欢迎来到尧图网

客户服务 关于我们

您的位置:首页 > 新闻 > 国际 > openssl 基本命令使用方法

openssl 基本命令使用方法

2024/12/27 10:49:19 来源:https://blog.csdn.net/youngzhiyong/article/details/144070996  浏览:    关键词:openssl 基本命令使用方法

查看OpenSSL的版本信息:

root@ openssl version
OpenSSL 3.4.0 22 Oct 2024 (Library: OpenSSL 3.4.0 22 Oct 2024)

注:root@ 代表命令行提示符,不属于输入部分。

获取OpenSSL的帮助信息:

root@ openssl help
help:Standard commands  # 基本命令工具
asn1parse         ca                ciphers           cmp
cms               crl               crl2pkcs7         dgst
dhparam           dsa               dsaparam          ec
ecparam           enc               engine            errstr
fipsinstall       gendsa            genpkey           genrsa
help              info              kdf               list
mac               nseq              ocsp              passwd
pkcs12            pkcs7             pkcs8             pkey
pkeyparam         pkeyutl           prime             rand
rehash            req               rsa               rsautl
s_client          s_server          s_time            sess_id
smime             speed             spkac             srp
storeutl          ts                verify            version
x509# 消息摘要相关的算法
Message Digest commands (see the `dgst' command for more details)
blake2b512        blake2s256        md4               md5
mdc2              rmd160            sha1              sha224
sha256            sha3-224          sha3-256          sha3-384
sha3-512          sha384            sha512            sha512-224
sha512-256        shake128          shake256          sm3# 加密相关的算法
Cipher commands (see the `enc' command for more details)
aes-128-cbc       aes-128-ecb       aes-192-cbc       aes-192-ecb
aes-256-cbc       aes-256-ecb       aria-128-cbc      aria-128-cfb
aria-128-cfb1     aria-128-cfb8     aria-128-ctr      aria-128-ecb
aria-128-ofb      aria-192-cbc      aria-192-cfb      aria-192-cfb1
aria-192-cfb8     aria-192-ctr      aria-192-ecb      aria-192-ofb
aria-256-cbc      aria-256-cfb      aria-256-cfb1     aria-256-cfb8
aria-256-ctr      aria-256-ecb      aria-256-ofb      base64
bf                bf-cbc            bf-cfb            bf-ecb
bf-ofb            camellia-128-cbc  camellia-128-ecb  camellia-192-cbc
camellia-192-ecb  camellia-256-cbc  camellia-256-ecb  cast
cast-cbc          cast5-cbc         cast5-cfb         cast5-ecb
cast5-ofb         des               des-cbc           des-cfb
des-ecb           des-ede           des-ede-cbc       des-ede-cfb
des-ede-ofb       des-ede3          des-ede3-cbc      des-ede3-cfb
des-ede3-ofb      des-ofb           des3              desx
idea              idea-cbc          idea-cfb          idea-ecb
idea-ofb          rc2               rc2-40-cbc        rc2-64-cbc
rc2-cbc           rc2-cfb           rc2-ecb           rc2-ofb
rc4               rc4-40            seed              seed-cbc
seed-cfb          seed-ecb          seed-ofb          sm4-cbc
sm4-cfb           sm4-ctr           sm4-ecb           sm4-ofb

具体某一个工具的帮助:

root@ openssl enc -help

加密

aes-128-ecb加密

加密

echo hello >>test.txt
openssl enc -e -aes-128-ecb -in test.txt -out enc_test.txt -pass pass:123
  • e:加密;d: 解密;
  • aes-128-ecb:aes加密,加密的秘钥长度是128bit,加密模式采用ecb模式;
  • in/out: 输入/输出文本
  • pass:加密密码,真实的密码是在pass:后的字符

加密后的结果:

Salted__+□□¶□ڨ<□♣□1?S□↕□□I☻0□cp

解密

openssl enc -d -aes-128-ecb -in enc_test.txt -out decrypt_test.txt -pass pass:123

加密+base64编码

openssl enc -e -aes-128-ecb -base64 -in test.txt -out enc_test.txt -pass pass:123 -p
  • p:是打印加密时的密文、盐值和初始化向量等信息。

上述命令执行后,打印出以下信息:

salt=225FD3B76BD6D783
key=C46F6DE636A12D8096B110D12C27EE98
  • salt:当前加密的盐值。有了这个盐值后,多次对相同密文使用相同密码加密的密文都不同。
  • key:由盐值和密码派生出来实际用于加密的秘钥。秘钥的长度与分组长度相同,均为128bits。

加密后的结果:

U2FsdGVkX18F8pAVPvcIbYUgFYDBZtKGEKSvOwRqloY=

解密+base64编码

使用base64进行编码,在解密时也需要告知base64编码的。

openssl enc -d -aes-128-ecb -base64 -in enc_test.txt -out decrypt_test.txt -pass pass:123

若加密时,采用base64编码,解密时未指定,将会出现下面的错误:

bad decrypt
34359836736:error:0606506D:digital envelope routines:EVP_DecryptFinal_ex:wrong final block length:crypto/evp/evp_enc.c:572:

加密不带盐值
不带盐值,ECB模式对相同明文的多次加密后的密文就是相同。大家可以使用下面的命令多次重复加密相同的明文,再用前面的带盐值的命令加密进行对比。

openssl enc -e -aes-128-ecb -in test.txt -out enc_test.txt -pass pass:123 -nosalt -base64 -p
  • nosalt:不加入盐值。这就会造成多次加密后的密文是相同的。

上述命令执行后,打印出以下信息:

salt=225FD3B76BD6D783
key=A665A45920422F9D417E4867EFDC4FB8

解密不带盐值

openssl enc -d -aes-128-ecb -in enc_test.txt -out decrypt_test.txt -pass pass:123 -nosalt -base64 -p

解密时,也许指定不带盐值,否则报告下面的错误。

bad magic number

aes-128-cbc加密

加密

openssl enc -e -aes-128-cbc -in test.txt -out enc_test.txt -pass pass:123 -nosalt -base64 -p

上述命令执行后,打印出以下信息:

key=A665A45920422F9D417E4867EFDC4FB8
iv =A04A1F3FFF1FA07E998E86F7F7A27AE3
  • iv:即为CBC模式的初始化向量值。这个初始化向量可以人工指定,也可以采用随机生成,也可以有OpenSSL自动生成。

解密

openssl enc -d -aes-128-cbc -in enc_test.txt -out decrypt_test.txt -pass pass:123 -nosalt -base64 -p

aes-128-ctr加密

该加密模式,分块的末块长度不足,无需填充。因此,待加密的明文数据量较少时,加密后的密文数据量也较少。

加密

openssl enc -e -aes-128-ctr -in test.txt -out enc_test.txt -pass pass:123 -nosalt -base64 -p

上述命令执行后,打印出以下信息:

key=A665A45920422F9D417E4867EFDC4FB8
iv =A04A1F3FFF1FA07E998E86F7F7A27AE3

解密

openssl enc -d -aes-128-ctr -in enc_test.txt -out decrypt_test.txt -pass pass:123 -nosalt -base64 -p

散列函数和消息验证码

散列函数

MD5

root@ openssl dgst -md5 test.txt
MD5(test.txt)= de1ec876fbb738255aa58bdb775d93c2

SHA256

root@ openssl dgst -sha256 test.txt
SHA256(test.txt)= ec58ec95a10466fa34edd4790dd822ab849b2562bfd700c53c31e2cf39dc695a

SHA3-256

root@ openssl dgst -sha3-256 test.txt
SHA3-256(test.txt)= af5b10d616cadd83f643d842e1c199d2d15c2800a8a8f5f19d1f259be92970c1

消息验证码

root@ openssl dgst -sha256 -hmac 123 test.txt
HMAC-SHA256(test.txt)= e5b12545e3f7e19b4f623ec70b110f70c65af7c7b8bc768663d5a27e33d332b3

公私钥生成

1. 生成私钥明文文件

root@ openssl genrsa -out self_private.pem 2048
  • out: 输出的文件名。
  • 2048:指的是私钥的长度,默认是2048bits。最短:512,最长16384。不建议太长,也不建议太短。太短,秘钥安全等级不够;太长生成秘钥的时间很长,更别说用于加解密了。使用默认值2048即可,不填写时就是默认2048bits。

生成的私钥文件内容如下:

-----BEGIN RSA PRIVATE KEY-----                                 
MIIEowIBAAKCAQEAxby5Z/WPn0SoKl6R+Wh9Og/FGc0S5Mek7Bd5Z7VqAtEuqYt5
tVWv76Gqmv5hGKAcHt2SCUpyxHYhTaXQug0TJfuJHK5tuUxwkblznUpbRgp2PK9k
...
3HgG4jZXSAw9kW4hJFkMHuEKciL/G2VBjmERc0ew/C7xjKoC4cBQrfHqx2hzPKnw
M/2El4Erby8O//J+tgk9c2zEtK19MIUwUstt03z9JgdsBZZjbmRj            
-----END RSA PRIVATE KEY-----                                   

2. 查看明文私钥内容

openssl rsa -in self_private.pem -text
  • text:表示将输入的文件信息以文本方式呈现。

输出内容如下,作者未对每个参数的用途做深入研究,感兴趣的读者可以从其他途径进一步了解:

RSA Private-Key: (2048 bit, 2 primes)
modulus:00:c5:bc:b9:67:f5:8f:9f:44:a8:2a:5e:91:f9:68:...e6:ce:69:e4:79:7e:87:ed:c6:c2:5b:6b:9e:69:41:78:2d
publicExponent: 65537 (0x10001)
privateExponent:70:59:0e:2e:d7:02:c7:47:47:14:eb:ae:9c:ba:95:...55:3b:53:90:42:6f:77:2a:31:c3:5a:04:9c:7b:ce:b1
prime1:00:f5:9f:0f:67:97:5b:73:0b:cd:c6:ff:04:c0:93:...89:14:b8:f2:23:8b:54:63:4b:b7:23:7a:7e:88:ac:8b:0b:7c:b2:eb:5f:c9:1b:af
prime2:00:ce:17:b0:e4:1c:5a:c7:a5:77:59:2e:c6:bf:03:...   7d:83:a9:17:1f:d8:d2:f5:1c:1a:9d:ef:a4:1e:de:7e:f2:34:78:04:dc:4f:d4:e3
exponent1:28:33:f3:ca:89:ec:af:05:04:96:88:d1:57:50:06:...c7:36:8a:73:a4:ef:98:1d:21:89:ce:17:fd:f8:f7:fd:56:58:d6:cb:e3:d8:03
exponent2:1c:22:a9:d8:8a:72:6e:3d:0d:ad:14:30:b7:d5:13:...3d:1b:31:77:fc:8e:d8:3d:8c:f8:b0:c5:94:1d:45:f1:64:ee:59:a3:86:16:87
coefficient:00:96:a3:ee:9e:3e:1c:93:00:20:d7:f4:9f:35:8e:...73:6c:c4:b4:ad:7d:30:85:30:52:cb:6d:d3:7c:fd:26:07:6c:05:96:63:6e:64:63
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAxby5Z/WPn0SoKl6R+Wh9Og/FGc0S5Mek7Bd5Z7VqAtEuqYt5
tVWv76Gqmv5hGKAcHt2SCUpyxHYhTaXQug0TJfuJHK5tuUxwkblznUpbRgp2PK9k
...
3HgG4jZXSAw9kW4hJFkMHuEKciL/G2VBjmERc0ew/C7xjKoC4cBQrfHqx2hzPKnw
M/2El4Erby8O//J+tgk9c2zEtK19MIUwUstt03z9JgdsBZZjbmRj
-----END RSA PRIVATE KEY-----

3. 从私钥文件中提取公钥
注:从原理上是不能从公钥中提取私钥信息的。

openssl rsa -pubout -in self_private.pem -out self_public.pem
  • pubout:表示输出的是公钥信息

生成的公钥文件内容如下:

-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxby5Z/WPn0SoKl6R+Wh9
...
N2qaDYc7XCg4QRotKTb0DP9c7cmTle+88OCYUrK1CZPmzmnkeX6H7cbCW2ueaUF4
LQIDAQAB
-----END PUBLIC KEY-----

4. 查看明文公钥内容

openssl rsa -pubin -in self_public.pem -text
  • pubin:表示输入是公钥文件

输出内容如下:

RSA Public-Key: (2048 bit)
Modulus:00:c5:bc:b9:67:f5:8f:9f:44:a8:2a:5e:91:f9:68:...e6:ce:69:e4:79:7e:87:ed:c6:c2:5b:6b:9e:69:41:78:2d
Exponent: 65537 (0x10001)
writing RSA key
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxby5Z/WPn0SoKl6R+Wh9
...
N2qaDYc7XCg4QRotKTb0DP9c7cmTle+88OCYUrK1CZPmzmnkeX6H7cbCW2ueaUF4
LQIDAQAB
-----END PUBLIC KEY-----

5. 生成私钥密文文件

openssl genrsa -aes-128-cbc -passout pass:123 -out self_private.pem 2048
  • aes-128-cbc:对私钥的加密的算法。
  • passout:加密的密码。一定要以pass:开头,123:才是密码。

生成的私钥密文文件内容如下,输出内容中有表明该私钥文件时已经加密过:

-----BEGIN ENCRYPTED PRIVATE KEY-----                            
MIIFNTBfBgkqhkiG9w0BBQ0wUjAxBgkqhkiG9w0BBQwwJAQQYxNNgN4T33Kab8LP 
...
DwlZu+UpVvxWIqZ71uEmO4zuMMrq+AAGKYP9tT6dexZ1d8dXkfhqAlXRfPrF84h 
UFNSLz4or3kBL0SLsZfdGkNlC04OY+FfIvspn+w6KJmk7MY9Uc6bN6A=         
-----END ENCRYPTED PRIVATE KEY-----                              

6. 解密私钥密文文件

openssl rsa -passin pass:123 -in self_private.pem -out decrypt.pem

解密后的明文私钥:

-----BEGIN PRIVATE KEY-----
MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQC2bzXPBenjjFqb
...
24JN99YfT3Ib/cTiY9gTaQ0yFMng6zpGu47NiL4F1x1TQsWt/v2edMa5d+MaLFyX
HiF54f/y8YemhZp6fp5MSIyC
-----END PRIVATE KEY-----

直接从私钥密文文件提取公钥:

openssl rsa -passin pass:123 -pubout -in self_private.pem -out self_public.pem

7. 校验私钥文件秘钥对匹配

root@ openssl rsa -check -in self_private.pem -passin pass:123 -noout
RSA key ok
  • check:校验私钥文件
  • noout:不输出秘钥信息

8. 比较私钥文件中的公钥信息和公钥文件中的公钥信息

从私钥文件中提取公钥,计算sha256值:

root@ openssl rsa -passin pass:123 -in self_private.pem -pubout | openssl sha256
writing RSA key
SHA2-256(stdin)= 56698700a3328d088755be4ebe9215dd847c44a4a77ad1ad8baf96b5045f24cf

提取公钥文件公钥,计算公钥的sha256值:

root@ openssl rsa -pubin -in self_public.pem -pubout | openssl sha256
writing RSA key
SHA2-256(stdin)= 56698700a3328d088755be4ebe9215dd847c44a4a77ad1ad8baf96b5045f24cf

或者,直接计算公钥文件的sha256值:

root@ openssl sha256 self_public.pem
SHA2-256(self_public.pem)= 56698700a3328d088755be4ebe9215dd847c44a4a77ad1ad8baf96b5045f24cf

公私钥加解密

公钥加密

openssl pkeyutl -encrypt -pubin -inkey self_public.pem -in test.txt -out encrypt_test.txt
  • encrypt:加密。
  • pubin:输入是公钥
  • inkey:因为pubin是表示公钥,此处传入的就是公钥文件

私钥解密
因为私钥文件是密文,因此需要包含 -passin pass:123来对密文的私钥解密。

openssl pkeyutl -decrypt -inkey self_private.pem -passin pass:123 -in encrypt_test.txt -out decrypt_test.txt
  • decrypt:解密。
  • inkey:因为没有指定是公钥,此处就默认是私钥文件。

私钥签名,公钥验签

私钥签名

openssl pkeyutl -sign -inkey self_private.pem -passin pass:123 -digest sha256 -rawin -in test.txt -out sign_test.txt -hexdump
  • sign:签名
  • digest:签名时所用的Hash函数,且限制输入文件为raw类型。
  • rawin:指示raw类型的文件输入。未经过压缩处理的,即原生的。所有文件都可以认为是原始文件。
  • hexdump:十六进制打印输出。在生成签名文件时,需要去掉,否则在验签时无法验证通过。

等效命令如下:

openssl dgst -sha256 -sign self_private.pem -passin pass:123 -out sign_test.txt -hex test.txt

打印输出签名文件内容如下:

root@ cat sign_test.txt  
}□□♠□□□□▲□□N□□□.□OF□□-□□□♣G□□□☺□*►↕□□
$m□q□□c□♥8~ǕuxO□□□□□□ □R□♥,□□□H□%☼□E□̆□□W<_♫>□↑d□∟{[□□□TL☻□□□□B□>□►|■q□8
□□□□□□□♠գPp□j3☺q□□□□□D
□▲□J|□□□^#□□i□↨͓1Ӌо□♠□JI9□g□\□p↨□□►□♦§˜□"□☻O□□<□2#8□□UΞI→Π□Ϙh□□?'3□l□h□□
□►□i□□□-□)`□v□□M□ꦿ

按照十六进制输出如下:

root@ cat sign_test.txt                                                      
0000 - 7d e4 af 06 bf dd e9 98-1e f9 c1 4e 96 bf d8 2e   }..........N....
0010 - e0 4f 46 8c 92 2d 98 b0-90 05 47 83 e6 9c 01 b7   .OF..-....G.....
0020 - 2a 10 12 9e df 1b 45 24-6d f2 71 95 d6 63 e6 03   *.....E$m.q..c..
0030 - 38 7e c7 95 75 78 4f 9c-e6 8b e6 95 d0 20 b6 52   8~..uxO...... .R
0040 - f5 03 2c be 88 c9 48 80-25 0f ff 45 f5 cc 86 a1   ..,...H.%..E....
0050 - bd 57 3c 5f 0e 3e b2 18-64 fa 1c 7b a4 5b ba 8e   .W<_.>..d..{.[..
0060 - df 54 4c 02 c0 a3 b2 85-42 c5 3e 86 10 7c 16 71   .TL.....B.>..|.q
0070 - 8a 38 aa 90 72 05 fa 41-f9 04 cc 6a 1f d8 4e 9c   .8..r..A...j..N.
0080 - c8 41 97 c4 f5 f2 b0 44-0d ad 9e c6 e3 f9 8f a6   .A.....D........
0090 - 06 d5 a3 50 70 98 6a 33-01 71 0a b7 1e b1 4a 7c   ...Pp.j3.q....J|
00a0 - a2 dd df 5e 23 94 b7 69-c3 17 cd 93 31 d3 8b d0   ...^#..i....1...
00b0 - be bb 06 dd 4a 49 39 df-67 d0 5c d3 70 17 bd d8   ....JI9.g.\.p...
00c0 - 10 b2 04 00 15 c2 98 eb-22 f5 02 4f b6 a7 3c f9   ........"..O..<.
00d0 - 32 23 38 8e db 55 ce 9e-49 1a ce a0 ab cf 98 68   2#8..U..I......h
00e0 - 94 bc 3f 27 33 99 6c c2-68 ba 9a fa 10 f6 69 8d   ..?'3.l.h.....i.
00f0 - b1 f7 2d cb 29 60 a9 76-d8 dd 4d b7 ea a6 bf d8   ..-.)`.v..M.....

公钥验签

root@ openssl pkeyutl -verify -pubin -inkey self_public.pem -rawin -in test.txt -sigfile sign_test.txt
Signature Verified Successfully

等效命令如下:

root@ openssl dgst -verify self_public.pem -signature sign_test.txt test.txt
Verified OK

身份证书

1. 生成证书签名请求文件

a. 生成一对公私钥

openssl genrsa -aes-128-cbc -passout pass:123 -out self_private.pem 2048
openssl rsa -pubout -passin pass:123 -in self_private.pem -out self_public.pem

私钥文件:self_private.pem
公钥文件:self_public.pem

b. 基于公私钥生成签名请求

openssl req -new -key self_private.pem -passin pass:123 -subj "/CN=*example.com/O=Test, Inc./C=CN/ST=Sichuan/L=Chengdu" -out self_csr.pem
  • req:签名请求命令
  • key:私钥文件
  • subj:主体信息,主要包含以下信息:
    • C:国家代码(Country Name),此处填写:中国CN。
    • ST:省份或州(State or Province Name),此处填写:Sichuan。
    • L:城市或地区(Locality Name),此处填写:Chengdu。
    • O:组织名称(Organization Name),此处填写Test, Inc.公司。
    • OU:组织单位名称(Organizational Unit Name),表示组织内部的部门或单位。一般可不填写。
    • CN:通用名称(Common Name),对于服务器证书,这通常是服务器的域名或IP地址,此处填写*example.com网址;对于个人证书,这通常是证书持有者的姓名或别名。

签名请求文件原始信息如下:

-----BEGIN CERTIFICATE REQUEST-----
MIICojCCAYoCAQAwXTEVMBMGA1UEAwwMKmV4YW1wbGUuY29tMRMwEQYDVQQKDApU
...
HIFgyPBTc0gUXvHCLqoseVXuUUeOL6zThgQOCWj9WP2XgCyzY/Gqzbq003aBa58a
9Ov/84+n
-----END CERTIFICATE REQUEST-----

通过下列的命令,可以查看签名请求文件信息:

openssl req -in self_csr.pem -noout -text

输出内容如下:

Certificate Request:Data:Version: 1 (0x0)# 主体信息Subject: CN=*example.com, O=Test, Inc., C=CN, ST=Sichuan, L=Chengdu# 主体的公钥信息Subject Public Key Info:Public Key Algorithm: rsaEncryptionPublic-Key: (2048 bit)Modulus:00:e4:cf:dc:1f:35:5f:58:c0:1b:1c:b3:7d:ff:fe:...97:88:fc:5a:65:00:2f:28:78:03:5a:65:89:8d:ee:ea:efExponent: 65537 (0x10001)Attributes:(none)Requested Extensions:# 对签名请求信息的签名算法和签名值Signature Algorithm: sha256WithRSAEncryption Signature Value:cb:bd:2b:71:ff:2f:f4:f3:e0:ec:7c:4d:e0:13:e1:72:54:fd:...97:80:2c:b3:63:f1:aa:cd:ba:b4:d3:76:81:6b:9f:1a:f4:eb:ff:f3:8f:a7

c. 一步生成签名请求
生成私钥的同时也生成签名请求文件。

openssl req -new -newkey rsa:2048 -passout pass:123 -subj "/CN=*example.com/O=Test, Inc./C=CN/ST=Sichuan/L=Chengdu" -keyout self_private.pem -out self_csr.pem
  • newkey:生成私钥,rsa算法,2048bits的秘钥长度。

d. 校验签名请求文件

root@ openssl req -verify -in self_csr.pem -key self_private.pem -passin pass:123 -noout
Warning: Not placing -key in cert or request since request is used
Certificate request self-signature verify OK

2. 证书颁发机构签名身份证书

a. 证书机构生成自签名的根证书

生成根私钥和证书签名请求文件

openssl req -new -newkey rsa:2048 -passout pass:123 -subj "/CN=*root_cert.com/O=root_cert.Inc./C=CN/ST=Sichuan/L=Chengdu" -keyout root_private.pem -out root_csr.pem
  • 根私钥文件:root_private.pem
  • 根证书请求文件:root_csr.pem

自签发根证书

openssl x509 -req -days 3650 -in root_csr.pem -signkey root_private.pem -passin pass:123 -out root_cert.pem -extensions v3_ca -extfile <(cat <<-EOF
[v3_ca]
basicConstraints = critical,CA:true
keyUsage = critical, keyCertSign, cRLSign
EOF
)
Certificate request self-signature ok
subject=CN=*root_cert.com, O=root_cert.Inc., C=CN, ST=Sichuan, L=Chengdu
  • x509:是一个标准协议,此处是满足协议的x509命令。

自签发的证书内容如下:

root@ cat root_cert.pem
-----BEGIN CERTIFICATE-----
MIIDdTCCAl2gAwIBAgIUAKR3xmTKbjm9lW13Zq8QUFIWNaAwDQYJKoZIhvcNAQEL
...
C6FBSwbFbI8hh+GrpPeydvM9s1UtgYGo0Y7ngvMPNyOo5viz5cbDLQ4nL224i2Ii
MP9FXzU9ETlolRBau6h/IF8H4Rp3xwrMSw==
-----END CERTIFICATE-----

利用如下命令查看根证书:

openssl x509 -in root_cert.pem -noout -text
Certificate:                                                                       Data:                                                                          Version: 3 (0x2)                                                           Serial Number:                                                             68:08:bc:c3:99:19:45:37:57:0a:99:34:99:72:37:0e:b4:16:da:05            Signature Algorithm: sha256WithRSAEncryption                               Issuer: CN=*root_cert.com, O=root_cert.Inc., C=CN, ST=Sichuan, L=Chengdu   Validity                                                                   Not Before: Nov 25 16:45:39 2024 GMT                                   Not After : Nov 23 16:45:39 2034 GMT                                   Subject: CN=*root_cert.com, O=root_cert.Inc., C=CN, ST=Sichuan, L=Chengdu  Subject Public Key Info:                                                   Public Key Algorithm: rsaEncryption                                    Public-Key: (2048 bit)                                             Modulus:                                                           00:e0:f9:37:a9:c9:ff:2c:8b:a9:fb:76:4c:7a:d4:                  ...94:70:00:09:1b:b2:4b:e6:10:68:ad:c3:cb:67:ff:                  52:9d                                                          Exponent: 65537 (0x10001)                                          X509v3 extensions:                                                         X509v3 Basic Constraints: critical                                     CA:TRUE # 证书机构颁发的证书                                                           X509v3 Key Usage: critical                                             Certificate Sign, CRL Sign  # 证书签名,证书吊销列表签名                                        X509v3 Subject Key Identifier:                                         52:56:00:0C:28:98:26:2E:56:70:7E:84:62:7B:A2:81:95:2E:C9:50        Signature Algorithm: sha256WithRSAEncryption                                   Signature Value:                                                               29:e1:51:8d:9a:c0:56:c3:e8:5c:12:15:08:30:75:06:b3:17:                     18:d8:89:6b:2b:4d:87:d7:34:3f:99:09:ba:28:e9:91:e0:13:                    ...04:c6:b9:3e                                                                

b. 利用自签发的根证书,签发其他实体组织的证书签名

openssl x509 -req -days 180 -CA root_cert.pem -CAkey root_private.pem -passin pass:123 -in self_csr.pem -out self_cert.pem -CAcreateserial -extfile <(cat <<-EOF
[v3_server]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
)
Certificate request self-signature ok  # 表明签名请求信息时自签名,且状态OK。
subject=CN=*example.com, O=Test, Inc., C=CN, ST=Sichuan, L=Chengdu

查看身份证书信息

openssl x509 -in self_cert.pem -noout -text
Certificate:                                                                         Data:                                                                            Version: 3 (0x2)                                                             Serial Number:                                                               71:32:19:0a:09:10:b6:a9:a0:b8:3e:65:3d:59:7f:0e:18:a2:cd:cd              Signature Algorithm: sha256WithRSAEncryption                                 Issuer: CN=*root_cert.com, O=root_cert.Inc., C=CN, ST=Sichuan, L=Chengdu   # 签发机构信息  Validity                                                                     Not Before: Nov 24 15:15:53 2024 GMT                                     Not After : May 23 15:15:53 2025 GMT                                     Subject: CN=*example.com, O=Test, Inc., C=CN, ST=Sichuan, L=Chengdu          Subject Public Key Info:                                                     Public Key Algorithm: rsaEncryption                                      Public-Key: (2048 bit)                                               Modulus:                                                             00:e2:48:5a:74:18:7d:80:e8:5c:4a:99:bd:f8:76:                    97:a0:e7:48:d9:15:27:7f:40:6a:ca:da:16:00:b2:                    ...dd:10:41:ca:18:49:38:2f:22:cb:05:11:ae:b6:a8:                    68:e9                                                            Exponent: 65537 (0x10001)                                            X509v3 extensions:                                                           X509v3 Subject Key Identifier:                                           5C:8C:46:0E:B8:6D:49:E5:EE:A8:6E:92:90:84:10:E9:C3:A2:E0:E7          X509v3 Authority Key Identifier:                                         CA:D1:4A:2A:47:A6:CF:9F:96:C3:26:C9:B6:52:AF:6C:7E:DA:56:E1          Signature Algorithm: sha256WithRSAEncryption                                     Signature Value:                                                                 05:dd:8b:60:a1:e5:80:82:fc:63:e0:20:a9:37:b4:62:b2:23:                       ...             dc:5f:db:81:c2:9e:23:35:32:0c:31:f1:c1:18:43:ac:ff:9c:                       56:93:32:40                                                                  

c. 验证身份信息

openssl verify -CAfile root_cert.pem self_cert.pem

验证成功,输出如下内容:

self_cert.pem: OK

如果在签发证书时,未提供扩展信息字段内容,将出现下面的错误:

CN=*root_cert.com, O=root_cert.Inc., C=CN, ST=Sichuan, L=Chengdu
error 18 at 0 depth lookup: self-signed certificate
error root_cert.pem: verification failed
CN=*example.com, O=Test, Inc., C=CN, ST=Sichuan, L=Chengdu
error 20 at 0 depth lookup: unable to get local issuer certificate
error self_cert.pem: verification failed

版权声明:

本网仅为发布的内容提供存储空间,不对发表、转载的内容提供任何形式的保证。凡本网注明“来源:XXX网络”的作品,均转载自其它媒体,著作权归作者所有,商业转载请联系作者获得授权,非商业转载请注明出处。

我们尊重并感谢每一位作者,均已注明文章来源和作者。如因作品内容、版权或其它问题,请及时与我们联系,联系邮箱:809451989@qq.com,投稿邮箱:809451989@qq.com