====== OpenSSL 常用語法整理 ======
===== - 直接看憑證檔內容 ====
openssl x509 -in cert.pem -text -noout
++++看結果訊息|
[root@pve-ms ichiayi.com]# openssl x509 -in cert.pem -text -noout | more
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
03:9f:af:ef:f3:22:59:75:7a:fd:a3:78:76:2c:b6:bb:f9:f5
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3
Validity
Not Before: Dec 31 14:20:07 2018 GMT
Not After : Mar 31 14:20:07 2019 GMT
Subject: CN=ichiayi.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:b5:ca:5b:e8:b5:e3:1b:0d:51:25:a7:7f:12:2e:
26:73:49:5f:9f:52:ee:66:f3:26:4b:74:82:6d:a1:
60:80:c7:3c:25:88:1d:ba:7a:77:8d:12:a9:0f:2b:
86:c0:5c:dd:eb:6f:13:2f:fc:4e:6b:b3:7a:3c:40:
07:91:01:e9:75:3c:ca:09:c8:af:c1:ec:af:aa:b2:
ca:4d:f9:70:e6:72:a8:3e:b7:ab:4f:29:b2:f3:ef:
5d:e2:9b:1c:42:58:f6:80:4a:fa:ed:bc:2f:cb:30:
a2:6b:83:be:3c:93:ac:56:5c:b8:42:35:77:48:cb:
12:bb:fb:50:fc:4d:be:22:6b:d3:42:22:3b:ad:91:
6c:61:b9:b1:d0:63:4a:38:66:9b:da:ec:50:2b:bd:
e9:ce:25:8f:fd:3a:dd:bc:6f:96:1b:7e:8e:47:ba:
66:4f:8c:48:2d:98:a2:34:17:66:dd:0a:78:6f:9c:
ff:56:b7:d1:1e:f5:5d:58:1f:0c:b6:89:a0:3e:5a:
d3:5d:12:68:a0:5e:ed:c3:c3:41:64:0c:c8:0c:19:
7e:7d:3e:49:ca:4c:ff:af:5d:68:2e:04:eb:4e:14:
71:04:9d:52:54:d5:dd:1f:7b:5f:31:ab:7a:48:a9:
0c:80:c8:c8:17:b5:4f:86:8a:35:b7:d5:a7:f3:9d:
ca:d1
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Subject Key Identifier:
2E:D2:F4:8B:D0:31:49:7E:9C:37:38:D8:A2:68:67:B4:C7:37:F2:0C
[root@pve-ms ichiayi.com]# openssl x509 -in cert.pem -text -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
03:9f:af:ef:f3:22:59:75:7a:fd:a3:78:76:2c:b6:bb:f9:f5
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3
Validity
Not Before: Dec 31 14:20:07 2018 GMT
Not After : Mar 31 14:20:07 2019 GMT
Subject: CN=ichiayi.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:b5:ca:5b:e8:b5:e3:1b:0d:51:25:a7:7f:12:2e:
26:73:49:5f:9f:52:ee:66:f3:26:4b:74:82:6d:a1:
60:80:c7:3c:25:88:1d:ba:7a:77:8d:12:a9:0f:2b:
86:c0:5c:dd:eb:6f:13:2f:fc:4e:6b:b3:7a:3c:40:
07:91:01:e9:75:3c:ca:09:c8:af:c1:ec:af:aa:b2:
ca:4d:f9:70:e6:72:a8:3e:b7:ab:4f:29:b2:f3:ef:
5d:e2:9b:1c:42:58:f6:80:4a:fa:ed:bc:2f:cb:30:
a2:6b:83:be:3c:93:ac:56:5c:b8:42:35:77:48:cb:
12:bb:fb:50:fc:4d:be:22:6b:d3:42:22:3b:ad:91:
6c:61:b9:b1:d0:63:4a:38:66:9b:da:ec:50:2b:bd:
e9:ce:25:8f:fd:3a:dd:bc:6f:96:1b:7e:8e:47:ba:
66:4f:8c:48:2d:98:a2:34:17:66:dd:0a:78:6f:9c:
ff:56:b7:d1:1e:f5:5d:58:1f:0c:b6:89:a0:3e:5a:
d3:5d:12:68:a0:5e:ed:c3:c3:41:64:0c:c8:0c:19:
7e:7d:3e:49:ca:4c:ff:af:5d:68:2e:04:eb:4e:14:
71:04:9d:52:54:d5:dd:1f:7b:5f:31:ab:7a:48:a9:
0c:80:c8:c8:17:b5:4f:86:8a:35:b7:d5:a7:f3:9d:
ca:d1
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Subject Key Identifier:
2E:D2:F4:8B:D0:31:49:7E:9C:37:38:D8:A2:68:67:B4:C7:37:F2:0C
X509v3 Authority Key Identifier:
keyid:A8:4A:6A:63:04:7D:DD:BA:E6:D1:39:B7:A6:45:65:EF:F3:A8:EC:A1
Authority Information Access:
OCSP - URI:http://ocsp.int-x3.letsencrypt.org
CA Issuers - URI:http://cert.int-x3.letsencrypt.org/
X509v3 Subject Alternative Name:
DNS:*.ichiayi.com, DNS:ichiayi.com
X509v3 Certificate Policies:
Policy: 2.23.140.1.2.1
Policy: 1.3.6.1.4.1.44947.1.1.1
CPS: http://cps.letsencrypt.org
CT Precertificate SCTs:
Signed Certificate Timestamp:
Version : v1(0)
Log ID : E2:69:4B:AE:26:E8:E9:40:09:E8:86:1B:B6:3B:83:D4:
3E:E7:FE:74:88:FB:A4:8F:28:93:01:9D:DD:F1:DB:FE
Timestamp : Dec 31 15:20:07.239 2018 GMT
Extensions: none
Signature : ecdsa-with-SHA256
30:46:02:21:00:E3:CE:5C:96:90:FE:BF:85:28:74:0C:
81:21:C2:13:FB:15:01:E8:15:08:70:D2:F8:26:2C:34:
35:3D:FE:5E:83:02:21:00:E4:D8:77:86:70:48:D1:B5:
CD:5E:AD:D6:C0:96:E3:4F:40:08:6C:56:8F:1B:07:E3:
CC:F2:9C:71:0C:3B:75:A9
Signed Certificate Timestamp:
Version : v1(0)
Log ID : 29:3C:51:96:54:C8:39:65:BA:AA:50:FC:58:07:D4:B7:
6F:BF:58:7A:29:72:DC:A4:C3:0C:F4:E5:45:47:F4:78
Timestamp : Dec 31 15:20:07.236 2018 GMT
Extensions: none
Signature : ecdsa-with-SHA256
30:45:02:21:00:C8:C6:CD:41:89:E5:8A:6D:45:22:1E:
90:63:19:28:6E:C6:C2:AD:96:36:56:33:80:84:7C:60:
99:D6:6B:11:B1:02:20:0C:F8:CB:1E:B4:87:EC:98:10:
0A:65:BF:BE:F6:CE:82:10:48:F6:6A:27:FB:68:FD:28:
26:46:C3:4F:6C:11:DA
Signature Algorithm: sha256WithRSAEncryption
31:53:92:93:80:f7:37:93:eb:4f:5e:c0:61:f4:6b:ca:7c:40:
df:53:85:e7:8a:9a:0c:30:a7:97:7b:58:a3:e7:ab:5e:2e:cf:
97:88:33:97:cc:01:11:22:4f:a6:fd:2c:52:41:60:1d:13:94:
ee:f4:04:ce:18:bd:fe:73:f9:b9:63:22:86:18:af:7f:2e:51:
5e:0f:f4:35:17:81:63:03:cf:2e:ca:89:45:3f:01:63:af:4d:
0d:90:6b:5a:ee:d7:ae:77:c1:33:d7:c4:c1:b4:c9:70:37:02:
14:ed:d0:3e:25:52:5d:7e:1b:98:84:48:51:ee:1f:55:a6:ed:
54:08:8f:71:2e:ee:27:9a:13:c5:b2:82:f7:c4:60:2e:e1:da:
8e:01:7f:66:a8:6d:fb:f2:57:4c:e8:fb:56:2c:74:91:87:67:
3c:c2:16:b1:05:00:e6:95:06:d8:09:b8:3f:89:62:6e:ea:31:
19:47:bb:2a:45:1c:ba:94:0a:71:1d:27:1e:e7:60:4f:3c:76:
b8:81:49:22:12:29:f9:fd:b6:7f:4e:36:7e:64:6c:20:98:8a:
2b:61:96:fb:a4:7e:45:d1:21:ae:de:c8:7c:67:40:7a:c8:45:
00:ae:91:fb:1f:d2:a2:0b:f9:fa:84:43:f9:c8:ad:1a:77:79:
2c:fe:3d:06
++++
===== - 將憑證 PEM 格式轉成 DER 格式 =====
openssl x509 -inform PEM -outform DER -in ClientCA.crt -out ClientCA.cer
++++看結果訊息|
[jonathan@pd920 certs]$ openssl x509 -inform PEM -outform DER -in ClientCA.crt -out ClientCA.cer
| {{:tech:trysoft_test:clientca.crt|}} | {{:tech:trysoft_test:clientca.cer|}} |
++++
===== - 將憑證 DER 格式轉成 PEM 格式 =====
openssl x509 -inform DER -in GCA.cer -out GCA.crt
++++看結果訊息|
[jonathan@pd920 gca]$ openssl x509 -inform DER -in GCA.cer -out GCA.crt
| {{:tech:gca:gca.cer|}} | {{:tech:gca:gca.crt|}} |
++++
===== - 將 CRL 檔由 PEM 格式轉成 DER 格式 =====
openssl crl -in trysoft.crl -outform DER -out trysoft_der.crl
===== - 檢驗 CRL 檔並將 DER 格式轉成文字格式 =====
wget http://gca.nat.gov.tw/repository/GCA4/CRL/complete.crl
wget http://gca.nat.gov.tw/repository/Certs/GCA.cer
openssl crl -inform DER -in complete.crl -text -CAfile GCA.crt -out gca_crl.txt
++++結果訊息|
[jonathan@pd920 gca]$ openssl crl -inform DER -in complete.crl -text -CAfile GCA.crt -out gca_crl.txt
verify OK
[jonathan@pd920 gca]$ more gca_crl.txt
Certificate Revocation List (CRL):
Version 2 (0x1)
Signature Algorithm: sha1WithRSAEncryption
Issuer: /C=TW/O=\xE8\xA1\x8C\xE6\x94\xBF\xE9\x99\xA2/OU=\xE6\x94\xBF\xE5\xBA\x9C\xE6\x86\x91
\xE8\xAD\x89\xE7\xAE\xA1\xE7\x90\x86\xE4\xB8\xAD\xE5\xBF\x83
Last Update: Aug 21 16:00:00 2008 GMT
Next Update: Sep 21 16:00:00 2008 GMT
CRL extensions:
:
:
++++
===== - 驗 ClientCA.cer 憑證的方式 =====
- 要先取得該憑證的 root 憑證 RootCA.crt 與廢止清冊 CRL.crt
- 如果有中繼憑證簽發,也必須取得所有中繼憑證 Exp. Mid1CA.crt , Mid2CA.crt
- 依據順序產生憑證 chain 檔 chain.crt (PEM 格式) ++語法|
cat RootCA.crt > chain.crt
cat Mid1CA.crt >> chain.crt
cat Mid2CA.crt >> chain.crt
cat CRL.crt >> chain.crt
++
- 將 ClientCA.cer 由 DER 轉成 PEM 格式 ++語法|
openssl x509 -inform DER -in ClientCA.cer -out ClientCA.crt
++
- 執行以下語法來檢驗憑證 ++語法|
openssl verify -CAfile chain.crt -crl_check ClientCA.crt
++
- 如果沒問題會++出現|
[jonathan@pd920 certs]$ openssl verify -CAfile chain.crt -crl_check ClientCA.crt
ClientCA.crt: OK
++
- 如果憑證存在廢止清冊內會++出現|
[jonathan@pd920 certs]$ openssl verify -CAfile chain.crt -crl_check ClientCA.crt
ClientCA.crt: /C=TW/ST=Taiwan/L=Taipei/O=Test Corp./CN=Test Corp./emailAddress=test@ichiayi.com
error 23 at 0 depth lookup:certificate revoked
++
===== 相關參考網址 =====
* [[http://www.madboa.com/geek/openssl/]]
* [[http://www.ascc.net/nl/91/1819/02.txt]]
* [[http://www.study-area.org/tips/certs/certs.html]]
* [[http://ssorc.tw/rewrite.php/read-42.html]]++主要內容|
產生 private key 私密金鑰 及 憑證 cert (365 天, 1024 bits)
openssl req -new -x509 -keyout server.key -out server.crt -days 3650 -newkey rsa:1024
-nodes : 可以不加密碼
-subj '/C=TW/ST=Taiwan/L=Taipei/CN=ssorc.tw/emailAddress=cross@ssorc.tw' : 個人資訊,加的話不會出用提示的方式
產生私密金鑰(private key) & 憑證要求(certificate signing request = csr)
openssl req -new -keyout server.key -out server.csr -days 365 -newkey rsa:1024
如果要引用已有 private key 了來產生憑證要求
openssl req -new -key server.key -out server.csr
簽署 csr 產生 crt
openssl x509 -in server.csr -out server.crt -req -text -signkey server.key
CA 簽發
openssl ca -policy policy_anything -out server.crt -infiles server.csr
檢查簽署
openssl req -in server.csr -noout -verify -key server.key
檢查憑證
openssl verify server.crt
查看 csr 內容
openssl req -in server.csr -noout -text
-noout : 不輸出BEGIN CERTIFICATE REQUEST
查看 csr 內容並檢查
openssl req -in server.csr -noout -text -verify
查看 crt 內容
openssl x509 -in server.crt -text
其它查看的參數
-issuer
-subject
-dates
產生 Windows用的 p12
openssl pkcs12 -export -in server.crt -inkey server.key -out windows.p12
如果反過來的話
openssl pkcs12 -in windows.p12 -out server.crt
windows DER
openssl x509 -in cacert.pem -out cacert.der -outform DER
產生 public key
openssl rsa -in server.key -pubout
產生 rsa key
openssl genrsa
openssl genrsa 1024
openssl genrsa 1024 -out server.rsa.key
文件加密、解密
明文文件(plain text) :test.txt
密文文件(cipher text):test.msg
文件加密
echo "this is a test file" > test.txt
openssl smime -encrypt -in test.txt -out test.msg cert.pem
文件解密
openssl smime -decrypt -in test.msg -recip cert.pem -inkey key.pem
驗證簽章(Verify Signature)
openssl smime -sign -inkey key.pem -signer cert.pem -in test.txt -out test.sig
openssl smime -verif -in test.sig -signer cert.pem -out test2.txt -CAfile cacert.pem
測試 TLS
openssl s_client -CAfile cacert.pem -connect localhost:993
openssl s_client -connect remote.host:25 -starttls smtp
openssl s_time -connect remote_host:443
Benchmark
openssl speed
openssl speed rsa
ref: http://www.madboa.com/geek/openssl/
ref: http://www.ascc.net/nl/91/1819/02.txt
ref: http://www.study-area.org/tips/certs/certs.html
++
{{tag>openssl pki ca tips}}