG4wJAYIKwYBBQUHMAGGGGh0dHA6Ly9vY3Nw
LmRpZ2ljZXJ0LmNvbTBGBggrBgEFBQcwAoY6aHR0cDovL2NhY2VydHMuZGlnaWNl
cnQuY29tL0RpZ2lDZXJ0U0hBMlNlY3VyZVNlcnZlckNBLmNydDAJBgNVHRMEAjAA
MIIBBAYKKwYBBAHWeQIEAgSB9QSB8gDwAHYApLkJkLQYWBSHuxOizGdwCjw1mAT5
G9+443fNDsgN3BAAAAFiinOKcwAABAMARzBFAiEAyQLGZj3uzygOaWt53R1Ji3RD
Cc7Lz6HUaEWr/zFmiUICIBCLM91ecE3U2cNutgS1utN3zjDEMPNHmAwUOiRMXbWP
AHYAb1N2rDHwMRnYmQCkURX/dxUcEdkCwQApBo2yCJo32RMAAAFiinOLnwAABAMA
RzBFAiAoUXB7X5N85XIw/bVouSFq7xReRS89hIeGELWODBAXmAIhAMUcYHdSnypC
2hr17OzaP742IV9CM1nFczFNdargkkbxMA0GCSqGSIb3DQEBCwUAA4IBAQAX+Sc3
rS9iZBPvqdL5mLAXaprHwR4L/hSNkknwkmh0+JJlRYrXu0T9qecUXDst093HsTYk
MIxicSXga2wW+SNTZLj/6vXrCZs39ZvIZYAj2L0m01EuVHsTLIKVoxi+aZpXfUNB
WRDB1XAnZbNDwWl7mQtAwr3/wIJnGtPuSHzWYkY4Aoi5UjMnh0I3ndljqTKBTCi0
F7iwcptcyihwsKojdfOBF4WbwQLA/JMh2fhF062zUWCz3L76zmzQ6007IIUurH0/
5Yc3daUgxeV8J8qHVo7NOwbaPnrq1gTfzO0nw5oFtyJeqgyQ/BCaTXxyauDbprSP
rPhAyWO3cT1sMaqu
-----END CERTIFICATE-----

注:你不能在代理服务器后面运行上面脚本。从openssl v1.1.0起 openssl s_client 才支持 -proxy 选项,可参考:https://stackoverflow.com/questions/3220419/openssl-s-client-using-a-proxy

3.2.3 查看x509证书内容(-text)

使用 -text 可以dump出证书的详细信息。如:

$ openssl x509 -in baidu.com.pem -text         # 查看PEM证书详细信息(DER格式时应指定-inform der)
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            09:d8:b8:74:9d:c9:34:82:5e:83:59:a0:65:46:c0:99
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA
        Validity
            Not Before: Apr  3 00:00:00 2018 GMT
            Not After : Apr  3 12:00:00 2019 GMT
        Subject: C=CN, L=Beijing, O=BeiJing Baidu Netcom Science Technology Co., Ltd, OU=service operation department, CN=www.baidu.cn
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:c5:f0:91:e8:86:88:6c:29:21:e6:4c:12:4a:47:
                    2f:8f:b0:c3:8f:1e:1e:18:c7:aa:3c:33:68:19:d3:
                    d5:67:ad:a6:b9:7e:a0:2c:83:ca:46:ab:e9:70:30:
                    fd:0f:1c:fc:ea:8c:60:87:9f:2d:58:91:a7:49:79:
                    38:81:a7:8a:3a:90:1f:9b:c2:68:c5:e8:2b:46:61:
                    39:b8:e3:23:33:e1:75:53:9d:2b:16:c7:31:c3:d8:
                    75:73:33:e4:3e:9c:0b:57:79:7e:cc:ff:24:c1:52:
                    ed:58:bb:9e:b1:13:15:a4:f8:32:15:7a:f9:5b:97:
                    5b:ea:bd:48:c6:1d:18:8e:84:01:d5:2d:4e:6a:56:
                    61:8f:fe:c1:2a:73:29:8f:f1:60:df:fb:40:aa:ed:
                    0e:34:10:cc:70:99:83:e1:ed:d0:82:ea:5d:f0:f9:
                    99:9a:27:5c:c1:61:9b:dc:95:bb:b4:19:b8:cb:bf:
                    02:29:01:56:6f:a7:96:e7:3c:c4:c0:f9:ca:1c:f2:
                    5b:1f:09:8e:4c:78:0a:d1:5d:37:79:74:a1:94:b5:
                    5b:51:1c:ad:3b:bf:2b:eb:d3:f9:66:9e:9b:6d:54:
                    bc:00:ae:de:db:6d:24:20:e8:43:a1:d5:7f:01:7e:
                    a3:03:12:08:bd:d8:81:0f:ae:3d:b1:ee:de:a9:c8:
                    29:c1
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Authority Key Identifier:
                keyid:0F:80:61:1C:82:31:61:D5:2F:28:E7:8D:46:38:B4:2C:E1:C6:D9:E2

            X509v3 Subject Key Identifier:
                77:29:7F:AE:5D:7B:3B:15:66:8E:43:5D:63:99:6A:F6:CF:3A:87:38
            X509v3 Subject Alternative Name:
                DNS:baidu.cn, DNS:baidu.com, DNS:baidu.com.cn, DNS:w.baidu.com, DNS:ww.baidu.com, DNS:www.baidu.cn, DNS:www.baidu.com.cn, DNS:www.baidu.com.hk, DNS:www.baidu.hk, DNS:www.baidu.net.au, DNS:www.baidu.net.ph, DNS:www.baidu.net.tw, DNS:www.baidu.net.vn, DNS:wwww.baidu.com, DNS:wwww.baidu.com.cn
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 CRL Distribution Points:

                Full Name:
                  URI:http://crl3.digicert.com/ssca-sha2-g6.crl

                Full Name:
                  URI:http://crl4.digicert.com/ssca-sha2-g6.crl

            X509v3 Certificate Policies:
                Policy: 2.16.840.1.114412.1.1
                  CPS: https://www.digicert.com/CPS
                Policy: 2.23.140.1.2.2

            Authority Information Access:
                OCSP - URI:http://ocsp.digicert.com
                CA Issuers - URI:http://cacerts.digicert.com/DigiCertSHA2SecureServerCA.crt

            X509v3 Basic Constraints:
                CA:FALSE
            CT Precertificate SCTs:
                Signed Certificate Timestamp:
                    Version   : v1(0)
                    Log ID    : A4:B9:09:90:B4:18:58:14:87:BB:13:A2:CC:67:70:0A:
                                3C:35:98:04:F9:1B:DF:B8:E3:77:CD:0E:C8:0D:DC:10
                    Timestamp : Apr  3 07:40:50.675 2018 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:45:02:21:00:C9:02:C6:66:3D:EE:CF:28:0E:69:6B:
                                79:DD:1D:49:8B:74:43:09:CE:CB:CF:A1:D4:68:45:AB:
                                FF:31:66:89:42:02:20:10:8B:33:DD:5E:70:4D:D4:D9:
                                C3:6E:B6:04:B5:BA:D3:77:CE:30:C4:30:F3:47:98:0C:
                                14:3A:24:4C:5D:B5:8F
                Signed Certificate Timestamp:
                    Version   : v1(0)
                    Log ID    : 6F:53:76:AC:31:F0:31:19:D8:99:00:A4:51:15:FF:77:
                                15:1C:11:D9:02:C1:00:29:06:8D:B2:08:9A:37:D9:13
                    Timestamp : Apr  3 07:40:50.975 2018 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:45:02:20:28:51:70:7B:5F:93:7C:E5:72:30:FD:B5:
                                68:B9:21:6A:EF:14:5E:45:2F:3D:84:87:86:10:B5:8E:
                                0C:10:17:98:02:21:00:C5:1C:60:77:52:9F:2A:42:DA:
                                1A:F5:EC:EC:DA:3F:BE:36:21:5F:42:33:59:C5:73:31:
                                4D:75:AA:E0:92:46:F1
    Signature Algorithm: sha256WithRSAEncryption
         17:f9:27:37:ad:2f:62:64:13:ef:a9:d2:f9:98:b0:17:6a:9a:
         c7:c1:1e:0b:fe:14:8d:92:49:f0:92:68:74:f8:92:65:45:8a:
         d7:bb:44:fd:a9:e7:14:5c:3b:2d:d3:dd:c7:b1:36:24:30:8c:
         62:71:25:e0:6b:6c:16:f9:23:53:64:b8:ff:ea:f5:eb:09:9b:
         37:f5:9b:c8:65:80:23:d8:bd:26:d3:51:2e:54:7b:13:2c:82:
         95:a3:18:be:69:9a:57:7d:43:41:59:10:c1:d5:70:27:65:b3:
         43:c1:69:7b:99:0b:40:c2:bd:ff:c0:82:67:1a:d3:ee:48:7c:
         d6:62:46:38:02:88:b9:52:33:27:87:42:37:9d:d9:63:a9:32:
         81:4c:28:b4:17:b8:b0:72:9b:5c:ca:28:70:b0:aa:23:75:f3:
         81:17:85:9b:c1:02:c0:fc:93:21:d9:f8:45:d3:ad:b3:51:60:
         b3:dc:be:fa:ce:6c:d0:eb:4d:3b:20:85:2e:ac:7d:3f:e5:87:
         37:75:a5:20:c5:e5:7c:27:ca:87:56:8e:cd:3b:06:da:3e:7a:
         ea:d6:04:df:cc:ed:27:c3:9a:05:b7:22:5e:aa:0c:90:fc:10:
         9a:4d:7c:72:6a:e0:db:a6:b4:8f:ac:f8:40:c9:63:b7:71:3d:
         6c:31:aa:ae
-----BEGIN CERTIFICATE-----
MIIHKDCCBhCgAwIBAgIQCdi4dJ3JNIJeg1mgZUbAmTANBgkqhkiG9w0BAQsFADBN
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMScwJQYDVQQDEx5E
aWdpQ2VydCBTSEEyIFNlY3VyZSBTZXJ2ZXIgQ0EwHhcNMTgwNDAzMDAwMDAwWhcN
MTkwNDAzMTIwMDAwWjCBmDELMAkGA1UEBhMCQ04xEDAOBgNVBAcTB0JlaWppbmcx
OTA3BgNVBAoTMEJlaUppbmcgQmFpZHUgTmV0Y29tIFNjaWVuY2UgVGVjaG5vbG9n
eSBDby4sIEx0ZDElMCMGA1UECxMcc2VydmljZSBvcGVyYXRpb24gZGVwYXJ0bWVu
dDEVMBMGA1UEAxMMd3d3LmJhaWR1LmNuMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
MIIBCgKCAQEAxfCR6IaIbCkh5kwSSkcvj7DDjx4eGMeqPDNoGdPVZ62muX6gLIPK
RqvpcDD9Dxz86oxgh58tWJGnSXk4gaeKOpAfm8JoxegrRmE5uOMjM+F1U50rFscx
w9h1czPkPpwLV3l+zP8kwVLtWLuesRMVpPgyFXr5W5db6r1Ixh0YjoQB1S1OalZh
j/7BKnMpj/Fg3/tAqu0ONBDMcJmD4e3Qgupd8PmZmidcwWGb3JW7tBm4y78CKQFW
b6eW5zzEwPnKHPJbHwmOTHgK0V03eXShlLVbURytO78r69P5Zp6bbVS8AK7e220k
IOhDodV/AX6jAxIIvdiBD649se7eqcgpwQIDAQABo4IDtjCCA7IwHwYDVR0jBBgw
FoAUD4BhHIIxYdUvKOeNRji0LOHG2eIwHQYDVR0OBBYEFHcpf65dezsVZo5DXWOZ
avbPOoc4MIH0BgNVHREEgewwgemCCGJhaWR1LmNuggliYWlkdS5jb22CDGJhaWR1
LmNvbS5jboILdy5iYWlkdS5jb22CDHd3LmJhaWR1LmNvbYIMd3d3LmJhaWR1LmNu
ghB3d3cuYmFpZHUuY29tLmNughB3d3cuYmFpZHUuY29tLmhrggx3d3cuYmFpZHUu
aGuCEHd3dy5iYWlkdS5uZXQuYXWCEHd3dy5iYWlkdS5uZXQucGiCEHd3dy5iYWlk
dS5uZXQudHeCEHd3dy5iYWlkdS5uZXQudm6CDnd3d3cuYmFpZHUuY29tghF3d3d3
LmJhaWR1LmNvbS5jbjAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUH
AwEGCCsGAQUFBwMCMGsGA1UdHwRkMGIwL6AtoCuGKWh0dHA6Ly9jcmwzLmRpZ2lj
ZXJ0LmNvbS9zc2NhLXNoYTItZzYuY3JsMC+gLaArhilodHRwOi8vY3JsNC5kaWdp
Y2VydC5jb20vc3NjYS1zaGEyLWc2LmNybDBMBgNVHSAERTBDMDcGCWCGSAGG/WwB
ATAqMCgGCCsGAQUFBwIBFhxodHRwczovL3d3dy5kaWdpY2VydC5jb20vQ1BTMAgG
BmeBDAECAjB8BggrBgEFBQcBAQRwMG4wJAYIKwYBBQUHMAGGGGh0dHA6Ly9vY3Nw
LmRpZ2ljZXJ0LmNvbTBGBggrBgEFBQcwAoY6aHR0cDovL2NhY2VydHMuZGlnaWNl
cnQuY29tL0RpZ2lDZXJ0U0hBMlNlY3VyZVNlcnZlckNBLmNydDAJBgNVHRMEAjAA
MIIBBAYKKwYBBAHWeQIEAgSB9QSB8gDwAHYApLkJkLQYWBSHuxOizGdwCjw1mAT5
G9+443fNDsgN3BAAAAFiinOKcwAABAMARzBFAiEAyQLGZj3uzygOaWt53R1Ji3RD
Cc7Lz6HUaEWr/zFmiUICIBCLM91ecE3U2cNutgS1utN3zjDEMPNHmAwUOiRMXbWP
AHYAb1N2rDHwMRnYmQCkURX/dxUcEdkCwQApBo2yCJo32RMAAAFiinOLnwAABAMA
RzBFAiAoUXB7X5N85XIw/bVouSFq7xReRS89hIeGELWODBAXmAIhAMUcYHdSnypC
2hr17OzaP742IV9CM1nFczFNdargkkbxMA0GCSqGSIb3DQEBCwUAA4IBAQAX+Sc3
rS9iZBPvqdL5mLAXaprHwR4L/hSNkknwkmh0+JJlRYrXu0T9qecUXDst093HsTYk
MIxicSXga2wW+SNTZLj/6vXrCZs39ZvIZYAj2L0m01EuVHsTLIKVoxi+aZpXfUNB
WRDB1XAnZbNDwWl7mQtAwr3/wIJnGtPuSHzWYkY4Aoi5UjMnh0I3ndljqTKBTCi0
F7iwcptcyihwsKojdfOBF4WbwQLA/JMh2fhF062zUWCz3L76zmzQ6007IIUurH0/
5Yc3daUgxeV8J8qHVo7NOwbaPnrq1gTfzO0nw5oFtyJeqgyQ/BCaTXxyauDbprSP
rPhAyWO3cT1sMaqu
-----END CERTIFICATE-----

在上面输出的最后部分,会把证书原始内容直接输出,可通过 -noout 选项抑制证书原始内容的输出。

3.2.3.1 查询证书的某项信息

除了使用 -text dump出证书的详细信息,还可以查询指定的某项信息。

查询证书的序列号(选项 -serial ):

$ openssl x509 -in baidu.com.pem -noout -serial
serial=09D8B8749DC934825E8359A06546C099

查询证书的签发者(选项 -issuer ):

$ openssl x509 -in baidu.com.pem -noout -issuer
issuer= /C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA

查询证书的有效期(选项 -dates ):

$ openssl x509 -in baidu.com.pem -noout -dates
notBefore=Apr  3 00:00:00 2018 GMT
notAfter=Apr  3 12:00:00 2019 GMT

导出证书中的公钥(选项 -pubkey ):

$ openssl x509 -in baidu.com.pem -noout -pubkey
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxfCR6IaIbCkh5kwSSkcv
j7DDjx4eGMeqPDNoGdPVZ62muX6gLIPKRqvpcDD9Dxz86oxgh58tWJGnSXk4gaeK
OpAfm8JoxegrRmE5uOMjM+F1U50rFscxw9h1czPkPpwLV3l+zP8kwVLtWLuesRMV
pPgyFXr5W5db6r1Ixh0YjoQB1S1OalZhj/7BKnMpj/Fg3/tAqu0ONBDMcJmD4e3Q
gupd8PmZmidcwWGb3JW7tBm4y78CKQFWb6eW5zzEwPnKHPJbHwmOTHgK0V03eXSh
lLVbURytO78r69P5Zp6bbVS8AK7e220kIOhDodV/AX6jAxIIvdiBD649se7eqcgp
wQIDAQAB
-----END PUBLIC KEY-----

3.3 申请证书过程(openssl req)

生成X509数字证书的流程是:先由用户提交证书申请文件(证书请求的语法标准定义在PKCS#10中),然后由CA来签发证书。

3.3.1 生成证书申请文件(openssl req -new)

证书申请文件主要包括了用户信息、公钥以及一些可选的属性信息,并用自己的私钥给该内容签名。所以,生成证书申请文件时既要有公钥,还要有私钥。

如果你手头有密钥对,想为它生成证书申请文件,可以执行:

$ openssl req -new -key mykey.pem -out myreq.csr        # 你需要交互式地回答一系列问题
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:
Email Address []:

如果你手头没有密钥对,则生成证书申请文件指定 -newkey 选项可以创建一个密钥对,并为相应公钥生成证书申请文件。如:

$ openssl req -new -newkey rsa:1024 -nodes -keyout mykey.pem -out myreq.csr  # 你需要交互式地回答一系列问题

如果指定 -subj 选项,则不用交互式地回答一系列问题,可直接生成证书申请文件。如:

$ openssl req \
  -new -newkey rsa:1024 -nodes \
  -subj '/CN=www.mydom.com/O=My Dom, Inc./C=US/ST=Oregon/L=Portland' \
  -keyout mykey.pem -out myreq.csr

注1: -nodes 选项意思是“No DES”,即不加密私钥(不加密上面输出密钥mykey.pem中的私钥)。
注2: subj 选项参数中“CN”域必须和你想部署证书的服务器域名匹配,否则会验证不过。

3.3.1.1 查看证书申请文件(openssl req -text)

使用 openssl req 命令的 -text 选项可以查看证书申请文件的相关信息。如:

$ openssl req -in myreq.csr -text
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: CN=www.mydom.com, O=My Dom, Inc., C=US, ST=Oregon, L=Portland
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Modulus:
                    00:a5:40:9c:0c:82:80:c1:e6:10:17:db:8e:a8:88:
                    84:a5:72:dc:89:a3:32:d5:9d:eb:ea:74:ca:e5:18:
                    f4:a0:a4:d0:9e:c7:b8:35:f3:d9:ff:05:42:47:30:
                    1a:b0:cc:42:43:11:97:0f:f1:cc:a9:80:5b:db:b3:
                    bc:90:01:67:55:1e:57:6e:22:f1:a4:89:9b:33:40:
                    bf:a0:6f:fa:7b:23:5b:5b:8a:a9:78:e0:d7:ae:ab:
                    18:a1:5e:3f:81:57:85:c1:96:4a:5f:53:16:93:47:
                    20:f2:66:de:b1:95:66:31:fb:ba:5a:9c:b5:09:3a:
                    f6:6c:ef:e9:b3:25:4e:d6:bb
                Exponent: 65537 (0x10001)
        Attributes:
            a0:00
    Signature Algorithm: sha256WithRSAEncryption
         31:6c:e3:7f:cc:cc:7c:13:44:bc:0f:0a:24:06:cb:8c:bf:c7:
         ba:93:52:5c:3f:f7:4d:96:44:14:b8:cf:cb:e0:94:d7:e2:4d:
         40:6e:76:2d:f9:d9:4a:79:4c:f6:f4:e3:61:e7:23:0f:43:d9:
         47:8c:95:eb:5f:e6:cc:25:51:2f:9b:07:93:f7:a6:38:78:77:
         01:d6:48:f6:88:33:62:43:c7:e4:c9:0b:1d:d9:93:ea:e1:72:
         ec:48:d4:56:a0:b3:3e:5d:73:86:12:1a:ab:93:33:6c:25:1b:
         be:65:3d:08:99:96:43:47:f2:89:e1:f1:31:69:d5:08:a1:b1:
         ed:23
-----BEGIN CERTIFICATE REQUEST-----
MIIBoDCCAQkCAQAwYDEWMBQGA1UEAwwNd3d3Lm15ZG9tLmNvbTEVMBMGA1UECgwM
TXkgRG9tLCBJbmMuMQswCQYDVQQGEwJVUzEPMA0GA1UECAwGT3JlZ29uMREwDwYD
VQQHDAhQb3J0bGFuZDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEApUCcDIKA
weYQF9uOqIiEpXLciaMy1Z3r6nTK5Rj0oKTQnse4NfPZ/wVCRzAasMxCQxGXD/HM
qYBb27O8kAFnVR5XbiLxpImbM0C/oG/6eyNbW4qpeODXrqsYoV4/gVeFwZZKX1MW
k0cg8mbesZVmMfu6Wpy1CTr2bO/psyVO1rsCAwEAAaAAMA0GCSqGSIb3DQEBCwUA
A4GBADFs43/MzHwTRLwPCiQGy4y/x7qTUlw/902WRBS4z8vglNfiTUBudi352Up5
TPb042HnIw9D2UeMletf5swlUS+bB5P3pjh4dwHWSPaIM2JDx+TJCx3Zk+rhcuxI
1Fagsz5dc4YSGquTM2wlG75lPQiZlkNH8onh8TFp1Qihse0j
-----END CERTIFICATE REQUEST-----

3.3.2 向CA申请证书(openssl ca)

在实际应用中,用户可以通过向知名CA递交证书请求来申请证书。我们可以自己建立的是一个根CA。首先,准备如配置文件,一般名为openssl.cnf,其相关配置参见 man 5 openssl.cnf

向自建CA申请证书的命令如下:

$ openssl ca -config ./openssl.cnf -in myreq.csr

命令执行成功后,新证书位于openssl.cnf文件中 new_certs_dir 配置项所指定的目录中,一般以序号命名,如01.pem等。

参考:
基于OpenSSL的CA建立及证书签发
Openssl.conf Walkthru

3.4 Client Certificates AKA pkcs12

在TLS双向认证时,不仅client要认证server,server也需要认证client,这时client需要提供证书。这种证书包含了私钥、公钥及公钥证书等信息,一般保存为pkcs12格式(二进制格式)。

下面是生成pkcs12证书的例子:

$ openssl pkcs12 -export -out certificate.p12 -inkey privateKey.pem -in certificate.pem    # 会提示输入保护p12文件的密码
Enter Export Password:

3.4.1 转换pkcs12证书为PEM格式

curl命令的 --cert 选项就是指定client证书,它默认使用PEM格式。

下面命令可以把pkcs12证书导出为PEM文本格式(保存着公钥证书及私钥文件):

$ openssl pkcs12 -in certificate.p12 -out client.pem -nodes  # 会提示输入p12文件的密码
$ openssl pkcs12 -in certificate.p12 -out client.pem         # 会提示输入p12文件的密码,以及想要设置的私钥保护密码

生成的client.pem文件中同时保存着公钥证书及私钥文件,组织方法是直接concate,如:

$ cat client.pem
-----BEGIN CERTIFICATE-----
......
-----END CERTIFICATE-----
-----BEGIN ENCRYPTED PRIVATE KEY-----
......
-----END ENCRYPTED PRIVATE KEY-----

Author: cig01

Created: <2018-03-22 Thu 00:00>

Last updated: <2018-05-21 Mon 12:19>

Creator: Emacs 25.3.1 (Org mode 9.1.4)