I. Introduction of OpenSSL
OpenSSL is currently the most popular SSL cipher library tool that provides a common, robust, and fully functional suite of tools to support the implementation of the SSL/TLS protocol.
Official website: https://www.openssl.org/source/ component cipher algorithm library key and certificate encapsulation management function SSL Communication API Interface use establish RSA, DH, DSA key parameter establish the certificate of , Certificate signing Request (CSR), and CRLs (certificate recycling list) Compute Message digest use various cipher encrypt/Decrypt SSL/TLS client and Server test processing S/MIME or encrypted mail Two, RSA key operation
By default, the OpenSSL output format is Pkcs#1-pem
Generate RSA private key (no encryption)
OpenSSL genrsa-out Rsa_private.key 2048
generate RSA Public key
OpenSSL rsa-in rsa_private.key-pubout-out Rsa_public.key
Generate RSA private key (using aes256 encryption)
OpenSSL genrsa-aes256-passout pass:111111-out Rsa_aes_private.key 2048
where passout instead of the shell for password input, otherwise you will be prompted to enter a password;
After generating the encrypted content, such as:
-----BEGIN RSA PRIVATE KEY-----
proc-type:4,encrypted
DEK-INFO:AES-256-CBC, 5584d000dddd53dd5b12ae935f05a007
Base64 encoded Data
-----END RSA PRIVATE KEY-----
If a public key is generated , a password is required
OpenSSL rsa-in rsa_aes_private.key-passin pass:111111-pubout-out Rsa_public.key
where passout in place of the shell for password input, otherwise you will be prompted to enter a password; conversion command
private key to non-encrypted
OpenSSL rsa-in rsa_aes_private.key-passin pass:111111-out Rsa_private.key
private key to encryption
OpenSSL rsa-in rsa_private.key-aes256-passout pass:111111-out Rsa_aes_private.key
private key Pem Goto der
OpenSSL rsa-in rsa_private.key-outform der-out Rsa_aes_private.der
The-inform and-outform parameters are developed in the input/output format, which is the same as the DER to PEM format
View private key details
OpenSSL rsa-in Rsa_private.key-noout-text
Use the-pubin parameter to view public key details
private key pkcs#1 turn pkcs#8
OpenSSL pkcs8-topk8-in rsa_private.key-passout pass:111111-out Pkcs8_private.key
Where-passout specified the password, the output of the PKCS8 format key is encrypted form, PKCS8 by default DES3 encryption algorithm, the content is as follows:
-----BEGIN ENCRYPTED Private key-----
Base64 encoded Data
-----END ENCRYPTED PRIVATE Key-----
Use the-nocrypt parameter to output a non-encrypted PKCS8 key, as follows:
-----BEGIN Private Key-----
Base64 encoded Data
-----END Private Key-----
Iii. generating a self-signed certificate
generate RSA private and self-signed certificates
OpenSSL req-newkey rsa:2048-nodes-keyout rsa_private.key-x509-days 365-out cert.crt
Req is a sub-command of the certificate request,-newkey Rsa:2048-keyout PRIVATE_KEY.PEM represents the generated private key (PKCS8 format),-nodes indicates that the private key is not encrypted, if no parameters will prompt for the password;
-x509 represents the output certificate,-days365 is the validity period, after which the certificate owner information is entered as prompted;
To perform automatic input, use the -subj option:
OpenSSL req-newkey rsa:2048-nodes-keyout rsa_private.key-x509-days 365-out cert.crt-subj "/C=CN/ST=GD/L=SZ/O=vihoo/ Ou=dev/cn=vivo.com/emailaddress=yy@vivo.com "
generating a self-signed certificate using an existing RSA private key
OpenSSL req-new-x509-days 365-key rsa_private.key-out cert.crt
-new refers to generating a certificate request, plus-x509 for direct output of the certificate,-key specifying the private key file, the remaining options are the same as the above command four, generating a signature request and CA signing
generating a CSR signing request using the RSA private key
OpenSSL genrsa-aes256-passout pass:111111-out server.key 2048
OpenSSL req-new-key server.key-out SERVER.CSR
After that, enter the password, the server certificate information is complete, or you can specify various parameters on the command line
OpenSSL req-new-key server.key-passin pass:111111-out server.csr-subj "/c=cn/st=gd/l=sz/o=vihoo/ou=dev/cn=vivo.com/ Emailaddress=yy@vivo.com "
The resulting CSR signature request file can be submitted to the CA for issuance * * *
View the details of a CSR
Cat SERVER.CSR
-----BEGIN CERTIFICATE Request-----
base64encodeddata
-----END CERTIFICATE Request-----
OpenSSL req-noout-text-in SERVER.CSR
use CA certificate and CA key to sign the request to issue certificate, generate X509 certificate
OpenSSL x509-req-days 3650-in server.csr-ca ca.crt-cakey ca.key-passin pass:111111-cacreateserial-out server.crt
Where the CAXXX option is used to specify the CA parameter input v. Certificate viewing and Conversion
View Certificate Details
OpenSSL x509-in Cert.crt-noout-text
Convert certificate encoding format
OpenSSL x509-in cert.cer-inform der-outform pem-out Cert.pem
Synthetic pkcs#12 certificate (with private key)
* * transfer PEM certificate and private key to PKCS#12 certificate * *
OpenSSL pkcs12-export-in server.crt-inkey server.key-passin pass:111111-password pass:111111-out server.p12
Where-export directs the PKCS#12 certificate,-inkey specifies the private key file,-passin the private key (file) password (nodes to no encryption),-password Specify the password for the P12 file (Import Export)
* * synthesize the PEM certificate and private key/CA certificate pkcs#12 Certificate * *
OpenSSL pkcs12-export-in server.crt-inkey server.key-passin pass:111111 \
-chain-cafile Ca.crt-password pass:111 111-out SERVER-ALL.P12
Where-chain indicates that the certificate chain is added at the same time,-cafile specifies the CA certificate, and the exported P12 file will contain multiple certificates. (Other options:-name can be used to specify server certificate aliases;-caname to specify CA certificate aliases)
* * pcks#12 extracting PEM file (with private key) * *
OpenSSL pkcs12-in server.p12-password pass:111111-passout pass:111111-out Out/server.pem
Where-password specifies the password for the P12 file (Import Export),-passout refers to the encrypted password of the output private key (nodes is no encryption)
The exported file is in PEM format and contains both the certificate and the private key (PKCS#8):
Bag Attributes
localkeyid:97 DD 3D 1E A6 EF 3B 2E 4 A a bayi 4F one-E7 1F
subject=/c=cn/st=gd/l=sz/o= Vihoo/ou=dev/cn=vihoo.com/emailaddress=yy@vihoo.com
issuer=/c=cn/st=gd/l=sz/o=viroot/ou=dev/cn=viroot.com/ emailaddress=yy@viroot.com
-----BEGIN CERTIFICATE-----
miidazccalmccqciola9/ DCFEJANBGKQHKIG9W0BAQUFADB5MQSWCQYDVQQGEWJD
1LPQCA+2B6DN4SCZWACD
-----END CERTIFICATE-----
Bag Attributes
localkeyid:97 DD 3D 1E A6 EF 3B 2E 4 A, Bayi 4F one, E7 1F
, Key Attributes: <no attribut es>
-----BEGIN ENCRYPTED PRIVATE KEY-----
miievaibadanbgkqhkig9w0baqefaascbkywggsiageaaoibaqdc/ 6RAC1YAPRNF
k9zlhbybtkvaxehjxzjhhw==
-----END ENCRYPTED PRIVATE KEY-----
extract private key only
OpenSSL pkcs12-in server.p12-password pass:111111-passout pass:111111-nocerts-out Out/key.pem
Extract certificates only (all certificates)
OpenSSL pkcs12-in Server.p12-password pass:111111-nokeys-out Out/key.pem
extracting CA certificates only
extracting only server certificates
vi.. OpenSSL Command Reference
1. OpenSSL list-standard-commands (Standard command) 1) Asn1parse:asn1parse used to interpret statements written in ans.1 syntax (ASN is typically used to define the composition of the syntax) 2) CA:CA for CA management OpenSSL CA [options]: 2.1)-selfsign The certificate is issued using a key pair that is signed for the certificate request.
That is, "self-signed," which occurs when the client generating the certificate, the CA that issued the certificate is the same machine (and most of our experiments), we can use the same key pair for "self-signed" 2.2)-in file needs to be processed in PEM format certificate 2.3)-out The certificate file that was output after the file processing ended 2.4)-cert file for issuing the root CA certificate 2.5)-days ARG designation issued The certificate's valid time 2.6)-keyfile arg CA's private key certificate file 2.7)-keyform arg CA's root private key certificate file format: 2.7.1)
PEM 2.7.2) ENGINE 2.8)-key arg CA's root private key certificate file decryption password (if encrypted) 2.9)-config file Configuration file example1: Signing request certificate with CA certificate OpenSSL ca-in server.csr-out server.crt-cert ca.crt-keyfile ca.key 3)
REQ:X.509 Certificate Issuance request (CSR) Management OpenSSL req [options] <infile >outfile 3.1)-inform arg input file format 3.1.1) DER 3.1.2) PEM 3.2)-outform arg
Output file format 3.2.1) DER 3.2.2) PEM 3.3)-in arg pending file 3.4)-out arg
Pending output file 3.5)-passin The private key file that is used to sign the request certificate to be generated 3.6)-key file is used to sign the private key of the requested certificate to be generated 3.7)-keyform Arg 3.7.1) DER 3.7.2) NET 3.7.3) PEM 3.8)-new New Request 3.9)-x509 output a X509-formatted certificate 3.10)-days X509 The valid time 3.11)-newkey RS A:bits generates a BITS-length RSA private key file for signing 3.12)-[digest] hash algorithm 3.12.1) MD5 3.12. 2) SHA1 3.12.3) MD2 3.12.4) mdc2 3.12.5) MD4 3.13)-config file Specify O Penssl configuration file 3.14)-text:text display format example1: Create a self-signed CA certificate with CA's RSA key (the structure of the last) OpenSSL Req-new-x509-days 3 650-key server.key-out ca.crt example2: Generate certificate with Server.key sign request CSR (this CSR is used to send out pending CA center pending issue) OpenSSL Req-new-key serv
Er.key-out SERVER.CSR Example3: View the details of the CSR OpenSSL req-noout-text-in SERVER.CSR 4) Genrsa: Generating RSA parameters OpenSSL Genrsa [args] [Numbi TS] [args] 4.1) whether the generated private key file is to be symmetric encrypted using an encryption algorithm: 4.1.1)-DES:CBC mode des encryption 4.1.2)-DES3:CB C-mode des encryption 4.1.3)-AES128:CBC mode AES128 encryption 4.1.4)-AES192:CBC-mode AES192 encryption 4.1.5)-aes256 : CBC mode of AES256 encryption 4.2)-passout Arg:arg for symmetric encryption (DES, DES, AES) password (using this parameter eliminates the console interaction prompts to enter the password link) 4.3)-out file: Output certificate private key file [Numbits]: Key Length example: Generate a 1024-bit RSA private key with DES encryption (password 1111), save as Server.key file OpenSSL genrsa-out se Rver.key-passout pass:1111-des3 1024x768 5) RSA:RSA Data Management openssl RSA [options] <infile >outfile 5.1)
-inform arg input key file format: 5.1.1) DER (ASN1) 5.1.2) NET 5.1.3) PEM (Base64 encoded format) 5.2)-outform arg output key file format 5.2.1) DER 5.2.2) NET 5.2.3) PEM 5.3) -in arg pending key file
5.4)-passin Arg Enter the decryption key for this encryption key file (if the encryption algorithm is selected when generating this key file) 5.5)-out arg to output key file
5.6)-passout ARG If you want the output key file to continue to use the encryption algorithm then specify the password 5.7)-DES:CBC Mode des encryption 5.8)-DES3:CBC Mode des encryption 5.9)-AES128:CBC mode AES128 encryption 5.10)-AES192:CBC mode AES192 encryption 5.11)-AES256:CBC mode AES256 encryption 5. -text: Print key in text form key data 5.13)-noout: Do not print key key data 5.14)-pubin: Check whether the pending file is a public key file 5.15)-pubout: Output public key file example1: Decryption of the private key file OpenSSL rsa-in server.key-passin pass:111-out server_nopass.key example:2: Using the private key File generates corresponding public key file OpenSSL rsa-in server.key-passin pass:111-pubout-out server_public.key 6) X509: This directive is a very rich card Book Processing tools.
Can be used to display the contents of the certificate, to convert its format, to the CSR signature, such as the management of the certificates of the certificate of "OpenSSL X509 [args] 6.1)-inform arg pending processing X509 certificate file format
6.1.1) DER 6.1.2) NET 6.1.3) PEM 6.2)-outform arg to output X509 certificate file format
6.2.1) DER 6.2.2) NET 6.2.3) PEM 6.3)-in arg pending X509 certificate file 6.4)-out arg pending output X509 certificate file 6.5)-req indicates that the input file is a "request to sign a certificate file (CSR)", waiting to be issued 6.6)-days ARG indicates that it will
The validity time of the issued Certificate 6.7)-ca arg specifies the root CA certificate used to issue the request Certificate 6.8)-caform ARG root CA certificate format (default is PEM)
6.9)-cakey ARG specifies the CA private key certificate file that is used to issue the request certificate, and if the option has no parameter input, the default is that the private key is 6.10 in the CA certificate file)-cakeyform arg Specify the root CA private key certificate file format (default to PEM format) 6.11)-caserial arg Specifies the serial number file (serial. a) 6.12)-cacreateser Ial automatically creates a serial number file if it is not specified example1: Convert der Certificate to PEM format OpenSSL x509-in cert.cer-inform Der-outform pem-out Cert.pem example2: Use the root CA certificate to sign the "Request signing certificate", generate x509 format certificate OpenSSL x509-req-days 3650-in server. Csr-ca ca.crt-cakey ca.key-cacreateserial-out server.crt example3: Print out the contents of the certificate OpenSSL x509-in server.crt-noout -text 7) Crl:crlis the format used to manage CRL list OpenSSL CRL [args] 7.1)-inform arg input file 7.1.1) DER (DER Encoded CRL object)
7.1.2) PEM (default format) (Base64 encoded CRL object) 7.2)-outform arg Specifies the output format of the file 7.2.1) DER (DER-Encoded CRL object) 7.2.2) PEM (default format)
(Base64 encoded CRL object) 7.3)-text: Prints the CRL information value in text format. 7.4)-in The input file name specified by filename.
The default is standard input. 7.5)-out The output file name specified by filename.
The default is standard output. 7.6)-hash The hash value of the output issuer information value.
This can be used to query a CRL object in a file based on the hash value of the issuer information value. 7.7)-