{"id":1989,"date":"2023-04-01T10:54:05","date_gmt":"2023-04-01T02:54:05","guid":{"rendered":"https:\/\/www.appblog.cn\/?p=1989"},"modified":"2023-04-22T07:41:52","modified_gmt":"2023-04-21T23:41:52","slug":"summary-of-openssl-key-operations","status":"publish","type":"post","link":"https:\/\/www.appblog.cn\/index.php\/2023\/04\/01\/summary-of-openssl-key-operations\/","title":{"rendered":"OpenSSL\u79d8\u94a5\u64cd\u4f5c\u603b\u7ed3"},"content":{"rendered":"<h2>\u516c\u79c1\u94a5\u751f\u6210<\/h2>\n<pre><code class=\"language-bash\">\/\/\u751f\u62102048\u4f4d\u7684RSA\u79c1\u94a5\nopenssl genrsa -out private.pem 2048\n\n\/\/\u518d\u7531\u79c1\u94a5\u751f\u6210\u516c\u94a5\nopenssl rsa -in private.pem -pubout -out public.pem<\/code><\/pre>\n<p><!-- more --><\/p>\n<h2>ssl\u8bc1\u4e66\u8f6c\u6362cer\u8f6cpem<\/h2>\n<pre><code class=\"language-bash\">\/\/.pem\u8bc1\u4e66\u8f6c.cer\u8bc1\u4e66\nopenssl x509 -outform der -in demo.pem -out demo.cer\n\n\/\/.cer\u8bc1\u4e66\u8f6c.pem\u8bc1\u4e66\nopenssl x509 -inform der -in demo.cer -out demo.pem<\/code><\/pre>\n<h2>\u8bc1\u4e66\u683c\u5f0f\u4ecb\u7ecd<\/h2>\n<blockquote>\n<p>PKCS \u5168\u79f0\u662f Public-Key Cryptography Standards \uff0c\u662f\u7531 RSA \u5b9e\u9a8c\u5ba4\u4e0e\u5176\u5b83\u5b89\u5168\u7cfb\u7edf\u5f00\u53d1\u5546\u4e3a\u4fc3\u8fdb\u516c\u94a5\u5bc6\u7801\u7684\u53d1\u5c55\u800c\u5236\u8ba2\u7684\u4e00\u7cfb\u5217\u6807\u51c6\uff0cPKCS \u76ee\u524d\u5171\u53d1\u5e03\u8fc7 15 \u4e2a\u6807\u51c6 \u5e38\u7528\u7684\u6709\uff1a<\/p>\n<\/blockquote>\n<ul>\n<li><code>PKCS#7<\/code>\uff1aCryptographic Message Syntax Standard<\/li>\n<li><code>PKCS#10<\/code>\uff1aCertification Request Standard<\/li>\n<li><code>PKCS#12<\/code>\uff1aPersonal Information Exchange Syntax Standard<\/li>\n<li><code>X.509<\/code>\uff1a\u662f\u5e38\u89c1\u901a\u7528\u7684\u8bc1\u4e66\u683c\u5f0f\u3002\u6240\u6709\u7684\u8bc1\u4e66\u90fd\u7b26\u5408\u4e3aPublic Key Infrastructure (PKI) \u5236\u5b9a\u7684 ITU-T X509 \u56fd\u9645\u6807\u51c6<\/li>\n<li><code>PKCS#7<\/code>\uff1a\u5e38\u7528\u7684\u540e\u7f00\u662f\uff1a.P7B .P7C .SPC<\/li>\n<li><code>PKCS#12<\/code>\uff1a\u5e38\u7528\u7684\u540e\u7f00\u6709\uff1a.P12 .PFX<\/li>\n<li><code>X.509<\/code>\uff1aDER \u7f16\u7801(ASCII)\u7684\u540e\u7f00\u662f\uff1a.DER .CER .CRT<\/li>\n<li><code>X.509<\/code>\uff1aPAM \u7f16\u7801(Base64)\u7684\u540e\u7f00\u662f\uff1a.PEM .CER .CRT<\/li>\n<li><code>.cer\/.crt<\/code>\uff1a\u662f\u7528\u4e8e\u5b58\u653e\u8bc1\u4e66\uff0c\u5b83\u662f2\u8fdb\u5236\u5f62\u5f0f\u5b58\u653e\u7684\uff0c\u4e0d\u542b\u79c1\u94a5<\/li>\n<li><code>.pem<\/code>\uff1a\u8ddfcrt\/cer\u7684\u533a\u522b\u662f\u5b83\u4ee5Ascii\u6765\u8868\u793a\u3002<\/li>\n<li><code>pfx\/p12<\/code>\uff1a\u7528\u4e8e\u5b58\u653e\u4e2a\u4eba\u8bc1\u4e66\/\u79c1\u94a5\uff0c\u4ed6\u901a\u5e38\u5305\u542b\u4fdd\u62a4\u5bc6\u7801\uff0c2\u8fdb\u5236\u65b9\u5f0f<\/li>\n<li><code>p10<\/code>\uff1a\u662f\u8bc1\u4e66\u8bf7\u6c42<\/li>\n<li><code>p7r<\/code>\uff1a\u662fCA\u5bf9\u8bc1\u4e66\u8bf7\u6c42\u7684\u56de\u590d\uff0c\u53ea\u7528\u4e8e\u5bfc\u5165<\/li>\n<li><code>p7b<\/code>\uff1a\u4ee5\u6811\u72b6\u5c55\u793a\u8bc1\u4e66\u94fe(certificate chain)\uff0c\u540c\u65f6\u4e5f\u652f\u6301\u5355\u4e2a\u8bc1\u4e66\uff0c\u4e0d\u542b\u79c1\u94a5<\/li>\n<\/ul>\n<p>\u5173\u4e8e\u8bc1\u4e66\u540e\u7f00\u683c\u5f0f\u6765\u81ea: <a target=\"_blank\" rel=\"noopener\" href=\"https:\/\/www.chinassl.net\/ssltools\/convert-ssl-commands.html\">https:\/\/www.chinassl.net\/ssltools\/convert-ssl-commands.html<\/a><\/p>\n<h2>\u4f7f\u7528OpenSSL\u8fdb\u884c\u8f6c\u6362<\/h2>\n<p>\u5c06PEM\u8f6c\u6362\u4e3aCRT(.CRT\u6587\u4ef6)<\/p>\n<pre><code class=\"language-bash\">openssl x509 -outform der -in certificate.pem -out certificate.crt<\/code><\/pre>\n<p>\u5c06DER\u6587\u4ef6(.crt .cer .der)\u8f6c\u6362\u4e3aPEM<\/p>\n<pre><code class=\"language-bash\">openssl x509 -inform der -in certificate.cer -out certificate.pem<\/code><\/pre>\n<p>\u5c06PEM\u8f6c\u6362\u4e3aDER<\/p>\n<pre><code class=\"language-bash\">openssl x509 -outform der -in certificate.pem -out certificate.der<\/code><\/pre>\n<p>\u5c06\u5305\u542b\u79c1\u94a5\u548c\u8bc1\u4e66\u7684PKCS#12\u6587\u4ef6(.pfx .p12)\u8f6c\u6362\u4e3aPEM<\/p>\n<pre><code class=\"language-bash\">openssl pkcs12 -in keyStore.pfx -out keyStore.pem -nodes<\/code><\/pre>\n<blockquote>\n<p>You can add -nocerts to only output the private key or add -nokeys to only output the certificates.<\/p>\n<\/blockquote>\n<p>\u5c06PEM\u8bc1\u4e66\u6587\u4ef6\u548c\u79c1\u94a5\u8f6c\u6362\u4e3aPKCS#12(.pfx .p12)<\/p>\n<pre><code class=\"language-bash\">openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt<\/code><\/pre>\n<p>\u5c06PEM\u8f6c\u6362\u4e3aP7B<\/p>\n<pre><code class=\"language-bash\">openssl crl2pkcs7 -nocrl -certfile certificate.cer -out certificate.p7b -certfile CACert.cer<\/code><\/pre>\n<p>\u5c06P7B\u8f6c\u6362\u4e3aPEM<\/p>\n<pre><code class=\"language-bash\">openssl pkcs7 -print_certs -in certificate.p7b -out certificate.cer<\/code><\/pre>\n<p>\u5c06PEM\u8f6c\u6362\u4e3aPFX<\/p>\n<pre><code class=\"language-bash\">openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt<\/code><\/pre>\n<p>\u5c06P7B\u8f6c\u6362\u4e3aPFX<\/p>\n<pre><code class=\"language-bash\">openssl pkcs7 -print_certs -in certificate.p7b -out certificate.cer\n\nopenssl pkcs12 -export -in certificate.cer -inkey privateKey.key -out certificate.pfx -certfile CACert.cer<\/code><\/pre>\n<p>\u5c06PFX\u8f6c\u6362\u4e3aPEM<\/p>\n<pre><code class=\"language-bash\">openssl pkcs12 -in certificate.pfx -out certificate.cer -nodes<\/code><\/pre>\n<h2>\u901a\u8fc7OpenSSL\u751f\u6210RSA\u5bc6\u94a5<\/h2>\n<p>\u5728\u547d\u4ee4\u884c\u4e0a\u4f7f\u7528OpenSSL\uff0c\u9996\u5148\u9700\u8981\u751f\u6210\u516c\u94a5\u548c\u79c1\u94a5\uff0c\u5e94\u8be5\u4f7f\u7528<code>-passout<\/code>\u53c2\u6570\u5bc6\u7801\u4fdd\u62a4\u6b64\u6587\u4ef6\uff0c\u8be5\u53c2\u6570\u53ef\u4ee5\u91c7\u7528\u8bb8\u591a\u4e0d\u540c\u7684\u5f62\u5f0f\uff0c\u53ef\u4ee5\u8bf7\u53c2\u9605OpenSSL\u6587\u6863\u3002<\/p>\n<pre><code class=\"language-bash\">openssl genrsa -out private.pem 1024<\/code><\/pre>\n<p>\u8fd9\u5c06\u521b\u5efa\u4e00\u4e2a\u540d\u4e3a<code>private.pem<\/code>\u7684\u5bc6\u94a5\u6587\u4ef6\uff0c\u8be5\u6587\u4ef6\u4f7f\u75281024\u4f4d(bits)\u3002\u8be5\u6587\u4ef6\u5b9e\u9645\u4e0a\u540c\u65f6\u5177\u6709\u79c1\u94a5\u548c\u516c\u94a5\uff0c\u53ef\u4ee5\u4ece\u8be5\u6587\u4ef6\u4e2d\u63d0\u53d6\u516c\u5171\u5bc6\u94a5\uff1a<\/p>\n<pre><code class=\"language-bash\">openssl rsa -in private.pem -out public.pem -outform PEM -pubout<\/code><\/pre>\n<p>or<\/p>\n<pre><code class=\"language-bash\">openssl rsa -in private.pem -pubout &gt; public.pem<\/code><\/pre>\n<p>or<\/p>\n<pre><code class=\"language-bash\">openssl rsa -in private.pem -pubout -out public.pem<\/code><\/pre>\n<p>\u73b0\u5728<code>public.pem<\/code>\u53ea\u5305\u542b\u516c\u94a5\uff0c\u53ef\u4ee5\u548c\u7b2c\u4e09\u65b9\u81ea\u7531\u5730\u5206\u4eab\u3002\u53ef\u4ee5\u901a\u8fc7\u4f7f\u7528\u516c\u94a5\u52a0\u5bc6\u7136\u540e\u4f7f\u7528\u79c1\u94a5\u8fdb\u884c\u89e3\u5bc6\u6765\u6d4b\u8bd5\uff0c\u9996\u5148\u6211\u4eec\u9700\u8981\u4e00\u4e9b\u6570\u636e\u505a\u52a0\u5bc6\uff1a<\/p>\n<p>\u793a\u4f8b\u6587\u4ef6\uff1a<\/p>\n<pre><code class=\"language-bash\">echo &#039;too many secrets&#039; &gt; file.txt<\/code><\/pre>\n<p>\u73b0\u5728\u5728<code>file.txt<\/code>\u4e2d\u6709\u4e00\u4e9b\u6570\u636e\uff0c\u53ef\u4ee5\u4f7f\u7528OpenSSL\u548c\u516c\u94a5\u8fdb\u884c\u52a0\u5bc6\uff1a<\/p>\n<pre><code class=\"language-bash\">openssl rsautl -encrypt -inkey public.pem -pubin -in file.txt -out encrypted.txt<\/code><\/pre>\n<p>\u8fd9\u5c06\u521b\u5efa\u4e00\u4e2a\u52a0\u5bc6\u7248\u672c\u7684<code>file.txt<\/code>\uff0c\u8fd9\u4e2a\u6587\u4ef6\u4e3a<code>encrypted.txt<\/code>\uff08\u5982\u679c\u76f4\u63a5\u6253\u5f00\u8fd9\u4e2a\u6587\u4ef6\u67e5\u770b\u90a3\u4e48\u5b83\u770b\u8d77\u6765\u53ea\u662f\u4e8c\u8fdb\u5236\u5783\u573e\uff0c\u4eba\u7c7b\u65e0\u6cd5\u770b\u61c2\uff09\u3002\u7136\u540e\u53ef\u4ee5\u4f7f\u7528\u79c1\u94a5\u89e3\u5bc6\u5b83\uff1a<\/p>\n<pre><code class=\"language-bash\">openssl rsautl -decrypt -inkey private.pem -in encrypted.txt -out decrypted.txt<\/code><\/pre>\n<p>\u73b0\u5728\u5728<code>decryptpted.txt<\/code>\u4e2d\u4fbf\u662f\u672a\u52a0\u5bc6\u7684\u5185\u5bb9\uff1a<\/p>\n<pre><code class=\"language-bash\">cat decrypted.txt\n|output -&gt; too many secrets<\/code><\/pre>\n<h2>\u5178\u578b\u6837\u4f8b<\/h2>\n<p>\u4f7f\u7528\u4e09\u91cdDES\u52a0\u5bc6\u79c1\u94a5\uff1a<\/p>\n<pre><code class=\"language-bash\">openssl rsa -in key.pem -des3 -out keyout.pem<\/code><\/pre>\n<p>\u8981\u5220\u9664RSA\u79c1\u94a5\u4e0a\u7684\u5bc6\u7801\u77ed\u8bed\uff1a<\/p>\n<pre><code class=\"language-bash\">openssl rsa -in key.pem -out keyout.pem<\/code><\/pre>\n<p>\u5c06\u79c1\u94a5\u4ecePEM\u8f6c\u6362\u4e3aDER\u683c\u5f0f\uff1a<\/p>\n<pre><code class=\"language-bash\">openssl rsa -in key.pem -outform DER -out keyout.der<\/code><\/pre>\n<p>\u5c06\u79c1\u94a5\u7684\u7ec4\u4ef6\u8f93\u51fa\u5230\u6807\u51c6\u8f93\u51fa\uff1a<\/p>\n<pre><code class=\"language-bash\">openssl rsa -in key.pem -text -noout<\/code><\/pre>\n<p>\u8981\u8f93\u51fa\u79c1\u94a5\u7684\u516c\u5171\u90e8\u5206\uff1a<\/p>\n<pre><code class=\"language-bash\">openssl rsa -in key.pem -pubout -out pubkey.pem<\/code><\/pre>\n<p>\u4ee5RSAPublicKey\u683c\u5f0f\u8f93\u51fa\u79c1\u94a5\u7684\u516c\u5171\u90e8\u5206\uff1a<\/p>\n<pre><code class=\"language-bash\">openssl rsa -in key.pem -RSAPublicKey_out -out pubkey.pem<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"<p>\u516c\u79c1\u94a5\u751f\u6210 \/\/\u751f\u62102048\u4f4d\u7684RSA\u79c1\u94a5 openssl genrsa -out private.pem 2 [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[97],"tags":[185,146],"class_list":["post-1989","post","type-post","status-publish","format-standard","hentry","category-tools-skills","tag-openssh","tag-openssl"],"_links":{"self":[{"href":"https:\/\/www.appblog.cn\/index.php\/wp-json\/wp\/v2\/posts\/1989","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.appblog.cn\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.appblog.cn\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.appblog.cn\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.appblog.cn\/index.php\/wp-json\/wp\/v2\/comments?post=1989"}],"version-history":[{"count":0,"href":"https:\/\/www.appblog.cn\/index.php\/wp-json\/wp\/v2\/posts\/1989\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.appblog.cn\/index.php\/wp-json\/wp\/v2\/media?parent=1989"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.appblog.cn\/index.php\/wp-json\/wp\/v2\/categories?post=1989"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.appblog.cn\/index.php\/wp-json\/wp\/v2\/tags?post=1989"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}