Common OpenSSL commands

Applying for a certificate

# Quick check of the certificate a live HTTPS server presents (s_client is covered in the testing section below)
> openssl s_client -connect xingren.com:443

SSL/TLS is used for authentication and for encrypting data in transit. To use it, a service needs its own certificate. Publicly trusted certificates are obtained from commercial certificate authorities (such as VeriSign), which charge for them. Sometimes all you want is encrypted communication between parties you control and you don't need a public CA's endorsement; in that case you can make the certificate yourself. There are two ways to do that: a self-signed certificate, or setting up your own CA and having that CA issue the certificates you need. Both are described below.

Generate Self Signed Certificate

# Generate an RSA private key. With -des3 openssl encrypts the key and asks for a passphrase
# (leave -des3 out if you want an unencrypted key). A passphrase-protected key must be unlocked
# every time it is used, but for security it is the safer choice.
> openssl genrsa -des3 -out selfsign.key 4096

# Use the key to generate a certificate signing request (CSR).
# If the key is passphrase-protected, openssl asks for the passphrase first, then a series of questions.
# The Common Name (CN) is the most important one: it names what the certificate represents, so for a
# website certificate use the site's domain name. Note that modern browsers ignore the CN and match the
# host name against the subjectAltName extension, which this interactive command does not add.
> openssl req -new -key selfsign.key -out selfsign.csr

# Generate the self-signed certificate; selfsign.crt is the certificate
> openssl x509 -req -days 365 -in selfsign.csr -signkey selfsign.key -out selfsign.crt

# A simpler alternative: generate the key and certificate in one step (-nodes leaves the key unencrypted)
> openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout privateKey.key -out certificate.crt
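The one-step form above produces a certificate without a subjectAltName, which browsers will reject. The following script is an added example, not part of the original article: it generates a self-signed certificate that carries a SAN via a small req config, shows that plain `openssl verify` rejects it until it is supplied as its own trust anchor, and checks that the SAN actually landed in the certificate. It assumes OpenSSL 1.1.1 or later on PATH; the hostname "example.test" is made up.

```shell
#!/bin/sh
# Added example (not from the original article): self-signed certificate with a SAN,
# verified as its own trust anchor. Assumes OpenSSL 1.1.1+; "example.test" is made up.

self_signed_with_san() {
    host="$1"
    dir=$(mktemp -d) || return 1
    # Minimal req config: no interactive prompts; x509_extensions is what
    # `req -x509` writes into the certificate.
    cat > "$dir/req.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3
[dn]
CN = $host
[v3]
subjectAltName = DNS:$host, DNS:www.$host
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
EOF
    # Key and certificate in one step (-nodes: unencrypted key, demo only).
    openssl req -x509 -nodes -days 365 -newkey rsa:2048 -config "$dir/req.cnf" \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" >/dev/null 2>&1 || return 1
    chmod 600 "$dir/key.pem"
    # Plain `openssl verify` fails ("self signed certificate"): nothing trusts it yet.
    if openssl verify "$dir/cert.pem" >/dev/null 2>&1; then return 1; fi
    # It verifies once it is supplied as its own trust anchor.
    openssl verify -CAfile "$dir/cert.pem" "$dir/cert.pem" >/dev/null 2>&1 || return 1
    # The SAN must be in the certificate; browsers match the host against it, not the CN.
    openssl x509 -noout -text -in "$dir/cert.pem" | grep -q "DNS:$host" || return 1
    echo "$dir"
}

# Usage: generate, show the subject, clean up.
d=$(self_signed_with_san example.test) && {
    openssl x509 -noout -subject -in "$d/cert.pem"
    rm -rf "$d"
}
```

The function prints the directory holding key.pem and cert.pem and returns non-zero if any step, including the two verification checks, does not behave as described.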

Generate your own CA (Certificate Authority)

A CA is an issuer of certificates: it can sign certificates for others. Once the CA's certificate is added to a system's trusted root store, every certificate that CA issues is trusted by that system. The CA's private key must therefore be protected carefully: keep it encrypted with a passphrase and readable and writable only by root.

# Generate the CA key
> openssl genrsa -des3 -out ca.key 4096

# Generate the self-signed CA certificate (the default openssl.cnf marks it CA:TRUE)
> openssl req -new -x509 -days 365 -key ca.key -out ca.crt

# Generating our own key and CSR works the same as in the self-signed case above
> openssl genrsa -des3 -out myserver.key 4096
> openssl req -new -key myserver.key -out myserver.csr

# Sign our CSR with the CA's certificate and key to produce our certificate.
# -set_serial sets the certificate's serial number. Every certificate a CA issues must carry a
# unique serial, so when you re-issue (after the 365 days expire, or because the key leaked)
# increment it; -CAcreateserial keeps a counter in ca.srl so you don't have to track it by hand.
# Note that x509 -req copies no extensions from the CSR: a subjectAltName must be supplied with -extfile.
> openssl x509 -req -days 365 -in myserver.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out myserver.crt
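The procedure above, carried through end to end, as an added example that is not part of the original article: a throw-away private CA issues a server certificate with the extensions a modern client expects (SAN, CA:FALSE, key usages), and the result is checked both ways, chaining to the issuing CA and failing against an unrelated one. One config file serves the CA certificate, the CSR and the extensions applied at signing time. It assumes OpenSSL 1.1.1 or later; "Demo Root CA", "Other CA" and "srv.example.test" are made-up names.

```shell
#!/bin/sh
# Added example (not from the original article): private CA + issued server cert,
# with a positive and a negative chain check. Assumes OpenSSL 1.1.1+; all names made up.

make_ca_and_leaf() {
    leaf="$1"
    dir=$(mktemp -d) || return 1
    cat > "$dir/pki.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = ca_ext
[dn]
CN = Demo Root CA
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[leaf_ext]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$leaf
EOF
    # 1. CA key + self-signed CA certificate (-nodes only because this is a demo;
    #    a real CA key stays passphrase-protected).
    openssl req -x509 -nodes -days 365 -newkey rsa:2048 -config "$dir/pki.cnf" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" >/dev/null 2>&1 || return 1
    # 2. Server key + CSR; -subj overrides the CN from the config.
    openssl req -new -nodes -newkey rsa:2048 -config "$dir/pki.cnf" -subj "/CN=$leaf" \
        -keyout "$dir/srv.key" -out "$dir/srv.csr" >/dev/null 2>&1 || return 1
    # 3. Sign. `x509 -req` copies nothing from the CSR, so SAN and usages come from
    #    -extfile/-extensions; -CAcreateserial maintains ca.srl for unique serials.
    openssl x509 -req -days 365 -in "$dir/srv.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -extfile "$dir/pki.cnf" -extensions leaf_ext \
        -out "$dir/srv.crt" >/dev/null 2>&1 || return 1
    # 4. The leaf must chain to this CA ...
    openssl verify -CAfile "$dir/ca.crt" "$dir/srv.crt" >/dev/null 2>&1 || return 1
    # ... and must not chain to an unrelated CA.
    openssl req -x509 -nodes -days 1 -newkey rsa:2048 -config "$dir/pki.cnf" -subj "/CN=Other CA" \
        -keyout "$dir/other.key" -out "$dir/other.crt" >/dev/null 2>&1 || return 1
    if openssl verify -CAfile "$dir/other.crt" "$dir/srv.crt" >/dev/null 2>&1; then return 1; fi
    echo "$dir"
}

# Usage: issue, show issuer and subject of the leaf, clean up.
d=$(make_ca_and_leaf srv.example.test) && {
    openssl x509 -noout -issuer -subject -in "$d/srv.crt"
    rm -rf "$d"
}
```

The negative check matters in practice: a verify that only ever succeeds tells you nothing about whether the trust anchor you passed is actually being used.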

View certificates

# View key information
> openssl rsa -noout -text -in myserver.key

# View CSR information
> openssl req -noout -text -in myserver.csr

# View certificate information
> openssl x509 -noout -text -in ca.crt

# Verify a certificate.
# This reports "self signed certificate" and fails, because the certificate is not in the system trust store;
# to verify a self-signed certificate, pass it as its own trust anchor with -CAfile selfsign.crt
> openssl verify selfsign.crt

# myserver.crt was issued by ca.crt, so this verification succeeds
> openssl verify -CAfile ca.crt myserver.crt

Remove the passphrase from a key

Entering the passphrase every time can be tedious, so the protection can be stripped from the key. The resulting file is plaintext: restrict its permissions (for example chmod 600) and never commit or ship it.

> openssl rsa -in myserver.key -out server.key.insecure

Converting between certificate formats

Certificates generally come in three formats:

  • PEM (.pem): Base64-encoded DER between BEGIN/END lines; everything generated by the commands above is in this format
  • DER (.cer .der): the raw binary encoding; common on Windows
  • PKCS#12 (.pfx .p12): a password-protected bundle of certificate(s) plus private key; common on Mac

# PEM to DER
> openssl x509 -outform der -in myserver.crt -out myserver.der

# DER to PEM
> openssl x509 -inform der -in myserver.cer -out myserver.pem

# PEM to PKCS#12 (bundles the key, our certificate and the CA certificate; openssl asks for an export password)
> openssl pkcs12 -export -out myserver.pfx -inkey myserver.key -in myserver.crt -certfile ca.crt

# PKCS#12 to PEM (-nodes writes the private key out unencrypted)
> openssl pkcs12 -in myserver.pfx -out myserver2.pem -nodes
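A conversion that silently mangles a certificate is hard to spot by eye, so the check a practitioner wants is a fingerprint comparison before and after. The following is an added example, not part of the original article: it pushes one certificate through PEM to DER to PEM and through PEM to PKCS#12 to PEM and asserts that the SHA-256 fingerprint is unchanged at every hop. It assumes OpenSSL 1.1.1 or later with the standard openssl.cnf installed; "conv.example.test" and the export password "demo" are made up.

```shell
#!/bin/sh
# Added example (not from the original article): format round-trips checked by
# SHA-256 fingerprint. Assumes OpenSSL 1.1.1+; name and password are made up.

fingerprint() {
    # SHA-256 fingerprint of the (first) certificate in a PEM file, hex only.
    openssl x509 -noout -fingerprint -sha256 -in "$1" | cut -d= -f2
}

convert_roundtrip() {
    dir=$(mktemp -d) || return 1
    openssl req -x509 -nodes -days 1 -newkey rsa:2048 -subj "/CN=conv.example.test" \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" >/dev/null 2>&1 || return 1
    orig=$(fingerprint "$dir/cert.pem") || return 1

    # PEM -> DER -> PEM: pure re-encoding, the certificate bytes do not change.
    openssl x509 -outform der -in "$dir/cert.pem" -out "$dir/cert.der" || return 1
    openssl x509 -inform der -in "$dir/cert.der" -out "$dir/from_der.pem" || return 1
    [ "$(fingerprint "$dir/from_der.pem")" = "$orig" ] || return 1

    # PEM + key -> PKCS#12 -> PEM. The bundle contains the private key, so it is
    # password-protected; -nodes on the way back writes that key out unencrypted.
    openssl pkcs12 -export -inkey "$dir/key.pem" -in "$dir/cert.pem" \
        -passout pass:demo -out "$dir/bundle.p12" >/dev/null 2>&1 || return 1
    openssl pkcs12 -in "$dir/bundle.p12" -passin pass:demo -nodes \
        -out "$dir/from_p12.pem" >/dev/null 2>&1 || return 1
    # x509 skips the key block and reads the certificate that follows it.
    [ "$(fingerprint "$dir/from_p12.pem")" = "$orig" ] || return 1
    grep -q "PRIVATE KEY" "$dir/from_p12.pem" || return 1
    chmod 600 "$dir/from_p12.pem"   # the PEM now holds a plaintext key

    rm -rf "$dir"
    echo "$orig"
}

convert_roundtrip && echo "all conversions preserved the certificate"
```

The function prints the fingerprint on success and returns non-zero on the first hop that changes it.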

Testing certificates

OpenSSL ships simple client and server tools that can simulate an SSL/TLS connection for testing.

# Connect to a remote server
> openssl s_client -connect www.google.com.hk:443

# Simulated HTTPS service that returns a status page with OpenSSL connection details
# -accept specifies the port to listen on (ports below 1024 such as 443 need root; 4433 is the default)
# -cert and -key specify the certificate and key used to serve
> openssl s_server -accept 443 -cert myserver.crt -key myserver.key -www

# The certificate and key can be written to the same file
> cat myserver.crt myserver.key > myserver.pem
# and then passed as a single parameter
> openssl s_server -accept 443 -cert myserver.pem -www

# Save the certificate a server presents (add -showcerts to s_client to capture the whole chain, not just the leaf)
> openssl s_client -connect www.google.com.hk:443 </dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > remoteserver.pem
# Convert it to DER so it can be opened directly on Windows
> openssl x509 -outform der -in remoteserver.pem -out remoteserver.cer
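Pointing s_client at s_server only proves a handshake happens; the useful test is whether the client validated the certificate. The script below is an added example, not part of the original article: it runs s_server on a non-privileged loopback port, connects with s_client using only the server's own certificate as trust anchor, enforces host-name matching, and treats any verification error as failure. It assumes OpenSSL 1.1.1 or later with the standard openssl.cnf installed, a free TCP port (44330 by default, chosen arbitrarily), and the made-up hostname "local.example.test".

```shell
#!/bin/sh
# Added example (not from the original article): loopback TLS handshake with
# s_server/s_client, checking that the client really verified the server cert.
# Assumes OpenSSL 1.1.1+; port and hostname are made up.

loopback_handshake() {
    host="$1"; port="${2:-44330}"
    dir=$(mktemp -d) || return 1
    # Self-signed server cert with a SAN, so -verify_hostname has something to match.
    openssl req -x509 -nodes -days 1 -newkey rsa:2048 -subj "/CN=$host" \
        -addext "subjectAltName=DNS:$host" \
        -keyout "$dir/srv.key" -out "$dir/srv.crt" >/dev/null 2>&1 || return 1
    # Non-privileged port, so no root needed; -www serves a status page over HTTPS.
    openssl s_server -accept "$port" -cert "$dir/srv.crt" -key "$dir/srv.key" -www \
        >"$dir/server.log" 2>&1 &
    spid=$!
    # Poll until the listener answers (s_client fails fast on "connection refused").
    tries=0
    while ! openssl s_client -connect "127.0.0.1:$port" </dev/null >/dev/null 2>&1; do
        tries=$((tries + 1))
        if [ "$tries" -ge 20 ]; then kill "$spid" 2>/dev/null || true; return 1; fi
        sleep 1
    done
    # Client: trust only our cert, check the name, fail on any verification error.
    if out=$(openssl s_client -connect "127.0.0.1:$port" -servername "$host" \
                -CAfile "$dir/srv.crt" -verify_hostname "$host" -verify_return_error \
                </dev/null 2>&1); then
        status=0
    else
        status=1
    fi
    kill "$spid" 2>/dev/null || true
    wait "$spid" 2>/dev/null || true
    rm -rf "$dir"
    [ "$status" -eq 0 ] || return 1
    echo "$out" | grep -q "Verify return code: 0 (ok)" || return 1
    echo ok
}

loopback_handshake local.example.test && echo "client validated the server certificate"
```

Without -CAfile, -verify_hostname and -verify_return_error, s_client still completes the handshake and exits 0 while printing a non-zero "Verify return code", which is why a bare s_client connect is not a validation test.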

Calculate MD5 and SHA-1 digests

# MD5 digest
> openssl dgst -md5 filename

# SHA-1 digest
> openssl dgst -sha1 filename

# Neither MD5 nor SHA-1 is collision-resistant any more; for anything security-relevant use -sha256 instead

reference:
http://www.cnblogs.com/E7868A/archive/2012/11/16/2772240.html
