OpenSSL has a great many command forms. This is a running log of the ones I use most often, collected in one place so they can simply be copied and pasted later.

1. Generating a private key and its public key

openssl genrsa -out nixops.me.key 2048
openssl rsa -in nixops.me.key -pubout -out nixops.me.pub

-pubout writes a bare public key (a PUBLIC KEY PEM block), not a certificate, so do not name it .crt; only the one-command form below produces a certificate.

In one command (private key plus a self-signed certificate; -nodes leaves the key unencrypted):

openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout nixops.me.key -out nixops.me.crt

Check the private key and inspect the certificate (openssl x509 reads certificates only; a bare public key is inspected with openssl rsa -pubin -text):

openssl rsa -check -in nixops.me.key
openssl x509 -text -noout -in nixops.me.crt

2. Generating a private key and a certificate signing request (CSR)

openssl genrsa -out nixops.me.key 2048
openssl req -new -sha256 -key nixops.me.key -out nixops.me.csr

Inspect the CSR:

openssl req -noout -text -in nixops.me.csr

3. Running your own CA

Generate the CA private key:

openssl genrsa -out CAKey.pem 2048

Generate the CA certificate:

openssl req -x509 -sha256 -new -nodes -key CAKey.pem -days 3650 -out CACert.pem

Or non-interactively, passing the subject on the command line:

openssl req -x509 -sha256 -new -nodes -key CAKey.pem -days 3650 -out CACert.pem -subj "/C=CN/ST=Guangdong/L=Shenzhen/O=myorganization/OU=nixps LTD/CN=nixops.me"

Show the CA certificate details:

openssl x509 -in CACert.pem -text

Issue a certificate from the CSR with the CA:

openssl x509 -req -CA CACert.pem -CAkey CAKey.pem -CAcreateserial -in nixops.me.csr -out nixops.me.issue.crt -days 365 -sha256

Note that x509 -req does not copy extensions from the CSR: the issued certificate carries no subjectAltName or keyUsage unless you supply them with -extfile (OpenSSL 3.x also offers -copy_extensions copy), and browsers reject server certificates that have no SAN.

Show the issuer:

openssl x509  -noout -issuer -issuer_hash -in nixops.me.issue.crt
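The whole procedure of this section as an added worked example, not part of the original post: it builds the CA, creates a CSR that carries a subjectAltName, signs it once without and once with -extfile to show that x509 -req drops the CSR's extensions, and validates the issued certificate against the CA with openssl verify. File names, DN values and hostnames are illustrative assumptions, and the config snippets are written for this example rather than taken from any OpenSSL distribution.

```sh
#!/bin/sh
# Added example (not from the original post): a complete private-CA run.
# It builds a CA, makes a CSR, signs it twice (without and with -extfile) to
# show that `x509 -req` drops the CSR's extensions, and verifies the chain.
# File names, DN values and hostnames are illustrative assumptions.
set -eu

build_ca() {  # $1 = working directory; writes CAKey.pem and CACert.pem
  openssl genrsa -out "$1/CAKey.pem" 2048 2>/dev/null
  # Own config so the CA cert gets CA:TRUE/keyCertSign regardless of the
  # system openssl.cnf (req -x509 takes its extensions from x509_extensions).
  cat > "$1/ca.cnf" <<'EOF'
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
prompt             = no
[ req_dn ]
C  = CN
O  = myorganization
CN = nixops.me Root CA
[ v3_ca ]
basicConstraints     = critical, CA:TRUE, pathlen:0
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -sha256 -new -nodes -key "$1/CAKey.pem" -days 3650 \
    -config "$1/ca.cnf" -out "$1/CACert.pem" 2>/dev/null
}

make_csr() {  # $1 = dir; writes nixops.me.key and nixops.me.csr (SAN inside)
  openssl genrsa -out "$1/nixops.me.key" 2048 2>/dev/null
  cat > "$1/csr.cnf" <<'EOF'
[ req ]
distinguished_name = req_dn
req_extensions     = v3_req
prompt             = no
[ req_dn ]
C  = CN
O  = myorganization
CN = nixops.me
[ v3_req ]
subjectAltName = DNS:nixops.me, DNS:www.nixops.me
EOF
  openssl req -new -sha256 -key "$1/nixops.me.key" -config "$1/csr.cnf" \
    -out "$1/nixops.me.csr" 2>/dev/null
}

# Sign without -extfile: the SAN requested in the CSR is silently dropped.
sign_plain() {  # $1 = dir; writes nixops.me.nosan.crt
  openssl x509 -req -sha256 -days 365 -CA "$1/CACert.pem" -CAkey "$1/CAKey.pem" \
    -CAcreateserial -in "$1/nixops.me.csr" -out "$1/nixops.me.nosan.crt" 2>/dev/null
}

# Sign with -extfile: the CA dictates the server extensions itself, which is
# where they belong anyway rather than trusting whatever the requester put in.
sign_with_ext() {  # $1 = dir; writes nixops.me.issue.crt
  cat > "$1/server.ext" <<'EOF'
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectAltName         = DNS:nixops.me, DNS:www.nixops.me
authorityKeyIdentifier = keyid
EOF
  openssl x509 -req -sha256 -days 365 -CA "$1/CACert.pem" -CAkey "$1/CAKey.pem" \
    -CAcreateserial -in "$1/nixops.me.csr" -extfile "$1/server.ext" \
    -out "$1/nixops.me.issue.crt" 2>/dev/null
}

san_dns_count() {  # prints the number of DNS: entries in the cert's SAN
  openssl x509 -noout -text -in "$1" | grep -o 'DNS:[^, ]*' | wc -l | tr -d ' '
}

verify_chain() {  # $1 = CA cert, $2 = leaf; exit 0 only if the chain validates
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Demo run in a scratch directory.
d=$(mktemp -d)
build_ca "$d"; make_csr "$d"; sign_plain "$d"; sign_with_ext "$d"
echo "SAN entries without -extfile: $(san_dns_count "$d/nixops.me.nosan.crt")"
echo "SAN entries with -extfile:    $(san_dns_count "$d/nixops.me.issue.crt")"
verify_chain "$d/CACert.pem" "$d/nixops.me.issue.crt" && echo "chain OK"
```

Both issued certificates validate against the CA; only the one signed with -extfile is usable for a browser, because the SAN that the CSR asked for never reaches the certificate unless the signer adds it.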

4. Encrypting and decrypting files with OpenSSL

4.1 Generate and check the private key

openssl genrsa -out nixops.me.pem 2048
openssl rsa -in nixops.me.pem -text -noout

4.2 Export and check the public key

openssl rsa -in nixops.me.pem -pubout -out pub.pem
openssl rsa -in pub.pem -pubin -text -noout

4.3 Small files

RSA encrypts a single block, so the plaintext must be shorter than the modulus minus the padding overhead. With the default PKCS#1 v1.5 padding a 1024-bit key takes at most 117 bytes and a 2048-bit key at most 245 bytes; with OAEP (-oaep, SHA-1) the limits are 86 and 214 bytes. Anything longer fails with "data too large for key size". rsautl is deprecated since OpenSSL 3.0 in favour of pkeyutl, which accepts the same files.

Encrypt with the public key:

openssl rsautl -encrypt -inkey pub.pem -pubin -in file.txt -out file.bin

Decrypt with the private key:

openssl rsautl -decrypt -inkey nixops.me.pem -in file.bin

4.4 Large files

smime -encrypt generates a random AES key for the data and wraps only that key with RSA, so there is no size limit. The recipient argument must be an X.509 certificate, not a bare public key: pub.pem from 4.2 will not load, so use the self-signed nixops.me.crt from section 1 (with its key nixops.me.key) or make a certificate for nixops.me.pem. The format name for -outform/-inform is DER.

Encrypt with the recipient certificate:

openssl smime -encrypt -aes256 -in Large.zip -binary -outform DER -out Encrypted.der nixops.me.crt

Decrypt with the private key:

openssl smime -decrypt -in Encrypted.der -binary -inform DER -inkey nixops.me.key -out Large.zip
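The limits and the hybrid scheme of this section, checked by running them, as an added example that is not from the original post: pkeyutl (the replacement for rsautl) is driven to the exact byte counts at which each padding mode stops working, and a 1 MiB constructed file is round-tripped through openssl cms, the successor of smime, using a self-signed certificate made for the same key. Key, certificate and file names are assumptions.

```sh
#!/bin/sh
# Added example (not from the original post): shows the RSA plaintext limit
# for both padding modes, and CMS hybrid encryption for large files.
# pkeyutl replaces the deprecated rsautl; `cms` is the successor of `smime`.
# Key/cert names, sizes and the constructed inputs are assumptions.
set -eu

gen_keypair() {  # $1 = dir; writes nixops.me.pem (private) and pub.pem (public)
  openssl genrsa -out "$1/nixops.me.pem" 2048 2>/dev/null
  openssl rsa -in "$1/nixops.me.pem" -pubout -out "$1/pub.pem" 2>/dev/null
}

# rsa_roundtrip DIR PADDING LEN: encrypt LEN bytes with pub.pem using PADDING
# (oaep or pkcs1), decrypt with the private key and compare the result.
# Returns non-zero when the plaintext does not fit the 2048-bit key.
rsa_roundtrip() {
  head -c "$3" /dev/zero | tr '\0' 'A' > "$1/msg.txt"   # constructed plaintext
  openssl pkeyutl -encrypt -pubin -inkey "$1/pub.pem" \
    -pkeyopt "rsa_padding_mode:$2" -in "$1/msg.txt" -out "$1/msg.bin" 2>/dev/null || return 1
  openssl pkeyutl -decrypt -inkey "$1/nixops.me.pem" \
    -pkeyopt "rsa_padding_mode:$2" -in "$1/msg.bin" -out "$1/msg.dec" 2>/dev/null || return 1
  cmp -s "$1/msg.txt" "$1/msg.dec"
}

# CMS/S-MIME needs a recipient *certificate*, not a bare public key, so make a
# self-signed one for the same key (relies on the system openssl.cnf for req).
make_recipient_cert() {  # $1 = dir; writes nixops.me.crt
  openssl req -x509 -new -sha256 -key "$1/nixops.me.pem" -days 365 \
    -subj "/CN=nixops.me" -out "$1/nixops.me.crt" 2>/dev/null
}

# Hybrid encryption: a random AES-256 content key encrypts the data and RSA
# wraps only that key, so there is no size limit. DER output as in the smime example.
cms_encrypt() {  # $1 = dir, $2 = input file, $3 = output file
  openssl cms -encrypt -aes-256-cbc -binary -outform DER \
    -in "$2" -out "$3" "$1/nixops.me.crt"
}
cms_decrypt() {  # $1 = dir, $2 = input file, $3 = output file
  openssl cms -decrypt -inform DER -binary -inkey "$1/nixops.me.pem" -in "$2" -out "$3"
}

# Round-trip a LEN-byte random file through cms_encrypt/cms_decrypt.
cms_roundtrip() {  # $1 = dir, $2 = LEN
  head -c "$2" /dev/urandom > "$1/Large.bin"    # constructed input
  cms_encrypt "$1" "$1/Large.bin" "$1/Encrypted.der"
  cms_decrypt "$1" "$1/Encrypted.der" "$1/Large.out"
  cmp -s "$1/Large.bin" "$1/Large.out"
}

# Demo run in a scratch directory.
d=$(mktemp -d)
gen_keypair "$d"; make_recipient_cert "$d"
for n in 214 215 245 246; do
  rsa_roundtrip "$d" oaep  "$n" && echo "oaep  $n bytes: ok" || echo "oaep  $n bytes: too large"
  rsa_roundtrip "$d" pkcs1 "$n" && echo "pkcs1 $n bytes: ok" || echo "pkcs1 $n bytes: too large"
done
cms_roundtrip "$d" 1048576 && echo "cms 1 MiB round trip: ok"
```

The loop prints "ok" up to 214 bytes for OAEP and 245 bytes for PKCS#1 v1.5, and "too large" one byte beyond each; the CMS round trip has no such ceiling.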

5. Certificate format conversion

The common formats:

  • .DER .CER : binary (DER); holds a certificate only, never a private key.
  • .PEM : Base64 text between BEGIN/END lines; can hold a certificate or a private key (the .key files found online are PEM).
  • .CRT : either binary or text; holds a certificate only, no private key.
  • .PFX .P12 : PKCS#12, binary; holds the certificate (chain) together with the private key, usually password-protected.
  • .JKS : Java's own keystore format, binary; holds certificates and private keys, password-protected.

5.1 DER/CER/CRT to PEM

Inspect the certificate first, then convert:

openssl x509 -in cert.der -inform der -text -noout
openssl x509 -in cert.der -inform der -outform pem -out cert.pem

5.2 PEM to DER/CER/CRT

openssl x509 -in cert.pem -text -noout
openssl x509 -in cert.pem -outform der -out cert.der

5.3 PFX to PEM

openssl pkcs12 -info -nodes -in site.pfx
openssl pkcs12 -in site.pfx -out site.pem -nodes

-nodes writes the private key unencrypted, so protect site.pem accordingly. OpenSSL 3.x needs -legacy (which loads the legacy provider) to read old PFX files encrypted with RC2-40.

5.4 JKS to PEM

keytool from the JDK is needed alongside openssl; first convert the keystore to PKCS#12 with keytool:

keytool -importkeystore -srckeystore cert.jks -destkeystore cert.pkcs -srcstoretype JKS -deststoretype PKCS12

Then convert to PEM with openssl:

openssl pkcs12 -in cert.pkcs -out cert.pem
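An added example, not part of the original post, that exercises the conversions above on a throwaway self-signed certificate and checks them by comparing SHA-256 fingerprints: PEM to DER and back, key and certificate into a PFX and out again, plus a check that a private key actually belongs to a certificate. The names, the password and the test certificate are assumptions.

```sh
#!/bin/sh
# Added example (not from the original post): PEM <-> DER and PEM <-> PKCS#12
# round trips, checked by comparing SHA-256 fingerprints, plus a key/cert
# match check. Names, password and the self-signed test cert are assumptions.
set -eu

fingerprint() {  # $1 = cert file, $2 = inform (pem|der); prints the SHA-256 fingerprint
  openssl x509 -noout -fingerprint -sha256 -inform "$2" -in "$1" | cut -d= -f2
}

pem_to_der() { openssl x509 -in "$1" -inform pem -outform der -out "$2"; }
der_to_pem() { openssl x509 -in "$1" -inform der -outform pem -out "$2"; }

# A private key belongs to a certificate iff their public keys are identical.
# Comparing the SubjectPublicKeyInfo works for RSA, ECDSA and Ed25519 alike,
# unlike comparing -modulus, which is RSA-only.
key_matches_cert() {  # $1 = key file, $2 = cert file
  k=$(openssl pkey -in "$1" -pubout 2>/dev/null || true)
  c=$(openssl x509 -in "$2" -pubkey -noout)
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# Pack key+cert into a PFX and unpack it again. -nodes writes the key in the
# clear; OpenSSL 3 needs `-legacy` to read old RC2-40 encrypted PFX files.
pfx_pack() {  # $1 = key, $2 = cert, $3 = out.pfx, $4 = password
  openssl pkcs12 -export -inkey "$1" -in "$2" -name site -out "$3" -passout "pass:$4"
}
pfx_unpack() {  # $1 = in.pfx, $2 = password, $3 = key out (PEM), $4 = cert out (PEM)
  openssl pkcs12 -in "$1" -nodes -passin "pass:$2" -out "$1.all.pem"
  openssl pkey -in "$1.all.pem" -out "$3"        # first private key block
  openssl x509 -in "$1.all.pem" -out "$4"        # first certificate block
}

# Demo with a throwaway self-signed cert (uses the system openssl.cnf for req).
d=$(mktemp -d)
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 -subj "/CN=nixops.me" \
  -keyout "$d/site.key" -out "$d/cert.pem" 2>/dev/null
pem_to_der "$d/cert.pem" "$d/cert.der"
der_to_pem "$d/cert.der" "$d/cert2.pem"
pfx_pack "$d/site.key" "$d/cert.pem" "$d/site.pfx" changeit
pfx_unpack "$d/site.pfx" changeit "$d/site2.key" "$d/cert3.pem"
echo "pem: $(fingerprint "$d/cert.pem" pem)"
echo "der: $(fingerprint "$d/cert.der" der)"
echo "pfx: $(fingerprint "$d/cert3.pem" pem)"
key_matches_cert "$d/site2.key" "$d/cert3.pem" && echo "key matches cert"
```

All three fingerprints are identical: a format conversion never changes the certificate's bytes, only their encoding, so a differing fingerprint after a conversion means you converted the wrong file.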

6. Other tricks

6.1 Remove the passphrase from a private key

The input is an encrypted private key, not a certificate; you are prompted for the passphrase once and the output key is written in the clear:

openssl rsa -in cert.key -out nopass.key

6.2 Show the subject name hash

-hash prints the hash of the subject name, the value c_rehash uses to name the symlinks in a CA directory; it is not a hash of the public key:

openssl x509 -noout -hash -in cert.pem

6.3 Show a live site's certificate chain

openssl s_client -connect www.baidu.com:443 -showcerts

6.4 Check a certificate's validity period

Local certificate:

openssl x509 -dates -noout -in file.pem  # notBefore and notAfter
openssl x509 -startdate -noout -in file.pem # notBefore
openssl x509 -enddate -noout -in file.pem   # notAfter
openssl x509 -checkend 86400 -noout -in file.pem # exit status 0 if still valid in one day, 1 if it expires within a day; check with echo $?

Live certificate (</dev/null closes s_client's stdin; without it s_client waits for input):

openssl s_client -connect www.baidu.com:443 -servername www.baidu.com </dev/null 2>/dev/null | openssl x509 -noout -dates

Extract just the expiry date:

openssl s_client -connect www.baidu.com:443 -servername www.baidu.com </dev/null 2>/dev/null | openssl x509 -enddate -noout | cut -d "=" -f 2

Convert the date with date(1):

date --date="$(openssl s_client -connect www.baidu.com:443 -servername www.baidu.com </dev/null 2>/dev/null | openssl x509 -enddate -noout | cut -d "=" -f 2)" --iso-8601
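The checks above wrapped into reusable shell functions, as an added example (not from the original post) for a cron or monitoring job: days left until expiry, a boolean "expires within N seconds" built on -checkend, and a fetch of a live site's certificate. GNU date -d is assumed, as in the date command above; the short-lived certificate used for the demo is constructed and the remote fetch is not exercised offline.

```sh
#!/bin/sh
# Added example (not from the original post): expiry checks as reusable shell
# functions. Uses GNU date -d, like the date command in the post. The
# 3-day test certificate is constructed; hostnames and paths are assumptions.
set -eu

cert_not_after() {  # $1 = PEM cert; prints notAfter as "Mon DD HH:MM:SS YYYY GMT"
  openssl x509 -enddate -noout -in "$1" | cut -d= -f2
}

cert_days_left() {  # $1 = PEM cert; prints whole days until expiry (negative once expired)
  end=$(date -d "$(cert_not_after "$1")" +%s)
  now=$(date +%s)
  echo $(( (end - now) / 86400 ))
}

# cert_expires_within CERT SECONDS: true (exit 0) if the cert expires within
# SECONDS. `x509 -checkend` exits 0 when the cert is still valid at now+SECONDS
# and non-zero when it is not, so the sense is inverted here.
cert_expires_within() {
  ! openssl x509 -checkend "$2" -noout -in "$1" >/dev/null
}

# Fetch the leaf certificate of a live host (needs network; not run offline).
# </dev/null closes s_client's stdin, otherwise it waits for input.
remote_cert() {  # $1 = host, $2 = port; prints the PEM certificate
  openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509
}

# Demo: a throwaway cert valid for 3 days (uses the system openssl.cnf for req).
d=$(mktemp -d)
openssl req -x509 -newkey rsa:2048 -nodes -days 3 -subj "/CN=nixops.me" \
  -keyout "$d/k.pem" -out "$d/c.pem" 2>/dev/null
echo "expires: $(cert_not_after "$d/c.pem") (about $(cert_days_left "$d/c.pem") days)"
cert_expires_within "$d/c.pem" $((7*86400)) && echo "renew: expires within 7 days"
cert_expires_within "$d/c.pem" 86400 || echo "fine for at least 24 hours"
```

For a live host, `remote_cert www.baidu.com 443 > /tmp/leaf.pem` followed by `cert_days_left /tmp/leaf.pem` gives the same number the date pipeline above prints, and `cert_expires_within` is the natural alerting predicate.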

6.5 Check whether a site accepts a given SSL/TLS version

The versions are TLS 1.0 (-tls1), TLS 1.1 (-tls1_1), TLS 1.2 (-tls1_2) and TLS 1.3 (-tls1_3, OpenSSL 1.1.1 and later); recent OpenSSL builds have SSLv2 (-ssl2) and SSLv3 (-ssl3) disabled. A handshake failure means the server does not accept that version (or your client build no longer offers it).

openssl s_client  -connect www.baidu.com:443 -tls1

6.6 Check whether a site supports a given cipher suite

openssl s_client -connect www.baidu.com:443 -tls1_2 -cipher 'ECDHE-RSA-AES128-GCM-SHA256'

-cipher selects TLS 1.2 and earlier suites; TLS 1.3 suites are selected with -ciphersuites instead.


7. Generating a self-signed certificate from a config file

dovecot-openssl.cnf (the template shipped with Dovecot):

[ req ]
default_bits = 2048
encrypt_key = yes
distinguished_name = req_dn
x509_extensions = cert_type
prompt = no

[ req_dn ]
# country (2 letter code)
#C=FI

# State or Province Name (full name)
#ST=

# Locality Name (eg. city)
#L=Helsinki

# Organization (eg. company)
#O=Dovecot

# Organizational Unit Name (eg. section)
OU=IMAP server

# Common Name (*.example.com is also possible)
CN=imap.example.com

# E-mail contact
emailAddress=postmaster@example.com

[ cert_type ]
nsCertType = server

mkcert.sh, the helper shipped next to it in dovecot-2.3.17/doc (read here from /run/media/lixing/6T_20181101_1/src/net/email/dovecot-2.3.17/doc/mkcert.sh):
#!/bin/sh

# Generates a self-signed certificate.
# Edit dovecot-openssl.cnf before running this.

umask 077
OPENSSL=${OPENSSL-openssl}
SSLDIR=${SSLDIR-/etc/ssl}
OPENSSLCONFIG=${OPENSSLCONFIG-dovecot-openssl.cnf}

CERTDIR=$SSLDIR/certs
KEYDIR=$SSLDIR/private

CERTFILE=$CERTDIR/dovecot.pem
KEYFILE=$KEYDIR/dovecot.pem

if [ ! -d $CERTDIR ]; then
  echo "$SSLDIR/certs directory doesn't exist"
  exit 1
fi

if [ ! -d $KEYDIR ]; then
  echo "$SSLDIR/private directory doesn't exist"
  exit 1
fi

if [ -f $CERTFILE ]; then
  echo "$CERTFILE already exists, won't overwrite"
  exit 1
fi

if [ -f $KEYFILE ]; then
  echo "$KEYFILE already exists, won't overwrite"
  exit 1
fi

$OPENSSL req -new -x509 -nodes -config $OPENSSLCONFIG -out $CERTFILE -keyout $KEYFILE -days 365 || exit 2
chmod 0600 $KEYFILE
echo 
$OPENSSL x509 -subject -fingerprint -noout -in $CERTFILE || exit 2


Using a locally built OpenSSL 1.1.1k instead of the system one (the paths are from this machine and $YLX_LIBPATH is a variable of the local environment; alternatively cd ~/unstable_libs/ssl-1.1.1k/bin and run ./openssl):

export PATH=/home/lixing/unstable_libs/ssl-1.1.1k/bin:$PATH
export LD_LIBRARY_PATH=/home/lixing/unstable_libs/ssl-1.1.1k/lib:$YLX_LIBPATH

List the supported TLS 1.3 cipher suites (TLS 1.3 suites are selected with -ciphersuites, not -cipher):

$ openssl ciphers -tls1_3 -v -s -ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_8_SHA256:TLS_AES_128_CCM_SHA256
TLS_AES_256_GCM_SHA384  TLSv1.3 Kx=any      Au=any  Enc=AESGCM(256) Mac=AEAD
TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any      Au=any  Enc=CHACHA20/POLY1305(256) Mac=AEAD
TLS_AES_128_GCM_SHA256  TLSv1.3 Kx=any      Au=any  Enc=AESGCM(128) Mac=AEAD
TLS_AES_128_CCM_8_SHA256 TLSv1.3 Kx=any      Au=any  Enc=AESCCM8(128) Mac=AEAD
TLS_AES_128_CCM_SHA256  TLSv1.3 Kx=any      Au=any  Enc=AESCCM(128) Mac=AEAD

TLS 1.2 suites only:

openssl ciphers -v | grep TLSv1.2

Generate DH parameters for nginx (4096 bits takes several minutes) and a self-signed certificate from a config file (nginx-selfsigned.conf, not shown here):

cd /run/media/lixing/6T_20181101_1/proj/shell/create_selfsigned_cert/
openssl dhparam -out /opt/chroot_jail/opt/ssl/dhparam.pem 4096
openssl req -new -x509 -nodes -config ./nginx-selfsigned.conf -out self.crt -keyout self.key -days 3650
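An added example, not from the original post, of what such a config file can look like for an nginx server certificate: it carries a subjectAltName, since browsers ignore the CN and require a SAN, and the result is checked with openssl x509 -purpose. The file name nginx-selfsigned.conf, the hostnames and the paths are assumptions; the author's own nginx-selfsigned.conf is not shown on the page.

```sh
#!/bin/sh
# Added example (not from the original post): an nginx-style req config with
# a subjectAltName, the cert generated from it, and checks on the result.
# The config contents, hostnames and output paths are assumptions.
set -eu

write_config() {  # $1 = path of the config file to write
  cat > "$1" <<'EOF'
[ req ]
default_bits       = 2048
distinguished_name = req_dn
x509_extensions    = v3_server
prompt             = no

[ req_dn ]
C  = CN
O  = myorganization
CN = nixops.me

[ v3_server ]
basicConstraints = CA:FALSE
keyUsage         = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = @alt_names

[ alt_names ]
DNS.1 = nixops.me
DNS.2 = www.nixops.me
EOF
}

make_self_signed() {  # $1 = config, $2 = cert out, $3 = key out, $4 = days
  # subshell so the restrictive umask (key must not be world-readable) does not leak
  ( umask 077
    openssl req -new -x509 -nodes -sha256 -config "$1" -out "$2" -keyout "$3" -days "$4" 2>/dev/null )
}

san_names() {  # prints the DNS names in the SAN, one per line
  openssl x509 -noout -text -in "$1" | grep -o 'DNS:[^, ]*' | cut -d: -f2
}

is_server_cert() {  # true if OpenSSL would accept the cert for TLS server use
  openssl x509 -noout -purpose -in "$1" | grep -q '^SSL server : Yes'
}

# DH parameters for nginx's ssl_dhparam; 4096 bits takes minutes, so this is
# only defined here and not run by the demo.
gen_dhparam() { openssl dhparam -out "$1" "${2:-4096}" 2>/dev/null; }

# Demo run in a scratch directory.
d=$(mktemp -d)
write_config "$d/nginx-selfsigned.conf"
make_self_signed "$d/nginx-selfsigned.conf" "$d/self.crt" "$d/self.key" 3650
san_names "$d/self.crt"
is_server_cert "$d/self.crt" && echo "usable as a TLS server certificate"
```

Point nginx's ssl_certificate and ssl_certificate_key at self.crt and self.key; the -purpose check is the quick way to tell whether a keyUsage or extendedKeyUsage in a config has accidentally made the certificate unusable for its job.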


References:
https://jamielinux.com/docs/openssl-certificate-authority/index.html
https://stackoverflow.com/questions/21297853/how-to-determine-ssl-cert-expiration-date-from-a-pem-encoded-certificate
https://geekflare.com/openssl-commands-certificates/