openssl常用命令

openssl

openssl - OpenSSL 命令行程序

概要

openssl 命令 [选项... ] [参数... ]

openssl list 标准命令摘要命令密码命令密码算法摘要算法mac 算法公钥算法

openssl no-XXX [ options ]

描述

OpenSSL 是一个加密工具包,实现了安全套接字层 (SSL) 和传输层安全 (TLS) 网络协议以及它们所需的相关加密标准。

openssl程序是一个命令行程序,用于从 shell使用 OpenSSL加密库的各种加密功能。它可用于

o  Creation and management of private keys, public keys and parameters      # 私钥、公钥和参数的创建和管理
o  Public key cryptographic operations                                      # 公开密钥加密操作
o  Creation of X.509 certificates, CSRs and CRLs                            # 创建X.509证书、CSR和CRL
o  Calculation of Message Digests and Message Authentication Codes          # 计算消息摘要和消息验证码
o  Encryption and Decryption with Ciphers                                   # 使用密码进行加密和解密
o  SSL/TLS Client and Server Tests                                          # SSL/TLS客户端和服务器测试
o  Handling of S/MIME signed or encrypted mail                              # 处理S/MIME签名或加密邮件
o  Timestamp requests, generation and verification                          # 时间戳请求、生成和验证

help

显示有关命令选项的信息。

查看代码
 # openssl help
Standard commands
asn1parse         ca                ciphers           cms               
crl               crl2pkcs7         dgst              dhparam           
dsa               dsaparam          ec                ecparam           
enc               engine            errstr            gendsa            
genpkey           genrsa            help              list              
nseq              ocsp              passwd            pkcs12            
pkcs7             pkcs8             pkey              pkeyparam         
pkeyutl           prime             rand              rehash            
req               rsa               rsautl            s_client          
s_server          s_time            sess_id           smime             
speed             spkac             srp               storeutl          
ts                verify            version           x509              

Message Digest commands (see the `dgst' command for more details)
blake2b512        blake2s256        gost              md4               
md5               rmd160            sha1              sha224            
sha256            sha3-224          sha3-256          sha3-384          
sha3-512          sha384            sha512            sha512-224        
sha512-256        shake128          shake256          sm3               

Cipher commands (see the `enc' command for more details)
aes-128-cbc       aes-128-ecb       aes-192-cbc       aes-192-ecb       
aes-256-cbc       aes-256-ecb       aria-128-cbc      aria-128-cfb      
aria-128-cfb1     aria-128-cfb8     aria-128-ctr      aria-128-ecb      
aria-128-ofb      aria-192-cbc      aria-192-cfb      aria-192-cfb1     
aria-192-cfb8     aria-192-ctr      aria-192-ecb      aria-192-ofb      
aria-256-cbc      aria-256-cfb      aria-256-cfb1     aria-256-cfb8     
aria-256-ctr      aria-256-ecb      aria-256-ofb      base64            
bf                bf-cbc            bf-cfb            bf-ecb            
bf-ofb            camellia-128-cbc  camellia-128-ecb  camellia-192-cbc  
camellia-192-ecb  camellia-256-cbc  camellia-256-ecb  cast              
cast-cbc          cast5-cbc         cast5-cfb         cast5-ecb         
cast5-ofb         des               des-cbc           des-cfb           
des-ecb           des-ede           des-ede-cbc       des-ede-cfb       
des-ede-ofb       des-ede3          des-ede3-cbc      des-ede3-cfb      
des-ede3-ofb      des-ofb           des3              desx              
rc2               rc2-40-cbc        rc2-64-cbc        rc2-cbc           
rc2-cfb           rc2-ecb           rc2-ofb           rc4               
rc4-40            seed              seed-cbc          seed-cfb          
seed-ecb          seed-ofb          sm4-cbc           sm4-cfb           
sm4-ctr           sm4-ecb           sm4-ofb

genrsa

生成 RSA 私钥。

查看代码
 # openssl genrsa -help
Usage: genrsa [options]
Valid options are:
 -help               Display this summary
 -3                  Use 3 for the E value
 -F4                 Use F4 (0x10001) for the E value
 -f4                 Use F4 (0x10001) for the E value
 -out outfile        Output the key to specified file
 -rand val           Load the file(s) into the random number generator
 -writerand outfile  Write random data to the specified file
 -passout val        Output file pass phrase source
 -*                  Encrypt the output with any supported cipher
 -engine val         Use engine, possibly a hardware device
 -primes +int        Specify number of primes

req

PKCS#10 X.509 证书签名请求 (CSR) 管理。

查看代码
 # openssl req -help
Usage: req [options]
Valid options are:
 -help               Display this summary
 -inform PEM|DER     Input format - DER or PEM
 -outform PEM|DER    Output format - DER or PEM
 -in infile          Input file
 -out outfile        Output file
 -key val            Private key to use
 -keyform format     Key file format
 -pubkey             Output public key
 -new                New request
 -config infile      Request template file
 -keyout outfile     File to send the key to
 -passin val         Private key password source
 -passout val        Output file pass phrase source
 -rand val           Load the file(s) into the random number generator
 -writerand outfile  Write random data to the specified file
 -newkey val         Specify as type:bits
 -pkeyopt val        Public key options as opt:value
 -sigopt val         Signature parameter in n:v form
 -batch              Do not ask anything during request generation
 -newhdr             Output "NEW" in the header lines
 -modulus            RSA modulus
 -verify             Verify signature on REQ
 -nodes              Don't encrypt the output key
 -noout              Do not output REQ
 -verbose            Verbose output
 -utf8               Input characters are UTF8 (default ASCII)
 -nameopt val        Various certificate name options
 -reqopt val         Various request text options
 -text               Text form of request
 -x509               Output a x509 structure instead of a cert request
                     (Required by some CA's)
 -subj val           Set or modify request subject
 -subject            Output the request's subject
 -multivalue-rdn     Enable support for multivalued RDNs
 -days +int          Number of days cert is valid for
 -set_serial val     Serial number to use
 -addext val         Additional cert extension key=value pair (may be given more than once)
 -extensions val     Cert extension section (override value in config file)
 -reqexts val        Request extension section (override value in config file)
 -precert            Add a poison extension (implies -new)
 -*                  Any supported digest
 -engine val         Use engine, possibly a hardware device
 -keygen_engine val  Specify engine to be used for key generation operations

ca

证书颁发机构 (CA) 管理。

查看代码
 # openssl ca -help
Usage: ca [options]
Valid options are:
 -help                   Display this summary
 -verbose                Verbose output during processing
 -config val             A config file
 -name val               The particular CA definition to use
 -subj val               Use arg instead of request's subject
 -utf8                   Input characters are UTF8 (default ASCII)
 -create_serial          If reading serial fails, create a new random serial
 -rand_serial            Always create a random serial; do not store it
 -multivalue-rdn         Enable support for multivalued RDNs
 -startdate val          Cert notBefore, YYMMDDHHMMSSZ
 -enddate val            YYMMDDHHMMSSZ cert notAfter (overrides -days)
 -days +int              Number of days to certify the cert for
 -md val                 md to use; one of md2, md5, sha or sha1
 -policy val             The CA 'policy' to support
 -keyfile val            Private key
 -keyform format         Private key file format (PEM or ENGINE)
 -passin val             Input file pass phrase source
 -key val                Key to decode the private key if it is encrypted
 -cert infile            The CA cert
 -selfsign               Sign a cert with the key associated with it
 -in infile              The input PEM encoded cert request(s)
 -out outfile            Where to put the output file(s)
 -outdir dir             Where to put output cert
 -sigopt val             Signature parameter in n:v form
 -notext                 Do not print the generated certificate
 -batch                  Don't ask questions
 -preserveDN             Don't re-order the DN
 -noemailDN              Don't add the EMAIL field to the DN
 -gencrl                 Generate a new CRL
 -msie_hack              msie modifications to handle all those universal strings
 -crldays +int           Days until the next CRL is due
 -crlhours +int          Hours until the next CRL is due
 -crlsec +int            Seconds until the next CRL is due
 -infiles                The last argument, requests to process
 -ss_cert infile         File contains a self signed cert to sign
 -spkac infile           File contains DN and signed public key and challenge
 -revoke infile          Revoke a cert (given in file)
 -valid val              Add a Valid(not-revoked) DB entry about a cert (given in file)
 -extensions val         Extension section (override value in config file)
 -extfile infile         Configuration file with X509v3 extensions to add
 -status val             Shows cert status given the serial number
 -updatedb               Updates db for expired cert
 -crlexts val            CRL extension section (override value in config file)
 -crl_reason val         revocation reason
 -crl_hold val           the hold instruction, an OID. Sets revocation reason to certificateHold
 -crl_compromise val     sets compromise time to val and the revocation reason to keyCompromise
 -crl_CA_compromise val  sets compromise time to val and the revocation reason to CACompromise
 -rand val               Load the file(s) into the random number generator
 -writerand outfile      Write random data to the specified file
 -engine val             Use engine, possibly a hardware device

passwd

生成散列密码。

查看代码
 # openssl passwd -help
Usage: passwd [options]
Valid options are:
 -help               Display this summary
 -in infile          Read passwords from file
 -noverify           Never verify when reading password from terminal
 -quiet              No warnings
 -table              Format output as table
 -reverse            Switch table columns
 -salt val           Use provided salt
 -stdin              Read passwords from stdin
 -6                  SHA512-based password algorithm
 -5                  SHA256-based password algorithm
 -apr1               MD5-based password algorithm, Apache variant
 -1                  MD5-based password algorithm
 -aixmd5             AIX MD5-based password algorithm
 -crypt              Standard Unix password algorithm (default)
 -rand val           Load the file(s) into the random number generator
 -writerand outfile  Write random data to the specified file

x509

X.509 证书数据管理。

查看代码
 # openssl x509 -help
Usage: x509 [options]
Valid options are:
 -help                      Display this summary
 -inform format             Input format - default PEM (one of DER or PEM)
 -in infile                 Input file - default stdin
 -outform format            Output format - default PEM (one of DER or PEM)
 -out outfile               Output file - default stdout
 -keyform PEM|DER|ENGINE    Private key format - default PEM
 -passin val                Private key password/pass-phrase source
 -serial                    Print serial number value
 -subject_hash              Print subject hash value
 -issuer_hash               Print issuer hash value
 -hash                      Synonym for -subject_hash
 -subject                   Print subject DN
 -issuer                    Print issuer DN
 -email                     Print email address(es)
 -startdate                 Set notBefore field
 -enddate                   Set notAfter field
 -purpose                   Print out certificate purposes
 -dates                     Both Before and After dates
 -modulus                   Print the RSA key modulus
 -pubkey                    Output the public key
 -fingerprint               Print the certificate fingerprint
 -alias                     Output certificate alias
 -noout                     No output, just status
 -nocert                    No certificate output
 -ocspid                    Print OCSP hash values for the subject name and public key
 -ocsp_uri                  Print OCSP Responder URL(s)
 -trustout                  Output a trusted certificate
 -clrtrust                  Clear all trusted purposes
 -clrext                    Clear all certificate extensions
 -addtrust val              Trust certificate for a given purpose
 -addreject val             Reject certificate for a given purpose
 -setalias val              Set certificate alias
 -days int                  How long till expiry of a signed certificate - def 30 days
 -checkend intmax           Check whether the cert expires in the next arg seconds
                            Exit 1 if so, 0 if not
 -signkey val               Self sign cert with arg
 -x509toreq                 Output a certification request object
 -req                       Input is a certificate request, sign and output
 -CA infile                 Set the CA certificate, must be PEM format
 -CAkey val                 The CA key, must be PEM format; if not in CAfile
 -CAcreateserial            Create serial number file if it does not exist
 -CAserial val              Serial file
 -set_serial val            Serial number to use
 -text                      Print the certificate in text form
 -ext val                   Print various X509V3 extensions
 -C                         Print out C code forms
 -extfile infile            File with X509V3 extensions to add
 -rand val                  Load the file(s) into the random number generator
 -writerand outfile         Write random data to the specified file
 -extensions val            Section from config file to use
 -nameopt val               Various certificate name options
 -certopt val               Various certificate text options
 -checkhost val             Check certificate matches host
 -checkemail val            Check certificate matches email
 -checkip val               Check certificate matches ipaddr
 -CAform PEM|DER            CA format - default PEM
 -CAkeyform PEM|DER|ENGINE  CA key format - default PEM
 -sigopt val                Signature parameter in n:v form
 -force_pubkey infile       Force the Key to put inside certificate
 -next_serial               Increment current certificate serial number
 -clrreject                 Clears all the prohibited or rejected uses of the certificate
 -badsig                    Corrupt last byte of certificate signature (for test)
 -*                         Any supported digest
 -subject_hash_old          Print old-style (MD5) issuer hash value
 -issuer_hash_old           Print old-style (MD5) subject hash value
 -engine val                Use engine, possibly a hardware device
 -preserve_dates            preserve existing dates when signing
posted @ 2022-08-18 19:48  小吉猫  阅读(1633)  评论(0编辑  收藏  举报