1. Introduction to OpenSSL
OpenSSL is currently the most widely used SSL/TLS cryptographic library and toolkit; it provides a general-purpose, robust, full-featured suite of tools that implement the SSL/TLS protocols.
Official website: https://www.openssl.org/source/
Components:
- cryptographic algorithm library
- key and certificate packaging and management functions
- SSL communication API
Uses:
- generating RSA, DH and DSA key parameters
- creating X.509 certificates, certificate signing requests (CSRs) and CRLs (certificate revocation lists)
- computing message digests
- encrypting and decrypting with various ciphers
- testing SSL/TLS clients and servers
- handling S/MIME or encrypted mail
2. RSA key operations
By default, OpenSSL outputs keys in PKCS#1 PEM format.
Generate an RSA private key (unencrypted):
openssl genrsa -out rsa_private.key 2048
Generate the RSA public key:
openssl rsa -in rsa_private.key -pubout -out rsa_public.key
Generate an RSA private key (encrypted with AES-256):
openssl genrsa -aes256 -passout pass:111111 -out rsa_aes_private.key 2048
Here -passout supplies the password on the command line instead of reading it from the shell; without it you are prompted for the password.
The generated encrypted key looks like this:
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,5584d000dddd53dd5b12ae935f05a007
Base64 encoded data
-----END RSA PRIVATE KEY-----
To generate the public key from this key you now have to provide the password:
openssl rsa -in rsa_aes_private.key -passin pass:111111 -pubout -out rsa_public.key
Here -passin supplies the password on the command line instead of reading it from the shell; without it you are prompted for the password.
Conversion commands
Convert an encrypted private key to an unencrypted one:
openssl rsa -in rsa_aes_private.key -passin pass:111111 -out rsa_private.key
Convert an unencrypted private key to an encrypted one:
openssl rsa -in rsa_private.key -aes256 -passout pass:111111 -out rsa_aes_private.key
Convert a private key from PEM to DER:
openssl rsa -in rsa_private.key -outform der -out rsa_aes_private.der
-inform and -outform specify the input and output encoding, either DER or PEM.
View private key details:
openssl rsa -in rsa_private.key -noout -text
Use the -pubin parameter on a public key file to view public key details.
Convert a private key from PKCS#1 to PKCS#8:
openssl pkcs8 -topk8 -in rsa_private.key -passout pass:111111 -out pkcs8_private.key
Here -passout specifies the password, so the PKCS#8 key is written in encrypted form; pkcs8 uses the DES3 encryption algorithm by default. The contents look like this:
-----BEGIN ENCRYPTED PRIVATE KEY-----
Base64 encoded data
-----END ENCRYPTED PRIVATE KEY-----
Use the -nocrypt parameter to output an unencrypted PKCS#8 key, which looks like this:
-----BEGIN PRIVATE KEY-----
Base64 encoded data
-----END PRIVATE KEY-----
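The following script is an added example, not code from the original article. It runs the key commands of this section end to end and then checks what a practitioner actually cares about: that the public key, the AES-encrypted key, the PKCS#8 key and the DER file all carry the same modulus (i.e. are the same key pair), that the encrypted files really are encrypted, and that a wrong password is rejected. It assumes the openssl binary is on PATH; the file names and the password 111111 are the article's.

```shell
#!/bin/sh
# Added example, not code from the original article: run the key commands
# from this section and check that every form of the key is the same key.
# Assumes the openssl binary is on PATH; file names and the password 111111
# are the article's.

rsa_key_roundtrip() (
  set -e
  tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
  cd "$tmp"
  pw=111111

  # Unencrypted private key, then the public key derived from it
  openssl genrsa -out rsa_private.key 2048 2>/dev/null
  openssl rsa -in rsa_private.key -pubout -out rsa_public.key 2>/dev/null
  # Same key, AES-256-encrypted; -passout avoids the interactive prompt
  openssl rsa -in rsa_private.key -aes256 -passout pass:$pw -out rsa_aes_private.key 2>/dev/null
  # Same key as encrypted PKCS#8, and as DER
  openssl pkcs8 -topk8 -in rsa_private.key -passout pass:$pw -out pkcs8_private.key
  openssl rsa -in rsa_private.key -outform der -out rsa_private.der 2>/dev/null

  # The encrypted files must say so in their PEM envelope
  grep -q 'ENCRYPTED' rsa_aes_private.key
  grep -q 'BEGIN ENCRYPTED PRIVATE KEY' pkcs8_private.key

  # Every form must carry the same modulus (i.e. be the same key pair)
  m0=$(openssl rsa -in rsa_private.key -noout -modulus 2>/dev/null)
  m1=$(openssl rsa -pubin -in rsa_public.key -noout -modulus 2>/dev/null)
  m2=$(openssl rsa -in rsa_aes_private.key -passin pass:$pw -noout -modulus 2>/dev/null)
  m3=$(openssl rsa -in pkcs8_private.key -passin pass:$pw -noout -modulus 2>/dev/null)
  m4=$(openssl rsa -inform der -in rsa_private.der -noout -modulus 2>/dev/null)
  for m in "$m1" "$m2" "$m3" "$m4"; do
    [ "$m" = "$m0" ] || { echo "FAIL: modulus mismatch" >&2; exit 1; }
  done

  # A wrong password must be rejected, not silently produce garbage
  if openssl rsa -in rsa_aes_private.key -passin pass:wrong -noout >/dev/null 2>&1; then
    echo "FAIL: wrong password accepted" >&2; exit 1
  fi
  echo ok
)

rsa_key_roundtrip
```

The checks grep for the word ENCRYPTED rather than for one exact header because the defaults differ between OpenSSL versions: OpenSSL 3.x writes genrsa and rsa output as PKCS#8 ("BEGIN PRIVATE KEY" / "BEGIN ENCRYPTED PRIVATE KEY") unless -traditional is given, and pkcs8 has defaulted to AES-256-CBC with PBKDF2 since OpenSSL 1.1.0 rather than the DES3 mentioned above. The modulus comparison is the quick way to confirm that a converted or re-encrypted file still belongs to the key you think it does.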
3. Generate a self-signed certificate
Generate an RSA private key and a self-signed certificate in one step:
openssl req -newkey rsa:2048 -nodes -keyout rsa_private.key -x509 -days 365 -out cert.crt
req is the subcommand for certificate requests. -newkey rsa:2048 -keyout private_key.pem generates the private key (in PKCS#8 format); -nodes means the private key is not encrypted, and without this parameter you are prompted for a password.
-x509 means output a certificate instead of a request, -days 365 sets the validity period, and you then enter the certificate owner's information at the prompts.
To supply that information automatically, use the -subj option:
openssl req -newkey rsa:2048 -nodes -keyout rsa_private.key -x509 -days 365 -out cert.crt -subj "/C=CN/ST=GD/L=SZ/O=vihoo/OU=dev/CN=vivo.com/emailAddress=yy@vivo.com"
To generate a self-signed certificate from an existing RSA private key:
openssl req -new -x509 -days 365 -key rsa_private.key -out cert.crt
-new means generate a certificate request; combined with -x509 it outputs a certificate directly. -key specifies the private key file, and the remaining options are the same as in the command above.
4. Generate a signing request and sign it with a CA
Generate a CSR (certificate signing request) from an RSA private key:
openssl genrsa -aes256 -passout pass:111111 -out server.key 2048
openssl req -new -key server.key -out server.csr
Then enter the key password and the server certificate information at the prompts, or specify all the parameters on the command line:
openssl req -new -key server.key -passin pass:111111 -out server.csr -subj "/C=CN/ST=GD/L=SZ/O=vihoo/OU=dev/CN=vivo.com/emailAddress=yy@vivo.com"
The CSR file generated here can be submitted to a CA for issuance.
View the CSR:
cat server.csr
-----BEGIN CERTIFICATE REQUEST-----
Base64 encoded data
-----END CERTIFICATE REQUEST-----
View details of the CSR:
openssl req -noout -text -in server.csr
Sign the request with the CA certificate and CA key to issue an X.509 certificate:
openssl x509 -req -days 3650 -in server.csr -CA ca.crt -CAkey ca.key -passin pass:111111 -CAcreateserial -out server.crt
Here the -CA... options specify the CA's inputs (its certificate, its key, and creation of the serial-number file).
5. Certificate viewing and conversion
View certificate details:
openssl x509 -in cert.crt -noout -text
Convert the certificate encoding format (here DER to PEM):
openssl x509 -in cert.cer -inform der -outform pem -out cert.pem
Build a PKCS#12 certificate (including the private key)
Convert a PEM certificate and private key to a PKCS#12 certificate:
openssl pkcs12 -export -in server.crt -inkey server.key -passin pass:111111 -password pass:111111 -out
Here -export means produce a PKCS#12 file, -inkey specifies the private key file, -passin gives the password of the private key file (not needed for a key created with -nodes), and -password gives the password of the P12 file itself (used for both import and export).
Combine a PEM certificate, its private key and the CA certificate into a PKCS#12 certificate:
openssl pkcs12 -export -in server.crt -inkey server.key -passin pass:111111 -chain -CAfile ca.crt -password pass:111111 -out server-all.p12
Here -chain means the certificate chain is included as well and -CAfile specifies the CA certificate, so the exported P12 file contains multiple certificates. (Other options: -name specifies an alias for the server certificate and -caname an alias for the CA certificate.)
Extract PEM files (including the private key) from PKCS#12:
openssl pkcs12 -in server.p12 -password pass:111111 -passout pass:111111 -out out/server.pem
Here -password specifies the password of the P12 file (import/export) and -passout the password used to encrypt the output private key (with -nodes it is written unencrypted).
The exported file is in PEM format and contains both the certificate and the private key (PKCS#8):
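The following script is an added example, not code from the original article. It runs sections 3 to 5 as one procedure: a self-signed CA, an encrypted server key with a CSR filled in via -subj, issuance with x509 -req, verification that the leaf chains to the CA and matches its key, packing certificate, key and chain into a PKCS#12 file, and unpacking it again. It assumes the openssl binary is on PATH. The password 111111 and the subject names are the article's; the small config file, the leaf extensions file and the DNS SAN for vivo.com are this example's own additions.

```shell
#!/bin/sh
# Added example, not code from the original article: one script that runs
# through sections 3 to 5 (self-signed CA, CSR, CA-signed server certificate,
# PKCS#12 packing and unpacking) and checks each artefact it produces.
# Assumes the openssl binary is on PATH. The password 111111 and the subject
# names come from the article; the small config file and the DNS SAN for
# vivo.com are this example's own additions.

ca_issue_and_pack() (
  set -e
  tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
  cd "$tmp"
  pw=111111

  # Minimal config so the example does not depend on the system openssl.cnf.
  # [ca_ext] marks the root as a CA; without CA:TRUE "openssl verify" will
  # not accept it as an issuer.
  cat > req.cnf <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions    = ca_ext
prompt             = no
[ dn ]
CN = placeholder
[ ca_ext ]
basicConstraints     = critical,CA:TRUE
keyUsage             = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
  # Leaf extensions: not a CA, and a SAN, which is what TLS clients match
  # the host name against (the CN alone is no longer sufficient)
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:vivo.com\n' > leaf.ext

  # Section 3: CA key plus self-signed CA certificate in one command
  openssl req -config req.cnf -newkey rsa:2048 -nodes -keyout ca.key -x509 -days 365 \
    -out ca.crt -subj "/C=CN/ST=GD/L=SZ/O=viroot/OU=dev/CN=viroot.com" 2>/dev/null

  # Section 4: encrypted server key, CSR filled in with -subj, signed by the CA
  openssl genrsa -aes256 -passout pass:$pw -out server.key 2048 2>/dev/null
  openssl req -config req.cnf -new -key server.key -passin pass:$pw -out server.csr \
    -subj "/C=CN/ST=GD/L=SZ/O=vihoo/OU=dev/CN=vivo.com/emailAddress=yy@vivo.com"
  openssl req -in server.csr -noout -verify >/dev/null 2>&1   # CSR self-signature intact
  openssl x509 -req -days 3650 -in server.csr -CA ca.crt -CAkey ca.key \
    -CAcreateserial -extfile leaf.ext -out server.crt 2>/dev/null

  # The leaf must chain to the CA and carry the server key's public half
  openssl verify -CAfile ca.crt server.crt >/dev/null
  kmod=$(openssl rsa -in server.key -passin pass:$pw -noout -modulus 2>/dev/null)
  cmod=$(openssl x509 -in server.crt -noout -modulus)
  [ "$kmod" = "$cmod" ] || { echo "FAIL: key/cert mismatch" >&2; exit 1; }

  # Section 5: certificate, key and CA chain into one PKCS#12 file
  openssl pkcs12 -export -in server.crt -inkey server.key -passin pass:$pw \
    -chain -CAfile ca.crt -password pass:$pw -out server-all.p12

  # Unpack everything: expect two certificates; then the key alone, re-encrypted
  openssl pkcs12 -in server-all.p12 -password pass:$pw -passout pass:$pw -out all.pem
  ncert=$(grep -c 'BEGIN CERTIFICATE' all.pem)
  [ "$ncert" -eq 2 ] || { echo "FAIL: expected 2 certificates, got $ncert" >&2; exit 1; }
  openssl pkcs12 -in server-all.p12 -password pass:$pw -passout pass:$pw -nocerts -out key.pem
  grep -q 'BEGIN ENCRYPTED PRIVATE KEY' key.pem
  pmod=$(openssl rsa -in key.pem -passin pass:$pw -noout -modulus 2>/dev/null)
  [ "$pmod" = "$kmod" ] || { echo "FAIL: extracted key differs" >&2; exit 1; }

  # A wrong PKCS#12 password must fail outright, not yield an empty file
  if openssl pkcs12 -in server-all.p12 -password pass:wrong -nokeys -out /dev/null 2>/dev/null; then
    echo "FAIL: wrong PKCS#12 password accepted" >&2; exit 1
  fi
  echo ok
)

ca_issue_and_pack
```

Two design points worth noting. The CA's basicConstraints and keyUsage extensions are not optional decoration: openssl verify (and every TLS client) refuses to treat a certificate without CA:TRUE as an issuer, which is the usual reason a hand-built chain "does not verify". And the modulus comparisons after issuance and after unpacking are the cheapest way to catch the common mistakes of signing the wrong CSR or packing the wrong key into the .p12.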
Bag Attributes
    localKeyID: 97 DD 3D 1E A6 EF 3B 2E 4A 81 4F 01 E7 1F
subject=/C=CN/ST=GD/L=SZ/O=vihoo/OU=dev/CN=vihoo.com/emailAddress=yy@vihoo.com
issuer=/C=CN/ST=GD/L=SZ/O=viroot/OU=dev/CN=viroot.com/emailAddress=yy@viroot.com
-----BEGIN CERTIFICATE-----
Base64 encoded data
-----END CERTIFICATE-----
Bag Attributes
    localKeyID: 97 DD 3D 1E A6 EF 3B 2E 4A 81 4F 01 E7 1F
Key Attributes: <No Attributes>
-----BEGIN ENCRYPTED PRIVATE KEY-----
Base64 encoded data
-----END ENCRYPTED PRIVATE KEY-----
Extract only the private key:
openssl pkcs12 -in server.p12 -password pass:111111 -passout pass: