
Convert .pem to .crt and .key

田柏
2023-12-01

This article is translated from: Convert .pem to .crt and .key

Can anyone tell me the correct way/command to extract/convert the certificate .crt and private key .key files from a .pem file? I just read they are interchangeable, but not how.


#1

Reference: https://stackoom.com/question/vcXC/将-pem转换为-crt和-key


#2

I was able to convert pem to crt using this:

openssl x509 -outform der -in your-cert.pem -out your-cert.crt

#3

Converting Using OpenSSL

These commands allow you to convert certificates and keys to different formats to make them compatible with specific types of servers or software.

  • Convert a DER file (.crt .cer .der) to PEM

    openssl x509 -inform der -in certificate.cer -out certificate.pem
  • Convert a PEM file to DER

    openssl x509 -outform der -in certificate.pem -out certificate.der
  • Convert a PKCS#12 file (.pfx .p12) containing a private key and certificates to PEM

    openssl pkcs12 -in keyStore.pfx -out keyStore.pem -nodes

    You can add -nocerts to only output the private key or add -nokeys to only output the certificates.
  • Convert a PEM certificate file and a private key to PKCS#12 (.pfx .p12)

    openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt
  • Convert PEM to CRT (.CRT file)

    openssl x509 -outform der -in certificate.pem -out certificate.crt

OpenSSL Convert PEM

  • Convert PEM to DER

    openssl x509 -outform der -in certificate.pem -out certificate.der
  • Convert PEM to P7B

    openssl crl2pkcs7 -nocrl -certfile certificate.cer -out certificate.p7b -certfile CACert.cer
  • Convert PEM to PFX

    openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt

OpenSSL Convert DER

  • Convert DER to PEM

    openssl x509 -inform der -in certificate.cer -out certificate.pem

OpenSSL Convert P7B

  • Convert P7B to PEM

    openssl pkcs7 -print_certs -in certificate.p7b -out certificate.cer
  • Convert P7B to PFX

    openssl pkcs7 -print_certs -in certificate.p7b -out certificate.cer
    openssl pkcs12 -export -in certificate.cer -inkey privateKey.key -out certificate.pfx -certfile CACert.cer

OpenSSL Convert PFX

  • Convert PFX to PEM

    openssl pkcs12 -in certificate.pfx -out certificate.cer -nodes

Generate rsa keys by OpenSSL

  • Using OpenSSL on the command line you'd first need to generate a public and private key, you should password protect this file using the -passout argument, there are many different forms that this argument can take so consult the OpenSSL documentation about that.

    openssl genrsa -out private.pem 1024
  • This creates a key file called private.pem that uses 1024 bits. This file actually has both the private and public keys, so you should extract the public one from this file:

    openssl rsa -in private.pem -out public.pem -outform PEM -pubout

    or

    openssl rsa -in private.pem -pubout > public.pem

    or

    openssl rsa -in private.pem -pubout -out public.pem

    You'll now have public.pem containing just your public key, you can freely share this with 3rd parties. You can test it all by just encrypting something yourself using your public key and then decrypting using your private key, first we need a bit of data to encrypt:

  • Example file:

    echo 'too many secrets' > file.txt
  • You now have some data in file.txt, let's encrypt it using OpenSSL and the public key:

    openssl rsautl -encrypt -inkey public.pem -pubin -in file.txt -out file.ssl
  • This creates an encrypted version of file.txt calling it file.ssl, if you look at this file it's just binary junk, nothing very useful to anyone. Now you can unencrypt it using the private key:

    openssl rsautl -decrypt -inkey private.pem -in file.ssl -out decrypted.txt
  • You will now have an unencrypted file in decrypted.txt:

    cat decrypted.txt
    # output -> too many secrets

RSA TOOLS Options in OpenSSL

  • NAME

    rsa - RSA key processing tool

  • SYNOPSIS

    openssl rsa [-help] [-inform PEM|NET|DER] [-outform PEM|NET|DER] [-in filename] [-passin arg] [-out filename] [-passout arg] [-aes128] [-aes192] [-aes256] [-camellia128] [-camellia192] [-camellia256] [-des] [-des3] [-idea] [-text] [-noout] [-modulus] [-check] [-pubin] [-pubout] [-RSAPublicKey_in] [-RSAPublicKey_out] [-engine id]

  • DESCRIPTION

    The rsa command processes RSA keys. They can be converted between various forms and their components printed out. Note this command uses the traditional SSLeay compatible format for private key encryption: newer applications should use the more secure PKCS#8 format using the pkcs8 utility.

  • COMMAND OPTIONS

    -help

    Print out a usage message.

    -inform DER|NET|PEM

    This specifies the input format. The DER option uses an ASN1 DER encoded form compatible with the PKCS#1 RSAPrivateKey or SubjectPublicKeyInfo format. The PEM form is the default format: it consists of the DER format base64 encoded with additional header and footer lines. On input PKCS#8 format private keys are also accepted. The NET form is a format described in the NOTES section.

    -outform DER|NET|PEM

    This specifies the output format, the options have the same meaning as the -inform option.

    -in filename

    This specifies the input filename to read a key from or standard input if this option is not specified. If the key is encrypted a pass phrase will be prompted for.

    -passin arg

    the input file password source. For more information about the format of arg see the PASS PHRASE ARGUMENTS section in openssl.

    -out filename

    This specifies the output filename to write a key to or standard output if this option is not specified. If any encryption options are set then a pass phrase will be prompted for. The output filename should not be the same as the input filename.

    -passout password

    the output file password source. For more information about the format of arg see the PASS PHRASE ARGUMENTS section in openssl.

    -aes128|-aes192|-aes256|-camellia128|-camellia192|-camellia256|-des|-des3|-idea

    These options encrypt the private key with the specified cipher before outputting it. A pass phrase is prompted for. If none of these options is specified the key is written in plain text. This means that using the rsa utility to read in an encrypted key with no encryption option can be used to remove the pass phrase from a key, or by setting the encryption options it can be used to add or change the pass phrase. These options can only be used with PEM format output files.

    -text

    prints out the various public or private key components in plain text in addition to the encoded version.

    -noout

    this option prevents output of the encoded version of the key.

    -modulus

    this option prints out the value of the modulus of the key.

    -check

    this option checks the consistency of an RSA private key.

    -pubin

    by default a private key is read from the input file: with this option a public key is read instead.

    -pubout

    by default a private key is output: with this option a public key will be output instead. This option is automatically set if the input is a public key.

    -RSAPublicKey_in, -RSAPublicKey_out

    like -pubin and -pubout except RSAPublicKey format is used instead.

    -engine id

    specifying an engine (by its unique id string) will cause rsa to attempt to obtain a functional reference to the specified engine, thus initialising it if needed. The engine will then be set as the default for all available algorithms.

  • NOTES

    The PEM private key format uses the header and footer lines:

    -----BEGIN RSA PRIVATE KEY-----
    -----END RSA PRIVATE KEY-----

    The PEM public key format uses the header and footer lines:

    -----BEGIN PUBLIC KEY-----
    -----END PUBLIC KEY-----

    The PEM RSAPublicKey format uses the header and footer lines:

    -----BEGIN RSA PUBLIC KEY-----
    -----END RSA PUBLIC KEY-----

    The NET form is a format compatible with older Netscape servers and Microsoft IIS .key files, this uses unsalted RC4 for its encryption. It is not very secure and so should only be used when necessary.

    Some newer versions of IIS have additional data in the exported .key files. To use these with the utility, view the file with a binary editor and look for the string "private-key", then trace back to the byte sequence 0x30, 0x82 (this is an ASN1 SEQUENCE). Copy all the data from this point onwards to another file and use that as the input to the rsa utility with the -inform NET option.

    EXAMPLES

    To remove the pass phrase on an RSA private key:

     openssl rsa -in key.pem -out keyout.pem

    To encrypt a private key using triple DES:

     openssl rsa -in key.pem -des3 -out keyout.pem

    To convert a private key from PEM to DER format:

     openssl rsa -in key.pem -outform DER -out keyout.der

    To print out the components of a private key to standard output:

     openssl rsa -in key.pem -text -noout

    To just output the public part of a private key:

     openssl rsa -in key.pem -pubout -out pubkey.pem

    Output the public part of a private key in RSAPublicKey format:

     openssl rsa -in key.pem -RSAPublicKey_out -out pubkey.pem
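
The commands above give DER output the extensions .der and .crt alike, while the NOTES list the PEM header lines, so a file's name does not settle its encoding. The following is an added example, not part of the original answers: a POSIX shell helper that classifies a file by content and suggests the matching -inform value. The function names and sample files are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: classify a key/certificate file by its content, not its name.
# classify_encoding FILE prints: pem:<LABEL>, der, or unknown.
classify_encoding() {
    f=$1
    [ -r "$f" ] || { echo unknown; return 1; }
    # PEM: take the label of the first "-----BEGIN <LABEL>-----" line. Text
    # before it (e.g. "Bag Attributes" written by pkcs12) and CRLF are tolerated.
    label=$(LC_ALL=C sed -n 's/^-----BEGIN \(.*\)-----[[:space:]]*$/\1/p' "$f" | head -n 1)
    if [ -n "$label" ]; then
        echo "pem:$label"
        return 0
    fi
    # DER: raw ASN.1, so the file starts with a SEQUENCE tag (0x30). Objects
    # of 256..65535 bytes, i.e. typical certificates, continue with 0x82.
    first=$(od -An -tx1 -N1 "$f" | tr -d ' \n')
    if [ "$first" = "30" ]; then
        echo der
        return 0
    fi
    echo unknown
    return 1
}

# Suggest the matching -inform value for "openssl x509" / "openssl rsa".
inform_flag() {
    case $(classify_encoding "$1") in
        pem:*) echo "-inform PEM" ;;
        der)   echo "-inform DER" ;;
        *)     return 1 ;;
    esac
}

# Constructed sample files (placeholder bytes, not real certificates).
demo_dir=$(mktemp -d)
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQ=' \
    '-----END CERTIFICATE-----' > "$demo_dir/site.crt"
printf '\060\202\001\012' > "$demo_dir/other.crt"    # 0x30 0x82 0x01 0x0a
for f in "$demo_dir"/*.crt; do
    echo "${f##*/}: $(classify_encoding "$f")"
done
rm -rf "$demo_dir"
```
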

#4

To extract the key and cert from a pem file:

Extract key

openssl pkey -in foo.pem -out foo.key

Another method of extracting the key...

openssl rsa -in foo.pem -out foo.key

Extract all the certs, including the CA Chain

openssl crl2pkcs7 -nocrl -certfile foo.pem | openssl pkcs7 -print_certs -out foo.cert

Extract the textually first cert as DER

openssl x509 -in foo.pem -outform DER -out first-cert.der

#5

A .crt stores the certificate in pem format. So a .pem, while it can also have other things like a csr (Certificate signing request), a private key, a public key, or other certs, when it is storing just a cert, is the same thing as a .crt.

A pem is a base 64 encoded file with a header and a footer between each section.

To extract a particular section, a perl script such as the following is totally valid, but feel free to use some of the openssl commands.

 perl -ne "\$n++ if /BEGIN/; print if \$n == 1 && /BEGIN/.../END/;" mydomain.pem

where ==1 can be changed to whichever section you need. Obviously if you know exactly the header and footer you require and there is only one of those in the file (usually the case if you keep just the cert and the key in there), you can simplify it:

 perl -ne "print if /^-----BEGIN CERTIFICATE-----\$/.../END/;" mydomain.pem
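
Routing sections by their header label instead of by position, as an added example that is not part of the original answers: the shell function below writes every certificate to one file and the single private key to another that is created readable by its owner only, and refuses input with an unterminated block or a key count other than one. The function names, file names and the placeholder PEM bodies are assumptions; key_matches_cert needs the openssl CLI and real key material.

```shell
#!/bin/sh
# Added example: split a combined PEM into certificate(s) and private key.
# split_pem SRC OUT_CRT OUT_KEY
#   - every CERTIFICATE block goes to OUT_CRT in file order (leaf, then chain)
#   - the single "... PRIVATE KEY" block goes to OUT_KEY, created with mode 0600
#   - fails (and removes both outputs) on an unterminated block or if the
#     number of private keys is not exactly one
split_pem() {
    src=$1 crt=$2 key=$3
    rm -f "$crt" "$key"
    ( umask 077; : > "$key" ) && : > "$crt" || return 1
    LC_ALL=C awk -v crt="$crt" -v key="$key" '
        { sub(/\r$/, "") }                          # tolerate CRLF input
        /^-----BEGIN .*-----$/ {
            if (dest != "") { bad = 1; exit }       # BEGIN inside an open block
            if ($0 ~ /PRIVATE KEY-----$/) { dest = key; nkeys++ }
            else if ($0 == "-----BEGIN CERTIFICATE-----") { dest = crt }
            else { dest = "/dev/null" }             # CSR, public key, ...
        }
        dest != "" { print >> dest }
        /^-----END .*-----$/ { dest = "" }
        END { if (bad || dest != "" || nkeys != 1) exit 1 }
    ' "$src" || { rm -f "$crt" "$key"; return 1; }
}

# Needs the openssl CLI: the key belongs to the (first) certificate when both
# yield the same public key.
key_matches_cert() {
    a=$(openssl x509 -in "$1" -noout -pubkey) || return 2
    b=$(openssl pkey -in "$2" -pubout) || return 2
    [ "$a" = "$b" ]
}

# Constructed input: placeholder base64 bodies, not real key material.
demo=$(mktemp -d)
printf '%s\n' 'Bag Attributes' \
  '-----BEGIN PRIVATE KEY-----' 'Q09OU1RSVUNURUQta2V5' '-----END PRIVATE KEY-----' \
  '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQ=' '-----END CERTIFICATE-----' \
  '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQ=' '-----END CERTIFICATE-----' \
  > "$demo/foo.pem"
split_pem "$demo/foo.pem" "$demo/foo.crt" "$demo/foo.key" &&
  echo "certificates: $(grep -c '^-----BEGIN' "$demo/foo.crt")"
rm -rf "$demo"
```

On real material, `key_matches_cert foo.crt foo.key` returns 0 when the extracted key and the first certificate belong together.
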

#6

If you asked this question because you're using mkcert then the trick is that the .pem file is the cert and the -key.pem file is the key.

(You don't need to convert, just run mkcert yourdomain.dev otherdomain.dev)
