产生密钥对
RSA
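# Generate an RSA private key.
# 2048 bits is used because a 1024-bit RSA modulus is no longer considered
# adequate for new keys. The key is written without password protection, so
# keep the file readable by its owner only.
openssl genrsa -out rsa_private_key.pem 2048
# Derive the public key from the private key.
openssl rsa -in rsa_private_key.pem -pubout -out rsa_public_key.pem
# Convert the private key from PKCS#1 to PKCS#8.
# -nocrypt writes the PKCS#8 key unencrypted; drop it to be prompted for a
# passphrase instead.
# NOTE(review): OpenSSL 3.x genrsa already writes PKCS#8 ("BEGIN PRIVATE KEY")
# by default, so this step only re-encodes there; confirm on the installed version.
openssl pkcs8 -topk8 -in rsa_private_key.pem -out pkcs8_rsa_private_key.pem -nocrypt
# Convert the private key from PKCS#8 back to PKCS#1.
# NOTE(review): on OpenSSL 3.x `openssl rsa` keeps PKCS#8 on output unless
# -traditional is added; check the PEM header ("BEGIN RSA PRIVATE KEY") of the result.
openssl rsa -in pkcs8_rsa_private_key.pem -out pkcs1_rsa_private_key.pem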
SM2
# Generate the SM2 curve parameters and a private key into one PEM file.
# -param_enc explicit writes the full curve parameters instead of the curve name.
# NOTE(review): many validators accept named curves only and reject explicit
# parameters; confirm the consumer of this key really needs explicit encoding.
openssl ecparam -name SM2 -out ec_param.pem -param_enc explicit -genkey
# Print the EC parameters stored in the file in text form.
openssl ecparam -in ec_param.pem -text
# Validate the EC parameters.
openssl ecparam -in ec_param.pem -check
# Re-encode the private key as PKCS#8 PEM.
# -nocrypt leaves the key unencrypted on disk; restrict access to the output file.
openssl pkcs8 -topk8 -inform PEM -in ec_param.pem -outform PEM -nocrypt -out sm2_private_key_pkcs8.pem
# Derive the public key from the private key.
openssl ec -in ec_param.pem -pubout -out sm2_public_key.pem
ECC
prime256v1曲线
# Generate an ECC private key on prime256v1; the output file also carries the
# curve parameters block.
# -param_enc explicit encodes the parameters in full rather than by curve name.
# NOTE(review): explicit parameters are rejected by many validators; use them
# only when the consumer requires it.
openssl ecparam -genkey -name prime256v1 -param_enc explicit -outform pem -out ec_prime256v1_prikey.pem
# Generate an ECC private key without the separate parameters block (RFC 5915
# private key only); -noout suppresses the parameters output.
# This writes to the same file name as the command above and replaces it.
# NOTE(review): -param_enc explicit is still given, so the key structure itself
# presumably embeds explicit parameters; verify with the text dump below.
openssl ecparam -genkey -name prime256v1 -param_enc explicit -outform pem -noout -out ec_prime256v1_prikey.pem
# Print the private key in text form (this shows the secret value on the terminal).
openssl pkey -in ec_prime256v1_prikey.pem -text
# Derive the ECC public key from the private key.
openssl ec -in ec_prime256v1_prikey.pem -pubout -out ec_pubkey.pem
secp256k1曲线
# Generate a secp256k1 private key; -noout suppresses the separate parameters
# block, and -param_enc explicit requests explicit (not named-curve) encoding.
# The key file is written unencrypted.
openssl ecparam -genkey -name secp256k1 -param_enc explicit -outform pem -noout -out ec_secp256k1_prikey.pem
# Derive the public key from the private key.
openssl ec -in ec_secp256k1_prikey.pem -pubout -out ec_secp256k1_pubkey.pem
# Create a self-signed certificate for the key, valid for 3650 days.
# NOTE(review): a ten-year lifetime is long for anything beyond a test certificate.
openssl req -x509 -new -days 3650 -key ec_secp256k1_prikey.pem -out ec_secp256k1.cer
查看ASN1编码文件
# Dump the ASN.1 structure of a PEM file, indented by nesting depth (-i).
# NOTE(review): pkcs1.pem is not produced by any command on this page; it
# presumably stands for a key file such as the PKCS#1 output above.
# When the input is a private key, the dump prints the key material to the terminal.
openssl asn1parse -i -in pkcs1.pem
证书相关
# Create a certificate signing request (CSR) from the RSA private key.
openssl req -new -key rsa_private_key.pem -out rsaCerReq.csr
# Issue a certificate from the CSR, self-signed with the same key (-signkey),
# valid for 3650 days.
openssl x509 -req -days 3650 -in rsaCerReq.csr -signkey rsa_private_key.pem -out rsaCert.crt
# Generate a new RSA key and a self-signed certificate in one step.
# -nodes writes keyfile.key without passphrase protection.
# NOTE(review): rsa:1024 is below the 2048-bit minimum recommended for new RSA
# keys. The signature-extraction step further down this page hard-codes a
# 128-byte signature, so its offset and count must be updated together with
# any change of key size here.
openssl req -x509 -nodes -newkey rsa:1024 -keyout keyfile.key -out certificate.cer
# Sign data.txt, omitting the signer certificate from the output (-nocerts).
# -noattr omits signed attributes; -binary disables text canonicalisation;
# the result is written as DER.
# NOTE(review): -md sha1 selects SHA-1, which is no longer collision-resistant;
# prefer -md sha256 for signatures that must be trusted.
openssl smime -sign -md sha1 -binary -nocerts -noattr -in data.txt -out data.txt.signed -outform der -inkey keyfile.key -signer certificate.cer
# Sign data.txt and include the signer certificate in the output.
# This writes to the same data.txt.signed file as the command above.
openssl smime -sign -md sha1 -binary -noattr -in data.txt -out data.txt.signed -outform der -inkey keyfile.key -signer certificate.cer
# Create a self-signed ECC certificate from the prime256v1 key, valid for 3650 days.
openssl req -x509 -new -days 3650 -key ec_prime256v1_prikey.pem -out ec.cer
签名验签
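# Produce a DER-encoded PKCS#7 signature structure over data.txt.
# -noattr omits signed attributes, so the RSA signature covers the hash of the
# data directly, which is what the comparison at the end relies on.
# NOTE(review): -sign and -pk7out are both listed as operations of
# `openssl smime`; confirm which one the installed build applies when both are given.
# NOTE(review): SHA-1 is no longer collision-resistant; this flow is suitable
# for studying the format, not for signatures that must be trusted.
openssl smime -sign -md sha1 -binary -noattr -pk7out -in data.txt -out data.txt.signed -outform der -inkey keyfile.key -signer certificate.cer
# Extract the raw signature value from the PKCS#7 structure.
# The offset (212+3) and the 128-byte length are specific to this certificate
# and to a 1024-bit RSA key; recompute both from the asn1parse output below if
# the key size, digest or certificate changes.
# $(( )) replaces the obsolete $[ ] arithmetic form.
dd if=data.txt.signed of=signed-sha1.bin bs=1 skip="$((212 + 3))" count=128
# Inspect the signature bytes (the last 128 bytes of the signed file).
hexdump -C signed-sha1.bin
# Parse the signed structure; the last OCTET STRING is the signature value.
openssl asn1parse -inform der -in data.txt.signed
# Extract the public key from the certificate.
openssl x509 -inform pem -in certificate.cer -noout -pubkey > pubkey.pem
# Recover the signed content with the public key; verifyed.bin then holds the
# DER structure that carries the hash of the data.
# NOTE(review): `openssl rsautl` is deprecated since OpenSSL 3.0 in favour of
# `openssl pkeyutl`.
openssl rsautl -verify -pubin -inkey pubkey.pem < signed-sha1.bin > verifyed.bin
# Show the recovered structure, including the embedded hash.
openssl asn1parse -inform der -in verifyed.bin
# Compute the hash of the original data.
sha1sum data.txt
# The hash printed by sha1sum must equal the one shown in the recovered
# structure; any difference means the signature does not match the data.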
CA签发证书
# 1. Initialise the CA working directory: issued-certificate store, empty
#    index database, and the serial number file (starting at 02).
#    Presumably this matches the ./demoCA layout of the default openssl.cnf
#    used by `openssl ca` in step 6; confirm against the local configuration.
mkdir -p ./demoCA/newcerts
touch ./demoCA/index.txt
echo '02' > ./demoCA/serial
# 2. Generate the CA private key on the SM2 curve with explicit parameters.
#    The key is written unencrypted; a CA key should be access-restricted and
#    ideally passphrase- or hardware-protected.
openssl ecparam -name SM2 -out ca.pem -param_enc explicit -genkey
# 3. Derive the CA public key from the private key.
openssl ec -in ca.pem -pubout -out ca_pub.pem
# 4. Create the CA certificate signing request.
openssl req -new -key ca.pem -out ca.csr
# 5. Self-sign the CA certificate, valid for 3650 days.
#    NOTE(review): no extension file is passed, so the certificate presumably
#    lacks basicConstraints CA:TRUE; confirm with `openssl x509 -text` before
#    relying on it as a CA.
openssl x509 -req -in ca.csr -signkey ca.pem -days 3650 -out ca.cer
# 6. Issue the server certificate with the CA key and certificate.
#    server_rsa.csr is not created by any command on this page and must already exist.
openssl ca -in server_rsa.csr -cert ca.cer -keyfile ca.pem -out server_rsa.cer