# Built-in reference material: the openssl(1) manual page plus the per-subcommand
# help screens. Each subcommand used in the sections below accepts -help.
man openssl
openssl genrsa -help
openssl rsa -help
openssl req -help
openssl genrsa:使用rsa算法生成私钥(包含私钥和公钥,扩展名.pem、.key)。
# Generate an RSA private key and print it to stdout (PEM).
openssl genrsa
# Generate an unencrypted (plaintext) private key, 2048 bits, written to plaint-private.pem.
openssl genrsa -out plaint-private.pem 2048
# Generate a private key encrypted with the named symmetric cipher. openssl prompts for a
# pass phrase after the command starts, and the same pass phrase is required every time
# the key is used afterwards.
# NOTE(review): -des (single DES) and -idea are legacy ciphers kept for compatibility;
# -aes256 is the sensible choice for new keys.
openssl genrsa -des -out passwd-private.pem 2048
openssl genrsa -des3 -out passwd-private.pem 2048
openssl genrsa -idea -out passwd-private.pem 2048
openssl genrsa -aes128 -out passwd-private.pem 2048
openssl genrsa -aes192 -out passwd-private.pem 2048
openssl genrsa -aes256 -out passwd-private.pem 2048
openssl genrsa -camellia128 -out passwd-private.pem 2048
openssl genrsa -camellia192 -out passwd-private.pem 2048
openssl genrsa -camellia256 -out passwd-private.pem 2048
# Pass phrase 123456 supplied on the command line; it can instead be read from a file
# with -passout file:pwd.txt. A pass: argument is visible in shell history and to ps on
# a shared host, so the file: (or env:) form is preferable outside of a demo.
openssl genrsa -aes192 -passout pass:123456 -out passwd-private.pem 2048
openssl genpkey:指定算法创建私钥(新命令,入参与genrsa相同,扩展名.pem、.key)
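# Generate an RSA private key and print it to stdout (PEM); the algorithm is always
# given explicitly with -algorithm.
openssl genpkey -algorithm rsa
# Unencrypted (plaintext) private key, 2048 bits, written to plaint-private.pem.
# genpkey takes no positional key-size argument (a trailing "2048" is rejected as an
# extra argument); the size is passed through -pkeyopt rsa_keygen_bits:2048.
openssl genpkey -algorithm rsa -pkeyopt rsa_keygen_bits:2048 -out plaint-private.pem
# Encrypted private key, pass phrase 123456 supplied on the command line. genpkey only
# encrypts the output when a cipher option is present; -pass alone is ignored and the key
# would be written in plaintext, hence -aes256. As with genrsa, a pass: argument is
# visible in shell history and to ps; -pass file:pwd.txt or env:VAR avoids that.
openssl genpkey -algorithm rsa -pkeyopt rsa_keygen_bits:2048 -aes256 -pass pass:123456 -out passwd-private.pem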
openssl rsa:rsa密钥管理(公钥、私钥,扩展名.pem、.key)
# Extract the public key from an unencrypted private key.
openssl rsa -in plaint-private.pem -pubout -out plaint-public.pem
# Extract the public key from an encrypted private key; the pass phrase comes from
# -passin (file: and env: sources work here as well as pass:).
openssl rsa -in passwd-private.pem -passin pass:123456 -pubout -out plaint-public.pem
# Print the public key to stdout.
openssl rsa -in plaint-private.pem -pubout
# Encrypt an existing private key with des3. This writes a new file; the plaintext
# input file is left on disk and must be removed separately if it should not persist.
openssl rsa -in plaint-private.pem -des3 -passout pass:123456 -out passwd-private.pem
# Convert the private key from PEM to DER (every command defaults to PEM when
# -inform/-outform are omitted).
openssl rsa -inform pem -in plaint-private.pem -outform der -out plaint-private.der
# Check the consistency of the private key components; -noout suppresses printing the key.
openssl rsa -in plaint-private.pem -check -noout
openssl pkey:密钥管理(新命令,入参与rsa相同,扩展名.pem、.key)
# Extract the public key from an unencrypted private key.
openssl pkey -in plaint-private.pem -pubout -out plaint-public.pem
# Extract the public key from an encrypted private key; pass phrase via -passin
# (file:/env: sources avoid exposing it on the command line).
openssl pkey -in passwd-private.pem -passin pass:123456 -pubout -out plaint-public.pem
# Print the public key to stdout.
openssl pkey -in plaint-private.pem -pubout
# Encrypt an existing private key with des3 into a new file; the plaintext input
# remains on disk.
openssl pkey -in plaint-private.pem -des3 -passout pass:123456 -out passwd-private.pem
# Convert the private key from PEM to DER (PEM is the default when no format is given).
openssl pkey -inform pem -in plaint-private.pem -outform der -out plaint-private.der
openssl req:请求证书管理(包含公钥、主题、私钥签名,扩展名.csr)
# Create a certificate signing request: -new builds the request, -key reads the private
# key from the file, -subj sets the subject so no interactive prompts appear.
openssl req -new -key plaint-private.pem -out plaint-request.csr -subj "/C=CN/ST=ZJ/L=HZ/O=RX/OU=ZG/CN=RXCA"
# Print the public key carried in the CSR (PEM on stdout, redirected into a file).
openssl req -in plaint-request.csr -pubkey -noout > plaint-public.pem
# Print the subject of the CSR.
openssl req -in plaint-request.csr -subject -noout
# Check the CSR's self-signature. This proves the requester holds the private key for the
# embedded public key; it says nothing about who the requester is.
openssl req -verify -in plaint-request.csr -noout
# Generate a private key and a CSR in one step: -newkey picks algorithm and size, -nodes
# leaves the key unencrypted on disk, -keyout names the key file.
openssl req -newkey rsa:2048 -nodes -keyout ca-key.pem -out ca-request.csr -subj "/C=CN/ST=ZJ/L=HZ/O=RX/OU=ZG/CN=RXCA"
openssl x509:通信证书管理(扩展名.cer、.crt)
# Create the root certificate (self-signed): -req reads a CSR, -signkey signs it with the
# CA's own private key. The two commented commands (CA private key, then CA CSR) must be
# run first.
#openssl genrsa -out ca-key.pem 2048
#openssl req -new -key ca-key.pem -out ca-request.csr -subj "/C=CN/ST=ZJ/L=HZ/O=RX/OU=ZG/CN=RXCA"
# NOTE(review): no -extfile is given, so the result carries no basicConstraints/keyUsage
# extensions marking it as a CA; strict verifiers may refuse to use it as an issuer.
openssl x509 -req -in ca-request.csr -days 3650 -signkey ca-key.pem -out ca-root.cer
# Issue an end-entity certificate signed by the CA: -CA is the root certificate, -CAkey its
# private key, -CAcreateserial creates the serial-number file on first use. The two
# commented commands (end-entity private key, then CSR) must be run first.
# NOTE(review): 1024-bit RSA is below the 2048-bit minimum generally required today;
# the CA key above already uses 2048.
#openssl genrsa -out test-key.pem 1024
# NOTE(review): this CSR reuses the CA's exact subject (CN=RXCA), so the issued certificate
# ends up with subject == issuer and is self-issued by definition, which confuses chain
# building; give the end entity its own subject.
#openssl req -new -key test-key.pem -out test-request.csr -subj "/C=CN/ST=ZJ/L=HZ/O=RX/OU=ZG/CN=RXCA"
# Without -extfile the certificate also has no subjectAltName, which TLS clients expect.
openssl x509 -req -in test-request.csr -days 365 -CA ca-root.cer -CAkey ca-key.pem -CAcreateserial -out test-public.cer
# Print certificate fields: -dates validity period, -issuer issuer name, -subject subject
# name, -email e-mail addresses; -noout suppresses the certificate body itself.
openssl x509 -in test-public.cer -dates -issuer -subject -email -noout
# Extract the certificate's public key (PEM on stdout, redirected into a file).
openssl x509 -in test-public.cer -pubkey -noout > plaint-public.pem
openssl pkcs12:管理PKCS12证书(扩展名.pfx或.p12)
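# Bundle the certificate and its private key into a PKCS#12 file; -password is the export
# pass phrase (a pass: argument is visible in shell history and to ps; file:/env: avoid that).
openssl pkcs12 -export -password pass:123456 -in test-public.cer -inkey test-key.pem -out test.pfx
# Dump the bundle contents; -nodes writes the contained private key unencrypted.
openssl pkcs12 -info -passin pass:123456 -in test.pfx -nodes
# Extract only the certificate(s) (-nokeys). Reads the bundle created by -export above;
# the earlier version of this line named a different input file (apiclient_cert.p12),
# which nothing in this sequence creates.
openssl pkcs12 -in test.pfx -passin pass:123456 -out cert.pem -nokeys
# Extract only the private key (-nocerts), written unencrypted (-nodes).
openssl pkcs12 -in test.pfx -passin pass:123456 -out private_key.pem -nodes -nocerts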
openssl rsautl:rsa加密、解密、签名、验签
# NOTE(review): rsautl is deprecated in OpenSSL 3.0 in favour of pkeyutl (next section).
# It applies PKCS#1 v1.5 padding by default, and the input must fit in a single RSA block
# (at most 245 bytes for a 2048-bit key).
# Encrypt with a public key: -encrypt, -inkey names the key file, -pubin says the file
# holds a public key. The commented command creates the plaintext input first.
#echo "Hello World" > plaintext.txt
openssl rsautl -encrypt -inkey plaint-public.pem -pubin -in plaintext.txt -out ciphertext.txt
# Decrypt with the private key.
openssl rsautl -decrypt -inkey plaint-private.pem -in ciphertext.txt -out decrypted.txt
# "Sign" with the private key: -sign applies the private-key operation to the raw input
# with no hashing. For a real signature over a file use `openssl dgst -sign`.
openssl rsautl -sign -inkey plaint-private.pem -in plaintext.txt -out signature.txt
# "Verify" with the public key: recovers the signed data into verified.txt, which has to
# be compared against the original input.
openssl rsautl -verify -inkey plaint-public.pem -pubin -in signature.txt -out verified.txt
# Encrypt with the public key taken from a certificate (-certin).
openssl rsautl -encrypt -inkey test-public.cer -certin -in plaintext.txt -out ciphertext.txt
# Decrypt with the matching private key.
openssl rsautl -decrypt -inkey test-key.pem -in ciphertext.txt -out decrypted.txt
# Raw private-key signature (see note above).
openssl rsautl -sign -inkey test-key.pem -in plaintext.txt -out signature.txt
# Recover the signed data with the certificate's public key.
openssl rsautl -verify -inkey test-public.cer -certin -in signature.txt -out verified.txt
openssl pkeyutl:加密、解密、签名、验签(新命令,入参与rsautl相同)
# Same operations with pkeyutl, the current replacement for rsautl. Padding is still
# PKCS#1 v1.5 by default; OAEP can be selected for encryption with
# -pkeyopt rsa_padding_mode:oaep.
# Encrypt with a public key: -encrypt, -inkey names the key file, -pubin says the file
# holds a public key. The commented command creates the plaintext input first.
#echo "Hello World" > plaintext.txt
openssl pkeyutl -encrypt -inkey plaint-public.pem -pubin -in plaintext.txt -out ciphertext.txt
# Decrypt with the private key.
openssl pkeyutl -decrypt -inkey plaint-private.pem -in ciphertext.txt -out decrypted.txt
# "Sign" with the private key: the raw input is padded and signed without hashing, as
# with rsautl; `openssl dgst -sign` is the proper tool for signing a file.
openssl pkeyutl -sign -inkey plaint-private.pem -in plaintext.txt -out signature.txt
# Recover the signed data with the public key: -verifyrecover writes it to verified.txt.
# (-verify together with -sigfile gives a plain pass/fail check instead.)
openssl pkeyutl -verifyrecover -inkey plaint-public.pem -pubin -in signature.txt -out verified.txt
# Encrypt with the public key taken from a certificate (-certin).
openssl pkeyutl -encrypt -inkey test-public.cer -certin -in plaintext.txt -out ciphertext.txt
# Decrypt with the matching private key.
openssl pkeyutl -decrypt -inkey test-key.pem -in ciphertext.txt -out decrypted.txt
# Raw private-key signature (see note above).
openssl pkeyutl -sign -inkey test-key.pem -in plaintext.txt -out signature.txt
# Recover the signed data with the certificate's public key.
openssl pkeyutl -verifyrecover -inkey test-public.cer -certin -in signature.txt -out verified.txt