证书制作命令
更新于 2021-12-28
简介
积累openssl和gmssl命令
密钥用途
原文点此处
密钥扩展用途指定证书内公钥的作用.
| Key usage extension |
Description |
| Digital signature |
Use when the public key is used with a digital signature mechanism to support security services other than non-repudiation, certificate signing, or CRL signing. A digital signature is often used for entity authentication and data origin authentication with integrity. |
| Non-repudiation |
Use when the public key is used to verify digital signatures used to provide a non-repudiation service. Non-repudiation protects against the signing entity falsely denying some action (excluding certificate or CRL signing). |
| Key encipherment |
Use when a certificate will be used with a protocol that encrypts keys. An example is S/MIME enveloping, where a fast (symmetric) key is encrypted with the public key from the certificate. SSL protocol also performs key encipherment. |
| Data encipherment |
Use when the public key is used for encrypting user data, other than cryptographic keys. |
| Key agreement |
Use when the sender and receiver of the public key need to derive the key without using encryption. This key can then can be used to encrypt messages between the sender and receiver. Key agreement is typically used with Diffie-Hellman ciphers. |
| Certificate signing |
Use when the subject public key is used to verify a signature on certificates. This extension can be used only in CA certificates. |
| CRL signing |
Use when the subject public key is to verify a signature on revocation information, such as a CRL. |
| Encipher only |
Use only when key agreement is also enabled. This enables the public key to be used only for enciphering data while performing key agreement. |
| Decipher only |
Use only when key agreement is also enabled. This enables the public key to be used only for deciphering data while performing key agreement. |
| Extended key |
Enable for these key usage extensions |
| TLS Web server authentication |
Digital signature, key encipherment or key agreement |
| TLS Web client authentication |
Digital signature and/or key agreement |
| Sign (downloadable) executable code |
Digital signature |
| Email protection |
Digital signature, non-repudiation, and/or key encipherment or key agreement |
| IPSEC End System (host or router) |
Digital signature and/or key encipherment or key agreement |
| IPSEC Tunnel |
Digital signature and/or key encipherment or key agreement |
| IPSEC User |
Digital signature and/or key encipherment or key agreement |
| Timestamping |
Digital signature, non-repudiation. |
opnessl命令
如果要指定证书通途,需要添加配置配置文件.
配置文件太多了,详见script
CA自签名证书
| Bash |
|---|
| openssl req -new -batch -x509 -days 365 -nodes -newkey rsa:1024 -out cacert.pem -keyout cakey.pem -subj /CN=ca.localdomain/C=FR/ST=BdR/L=Aix/O=fD/OU=Tests
|
签发证书
| Bash |
|---|
| #产生私钥
openssl genrsa -out peer1.key.pem 1024
#产生证书请求文件
openssl req -new -batch -out peer1.csr.pem -key peer1.key.pem -subj /CN=peer1.cn/C=FR/ST=BdR/L=Aix/O=fD/OU=Tests
openssl ca -cert cacert.pem -keyfile cakey.pem -in peer1.csr.pem -out peer1.cert.pem -outdir . -batch
|
密钥
| Bash |
|---|
1
2
3
4
5
6
7
8
9
10
11
12
13
14 | #rsa 私钥
openssl genrsa -out rsa_private_key.pem 1024
#生成公钥
openssl rsa -in rsa_private_key.pem -pubout -out rsa_public_key.pem
#生成加密私钥
openssl genpkey -algorithm RSA -out privatekey.pem -pass pass:1234 -des-ede3-cbc
#解密私钥文件
openssl pkey -in privatekey.pem -out privatekey.der-passin pass:1234
#公钥验证
openssl rsautl -verify -in test.sig -out test.vfy -inkey asn1pub.pem -pubin
#检查密钥完整性
openssl rsa -in private.pem -check -noout
#私钥签名
openssl rsautl -sign -in test -out test.sig-inkey asn1enc.pem
|
加解密
| Bash |
|---|
| #加密
openssl rsautl -encrypt -inkey rsa_public_key.pem -pubin -in test.txt -out test.enc
#解密
openssl rsautl -decrypt -inkey rsa_private_key.pem -in test.enc -out test.dec
|
格式转换
| Bash |
|---|
| #查看crs请求文件
openssl req -in peer1.csr.pem -noout -text
#pem转crt
openssl x509 -in fullchain.pem -out fullchain.crt
#转换成PKCS8格式
openssl pkcs8 -topk8 -inform PEM -in rsa_private_key.pem -outform PEM -nocrypt
#格式转换
openssl rsa -in privatekey.pem -out privatekey.pvk -outform PVK
# crt转pkcs12
openssl pkcs12 -export -in client.crt -inkey client.key -out client.p12 -name "client"
|
国密
目前openssl不支持国密sm⅔签发证书
| Bash |
|---|
| #私钥
openssl ecparam -genkey -name SM2 -out priv.key
#公钥
openssl ec -in priv.key -pubout -out public.pem
#证书请求
openssl req -config ../ssl/openssl.cnf -key sm2.key -new -out sm2.req
#签发证书
openssl x509 -req -in sm2.req -signkey sm2.key -out sm2.pem
|
gmssl相关命令
一般环境都装有openssl,编译gmssl做国密证书时,直接设置下动态链接库路径,避免安装gmssl.
| Bash |
|---|
| export LD_LIBRARY_PATH=`pwd`
|
密钥
| Bash |
|---|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21 | #私钥
gmssl ecparam -genkey -name sm2p256v1 -out priv.key
#公钥
gmssl pkey -pubout -in ca_priv.key -out ca_pub.key
#打印公钥私钥
gmssl sm2 -in ca.key -text
#证书请求
gmssl req -new -key user.key -out user.req -subj /CN=ca.localdomain/C=CN/ST=BdR/L=Aix/O=fD/OU=Tests
#自签名证书
gmssl req -x509 -sm3 -days 3650 -key cakey.pem -in cacsr.pem -out cacert.pem
#签名证书
gmssl ca -md sm3 -cert cacert.pem -keyfile ca_priv.key -in peer1.req -out peer1.pem -days 3650 -outdir . -batch
#验证
gmssl s_server -key server_key.pem -cert server_cert.pem -CAfile cacert.pem -cipher ECDHE-SM4-SM3 -verify 1
gmssl s_client -key client_key.pem -cert client_cert.pem -CAfile cacert.pem -cipher ECDHE-SM4-SM3 -verify 1
|