准备openssl dhparamgenrsagenrsa生成私钥输出到文件加个密码帮助还有无参数时rsa 查看私钥、导出公钥去除密码加密码更改密码输入原密码，参数指定新密码仅输入新密码同时输入原密码、新密码校验文件是否被修改speed加密性能测试rank生成伪随机数作密码生成器passwdpkcs12 p12 pfx查看一个通过在线pfx生成网站上制作的文件openssl pkcs12制作转换pfxpfx转pem-->crt key只导出ca证书或client certificate证书pkcs12帮助细节PEMjks（多用于tomcat）类似于pfx生成jks导出jks为pem补全证书链文件格式与类型配置实例yum连接双向认证yum源nginxtomcatiis证书管理iis6 （2003）iis7.5（server2008R2）x509生成证书部分信息输出ca签暑选项流程证书查看命令查看常识应用ssh密钥生成yum curl 使用网站使用其它工具导出公钥网站https安全等级检测（推荐）在线生成网站证书相关refers

准备

windows版本的往往需要额外支持下载：

https://wiki.openssl.org/index.php/Binaries

https://slproweb.com/products/Win32OpenSSL.html

安装后将安装路径中的bin目录，添加到环境变量：path

openssl

dhparam

openssl dhparam用于生成和管理dh文件。dh(Diffie-Hellman)是著名的密钥交换协议，或称为密钥协商协议，它可以保证通信双方安全地交换密钥。但注意，它不是加密算法，所以不提供加密功能，仅仅只是保护密钥交换的过程。在openvpn中就使用了该交换协议。关于dh算法的整个过程，见下文。

openssl dhparam命令集合了老版本的openssl dh和openssl gendh，后两者可能已经失效了，即使存在也仅表示未来另有用途。

生成与生成后的信息查看


xxxxxxxxxx
7
1
[root@centos ~]# openssl dhparam -out /some/dir/dhpara.pem 4096
2
Generating DH parameters, 4096 bit long safe prime, generator 2
3
This is going to take a long time
4
......................................................................................................................................................................................................+............................................................................................................................................+.............................+.......................................+.....................................................................................................................+...+.................................................................+.............................+............................视电脑性能确定生成时间，可作为cpu占用命令使用。4核需要重启动1-4分钟左右。
5

6

7

纯文本查看

cat dh.pem


xxxxxxxxxx
13
1
-----BEGIN DH PARAMETERS-----
2
MIICCAKCAgEA0cbLOZtUVZy3sjcItQfhEaFctopJ2qE5Wu8/Zl/tK0gh9vWL1Gs4
3
HlkFEm5K61ziSwvQH+Se1OI4nGGDuycqrF1EWtZy9aSFHCKspWYZ+EhWrLnNMoxS
4
nthhieEfDwINWXxT4YLry5+ryafokr3o9EDRXZhUhCyn1mMQAzVAqh9qXFuCtUaw
5
DmSrvC381jstQv2PaTURExA8LTYG5ib8UQ8sQqs6iwJCpq0WXMtlgYutEGED7ECN
6
H2J111WyweTfUMGUUEshMWs6zKUaVzCuYkPd/ZUdsVxvAvTO5ipmf2YT+tVLEbZA
7
zJPofLlIE5rJ4nWwXDDkdFJEMZBzLh50DbrIMGpKS0fcLqzgGAJDbyZq4ICmPfHJ
8
dzinNEnqDDRF7QSSKMozjqzcKUr3VqF0hxOhfBVUPdI4JjEyRSdqdGbPjtZffANx
9
lUSBeyeLm8oS8GN9wxOrOlmJs1UnhGxJwbx9bmCuDlGRvJyCxW50YJAamJy+mciH
10
MfilzE9YSEoyu1uSBDR+iuhKKGldoASwVZ1NoPP55GxTJw0YamFxiU771WgSXXEJ
11
Ym6Q5NSb8E7i4J7o6GtqVaVK7jqQhvzfOl8W0ALEietHfqDYnergkWx2L5cWmycp
12
5DwLd9Fk7RWBSHqmtdqwWX0ssbYxcggEytvPioliPRWmESJZNR3fWlsCAQI=
13
-----END DH PARAMETERS-----

直接替换文件内容，同时添加个性注释段在结尾


xxxxxxxxxx
24
1
rm -fr /opt/ecloud_server/ecloud-nginx/dhparam.pem
2
cat  << EOF > /opt/ecloud_server/ecloud-nginx/dhparam.pem
3
-----BEGIN DH PARAMETERS-----
4
MIICCAKCAgEA0cbLOZtUVZy3sjcItQfhEaFctopJ2qE5Wu8/Zl/tK0gh9vWL1Gs4
5
HlkFEm5K61ziSwvQH+Se1OI4nGGDuycqrF1EWtZy9aSFHCKspWYZ+EhWrLnNMoxS
6
nthhieEfDwINWXxT4YLry5+ryafokr3o9EDRXZhUhCyn1mMQAzVAqh9qXFuCtUaw
7
DmSrvC381jstQv2PaTURExA8LTYG5ib8UQ8sQqs6iwJCpq0WXMtlgYutEGED7ECN
8
H2J111WyweTfUMGUUEshMWs6zKUaVzCuYkPd/ZUdsVxvAvTO5ipmf2YT+tVLEbZA
9
zJPofLlIE5rJ4nWwXDDkdFJEMZBzLh50DbrIMGpKS0fcLqzgGAJDbyZq4ICmPfHJ
10
dzinNEnqDDRF7QSSKMozjqzcKUr3VqF0hxOhfBVUPdI4JjEyRSdqdGbPjtZffANx
11
lUSBeyeLm8oS8GN9wxOrOlmJs1UnhGxJwbx9bmCuDlGRvJyCxW50YJAamJy+mciH
12
MfilzE9YSEoyu1uSBDR+iuhKKGldoASwVZ1NoPP55GxTJw0YamFxiU771WgSXXEJ
13
Ym6Q5NSb8E7i4J7o6GtqVaVK7jqQhvzfOl8W0ALEietHfqDYnergkWx2L5cWmycp
14
5DwLd9Fk7RWBSHqmtdqwWX0ssbYxcggEytvPioliPRWmESJZNR3fWlsCAQI=
15
-----END DH PARAMETERS-----
16

17
-----BEGIN DH REMAKKS-----
18
# generate pem
19
openssl dhparam -out /opt/path/to/nginx/dhparam.pem 4096
20
# resolve pem
21
openssl dhparam -in  /opt/path/to/nginx/dhparam.pem -text
22
-----END DH REMAKKS-----
23

24
EOF

解析查看

解析时原pem内容会在最后输出。


xxxxxxxxxx
28
1
[root@centos ~]# openssl dhparam -in /opt/ecloud_server/ecloud-nginx/dhparam.pem -text
2
    DH Parameters: (4096 bit)
3
        prime:
4
            00:d1:c6:cb:39:9b:54:55:9c:b7:b2:37:08:b5:07:
5
            e1:11:a1:5c:b6:8a:49:da:a1:39:5a:ef:3f:66:5f:
6
            ed:2b:48:21:f6:f5:8b:d4:6b:38:1e:59:05:12:6e:
7
            ...
8
            ... 省略30行
9
            ...
10
            04:ca:db:cf:8a:89:62:3d:15:a6:11:22:59:35:1d:
11
            df:5a:5b
12
        generator: 2 (0x2)
13
-----BEGIN DH PARAMETERS-----
14
MIICCAKCAgEA0cbLOZtUVZy3sjcItQfhEaFctopJ2qE5Wu8/Zl/tK0gh9vWL1Gs4
15
HlkFEm5K61ziSwvQH+Se1OI4nGGDuycqrF1EWtZy9aSFHCKspWYZ+EhWrLnNMoxS
16
nthhieEfDwINWXxT4YLry5+ryafokr3o9EDRXZhUhCyn1mMQAzVAqh9qXFuCtUaw
17
DmSrvC381jstQv2PaTURExA8LTYG5ib8UQ8sQqs6iwJCpq0WXMtlgYutEGED7ECN
18
H2J111WyweTfUMGUUEshMWs6zKUaVzCuYkPd/ZUdsVxvAvTO5ipmf2YT+tVLEbZA
19
zJPofLlIE5rJ4nWwXDDkdFJEMZBzLh50DbrIMGpKS0fcLqzgGAJDbyZq4ICmPfHJ
20
dzinNEnqDDRF7QSSKMozjqzcKUr3VqF0hxOhfBVUPdI4JjEyRSdqdGbPjtZffANx
21
lUSBeyeLm8oS8GN9wxOrOlmJs1UnhGxJwbx9bmCuDlGRvJyCxW50YJAamJy+mciH
22
MfilzE9YSEoyu1uSBDR+iuhKKGldoASwVZ1NoPP55GxTJw0YamFxiU771WgSXXEJ
23
Ym6Q5NSb8E7i4J7o6GtqVaVK7jqQhvzfOl8W0ALEietHfqDYnergkWx2L5cWmycp
24
5DwLd9Fk7RWBSHqmtdqwWX0ssbYxcggEytvPioliPRWmESJZNR3fWlsCAQI=
25
-----END DH PARAMETERS-----
26

27

28

genrsa

genrsa生成私钥

哪里可以用：？ssh、crt

以下直接输出不同位数的rsa到控制台，不生成文件，可另存为


xxxxxxxxxx
3
1
-----BEGIN RSA PRIVATE KEY-----
2
只需要这2段之间的内容
3
-----END RSA PRIVATE KEY-----


xxxxxxxxxx
53
1

2
[root@centos openssl_test]# openssl genrsa 512
3
Generating RSA private key, 512 bit long modulus
4
.....................++++++++++++
5
.....++++++++++++
6
e is 65537 (0x10001)
7
-----BEGIN RSA PRIVATE KEY-----
8
MIIBOgIBAAJBALjm2uAPy097+KEMz90tgSIuEzxL7s0FBI9r2jtZhWlH1bPxUfCX
9
Km1cbI42DZeJZp+ZSKO0Q69qwhd77Tms33cCAwEAAQJAc2r/Y2/YfFQpXfaOZkT6
10
X6idLz1C4k1ojFJJllSKN62jy370f49Rp3WydxSAlz9HlRiijGzrUavKt30ycJlr
11
cQIhAO6j3Il1DuiOuQ78Vd2S4rM+YNZgJfB+yNUcGiowoRNfAiEAxlo80g3CXAwi
12
5/GJ7qadu/6QpvKm/Q9vKpT3p7pEgukCICA1E1Wl684tPQKtwbT21wvT9mPYdCZi
13
Jh7E/S8GgybHAiBSOEmJ0MZGHYnCl27TjCFKMiWH7oGl2GX+Qq29ywpnMQIhAKWx
14
HEbGNhbCp4MrVmyNH/0g9y4wVDgrn2TVfBPi0O7/
15
-----END RSA PRIVATE KEY-----
16
[root@centos openssl_test]# openssl genrsa 2048
17
Generating RSA private key, 2048 bit long modulus
18
.................................................................................................................................................+++
19
.........+++
20
e is 65537 (0x10001)
21
-----BEGIN RSA PRIVATE KEY-----
22
MIIEpAIBAAKCAQEA3yaF+bjHyJbHzV1bm734WJYMgmYyCOUGJ5l8zewbHoiqTIhY
23
ANERDmQbyteNYYc4LqbkaCuG1U/jkHSLw54Ke1hFJbt2XlAivfB8O0y7kGtFbNMq
24
FLjvU9/Xepxi6E1Q/FC/bQF3XEAGubI8SJIt35pd7oNWFLGnx+isMxM9D25L3/e1
25
 ...
26
 省略备注：2048位 RSA BEGIN -- END 区间总共约24行
27
 ...
28
8t6KKVsCgYBgWbn5suIqOFCFh/WmBSkzHDRfehLbAigBAc9Gy554JV9SdBIeFGnr
29
BYxyrMxUdMfhyrJci5MbFX+qunj3pVAc0v/bixUJqAGddeSqmVCRNK/y3nX6gjdi
30
hTdlBQFy6djzInr41LKp+B1bV6pWiLCpfwQMZdqWhDOZuVfnwlL+Jw==
31
-----END RSA PRIVATE KEY-----
32
[root@centos openssl_test]# openssl genrsa 4096
33
Generating RSA private key, 4096 bit long modulus
34
.....................................++
35
.............................................................................................................................++
36
e is 65537 (0x10001)
37
-----BEGIN RSA PRIVATE KEY-----
38
MIIJKAIBAAKCAgEA6D4Y2cYFt5IocTu5v6FTRHJdn+CsmwEdHgJ2uv0Rr8wfa/OC
39
gJeC+CGltdfcL5je6ceu7bx+t9B0BQf6P4KB7qIxUBAEwg8N7dR33TwATExml9bM
40
vQh1PerC7gCrnAKCv5kYoRFVacI85MezpJqYGBBONxhnjur+CG6NxdM6ZgIhYcYd
41
jXVyHYJSO4npkxiVhgJn8zucBBw5i2loNgLuSTsrSiCuwLiFyhuXPKmJIfeLXhQy
42
SpxKtyVDD/5U0lwVmYdlIn0EGRE+AJrl5Yn87OikvXjc5mSBCXBL6ZwRyfEfdBNQ
43
5c9wEh7TOrrZd/fY45Hk2M6ddq4wFrcqNoceXcAj8UtoAmpboUlAyD6Q21YWVIr+
44
 ...
45
省略备注：4096位 RSA BEGIN -- END 区间总共约48行
46
 ...
47
3QT5HMmnUMfcltujezpSf5G9lWMCzwSYuOahl4cxElUUM75jF458SMIkY4RZZZ9V
48
CuC0y5e04F7mwESzwRgHfONovQdRbUudyh1NZ2smQGA9apCxOdfM4jVYgUsK+639
49
vCrymAqb2zsk63MXQ2IflgIIp7bHOXn5W69+pZDg5J9M0uprzRx0kqVA3qDvqRgg
50
5XzO3I5H483+X6ov8JaGOjPVwbfaMmWxc2UpM1WHGZMXyca4Jy09qOZemJs=
51
-----END RSA PRIVATE KEY-----
52
[root@centos openssl_test]#
53

输出到文件


xxxxxxxxxx
28
1
[root@centos openssl_test]# openssl genrsa -out genrsa_4096.rsa 4096
2
Generating RSA private key, 4096 bit long modulus
3
................................++
4
........................................................++
5
e is 65537 (0x10001)
6
[root@centos openssl_test]# ls -alh
7
total 8.0K
8
drwxr-xr-x   2 root root   29 Jul 27 16:19 .
9
dr-xr-x---. 13 root root 4.0K Jul 27 16:12 ..
10
-rw-r--r--   1 root root 3.2K Jul 27 16:19 genrsa_4096.rsa
11
[root@centos openssl_test]# openssl genrsa -out genrsa_2048.rsa 2048
12
Generating RSA private key, 2048 bit long modulus
13
........................................................................................................................+++
14
.....+++
15
e is 65537 (0x10001)
16
[root@centos openssl_test]# openssl genrsa -out genrsa_1024.rsa 1024
17
Generating RSA private key, 1024 bit long modulus
18
..................................................................................................++++++
19
.++++++
20
e is 65537 (0x10001)
21
[root@centos openssl_test]# ls -alh
22
total 16K
23
drwxr-xr-x   2 root root   75 Jul 27 16:19 .
24
dr-xr-x---. 13 root root 4.0K Jul 27 16:12 ..
25
-rw-r--r--   1 root root  887 Jul 27 16:19 genrsa_1024.rsa
26
-rw-r--r--   1 root root 1.7K Jul 27 16:19 genrsa_2048.rsa
27
-rw-r--r--   1 root root 3.2K Jul 27 16:19 genrsa_4096.rsa
28
# 可以看到文件大小是成相应的位数关系的，大概是1k、2k、4k，可以通过这个大小判断rsa位数。

加个密码


xxxxxxxxxx
29
1
[root@centos openssl_test]# openssl genrsa -out genrsa_1024_encrypt.rsa -des3 -passout pass:123456 1024
2
Generating RSA private key, 1024 bit long modulus
3
...............++++++
4
.++++++
5
e is 65537 (0x10001)
6
[root@centos openssl_test]# openssl genrsa -out genrsa_2048_encrypt.rsa -des3 -passout pass:123456 2048
7
Generating RSA private key, 2048 bit long modulus
8
...............+++
9
.....................................+++
10
e is 65537 (0x10001)
11
[root@centos openssl_test]# openssl genrsa -out genrsa_4096_encr pt.rsa -des3 -passout pass:123456 4096
12
Generating RSA private key, 4096 bit long modulus
13
...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................++
14
................................++
15
e is 65537 (0x10001)
16
[root@centos openssl_test]# ls -alh
17
total 28K
18
drwxr-xr-x   2 root root  168 Jul 27 16:27 .
19
dr-xr-x---. 13 root root 4.0K Jul 27 16:12 ..
20
-rw-r--r--   1 root root  963 Jul 27 16:27 genrsa_1024_encrypt.rsa
21
-rw-r--r--   1 root root  887 Jul 27 16:23 genrsa_1024.rsa
22
-rw-r--r--   1 root root 1.8K Jul 27 16:27 genrsa_2048_encrypt.rsa
23
-rw-r--r--   1 root root 1.7K Jul 27 16:19 genrsa_2048.rsa
24
-rw-r--r--   1 root root 3.3K Jul 27 16:26 genrsa_4096_encrypt.rsa
25
-rw-r--r--   1 root root 3.2K Jul 27 16:19 genrsa_4096.rsa
26

27
# 可以看出，加密后的私钥文件变大了一点
28
[root@centos openssl_test]#
29

帮助


xxxxxxxxxx
20
1
[root@centos openssl_test]# openssl genrsa help
2
usage: genrsa [args] [numbits]
3
 -des            encrypt the generated key with DES in cbc mode
4
 -des3           encrypt the generated key with DES in ede cbc mode (168 bit key)
5
 -idea           encrypt the generated key with IDEA in cbc mode
6
 -seed
7
                 encrypt PEM output with cbc seed
8
 -aes128, -aes192, -aes256
9
                 encrypt PEM output with cbc aes
10
 -camellia128, -camellia192, -camellia256
11
                 encrypt PEM output with cbc camellia
12
 -out file       output the key to 'file
13
 -passout arg    output file pass phrase source
14
 -f4             use F4 (0x10001) for the E value
15
 -3              use 3 for the E value
16
 -engine e       use engine e, possibly a hardware device.  # 对应输出中的 e is 65537 (0x10001)
17
 -rand file:file:...
18
                 load the file (or the files in the directory) into
19
                 the random number generator
20

还有无参数时


xxxxxxxxxx
19
1
# 可以看出是相当于命令 openssl genrsa 2048
2
[root@centos openssl_test]# openssl genrsa
3
Generating RSA private key, 2048 bit long modulus
4
..+++
5
.................+++
6
e is 65537 (0x10001)
7
-----BEGIN RSA PRIVATE KEY-----
8
MIIEogIBAAKCAQEA3HTtGa48QyFvS5VEDjk6hxU3/MfDsu9GhqD0SvDGRSbomdU/
9
I0/g2heRaFPrcvK7o+nYWCJRYp1DiaAO70sVUzXUi8q20t54gp9CMJlKVvhFaP8F
10
uj/jqec9mtGiomApSWa03wACfPkFMSqceKRuWBVIL7OfHmhYFXPI0TNfWnwtMrM7
11
 ...
12
省略备注：2048位 RSA BEGIN -- END 区间总共约24行
13
 ...
14
7hEg8uOEEO1tgt7UyaNRsseCabCQ3l57m5ma3jHBeyzDmv9ZSfexuE4HK2HjN4UZ
15
+pMxAoGAE3iML0UXv16VEsPZkCaKIFCyvM+OW3soFB9gC5q+xop5fyjJgzh40U/v
16
DMHk+p7QO+uydUv1EK0b/XaDGOSef32FQDTIwcC49raVHkpS4FSPd28UEOY0NLqN
17
Vs1oGw2D0HYRSTkgO2/rWXwnkXyTzP19VKPzEqnyn1UZoBBpyqQ=
18
-----END RSA PRIVATE KEY-----
19

rsa 查看私钥、导出公钥

查看

没错，常用的是ssh


xxxxxxxxxx
49
1
[root@centos openssl_test]# openssl genrsa -out genrsa_2048.rsa 2048
2
Generating RSA private key, 2048 bit long modulus
3
...............................................................................................+++
4
........................+++
5
e is 65537 (0x10001)
6
[root@centos openssl_test]# cat genrsa_2048.rsa
7
# 查看输出文件
8
-----BEGIN RSA PRIVATE KEY-----
9
MIIEpQIBAAKCAQEA3Pemy0XO+3gR7uduvvwpuiDJjL5UtbzOMee3XzKYEze4Hq4v
10
ntMyLx1QIJN+Ef0O3EfgweH6SPoW90iSYB7NNdlCMh/EWuB1K9mY5xv3PDGl2xnT
11
mVifDARbkjpPg1AaZ2FllYI0ezR/4nPzzdmIbh43uxg9jzG2TSlE5VYp8OD9kbcb
12
  ...
13
  省略备注：2048位 RSA BEGIN -- END 区间总共约24行
14
  ...
15
JgCji3sxh71NwdhfQu2hHCXkA9yLebv/O8QQm6PL3EqWLdn7HAC+weTf5RuXpDAo
16
Uo0fRfEVAoGAK8dO/57YjLGGlJ2+f/yUt8pMN0IFASMJW2BS74+rl6b+KbFfPcXX
17
AiBtfnH5wG4kuqJYNpOQRuoBpFCpsr8Fgb52gBAM9oRlXj/JbDc+3enTzHe0fCB7
18
DSEIdnl1tHoellxiqFydQpA4ZskAInPmiqcMkBr0UDZY72ffHhClwJ8=
19
-----END RSA PRIVATE KEY-----
20
[root@centos openssl_test]# openssl rsa -in genrsa_2048.rsa
21
# 直接用openssl rsa 查看私钥文件，与cat直接查看文件一致。
22
writing RSA key
23
-----BEGIN RSA PRIVATE KEY-----
24
MIIEpQIBAAKCAQEA3Pemy0XO+3gR7uduvvwpuiDJjL5UtbzOMee3XzKYEze4Hq4v
25
ntMyLx1QIJN+Ef0O3EfgweH6SPoW90iSYB7NNdlCMh/EWuB1K9mY5xv3PDGl2xnT
26
mVifDARbkjpPg1AaZ2FllYI0ezR/4nPzzdmIbh43uxg9jzG2TSlE5VYp8OD9kbcb
27
  ...
28
  省略备注：2048位 RSA BEGIN -- END 区间总共约24行
29
  ...
30
Uo0fRfEVAoGAK8dO/57YjLGGlJ2+f/yUt8pMN0IFASMJW2BS74+rl6b+KbFfPcXX
31
AiBtfnH5wG4kuqJYNpOQRuoBpFCpsr8Fgb52gBAM9oRlXj/JbDc+3enTzHe0fCB7
32
DSEIdnl1tHoellxiqFydQpA4ZskAInPmiqcMkBr0UDZY72ffHhClwJ8=
33
-----END RSA PRIVATE KEY-----
34
[root@centos openssl_test]# openssl rsa -in genrsa_2048.rsa  -pubout
35
# 将私钥的公钥输出到屏幕
36
writing RSA key
37
-----BEGIN PUBLIC KEY-----
38
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA3Pemy0XO+3gR7uduvvwp
39
uiDJjL5UtbzOMee3XzKYEze4Hq4vntMyLx1QIJN+Ef0O3EfgweH6SPoW90iSYB7N
40
NdlCMh/EWuB1K9mY5xv3PDGl2xnTmVifDARbkjpPg1AaZ2FllYI0ezR/4nPzzdmI
41
bh43uxg9jzG2TSlE5VYp8OD9kbcbfGEzP4Nemp+0eCkEZkwoG/aHAhQ1hyZAsd91
42
6HJ1FoIXexu9ZzFrZuHbw07ALBnnDq0PC+x3Z0HhsQOOPBn2T9lmKEl0txwDoizY
43
1NyiWWdG58xnhBWLEVLHoiMLaTIXxxtPuiysqOgtRsq/QT7MupOdkQdJjf2EgWEm
44
uwIDAQAB
45
-----END PUBLIC KEY-----
46

47
[root@centos openssl_test]# openssl rsa -in genrsa_2048.rsa  -pubout -out genrsa_2048.rsa_public
48
# 输出公钥到文件
49

查看加密私钥文件


xxxxxxxxxx
57
1
[root@centos openssl_test]# openssl rsa -in genrsa_2048_encrypt.rsa  -pubout
2
# 这个是加密私钥，要求输入密码才能查看公钥、私钥。
3
Enter pass phrase for genrsa_2048_encrypt.rsa:
4
writing RSA key
5
-----BEGIN PUBLIC KEY-----
6
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqetgCD6lqGVkd2bUURLP
7
IFCgeQkMYorY1ezXbshs9tCXgWIWtZsQCeaoWzt2iQ0zt5RDuQHYCkq1kBwvkK2N
8
BJ4rwqkpjGTTFSvIVj9z+D13sH6Xq9ux92o66+cBvqVV+1mTvqSxj4NCWTg1xAfd
9
zpVKUf6cM44xbgk2nLc7uu5zTs2XJmgiwL4SfD6mY1Kmi+2V7q8g4ktatXzLWCaY
10
8CjJtvAAwIt236W/pSg1o1fJBoeMru/OVYL56C7AcG4JvFwnvS/jK3QjAwGGdsjW
11
pZr2DTHaBVSCMfNc2PDBAJOWsOb7n9Xwfag2cOTitUU9fOXp4pEVPEFcXB0DV1W+
12
CwIDAQAB
13
-----END PUBLIC KEY-----
14
[root@centos openssl_test]#
15

16
[root@centos openssl_test]# openssl rsa -in genrsa_2048_encrypt.rsa
17
Enter pass phrase for genrsa_2048_encrypt.rsa:
18
writing RSA key
19
-----BEGIN RSA PRIVATE KEY-----
20
MIIEowIBAAKCAQEAqetgCD6lqGVkd2bUURLPIFCgeQkMYorY1ezXbshs9tCXgWIW
21
tZsQCeaoWzt2iQ0zt5RDuQHYCkq1kBwvkK2NBJ4rwqkpjGTTFSvIVj9z+D13sH6X
22
q9ux92o66+cBvqVV+1mTvqSxj4NCWTg1xAfdzpVKUf6cM44xbgk2nLc7uu5zTs2X
23
  ...
24
  省略备注：2048位 RSA BEGIN -- END 区间总共约24行
25
  ...
26
c9ilYO+XCIOZcrjEpTOwLhgf2UIKHxp8a7SVb9c/xnCdL9Bw+YgSP6drnMy8pYmO
27
frUVAoGBAISO1QhKMRf+FT7YbV18wjzvBzTa4ne2z96jWbdJMwzlF7cEDP/TE4/q
28
wgrVXT1B8sYEIUJbhIwJDp6yj0Jrp1808zNHUS40v3EV5M+kOCqoLq3GGgjPpEWM
29
DBMhmrxDqcAlUzSxGQ61GsMO1XB5bMZHpCNl3Ob8eorTbUs2ok4u
30
-----END RSA PRIVATE KEY-----
31
[root@centos openssl_test]# openssl rsa -in genrsa_2048_encrypt.rsa  -pubout -out test_
32
Enter pass phrase for genrsa_2048_encrypt.rsa:
33
writing RSA key
34
[root@centos openssl_test]# ls -alh
35
total 32K
36
drwxr-xr-x   2 root root  181 Jul 27 16:50 .
37
dr-xr-x---. 13 root root 4.0K Jul 27 16:12 ..
38
-rw-r--r--   1 root root  963 Jul 27 16:27 genrsa_1024_encrypt.rsa
39
-rw-r--r--   1 root root  887 Jul 27 16:23 genrsa_1024.rsa
40
-rw-r--r--   1 root root 1.8K Jul 27 16:27 genrsa_2048_encrypt.rsa
41
-rw-r--r--   1 root root 1.7K Jul 27 16:43 genrsa_2048.rsa
42
-rw-r--r--   1 root root 3.3K Jul 27 16:26 genrsa_4096_encrypt.rsa
43
-rw-r--r--   1 root root 3.2K Jul 27 16:19 genrsa_4096.rsa
44
-rw-r--r--   1 root root  451 Jul 27 16:50 test_
45
# 注意公钥的文件大小
46
[root@centos openssl_test]# cat test_
47
-----BEGIN PUBLIC KEY-----
48
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqetgCD6lqGVkd2bUURLP
49
IFCgeQkMYorY1ezXbshs9tCXgWIWtZsQCeaoWzt2iQ0zt5RDuQHYCkq1kBwvkK2N
50
BJ4rwqkpjGTTFSvIVj9z+D13sH6Xq9ux92o66+cBvqVV+1mTvqSxj4NCWTg1xAfd
51
zpVKUf6cM44xbgk2nLc7uu5zTs2XJmgiwL4SfD6mY1Kmi+2V7q8g4ktatXzLWCaY
52
8CjJtvAAwIt236W/pSg1o1fJBoeMru/OVYL56C7AcG4JvFwnvS/jK3QjAwGGdsjW
53
pZr2DTHaBVSCMfNc2PDBAJOWsOb7n9Xwfag2cOTitUU9fOXp4pEVPEFcXB0DV1W+
54
CwIDAQAB
55
-----END PUBLIC KEY-----
56
[root@centos openssl_test]#
57

去除密码


xxxxxxxxxx
47
1
[root@centos openssl_test]# openssl rsa -in genrsa_2048_encrypt.rsa
2
Enter pass phrase for genrsa_2048_encrypt.rsa:
3
writing RSA key
4
-----BEGIN RSA PRIVATE KEY-----
5
MIIEowIBAAKCAQEAqetgCD6lqGVkd2bUURLPIFCgeQkMYorY1ezXbshs9tCXgWIW
6
tZsQCeaoWzt2iQ0zt5RDuQHYCkq1kBwvkK2NBJ4rwqkpjGTTFSvIVj9z+D13sH6X
7
q9ux92o66+cBvqVV+1mTvqSxj4NCWTg1xAfdzpVKUf6cM44xbgk2nLc7uu5zTs2X
8
  ...
9
  省略备注：2048位 RSA BEGIN -- END 区间总共约24行
10
  ...
11
frUVAoGBAISO1QhKMRf+FT7YbV18wjzvBzTa4ne2z96jWbdJMwzlF7cEDP/TE4/q
12
wgrVXT1B8sYEIUJbhIwJDp6yj0Jrp1808zNHUS40v3EV5M+kOCqoLq3GGgjPpEWM
13
DBMhmrxDqcAlUzSxGQ61GsMO1XB5bMZHpCNl3Ob8eorTbUs2ok4u
14
-----END RSA PRIVATE KEY-----
15
[root@centos openssl_test]# openssl rsa -in genrsa_2048_encrypt.rsa -out xxxx
16
# 将加密私钥输出
17
Enter pass phrase for genrsa_2048_encrypt.rsa:
18
writing RSA key
19
[root@centos openssl_test]# cat xxxx
20
-----BEGIN RSA PRIVATE KEY-----
21
MIIEowIBAAKCAQEAqetgCD6lqGVkd2bUURLPIFCgeQkMYorY1ezXbshs9tCXgWIW
22
tZsQCeaoWzt2iQ0zt5RDuQHYCkq1kBwvkK2NBJ4rwqkpjGTTFSvIVj9z+D13sH6X
23
q9ux92o66+cBvqVV+1mTvqSxj4NCWTg1xAfdzpVKUf6cM44xbgk2nLc7uu5zTs2X
24
  ...
25
  省略备注：2048位 RSA BEGIN -- END 区间总共约24行
26
  ...
27
c9ilYO+XCIOZcrjEpTOwLhgf2UIKHxp8a7SVb9c/xnCdL9Bw+YgSP6drnMy8pYmO
28
frUVAoGBAISO1QhKMRf+FT7YbV18wjzvBzTa4ne2z96jWbdJMwzlF7cEDP/TE4/q
29
wgrVXT1B8sYEIUJbhIwJDp6yj0Jrp1808zNHUS40v3EV5M+kOCqoLq3GGgjPpEWM
30
DBMhmrxDqcAlUzSxGQ61GsMO1XB5bMZHpCNl3Ob8eorTbUs2ok4u
31
-----END RSA PRIVATE KEY-----
32
[root@centos openssl_test]# openssl rsa -in xxxx
33
# 此时已不要求输入密码
34
writing RSA key
35
-----BEGIN RSA PRIVATE KEY-----
36
MIIEowIBAAKCAQEAqetgCD6lqGVkd2bUURLPIFCgeQkMYorY1ezXbshs9tCXgWIW
37
tZsQCeaoWzt2iQ0zt5RDuQHYCkq1kBwvkK2NBJ4rwqkpjGTTFSvIVj9z+D13sH6X
38
q9ux92o66+cBvqVV+1mTvqSxj4NCWTg1xAfdzpVKUf6cM44xbgk2nLc7uu5zTs2X
39
  ...
40
  省略备注：2048位 RSA BEGIN -- END 区间总共约24行
41
  ...
42
c9ilYO+XCIOZcrjEpTOwLhgf2UIKHxp8a7SVb9c/xnCdL9Bw+YgSP6drnMy8pYmO
43
frUVAoGBAISO1QhKMRf+FT7YbV18wjzvBzTa4ne2z96jWbdJMwzlF7cEDP/TE4/q
44
wgrVXT1B8sYEIUJbhIwJDp6yj0Jrp1808zNHUS40v3EV5M+kOCqoLq3GGgjPpEWM
45
DBMhmrxDqcAlUzSxGQ61GsMO1XB5bMZHpCNl3Ob8eorTbUs2ok4u
46
-----END RSA PRIVATE KEY-----
47

加密码


xxxxxxxxxx
19
1
[root@centos openssl_test]# openssl rsa -in genrsa_2048.rsa -out bbb -des3 -passout pass:abcde
2
writing RSA key
3
[root@centos openssl_test]# openssl rsa -in bbb
4
Enter pass phrase for bbb:abcde
5
writing RSA key
6
-----BEGIN RSA PRIVATE KEY-----
7
MIIEpQIBAAKCAQEA3Pemy0XO+3gR7uduvvwpuiDJjL5UtbzOMee3XzKYEze4Hq4v
8
ntMyLx1QIJN+Ef0O3EfgweH6SPoW90iSYB7NNdlCMh/EWuB1K9mY5xv3PDGl2xnT
9
mVifDARbkjpPg1AaZ2FllYI0ezR/4nPzzdmIbh43uxg9jzG2TSlE5VYp8OD9kbcb
10
  ...
11
  省略备注：2048位 RSA BEGIN -- END 区间总共约24行
12
  ...
13
JgCji3sxh71NwdhfQu2hHCXkA9yLebv/O8QQm6PL3EqWLdn7HAC+weTf5RuXpDAo
14
Uo0fRfEVAoGAK8dO/57YjLGGlJ2+f/yUt8pMN0IFASMJW2BS74+rl6b+KbFfPcXX
15
AiBtfnH5wG4kuqJYNpOQRuoBpFCpsr8Fgb52gBAM9oRlXj/JbDc+3enTzHe0fCB7
16
DSEIdnl1tHoellxiqFydQpA4ZskAInPmiqcMkBr0UDZY72ffHhClwJ8=
17
-----END RSA PRIVATE KEY-----
18
[root@centos openssl_test]#
19

更改密码

-- passin pass:123456 # 密码参数

-des3 -passout pass:abcde # 加密密码参数

输入原密码，参数指定新密码


xxxxxxxxxx
23
1
[root@centos openssl_test]# openssl rsa -in genrsa_2048_encrypt.rsa  -out aaa -des3 -passout pass:abcde
2
Enter pass phrase for genrsa_2048_encrypt.rsa:
3
writing RSA key
4
# 此时要求输入原密码，新密码通过-des3 -passout pass:abcde传入
5
[root@centos openssl_test]# openssl rsa -in genrsa_2048_encrypt.rsa -passin pass:123456 -out aaa -des3 -passout pass:abcde
6
writing RSA key
7
[root@centos openssl_test]# openssl rsa -in aaa
8
# 用新密码打开
9
Enter pass phrase for aaa:abcde
10
writing RSA key
11
-----BEGIN RSA PRIVATE KEY-----
12
MIIEowIBAAKCAQEAqetgCD6lqGVkd2bUURLPIFCgeQkMYorY1ezXbshs9tCXgWIW
13
tZsQCeaoWzt2iQ0zt5RDuQHYCkq1kBwvkK2NBJ4rwqkpjGTTFSvIVj9z+D13sH6X
14
q9ux92o66+cBvqVV+1mTvqSxj4NCWTg1xAfdzpVKUf6cM44xbgk2nLc7uu5zTs2X
15
  ...
16
  省略备注：2048位 RSA BEGIN -- END 区间总共约24行
17
  ...
18
c9ilYO+XCIOZcrjEpTOwLhgf2UIKHxp8a7SVb9c/xnCdL9Bw+YgSP6drnMy8pYmO
19
frUVAoGBAISO1QhKMRf+FT7YbV18wjzvBzTa4ne2z96jWbdJMwzlF7cEDP/TE4/q
20
wgrVXT1B8sYEIUJbhIwJDp6yj0Jrp1808zNHUS40v3EV5M+kOCqoLq3GGgjPpEWM
21
DBMhmrxDqcAlUzSxGQ61GsMO1XB5bMZHpCNl3Ob8eorTbUs2ok4u
22
-----END RSA PRIVATE KEY-----
23
[root@centos openssl_test]#

仅输入新密码


xxxxxxxxxx
6
1
[root@centos openssl_test]# openssl rsa -in genrsa_2048_encrypt.rsa -passin pass:123456  -out aaa -des3
2
writing RSA key
3
Enter PEM pass phrase:
4
Verifying - Enter PEM pass phrase:
5
[root@centos openssl_test]#
6

同时输入原密码、新密码


xxxxxxxxxx
11
1
[root@centos openssl_test]# openssl rsa -in genrsa_2048_encrypt.rsa  -out aaa -des3 -passout pass:abcde
2
# 原密码、新密码均通过交互方式输入（新密码有二次确认）
3
Enter pass phrase for genrsa_2048_encrypt.rsa:
4
writing RSA key
5
[root@centos openssl_test]# openssl rsa -in genrsa_2048_encrypt.rsa  -out aaa -des3
6
Enter pass phrase for genrsa_2048_encrypt.rsa:
7
writing RSA key
8
Enter PEM pass phrase:
9
Verifying - Enter PEM pass phrase:
10
[root@centos openssl_test]#
11

校验文件是否被修改

当然修改后私钥是无效的，无法使用。


xxxxxxxxxx
16
1
[root@centos openssl_test]# openssl rsa -in aaa -check
2
Enter pass phrase for aaa:
3
RSA key ok    #  自校验ok
4
writing RSA key
5
-----BEGIN RSA PRIVATE KEY-----
6
MIIEowIBAAKCAQEAqetgCD6lqGVkd2bUURLPIFCgeQkMYorY1ezXbshs9tCXgWIW
7
tZsQCeaoWzt2iQ0zt5RDuQHYCkq1kBwvkK2NBJ4rwqkpjGTTFSvIVj9z+D13sH6X
8
q9ux92o66+cBvqVV+1mTvqSxj4NCWTg1xAfdzpVKUf6cM44xbgk2nLc7uu5zTs2X
9
  ...
10
  省略备注：2048位 RSA BEGIN -- END 区间总共约24行
11
  ...
12
c9ilYO+XCIOZcrjEpTOwLhgf2UIKHxp8a7SVb9c/xnCdL9Bw+YgSP6drnMy8pYmO
13
frUVAoGBAISO1QhKMRf+FT7YbV18wjzvBzTa4ne2z96jWbdJMwzlF7cEDP/TE4/q
14
wgrVXT1B8sYEIUJbhIwJDp6yj0Jrp1808zNHUS40v3EV5M+kOCqoLq3GGgjPpEWM
15
DBMhmrxDqcAlUzSxGQ61GsMO1XB5bMZHpCNl3Ob8eorTbUs2ok4u
16
-----END RSA PRIVATE KEY-----


xxxxxxxxxx
21
1
[root@centos openssl_test]# openssl rsa -in aaa -check
2
Enter pass phrase for aaa:abcde
3
RSA key error: d e not congruent to 1     # 此时是仅修改了一个字符时的报错。
4
RSA key error: dmp1 not congruent to d
5
RSA key error: dmq1 not congruent to d
6
writing RSA key
7
-----BEGIN RSA PRIVATE KEY-----
8
MIIEowIBAAKCAQEAqetgCD6lqGVkd2bUURLPIFCgeQkMYorY1ezXbshs9tCXgWIW
9
tZsQCeaoWzt2iQ0zt5RDuQHYCkq1kBwvkK2NBJ4rwqkpjGTTFSvIVj9z+D13sH6X
10
q9ux92o66+cBvqVV+1mTvqSxj4NCWTg1xAfdzpVKUf6cM44xbgk2nLc7uu5zTs2X
11
  ...
12
  省略备注：2048位 RSA BEGIN -- END 区间总共约24行
13
  ...
14
c9ilYO+XCIOZcrjEpTOwLhgf2UIKHxp8a7SVb9c/xnCdL9Bw+YgSP6drnMy8pYmO
15
frUVAoGBAISO1QhKMRf+FT7YbV18wjzvBzTa4ne2z96jWbdJMwzlF7cEDP/TE4/q
16
wgrVXT1B8sYEIUJbhIwJDp6yj0Jrp1808zNHUS40v3EV5M+kOCqoLq3GGgjPpEWM
17
DBMhmrxDqcAlUzSxGQ61GsMO1XB5bMZHpCNl3Ob8eorTbUs2ok4u
18
-----END RSA PRIVATE KEY-----
19
# 其它的报错 
20
unable to load Private Key
21
139890935146400:error:0906D066:PEM routines:PEM_read_bio:bad end line:pem_lib.c:802:

speed加密性能测试

测试本机的加密算法的性能（计算能力）


xxxxxxxxxx
1
1
# openssl speed [md2] [mdc2] [md5] [hmac] [sha1] [rmd160] [idea-cbc] [rc2-cbc] [rc5-cbc] [bf-cbc] [des-cbc] [des-ede3] [rc4] [rsa512] [rsa1024] [rsa2048] [rsa4096] [dsa512] [dsa1024] [dsa2048] [idea] [rc2] [des] [rsa] [blowfish]

大概是10秒多少个：如下

177262/10s


xxxxxxxxxx
23
1
[root@centos openssl_test]# openssl speed dsa512 rsa512 rsa2048
2
Doing 512 bit private rsa's for 10s: 177262 512 bit private RSA's in 9.99s
3
Doing 512 bit public rsa's for 10s: 2101681 512 bit public RSA's in 10.00s
4
Doing 2048 bit private rsa's for 10s: 8322 2048 bit private RSA's in 10.00s
5
Doing 2048 bit public rsa's for 10s: 276706 2048 bit public RSA's in 9.99s
6
Doing 512 bit sign dsa's for 10s: 120092 512 bit DSA signs in 10.00s
7
Doing 512 bit verify dsa's for 10s: 187931 512 bit DSA verify in 9.99s
8
OpenSSL 1.0.2k-fips  26 Jan 2017
9
built on: reproducible build, date unspecified
10
options:bn(64,64) md2(int) rc4(16x,int) des(idx,cisc,16,int) aes(partial) idea(int) blowfish(idx)
11
compiler: gcc -I. -I.. -I../include  -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DKRB5_MIT -m64 -DL_ENDIAN -Wall -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches   -m64 -mtune=generic -Wa,--noexecstack -DPURIFY -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DRC4_ASM -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM
12
                  sign    verify    sign/s verify/s
13
rsa  512 bits 0.000056s 0.000005s  17743.9 210168.1
14
rsa 2048 bits 0.001202s 0.000036s    832.2  27698.3
15
                  sign    verify    sign/s verify/s
16
dsa  512 bits 0.000083s 0.000053s  12009.2  18811.9
17

18

19
[root@centos openssl_test]# openssl rand -base64 30;openssl rand -hex 30;openssl rand 30
20
1VwkzoONidGgARKuzxsU1QFco3rVdsSao7olCDcg
21
50f637130ea027ef5414445d077d78e5ac4fca392b4271a70d7f32784581
22
▒▒S"▒▒j▒~▒O=▒▒3O▒|▒x▒▒/▒T[root@centos openssl_test]#
23

rank生成伪随机数作密码生成器


xxxxxxxxxx
25
1

2
[root@centos openssl_test]# openssl rand -base64 30
3
8T1vetrHIui9tU/YzC4Owz5FUtS1khSmDFAexIk9
4
[root@centos openssl_test]# openssl rand -hex 30
5
75629487094bbf7ec9a4cee6c96f120afba3366ae61da0a22dc86f2c18a3
6
[root@centos openssl_test]# openssl rand 30
7
R▒▒T▒{▒`)N▒*ν▒▒r▒▒▒7
8
▒▒▒a[root@centos openssl_test]#
9

10
[root@centos openssl_test]# openssl rand -rand aaa
11
Usage: rand [options] num
12
where options are
13
-out file             - write to file
14
-engine e             - use engine e, possibly a hardware device.
15
-rand file:file:... - seed PRNG from files
16
-base64               - base64 encode output
17
-hex                  - hex encode output
18
[root@centos openssl_test]# openssl rand -rand aaa 30
19
1743 semi-random bytes loaded
20
▒[�▒m▒Q▒▒+Y"U▒f▒u▒▒E_▒[root@centos openssl_test]#
21
[root@centos openssl_test]# openssl rand -rand aaa -hex 30
22
1743 semi-random bytes loaded
23
5ab338214e42cf4b96a02a54d790dc35040497d01a2c158541e0ad5895f6
24
[root@centos openssl_test]#
25

passwd

选项说明：
-crypt：UNIX标准加密算法，此为默认算法。如果加盐(-salt)算密码，只取盐的前2位，2位后面的所有字符都忽略。
-1(数字)：基于MD5的算法代号。更多的算法代号见"http://www.cnblogs.com/f-ck-need-u/p/7011460.html#blog222"。
-apr1(数字)：apache中使用的备选md5算法代号，不能和"-1"选项一起使用，因为apr1本身就默认了md5。htpasswd工具生成的身份验证密码就是此方法。
-salt：加密时加点盐，可以增加算法的复杂度。但加了盐会有副作用：盐相同，密码相同，加密的结果将一样。
-in file：从文件中读取要计算的密码列表
-stdin：从标准输入中获取要输入的密码
-quiet：生成密码过程中不输出任何信息


xxxxxxxxxx
45
1
[root@centos openssl_test]# man sslpasswd  # 帮助手册 
2
[root@centos openssl_test]# openssl passwd 123456;openssl passwd 123456
3
I4QMiuXObfxQ.
4
fyuQFqzHk7vrw
5

6
# 可以看出密码也不一样
7
# 因为默认使用-crypt是使用随机密码加密的。 可以通过-salt将加密密码固定，但也只取-salt的前2位
8
[root@centos openssl_test]#
9
[root@centos openssl_test]# openssl passwd -salt 'xyx' 123456;openssl passwd -salt 'xxx' 123456
10
xyJkVhXGAZ8tM
11
xxkVQ7YXT9yoE
12
# -salt前2位不同，但加密后的值是固定的，就是在不同的主机上执行此命令，都是同样的输出
13
[root@centos openssl_test]# openssl passwd -salt 'xyx' 123456;openssl passwd -salt 'xyx' 123456
14
xyJkVhXGAZ8tM
15
xyJkVhXGAZ8tM
16
# -salt前2位相同。
17
[root@centos openssl_test]#openssl passwd -crypt -salt 'xyx' 123456
18
# 这个是等效完整命令
19

20

21
# -l 基于md5算法加密密码，同样加-salt参数后，密码将固定，且不限制2位salt。
22
[root@centos openssl_test]# openssl passwd -1 123456 ; openssl passwd -1 123456
23
$1$gnQ2oXiZ$5pmHzkczNKejnFvOJ1byT.
24
$1$547gj6Hu$9/PRvlnk8qHobRA2Ckh/X1
25
[root@centos openssl_test]# openssl passwd -1 123456 ; openssl passwd -1 123456
26
$1$fhuoZF1N$23aX.Fm/d7VhVGDTzHFoU0
27
$1$bhJ/qMc7$QEu9YaDXXrO3JveGtLB9u/
28
[root@centos openssl_test]# openssl passwd -1 -salt 'abcde ' 123456 ; openssl passwd -1 -salt 'abcde' 123456
29
$1$abcde $QfooXY1pJ8YQrb4hqlNFG.
30
$1$abcde$ZNsM2unwzBdZCr/Y0QzpZ/
31
[root@centos openssl_test]# openssl passwd -1 -salt 'abcde ' 123456 ; openssl passwd -1 -salt 'abcde' 123456
32
$1$abcde $QfooXY1pJ8YQrb4hqlNFG.
33
$1$abcde$ZNsM2unwzBdZCr/Y0QzpZ/
34
[root@centos openssl_test]# openssl passwd -1 -salt 'abcde ' 123456 ; openssl passwd -1 -salt 'abcde' 123456
35
$1$abcde $QfooXY1pJ8YQrb4hqlNFG.
36
$1$abcde$ZNsM2unwzBdZCr/Y0QzpZ/
37

38
#  -apr1 定制版的-l参数，所以就不要同时与-l出现了。
39
[root@centos openssl_test]# openssl passwd -apr1  123456 ; openssl passwd -apr1 123456
40
$apr1$x33fWW1u$ueY9aH7EkOMyvx1FfJal2.
41
$apr1$m7zNn8rw$a2F8W1W0n5MmTf04XIu2M.
42
[root@centos openssl_test]# openssl passwd -apr1 -salt 'abcde' 123456 ;  openssl passwd -apr1 -salt 'abcde' 123456
43
$apr1$abcde$JfpSak.jThpRLJPtL0SUP0
44
$apr1$abcde$JfpSak.jThpRLJPtL0SUP0
45

生成sha512密码


xxxxxxxxxx
5
1
# grub-crypt --sha-512代替(交互)
2
python -c 'import crypt,getpass;pw=getpass.getpass();print(crypt.crypt(pw) if (pw==getpass.getpass("Confirm: ")) else exit())'
3

4
# grub-crypt --sha-512代替(非交互)
5
python -c 'import crypt,getpass;pw="123456";print(crypt.crypt(pw))'

pkcs12 p12 pfx

pfx （外加了导入密码的二进制文件，iis中常用）<-----> crt+key之间的互转

查看一个通过在线pfx生成网站上制作的文件

windows也认扩展名为p12的导入


xxxxxxxxxx
63
1
[root@centos]# openssl  pkcs12 -in STAR.zjzwfw.gov.cn_iis.pfx
2
Enter Import Password:    # 提示输入导入密码，没有时可以直接回车。
3
MAC verified OK
4
Bag Attributes
5
    localKeyID: 06 BF 20 14 3B E0 6B FB 48 52 53 D3 32 93 6C CF 57 72 5E A5
6
subject=/C=CN/ST=\xE6\xB5\x99\xE6\xB1\x9F\xE7\x9C\x81/L=\xE6\x9D\xAD\xE5\xB7\x9E\xE5\xB8\x82/O=\xE6\xB5\x99\xE6\xB1\x9F\xE7\x9C\x81\xE4\xBA\xBA\xE6\xB0\x91\xE6\x94\xBF\xE5\xBA\x9C\xE5\x8A\x9E\xE5\x85\xAC\xE5\x8E\x85(\xE6\xB5\x99\xE6\xB1\x9F\xE7\x9C\x81\xE4\xBA\xBA\xE6\xB0\x91\xE6\x94\xBF\xE5\xBA\x9C\xE5\x8F\x82\xE4\xBA\x8B\xE5\xAE\xA4)/OU=\xE4\xBF\xA1\xE6\x81\xAF\xE4\xB8\xAD\xE5\xBF\x83/CN=*.zjzwfw.gov.cn
7
issuer=/C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA
8
-----BEGIN CERTIFICATE-----
9
MIIG8DCCBdigAwIBAgIQDZYSfSPTcQMfrDqQX5iL/jANBgkqhkiG9w0BAQsFADBN
10
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMScwJQYDVQQDEx5E
11
aWdpQ2VydCBTSEEyIFNlY3VyZSBTZXJ2ZXIgQ0EwHhcNMjAwNzE0MDAwMDAwWhcN
12
MjIwOTE0MTIwMDAwWjCBrzELMAkGA1UEBhMCQ04xEjAQBgNVBAgMCea1meaxn+ec
13
gTESMBAGA1UEBwwJ5p2t5bee5biCMUcwRQYDVQQKDD7mtZnmsZ/nnIHkurrmsJHm
14
...省略若干行
15
...
16
aiHCG2WVYp9zXi19KkootQbZJ9w1Ojno3Axy4IKbhNB1FQfmo+mmR2mK5EbUPEY4
17
bFTwAMFzMFC1s1eI4BJLYdEabg2C5WLrugFMcv+VbrIkXTAO49SXUEnKgZcSUfvd
18
rkgwyg==
19
-----END CERTIFICATE-----
20
Bag Attributes: <No Attributes>
21
subject=/C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA
22
issuer=/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
23
-----BEGIN CERTIFICATE-----
24
MIIElDCCA3ygAwIBAgIQAf2j627KdciIQ4tyS8+8kTANBgkqhkiG9w0BAQsFADBh
25
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
26
d3cuZGlnaWNlcnQuY29tMSAwHgYDVQQDExdEaWdpQ2VydCBHbG9iYWwgUm9vdCBD
27
QTAeFw0xMzAzMDgxMjAwMDBaFw0yMzAzMDgxMjAwMDBaME0xCzAJBgNVBAYTAlVT
28
MRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxJzAlBgNVBAMTHkRpZ2lDZXJ0IFNIQTIg
29
U2VjdXJlIFNlcnZlciBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
30
ANyuWJBNwcQwFZA1W248ghX1LFy949v/cUP6ZCWA1O4Yok3wZtAKc24RmDYXZK83
31
nf36QYSvx6+M/hpzTc8zl5CilodTgyu5pnVILR1WN3vaMTIa16yrBvSqXUu3R0bd
32
...省略若干行
33
...
34
xtniMB8GA1UdIwQYMBaAFAPeUDVW0Uy7ZvCj4hsbw5eyPdFVMA0GCSqGSIb3DQEB
35
CwUAA4IBAQAjPt9L0jFCpbZ+QlwaRMxp0Wi0XUvgBCFsS+JtzLHgl4+mUwnNqipl
36
5TlPHoOlblyYoiQm5vuh7ZPHLgLGTUq/sELfeNqzqPlt/yGFUzZgTHbO7Djc1lGA
37
8MXW5dRNJ2Srm8c+cftIl7gzbckTB+6WohsYFfZcTEDts8Ls/3HB40f/1LkAtDdC
38
2iDJ6m6K7hQGrn2iWZiIqBtvLfTyyRRfJs8sjX7tN8Cp1Tm5gr8ZDOo0rwAhaPit
39
c+LJMto4JQtV05od8GiG7S5BNO98pVAdvzr508EIDObtHopYJeS4d60tbvVS3bR0
40
j6tJLp07kzQoH3jOlOrHvdPJbRzeXDLz
41
-----END CERTIFICATE-----
42
Bag Attributes
43
    localKeyID: 06 BF 20 14 3B E0 6B FB 48 52 53 D3 32 93 6C CF 57 72 5E A5
44
Key Attributes: <No Attributes>
45
Enter PEM pass phrase:     # 提示输入pem密码这是一个ca+crt+key的三合一文件信息，但指定输出到文件参数时，将输出到屏幕上。
46
Verifying - Enter PEM pass phrase:  # 这个密码是必要输入的，否则不显示或不能导出。
47
-----BEGIN ENCRYPTED PRIVATE KEY-----
48
MIIFDjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIka0ggXMf0yYCAggA
49
MBQGCCqGSIb3DQMHBAjZAl+FkfCHrASCBMghtLJmiRYSoKMHvXR4eucJQrOc3yK6
50
Ms6/MlRAYeQCJ1h4MWMfACLLx6Bj8gQNveIcNU5EEJZNaq2UwxHpdpQCQqszSr5E
51
...省略若干行
52
...
53
nxo2qbGNTfSEvByHepsG3UoftWiOzV+baiE5k3P7RjEGtyXlqAfWgwjLJ8HWiloc
54
uTjr5Q0ZV5wYWFXpPDt6OWdnvK+zqwD0XDjqXyeABXGQr+MM0FG+n6FF0vcbF9k4
55
yeLsY+T9LG5egwRYp4SQDVpDb5jWHLJAtYRWX13bvfhDEh40Bd+a24DfU2cCzBuR
56
5ez7fuk9jdkd0V8KGlB6wQPI8PWNAc+yW1njyoVy4PonmL5+oeMej70jsjGMAlAD
57
bXJsB6me6A0CciLItc49LmT1QfHGTz3/QgXBpWEXnsJIlfvyJxzoKgiezxJKbpyU
58
aigWrJhZuNmyTOs8B7wDVNRVUC/PV62rz4E435GZNH1pW6dh46UdiTwfxT7X2QNp
59
eEJrcSnY9nJflv7TPQ96CkUC3r+/zW8vLAh5A0AupwpPcFzij3fgMZ51Z2Ql6JZu
60
Hek=
61
-----END ENCRYPTED PRIVATE KEY-----
62
[root@centos]#
63

openssl pkcs12制作转换pfx


xxxxxxxxxx
6
1
# 导入的源包括3个文件：ca证书，站点证书，站点证书的key，
2
# 输出的是pfx
3
[root@centos]# openssl pkcs12 -inkey site.key -in site_certificate.crt  -certfile ca.crt -export -out site_certificate.pfx
4
Enter Export Password:   # 提示输入新创建的文件的导出密码，可以不指定密码。
5
Verifying - Enter Export Password:
6

pfx转pem-->crt key

将PFX文件转换为PEM格式时，OpenSSL会将所有证书和私钥放入一个文件中。您需要在文本编辑器中打开该文件，并将每个证书和私钥（包括BEGIN / END语句）复制到其各自的文本文件中，并将它们分别保存为certificate.cer.crt(域名证书)，CACert.cer.crt（根证书，与域名证书类似，可能不包括在其中）和privateKey.key（私钥）。

但其实命令本身的参数也是支持分开导出的（下面有示例），说明它们的生成原理中有一部分就是合并文件。ca证书和网站证书可以合并成一个证书文件，直接复制粘贴合并即可。

...


xxxxxxxxxx
79
1
[root@centos]# openssl pkcs12 -in certificate.pfx -out pem_ca_nocerts.crt -nocerts -nomacver -nodes
2
# 此时仅导出-----BEGIN PRIVATE KEY-----部分，即私钥部分。
3
Enter Import Password:
4
[root@centos]# ls -alh
5

6
-rw-r--r--  1 root root 1.8K Jul 27 21:08 pem_ca_nocerts.crt
7
-rw-r--r--  1 root root 4.5K Jul 27 20:31 STAR.zjzwfw.gov.cn_iis.pfx
8
[root@centos]# cat pem_ca_nocerts.crt
9
Bag Attributes
10
    localKeyID: 98 5F 13 D2 3B A3 76 5F 8C BC 42 C9 64 93 3C 19 C9 74 E1 8A
11
Key Attributes: <No Attributes>
12
-----BEGIN PRIVATE KEY-----
13
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCt7zCT5ztpf1f7
14
awmFiXW98ajRxGAx6uhQffUeBlA6HjyMMBgzZRGtawUSnPL37TUyk5g1W1i1UyFR
15
Jo9/iDMuPE7HFdA0S1gm+fsnMO6cYKjATCCGO9HrBg1in+vgVDlvd5A7ryKOa01p
16
AeWW9IXilTpWtUlrgyYINm2A8+Mpug0MAnyUigy62Mkcktl3Qk4au/+GgESuSuYv
17
...省略若干行
18
...
19
zcwnrW6Dp7xk9dbsNhFhtZnZ4SJR/qMi6DfXPRBUTuiWv0XhyMI3nWL1KIcYQl2d
20
dgAR85k6qP4xhEhU1QQM2LZ6YWoUVFy/ChFfMmjQ1F+ceYBDYdsz1LI3xb+3nwQb
21
LWkQieunIZp8Odt+k9GxtfoOjhmOPtB6PHjglt0nAoGAc6FHA4dAURxmyzQY0rno
22
JjyZ+uLi5WQDyaXGvDitVhBywxQEBpFcEYrF3XdMXpg50lhiOPViOy5+IIeRsvlU
23
6hbRkCzlIEatWcE6pxIDFl3MrqmqqQYyoNme8pp1zxi+8LbCfg/WCmclTBOoieRf
24
kIE+n0hRYFEMw2Z38fZh0XY=
25
-----END PRIVATE KEY-----
26
[root@centos]#
27

28
# =======================================================================================下面的可用作nginx使用。
29

30
[root@centos]# openssl pkcs12 -in certificate.pfx -out clcerts.pem -clcerts -nodes
31
# 此时的pem是包含了client_crt+key的文件，其中的顺序不重要。提取----xxx ----中的段落即可用作nginx使用。
32
Enter Import Password:
33
MAC verified OK  输出此处的表明可用。
34

35
[root@centos]# cat pem_ca_clcerts.crt
36
Bag Attributes
37
    localKeyID: 98 5F 13 D2 3B A3 76 5F 8C BC 42 C9 64 93 3C 19 C9 74 E1 8A
38
subject=/CN=www.haudi.top   # 此处为site
39
issuer=/C=CN/O=TrustAsia Technologies, Inc./OU=Domain Validated SSL/CN=TrustAsia TLS RSA CA
40
-----BEGIN CERTIFICATE-----
41
MIIFrDCCBJSgAwIBAgIQDZP6aUi/I3+gAHFZjht6RzANBgkqhkiG9w0BAQsFADBy
42
MQswCQYDVQQGEwJDTjElMCMGA1UEChMcVHJ1c3RBc2lhIFRlY2hub2xvZ2llcywg
43
SW5jLjEdMBsGA1UECxMURG9tYWluIFZhbGlkYXRlZCBTU0wxHTAbBgNVBAMTFFRy
44
...省略若干行
45
pYi5sZMyK+8+CIvEiooUyQ==
46
-----END CERTIFICATE-----
47
-----BEGIN PRIVATE KEY-----
48
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCt7zCT5ztpf1f7
49
awmFiXW98ajRxGAx6uhQffUeBlA6HjyMMBgzZRGtawUSnPL37TUyk5g1W1i1UyFR
50
Jo9/iDMuPE7HFdA0S1gm+fsnMO6cYKjATCCGO9HrBg1in+vgVDlvd5A7ryKOa01p
51
...省略若干行
52
6hbRkCzlIEatWcE6pxIDFl3MrqmqqQYyoNme8pp1zxi+8LbCfg/WCmclTBOoieRf
53
kIE+n0hRYFEMw2Z38fZh0XY=
54
-----END PRIVATE KEY-----
55

56

57
[root@centos]# openssl pkcs12 -in certificate.pfx -out ca_certs.crt -cacerts -nomacver -nodes
58
Enter Import Password:
59
[root@centos]# cat ca_certs.crt
60
# 此时文件包括 ca + key 但不适合nginx使用
61
Bag Attributes: <No Attributes>
62
subject=/C=CN/O=TrustAsia Technologies, Inc./OU=Domain Validated SSL/CN=TrustAsia TLS RSA CA
63
issuer=/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
64
-----BEGIN CERTIFICATE-----
65
MIIErjCCA5agAwIBAgIQBYAmfwbylVM0jhwYWl7uLjANBgkqhkiG9w0BAQsFADBh
66
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
67
...省略若干行
68
pYi5sZMyK+8+CIvEiooUyQ==
69
-----END CERTIFICATE-----
70
-----BEGIN PRIVATE KEY-----
71
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCt7zCT5ztpf1f7
72
awmFiXW98ajRxGAx6uhQffUeBlA6HjyMMBgzZRGtawUSnPL37TUyk5g1W1i1UyFR
73
Jo9/iDMuPE7HFdA0S1gm+fsnMO6cYKjATCCGO9HrBg1in+vgVDlvd5A7ryKOa01p
74
...省略若干行
75
6hbRkCzlIEatWcE6pxIDFl3MrqmqqQYyoNme8pp1zxi+8LbCfg/WCmclTBOoieRf
76
kIE+n0hRYFEMw2Z38fZh0XY=
77
-----END PRIVATE KEY-----
78

79

只导出ca证书或client certificate证书


xxxxxxxxxx
36
1
[root@centos]# openssl pkcs12 -in certificate.pfx -out ca_certs.crt -cacerts -nokeys -nomacver -nodes
2
Enter Import Password:
3
[root@centos]# cat ca_certs.crt
4
Bag Attributes: <No Attributes>
5
subject=/C=CN/O=TrustAsia Technologies, Inc./OU=Domain Validated SSL/CN=TrustAsia TLS RSA CA
6
issuer=/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
7
-----BEGIN CERTIFICATE-----
8
MIIErjCCA5agAwIBAgIQBYAmfwbylVM0jhwYWl7uLjANBgkqhkiG9w0BAQsFADBh
9
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
10
...省略若干行
11
ISLNdMRiDrXntcImDAiRvkh5GJuH4YCVE6XEntqaNIgGkRwxKSgnU3Id3iuFbW9F
12
UQ9Qqtb1GX91AJ7i4153TikGgYCdwYkBURD8gSVe8OAco6IfZOYt/TEwii1Ivi1C
13
qnuUlWpsF1LdQNIdfbW3TSe0BhQa7ifbVIfvPWHYOu3rkg1ZeMo6XRU9B4n5VyJY
14
RmE=
15
-----END CERTIFICATE-----
16
[root@centos]#
17

18
[root@centos]# openssl pkcs12 -in certificate.pfx -out cl_certs.crt -clcerts -nokeys -nomacver -nodes
19
Enter Import Password:
20
[root@centos]# cat cl_certs.crt
21
Bag Attributes
22
    localKeyID: 98 5F 13 D2 3B A3 76 5F 8C BC 42 C9 64 93 3C 19 C9 74 E1 8A
23
subject=/CN=www.haudi.top
24
issuer=/C=CN/O=TrustAsia Technologies, Inc./OU=Domain Validated SSL/CN=TrustAsia TLS RSA CA
25
-----BEGIN CERTIFICATE-----
26
MIIFrDCCBJSgAwIBAgIQDZP6aUi/I3+gAHFZjht6RzANBgkqhkiG9w0BAQsFADBy
27
MQswCQYDVQQGEwJDTjElMCMGA1UEChMcVHJ1c3RBc2lhIFRlY2hub2xvZ2llcywg
28
SW5jLjEdMBsGA1UECxMURG9tYWluIFZhbGlkYXRlZCBTU0wxHTAbBgNVBAMTFFRy
29
dXN0QXNpYSBUTFMgUlNBIENBMB4XDTIwMDcyNzAwMDAwMFoXDTIxMDcyODEyMDAw
30
MFowGzEZMBcGA1UEAxMQd3d3LnhpbnpoaWJhLnRvcDCCASIwDQYJKoZIhvcNAQEB
31
...省略若干行
32
dIe542ikcbJ01yNZT7+XZhMSdclhrBY9xWJ3vEfZN+0NwGnL+8pQWSTA2l2JsRId
33
pMU+rKpUnytVWMta9Uewfbt8i1vXFyCRv8xdu+AiknpLW2qG2cvE13NiQjWUvPg4
34
pYi5sZMyK+8+CIvEiooUyQ==
35
-----END CERTIFICATE-----
36

pkcs12帮助细节


xxxxxxxxxx
50
1
[root@centos]# openssl pkcs12 help
2
Usage: pkcs12 [options]
3
where options are
4
-export       output PKCS12 file
5
-chain        add certificate chain
6
-inkey file   private key if not infile
7
-certfile f   add all certs in f
8
-CApath arg   - PEM format directory of CA's
9
-CAfile arg   - PEM format file of CA's
10
-name "name"  use name as friendly name
11
-caname "nm"  use nm as CA friendly name (can be used more than once).
12
-in  infile   input filename
13
-out outfile  output filename
14
-noout        don't output anything, just verify.
15
-nomacver     don't verify MAC.
16
-nocerts      don't output certificates.
17
-clcerts      only output client certificates.
18
-cacerts      only output CA certificates.
19
-nokeys       don't output private keys.
20
-info         give info about PKCS#12 structure.
21
-des          encrypt private keys with DES
22
-des3         encrypt private keys with triple DES (default)
23
-idea         encrypt private keys with idea
24
-seed         encrypt private keys with seed
25
-aes128, -aes192, -aes256
26
              encrypt PEM output with cbc aes
27
-camellia128, -camellia192, -camellia256
28
              encrypt PEM output with cbc camellia
29
-nodes        don't encrypt private keys
30
-noiter       don't use encryption iteration
31
-nomaciter    don't use MAC iteration
32
-maciter      use MAC iteration
33
-nomac        don't generate MAC
34
-twopass      separate MAC, encryption passwords
35
-descert      encrypt PKCS#12 certificates with triple DES (default RC2-40)
36
-certpbe alg  specify certificate PBE algorithm (default RC2-40)
37
-keypbe alg   specify private key PBE algorithm (default 3DES)
38
-macalg alg   digest algorithm used in MAC (default SHA1)
39
-keyex        set MS key exchange type
40
-keysig       set MS key signature type
41
-password p   set import/export password source
42
-passin p     input file pass phrase source
43
-passout p    output file pass phrase source
44
-engine e     use engine e, possibly a hardware device.
45
-rand file:file:...
46
              load the file (or the files in the directory) into
47
              the random number generator
48
-CSP name     Microsoft CSP name
49
-LMK          Add local machine keyset attribute to private key
50

PEM

PEM可以简单的合并ca_certificate.crt / client_certificate.crt / client_certificate.key 来产生，复制粘贴到同一个文件即可。

或者

以此三个文件通过openssl pkcs12 命令输出pfx或p12文件，再由通过命令pfx转换为PEM（建议方案，前文有转换操作）

jks（多用于tomcat）类似于pfx

windows keytools.exe或linux中keytools工具位于jdk中

以下以windows JDK环境测试


xxxxxxxxxx
4
1
keytool -import -alias mycert -file d:\site_key.pem -keystore mykeystore.jks
2
# 有具体帮助。也支持反向转换。
3
#校验jks证书密钥
4
keytool -list -v -keystore arbor.jks

生成jks


xxxxxxxxxx
196
1
E:\jdk1.8.0_192\bin>keytool.exe --help
2
密钥和证书管理工具
3

4
命令:
5

6
 -certreq            生成证书请求
7
 -changealias        更改条目的别名
8
 -delete             删除条目
9
 -exportcert         导出证书
10
 -genkeypair         生成密钥对
11
 -genseckey          生成密钥
12
 -gencert            根据证书请求生成证书
13
 -importcert         导入证书或证书链
14
 -importpass         导入口令
15
 -importkeystore     从其他密钥库导入一个或所有条目
16
 -keypasswd          更改条目的密钥口令
17
 -list               列出密钥库中的条目
18
 -printcert          打印证书内容
19
 -printcertreq       打印证书请求的内容
20
 -printcrl           打印 CRL 文件的内容
21
 -storepasswd        更改密钥库的存储口令
22

23
使用 "keytool -command_name -help" 获取 command_name 的用法
24

25
E:\jdk1.8.0_192\bin>keytool.exe -import -alias mycert -file .\start.pem -keystore mykeystore.jks
26
输入密钥库口令:
27
密钥库口令太短 - 至少必须为 6 个字符
28
输入密钥库口令:
29
再次输入新口令:
30

31
E:\jdk1.8.0_192\bin>keytool.exe -import -alias mycert -file .\start.pem -keystore mykeystore.jks
32
输入密钥库口令:     #  定义新的导入密码
33
再次输入新口令:
34
所有者: CN=DigiCert SHA2 Secure Server CA, O=DigiCert Inc, C=US
35
发布者: CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US
36
序列号: 1fda3eb6eca75c888438b724bcfbc91
37
有效期为 Fri Mar 08 20:00:00 CST 2013 至 Wed Mar 08 20:00:00 CST 2023
38
证书指纹:
39
         MD5:  34:5E:FF:15:B7:A4:9A:DD:45:1B:65:A7:F4:BD:C6:AE
40
         SHA1: 1F:B8:6B:11:68:EC:74:31:54:06:2E:8C:9C:C5:B1:71:A4:B7:CC:B4
41
         SHA256: 15:4C:43:3C:49:19:29:C5:EF:68:6E:83:8E:32:36:64:A0:0E:6A:0D:82:2C:CC:95:8F:B4:DA:B0:3E:49:A0:8F
42
签名算法名称: SHA256withRSA
43
主体公共密钥算法: 2048 位 RSA 密钥
44
版本: 3
45

46
扩展:
47

48
#1: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
49
AuthorityInfoAccess [
50
  [
51
   accessMethod: ocsp
52
   accessLocation: URIName: http://ocsp.digicert.com
53
]
54
]
55

56
#2: ObjectId: 2.5.29.35 Criticality=false
57
AuthorityKeyIdentifier [
58
KeyIdentifier [
59
0000: 03 DE 50 35 56 D1 4C BB   66 F0 A3 E2 1B 1B C3 97  ..P5V.L.f.......
60
0010: B2 3D D1 55                                        .=.U
61
]
62
]
63

64
#3: ObjectId: 2.5.29.19 Criticality=true
65
BasicConstraints:[
66
  CA:true
67
  PathLen:0
68
]
69

70
#4: ObjectId: 2.5.29.31 Criticality=false
71
CRLDistributionPoints [
72
  [DistributionPoint:
73
     [URIName: http://crl3.digicert.com/DigiCertGlobalRootCA.crl]
74
, DistributionPoint:
75
     [URIName: http://crl4.digicert.com/DigiCertGlobalRootCA.crl]
76
]]
77

78
#5: ObjectId: 2.5.29.32 Criticality=false
79
CertificatePolicies [
80
  [CertificatePolicyId: [2.5.29.32.0]
81
[PolicyQualifierInfo: [
82
  qualifierID: 1.3.6.1.5.5.7.2.1
83
  qualifier: 0000: 16 1C 68 74 74 70 73 3A   2F 2F 77 77 77 2E 64 69  ..https://www.di
84
0010: 67 69 63 65 72 74 2E 63   6F 6D 2F 43 50 53        gicert.com/CPS
85

86
]]  ]
87
]
88

89
#6: ObjectId: 2.5.29.15 Criticality=true
90
KeyUsage [
91
  DigitalSignature
92
  Key_CertSign
93
  Crl_Sign
94
]
95

96
#7: ObjectId: 2.5.29.14 Criticality=false
97
SubjectKeyIdentifier [
98
KeyIdentifier [
99
0000: 0F 80 61 1C 82 31 61 D5   2F 28 E7 8D 46 38 B4 2C  ..a..1a./(..F8.,
100
0010: E1 C6 D9 E2                                        ....
101
]
102
]
103

104
是否信任此证书? [否]:  y
105
证书已添加到密钥库中
106

107
E:\jdk1.8.0_192\bin>keytool.exe  -list -v -keystore mykeystore.jks  
108
# 此输出与上面生成时的输出一致
109
输入密钥库口令:
110
密钥库类型: jks
111
密钥库提供方: SUN
112

113
您的密钥库包含 1 个条目
114

115
别名: mycert
116
创建日期: 2020-7-27
117
条目类型: trustedCertEntry
118

119
所有者: CN=DigiCert SHA2 Secure Server CA, O=DigiCert Inc, C=US
120
发布者: CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US
121
序列号: 1fda3eb6eca75c888438b724bcfbc91
122
有效期为 Fri Mar 08 20:00:00 CST 2013 至 Wed Mar 08 20:00:00 CST 2023
123
证书指纹:
124
         MD5:  34:5E:FF:15:B7:A4:9A:DD:45:1B:65:A7:F4:BD:C6:AE
125
         SHA1: 1F:B8:6B:11:68:EC:74:31:54:06:2E:8C:9C:C5:B1:71:A4:B7:CC:B4
126
         SHA256: 15:4C:43:3C:49:19:29:C5:EF:68:6E:83:8E:32:36:64:A0:0E:6A:0D:82:2C:CC:95:8F:B4:DA:B0:3E:49:A0:8F
127
签名算法名称: SHA256withRSA
128
主体公共密钥算法: 2048 位 RSA 密钥
129
版本: 3
130

131
扩展:
132

133
#1: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
134
AuthorityInfoAccess [
135
  [
136
   accessMethod: ocsp
137
   accessLocation: URIName: http://ocsp.digicert.com
138
]
139
]
140

141
#2: ObjectId: 2.5.29.35 Criticality=false
142
AuthorityKeyIdentifier [
143
KeyIdentifier [
144
0000: 03 DE 50 35 56 D1 4C BB   66 F0 A3 E2 1B 1B C3 97  ..P5V.L.f.......
145
0010: B2 3D D1 55                                        .=.U
146
]
147
]
148

149
#3: ObjectId: 2.5.29.19 Criticality=true
150
BasicConstraints:[
151
  CA:true
152
  PathLen:0
153
]
154

155
#4: ObjectId: 2.5.29.31 Criticality=false
156
CRLDistributionPoints [
157
  [DistributionPoint:
158
     [URIName: http://crl3.digicert.com/DigiCertGlobalRootCA.crl]
159
, DistributionPoint:
160
     [URIName: http://crl4.digicert.com/DigiCertGlobalRootCA.crl]
161
]]
162

163
#5: ObjectId: 2.5.29.32 Criticality=false
164
CertificatePolicies [
165
  [CertificatePolicyId: [2.5.29.32.0]
166
[PolicyQualifierInfo: [
167
  qualifierID: 1.3.6.1.5.5.7.2.1
168
  qualifier: 0000: 16 1C 68 74 74 70 73 3A   2F 2F 77 77 77 2E 64 69  ..https://www.di
169
0010: 67 69 63 65 72 74 2E 63   6F 6D 2F 43 50 53        gicert.com/CPS
170

171
]]  ]
172
]
173

174
#6: ObjectId: 2.5.29.15 Criticality=true
175
KeyUsage [
176
  DigitalSignature
177
  Key_CertSign
178
  Crl_Sign
179
]
180

181
#7: ObjectId: 2.5.29.14 Criticality=false
182
SubjectKeyIdentifier [
183
KeyIdentifier [
184
0000: 0F 80 61 1C 82 31 61 D5   2F 28 E7 8D 46 38 B4 2C  ..a..1a./(..F8.,
185
0010: E1 C6 D9 E2                                        ....
186
]
187
]
188

189

190

191
*******************************************
192
*******************************************
193

194

195

196
E:\jdk1.8.0_192\bin>

导出jks为pem

重要的操作是导出其中的key，crt部分是通用的。

支持在线操作，见下方在线链接（需要crt（可以是不完整证书链的证书）+key）。


xxxxxxxxxx
11
1
# \jdk\java-1.8.0-openjdk-1.8.0.275-1.b01.dev.redhat.windows.x86_64\bin> .\keytool.exe -v -importkeystore -srckeystore some_domain.jks -destkeystore some_domain.jks.p12 -srcstoretype jks -deststoretype pkcs12 -deststorepass 123456 -destkeypass 123456
2
正在将密钥库 some_domain.jks 导入到 some_domain.jks.p12...
3
输入源密钥库口令:
4
存在现有条目别名 1, 是否覆盖? [否]:  y
5
已成功导入别名 1 的条目。
6
已完成导入命令: 1 个条目成功导入, 0 个条目失败或取消
7
[正在存储some_domain.jks.p12]
8

9
# openssl pkcs12 -nodes -in some_domain.jks.p12  -out yc.huzhou.gov.cn.jks.p12.key_crt
10
# 导出时按提示输入密码，然后生成包含key+crt的文本文件，即可自行切割。
11

补全证书链

myssl站点支持检测，然后提供在线补全功能。

补全实际上是添加一段ca certificate段，将其与key重新配置到nginx或封装到jks中即可使用。

文件格式与类型

提醒：扩展名不重要，扩展名的使用上，许多平台或个人也命名上没做到可识别。

.DER .CER，文件是二进制格式，只保存证书，不保存私钥。（windows可打开查看）
.PEM，一般是文本格式，可保存证书，可保存私钥。
.CRT，可以是二进制格式，可以是文本格式，与 .DER 格式相同，不保存私钥。（windows可打开查看）
.PFX .P12，二进制格式，同时包含证书和私钥，一般有密码保护。（windows可打开查看）
.JKS，二进制格式，同时包含证书和私钥，一般有密码保护。jdk中常用。

配置实例

yum连接双向认证yum源


xxxxxxxxxx
5
1
yum源使用证书认证：自签名证书
2
需要在客户端服务器安装证书
3
将证书ca.crt追加到cat ca-key.pem >> /etc/pki/tls/certs/ca-bundle.crt
4

5
然后在客户端/etc/hosts中添加对应域名的解析，然后在yum.repo中baseurl中引用域名，而非ip进行调用。

nginx

可以在线生成 https://myssl.com/create_test_cert.html


xxxxxxxxxx
3
1
    ssl_certificate /etc/nginx/ssl/server.crt;
2
    ssl_certificate_key /etc/nginx/ssl/server.key;
3
    ssl_client_certificate /etc/nginx/ssl/ca.crt;  # 非必须


xxxxxxxxxx
6
1
#公钥2048，生成key及csr
2
openssl genrsa -out ca.key 2048
3
openssl req -new -subj /C=CN/ST=JS/L=SZ/O=sth/OU=ou/CN=infra/emailAddress=notify2u@163.com -days 36500 -key ca.key -out ca.csr
4
#sha256位，生成证书
5
openssl x509 -req -days 36500 -sha256 -signkey ca.key -in ca.csr -out ca.crt
6
openssl x509 -text -noout -in ca.crt   # 查看证书信息

tomcat


xxxxxxxxxx
17
1
 <Connector port="443" protocol="org.apache.coyote.http11.Http11Protocol"
2
               maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
3
               clientAuth="false" sslProtocol="TLS" keystoreFile="/xxx/xxx/xxx.jks"  keystorePass="xxxx" keyAlias="xxxx"/>
4

5

6
    <Connector port="9443" protocol="HTTP/1.1"
7
               maxThreads="150" SSLEnabled="true"
8
            keystoreFile="conf/some.domain.cn.jks" keystorePass="*******" clientAuth="false" sslProtocol="TLS" 
9
       
10
    />
11
    
12
    或
13
        <Connector port="9443" protocol="HTTP/1.1"
14
               maxThreads="150" SSLEnabled="true"
15
            keystoreFile="/conf/some.domain.cn.jks" keystorePass="*******" clientAuth="false" sslProtocol="TLS" 
16
       
17
    />

或 ssl单独子标签配置


xxxxxxxxxx
7
1
<Connector port="443"   protocol="org.apache.coyote.http11.Http11NioProtocol" maxThreads="150" SSLEnabled="true">
2
        <SSLHostConfig>
3
            <Certificate certificateKeystoreFile="/xxx/xxx/xxx.jks" certificateKeyAlias="xxx"
4
                certificateKeystorePassword="xxx"
5
                         type="RSA" />
6
        </SSLHostConfig>
7
    </Connector>

keystoreFile/certificateKeystoreFile:证书地址，可使用绝对路径，也可以配置相对路径
keyAlias/certificateKeyAlias:生成证书时输入的别名
keystorePass/certificateKeystorePassword:生成证书时输入的密钥

iis证书管理

iis6 （2003）

iis7.5（server2008R2）

如果有到期的证书，可以先删除，再导入，否则再绑定时，你可能会选错是哪个。

确定后，等待生效。访问地址检查证书是否更新为最新的状态。

x509生成证书

这个是证书的显示效果


xxxxxxxxxx
56
1
-----BEGIN CERTIFICATE-----
2
MIID7jCCAtagAwIBAgIQER6+Jt29QNOQYPVwOT8jVDANBgkqhkiG9w0BAQsFADBe
3
MQswCQYDVQQGEwJDTjEOMAwGA1UEChMFTXlTU0wxKzApBgNVBAsTIk15U1NMIFRl
4
c3QgUlNBIC0gRm9yIHRlc3QgdXNlIG9ubHkxEjAQBgNVBAMTCU15U1NMLmNvbTAe
5
Fw0yMDEyMjgxMTQwMzFaFw0yNTEyMjcxMTQwMzFaMCwxCzAJBgNVBAYTAkNOMR0w
6
GwYDVQQDExRuaG1zcngubmFuaGFpLmdvdi5jbjCCASIwDQYJKoZIhvcNAQEBBQAD
7
...省略若干行...
8
3jHp4olXb2pKmrbXdegz5Kg5fBxG7CRkscS9MfDTp8YkAlsmVwyFqyGZR8rpLhqq
9
N9aZ1GRQ4zZFXM0CeLMPy+OgRYa5t4J0LV5/mcLydBaKvdyYwRUNSpsO9O1pXqNg
10
eRrXqGmECNZN8lW9ywCVLI+FsnygVKTdwExEGVD69wsfhgQdBM9SM53RLTixCLI6
11
PJ+Rtxuv7css5kQyEZYYov0pkTmIQOK3U6aJfWi/ms9bouDf6v+vbnN3nQhYBvQc
12
JcA=
13
-----END CERTIFICATE-----
14
-----BEGIN RSA PRIVATE KEY-----
15
MIIEpQIBAAKCAQEA2AKSJCirDjtIBopgixiqs2++Y6ZznQq/4nh+XUlEdQsdBL7i
16
qqCRYcFwSLQ8q6iUMvq2JhB+zMi7MUxBBxcnaKrDcbIr6nhkD1fElTlSm5TavWfn
17
Qd1FCLf/EAb6N+jBqwyFuUgAJSWtGo1ekYMKtFiyYyP9Uhv9EfmhRnFoym1ilnTg
18
hDgV0VCot6z/3YZuDyxeS1lRIRUnvLQDbhDPjcTUPLWtQaL/VDPpllO22CAREYk4
19
aI0GemOLM9vORs6Ls2yJDcwKMhounqQovXKx/EjxxvOwKsecLYi1MnXM66VYcrkO
20
Me9fs1HcUhFN9PzoeQDRDY+FrjaMDIzRP0VJ9wIDAQABAoIBAQCGGeJ8TDsVlLv8
21
...省略若干行...
22
JuLR2QmBT70k4FFWxfI0Ps3mqnGbYxmZeUSCGyS/gegHGjNVobjkQJLNDo6CU8WH
23
Paf1BhDILfCnMMDpgtLzOpN55kqJKVFqDx0NbbOcKHPHSpiEu0gONVIQdOz0rOGj
24
8D2vWWsCgYEAkRp8iqQw/t9BWGthn6h7PNjaajE58Sqc+E7MOsKNY5BxiLbBFeJo
25
BXEmBIdI5Gqn8JCT45GT2tl5ewO/XXPhQX0oTrya04sLkU793lQUOvPLfdfEusaf
26
WY3jklogzF6ija05Q4nvoQSKZJLchbfkxXI2BBBrYvqoEUb5whsmFUs=
27
-----END RSA PRIVATE KEY-----
28

29
-----BEGIN CERTIFICATE-----
30
MIID7jCCAtagAwIBAgIQER6+Jt29QNOQYPVwOT8jVDANBgkqhkiG9w0BAQsFADBe
31
MQswCQYDVQQGEwJDTjEOMAwGA1UEChMFTXlTU0wxKzApBgNVBAsTIk15U1NMIFRl
32
c3QgUlNBIC0gRm9yIHRlc3QgdXNlIG9ubHkxEjAQBgNVBAMTCU15U1NMLmNvbTAe
33
Fw0yMDEyMjgxMTQwMzFaFw0yNTEyMjcxMTQwMzFaMCwxCzAJBgNVBAYTAkNOMR0w
34
GwYDVQQDExRuaG1zcngubmFuaGFpLmdvdi5jbjCCASIwDQYJKoZIhvcNAQEBBQAD
35
...省略若干行...
36
3jHp4olXb2pKmrbXdegz5Kg5fBxG7CRkscS9MfDTp8YkAlsmVwyFqyGZR8rpLhqq
37
N9aZ1GRQ4zZFXM0CeLMPy+OgRYa5t4J0LV5/mcLydBaKvdyYwRUNSpsO9O1pXqNg
38
eRrXqGmECNZN8lW9ywCVLI+FsnygVKTdwExEGVD69wsfhgQdBM9SM53RLTixCLI6
39
PJ+Rtxuv7css5kQyEZYYov0pkTmIQOK3U6aJfWi/ms9bouDf6v+vbnN3nQhYBvQc
40
JcA=
41
-----END CERTIFICATE-----
42
-----BEGIN CERTIFICATE-----
43
MIIDuzCCAqOgAwIBAgIQSEIWDPfWTDKZcWNyL2O+fjANBgkqhkiG9w0BAQsFADBf
44
MQswCQYDVQQGEwJDTjEOMAwGA1UEChMFTXlTU0wxLDAqBgNVBAsTI015U1NMIFRl
45
c3QgUm9vdCAtIEZvciB0ZXN0IHVzZSBvbmx5MRIwEAYDVQQDEwlNeVNTTC5jb20w
46
HhcNMTcxMTE2MDUzNTM1WhcNMjcxMTE2MDUzNTM1WjBeMQswCQYDVQQGEwJDTjEO
47
MAwGA1UEChMFTXlTU0wxKzApBgNVBAsTIk15U1NMIFRlc3QgUlNBIC0gRm9yIHRl
48
c3QgdXNlIG9ubHkxEjAQBgNVBAMTCU15U1NMLmNvbTCCASIwDQYJKoZIhvcNAQEB
49
BQADggEPADCCAQoCggEBAMBOtZk0uzdG4dcIIdcAdSSYDbua0Bdd6N6s4hZaCOup
50
...省略若干行...
51
648azH/r/GR1S+mXci0Mg6RrDdLzUO7VSf0JULJf98oEPr9fpIZuRTyWcxiP4yh0
52
wVd35OIQBTToLrMOWYWuApU4/YLKvg4A86h577kuYeSsWyf5kk0ngXsL1AFMqjOk
53
Tc7p8PuW68S5/88Pe+Bq3sAaG3U5rousiTIpoN/osq+GyXisgv5jd2M4YBtl/NlD
54
ppZs5LAOjct+Aaofhc5rNysonKjkd44K2cgBkbpOMj0dbVNKyL2/2I0zyY1FU2Mk
55
URUHyMW5Qd5Q9g6Y4sDOIm6It9TF7EjpwMs42R30agcRYzuUsN72ZFBYFJwnBX8=
56
-----END CERTIFICATE-----


xxxxxxxxxx
80
1
C:\Program Files\OpenSSL-Win64\bin>openssl.exe x509 -in D:\ssl\allinone.txt -text
2
Certificate:
3
    Data:
4
        Version: 3 (0x2)
5
        Serial Number:
6
            11:1e:be:26:dd:bd:40:d3:90:60:f5:70:39:3f:23:54
7
        Signature Algorithm: sha256WithRSAEncryption
8
        Issuer: C = CN, O = MySSL, OU = MySSL Test RSA - For test use only, CN = MySSL.com
9
        Validity
10
            Not Before: Dec 28 11:40:31 2020 GMT
11
            Not After : Dec 27 11:40:31 2025 GMT
12
        Subject: C = CN, CN = nhmsrx.nanhai.gov.cn
13
        Subject Public Key Info:
14
            Public Key Algorithm: rsaEncryption
15
                RSA Public-Key: (2048 bit)
16
                Modulus:
17
                    00:d8:02:92:24:28:ab:0e:3b:48:06:8a:60:8b:18:
18
                    aa:b3:6f:be:63:a6:73:9d:0a:bf:e2:78:7e:5d:49:
19
                    44:75:0b:1d:04:be:e2:aa:a0:91:61:c1:70:48:b4:
20
                    3c:ab:a8:94:32:fa:b6:26:10:7e:cc:c8:bb:31:4c:
21
                    41:07:17:27:68:aa:c3:71:b2:2b:ea:78:64:0f:57:
22
                    c4:95:39:52:9b:94:da:bd:67:e7:41:dd:45:08:b7:
23
                    ff:10:06:fa:37:e8:c1:ab:0c:85:b9:48:00:25:25:
24
                    ad:1a:8d:5e:91:83:0a:b4:58:b2:63:23:fd:52:1b:
25
                    fd:11:f9:a1:46:71:68:ca:6d:62:96:74:e0:84:38:
26
                    15:d1:50:a8:b7:ac:ff:dd:86:6e:0f:2c:5e:4b:59:
27
                    51:21:15:27:bc:b4:03:6e:10:cf:8d:c4:d4:3c:b5:
28
                    ad:41:a2:ff:54:33:e9:96:53:b6:d8:20:11:11:89:
29
                    38:68:8d:06:7a:63:8b:33:db:ce:46:ce:8b:b3:6c:
30
                    89:0d:cc:0a:32:1a:2e:9e:a4:28:bd:72:b1:fc:48:
31
                    f1:c6:f3:b0:2a:c7:9c:2d:88:b5:32:75:cc:eb:a5:
32
                    58:72:b9:0e:31:ef:5f:b3:51:dc:52:11:4d:f4:fc:
33
                    e8:79:00:d1:0d:8f:85:ae:36:8c:0c:8c:d1:3f:45:
34
                    49:f7
35
                Exponent: 65537 (0x10001)
36
        X509v3 extensions:
37
            X509v3 Key Usage: critical
38
                Digital Signature, Key Encipherment
39
            X509v3 Extended Key Usage:
40
                TLS Web Server Authentication, TLS Web Client Authentication
41
            X509v3 Authority Key Identifier:
42
                keyid:28:81:26:05:D1:34:1A:3F:C1:73:0F:BB:93:CF:15:1C:3F:03:BF:7F
43

44
            Authority Information Access:
45
                OCSP - URI:http://ocsp.myssl.com
46
                CA Issuers - URI:http://ca.myssl.com/myssltestrsa.crt
47

48
            X509v3 Subject Alternative Name:
49
                DNS:nhmsrx.nanhai.gov.cn
50
    Signature Algorithm: sha256WithRSAEncryption
51
         6e:0f:92:1a:7b:1f:67:0d:12:54:af:7a:05:95:10:4d:ed:81:
52
         39:91:a6:34:7d:44:eb:c6:4d:98:fd:06:3d:58:50:09:fd:fb:
53
         71:3e:dc:d8:cf:87:1f:1e:6e:ae:43:3e:17:a1:b7:b2:69:dc:
54
         f7:ec:c3:d5:99:1e:d3:03:de:31:e9:e2:89:57:6f:6a:4a:9a:
55
         b6:d7:75:e8:33:e4:a8:39:7c:1c:46:ec:24:64:b1:c4:bd:31:
56
         f0:d3:a7:c6:24:02:5b:26:57:0c:85:ab:21:99:47:ca:e9:2e:
57
         1a:aa:37:d6:99:d4:64:50:e3:36:45:5c:cd:02:78:b3:0f:cb:
58
         e3:a0:45:86:b9:b7:82:74:2d:5e:7f:99:c2:f2:74:16:8a:bd:
59
         dc:98:c1:15:0d:4a:9b:0e:f4:ed:69:5e:a3:60:79:1a:d7:a8:
60
         69:84:08:d6:4d:f2:55:bd:cb:00:95:2c:8f:85:b2:7c:a0:54:
61
         a4:dd:c0:4c:44:19:50:fa:f7:0b:1f:86:04:1d:04:cf:52:33:
62
         9d:d1:2d:38:b1:08:b2:3a:3c:9f:91:b7:1b:af:ed:cb:2c:e6:
63
         44:32:11:96:18:a2:fd:29:91:39:88:40:e2:b7:53:a6:89:7d:
64
         68:bf:9a:cf:5b:a2:e0:df:ea:ff:af:6e:73:77:9d:08:58:06:
65
         f4:1c:25:c0
66
-----BEGIN CERTIFICATE-----
67
MIID7jCCAtagAwIBAgIQER6+Jt29QNOQYPVwOT8jVDANBgkqhkiG9w0BAQsFADBe
68
MQswCQYDVQQGEwJDTjEOMAwGA1UEChMFTXlTU0wxKzApBgNVBAsTIk15U1NMIFRl
69
c3QgUlNBIC0gRm9yIHRlc3QgdXNlIG9ubHkxEjAQBgNVBAMTCU15U1NMLmNvbTAe
70
Fw0yMDEyMjgxMTQwMzFaFw0yNTEyMjcxMTQwMzFaMCwxCzAJBgNVBAYTAkNOMR0w
71
GwYDVQQDExRuaG1zcngubmFuaGFpLmdvdi5jbjCCASIwDQYJKoZIhvcNAQEBBQAD
72
...省略若干行...
73
3jHp4olXb2pKmrbXdegz5Kg5fBxG7CRkscS9MfDTp8YkAlsmVwyFqyGZR8rpLhqq
74
N9aZ1GRQ4zZFXM0CeLMPy+OgRYa5t4J0LV5/mcLydBaKvdyYwRUNSpsO9O1pXqNg
75
eRrXqGmECNZN8lW9ywCVLI+FsnygVKTdwExEGVD69wsfhgQdBM9SM53RLTixCLI6
76
PJ+Rtxuv7css5kQyEZYYov0pkTmIQOK3U6aJfWi/ms9bouDf6v+vbnN3nQhYBvQc
77
JcA=
78
-----END CERTIFICATE-----
79

80
C:\Program Files\OpenSSL-Win64\bin>

部分信息输出


xxxxxxxxxx
19
1
【信息输出选项：】
2
-text：以text格式输出证书内容，即以最全格式输出，
3
     ：包括public key,signature algorithms,issuer和subject names,serial number以及any trust settings.
4
-certopt option：自定义要输出的项
5
-noout         ：禁止输出证书请求文件中的编码部分
6
-pubkey        ：输出证书中的公钥
7
-modulus       ：输出证书中公钥模块部分
8
-serial        ：输出证书的序列号
9
-subject       ：输出证书中的subject
10
-issuer        ：输出证书中的issuer，即颁发者的subject
11
-subject_hash  ：输出证书中subject的hash码
12
-issuer_hash   ：输出证书中issuer(即颁发者的subject)的hash码
13
-hash          ：等价于"-subject_hash"，但此项是为了向后兼容才提供的选项
14
-email         ：输出证书中的email地址，如果有email的话
15
-startdate     ：输出证书有效期的起始日期
16
-enddate       ：输出证书有效期的终止日期
17
-dates         ：输出证书有效期，等价于"startdate+enddate"
18
-fingerprint   ：输出指纹摘要信息```
19


xxxxxxxxxx
26
1
C:\Program Files\OpenSSL-Win64\bin>openssl.exe x509 -in D:\ssl\allinone.txt -noout -serial
2
serial=111EBE26DDBD40D39060F570393F2354
3

4
C:\Program Files\OpenSSL-Win64\bin>openssl.exe x509 -in D:\ssl\allinone.txt -noout -subject
5
subject=C = CN, CN = nhmsrx.nanhai.gov.cn
6

7
C:\Program Files\OpenSSL-Win64\bin>openssl.exe x509 -in D:\ssl\allinone.txt -noout -issuer
8
issuer=C = CN, O = MySSL, OU = MySSL Test RSA - For test use only, CN = MySSL.com
9

10
C:\Program Files\OpenSSL-Win64\bin>openssl.exe x509 -in D:\ssl\allinone.txt -noout -fingerprint
11
SHA1 Fingerprint=94:16:C4:2F:9D:51:A1:C7:6D:26:C9:E2:76:A5:9F:BE:7A:75:BD:94
12

13
C:\Program Files\OpenSSL-Win64\bin>openssl.exe x509 -in D:\ssl\allinone.txt -noout -issuer_hash
14
d8b9d496
15

16
C:\Program Files\OpenSSL-Win64\bin>openssl.exe x509 -in D:\ssl\allinone.txt -noout -startdate -enddate
17
notBefore=Dec 28 11:40:31 2020 GMT
18
notAfter=Dec 27 11:40:31 2025 GMT
19

20
C:\Program Files\OpenSSL-Win64\bin>openssl.exe x509 -in D:\ssl\allinone.txt -noout -dates
21
notBefore=Dec 28 11:40:31 2020 GMT
22
notAfter=Dec 27 11:40:31 2025 GMT
23

24
C:\Program Files\OpenSSL-Win64\bin>openssl.exe x509 -in D:\ssl\allinone.txt -noout -email
25

26
C:\Program Files\OpenSSL-Win64\bin>

ca签暑选项

x509可以将自身模拟为ca角色，实现证书自签发


xxxxxxxxxx
18
1
*****************************************************************************************
2
*  伪命令x509可以像openssl ca一样对证书或请求执行签名动作。注意，openssl x509         *
3
*  不读取配置文件，所有的一切配置都由x509自行提供，所以openssl x509像是一个"mini CA"  *
4
*****************************************************************************************
5
-signkey filename：该选项用于提供自签署时的私钥文件，自签署的输入文件"-in file"的file可以是证书请求文件，也可以是已签署过的证书。-days arg：指定证书有效期限，默认30天。
6
-x509toreq：将已签署的证书转换回证书请求文件。需要使用"-signkey"选项来传递需要的私钥。
7
-req：x509工具默认以证书文件做为inputfile(-in file)，指定该选项将使得input file的file为证书请求文件。
8
-set_serial n：指定证书序列号。该选项可以和"-singkey"或"-CA"选项一起使用。
9
             ：如果和"-CA"一起使用，则"-CAserial"或"-CAcreateserial"选项指定的serial值将失效。
10
             ：序列号可以使用数值或16进制值(0x开头)。也接受负值，但是不建议。
11
-CA filename      ：指定签署时所使用的CA证书。该选项一般和"-req"选项一起使用，用于为证书请求文件签署。
12
-CAkey filename   ：设置CA签署时使用的私钥文件。如果该选项没有指定，将假定CA私钥已经存在于CA自签名的证书文件中。
13
-CAserial filename：设置CA使用的序列号文件。当使用"-CA"选项来签名时，它将会使用某个文件中指定的序列号来唯一标识此次签名后的证书文件。
14
                  ：这个序列号文件的内容仅只有一行，这一行的值为16进制的数字。当某个序列号被使用后，该文件中的序列号将自动增加。
15
                  ：默认序列号文件以CA证书文件基名加".srl"为后缀命名。如CA证书为"mycert.pem"，则默认寻找的序列号文件为"mycert.srl"
16
-CAcreateserial   ：当使用该选项时，如果CA使用的序列号文件不存在将自动创建：该文件将包含序列号值"02"并且此次签名后证书文件序列号为1。
17
                  ：一般如果使用了"-CA"选项而序列号文件不存在将会产生错误"找不到srl文件"。
18
-extfile filename ：指定签名时包含要添加到证书中的扩展项的文件。

流程


xxxxxxxxxx
19
1
【CERTIFICATE EXTENSIONS】
2
-purpose：选项检查证书的扩展项并决定该证书允许用于哪些方面，即证书使用目的范围。
3
basicConstraints：该扩展项用于决定证书是否可以当作CA证书。格式为basicConstraints=CA:true | false
4
                ：1.如果CA的flag设置为true，那么该证书允许作为一个CA证书，即可以颁发下级证书或进行签名；
5
                ：2.如果CA的flag设置为false，那么该证书就不能作为CA，不能为下级颁发证书或签名；
6
                ：3.所有CA的证书中都必须设置CA的flag为true。
7
                ：4.如果basicConstraints扩展项未设置，那么证书被认为可疑的CA，即"possible CA"。
8
keyUsage：该扩展项用于指定证书额外的使用限制，即也是使用目的的一种表现方式。
9
        ：1.如果keyUsage扩展项被指定，那么该证书将又有额外的使用限制。
10
        ：2.CA证书文件中必须至少设置keyUsage=keyCertSign。
11
        ：3.如果设置了keyUsage扩展项，那么不论是否使用了critical，都将被限制在指定的使用目的purpose上。
12
例如，使用x509工具自建CA。由于x509无法建立证书请求文件，所以只能使用openssl req来生成请求文件，然后使用x509来自签署。自签署时，使用"-req"选项明确表示输入文件为证书请求文件，否则将默认以为是证书文件，再使用"-signkey"提供自签署时使用的私钥。
13

14
[root@xuexi ssl]# openssl req -new -keyout key.pem -out req.csr
15

16
[root@xuexi ssl]# openssl x509 -req -in req.csr -signkey key.pem -out x509.crt
17
x509也可以用来签署他人的证书请求，即为他人颁发证书。注意，为他人颁发证书时，确保serial文件存在，建议使用自动创建的选项"-CAcreateserial"。
18

19
[root@xuexi ssl]# openssl x509 -req -in req.csr -CA ca.crt -CAkey ca.key -out x509.crt -CAcreateserial

证书查看

命令查看


xxxxxxxxxx
14
1
#查看 PEM - Privacy Enhanced Mail 格式证书文件命令
2
openssl x509 -in roots.pem -text -noout
3

4
***
5
        Validity
6
            Not Before: Sep  1 12:00:00 1998 GMT  # 有效期起始与结束。
7
            Not After : Jan 28 12:00:00 2028 GMT
8
                Subject: CN=docs.haudi.top     # 对应的域名
9
                DNS:docs.haudi.top
10
***
11

12

13

14


xxxxxxxxxx
2
1
#查看 DER - Distinguished Encoding Rules 格式证书命令：
2
openssl x509 -in roots.der -inform der -text -noout

常识

目前的https用的证书rsa密钥位数一般都是2048位

应用

ssh密钥生成


xxxxxxxxxx
5
1
#ssh-keygen -t rsa -b 4096 -f /root/.ssh/new_rsa -N "s3cret" -C "test use only"
2
# 实现了一次生成密钥对
3
# openssl rsa 生成过程
4
# openssl genrsa -out genrsa_2048.rsa 2048
5
# openssl genrsa -out genrsa_2048_encrypt.rsa -des3 -passout pass:123456 2048

注意PEM的格式是密钥文本位于一对BEGIN-END之中，但ssh的公钥不是用的这个格式，则需要ssh-keygen从已有的私钥中将公钥输出


xxxxxxxxxx
43
1
[root@centos ssl_test]# openssl rsa -in genrsa_2048_encrypt.rsa -passin pass:123456 -pubout -out genrsa_2048.decrypt.pub
2
writing RSA key
3
[root@centos ssl_test]# cat genrsa_2048.decrypt.pub
4
# 此公钥对于ssh来说是不可使用的，私钥的格式是一致的，可以直接使用
5
-----BEGIN PUBLIC KEY-----
6
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAs3Z09BnN8KUjeVbNGIQ2
7
qxoT0fqItBcFDkbPReiE5vQIJw4MOcrCCM86vjwgsfTKkESZncly5WWBmZzPdrN0
8
2FlzMl4sXBS0Y+KqOa93cKKmwOzGq+/tjmS3QN7Li+2eSQFpwfpAQd3BLHmKOATs
9
75WqUyBNYPIDaFOjE1bvj3KNE04RR3f7Cb8bjnBxKWpWLt8WTcJ4xnjfafoQwCGi
10
OAN71NwCt0MIb+8VDmESsE1OQREsd55fhNhZpN9OSPwPFQBC1/kSwBf4J7azjXQ7
11
8c5g/Gs3zxUlV6DBpZrcxxVzBJKJWoE65BazRZsQPbULi7eLHoh16ixveeu5fHNK
12
5wIDAQAB
13
-----END PUBLIC KEY-----
14

15
# 转换过程（注意是从私钥输出ssh公钥，不是从公钥输出ssh公钥）
16
[root@centos ssl_test]# ssh-keygen -y -f genrsa_2048_encrypt.rsa >rsa.pub
17
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
18
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
19
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
20
Permissions 0644 for 'genrsa_2048_encrypt.rsa' are too open.
21
It is required that your private key files are NOT accessible by others.
22
This private key will be ignored.
23
Load key "genrsa_2048_encrypt.rsa": bad permissions  # 密钥权限过大不合适
24
[root@centos ssl_test]# ls -alh
25
total 12K
26
drwxr-xr-x   2 root root   83 Jul 28 10:25 .
27
dr-xr-x---. 13 root root 4.0K Jul 27 16:12 ..
28
-rw-r--r--   1 root root  451 Jul 28 10:17 genrsa_2048.decrypt.pub
29
-rw-r--r--   1 root root 1.8K Jul 28 10:14 genrsa_2048_encrypt.rsa
30
-rw-r--r--   1 root root    0 Jul 28 10:25 rsa.pub
31
[root@centos ssl_test]# chmod 600 genrsa_2048_encrypt.rsa
32
# 修改权限仅属主可读写
33
[root@centos ssl_test]# ssh-keygen -y -f genrsa_2048_encrypt.rsa
34
Enter passphrase:
35
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCzdnT0Gc3wpSN5Vs0YhDarGhPR+oi0FwUORs9F6ITm9AgnDgw5ysIIzzq+PCCx9MqQRJmdyXLlZYGZnM92s3TYWXMyXixcFLRj4qo5r3dwoqbA7Mar7+2OZLdA3suL7Z5JAWnB+kBB3cEseYo4BOzvlapTIE1g8gNoU6MTVu+Pco0TThFHd/sJvxuOcHEpalYu3xZNwnjGeN9p+hDAIaI4A3vU3AK3Qwhv7xUOYRKwTU5BESx3nl+E2Fmk305I/A8VAELX+RLAF/gntrONdDvxzmD8azfPFSVXoMGlmtzHFXMEkolagTrkFrNFmxA9tQuLt4seiHXqLG9567l8c0rn
36
[root@centos ssl_test]# ssh-keygen -y -f genrsa_2048_encrypt.rsa >rsa.pub
37
# 输入到文件
38
Enter passphrase:
39
[root@centos ssl_test]# cat rsa.pub
40
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCzdnT0Gc3wpSN5Vs0YhDarGhPR+oi0FwUORs9F6ITm9AgnDgw5ysIIzzq+PCCx9MqQRJmdyXLlZYGZnM92s3TYWXMyXixcFLRj4qo5r3dwoqbA7Mar7+2OZLdA3suL7Z5JAWnB+kBB3cEseYo4BOzvlapTIE1g8gNoU6MTVu+Pco0TThFHd/sJvxuOcHEpalYu3xZNwnjGeN9p+hDAIaI4A3vU3AK3Qwhv7xUOYRKwTU5BESx3nl+E2Fmk305I/A8VAELX+RLAF/gntrONdDvxzmD8azfPFSVXoMGlmtzHFXMEkolagTrkFrNFmxA9tQuLt4seiHXqLG9567l8c0rn
41

42

43

公钥长库对比


xxxxxxxxxx
7
1
# cat .ssh/authorized_keys
2
# 4096
3
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCxj+vQv1jow9cVh42M6PHat9nF88vA+Y11EvmXUctebuhFVHa11b3N1fOWMra1RpIJulgUc4JjLRfuJYPri3wTkaPuCHzyFFwQCQPWIOS+YyQAYlE7ACbKENXUgHPHvubdWQT3u5qenauDyZp+JMBbhJ7eUBCuZnZT8eWb7NREPQw3mpMzVatdvToh1eycqWyHzMjhcoG1/nHidcLsqEe+87Dg/TAo/d8W9IGzjZmbELblF2yh91iJ6PTiqbyCcIPJBI8n4dZeOl1NQWpzvfjoz+/ofSTrZxiv6ntgbCKVuz39ygRqeCAZNDphXqPClkPfGDYgcH83SX/nwTh1u+i55HW8bEZCkFssSeAzfxd2p1kYWkR16iOE8sSxsAB10uehIBmk2+ob8bLtLvWgrifDgdpX6KluzoiI0Qtw2C0VOGRD0DM5QR+ELqdCHMHrzPGEEy1EytfcQRmknOnoNe2lJ7f6VQeLCuUc6Mg4h+daSyUg1l3AwD0QU0WnJuASEnZSEemDejLsDeRTPLh0nxm33M6+5NuwVICXtaElbfqjovJ9JBRdXjN8w9Aq1KBOFX6Q7TMNh/3AXJ/Xr+lNGZ05e8JMZziUyPdnpqf7sZ1jYfKDL5XnT67OM8+uUrKhECCSPOPywu7kiRmZhTnSUysrKknnYmCZ/hLV5nHb7VHL+w== imported-openssh-key
4

5
#2048
6
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCzdnT0Gc3wpSN5Vs0YhDarGhPR+oi0FwUORs9F6ITm9AgnDgw5ysIIzzq+PCCx9MqQRJmdyXLlZYGZnM92s3TYWXMyXixcFLRj4qo5r3dwoqbA7Mar7+2OZLdA3suL7Z5JAWnB+kBB3cEseYo4BOzvlapTIE1g8gNoU6MTVu+Pco0TThFHd/sJvxuOcHEpalYu3xZNwnjGeN9p+hDAIaI4A3vU3AK3Qwhv7xUOYRKwTU5BESx3nl+E2Fmk305I/A8VAELX+RLAF/gntrONdDvxzmD8azfPFSVXoMGlmtzHFXMEkolagTrkFrNFmxA9tQuLt4seiHXqLG9567l8c0rn imported-openssh-key
7

rsa类型，命令提示不支持修改注释，rsa1（ssh1版本使用）支持

但是其实可以直接手动在pub文件中修改或添加的。

-t 加密类型
-b 位数
-f 密钥对保存路径（包含公钥+私钥）
-N 私钥口令
-C 公钥注释信息（可以用命令cat查看公钥文件，查看最后的注释，注释可以随意修改）-c -C "new commit"

yum curl 使用


xxxxxxxxxx
8
1
系统无法验证证书签发机构问题
2
curl -i https://www.kzf.com/.well-known/openid-configuration
3

4
Peer’s Certificate issuer is not recognized
5
此种情况多发生在自签名的证书，报错含义是签发证书机构未经认证，无法识别。我们加个 -K 虽然可以解决 但不是根本解决。这个就是缺少中间证书链  ，
6

7
解决办法是将签发该证书的私有CA公钥cacert.pem是文件内容，追加到/etc/pki/tls/certs/ca-bundle.crt  
8
如果cacert.pem是关联到自定义域名的，则需要添加对应的域名解析到hosts文件。

网站使用

证书申请后，一般包括以下目录及文件


xxxxxxxxxx
18
1
[root@centos scs1594944913408]# tree -L 2
2
.
3
├── Apache
4
│   ├── ca.crt
5
│   ├── server.crt
6
│   └── server.key
7
├── IIS
8
│   ├── keystorePass.txt
9
│   └── server.pfx
10
├── Nginx
11
│   ├── server.crt
12
│   └── server.key
13
├── Tomcat
14
│   ├── keystorePass.txt
15
│   └── server.jks
16
└── domain.csr
17

18


xxxxxxxxxx
63
1
[root@centos scs1594944913408]# ls -alh
2
drwxr-xr-x   2 root root   56 Jul 28 11:42 Apache
3
-rw-r--r--   1 root root 1.1K Jul 28 10:41 domain.csr
4
drwxr-xr-x   2 root root   48 Jul 28 11:42 IIS
5
drwxr-xr-x   2 root root   42 Jul 28 11:42 Nginx
6
drwxr-xr-x   2 root root   48 Jul 28 11:42 Tomcat
7
[root@centos scs1594944913408]# ls -alh Nginx/
8
-rw-r--r-- 1 root root 3.6K Jul 28 10:41 server.crt
9
-rw-r--r-- 1 root root 1.7K Jul 28 10:41 server.key
10
[root@centos scs1594944913408]# ls -alh IIS/
11
-rw-r--r-- 1 root root   16 Jul 28 10:41 keystorePass.txt
12
-rw-r--r-- 1 root root 4.6K Jul 28 10:41 server.pfx
13
[root@centos scs1594944913408]# ls -alh Tomcat/
14
-rw-r--r-- 1 root root   16 Jul 28 10:41 keystorePass.txt
15
-rw-r--r-- 1 root root 4.0K Jul 28 10:41 server.jks
16
[root@centos scs1594944913408]# ls -alh a
17
ls: cannot access a: No such file or directory
18
[root@centos scs1594944913408]# ls -alh Apache/
19
-rw-r--r-- 1 root root 1.7K Jul 28 10:41 ca.crt
20
-rw-r--r-- 1 root root 2.0K Jul 28 10:41 server.crt
21
-rw-r--r-- 1 root root 1.7K Jul 28 10:41 server.key
22
[root@centos scs1594944913408]# cat Nginx/server.crt    
23
# 可对比验证证书关系：Nginx/server.crt  =  cat Apache/ca.crtcat + Apache/server.crt
24
# nginx 有最多有两个段，apache是分开的。
25
-----BEGIN CERTIFICATE-----
26
MIIFlTCCBH2gAwIBAgIQDuKyL6/4ReKnh7vNZ99x9jANBgkqhkiG9w0BAQsFADBu
27
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
28
省略20行
29
RCdCdKeHK0KalvlieleblsU+NjGvF6dE05TUJpRcMog+I1O9dcOzubeWKi1Mw9Ls
30
8DzwdHmu8tsh+33b/QoHplWRxAIWoTGc/eB3hdpzik+lVoBx9x75cb5OnRuu+Qdr
31
gx8HKuV/ObM+P6UEZ7DANzTj4oLmiIwyEVQxIvijMUwKLg1j1SUWThYln2JeCGun
32
Q6kQSwCEMF/d1mdMa0HhqMIsit6QENf/ez2LyOJEGEao/sPTZUJHocA=
33
-----END CERTIFICATE-----
34
-----BEGIN CERTIFICATE-----
35
MIIEqjCCA5KgAwIBAgIQAnmsRYvBskWr+YBTzSybsTANBgkqhkiG9w0BAQsFADBh
36
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
37
省略20行
38
4YSB03Yqp2t3TeZHM9ESfkus74nQyW7pRGezj+TC44xCagCQQOzzNmzEAP2SnCrJ
39
sNE2DpRVMnL8J6xBRdjmOsC3N6cQuKuRXbzByVBjCqAA8t1L0I+9wXJerLPyErjy
40
rMKWaBFLmfK/AHNF4ZihwPGOc7w6UHczBZXH5RFzJNnww+WnKuTPI0HfnVH8lg==
41
-----END CERTIFICATE-----
42

43
[root@centos scs1594944913408]# cat Apache/server.crt
44
-----BEGIN CERTIFICATE-----
45
MIIFlTCCBH2gAwIBAgIQDuKyL6/4ReKnh7vNZ99x9jANBgkqhkiG9w0BAQsFADBu
46
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
47
省略20行
48
RCdCdKeHK0KalvlieleblsU+NjGvF6dE05TUJpRcMog+I1O9dcOzubeWKi1Mw9Ls
49
8DzwdHmu8tsh+33b/QoHplWRxAIWoTGc/eB3hdpzik+lVoBx9x75cb5OnRuu+Qdr
50
gx8HKuV/ObM+P6UEZ7DANzTj4oLmiIwyEVQxIvijMUwKLg1j1SUWThYln2JeCGun
51
Q6kQSwCEMF/d1mdMa0HhqMIsit6QENf/ez2LyOJEGEao/sPTZUJHocA=
52
-----END CERTIFICATE-----
53
[root@centos scs1594944913408]# cat Apache/ca.crt
54
-----BEGIN CERTIFICATE-----
55
MIIEqjCCA5KgAwIBAgIQAnmsRYvBskWr+YBTzSybsTANBgkqhkiG9w0BAQsFADBh
56
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
57
省略20行
58
4YSB03Yqp2t3TeZHM9ESfkus74nQyW7pRGezj+TC44xCagCQQOzzNmzEAP2SnCrJ
59
sNE2DpRVMnL8J6xBRdjmOsC3N6cQuKuRXbzByVBjCqAA8t1L0I+9wXJerLPyErjy
60
rMKWaBFLmfK/AHNF4ZihwPGOc7w6UHczBZXH5RFzJNnww+WnKuTPI0HfnVH8lg==
61
-----END CERTIFICATE-----
62
[root@centos scs1594944913408]#
63

如何在tomcat上安装SSL证书https://support.huaweicloud.com/scm_faq/scm_01_0022.html

如何在Nginx上安装SSL证书https://support.huaweicloud.com/scm_faq/scm_01_0023.html

其它工具导出公钥

puttygen、xshell、securecrt均支持从私钥导出公钥。

比如putty保存的密钥文件(ppk扩展名)是公私在同一个文件中。里面表示了公钥的行数和私钥的行数，但这个是专用的不能用从ppk文本中提取相关行复制粘贴为PEM格式（BEGIN-END对）


xxxxxxxxxx
27
1
PuTTY-User-Key-File-2: ssh-rsa
2
Encryption: none
3
Comment: rsa-key-20200728
4
Public-Lines: 6
5
AAAAB3NzaC1yc2EAAAABJQAAAQEAji3pW2Q3BsGdt4QUjqP+Um8KmkEOvaIQiAqK
6
MSvlcBXwyMrMlo15Ap3f9AcjxLZXgWmQTp5tJigLBF8z60lf+340cy6wNI5HHtij
7
U3Zoi52xTx1Dj93X+offyEdA47TTjhubk1msxpK7lDj/UAGJzD1lEAOawzXkMtel
8
gK4mKFI6ntmOH0L2yV1GZpLmp2zFk2qSpOC6fwESgUWbtY0Mf+iCzGAC0adfOFH/
9
vx1GU4QfBKey39Qcr1imS0cWAmt+8ie/9BeQErIcgUwN3ht4k0Q2X9xjO/LHQ4uw
10
CjmSIKMCBtZOxpcCWYvOIRDmae2+IlKNcK312fCa104IcIIjFw==
11
Private-Lines: 14
12
AAABAAPXujLnCGf3ZSCitHKOz4Wv+V4dbxnhyRhu/NDlgr3XFFh0Lwr855hJdMFn
13
+gw8R43gQiujarvXkZhVmZ6TR8iG3tKuPB0YmiNto4yiVdpCiEBokx+QX8iANnsI
14
2D2BbYBhnGvEJ0OjGdOS1nfIsLJ+MynyQnP6iaCCXmtC+hzD6Vtp68NGgfLpn9am
15
SLK1ayC9SW1gzYxnVIcmVosKTvdyooC9BIAYKGPgzijNdgpoCBuBDe0GWlsSHAYv
16
q6AkXdOt+7jh7FTX0NeIzf25xUvZ7uy4KbNiWqSSesFCu+53r2XaK0udZ3EjlF28
17
tk1t68Rmx4JVrDkey0kZvC7py/0AAACBANeKGuwjQqgvuHYwc5fcUOOJ0A5xGDSy
18
bqfOsFtOTxiE1KruPmNwXQVTVihFO77aJmlpdTJlE+QuqKaBl35thvB49uNRJDCU
19
yNN0BHbtdB/QzjtvB9w7Md65lVdRC4zYJ/Teox4LGOcGTovJEBhHDrHnrbNw4CZw
20
y9dxBwkxABP5AAAAgQCo3m+Ows+GfeC2MBbM9uNmTj7nZMrQgaMzKgq+TsCKN4Jb
21
Qs/43cyDdX4LlC93+FSJoYt9ONUpVxHy5MvJb6L+4Qt66kw3OrgZ5oHRRM3Uy/Zy
22
ujaAE4nOwMqayojb0S6zb6ruzb4n+RjQy7p08fv418oEKWvrJ7Fh1Y7Md7eTjwAA
23
AIBXskj7V2tt5f4VXAin3aN1sSk6nMg2TADCWCHupp0cRX+fPEG/lDQh4JYp1Q8m
24
ID/UrSHBOt2ofQBoFCwT8ngcPpuYGgmgOpELYcnEDPo+b87Lm6wf5U0dVsPAJXeT
25
UaTUJBbfGqv+K+Wng3K1+r1jg7A7vL3dPJirdp/n3QMMtw==
26
Private-MAC: 45dc71e11a4823cbf38b54d0044b798ccc8175cb
27

网站https安全等级检测（推荐）

https://myssl.com/haudi.top?status=q

在线生成网站

搜索引擎关键词：ssl证书在线转换

https://myssl.com/create_test_cert.html 先生成，再转换为标准java key storeage。此可以生成自签名证书。

https://www.getssl.cn/export_keystore.php 注意大小 nginx pem4k key2k = jks3k ，另外5k一般不正常。

https://www.myssl.cn/tools/merge-jks-cert.html nginx crt+key 在线转jks（tomcat用）

https://www.myssl.cn/tools/merge-jks-cert.html

https://www.ssleye.com/jks_pkcs12.html


xxxxxxxxxx
8
1
完整的证书内容一般分为3级，服务端证书-中间证书-根证书，即 end-user certificates， intermediates Certificates 和 root Certificates。
2

3
end-user ：用来加密传输数据的公钥的证书，是https中使用的证书。开发者牛小七把证书部署在qiniu.com 的服务器上。
4
intermediates：CA用来认证公钥持有者身份的证书，即确认https使用的end-user证书是属于qiniu.com的证书。
5
root：用来认证intermediates证书是合法证书的证书。
6
简单来说，end-user证书上面几级证书都是为了保证end-user证书未被篡改，保证是CA签发的合法证书，进而保证end-user证书中的公钥未被篡改。我们使用end-user certificates来确保加密传输数据的公钥(public key)不被篡改，而又如何确保end-user certificates的合法性呢？这个认证过程跟公钥的认证过程类似，首先获取颁布end-user certificates的CA的证书，然后验证end-user certificates的signature。一般来说，root CAs不会直接颁布end-user certificates的，而是授权给多个二级CA，而二级CA又可以授权给多个三级CA，这些中间的CA就是intermediates CAs，它们才会颁布end-user certificates。
7

8
七牛云证书管理，会在用户上传证书的时检测证书的完整性，证书链不完整会自动帮用户补全证书链，但无法保证补全的证书链100%是正确的。所以需要用户选择使用自传的证书还是系统补全后的证书。

refers


xxxxxxxxxx
1
1

准备