一、安装
1.yum install openssl
二、使用
1.#openssl RSA
//生成私钥(未指定加密选项时,私钥以未加密形式写入文件,需限制该文件的访问权限)
openssl genrsa -out rsa_private.key 2048
//导出公钥
openssl rsa -in rsa_private.key -out rsa_public.key -pubout
//私钥PKCS#8编码(-nocrypt 表示输出的私钥不加密,输出文件同样需要限制访问权限)
openssl pkcs8 -topk8 -in rsa_private.key -out pkcs8_rsa_private_key.pem -nocrypt
//生成自签名证书
openssl req -new -x509 -days 365 -key rsa_private.key -out client.crt
// x.509 DER(二进制)后缀.der .cer .crt ==> x.509 PEM(Base64)后缀.pem .cer .crt
openssl x509 -in cert.cer -inform DER -outform PEM -out cert.pem
//生成含有私钥的证书pkcs12(执行时会提示设置导出口令,该口令用于保护文件中的私钥)
openssl pkcs12 -export -name myclientcert -in client.crt -inkey rsa_private.key -out client.p12
2.#openssl ECC
openssl ecparam -out EccCA.key -name prime256v1 -genkey
openssl req -key EccCA.key -new -out EccCA.req
#openssl req -config openssl.cnf -key EccCA.key -new -out EccCA.req
openssl x509 -req -in EccCA.req -signkey EccCA.key -out EccCA.pem
3.查看证书内容:
openssl x509 -in user.crt -text -noout
4. 证书校验及分析
4.1 通过-CApath(推荐):目录中的CA证书需以"主题哈希值.0"命名,openssl才能按哈希找到;该目录下按此规则命名的证书都会被当作受信任的CA,因此目录应只允许管理员写入
> openssl x509 -hash -in ca.example.com-cert.pem -noout
bc4f7d07
> sudo cp ca.example.com-cert.pem bc4f7d07.0
> export capath=$PWD
#此时可以验证ca.example.com-cert.pem是自签名的。
> openssl verify -CApath . ca.example.com-cert.pem
>ca.example.com-cert.pem: OK
#验证ca.example.com-cert 签发的其它的证书
> openssl verify -CApath . casign.example.com-cert.pem
>casign.example.com-cert.pem: OK
4.2 通过-CAfile
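#用-CAfile直接指定受信任的CA证书文件,无需按哈希重命名,例如:
> openssl verify -CAfile ca.example.com-cert.pem casign.example.com-cert.pem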