Differences

This page shows the differences between two revisions.

tech:openssl_tips [2008/08/22 13:23] jonathan
tech:openssl_tips [2018/12/31 23:56] (current version) Jonathan Tsai
Line 1: Line 1:
 +====== OpenSSL 常用語法整理 ======
 +
 +===== - 直接看憑證檔內容 ====
 +<code sh>
 +openssl x509 -in cert.pem -text -noout
 +</code>
 +++++看結果訊息|
 +<file>
 +[root@pve-ms ichiayi.com]# openssl x509 -in cert.pem -text -noout | more
 +Certificate:
 +    Data:
 +        Version: 3 (0x2)
 +        Serial Number:
 +            03:9f:af:ef:f3:22:59:75:7a:fd:a3:78:76:2c:b6:bb:f9:f5
 +    Signature Algorithm: sha256WithRSAEncryption
 +        Issuer: C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3
 +        Validity
 +            Not Before: Dec 31 14:20:07 2018 GMT
 +            Not After : Mar 31 14:20:07 2019 GMT
 +        Subject: CN=ichiayi.com
 +        Subject Public Key Info:
 +            Public Key Algorithm: rsaEncryption
 +                Public-Key: (2048 bit)
 +                Modulus:
 +                    00:b5:ca:5b:e8:b5:e3:1b:0d:51:25:a7:7f:12:2e:
 +                    26:73:49:5f:9f:52:ee:66:f3:26:4b:74:82:6d:a1:
 +                    60:80:c7:3c:25:88:1d:ba:7a:77:8d:12:a9:0f:2b:
 +                    86:c0:5c:dd:eb:6f:13:2f:fc:4e:6b:b3:7a:3c:40:
 +                    07:91:01:e9:75:3c:ca:09:c8:af:c1:ec:af:aa:b2:
 +                    ca:4d:f9:70:e6:72:a8:3e:b7:ab:4f:29:b2:f3:ef:
 +                    5d:e2:9b:1c:42:58:f6:80:4a:fa:ed:bc:2f:cb:30:
 +                    a2:6b:83:be:3c:93:ac:56:5c:b8:42:35:77:48:cb:
 +                    12:bb:fb:50:fc:4d:be:22:6b:d3:42:22:3b:ad:91:
 +                    6c:61:b9:b1:d0:63:4a:38:66:9b:da:ec:50:2b:bd:
 +                    e9:ce:25:8f:fd:3a:dd:bc:6f:96:1b:7e:8e:47:ba:
 +                    66:4f:8c:48:2d:98:a2:34:17:66:dd:0a:78:6f:9c:
 +                    ff:56:b7:d1:1e:f5:5d:58:1f:0c:b6:89:a0:3e:5a:
 +                    d3:5d:12:68:a0:5e:ed:c3:c3:41:64:0c:c8:0c:19:
 +                    7e:7d:3e:49:ca:4c:ff:af:5d:68:2e:04:eb:4e:14:
 +                    71:04:9d:52:54:d5:dd:1f:7b:5f:31:ab:7a:48:a9:
 +                    0c:80:c8:c8:17:b5:4f:86:8a:35:b7:d5:a7:f3:9d:
 +                    ca:d1
 +                Exponent: 65537 (0x10001)
 +        X509v3 extensions:
 +            X509v3 Key Usage: critical
 +                Digital Signature, Key Encipherment
 +            X509v3 Extended Key Usage:
 +                TLS Web Server Authentication, TLS Web Client Authentication
 +            X509v3 Basic Constraints: critical
 +                CA:FALSE
 +            X509v3 Subject Key Identifier:
 +                2E:D2:F4:8B:D0:31:49:7E:9C:37:38:D8:A2:68:67:B4:C7:37:F2:0C
 +[root@pve-ms ichiayi.com]# openssl x509 -in cert.pem -text -noout
 +Certificate:
 +    Data:
 +        Version: 3 (0x2)
 +        Serial Number:
 +            03:9f:af:ef:f3:22:59:75:7a:fd:a3:78:76:2c:b6:bb:f9:f5
 +    Signature Algorithm: sha256WithRSAEncryption
 +        Issuer: C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3
 +        Validity
 +            Not Before: Dec 31 14:20:07 2018 GMT
 +            Not After : Mar 31 14:20:07 2019 GMT
 +        Subject: CN=ichiayi.com
 +        Subject Public Key Info:
 +            Public Key Algorithm: rsaEncryption
 +                Public-Key: (2048 bit)
 +                Modulus:
 +                    00:b5:ca:5b:e8:b5:e3:1b:0d:51:25:a7:7f:12:2e:
 +                    26:73:49:5f:9f:52:ee:66:f3:26:4b:74:82:6d:a1:
 +                    60:80:c7:3c:25:88:1d:ba:7a:77:8d:12:a9:0f:2b:
 +                    86:c0:5c:dd:eb:6f:13:2f:fc:4e:6b:b3:7a:3c:40:
 +                    07:91:01:e9:75:3c:ca:09:c8:af:c1:ec:af:aa:b2:
 +                    ca:4d:f9:70:e6:72:a8:3e:b7:ab:4f:29:b2:f3:ef:
 +                    5d:e2:9b:1c:42:58:f6:80:4a:fa:ed:bc:2f:cb:30:
 +                    a2:6b:83:be:3c:93:ac:56:5c:b8:42:35:77:48:cb:
 +                    12:bb:fb:50:fc:4d:be:22:6b:d3:42:22:3b:ad:91:
 +                    6c:61:b9:b1:d0:63:4a:38:66:9b:da:ec:50:2b:bd:
 +                    e9:ce:25:8f:fd:3a:dd:bc:6f:96:1b:7e:8e:47:ba:
 +                    66:4f:8c:48:2d:98:a2:34:17:66:dd:0a:78:6f:9c:
 +                    ff:56:b7:d1:1e:f5:5d:58:1f:0c:b6:89:a0:3e:5a:
 +                    d3:5d:12:68:a0:5e:ed:c3:c3:41:64:0c:c8:0c:19:
 +                    7e:7d:3e:49:ca:4c:ff:af:5d:68:2e:04:eb:4e:14:
 +                    71:04:9d:52:54:d5:dd:1f:7b:5f:31:ab:7a:48:a9:
 +                    0c:80:c8:c8:17:b5:4f:86:8a:35:b7:d5:a7:f3:9d:
 +                    ca:d1
 +                Exponent: 65537 (0x10001)
 +        X509v3 extensions:
 +            X509v3 Key Usage: critical
 +                Digital Signature, Key Encipherment
 +            X509v3 Extended Key Usage:
 +                TLS Web Server Authentication, TLS Web Client Authentication
 +            X509v3 Basic Constraints: critical
 +                CA:FALSE
 +            X509v3 Subject Key Identifier:
 +                2E:D2:F4:8B:D0:31:49:7E:9C:37:38:D8:A2:68:67:B4:C7:37:F2:0C
 +            X509v3 Authority Key Identifier:
 +                keyid:A8:4A:6A:63:04:7D:DD:BA:E6:D1:39:B7:A6:45:65:EF:F3:A8:EC:A1
 +
 +            Authority Information Access:
 +                OCSP - URI:http://ocsp.int-x3.letsencrypt.org
 +                CA Issuers - URI:http://cert.int-x3.letsencrypt.org/
 +
 +            X509v3 Subject Alternative Name:
 +                DNS:*.ichiayi.com, DNS:ichiayi.com
 +            X509v3 Certificate Policies:
 +                Policy: 2.23.140.1.2.1
 +                Policy: 1.3.6.1.4.1.44947.1.1.1
 +                  CPS: http://cps.letsencrypt.org
 +
 +            CT Precertificate SCTs:
 +                Signed Certificate Timestamp:
 +                    Version   : v1(0)
 +                    Log ID    : E2:69:4B:AE:26:E8:E9:40:09:E8:86:1B:B6:3B:83:D4:
 +                                3E:E7:FE:74:88:FB:A4:8F:28:93:01:9D:DD:F1:DB:FE
 +                    Timestamp : Dec 31 15:20:07.239 2018 GMT
 +                    Extensions: none
 +                    Signature : ecdsa-with-SHA256
 +                                30:46:02:21:00:E3:CE:5C:96:90:FE:BF:85:28:74:0C:
 +                                81:21:C2:13:FB:15:01:E8:15:08:70:D2:F8:26:2C:34:
 +                                35:3D:FE:5E:83:02:21:00:E4:D8:77:86:70:48:D1:B5:
 +                                CD:5E:AD:D6:C0:96:E3:4F:40:08:6C:56:8F:1B:07:E3:
 +                                CC:F2:9C:71:0C:3B:75:A9
 +                Signed Certificate Timestamp:
 +                    Version   : v1(0)
 +                    Log ID    : 29:3C:51:96:54:C8:39:65:BA:AA:50:FC:58:07:D4:B7:
 +                                6F:BF:58:7A:29:72:DC:A4:C3:0C:F4:E5:45:47:F4:78
 +                    Timestamp : Dec 31 15:20:07.236 2018 GMT
 +                    Extensions: none
 +                    Signature : ecdsa-with-SHA256
 +                                30:45:02:21:00:C8:C6:CD:41:89:E5:8A:6D:45:22:1E:
 +                                90:63:19:28:6E:C6:C2:AD:96:36:56:33:80:84:7C:60:
 +                                99:D6:6B:11:B1:02:20:0C:F8:CB:1E:B4:87:EC:98:10:
 +                                0A:65:BF:BE:F6:CE:82:10:48:F6:6A:27:FB:68:FD:28:
 +                                26:46:C3:4F:6C:11:DA
 +    Signature Algorithm: sha256WithRSAEncryption
 +         31:53:92:93:80:f7:37:93:eb:4f:5e:c0:61:f4:6b:ca:7c:40:
 +         df:53:85:e7:8a:9a:0c:30:a7:97:7b:58:a3:e7:ab:5e:2e:cf:
 +         97:88:33:97:cc:01:11:22:4f:a6:fd:2c:52:41:60:1d:13:94:
 +         ee:f4:04:ce:18:bd:fe:73:f9:b9:63:22:86:18:af:7f:2e:51:
 +         5e:0f:f4:35:17:81:63:03:cf:2e:ca:89:45:3f:01:63:af:4d:
 +         0d:90:6b:5a:ee:d7:ae:77:c1:33:d7:c4:c1:b4:c9:70:37:02:
 +         14:ed:d0:3e:25:52:5d:7e:1b:98:84:48:51:ee:1f:55:a6:ed:
 +         54:08:8f:71:2e:ee:27:9a:13:c5:b2:82:f7:c4:60:2e:e1:da:
 +         8e:01:7f:66:a8:6d:fb:f2:57:4c:e8:fb:56:2c:74:91:87:67:
 +         3c:c2:16:b1:05:00:e6:95:06:d8:09:b8:3f:89:62:6e:ea:31:
 +         19:47:bb:2a:45:1c:ba:94:0a:71:1d:27:1e:e7:60:4f:3c:76:
 +         b8:81:49:22:12:29:f9:fd:b6:7f:4e:36:7e:64:6c:20:98:8a:
 +         2b:61:96:fb:a4:7e:45:d1:21:ae:de:c8:7c:67:40:7a:c8:45:
 +         00:ae:91:fb:1f:d2:a2:0b:f9:fa:84:43:f9:c8:ad:1a:77:79:
 +         2c:fe:3d:06
 +</file>++++
 +
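Review bot: The `<file>` block in the first section pastes the same certificate dump twice: a run through `| more` that stops at the Subject Key Identifier, immediately followed by the full run of `openssl x509 -in cert.pem -text -noout`. Keep only the second, complete output, which matches the command shown in the `<code sh>` block. The section heading `===== - 直接看憑證檔內容 ====` also closes with four `=` instead of five, unlike the other headings in this change.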
 +===== - 將憑證 PEM 格式轉成 DER 格式 =====
 +<code sh>
 +openssl x509 -inform PEM -outform DER -in ClientCA.crt -out ClientCA.cer
 +</code>
 +++++看結果訊息|
 +<file>
 +[jonathan@pd920 certs]$ openssl x509 -inform PEM -outform DER -in ClientCA.crt -out ClientCA.cer
 +</file>
 +|  {{:tech:trysoft_test:clientca.crt|}}  |  {{:tech:trysoft_test:clientca.cer|}}  |
 +++++
 +
 +===== - 將憑證 DER 格式轉成 PEM 格式 =====
 +<code sh>
 +openssl x509 -inform DER -in GCA.cer -out GCA.crt
 +</code>
 +++++看結果訊息|
 +<file>
 +[jonathan@pd920 gca]$ openssl x509 -inform DER -in GCA.cer -out GCA.crt
 +</file>
 +|  {{:tech:gca:gca.cer|}}  |  {{:tech:gca:gca.crt|}}  |
 +++++
 +
 +===== - 將 CRL 檔由 PEM 格式轉成 DER 格式 =====
 +<code sh>
 +openssl crl -in trysoft.crl -outform DER -out trysoft_der.crl
 +</code>
 +
 +===== - 檢驗 CRL 檔並將 DER 格式轉成文字格式 =====
 +<code sh>
 +wget http://gca.nat.gov.tw/repository/GCA4/CRL/complete.crl
 +wget http://gca.nat.gov.tw/repository/Certs/GCA.cer
 +
 +openssl crl -inform DER -in complete.crl -text -CAfile GCA.crt -out gca_crl.txt
 +</code>
 +++++結果訊息|
 +<file>
 +[jonathan@pd920 gca]$ openssl crl -inform DER -in complete.crl -text -CAfile GCA.crt -out gca_crl.txt
 +verify OK
 +[jonathan@pd920 gca]$ more gca_crl.txt
 +Certificate Revocation List (CRL):
 +        Version 2 (0x1)
 +        Signature Algorithm: sha1WithRSAEncryption
 +        Issuer: /C=TW/O=\xE8\xA1\x8C\xE6\x94\xBF\xE9\x99\xA2/OU=\xE6\x94\xBF\xE5\xBA\x9C\xE6\x86\x91
 +\xE8\xAD\x89\xE7\xAE\xA1\xE7\x90\x86\xE4\xB8\xAD\xE5\xBF\x83
 +        Last Update: Aug 21 16:00:00 2008 GMT
 +        Next Update: Sep 21 16:00:00 2008 GMT
 +        CRL extensions:
 +:
 +:
 +</file>
 +++++
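Review bot: The trust anchor in the CRL check is fetched over plain HTTP with nothing verifying it: `wget http://gca.nat.gov.tw/repository/Certs/GCA.cer` is followed directly by `-CAfile GCA.crt`, so the `verify OK` shown only proves the CRL was signed by whatever file was downloaded. Add a step that compares the certificate's fingerprint (`openssl x509 -inform DER -in GCA.cer -noout -fingerprint -sha256`) with a value obtained out of band. The snippet also never produces GCA.crt; the DER to PEM conversion from the earlier section should be repeated or referenced between the download and the `openssl crl` call.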
 +===== - 驗 ClientCA.cer 憑證的方式 =====
 +  - 要先取得該憑證的 root 憑證 RootCA.crt 與廢止清冊 CRL.crt
 +  - 如果有中繼憑證簽發,也必須取得所有中繼憑證 Exp. Mid1CA.crt , Mid2CA.crt
 +  - 依據順序產生憑證 chain 檔 chain.crt (PEM 格式) ++語法|<code sh>
 +cat RootCA.crt > chain.crt
 +cat Mid1CA.crt >> chain.crt
 +cat Mid2CA.crt >> chain.crt
 +cat CRL.crt >> chain.crt
 +</code>++
 +  - 將 ClientCA.cer 由 DER 轉成 PEM 格式 ++語法|<code sh>
 +openssl x509 -inform DER -in ClientCA.cer -out ClientCA.crt
 +</code>++
 +  - 執行以下語法來檢驗憑證 ++語法|<code sh>
 +openssl verify -CAfile chain.crt -crl_check ClientCA.crt
 +</code>++
 +  - 如果沒問題會++出現|<file>
 +[jonathan@pd920 certs]$ openssl verify -CAfile chain.crt -crl_check ClientCA.crt
 +ClientCA.crt: OK
 +</file>++
 +  - 如果憑證存在廢止清冊內會++出現|<file>
 +[jonathan@pd920 certs]$ openssl verify -CAfile chain.crt -crl_check ClientCA.crt
 +ClientCA.crt: /C=TW/ST=Taiwan/L=Taipei/O=Test Corp./CN=Test Corp./[email protected]
 +error 23 at 0 depth lookup:certificate revoked
 +</file>++
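Review bot: In the verification steps, Mid1CA.crt and Mid2CA.crt are concatenated into chain.crt and passed with `-CAfile`, which puts the intermediates in the trusted store alongside the root instead of treating them as certificates to be validated. Passing only RootCA.crt via `-CAfile` and the intermediates via `-untrusted` keeps the root as the single anchor. Two further points on the same steps: `-crl_check` checks revocation for the leaf only, so with intermediates in play `-crl_check_all` (with a CRL from each issuer) is what the text seems to intend; and the revocation list is named `CRL.crt` and must be PEM to be read from chain.crt, while the CRL examples earlier in this change are DER, so a conversion step and a `.crl` file name would avoid confusion.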
 +===== 相關參考網址 =====
 +  * [[http://www.madboa.com/geek/openssl/]]
 +  * [[http://www.ascc.net/nl/91/1819/02.txt]]
 +  * [[http://www.study-area.org/tips/certs/certs.html]]
 +  * [[http://ssorc.tw/rewrite.php/read-42.html]]++主要內容|<code>
 +產生 private key 私密金鑰 及 憑證 cert (365 天, 1024 bits)
 +openssl req -new -x509 -keyout server.key -out server.crt -days 3650 -newkey rsa:1024
 +   -nodes : 可以不加密碼
 +
 +   -subj '/C=TW/ST=Taiwan/L=Taipei/CN=ssorc.tw/[email protected]' : 個人資訊,加的話不會出用提示的方式
 +
 +產生私密金鑰(private key) & 憑證要求(certificate signing request = csr)
 +   openssl req -new -keyout server.key -out server.csr -days 365 -newkey rsa:1024
 +   如果要引用已有 private key 了來產生憑證要求
 +openssl req -new -key server.key -out server.csr
 +簽署 csr 產生 crt
 +openssl x509 -in server.csr -out server.crt -req -text -signkey server.key
 +CA 簽發
 +openssl ca -policy policy_anything -out server.crt -infiles server.csr
 +檢查簽署
 +openssl req -in server.csr -noout -verify -key server.key
 +檢查憑證
 +openssl verify server.crt
 +查看 csr 內容
 +openssl req -in server.csr -noout -text
 +-noout : 不輸出BEGIN CERTIFICATE REQUEST
 +
 +查看 csr 內容並檢查
 +openssl req -in server.csr -noout -text -verify
 +查看 crt 內容
 +openssl x509 -in server.crt -text
 +其它查看的參數
 +-issuer
 +-subject
 +-dates
 +
 +產生 Windows用的 p12
 +openssl pkcs12 -export -in server.crt -inkey server.key -out windows.p12
 +   如果反過來的話
 +openssl pkcs12 -in windows.p12 -out server.crt
 +windows DER
 +   openssl x509 -in cacert.pem -out cacert.der -outform DER
 +產生 public key
 +openssl rsa -in server.key -pubout
 +產生 rsa key
 +openssl genrsa
 +openssl genrsa 1024
 +openssl genrsa 1024 -out server.rsa.key
 +文件加密、解密
 +   明文文件(plain text)  :test.txt
 +   密文文件(cipher text):test.msg
 +
 +   文件加密
 +echo "this is a test file" > test.txt
 +openssl smime -encrypt -in test.txt -out test.msg cert.pem
 +   文件解密
 +openssl smime -decrypt -in test.msg -recip cert.pem -inkey key.pem
 +   驗證簽章(Verify Signature)
 +openssl smime -sign -inkey key.pem -signer cert.pem -in test.txt -out test.sig
 +openssl smime -verif -in test.sig -signer cert.pem -out test2.txt -CAfile cacert.pem
 +測試 TLS
 +openssl s_client -CAfile cacert.pem -connect localhost:993
 +openssl s_client -connect remote.host:25 -starttls smtp
 +openssl s_time -connect remote_host:443
 +Benchmark
 +openssl speed
 +openssl speed rsa
 +
 +ref: http://www.madboa.com/geek/openssl/
 +ref: http://www.ascc.net/nl/91/1819/02.txt
 +ref: http://www.study-area.org/tips/certs/certs.html
 +</code>++
 +
 +{{tag>openssl pki ca tips}}
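Review bot: The quoted ssorc.tw cheat sheet at the end uses `-newkey rsa:1024` and `openssl genrsa 1024` throughout, which is too short for a page revised in 2018; the certificate dumped at the top of this same change has a 2048-bit key, so the examples should use at least 2048. In the first command the description says 365 days but the command line has `-days 3650`, and `-days 365` on the CSR-only `openssl req -new ... -out server.csr` line has no effect without `-x509`. `openssl pkcs12 -in windows.p12 -out server.crt` without `-nokeys` writes the private key into server.crt as well, which deserves a remark next to it, and `-verif` in the `smime` verification line looks like a typo for `-verify`. The `[email protected]` string in the `-subj` example is e-mail obfuscation residue from the copied page and should be replaced with a placeholder address.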