查看OpenSSL的版本信息:
root@ openssl version
OpenSSL 3.4.0 22 Oct 2024 (Library: OpenSSL 3.4.0 22 Oct 2024)
注:root@ 代表命令行提示符,不属于输入部分。
获取OpenSSL的帮助信息:
root@ openssl help
help:Standard commands # 基本命令工具
asn1parse ca ciphers cmp
cms crl crl2pkcs7 dgst
dhparam dsa dsaparam ec
ecparam enc engine errstr
fipsinstall gendsa genpkey genrsa
help info kdf list
mac nseq ocsp passwd
pkcs12 pkcs7 pkcs8 pkey
pkeyparam pkeyutl prime rand
rehash req rsa rsautl
s_client s_server s_time sess_id
smime speed spkac srp
storeutl ts verify version
x509# 消息摘要相关的算法
Message Digest commands (see the `dgst' command for more details)
blake2b512 blake2s256 md4 md5
mdc2 rmd160 sha1 sha224
sha256 sha3-224 sha3-256 sha3-384
sha3-512 sha384 sha512 sha512-224
sha512-256 shake128 shake256 sm3# 加密相关的算法
Cipher commands (see the `enc' command for more details)
aes-128-cbc aes-128-ecb aes-192-cbc aes-192-ecb
aes-256-cbc aes-256-ecb aria-128-cbc aria-128-cfb
aria-128-cfb1 aria-128-cfb8 aria-128-ctr aria-128-ecb
aria-128-ofb aria-192-cbc aria-192-cfb aria-192-cfb1
aria-192-cfb8 aria-192-ctr aria-192-ecb aria-192-ofb
aria-256-cbc aria-256-cfb aria-256-cfb1 aria-256-cfb8
aria-256-ctr aria-256-ecb aria-256-ofb base64
bf bf-cbc bf-cfb bf-ecb
bf-ofb camellia-128-cbc camellia-128-ecb camellia-192-cbc
camellia-192-ecb camellia-256-cbc camellia-256-ecb cast
cast-cbc cast5-cbc cast5-cfb cast5-ecb
cast5-ofb des des-cbc des-cfb
des-ecb des-ede des-ede-cbc des-ede-cfb
des-ede-ofb des-ede3 des-ede3-cbc des-ede3-cfb
des-ede3-ofb des-ofb des3 desx
idea idea-cbc idea-cfb idea-ecb
idea-ofb rc2 rc2-40-cbc rc2-64-cbc
rc2-cbc rc2-cfb rc2-ecb rc2-ofb
rc4 rc4-40 seed seed-cbc
seed-cfb seed-ecb seed-ofb sm4-cbc
sm4-cfb sm4-ctr sm4-ecb sm4-ofb
具体某一个工具的帮助:
root@ openssl enc -help
加密
aes-128-ecb加密
加密
echo hello >>test.txt
openssl enc -e -aes-128-ecb -in test.txt -out enc_test.txt -pass pass:123
- e:加密;d: 解密;
- aes-128-ecb:aes加密,加密的秘钥长度是128bit,加密模式采用ecb模式;
- in/out: 输入/输出文本
- pass:加密密码,真实的密码是在
pass:后的字符
加密后的结果:
Salted__+□□¶□ڨ<□♣□1?S□↕□□I☻0□cp
解密
openssl enc -d -aes-128-ecb -in enc_test.txt -out decrypt_test.txt -pass pass:123
加密+base64编码
openssl enc -e -aes-128-ecb -base64 -in test.txt -out enc_test.txt -pass pass:123 -p
- p:是打印加密时的密文、盐值和初始化向量等信息。
上述命令执行后,打印出以下信息:
salt=225FD3B76BD6D783
key=C46F6DE636A12D8096B110D12C27EE98
- salt:当前加密的盐值。有了这个盐值后,多次对相同密文使用相同密码加密的密文都不同。
- key:由盐值和密码派生出来实际用于加密的秘钥。秘钥的长度与分组长度相同,均为128bits。
加密后的结果:
U2FsdGVkX18F8pAVPvcIbYUgFYDBZtKGEKSvOwRqloY=
解密+base64编码
使用base64进行编码,在解密时也需要告知base64编码的。
openssl enc -d -aes-128-ecb -base64 -in enc_test.txt -out decrypt_test.txt -pass pass:123
若加密时,采用base64编码,解密时未指定,将会出现下面的错误:
bad decrypt
34359836736:error:0606506D:digital envelope routines:EVP_DecryptFinal_ex:wrong final block length:crypto/evp/evp_enc.c:572:
加密不带盐值
不带盐值,ECB模式对相同明文的多次加密后的密文就是相同。大家可以使用下面的命令多次重复加密相同的明文,再用前面的带盐值的命令加密进行对比。
openssl enc -e -aes-128-ecb -in test.txt -out enc_test.txt -pass pass:123 -nosalt -base64 -p
- nosalt:不加入盐值。这就会造成多次加密后的密文是相同的。
上述命令执行后,打印出以下信息:
salt=225FD3B76BD6D783
key=A665A45920422F9D417E4867EFDC4FB8
解密不带盐值
openssl enc -d -aes-128-ecb -in enc_test.txt -out decrypt_test.txt -pass pass:123 -nosalt -base64 -p
解密时,也许指定不带盐值,否则报告下面的错误。
bad magic number
aes-128-cbc加密
加密
openssl enc -e -aes-128-cbc -in test.txt -out enc_test.txt -pass pass:123 -nosalt -base64 -p
上述命令执行后,打印出以下信息:
key=A665A45920422F9D417E4867EFDC4FB8
iv =A04A1F3FFF1FA07E998E86F7F7A27AE3
- iv:即为CBC模式的初始化向量值。这个初始化向量可以人工指定,也可以采用随机生成,也可以有OpenSSL自动生成。
解密
openssl enc -d -aes-128-cbc -in enc_test.txt -out decrypt_test.txt -pass pass:123 -nosalt -base64 -p
aes-128-ctr加密
该加密模式,分块的末块长度不足,无需填充。因此,待加密的明文数据量较少时,加密后的密文数据量也较少。
加密
openssl enc -e -aes-128-ctr -in test.txt -out enc_test.txt -pass pass:123 -nosalt -base64 -p
上述命令执行后,打印出以下信息:
key=A665A45920422F9D417E4867EFDC4FB8
iv =A04A1F3FFF1FA07E998E86F7F7A27AE3
解密
openssl enc -d -aes-128-ctr -in enc_test.txt -out decrypt_test.txt -pass pass:123 -nosalt -base64 -p
散列函数和消息验证码
散列函数
MD5
root@ openssl dgst -md5 test.txt
MD5(test.txt)= de1ec876fbb738255aa58bdb775d93c2
SHA256
root@ openssl dgst -sha256 test.txt
SHA256(test.txt)= ec58ec95a10466fa34edd4790dd822ab849b2562bfd700c53c31e2cf39dc695a
SHA3-256
root@ openssl dgst -sha3-256 test.txt
SHA3-256(test.txt)= af5b10d616cadd83f643d842e1c199d2d15c2800a8a8f5f19d1f259be92970c1
消息验证码
root@ openssl dgst -sha256 -hmac 123 test.txt
HMAC-SHA256(test.txt)= e5b12545e3f7e19b4f623ec70b110f70c65af7c7b8bc768663d5a27e33d332b3
公私钥生成
1. 生成私钥明文文件
root@ openssl genrsa -out self_private.pem 2048
- out: 输出的文件名。
- 2048:指的是私钥的长度,默认是2048bits。最短:512,最长16384。不建议太长,也不建议太短。太短,秘钥安全等级不够;太长生成秘钥的时间很长,更别说用于加解密了。使用默认值2048即可,不填写时就是默认2048bits。
生成的私钥文件内容如下:
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAxby5Z/WPn0SoKl6R+Wh9Og/FGc0S5Mek7Bd5Z7VqAtEuqYt5
tVWv76Gqmv5hGKAcHt2SCUpyxHYhTaXQug0TJfuJHK5tuUxwkblznUpbRgp2PK9k
...
3HgG4jZXSAw9kW4hJFkMHuEKciL/G2VBjmERc0ew/C7xjKoC4cBQrfHqx2hzPKnw
M/2El4Erby8O//J+tgk9c2zEtK19MIUwUstt03z9JgdsBZZjbmRj
-----END RSA PRIVATE KEY-----
2. 查看明文私钥内容
openssl rsa -in self_private.pem -text
- text:表示将输入的文件信息以文本方式呈现。
输出内容如下,作者未对每个参数的用途做深入研究,感兴趣的读者可以从其他途径进一步了解:
RSA Private-Key: (2048 bit, 2 primes)
modulus:00:c5:bc:b9:67:f5:8f:9f:44:a8:2a:5e:91:f9:68:...e6:ce:69:e4:79:7e:87:ed:c6:c2:5b:6b:9e:69:41:78:2d
publicExponent: 65537 (0x10001)
privateExponent:70:59:0e:2e:d7:02:c7:47:47:14:eb:ae:9c:ba:95:...55:3b:53:90:42:6f:77:2a:31:c3:5a:04:9c:7b:ce:b1
prime1:00:f5:9f:0f:67:97:5b:73:0b:cd:c6:ff:04:c0:93:...89:14:b8:f2:23:8b:54:63:4b:b7:23:7a:7e:88:ac:8b:0b:7c:b2:eb:5f:c9:1b:af
prime2:00:ce:17:b0:e4:1c:5a:c7:a5:77:59:2e:c6:bf:03:... 7d:83:a9:17:1f:d8:d2:f5:1c:1a:9d:ef:a4:1e:de:7e:f2:34:78:04:dc:4f:d4:e3
exponent1:28:33:f3:ca:89:ec:af:05:04:96:88:d1:57:50:06:...c7:36:8a:73:a4:ef:98:1d:21:89:ce:17:fd:f8:f7:fd:56:58:d6:cb:e3:d8:03
exponent2:1c:22:a9:d8:8a:72:6e:3d:0d:ad:14:30:b7:d5:13:...3d:1b:31:77:fc:8e:d8:3d:8c:f8:b0:c5:94:1d:45:f1:64:ee:59:a3:86:16:87
coefficient:00:96:a3:ee:9e:3e:1c:93:00:20:d7:f4:9f:35:8e:...73:6c:c4:b4:ad:7d:30:85:30:52:cb:6d:d3:7c:fd:26:07:6c:05:96:63:6e:64:63
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAxby5Z/WPn0SoKl6R+Wh9Og/FGc0S5Mek7Bd5Z7VqAtEuqYt5
tVWv76Gqmv5hGKAcHt2SCUpyxHYhTaXQug0TJfuJHK5tuUxwkblznUpbRgp2PK9k
...
3HgG4jZXSAw9kW4hJFkMHuEKciL/G2VBjmERc0ew/C7xjKoC4cBQrfHqx2hzPKnw
M/2El4Erby8O//J+tgk9c2zEtK19MIUwUstt03z9JgdsBZZjbmRj
-----END RSA PRIVATE KEY-----
3. 从私钥文件中提取公钥
注:从原理上是不能从公钥中提取私钥信息的。
openssl rsa -pubout -in self_private.pem -out self_public.pem
- pubout:表示输出的是公钥信息
生成的公钥文件内容如下:
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxby5Z/WPn0SoKl6R+Wh9
...
N2qaDYc7XCg4QRotKTb0DP9c7cmTle+88OCYUrK1CZPmzmnkeX6H7cbCW2ueaUF4
LQIDAQAB
-----END PUBLIC KEY-----
4. 查看明文公钥内容
openssl rsa -pubin -in self_public.pem -text
- pubin:表示输入是公钥文件
输出内容如下:
RSA Public-Key: (2048 bit)
Modulus:00:c5:bc:b9:67:f5:8f:9f:44:a8:2a:5e:91:f9:68:...e6:ce:69:e4:79:7e:87:ed:c6:c2:5b:6b:9e:69:41:78:2d
Exponent: 65537 (0x10001)
writing RSA key
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxby5Z/WPn0SoKl6R+Wh9
...
N2qaDYc7XCg4QRotKTb0DP9c7cmTle+88OCYUrK1CZPmzmnkeX6H7cbCW2ueaUF4
LQIDAQAB
-----END PUBLIC KEY-----
5. 生成私钥密文文件
openssl genrsa -aes-128-cbc -passout pass:123 -out self_private.pem 2048
- aes-128-cbc:对私钥的加密的算法。
- passout:加密的密码。一定要以
pass:开头,123:才是密码。
生成的私钥密文文件内容如下,输出内容中有表明该私钥文件时已经加密过:
-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIFNTBfBgkqhkiG9w0BBQ0wUjAxBgkqhkiG9w0BBQwwJAQQYxNNgN4T33Kab8LP
...
DwlZu+UpVvxWIqZ71uEmO4zuMMrq+AAGKYP9tT6dexZ1d8dXkfhqAlXRfPrF84h
UFNSLz4or3kBL0SLsZfdGkNlC04OY+FfIvspn+w6KJmk7MY9Uc6bN6A=
-----END ENCRYPTED PRIVATE KEY-----
6. 解密私钥密文文件
openssl rsa -passin pass:123 -in self_private.pem -out decrypt.pem
解密后的明文私钥:
-----BEGIN PRIVATE KEY-----
MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQC2bzXPBenjjFqb
...
24JN99YfT3Ib/cTiY9gTaQ0yFMng6zpGu47NiL4F1x1TQsWt/v2edMa5d+MaLFyX
HiF54f/y8YemhZp6fp5MSIyC
-----END PRIVATE KEY-----
直接从私钥密文文件提取公钥:
openssl rsa -passin pass:123 -pubout -in self_private.pem -out self_public.pem
7. 校验私钥文件秘钥对匹配
root@ openssl rsa -check -in self_private.pem -passin pass:123 -noout
RSA key ok
- check:校验私钥文件
- noout:不输出秘钥信息
8. 比较私钥文件中的公钥信息和公钥文件中的公钥信息
从私钥文件中提取公钥,计算sha256值:
root@ openssl rsa -passin pass:123 -in self_private.pem -pubout | openssl sha256
writing RSA key
SHA2-256(stdin)= 56698700a3328d088755be4ebe9215dd847c44a4a77ad1ad8baf96b5045f24cf
提取公钥文件公钥,计算公钥的sha256值:
root@ openssl rsa -pubin -in self_public.pem -pubout | openssl sha256
writing RSA key
SHA2-256(stdin)= 56698700a3328d088755be4ebe9215dd847c44a4a77ad1ad8baf96b5045f24cf
或者,直接计算公钥文件的sha256值:
root@ openssl sha256 self_public.pem
SHA2-256(self_public.pem)= 56698700a3328d088755be4ebe9215dd847c44a4a77ad1ad8baf96b5045f24cf
公私钥加解密
公钥加密
openssl pkeyutl -encrypt -pubin -inkey self_public.pem -in test.txt -out encrypt_test.txt
- encrypt:加密。
- pubin:输入是公钥
- inkey:因为pubin是表示公钥,此处传入的就是公钥文件
私钥解密
因为私钥文件是密文,因此需要包含 -passin pass:123来对密文的私钥解密。
openssl pkeyutl -decrypt -inkey self_private.pem -passin pass:123 -in encrypt_test.txt -out decrypt_test.txt
- decrypt:解密。
- inkey:因为没有指定是公钥,此处就默认是私钥文件。
私钥签名,公钥验签
私钥签名
openssl pkeyutl -sign -inkey self_private.pem -passin pass:123 -digest sha256 -rawin -in test.txt -out sign_test.txt -hexdump
- sign:签名
- digest:签名时所用的Hash函数,且限制输入文件为raw类型。
- rawin:指示raw类型的文件输入。未经过压缩处理的,即原生的。所有文件都可以认为是原始文件。
- hexdump:十六进制打印输出。在生成签名文件时,需要去掉,否则在验签时无法验证通过。
等效命令如下:
openssl dgst -sha256 -sign self_private.pem -passin pass:123 -out sign_test.txt -hex test.txt
打印输出签名文件内容如下:
root@ cat sign_test.txt
}□□♠□□□□▲□□N□□□.□OF□□-□□□♣G□□□☺□*►↕□□
$m□q□□c□♥8~ǕuxO□□□□□□ □R□♥,□□□H□%☼□E□̆□□W<_♫>□↑d□∟{□[□□□TL☻□□□□B□>□►|■q□8
□□□□□□□♠գPp□j3☺q□□□□□D
□▲□J|□□□^#□□i□↨͓1Ӌо□♠□JI9□g□\□p↨□□►□♦§˜□"□☻O□□<□2#8□□UΞI→Π□Ϙh□□?'3□l□h□□
□►□i□□□-□)`□v□□M□ꦿ
按照十六进制输出如下:
root@ cat sign_test.txt
0000 - 7d e4 af 06 bf dd e9 98-1e f9 c1 4e 96 bf d8 2e }..........N....
0010 - e0 4f 46 8c 92 2d 98 b0-90 05 47 83 e6 9c 01 b7 .OF..-....G.....
0020 - 2a 10 12 9e df 1b 45 24-6d f2 71 95 d6 63 e6 03 *.....E$m.q..c..
0030 - 38 7e c7 95 75 78 4f 9c-e6 8b e6 95 d0 20 b6 52 8~..uxO...... .R
0040 - f5 03 2c be 88 c9 48 80-25 0f ff 45 f5 cc 86 a1 ..,...H.%..E....
0050 - bd 57 3c 5f 0e 3e b2 18-64 fa 1c 7b a4 5b ba 8e .W<_.>..d..{.[..
0060 - df 54 4c 02 c0 a3 b2 85-42 c5 3e 86 10 7c 16 71 .TL.....B.>..|.q
0070 - 8a 38 aa 90 72 05 fa 41-f9 04 cc 6a 1f d8 4e 9c .8..r..A...j..N.
0080 - c8 41 97 c4 f5 f2 b0 44-0d ad 9e c6 e3 f9 8f a6 .A.....D........
0090 - 06 d5 a3 50 70 98 6a 33-01 71 0a b7 1e b1 4a 7c ...Pp.j3.q....J|
00a0 - a2 dd df 5e 23 94 b7 69-c3 17 cd 93 31 d3 8b d0 ...^#..i....1...
00b0 - be bb 06 dd 4a 49 39 df-67 d0 5c d3 70 17 bd d8 ....JI9.g.\.p...
00c0 - 10 b2 04 00 15 c2 98 eb-22 f5 02 4f b6 a7 3c f9 ........"..O..<.
00d0 - 32 23 38 8e db 55 ce 9e-49 1a ce a0 ab cf 98 68 2#8..U..I......h
00e0 - 94 bc 3f 27 33 99 6c c2-68 ba 9a fa 10 f6 69 8d ..?'3.l.h.....i.
00f0 - b1 f7 2d cb 29 60 a9 76-d8 dd 4d b7 ea a6 bf d8 ..-.)`.v..M.....
公钥验签
root@ openssl pkeyutl -verify -pubin -inkey self_public.pem -rawin -in test.txt -sigfile sign_test.txt
Signature Verified Successfully
等效命令如下:
root@ openssl dgst -verify self_public.pem -signature sign_test.txt test.txt
Verified OK
身份证书
1. 生成证书签名请求文件
a. 生成一对公私钥
openssl genrsa -aes-128-cbc -passout pass:123 -out self_private.pem 2048
openssl rsa -pubout -passin pass:123 -in self_private.pem -out self_public.pem
私钥文件:self_private.pem
公钥文件:self_public.pem
b. 基于公私钥生成签名请求
openssl req -new -key self_private.pem -passin pass:123 -subj "/CN=*example.com/O=Test, Inc./C=CN/ST=Sichuan/L=Chengdu" -out self_csr.pem
- req:签名请求命令
- key:私钥文件
- subj:主体信息,主要包含以下信息:
- C:国家代码(Country Name),此处填写:中国CN。
- ST:省份或州(State or Province Name),此处填写:Sichuan。
- L:城市或地区(Locality Name),此处填写:Chengdu。
- O:组织名称(Organization Name),此处填写Test, Inc.公司。
- OU:组织单位名称(Organizational Unit Name),表示组织内部的部门或单位。一般可不填写。
- CN:通用名称(Common Name),对于服务器证书,这通常是服务器的域名或IP地址,此处填写*example.com网址;对于个人证书,这通常是证书持有者的姓名或别名。
签名请求文件原始信息如下:
-----BEGIN CERTIFICATE REQUEST-----
MIICojCCAYoCAQAwXTEVMBMGA1UEAwwMKmV4YW1wbGUuY29tMRMwEQYDVQQKDApU
...
HIFgyPBTc0gUXvHCLqoseVXuUUeOL6zThgQOCWj9WP2XgCyzY/Gqzbq003aBa58a
9Ov/84+n
-----END CERTIFICATE REQUEST-----
通过下列的命令,可以查看签名请求文件信息:
openssl req -in self_csr.pem -noout -text
输出内容如下:
Certificate Request:Data:Version: 1 (0x0)# 主体信息Subject: CN=*example.com, O=Test, Inc., C=CN, ST=Sichuan, L=Chengdu# 主体的公钥信息Subject Public Key Info:Public Key Algorithm: rsaEncryptionPublic-Key: (2048 bit)Modulus:00:e4:cf:dc:1f:35:5f:58:c0:1b:1c:b3:7d:ff:fe:...97:88:fc:5a:65:00:2f:28:78:03:5a:65:89:8d:ee:ea:efExponent: 65537 (0x10001)Attributes:(none)Requested Extensions:# 对签名请求信息的签名算法和签名值Signature Algorithm: sha256WithRSAEncryption Signature Value:cb:bd:2b:71:ff:2f:f4:f3:e0:ec:7c:4d:e0:13:e1:72:54:fd:...97:80:2c:b3:63:f1:aa:cd:ba:b4:d3:76:81:6b:9f:1a:f4:eb:ff:f3:8f:a7
c. 一步生成签名请求
生成私钥的同时也生成签名请求文件。
openssl req -new -newkey rsa:2048 -passout pass:123 -subj "/CN=*example.com/O=Test, Inc./C=CN/ST=Sichuan/L=Chengdu" -keyout self_private.pem -out self_csr.pem
- newkey:生成私钥,rsa算法,2048bits的秘钥长度。
d. 校验签名请求文件
root@ openssl req -verify -in self_csr.pem -key self_private.pem -passin pass:123 -noout
Warning: Not placing -key in cert or request since request is used
Certificate request self-signature verify OK
2. 证书颁发机构签名身份证书
a. 证书机构生成自签名的根证书
生成根私钥和证书签名请求文件
openssl req -new -newkey rsa:2048 -passout pass:123 -subj "/CN=*root_cert.com/O=root_cert.Inc./C=CN/ST=Sichuan/L=Chengdu" -keyout root_private.pem -out root_csr.pem
- 根私钥文件:root_private.pem
- 根证书请求文件:root_csr.pem
自签发根证书
openssl x509 -req -days 3650 -in root_csr.pem -signkey root_private.pem -passin pass:123 -out root_cert.pem -extensions v3_ca -extfile <(cat <<-EOF
[v3_ca]
basicConstraints = critical,CA:true
keyUsage = critical, keyCertSign, cRLSign
EOF
)
Certificate request self-signature ok
subject=CN=*root_cert.com, O=root_cert.Inc., C=CN, ST=Sichuan, L=Chengdu
- x509:是一个标准协议,此处是满足协议的x509命令。
自签发的证书内容如下:
root@ cat root_cert.pem
-----BEGIN CERTIFICATE-----
MIIDdTCCAl2gAwIBAgIUAKR3xmTKbjm9lW13Zq8QUFIWNaAwDQYJKoZIhvcNAQEL
...
C6FBSwbFbI8hh+GrpPeydvM9s1UtgYGo0Y7ngvMPNyOo5viz5cbDLQ4nL224i2Ii
MP9FXzU9ETlolRBau6h/IF8H4Rp3xwrMSw==
-----END CERTIFICATE-----
利用如下命令查看根证书:
openssl x509 -in root_cert.pem -noout -text
Certificate: Data: Version: 3 (0x2) Serial Number: 68:08:bc:c3:99:19:45:37:57:0a:99:34:99:72:37:0e:b4:16:da:05 Signature Algorithm: sha256WithRSAEncryption Issuer: CN=*root_cert.com, O=root_cert.Inc., C=CN, ST=Sichuan, L=Chengdu Validity Not Before: Nov 25 16:45:39 2024 GMT Not After : Nov 23 16:45:39 2034 GMT Subject: CN=*root_cert.com, O=root_cert.Inc., C=CN, ST=Sichuan, L=Chengdu Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit) Modulus: 00:e0:f9:37:a9:c9:ff:2c:8b:a9:fb:76:4c:7a:d4: ...94:70:00:09:1b:b2:4b:e6:10:68:ad:c3:cb:67:ff: 52:9d Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Basic Constraints: critical CA:TRUE # 证书机构颁发的证书 X509v3 Key Usage: critical Certificate Sign, CRL Sign # 证书签名,证书吊销列表签名 X509v3 Subject Key Identifier: 52:56:00:0C:28:98:26:2E:56:70:7E:84:62:7B:A2:81:95:2E:C9:50 Signature Algorithm: sha256WithRSAEncryption Signature Value: 29:e1:51:8d:9a:c0:56:c3:e8:5c:12:15:08:30:75:06:b3:17: 18:d8:89:6b:2b:4d:87:d7:34:3f:99:09:ba:28:e9:91:e0:13: ...04:c6:b9:3e
b. 利用自签发的根证书,签发其他实体组织的证书签名
openssl x509 -req -days 180 -CA root_cert.pem -CAkey root_private.pem -passin pass:123 -in self_csr.pem -out self_cert.pem -CAcreateserial -extfile <(cat <<-EOF
[v3_server]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
)
Certificate request self-signature ok # 表明签名请求信息时自签名,且状态OK。
subject=CN=*example.com, O=Test, Inc., C=CN, ST=Sichuan, L=Chengdu
查看身份证书信息
openssl x509 -in self_cert.pem -noout -text
Certificate: Data: Version: 3 (0x2) Serial Number: 71:32:19:0a:09:10:b6:a9:a0:b8:3e:65:3d:59:7f:0e:18:a2:cd:cd Signature Algorithm: sha256WithRSAEncryption Issuer: CN=*root_cert.com, O=root_cert.Inc., C=CN, ST=Sichuan, L=Chengdu # 签发机构信息 Validity Not Before: Nov 24 15:15:53 2024 GMT Not After : May 23 15:15:53 2025 GMT Subject: CN=*example.com, O=Test, Inc., C=CN, ST=Sichuan, L=Chengdu Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit) Modulus: 00:e2:48:5a:74:18:7d:80:e8:5c:4a:99:bd:f8:76: 97:a0:e7:48:d9:15:27:7f:40:6a:ca:da:16:00:b2: ...dd:10:41:ca:18:49:38:2f:22:cb:05:11:ae:b6:a8: 68:e9 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Subject Key Identifier: 5C:8C:46:0E:B8:6D:49:E5:EE:A8:6E:92:90:84:10:E9:C3:A2:E0:E7 X509v3 Authority Key Identifier: CA:D1:4A:2A:47:A6:CF:9F:96:C3:26:C9:B6:52:AF:6C:7E:DA:56:E1 Signature Algorithm: sha256WithRSAEncryption Signature Value: 05:dd:8b:60:a1:e5:80:82:fc:63:e0:20:a9:37:b4:62:b2:23: ... dc:5f:db:81:c2:9e:23:35:32:0c:31:f1:c1:18:43:ac:ff:9c: 56:93:32:40
c. 验证身份信息
openssl verify -CAfile root_cert.pem self_cert.pem
验证成功,输出如下内容:
self_cert.pem: OK
如果在签发证书时,未提供扩展信息字段内容,将出现下面的错误:
CN=*root_cert.com, O=root_cert.Inc., C=CN, ST=Sichuan, L=Chengdu
error 18 at 0 depth lookup: self-signed certificate
error root_cert.pem: verification failed
CN=*example.com, O=Test, Inc., C=CN, ST=Sichuan, L=Chengdu
error 20 at 0 depth lookup: unable to get local issuer certificate
error self_cert.pem: verification failed
