国密证书相关命令行操作

1、双证书签发

  • 先自己生成一个自签名证书代替根证书

    1、openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:sm2 -out rootCA.key	#使用sm2生成私钥
    2、openssl req -new -sm3 -key rootCA.key -out rootCA.req	-sigopt "distid:1234567812345678"	#创建证书请求
    3、openssl x509 -req -days 365 -sm3 -in rootCA.req -signkey rootCA.key -out rootCA.pem -vfyopt "distid:1234567812345678" -extfile v3.ext	#生成证书
    
    有两种方式实现扩展信息添加:
    1、利用配置文件及section: -extfile openssl.cnf -extensions v3_ca
    2、编写额外的扩展文件: -extfile v3.ext(文件中不用加[]头)。注意根证书与设备证书所需的扩展不同(CA:true 与 CA:FALSE),签发设备证书时 v3.ext 的内容应取 usr_cert 一节,不要直接复用根证书的扩展文件
    
    #自签名根证书(openssl 配置文件的注释符是 #,不能用 //,否则加载扩展时会报错)
    [ v3_ca ]
    subjectKeyIdentifier=hash
    authorityKeyIdentifier=keyid:always,issuer
    basicConstraints = critical,CA:true
    keyUsage = cRLSign, keyCertSign
    
    #暂时不用
    [ v3_req ]
    basicConstraints = CA:FALSE
    keyUsage = nonRepudiation, digitalSignature, keyEncipherment
    
    [ usr_cert ]
    basicConstraints=CA:FALSE
    #签名证书
    #keyUsage=digitalSignature, nonRepudiation
    #加密证书
    #keyUsage=keyEncipherment, dataEncipherment, keyAgreement
    #兼顾签名和加密
    #注意:双证书方案中签名证书与加密证书应分别使用上面两组keyUsage,合并后两张证书的用途无法区分,失去密钥分离的意义
    keyUsage=digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment, keyAgreement
    subjectKeyIdentifier=hash
    authorityKeyIdentifier=keyid,issuer
    
  • 创建设备签名证书:

    • 本地生成私钥,证书请求文件

      1、openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:sm2 -out 34010000001321035038_sign.pri	#使用sm2生成私钥
      2、openssl req -new -sm3 -key 34010000001321035038_sign.pri -out 34010000001321035038_sign.csr	-sigopt "distid:1234567812345678"	#创建证书请求
      
    • 使用根证书签发,获得签名证书

      1、openssl x509 -req -days 365 -in 34010000001321035038_sign.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out 34010000001321035038_sign.pem -sigopt "distid:1234567812345678" -vfyopt "distid:1234567812345678" -extfile v3.ext
      
  • 创建设备加密证书

    • 本地生成私钥,内部信息和上面请求文件中一致

      1、openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:sm2 -out 34010000001321035038_enc.pri	#使用sm2生成私钥
      2、openssl req -new -sm3 -key 34010000001321035038_enc.pri -out 34010000001321035038_enc.csr -sigopt "distid:1234567812345678"	#创建证书请求
      
    • 使用根证书签发,获得加密证书

      1、openssl x509 -req -days 365 -in 34010000001321035038_enc.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out 34010000001321035038_enc.pem -sigopt "distid:1234567812345678" -vfyopt "distid:1234567812345678" -extfile v3.ext
      
  • 同上面两个流程,创建平台的签名证书和加密证书

2、证书相关命令行操作:

证书格式转换
openssl x509 -in cert.pem -inform PEM -out cert.der -outform DER

证书或请求验证
openssl req -verify -in cert.csr -sm3 -vfyopt "distid:1234567812345678"
openssl verify -CAfile rootCA.pem  -vfyopt "distid:1234567812345678" cert.pem

从证书或私钥中导出sm2公钥
openssl x509 -outform PEM -in cert.pem -pubkey -out cert.pub(输出同时包含公钥和证书原文,只要公钥可再加 -noout)
openssl pkey -pubout -in cert.pri -out cert.pub
openssl ec -in cert.pri -pubout -out cert.pub  

公私钥自身格式转换(或者手动进行二进制文件和base64转换,需要加上头)
openssl pkey -in test.pri -inform pem -out test_pri.der -outform der
openssl pkcs8  -topk8 -inform DER -in test_pri.der -out test.pri -outform PEM -nocrypt(反过来) [-passout pass:11111111]加密(去掉-nocrypt即对私钥加密输出;口令直接写在命令行会留在shell历史和进程列表中,建议改用 -passout file:... 或 env:... 等方式传入)
openssl pkey -in test.pub -pubin -inform pem -out test_pub.der -outform der(反过来也可以)
或者直接查看
openssl pkey -in test.pri -text -inform DER
openssl pkey -in test.pub -pubin -text [-passin pass:11111111]
公私钥pkcs1到pkcs8互转(公钥一样,私钥不一样)
openssl pkcs8  -topk8 -inform DER -in test_pri.der -out test.pri -outform PEM -nocrypt
openssl ec -in enc.pri -out enc_pri.ec

证书或请求打印
openssl x509 -in cert.pem -noout -text
openssl req -in cert.csr -noout -text [-subject]

将证书转换成证书请求
openssl x509 -x509toreq -in cert.pem -out cert.csr -signkey cert.pri

sm2签名及验证
openssl dgst -sign s.pri -sm3 -sigopt "distid:1234567812345678" -out sign.txt file.txt 
openssl dgst -prverify s.pri -sm3 -sigopt "distid:1234567812345678" -signature sign.txt file.txt
openssl dgst -verify s.pub -sm3 -sigopt "distid:1234567812345678" -signature sign1.txt file.txt

openssl pkeyutl -sign -in file -inkey sm2.key -out sig -rawin -digest sm3 \
    -pkeyopt distid:someid
openssl pkeyutl -verify -certin -in file -inkey sm2.cert -sigfile sig \
    -rawin -digest sm3 -pkeyopt distid:someid

3、一般数字信封(非sm2数字信封)相关命令行操作:

加密生成p7文件(base64)
gmssl smime -encrypt -in outside_enc.pri -sms4-ecb -out output.enc outside_sign.pem
(示例用的是ECB模式,ECB不隐藏明文分组的重复且没有IV,实际使用应改为CBC等带IV的模式)

将p7文件格式转换为pem
openssl smime -in output.enc -pk7out -out output.pem

打印p7文件
openssl pkcs7 -in output.pem -text -print

解密p7文件
openssl smime -decrypt -in output.enc -out outside_enc.ori -inkey outside_sign.pri
