
OpenSSL

这是与电子证书交互时使用的命令参考。

#私钥

#打印私钥详情

openssl rsa -check -text -in privateKey.key

#打印私钥模数的哈希值(用于与证书的模数哈希比对,确认二者是否配对)

openssl rsa -noout -modulus -in privateKey.key | openssl md5
openssl rsa -noout -modulus -in privateKey.key | openssl sha1
openssl rsa -noout -modulus -in privateKey.key | openssl sha256
openssl rsa -noout -modulus -in privateKey.key | openssl sha512

#修改密码

openssl rsa -aes256 -in privateKey.key -out newPrivateKey.key

#列出可用的椭圆曲线

openssl ecparam -list_curves

#使用特定曲线创建椭圆曲线私钥

openssl ecparam -name secp521r1 -genkey -noout -out privateKey.key

#证书

#打印证书公钥模数的哈希值(与私钥的模数哈希相同即表示配对)

openssl x509 -noout -modulus -in certificate.crt | openssl md5
openssl x509 -noout -modulus -in certificate.crt | openssl sha1
openssl x509 -noout -modulus -in certificate.crt | openssl sha256
openssl x509 -noout -modulus -in certificate.crt | openssl sha512

或者,也可以打印整张证书的指纹(对整个证书计算,与上面的模数哈希不是同一个值;不指定摘要算法时默认使用 SHA-1):

openssl x509 -noout -fingerprint -in certificate.crt
openssl x509 -noout -fingerprint -sha256 -in certificate.crt

#打印证书内容

openssl x509 -in certificate.crt -noout -text|more

#打印证书的特定字段

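# Print a single field of the certificate (subject, issuer, validity dates).
# x509 takes its input from -in (or stdin), not from a positional file name,
# so each command needs -in before the certificate path.
openssl x509 -noout -subject -in certificate.crt
openssl x509 -noout -issuer -in certificate.crt
openssl x509 -noout -dates -in certificate.crt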

#检查服务器证书

echo | openssl s_client -servername www.openssl.org -connect \
www.openssl.org:443 2>/dev/null | openssl x509 -noout -text|more
echo | openssl s_client -servername imap.arcor.de -connect \
imap.arcor.de:993 2>/dev/null | openssl x509 -noout -text|more

#验证证书

证书正常时:

openssl verify -verbose -x509_strict -CAfile \
issuer.crt Test\ Haeschen\ 1.crt

结果:

Test Haeschen 1.crt: OK

证书损坏时,例如:

openssl verify -verbose -x509_strict -CAfile \
issuer.crt Test\ Haeschen\ 1_corrupted.crt

结果:

C = DE, ST = Thueringen, L = Rudolstadt, O = Damaschkestr. 11, OU = Arbeitszimmer, CN = Test Haeschen 1
error 7 at 0 depth lookup: certificate signature failure
error Test Haeschen 1_corrupted.crt: verification failed
40270500477F0000:error:0200008A:rsa routines:RSA_padding_check_PKCS1_type_1:invalid padding:../crypto/rsa/rsa_pk1.c:75:
40270500477F0000:error:02000072:rsa routines:rsa_ossl_public_decrypt:padding check failed:../crypto/rsa/rsa_ossl.c:598:
40270500477F0000:error:1C880004:Provider routines:rsa_verify:RSA lib:../providers/implementations/signature/rsa_sig.c:774:
40270500477F0000:error:06880006:asn1 encoding routines:ASN1_item_verify_ctx:EVP lib:../crypto/asn1/a_verify.c:217:

#S/Mime

#创建签名

openssl smime -sign -in msg.txt -text -out msg.p7s \
-signer certificate.crt -inkey privateKey.key

#验证签名

openssl smime -verify -in msg.p7s -CAfile chain.pem

#CRL

#打印 CRL 内容

openssl crl -inform DER -noout -text  -in crl/cacrl.der
openssl crl -inform PEM -noout -text  -in crl/cacrl.pem

#PKCS#12

#显示内容

openssl pkcs12 -info -in  digitalIdentity.p12

#从证书和私钥创建

openssl pkcs12 -export -in certificate.cert \
-inkey privateKey.key -out digitalIdentity.p12

#提取私钥

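# Extract only the private key from the PKCS#12 container.
# -nocerts leaves the certificates out, so the output file holds just the key.
# openssl asks for a PEM pass phrase to encrypt the written key; keep the
# resulting file readable by its owner only.
openssl pkcs12 -in digitalIdentity.p12 -nocerts -out privateKey.key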

#转换为 PEM

openssl pkcs12 -in digitalIdentity.p12 -out digitalIdentity.pem

#TSA

#显示查询

openssl ts -query -in query.tsq -text

#显示回复

openssl ts -reply -in reply.tsr -text

#验证回复

openssl ts -verify -in reply.tsr -data data.dat -CAfile chain.pem

#从回复中提取令牌

openssl ts -reply -in reply.tsr -token_out -out token.tk

#从令牌中提取证书

openssl pkcs7 -inform DER -in token.tk -print_certs -noout -text

#CSR

#从现有密钥创建

openssl req -new -key privateKey.key -out my.csr

这当然可以是 RSA 密钥或基于椭圆曲线的密钥。可用的曲线可以使用以下命令列出:

openssl ecparam -list_curves

然后选择一条曲线并像这样创建一个私钥:

openssl ecparam -name secp521r1 -genkey -noout \
-out privateKey.key

#显示

openssl req -in my.csr -noout -text

#HTTPS

#转储 PEM 编码的证书

openssl s_client -showcerts -connect www.example.com:443

#STARTTLS

#转储 PEM 编码的证书

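# Dump the PEM-encoded certificate chain offered after an IMAP STARTTLS upgrade.
# IMAP with STARTTLS is served on port 143; 139 is the NetBIOS session port,
# not an IMAP port.
openssl s_client -showcerts -starttls imap \
-connect mail.domain.com:143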

#S/MIME 验证

#可能的结果

消息被篡改(返回码 4):

Verification failure
140485684135232:error:2E09A09E:CMS routines:CMS_SignerInfo_verify_content:verification failure:../crypto/cms/cms_sd.c:847:
140485684135232:error:2E09D06D:CMS routines:CMS_verify:content verify error:../crypto/cms/cms_smime.c:393:

消息签名不受信任(返回码 4):

Verification failure
140146111432000:error:2E099064:CMS routines:cms_signerinfo_verify_cert:certificate verify error:../crypto/cms/cms_smime.c:252:Verify error:unable to get local issuer certificate

消息未签名(返回码 2):

Error reading S/MIME message
140701208487232:error:0D0D40CD:asn1 encoding routines:SMIME_read_ASN1:invalid mime type:../crypto/asn1/asn_mime.c:469:type: multipart/alternative

验证成功(返回码 0):

Verification successful

#验证电子邮件消息的有效性

openssl cms -verify -in some_email_message.eml

#显式指定信任锚来验证电子邮件消息的有效性

openssl cms -verify -in some_email_message \
-CAfile trust_anchor-crt

#签名和加密的消息需要先解密:

注意:保存数字身份的 P12 文件必须先转换为 PEM 格式!(见上文“转换为 PEM”)

openssl cms -decrypt -out decrypted_email_message \
-inkey p12.pem -in some_encrypted_email_message

#原始数据

#查看 ASN.1 文件的原始结构(仅适用于 DER 编码的数据;PEM 文件是 DER 的 Base64 封装,可直接读取,裸 DER 文件需加 -inform DER)

openssl asn1parse -in mysterious_file.pem

#更详细一些

openssl asn1parse -dump -strictpem -in mysterious_file.pem