Common certificate management tool: openssl
2013-02-03
OpenSSL ships a command-line tool that exposes all of the functionality of the OpenSSL library. OpenSSL is written in C, which gives it excellent cross-platform portability; it supports Linux, Windows, BSD, Mac, VMS and other platforms.
Download openssl
http://slproweb.com/products/Win32OpenSSL.html
http://www.slproweb.com/products/Win32OpenSSL.html
http://www.shininglightpro.com/download/
A sample openssl.conf:
http://www.securityfocus.com/data/tools/openssl.conf
1. To convert a private key from PEM to DER format:
openssl rsa -in key.pem -outform DER -out keyout.der
openssl rsa -in serverb.key -outform DER -out serverb.der
2. Dump a PKCS#12 certificate to text
openssl pkcs12 -in pfx -out a.txt
3. Export the public certificate from a PKCS#12 file
openssl pkcs12 -in butterfly.pfx -nokeys -out certexport.pub
Export the private key
openssl pkcs12 -in butterfly.pfx -nocerts -out keyexport.pub
Combine a certificate and its key into a PKCS#12 (pfx/p12) file
openssl pkcs12 -export -clcerts -in client.crt -inkey key.pem -out client.p12
openssl pkcs12 -export -clcerts -in tom1.crt -inkey tom1.key -out tom1.p12
openssl pkcs12 -export -clcerts -in smics.crt -inkey cmics.b64 -out smics.p12
openssl pkcs12 -export -clcerts -in joyidyeah.crt -inkey joyidyeah.key -out joyidyeah.p12
openssl pkcs12 -export -clcerts -in aes.crt -inkey aes.key -out aes12.p12
4. Inspect a certificate with openssl
openssl x509 -inform PEM -in rootcert.crt -noout -text
openssl x509 -inform PEM -in ca2.pem -text | more    (page through a certificate stored as PEM, i.e. base64 in 64-character lines)
Inspect a CSR with openssl
openssl req -in CSR.pem -text -noout
Inspect a key with openssl (print the components of a private key to standard output):
openssl rsa -in key.pem -text -noout
5. To remove the pass phrase from an RSA private key (needed by Windows, Serv-U and similar software that cannot prompt for it):
openssl rsa -in key.pem -out keyout.pem
6. To encrypt a private key using triple DES:
openssl rsa -in key.pem -des3 -out keyout.pem
7. To just output the public part of a private key:
openssl rsa -in key.pem -pubout -out pubkey.pem
8. Test an SSL connection
openssl s_client -connect localhost:443 -state -debug
Once the handshake completes, type a request such as GET / HTTP/1.0 followed by an empty line to fetch a page over the connection.
9. Generate a private key and a CSR
1) Generate the private key (encrypted with a passphrase):
openssl genrsa -des3 -out domainname.key 1024
2) Generate the CSR file (use the key file generated in step 1):
openssl req -config openssl.conf -new -key server.key -out server.csr
openssl req -new -key server.key -out server.csr
10. Create a self-signed CA certificate. ca.crt is the self-signed CA certificate, server.crt is the HTTPS server certificate issued by that CA, and server.key is the HTTPS server's private key. The openssl commands below generate these files. Steps:
1) Generate the self-signed CA certificate ca.crt
/usr/bin/openssl genrsa -des3 -out ca.key 1024
/usr/bin/openssl req -new -x509 -days 365 -key ca.key -out ca.crt
2) Generate the key server.key, then use the CA key to issue the HTTPS server certificate server.crt
/usr/bin/openssl genrsa -out server.key 1024
/usr/bin/openssl req -new -key server.key -out server.csr
/usr/bin/openssl x509 -req -in server.csr -out server.crt -CA ca.crt -CAkey ca.key -CAcreateserial -days 365
When a browser then visits our site, it pops up a dialog asking whether to trust this certificate; this is the browser authenticating the server, and we usually choose to trust it. If ca.crt is imported into the browser, the dialog no longer appears, because the browser uses ca.crt to verify the server.crt it receives. Likewise, our HTTPS server can require the browser to prove its identity, which is the server authenticating the browser: we can require the browser to present something before it may access the site, and that something is a client certificate client.p12, generated with the following steps and then distributed to users:
1) Generate the key client.key, then use the CA key to issue the client certificate client.crt
/usr/bin/openssl genrsa -out client.key 1024
/usr/bin/openssl req -new -key client.key -out client.csr
/usr/bin/openssl x509 -req -in client.csr -out client.crt -CA ca.crt -CAkey ca.key -CAcreateserial -days 365
2) Convert client.key and client.crt into client.p12; both IE and Mozilla recognise this client certificate format
/usr/bin/openssl pkcs12 -export -in client.crt -inkey client.key -out client.p12 -name "Client Certificate"
3) Finally, enable SSLVerifyClient require in /etc/httpd/conf.d/ssl.conf, because by default the server does not require the browser to authenticate.
11. Sign a file with the user's private key:
openssl smime -sign -inkey user.key -signer user.pem -in test.txt -out test.sig
Decrypt an encrypted S/MIME message:
openssl smime -decrypt -in txt_need_dec.fromali.enc -out org.txt3 -inkey boxbox.key -recip boxbox.crt
12. Certificate fingerprint, inspection and signing
openssl x509 -in mycert.pem -noout -fingerprint
openssl x509 -in server.crt -noout -text
Sign a certificate:
openssl req -x509 -in server.csr -out server.crt -CA ca.crt -CAkey ca.key -CAcreateserial -days 365
openssl req -x509 -key ca.key -in server.csr -out server.crt
(The req -x509 -CA/-CAkey form is only accepted by OpenSSL 3.0 and later; on older releases use the x509 -req form from item 10.)
References:
http://pki.com.cn/showthread.php?s=c85a6575efdf8d86b6b4cc4c1038640f&threadid=102
http://www.openssl.org/docs/apps/openssl.html
13. List cipher suites
openssl ciphers -v
14. Export the certificates contained in a .p7b file
openssl pkcs7 -inform DER -in l.p7b -print_certs -out a.txt
15. Generate a version 3 certificate (extensions read from 0.txt)
openssl x509 -req -extfile 0.txt -in oracle.csr -out server4.crt -CA ca.crt -CAkey ca.key -CAcreateserial -days 3655
0.txt:
[ req ]
default_bits = 1024
default_keyfile = ca.key
distinguished_name = req_distinguished_name
attributes = req_attributes
prompt = no
output_password = password
x509_extensions = v3_ca

[ req_distinguished_name ]
C = CN
ST = Beijing
L = Beijing
O = wallcopper Co.,Ltd.
OU = technology department
CN = www.wallcopper.com
emailAddress = wall@wallcopper.com

[ req_attributes ]
challengePassword = password
Note that x509 -extfile does not read the x509_extensions setting of the [ req ] section: x509 -req takes its extensions from the section named with -extensions, or from an extensions = line in the file's unnamed default section, so the [ v3_ca ] section referenced above (not shown here) must be present and selected that way.
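The CA workflow of item 10 and the v3 issuance of item 15 as one runnable script. This is an added example, not a command sequence from the original post; the directory layout, subject names, extension file and the PKCS#12 password changeit are constructed for the demo, and the keys are left unencrypted so the script runs without prompts.

```shell
#!/bin/sh
# Added example: build a test CA, issue a v3 server certificate from a CSR
# with an -extfile, verify the chain and export a PKCS#12 bundle.
# File names, subjects and the demo password below are constructed values.
set -eu

# Create a self-signed CA and a CA-signed server certificate inside $1.
build_test_pki() {
    dir=$1
    mkdir -p "$dir"
    # CA key and self-signed CA certificate (2048-bit; the post's 1024 is too small today)
    openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
    openssl req -new -x509 -days 365 -key "$dir/ca.key" \
        -subj "/C=CN/O=Demo Test CA/CN=Demo Root CA" -out "$dir/ca.crt"
    # Server key and CSR
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
    openssl req -new -key "$dir/server.key" \
        -subj "/C=CN/O=Demo/CN=www.example.com" -out "$dir/server.csr"
    # v3 extensions in the unnamed default section; without -extfile,
    # 'x509 -req' would emit a version 1 certificate with no SAN.
    printf '%s\n' \
        'basicConstraints = CA:FALSE' \
        'keyUsage = digitalSignature, keyEncipherment' \
        'extendedKeyUsage = serverAuth' \
        'subjectAltName = DNS:www.example.com' > "$dir/server.ext"
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 365 -extfile "$dir/server.ext" \
        -out "$dir/server.crt" 2>/dev/null
    # Bundle key + certificate as PKCS#12 for browser import
    openssl pkcs12 -export -in "$dir/server.crt" -inkey "$dir/server.key" \
        -name "Demo Server" -passout pass:changeit -out "$dir/server.p12"
}

# Print the X.509 version (1 or 3) of a PEM certificate.
cert_version() {
    openssl x509 -in "$1" -noout -text | sed -n 's/^ *Version: \([0-9]\).*/\1/p'
}

# Exit 0 if server.crt in directory $1 chains to ca.crt, non-zero otherwise.
verify_chain() {
    openssl verify -CAfile "$1/ca.crt" "$1/server.crt" >/dev/null 2>&1
}

# Exit 0 if certificate $1 carries a subjectAltName DNS entry for $2.
has_san() {
    openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"
}
```

Run build_test_pki on an empty directory, then cert_version prints 3 and verify_chain succeeds; drop the -extfile line to see the version fall back to 1.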
16. Generate a certificate from a private key and a CSR
openssl req -x509 -key www.example.com.key -in www.example.com.csr > www.example.com.crt
List cipher suites:
openssl ciphers -v
To hash the contents of a file called fordesign.txt (MD5 and SHA digests shown):
openssl dgst -md5 -c fordesign.txt
openssl dgst -sha256 -c fordesign.txt
(The original used -sha, which selects the obsolete SHA-0 digest and was removed in OpenSSL 1.1.0; -sha1 or -sha256 is the option to use.)
17. Format conversion
1) Convert a binary file to base64 encoding:
openssl base64 -in file.bin -out file.b64
2) Convert a base64-encoded file back to binary:
openssl base64 -d -in file.b64 -out file.bin
3) OpenSSL can also be used to convert a certificate to binary (DER) format (see www.openssl.org). The command is:
openssl x509 -in domain_name_com-cert.pem -inform PEM -outform DER -out domain_name_com-cert.der
To convert a DSA private key from PEM to DER format:
openssl dsa -in key.pem -outform DER -out keyout.der
4) PEM/DER to DER/PEM for RSA keys
openssl rsa -inform PEM|DER -outform DER|PEM -in pem-file|der-file -out der-file|pem-file
18. SSL summary: generate the key, then the CSR from that key
openssl genrsa -des3 -out domainname.key 1024
openssl req -new -key domainname.key -out server.csr
19. Verify a server (SSL)
openssl s_client -connect servername:443
openssl s_client -connect secure.allyes.com:443
openssl s_client -connect ip:443
openssl s_client -connect secure.allyes.com:443 -verify -1 -CAfile c:\c3.cer
openssl s_client -connect 211.147.31.56:443 -verify -1 -CAfile c:\c3.cer
openssl s_server -accept 443 -www
openssl s_server -accept 9443 -cert c:\openssl\bin\ca.crt -key c:\openssl\bin\ca.key
openssl s_client -connect dns:443
$ openssl s_client -connect www.gmail.com:443 2>&1 |\
sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'
openssl s_client -host <imap server> -port <port> -verify -debug -no_tls1
openssl s_client -host <imap server> -port <port> -verify -debug -no_ssl2
openssl s_client -host <imap server> -port <port> -verify -debug -no_ssl3
openssl s_client -connect dns:443 -verify -debug -no_ssl3
20. Apache mod_ssl configuration
SSLRandomSeed startup builtin
SSLPassPhraseDialog builtin
#SSLPassPhraseDialog exec:conf/passphrase.bat
SSLSessionCache dbm:logs/ssl_scache
SSLSessionCacheTimeout 300
SSLMutex default
<VirtualHost www:443>
# General setup for the virtual host
DocumentRoot "e:/Apache_2.0.54/htdocs"
ServerName www.wallcopper.com:443
ServerAdmin you@example.com
ErrorLog logs/error_log
TransferLog logs/access_log
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateKeyFile conf/ssl.crt/www.key
SSLCertificateFile conf/ssl.crt/www.crt
</VirtualHost>
This SSLCipherSuite string (the Apache 2.0 sample default) still admits SSLv2, export-grade, LOW and NULL-encryption (eNULL) ciphers; on a current server restrict it to HIGH ciphers and disable SSLv2/SSLv3 with SSLProtocol.
21. Certificate format conversion
openssl x509 -inform DER -in smics.der -outform PEM -out smics2.pem
openssl pkcs7 -inform DER -outform PEM -in 20110201.p7b -out 20110201-new.p7b
22. Create a CRL. To create a CRL (Certificate Revocation List) file, we can use the following command:
openssl ca -config $SSLDIR/openssl.cnf -gencrl -crlexts crl_ext -md sha1 -out $SSLDIR/crl.pem
23. Apache SSL: generate a key and CSR
openssl genrsa -des3 -out server.key 1024
openssl req -new -key server.key -out server.csr
24. MD5 hash of a string
echo -n String | openssl md5
25. Convert a PEM certificate such as ca.crt to a single line
With a literal \n kept between the original lines:
awk 'NF {sub(/\r/, ""); printf "%s\\n",$0;}' cert-name.pem
Without any separator:
awk 'NF {sub(/\r/, ""); printf "%s",$0;}' ca.crt