差異處

這裏顯示兩個版本的差異處。

--- tech:openssl_tips [2008/08/22 13:05] – jonathan
+++ tech:openssl_tips [2018/12/31 23:56] (目前版本) – Jonathan Tsai
@@ 行 1: / 行 1: @@
+====== OpenSSL 常用語法整理 ======
+===== - 直接看憑證檔內容 ====
+<code sh>
+openssl x509 -in cert.pem -text -noout
+</code>
+++++看結果訊息|
+<file>
+[root@pve-ms ichiayi.com]# openssl x509 -in cert.pem -text -noout | more
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+:9f:af:ef:f3:22:59:75:7a:fd:a3:78:76:2c:b6:bb:f9:f5
+    Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3
+        Validity
+            Not Before: Dec 31 14:20:07 2018 GMT
+            Not After : Mar 31 14:20:07 2019 GMT
+        Subject: CN=ichiayi.com
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+:b5:ca:5b:e8:b5:e3:1b:0d:51:25:a7:7f:12:2e:
+:73:49:5f:9f:52:ee:66:f3:26:4b:74:82:6d:a1:
+:80:c7:3c:25:88:1d:ba:7a:77:8d:12:a9:0f:2b:
+:c0:5c:dd:eb:6f:13:2f:fc:4e:6b:b3:7a:3c:40:
+:91:01:e9:75:3c:ca:09:c8:af:c1:ec:af:aa:b2:
+                    ca:4d:f9:70:e6:72:a8:3e:b7:ab:4f:29:b2:f3:ef:
+d:e2:9b:1c:42:58:f6:80:4a:fa:ed:bc:2f:cb:30:
+                    a2:6b:83:be:3c:93:ac:56:5c:b8:42:35:77:48:cb:
+:bb:fb:50:fc:4d:be:22:6b:d3:42:22:3b:ad:91:
+c:61:b9:b1:d0:63:4a:38:66:9b:da:ec:50:2b:bd:
+                    e9:ce:25:8f:fd:3a:dd:bc:6f:96:1b:7e:8e:47:ba:
+:4f:8c:48:2d:98:a2:34:17:66:dd:0a:78:6f:9c:
+                    ff:56:b7:d1:1e:f5:5d:58:1f:0c:b6:89:a0:3e:5a:
+                    d3:5d:12:68:a0:5e:ed:c3:c3:41:64:0c:c8:0c:19:
+e:7d:3e:49:ca:4c:ff:af:5d:68:2e:04:eb:4e:14:
+:04:9d:52:54:d5:dd:1f:7b:5f:31:ab:7a:48:a9:
+c:80:c8:c8:17:b5:4f:86:8a:35:b7:d5:a7:f3:9d:
+                    ca:d1
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Key Usage: critical
+                Digital Signature, Key Encipherment
+            X509v3 Extended Key Usage:
+                TLS Web Server Authentication, TLS Web Client Authentication
+            X509v3 Basic Constraints: critical
+                CA:FALSE
+            X509v3 Subject Key Identifier:
+E:D2:F4:8B:D0:31:49:7E:9C:37:38:D8:A2:68:67:B4:C7:37:F2:0C
+[root@pve-ms ichiayi.com]# openssl x509 -in cert.pem -text -noout
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+:9f:af:ef:f3:22:59:75:7a:fd:a3:78:76:2c:b6:bb:f9:f5
+    Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3
+        Validity
+            Not Before: Dec 31 14:20:07 2018 GMT
+            Not After : Mar 31 14:20:07 2019 GMT
+        Subject: CN=ichiayi.com
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+:b5:ca:5b:e8:b5:e3:1b:0d:51:25:a7:7f:12:2e:
+:73:49:5f:9f:52:ee:66:f3:26:4b:74:82:6d:a1:
+:80:c7:3c:25:88:1d:ba:7a:77:8d:12:a9:0f:2b:
+:c0:5c:dd:eb:6f:13:2f:fc:4e:6b:b3:7a:3c:40:
+:91:01:e9:75:3c:ca:09:c8:af:c1:ec:af:aa:b2:
+                    ca:4d:f9:70:e6:72:a8:3e:b7:ab:4f:29:b2:f3:ef:
+d:e2:9b:1c:42:58:f6:80:4a:fa:ed:bc:2f:cb:30:
+                    a2:6b:83:be:3c:93:ac:56:5c:b8:42:35:77:48:cb:
+:bb:fb:50:fc:4d:be:22:6b:d3:42:22:3b:ad:91:
+c:61:b9:b1:d0:63:4a:38:66:9b:da:ec:50:2b:bd:
+                    e9:ce:25:8f:fd:3a:dd:bc:6f:96:1b:7e:8e:47:ba:
+:4f:8c:48:2d:98:a2:34:17:66:dd:0a:78:6f:9c:
+                    ff:56:b7:d1:1e:f5:5d:58:1f:0c:b6:89:a0:3e:5a:
+                    d3:5d:12:68:a0:5e:ed:c3:c3:41:64:0c:c8:0c:19:
+e:7d:3e:49:ca:4c:ff:af:5d:68:2e:04:eb:4e:14:
+:04:9d:52:54:d5:dd:1f:7b:5f:31:ab:7a:48:a9:
+c:80:c8:c8:17:b5:4f:86:8a:35:b7:d5:a7:f3:9d:
+                    ca:d1
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Key Usage: critical
+                Digital Signature, Key Encipherment
+            X509v3 Extended Key Usage:
+                TLS Web Server Authentication, TLS Web Client Authentication
+            X509v3 Basic Constraints: critical
+                CA:FALSE
+            X509v3 Subject Key Identifier:
+E:D2:F4:8B:D0:31:49:7E:9C:37:38:D8:A2:68:67:B4:C7:37:F2:0C
+            X509v3 Authority Key Identifier:
+                keyid:A8:4A:6A:63:04:7D:DD:BA:E6:D1:39:B7:A6:45:65:EF:F3:A8:EC:A1
+            Authority Information Access:
+                OCSP - URI:http://ocsp.int-x3.letsencrypt.org
+                CA Issuers - URI:http://cert.int-x3.letsencrypt.org/
+            X509v3 Subject Alternative Name:
+                DNS:*.ichiayi.com, DNS:ichiayi.com
+            X509v3 Certificate Policies:
+                Policy: 2.23.140.1.2.1
+                Policy: 1.3.6.1.4.1.44947.1.1.1
+                  CPS: http://cps.letsencrypt.org
+            CT Precertificate SCTs:
+                Signed Certificate Timestamp:
+                    Version   : v1(0)
+                    Log ID    : E2:69:4B:AE:26:E8:E9:40:09:E8:86:1B:B6:3B:83:D4:
+E:E7:FE:74:88:FB:A4:8F:28:93:01:9D:DD:F1:DB:FE
+                    Timestamp : Dec 31 15:20:07.239 2018 GMT
+                    Extensions: none
+                    Signature : ecdsa-with-SHA256
+:46:02:21:00:E3:CE:5C:96:90:FE:BF:85:28:74:0C:
+:21:C2:13:FB:15:01:E8:15:08:70:D2:F8:26:2C:34:
+:3D:FE:5E:83:02:21:00:E4:D8:77:86:70:48:D1:B5:
+                                CD:5E:AD:D6:C0:96:E3:4F:40:08:6C:56:8F:1B:07:E3:
+                                CC:F2:9C:71:0C:3B:75:A9
+                Signed Certificate Timestamp:
+                    Version   : v1(0)
+                    Log ID    : 29:3C:51:96:54:C8:39:65:BA:AA:50:FC:58:07:D4:B7:
+F:BF:58:7A:29:72:DC:A4:C3:0C:F4:E5:45:47:F4:78
+                    Timestamp : Dec 31 15:20:07.236 2018 GMT
+                    Extensions: none
+                    Signature : ecdsa-with-SHA256
+:45:02:21:00:C8:C6:CD:41:89:E5:8A:6D:45:22:1E:
+:63:19:28:6E:C6:C2:AD:96:36:56:33:80:84:7C:60:
+:D6:6B:11:B1:02:20:0C:F8:CB:1E:B4:87:EC:98:10:
+A:65:BF:BE:F6:CE:82:10:48:F6:6A:27:FB:68:FD:28:
+:46:C3:4F:6C:11:DA
+    Signature Algorithm: sha256WithRSAEncryption
+:53:92:93:80:f7:37:93:eb:4f:5e:c0:61:f4:6b:ca:7c:40:
+         df:53:85:e7:8a:9a:0c:30:a7:97:7b:58:a3:e7:ab:5e:2e:cf:
+:88:33:97:cc:01:11:22:4f:a6:fd:2c:52:41:60:1d:13:94:
+         ee:f4:04:ce:18:bd:fe:73:f9:b9:63:22:86:18:af:7f:2e:51:
+e:0f:f4:35:17:81:63:03:cf:2e:ca:89:45:3f:01:63:af:4d:
+d:90:6b:5a:ee:d7:ae:77:c1:33:d7:c4:c1:b4:c9:70:37:02:
+:ed:d0:3e:25:52:5d:7e:1b:98:84:48:51:ee:1f:55:a6:ed:
+:08:8f:71:2e:ee:27:9a:13:c5:b2:82:f7:c4:60:2e:e1:da:
+e:01:7f:66:a8:6d:fb:f2:57:4c:e8:fb:56:2c:74:91:87:67:
+c:c2:16:b1:05:00:e6:95:06:d8:09:b8:3f:89:62:6e:ea:31:
+:47:bb:2a:45:1c:ba:94:0a:71:1d:27:1e:e7:60:4f:3c:76:
+         b8:81:49:22:12:29:f9:fd:b6:7f:4e:36:7e:64:6c:20:98:8a:
+b:61:96:fb:a4:7e:45:d1:21:ae:de:c8:7c:67:40:7a:c8:45:
+:ae:91:fb:1f:d2:a2:0b:f9:fa:84:43:f9:c8:ad:1a:77:79:
+c:fe:3d:06
+</file>++++
+===== - 將憑證 PEM 格式轉成 DER 格式 =====
+<code sh>
+openssl x509 -inform PEM -outform DER -in ClientCA.crt -out ClientCA.cer
+</code>
+++++看結果訊息|
+<file>
+[jonathan@pd920 certs]$ openssl x509 -inform PEM -outform DER -in ClientCA.crt -out ClientCA.cer
+</file>
+|  {{:tech:trysoft_test:clientca.crt|}}  |  {{:tech:trysoft_test:clientca.cer|}}  |
+++++
+===== - 將憑證 DER 格式轉成 PEM 格式 =====
+<code sh>
+openssl x509 -inform DER -in GCA.cer -out GCA.crt
+</code>
+++++看結果訊息|
+<file>
+[jonathan@pd920 gca]$ openssl x509 -inform DER -in GCA.cer -out GCA.crt
+</file>
+|  {{:tech:gca:gca.cer|}}  |  {{:tech:gca:gca.crt|}}  |
+++++
+===== - 將 CRL 檔由 PEM 格式轉成 DER 格式 =====
+<code sh>
+openssl crl -in trysoft.crl -outform DER -out trysoft_der.crl
+</code>
+===== - 檢驗 CRL 檔並將 DER 格式轉成文字格式 =====
+<code sh>
+wget http://gca.nat.gov.tw/repository/GCA4/CRL/complete.crl
+wget http://gca.nat.gov.tw/repository/Certs/GCA.cer
+openssl crl -inform DER -in complete.crl -text -CAfile GCA.crt -out gca_crl.txt
+</code>
+++++結果訊息|
+<file>
+[jonathan@pd920 gca]$ openssl crl -inform DER -in complete.crl -text -CAfile GCA.crt -out gca_crl.txt
+verify OK
+[jonathan@pd920 gca]$ more gca_crl.txt
+Certificate Revocation List (CRL):
+        Version 2 (0x1)
+        Signature Algorithm: sha1WithRSAEncryption
+        Issuer: /C=TW/O=\xE8\xA1\x8C\xE6\x94\xBF\xE9\x99\xA2/OU=\xE6\x94\xBF\xE5\xBA\x9C\xE6\x86\x91
+\xE8\xAD\x89\xE7\xAE\xA1\xE7\x90\x86\xE4\xB8\xAD\xE5\xBF\x83
+        Last Update: Aug 21 16:00:00 2008 GMT
+        Next Update: Sep 21 16:00:00 2008 GMT
+        CRL extensions:
+:
+:
+</file>
+++++
+===== - 驗 ClientCA.cer 憑證的方式 =====
+  - 要先取得該憑證的 root 憑證 RootCA.crt 與廢止清冊 CRL.crt
+  - 如果有中繼憑證簽發，也必須取得所有中繼憑證 Exp. Mid1CA.crt , Mid2CA.crt
+  - 依據順序產生憑證 chain 檔 chain.crt (PEM 格式) ++語法|<code sh>
+cat RootCA.crt > chain.crt
+cat Mid1CA.crt >> chain.crt
+cat Mid2CA.crt >> chain.crt
+cat CRL.crt >> chain.crt
+</code>++
+  - 將 ClientCA.cer 由 DER 轉成 PEM 格式 ++語法|<code sh>
+openssl x509 -inform DER -in ClientCA.cer -out ClientCA.crt
+</code>++
+  - 執行以下語法來檢驗憑證 ++語法|<code sh>
+openssl verify -CAfile chain.crt -crl_check ClientCA.crt
+</code>++
+  - 如果沒問題會++出現|<file>
+[jonathan@pd920 certs]$ openssl verify -CAfile chain.crt -crl_check ClientCA.crt
+ClientCA.crt: OK
+</file>++
+  - 如果憑證存在廢止清冊內會++出現|<file>
+[jonathan@pd920 certs]$ openssl verify -CAfile chain.crt -crl_check ClientCA.crt
+ClientCA.crt: /C=TW/ST=Taiwan/L=Taipei/O=Test Corp./CN=Test Corp./[email protected]
+error 23 at 0 depth lookup:certificate revoked
+</file>++
+===== 相關參考網址 =====
+  * [[http://www.madboa.com/geek/openssl/]]
+  * [[http://www.ascc.net/nl/91/1819/02.txt]]
+  * [[http://www.study-area.org/tips/certs/certs.html]]
+  * [[http://ssorc.tw/rewrite.php/read-42.html]]++主要內容|<code>
+產生 private key 私密金鑰 及 憑證 cert (365 天, 1024 bits)
+openssl req -new -x509 -keyout server.key -out server.crt -days 3650 -newkey rsa:1024
+   -nodes : 可以不加密碼
+   -subj '/C=TW/ST=Taiwan/L=Taipei/CN=ssorc.tw/[email protected]' : 個人資訊，加的話不會出用提示的方式
+產生私密金鑰(private key) & 憑證要求(certificate signing request = csr)
+   openssl req -new -keyout server.key -out server.csr -days 365 -newkey rsa:1024
+   如果要引用已有 private key 了來產生憑證要求
+openssl req -new -key server.key -out server.csr
+簽署 csr 產生 crt
+openssl x509 -in server.csr -out server.crt -req -text -signkey server.key
+CA 簽發
+openssl ca -policy policy_anything -out server.crt -infiles server.csr
+檢查簽署
+openssl req -in server.csr -noout -verify -key server.key
+檢查憑證
+openssl verify server.crt
+查看 csr 內容
+openssl req -in server.csr -noout -text
+-noout : 不輸出BEGIN CERTIFICATE REQUEST
+查看 csr 內容並檢查
+openssl req -in server.csr -noout -text -verify
+查看 crt 內容
+openssl x509 -in server.crt -text
+其它查看的參數
+-issuer
+-subject
+-dates
+產生 Windows用的 p12
+openssl pkcs12 -export -in server.crt -inkey server.key -out windows.p12
+   如果反過來的話
+openssl pkcs12 -in windows.p12 -out server.crt
+windows DER
+   openssl x509 -in cacert.pem -out cacert.der -outform DER
+產生 public key
+openssl rsa -in server.key -pubout
+產生 rsa key
+openssl genrsa
+openssl genrsa 1024
+openssl genrsa 1024 -out server.rsa.key
+文件加密、解密
+   明文文件（plain text）  ：test.txt
+   密文文件（cipher text）：test.msg
+   文件加密
+echo "this is a test file" > test.txt
+openssl smime -encrypt -in test.txt -out test.msg cert.pem
+   文件解密
+openssl smime -decrypt -in test.msg -recip cert.pem -inkey key.pem
+   驗證簽章（Verify Signature）
+openssl smime -sign -inkey key.pem -signer cert.pem -in test.txt -out test.sig
+openssl smime -verif -in test.sig -signer cert.pem -out test2.txt -CAfile cacert.pem
+測試 TLS
+openssl s_client -CAfile cacert.pem -connect localhost:993
+openssl s_client -connect remote.host:25 -starttls smtp
+openssl s_time -connect remote_host:443
+Benchmark
+openssl speed
+openssl speed rsa
+ref: http://www.madboa.com/geek/openssl/
+ref: http://www.ascc.net/nl/91/1819/02.txt
+ref: http://www.study-area.org/tips/certs/certs.html
+</code>++
+{{tag>openssl pki ca tips}}