OpenSSL and Certificates Explained

I. Public and Private Keys

1. Generate a private key file

# Generate the CA private key (ca.key, the CA's own private key)
openssl genrsa -out ca.key 2048

[yiifung@master01 ca]$ openssl genrsa -out ca.key 2048
Generating RSA private key, 2048 bit long modulus
.......................+++
.....................................+++
e is 65537 (0x10001)

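2. Derive the public key from the private key file

# Derive the public key from the private key above (ca.pem, the CA's own public key); -pubout writes a public key file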
openssl rsa -in ca.key -pubout -out ca.pem

[yiifung@master01 ca]$ openssl rsa -in ca.key -pubout -out ca.pem
writing RSA key
[yiifung@master01 ca]$ ll
total 8
-rw-rw-r--. 1 yiifung yiifung 1679 Jul 15 02:03 ca.key
-rw-rw-r--. 1 yiifung yiifung  451 Jul 15 02:07 ca.pem
[yiifung@master01 ca]$ more ca.pem 
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1lGkxLWC3GILPwULlGaa
mVaIg4pExam4B6OxuV8gx4t3KszBLAdKBXETtkux4aCQq3pGbitzBHJoVeQ0khbz
7OclheA0F38rsmCez9DnM2+hyD4O1MDzzaJBCDGz/UXJNANGM4Wx3UqQkMsAsLpT
lt2277+GCneqkRmY48qbD2SmNFMS/FByKoC3cZxTDxSfNxhUGsR3u+iNnnp9DXP+
ZsCu0dDDpMXibJpi2tWVdASZJzN1YI63G3nfCYifKslcWlhdLfE8g/XLQLY0G54/
/TiF01dmkirbAzVoxucb++acXeE+E53FppYUF1li3PadVZRjnOCaC/WUEOZK7L86
rQIDAQAB
-----END PUBLIC KEY-----
[yiifung@master01 ca]$

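3. Print and inspect public and private key information

# Print the private key as text; -in names the input file, -text prints the key in text form
openssl rsa -in ca.key -text
# Print the public key as text; -pubin says the input file is a public key
openssl rsa -pubin -in ca.pem -text
# Show the modulus of the public key and of the private key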
openssl rsa -pubin -in ca.pem  -modulus
[yiifung@master01 ca]$ openssl rsa -pubin -in ca.pem  -modulus
Modulus=D651A4C4B582DC620B3F050B94669A995688838A44C5A9B807A3B1B95F20C78B772ACCC12C074A057113B64BB1E1A090AB7A466E2B7304726855E4349216F3ECE72585E034177F2BB2609ECFD0E7336FA1C83E0ED4C0F3CDA2410831B3FD45C93403463385B1DD4A9090CB00B0BA5396DDB6EFBF860A77AA911998E3CA9B0F64A6345312FC50722A80B7719C530F149F3718541AC477BBE88D9E7A7D0D73FE66C0AED1D0C3A4C5E26C9A62DAD595740499273375608EB71B79DF09889F2AC95C5A585D2DF13C83F5CB40B6341B9E3FFD3885D35766922ADB033568C6E71BFBE69C5DE13E139DC5A69614175962DCF69D5594639CE09A0BF59410E64AECBF3AAD
writing RSA key
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1lGkxLWC3GILPwULlGaa
mVaIg4pExam4B6OxuV8gx4t3KszBLAdKBXETtkux4aCQq3pGbitzBHJoVeQ0khbz
7OclheA0F38rsmCez9DnM2+hyD4O1MDzzaJBCDGz/UXJNANGM4Wx3UqQkMsAsLpT
lt2277+GCneqkRmY48qbD2SmNFMS/FByKoC3cZxTDxSfNxhUGsR3u+iNnnp9DXP+
ZsCu0dDDpMXibJpi2tWVdASZJzN1YI63G3nfCYifKslcWlhdLfE8g/XLQLY0G54/
/TiF01dmkirbAzVoxucb++acXeE+E53FppYUF1li3PadVZRjnOCaC/WUEOZK7L86
rQIDAQAB
-----END PUBLIC KEY-----
openssl rsa -in ca.key -modulus
# -noout: do not print the encoded key
openssl rsa -pubin -in ca.pem -modulus -noout

II. CSR Files

1. Generate a CSR from the private key

# Generate a CSR from the private key; -new creates a new request, -key names the private key to use
openssl req -new  -key ca.key -out ca.csr   

[yiifung@localhost ssl]$ openssl req -new  -key ca.key -out ca.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:shanghai 
Locality Name (eg, city) [Default City]:shanghai
Organization Name (eg, company) [Default Company Ltd]:bos
Organizational Unit Name (eg, section) []:yyzc
Common Name (eg, your name or your server's hostname) []:lichf1
Email Address []:[email protected]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[yiifung@localhost ssl]$ 

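2. Print the information in the certificate request

# Print the certificate request as text (-text)
openssl req  -in ca.csr   -text
# Print the public key contained in the CSR (-pubkey)
openssl req  -in ca.csr  -pubkey  -text
# -noout suppresses the certificate request itself, so only the public key is printed
openssl req  -in ca.csr  -pubkey  -noout

# The public key in ca.pem is identical to the public key in ca.csr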
[yiifung@master01 ca]$ openssl req  -in ca.csr  -pubkey  -noout  -out ca.pem1
[yiifung@master01 ca]$ diff ca.pem  ca.pem1
[yiifung@master01 ca]$ 
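
The diff above, turned into a reusable check and extended beyond the page's case to private keys, public keys, CSRs and certificates. This is an added example, not part of the original page; it assumes RSA keys that are not passphrase-protected, and the file names and subject are constructed.

```sh
#!/bin/sh
# Added example, not from the original page. Assumes RSA keys (as on this
# page) and unencrypted private keys; all file names are constructed.

# pubkey_of FILE: print the public key (PEM) carried by a private key,
# public key, CSR or certificate, chosen by the PEM header of FILE.
pubkey_of() {
    if grep -q 'BEGIN CERTIFICATE REQUEST' "$1"; then
        openssl req -in "$1" -pubkey -noout
    elif grep -q 'BEGIN CERTIFICATE' "$1"; then
        openssl x509 -in "$1" -pubkey -noout
    elif grep -q 'BEGIN PUBLIC KEY' "$1"; then
        openssl rsa -pubin -in "$1" -pubout 2>/dev/null
    elif grep -q 'PRIVATE KEY' "$1"; then
        openssl rsa -in "$1" -pubout 2>/dev/null
    else
        return 2    # not a PEM object this script knows
    fi
}

# same_key A B: 0 = same public key, 1 = different, 2 = unreadable input
same_key() {
    a=$(pubkey_of "$1") && b=$(pubkey_of "$2") || return 2
    [ "$a" = "$b" ]
}

demo() {
    d=$(mktemp -d) || return 2
    openssl genrsa -out "$d/ca.key" 2048 2>/dev/null
    openssl genrsa -out "$d/other.key" 2048 2>/dev/null
    openssl req -new -key "$d/ca.key" -subj "/CN=constructed.example" -out "$d/ca.csr"
    for f in ca.key other.key; do
        if same_key "$d/$f" "$d/ca.csr"; then
            echo "$f matches ca.csr"
        else
            echo "$f does NOT match ca.csr"
        fi
    done
    rm -rf "$d"
}
demo
```

Running the same check before installing a certificate catches the common mistake of pairing it with the wrong private key.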

3. Generate a certificate request non-interactively

openssl req -new -key ca.key \
  -subj "/C=CN/ST=ShangHai/L=Shanghai/O=bos/OU=yyzv/CN=lichf.com/emailAddress=lichf1" \
  -out ca.csr

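4. Certificate request fields explained

Abbreviation   Meaning                                       OpenSSL prompt
C              Country code                                  Country Name (2 letter code)
ST             State or province name                        State or Province Name (full name)
L              City or locality name                         Locality Name (eg, city)
O              Organization (or company) name                Organization Name (eg, company)
OU             Organizational unit (or department) name      Organizational Unit Name (eg, section)
CN             Server domain name / certificate owner name   Common Name (e.g. server FQDN or YOUR name)
emailAddress   Email address                                 Email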

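5. How browsers validate a certificate

When a browser connects to your server over HTTPS, it checks that your SSL certificate matches the host name in the address bar. The browser has three ways to find a match:
1. The host name (in the address bar) exactly matches the Common Name in the certificate Subject.
2. The host name matches a wildcard Common Name. For example, www.example.com matches the Common Name *.example.com.
3. The host name is listed in the Subject Alternative Name (SAN) field.

The client uses the information returned by the server to verify that the server is legitimate, including:
Whether the certificate has expired
Whether the CA that issued the server certificate is trusted
Whether the returned public key correctly validates the digital signature in the returned certificate
Whether the domain name on the server certificate matches the server's actual domain name (check the CN or SAN, see above)
If verification passes, communication continues; otherwise it is terminated.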

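III. Generate a self-signed certificate from the CSR (root certificate, X.509 format)

1. Generate a self-signed certificate from the CSR and the private key

# Generate a self-signed certificate from the CSR and the private key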
openssl x509 -req -in ca.csr -signkey ca.key -out ca.crt -days 3650

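2. Generate the private key and the certificate directly

# Generate the private key and the certificate in one step
openssl req -newkey rsa:2048 -x509 -nodes -keyout ca.key -out ca.crt -days 3650 -subj "/C=CN/O=People's Republic of China/CN=China CA"
# Generate the certificate from an existing private key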
openssl req -x509 -new -key ca.key -out ca.crt -days 3650 -subj "/C=CN/O=People's Republic of China/CN=China CA"

3. Print the certificate contents

3.1 Print the certificate as text, with full details

# Print the certificate as text, with full details
openssl x509 -in ca.crt -text
[yiifung@master01 ca]$ openssl x509 -in ca.crt -text 
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number:
            84:55:d0:ab:f1:68:8c:b1
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=CN, ST=shanghai, L=shanghai, O=BOS, OU=YYZC
        Validity
            Not Before: Jul 15 15:47:21 2023 GMT
            Not After : Jul 12 15:47:21 2033 GMT
        Subject: C=CN, ST=shanghai, L=shanghai, O=BOS, OU=YYZC
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:d6:51:a4:c4:b5:82:dc:62:0b:3f:05:0b:94:66:
                    9a:99:56:88:83:8a:44:c5:a9:b8:07:a3:b1:b9:5f:
                    20:c7:8b:77:2a:cc:c1:2c:07:4a:05:71:13:b6:4b:
                    b1:e1:a0:90:ab:7a:46:6e:2b:73:04:72:68:55:e4:
                    34:92:16:f3:ec:e7:25:85:e0:34:17:7f:2b:b2:60:
                    9e:cf:d0:e7:33:6f:a1:c8:3e:0e:d4:c0:f3:cd:a2:
                    41:08:31:b3:fd:45:c9:34:03:46:33:85:b1:dd:4a:
                    90:90:cb:00:b0:ba:53:96:dd:b6:ef:bf:86:0a:77:
                    aa:91:19:98:e3:ca:9b:0f:64:a6:34:53:12:fc:50:
                    72:2a:80:b7:71:9c:53:0f:14:9f:37:18:54:1a:c4:
                    77:bb:e8:8d:9e:7a:7d:0d:73:fe:66:c0:ae:d1:d0:
                    c3:a4:c5:e2:6c:9a:62:da:d5:95:74:04:99:27:33:
                    75:60:8e:b7:1b:79:df:09:88:9f:2a:c9:5c:5a:58:
                    5d:2d:f1:3c:83:f5:cb:40:b6:34:1b:9e:3f:fd:38:
                    85:d3:57:66:92:2a:db:03:35:68:c6:e7:1b:fb:e6:
                    9c:5d:e1:3e:13:9d:c5:a6:96:14:17:59:62:dc:f6:
                    9d:55:94:63:9c:e0:9a:0b:f5:94:10:e6:4a:ec:bf:
                    3a:ad
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha256WithRSAEncryption
         65:a2:d8:f9:39:21:0e:e5:20:d2:39:eb:43:ad:61:9d:6a:d6:
         3f:84:7b:32:f2:4d:46:57:87:cd:88:b1:52:a4:04:33:c3:0f:
         56:04:5e:e7:7c:7d:bf:11:71:a7:91:55:6c:04:5e:ce:63:47:
         e9:41:45:ce:ce:58:cc:1c:4c:dc:8e:46:e5:1e:05:0b:20:85:
         fe:04:1f:3a:55:a5:06:3e:04:76:ef:18:65:9f:84:a8:2a:66:
         f5:8b:46:7c:ad:97:2e:a4:23:32:89:6a:91:c2:c3:57:06:74:
         a8:86:81:d8:10:41:ee:ac:a3:7f:00:54:f9:8c:3c:78:82:5e:
         e4:cc:0f:74:ff:74:c4:3e:7b:76:da:8d:cf:55:91:a9:1d:64:
         0c:3a:d0:44:0e:a4:ce:f8:8f:a1:72:bf:0b:f0:9f:79:86:1e:
         d2:c2:ef:da:2c:e0:b7:73:cd:61:74:fb:4a:15:e3:42:7f:f4:
         30:b1:f3:0c:7c:b1:0c:61:89:ce:d6:39:cf:95:47:fd:32:c6:
         77:09:ae:41:9e:5a:4d:c2:36:23:21:50:c9:1f:72:80:ad:70:
         31:c8:e7:3e:00:aa:b7:17:67:c1:2e:40:f4:61:5b:92:c3:51:
         c5:24:61:27:dc:65:18:fb:c3:0b:66:81:86:be:18:8e:fe:36:
         ae:80:9a:32
[yiifung@master01 ca]$ 


3.2 Print the public key from the certificate; this prints both the public key and the certificate contents

openssl x509 -in ca.crt -text -pubkey 

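3.3 Print the validity dates

openssl x509 -in ca.crt -text -dates

3.4 Print the certificate serial number

openssl x509 -in ca.crt  -serial

3.5 Print the certificate subject (owner) name

openssl x509 -in ca.crt  -subject

IV. Sign other certificates with the root certificate, the root private key and a certificate request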

openssl x509 -req -CA ca.crt -CAkey ca.key -in server.csr -out server.crt -CAcreateserial -days 3650
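
The signing step above combined with the client-side checks from section II.5, as an added example that is not part of the original page: it builds a root CA, issues a server certificate, then verifies the chain and the host name. `openssl x509 -req` does not copy extensions from the CSR unless told to, so the SAN, which is where current browsers look for the host name, is supplied with `-extfile`; host names, subjects and file names are constructed.

```sh
#!/bin/sh
# Added example, not from the original page. Host names, subjects and file
# names are constructed; everything is written to a temporary directory.

# issue_and_check CERT_HOST PROBE_HOST
#   0 = chain and host name verify, 3 = chain fails, 4 = host name mismatch,
#   2 = a generation step failed
issue_and_check() {
    d=$(mktemp -d) || return 2
    (
        cd "$d" || exit 2
        # Root CA: private key plus self-signed certificate (section III.2)
        openssl req -newkey rsa:2048 -x509 -nodes -keyout ca.key -out ca.crt \
            -days 30 -subj "/O=Constructed Test/CN=Constructed Test CA" \
            2>/dev/null || exit 2
        # Server key and CSR (section II.3)
        openssl req -newkey rsa:2048 -nodes -keyout server.key \
            -out server.csr -subj "/O=Constructed Test/CN=$1" \
            2>/dev/null || exit 2
        # The SAN is supplied at signing time through -extfile
        printf 'subjectAltName=DNS:%s\n' "$1" > san.ext
        # Sign with the root certificate and root key (section IV)
        openssl x509 -req -CA ca.crt -CAkey ca.key -CAcreateserial \
            -in server.csr -out server.crt -days 30 -extfile san.ext \
            2>/dev/null || exit 2
        # Is the certificate signed by a CA we trust and still valid?
        openssl verify -CAfile ca.crt server.crt >/dev/null 2>&1 || exit 3
        # Does the certificate cover the name the client asked for?
        openssl verify -CAfile ca.crt -verify_hostname "$2" server.crt \
            >/dev/null 2>&1 || exit 4
    )
    rc=$?
    rm -rf "$d"
    return "$rc"
}

for probe in www.example.test api.example.test; do
    issue_and_check www.example.test "$probe"
    echo "certificate for www.example.test, client asks for $probe: rc=$?"
done
```

A wildcard entry such as `*.example.test` covers exactly one label, so `www.example.test` verifies and `a.b.example.test` does not.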

V. Generating encrypted private keys

1. Generate an encrypted private key

openssl genrsa -aes256 -passout pass:111111 -out rsa_aes_private.key 2048

[yiifung@master01 ca]$ openssl genrsa -aes256   -out rsa_aes_private.key 2048
Generating RSA private key, 2048 bit long modulus
...............................................+++
.....+++
e is 65537 (0x10001)
Enter pass phrase for rsa_aes_private.key:
Verifying - Enter pass phrase for rsa_aes_private.key:
Verify failure
User interface error
139636015818640:error:0906906F:PEM routines:PEM_ASN1_write_bio:read key:pem_lib.c:385:
[yiifung@master01 ca]$ openssl genrsa -aes256 -passout pass:111111 -out rsa_aes_private.key 2048
Generating RSA private key, 2048 bit long modulus
........+++
.........+++
e is 65537 (0x10001)
[yiifung@master01 ca]$ 

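2. Generate an unencrypted private key

# Generate an unencrypted RSA private key
openssl genrsa  -out rsa_aes_private.key 2048

3. Derive the public key from an encrypted private key

# Enter the passphrase interactively and write the matching public key
openssl rsa -in rsa_aes_private.key  -pubout -out rsa_public.key
# Non-interactive form
openssl rsa -in rsa_aes_private.key -passin pass:111111 -pubout -out rsa_public.key

4. Convert between encrypted and unencrypted keys

# Encrypted to unencrypted
openssl rsa -in rsa_aes_private.key -passin pass:111111 -out rsa_private.key
# Unencrypted to encrypted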
openssl rsa -in rsa_private.key -aes256 -passout pass:111111 -out rsa_aes_private.key
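
A passphrase given as `pass:...` is visible in the process list and in shell history. The added example below (not part of the original page) runs the same generate and decrypt steps with the passphrase read from an owner-only file through `file:`, and checks whether a key file is actually encrypted; the passphrase and file names are constructed.

```sh
#!/bin/sh
# Added example, not from the original page. The passphrase and file names
# are constructed. The passphrase is read from a file that only the owner
# can read, so it never appears in the process list or shell history.

# is_encrypted FILE: 0 when the PEM private key is passphrase-protected.
# Traditional PEM marks this with a Proc-Type header, PKCS#8 with its label.
is_encrypted() {
    grep -Eq 'Proc-Type: 4,ENCRYPTED|BEGIN ENCRYPTED PRIVATE KEY' "$1"
}

# gen_encrypted_key OUT PASSFILE
gen_encrypted_key() {
    openssl genrsa -aes256 -passout "file:$2" -out "$1" 2048 2>/dev/null
}

# decrypt_key IN PASSFILE OUT: non-zero when the passphrase is wrong
decrypt_key() {
    openssl rsa -in "$1" -passin "file:$2" -out "$3" 2>/dev/null
}

demo() {
    d=$(mktemp -d) || return 2
    ( umask 077; printf '%s\n' 'constructed-passphrase' > "$d/pass" )
    printf '%s\n' 'not-the-passphrase' > "$d/wrong"
    gen_encrypted_key "$d/enc.key" "$d/pass"
    is_encrypted "$d/enc.key" && echo "enc.key is encrypted"
    decrypt_key "$d/enc.key" "$d/wrong" "$d/bad.key" || echo "wrong passphrase rejected"
    decrypt_key "$d/enc.key" "$d/pass" "$d/plain.key" && echo "decrypted to plain.key"
    is_encrypted "$d/plain.key" || echo "plain.key is NOT encrypted"
    rm -rf "$d"
}
demo
```

`env:VARNAME` is the other passphrase source OpenSSL accepts for `-passin` and `-passout` when a file is inconvenient.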
