Openssl and Keytool Example

keytool

  • Create the server keystore
$ keytool -genkey -alias example.com -keypass changepass -keyalg RSA -keysize 2048 -validity 30 -keystore example.com.pkcs12 -storetype pkcs12 -storepass changepass
$ keytool -list -v -storetype pkcs12 -keystore example.com.pkcs12 -storepass changepass
  • Export the server certificate
$ keytool -export -alias example.com -keystore example.com.pkcs12 -file example.com.crt -rfc -storepass changepass
$ keytool -printcert -file example.com.crt
  • Import the server certificate into the client truststore
$ keytool -import -alias example.com -file example.com.crt -keystore trust.pkcs12 -storetype pkcs12 -storepass changepass
$ keytool -list -v -storetype pkcs12 -keystore trust.pkcs12 -storepass changepass

openssl

  • Check the openssl version
$ openssl version -a
OpenSSL 1.1.1 11 Sep 2018
built on: Thu Jun 20 17:36:28 2019 UTC
platform: debian-amd64
......
  • Create a private key file
$ openssl genrsa -out rsa_private_key.pem 1024
Generating RSA private key, 1024 bit long modulus (2 primes)
....+++++
.........+++++
e is 65537 (0x010001)
$ cat rsa_private_key.pem
-----BEGIN RSA PRIVATE KEY-----
......
-----END RSA PRIVATE KEY-----

Algorithm: RSA
Format: PKCS#1
The file body is a Base64-encoded string with special marker lines first and last. RFC 2405 specifies at most 76 characters per line; the example above uses 64-character lines.

  • Derive the public key from the private key file
$ openssl rsa -in rsa_private_key.pem -out rsa_public_key.pem -pubout
writing RSA key
$ cat rsa_public_key.pem
-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDqyaddpooMAy0+aWhazbt/o+EP
X1hdTP5rObji//ybbJ/FVMv0iw8fc9c9pty8ubKCkqOA6h9+EY3sO1cEQNLMInyd
4Eqwr3Jk9InF8cwH83fDomrY+baJ03ZyWee5PMTBIiIeExOw4OPetSfPDVNVNiEF
3Scm7gSpkuLlWUsAHQIDAQAB
-----END PUBLIC KEY-----

Algorithm: RSA
Format: X.509

  • Convert the PKCS#1 private key to PKCS#8
$ openssl pkcs8 -topk8 -in rsa_private_key.pem -out pkcs8_rsa_private_key.pem -nocrypt
$ cat pkcs8_rsa_private_key.pem
-----BEGIN PRIVATE KEY-----
......
-----END PRIVATE KEY-----

Algorithm: RSA
Format: PKCS#8

  • Convert the PKCS#8 private key back to PKCS#1
$ openssl rsa -in pkcs8_rsa_private_key.pem -out pkcs1_rsa_private_key.pem
writing RSA key
$ diff rsa_private_key.pem pkcs1_rsa_private_key.pem

The files are identical after conversion.

  • Generate the X.509 public key from the PKCS#8 private key
$ openssl rsa -in pkcs8_rsa_private_key.pem -pubout -out x509_rsa_public_key.pem
writing RSA key
$ diff rsa_public_key.pem x509_rsa_public_key.pem

The files are identical after conversion.

  • Public key certificate

-_spring_io.crt: the spring.io site certificate, exported from a browser

$ openssl x509 -in -_spring_io.crt -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            02:32:95:81:43:7e:1d:99:e0:47:1d:bd:f6:b4:16:76
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, O = DigiCert Inc, CN = DigiCert SHA2 Secure Server CA
        Validity
            Not Before: Mar 15 00:00:00 2019 GMT
            Not After : Apr 1 12:00:00 2020 GMT
        Subject: C = US, ST = California, L = Palo Alto, O = "Pivotal Software, Inc.", OU = Spring, CN = .spring.io
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)

......
# Convert the certificate to binary (DER) format
$ openssl x509 -in -_spring_io.crt -outform der -out -_spring_io.der
# View it
$ openssl x509 -inform DER -in -_spring_io.der -text -noout
# Convert back to text (PEM) format
$ openssl x509 -in -_spring_io.der -inform der -out -_spring_io-2.crt
  • Create a self-signed CA certificate
# Create the private key
$ openssl genrsa -out ca.key 2048
# Create the certificate signing request
$ openssl req -new -key ca.key -out ca.csr
# View it
$ openssl req -in ca.csr -text
# Sign it
$ openssl x509 -in ca.csr -req -signkey ca.key -days 365 -out ca.crt
# View it
$ openssl x509 -in ca.crt -text -noout
  • Create a CA-signed certificate
# Create the private key
$ openssl genrsa -out my.key 2048
# Create the certificate signing request
$ openssl req -new -key my.key -out my.csr
# Sign it with the CA certificate
$ openssl x509 -req -in my.csr -CA ca.crt -CAkey ca.key -days 365 -CAcreateserial -out my.crt
  • Export a PKCS#12 bundle
$ openssl pkcs12 -export -inkey my.key -in my.crt -CAfile ca.crt -out my.pfx
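The CA, leaf-certificate and PKCS#12 steps above, as an added example that is not part of the original post: the same openssl commands made non-interactive with -subj and -passout, followed by three checks the post does not run (chain verification, key/certificate modulus match, PKCS#12 round-trip). It assumes openssl is on PATH; the file names, subjects and the password changepass are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: the CA / leaf / PKCS#12 flow
# above made non-interactive, then checked. Assumes `openssl` is on PATH;
# file names, subjects and the password "changepass" are constructed.
set -eu

WORK=$(mktemp -d)
cd "$WORK"

# 1. Self-signed CA: the post's commands plus -subj so nothing prompts.
openssl genrsa -out ca.key 2048 2>/dev/null
openssl req -new -key ca.key -subj "/C=CN/O=Example CA/CN=Example Root CA" -out ca.csr
openssl x509 -req -in ca.csr -signkey ca.key -days 365 -out ca.crt 2>/dev/null

# 2. Leaf key and CSR, signed by the CA.
openssl genrsa -out my.key 2048 2>/dev/null
openssl req -new -key my.key -subj "/C=CN/O=Example/CN=example.com" -out my.csr
openssl x509 -req -in my.csr -CA ca.crt -CAkey ca.key -days 365 -CAcreateserial \
    -out my.crt 2>/dev/null

# 3. PKCS#12 bundle: -certfile puts the CA cert in the bundle, -passout avoids the prompt.
openssl pkcs12 -export -inkey my.key -in my.crt -certfile ca.crt \
    -passout pass:changepass -out my.pfx

# --- checks the post does not run (each succeeds only if the property holds) ---

# Does the leaf actually chain to the CA?
verify_chain() { openssl verify -CAfile ca.crt my.crt >/dev/null; }

# Do the private key and the certificate share one RSA modulus?
# A mismatch is the classic "wrong key deployed with this cert" mistake.
key_matches_cert() {
    k=$(openssl rsa -noout -modulus -in my.key | openssl sha256)
    c=$(openssl x509 -noout -modulus -in my.crt | openssl sha256)
    [ "$k" = "$c" ]
}

# Does the certificate inside the PKCS#12 bundle have the same fingerprint as my.crt?
pkcs12_roundtrip() {
    p=$(openssl pkcs12 -in my.pfx -passin pass:changepass -nokeys -clcerts 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256)
    c=$(openssl x509 -noout -fingerprint -sha256 -in my.crt)
    [ "$p" = "$c" ]
}

verify_chain && key_matches_cert && pkcs12_roundtrip && echo "all checks passed"
```

With OpenSSL 1.1.1 (the version shown above), x509 -req without -extfile issues version 1 certificates, so the CA carries no basicConstraints extension; validators running in strict mode (openssl verify -x509_strict, for example) reject such a CA, and the usual fix is an -extfile section with basicConstraints=CA:TRUE.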

Common certificate-related file formats and terms

  • PKCS

Public Key Cryptography Standards (PKCS)

  • .csr

Certificate signing request. Some applications can generate these files for submission to a certificate authority. The actual format is PKCS#10, defined in RFC 2986. It includes some or all of the key details of the requested certificate, such as the subject, organization, state and so on, together with the public key of the certificate to be signed. The CA signs it and returns a certificate. The returned certificate is the public certificate (it includes the public key but not the private key).

  • .pem

PEM (Privacy Enhanced Mail): a text file, generally used to store key files or public key certificates. The content is Base64-encoded; the first line begins with -----BEGIN and the last line begins with -----END. A browser can export an https site's certificate in .crt, .der or .pem format.

  • .key

A file format that contains only a key.

  • .pkcs12 .pfx .p12

Predecessor of PKCS#12; a binary file containing the private key and the public key certificate, with the private key protected by a password.

  • pkcs8

Private-Key Information Syntax Standard; the standard Apache uses to read a certificate's private key. With openssl, a .pem (PKCS#1) private key can be converted to a pkcs#8 file.

  • .der

A binary file that stores a certificate.

  • .cert .cer .crt

Short for Certificate; a text file that stores a certificate, the Base64-encoded version of a .der certificate file.

  • .keystore .jks

The Java platform certificate format, generated with the keytool tool.

  • .p7b

Defined as PKCS#7 in RFC 2315; a format Windows uses for certificate exchange. A browser can export an https site's certificate in .p7b format.

  • .crl

Certificate revocation list. Certificate authorities issue these as a way to withdraw a certificate's authorization before it expires. They can sometimes be downloaded from the CA's website.

posted @ 2020-04-19 13:18  onion94