OpenSSL 常用語法整理

- 直接看憑證檔內容

openssl x509 -in cert.pem -text -noout

看結果訊息

[root@pve-ms ichiayi.com]# openssl x509 -in cert.pem -text -noout | more
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            03:9f:af:ef:f3:22:59:75:7a:fd:a3:78:76:2c:b6:bb:f9:f5
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3
        Validity
            Not Before: Dec 31 14:20:07 2018 GMT
            Not After : Mar 31 14:20:07 2019 GMT
        Subject: CN=ichiayi.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:b5:ca:5b:e8:b5:e3:1b:0d:51:25:a7:7f:12:2e:
                    26:73:49:5f:9f:52:ee:66:f3:26:4b:74:82:6d:a1:
                    60:80:c7:3c:25:88:1d:ba:7a:77:8d:12:a9:0f:2b:
                    86:c0:5c:dd:eb:6f:13:2f:fc:4e:6b:b3:7a:3c:40:
                    07:91:01:e9:75:3c:ca:09:c8:af:c1:ec:af:aa:b2:
                    ca:4d:f9:70:e6:72:a8:3e:b7:ab:4f:29:b2:f3:ef:
                    5d:e2:9b:1c:42:58:f6:80:4a:fa:ed:bc:2f:cb:30:
                    a2:6b:83:be:3c:93:ac:56:5c:b8:42:35:77:48:cb:
                    12:bb:fb:50:fc:4d:be:22:6b:d3:42:22:3b:ad:91:
                    6c:61:b9:b1:d0:63:4a:38:66:9b:da:ec:50:2b:bd:
                    e9:ce:25:8f:fd:3a:dd:bc:6f:96:1b:7e:8e:47:ba:
                    66:4f:8c:48:2d:98:a2:34:17:66:dd:0a:78:6f:9c:
                    ff:56:b7:d1:1e:f5:5d:58:1f:0c:b6:89:a0:3e:5a:
                    d3:5d:12:68:a0:5e:ed:c3:c3:41:64:0c:c8:0c:19:
                    7e:7d:3e:49:ca:4c:ff:af:5d:68:2e:04:eb:4e:14:
                    71:04:9d:52:54:d5:dd:1f:7b:5f:31:ab:7a:48:a9:
                    0c:80:c8:c8:17:b5:4f:86:8a:35:b7:d5:a7:f3:9d:
                    ca:d1
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier:
                2E:D2:F4:8B:D0:31:49:7E:9C:37:38:D8:A2:68:67:B4:C7:37:F2:0C
[root@pve-ms ichiayi.com]# openssl x509 -in cert.pem -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            03:9f:af:ef:f3:22:59:75:7a:fd:a3:78:76:2c:b6:bb:f9:f5
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3
        Validity
            Not Before: Dec 31 14:20:07 2018 GMT
            Not After : Mar 31 14:20:07 2019 GMT
        Subject: CN=ichiayi.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:b5:ca:5b:e8:b5:e3:1b:0d:51:25:a7:7f:12:2e:
                    26:73:49:5f:9f:52:ee:66:f3:26:4b:74:82:6d:a1:
                    60:80:c7:3c:25:88:1d:ba:7a:77:8d:12:a9:0f:2b:
                    86:c0:5c:dd:eb:6f:13:2f:fc:4e:6b:b3:7a:3c:40:
                    07:91:01:e9:75:3c:ca:09:c8:af:c1:ec:af:aa:b2:
                    ca:4d:f9:70:e6:72:a8:3e:b7:ab:4f:29:b2:f3:ef:
                    5d:e2:9b:1c:42:58:f6:80:4a:fa:ed:bc:2f:cb:30:
                    a2:6b:83:be:3c:93:ac:56:5c:b8:42:35:77:48:cb:
                    12:bb:fb:50:fc:4d:be:22:6b:d3:42:22:3b:ad:91:
                    6c:61:b9:b1:d0:63:4a:38:66:9b:da:ec:50:2b:bd:
                    e9:ce:25:8f:fd:3a:dd:bc:6f:96:1b:7e:8e:47:ba:
                    66:4f:8c:48:2d:98:a2:34:17:66:dd:0a:78:6f:9c:
                    ff:56:b7:d1:1e:f5:5d:58:1f:0c:b6:89:a0:3e:5a:
                    d3:5d:12:68:a0:5e:ed:c3:c3:41:64:0c:c8:0c:19:
                    7e:7d:3e:49:ca:4c:ff:af:5d:68:2e:04:eb:4e:14:
                    71:04:9d:52:54:d5:dd:1f:7b:5f:31:ab:7a:48:a9:
                    0c:80:c8:c8:17:b5:4f:86:8a:35:b7:d5:a7:f3:9d:
                    ca:d1
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier:
                2E:D2:F4:8B:D0:31:49:7E:9C:37:38:D8:A2:68:67:B4:C7:37:F2:0C
            X509v3 Authority Key Identifier:
                keyid:A8:4A:6A:63:04:7D:DD:BA:E6:D1:39:B7:A6:45:65:EF:F3:A8:EC:A1

            Authority Information Access:
                OCSP - URI:http://ocsp.int-x3.letsencrypt.org
                CA Issuers - URI:http://cert.int-x3.letsencrypt.org/

            X509v3 Subject Alternative Name:
                DNS:*.ichiayi.com, DNS:ichiayi.com
            X509v3 Certificate Policies:
                Policy: 2.23.140.1.2.1
                Policy: 1.3.6.1.4.1.44947.1.1.1
                  CPS: http://cps.letsencrypt.org

            CT Precertificate SCTs:
                Signed Certificate Timestamp:
                    Version   : v1(0)
                    Log ID    : E2:69:4B:AE:26:E8:E9:40:09:E8:86:1B:B6:3B:83:D4:
                                3E:E7:FE:74:88:FB:A4:8F:28:93:01:9D:DD:F1:DB:FE
                    Timestamp : Dec 31 15:20:07.239 2018 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:46:02:21:00:E3:CE:5C:96:90:FE:BF:85:28:74:0C:
                                81:21:C2:13:FB:15:01:E8:15:08:70:D2:F8:26:2C:34:
                                35:3D:FE:5E:83:02:21:00:E4:D8:77:86:70:48:D1:B5:
                                CD:5E:AD:D6:C0:96:E3:4F:40:08:6C:56:8F:1B:07:E3:
                                CC:F2:9C:71:0C:3B:75:A9
                Signed Certificate Timestamp:
                    Version   : v1(0)
                    Log ID    : 29:3C:51:96:54:C8:39:65:BA:AA:50:FC:58:07:D4:B7:
                                6F:BF:58:7A:29:72:DC:A4:C3:0C:F4:E5:45:47:F4:78
                    Timestamp : Dec 31 15:20:07.236 2018 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:45:02:21:00:C8:C6:CD:41:89:E5:8A:6D:45:22:1E:
                                90:63:19:28:6E:C6:C2:AD:96:36:56:33:80:84:7C:60:
                                99:D6:6B:11:B1:02:20:0C:F8:CB:1E:B4:87:EC:98:10:
                                0A:65:BF:BE:F6:CE:82:10:48:F6:6A:27:FB:68:FD:28:
                                26:46:C3:4F:6C:11:DA
    Signature Algorithm: sha256WithRSAEncryption
         31:53:92:93:80:f7:37:93:eb:4f:5e:c0:61:f4:6b:ca:7c:40:
         df:53:85:e7:8a:9a:0c:30:a7:97:7b:58:a3:e7:ab:5e:2e:cf:
         97:88:33:97:cc:01:11:22:4f:a6:fd:2c:52:41:60:1d:13:94:
         ee:f4:04:ce:18:bd:fe:73:f9:b9:63:22:86:18:af:7f:2e:51:
         5e:0f:f4:35:17:81:63:03:cf:2e:ca:89:45:3f:01:63:af:4d:
         0d:90:6b:5a:ee:d7:ae:77:c1:33:d7:c4:c1:b4:c9:70:37:02:
         14:ed:d0:3e:25:52:5d:7e:1b:98:84:48:51:ee:1f:55:a6:ed:
         54:08:8f:71:2e:ee:27:9a:13:c5:b2:82:f7:c4:60:2e:e1:da:
         8e:01:7f:66:a8:6d:fb:f2:57:4c:e8:fb:56:2c:74:91:87:67:
         3c:c2:16:b1:05:00:e6:95:06:d8:09:b8:3f:89:62:6e:ea:31:
         19:47:bb:2a:45:1c:ba:94:0a:71:1d:27:1e:e7:60:4f:3c:76:
         b8:81:49:22:12:29:f9:fd:b6:7f:4e:36:7e:64:6c:20:98:8a:
         2b:61:96:fb:a4:7e:45:d1:21:ae:de:c8:7c:67:40:7a:c8:45:
         00:ae:91:fb:1f:d2:a2:0b:f9:fa:84:43:f9:c8:ad:1a:77:79:
         2c:fe:3d:06

- 將憑證 PEM 格式轉成 DER 格式

openssl x509 -inform PEM -outform DER -in ClientCA.crt -out ClientCA.cer

看結果訊息

[jonathan@pd920 certs]$ openssl x509 -inform PEM -outform DER -in ClientCA.crt -out ClientCA.cer

clientca.crt

clientca.cer

- 將憑證 DER 格式轉成 PEM 格式

openssl x509 -inform DER -in GCA.cer -out GCA.crt

看結果訊息

[jonathan@pd920 gca]$ openssl x509 -inform DER -in GCA.cer -out GCA.crt

gca.cer

gca.crt

- 將 CRL 檔由 PEM 格式轉成 DER 格式

openssl crl -in trysoft.crl -outform DER -out trysoft_der.crl

- 檢驗 CRL 檔並將 DER 格式轉成文字格式

wget http://gca.nat.gov.tw/repository/GCA4/CRL/complete.crl
wget http://gca.nat.gov.tw/repository/Certs/GCA.cer
 
openssl crl -inform DER -in complete.crl -text -CAfile GCA.crt -out gca_crl.txt

結果訊息

[jonathan@pd920 gca]$ openssl crl -inform DER -in complete.crl -text -CAfile GCA.crt -out gca_crl.txt
verify OK
[jonathan@pd920 gca]$ more gca_crl.txt
Certificate Revocation List (CRL):
        Version 2 (0x1)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: /C=TW/O=\xE8\xA1\x8C\xE6\x94\xBF\xE9\x99\xA2/OU=\xE6\x94\xBF\xE5\xBA\x9C\xE6\x86\x91
\xE8\xAD\x89\xE7\xAE\xA1\xE7\x90\x86\xE4\xB8\xAD\xE5\xBF\x83
        Last Update: Aug 21 16:00:00 2008 GMT
        Next Update: Sep 21 16:00:00 2008 GMT
        CRL extensions:
:
:

- 驗 ClientCA.cer 憑證的方式

要先取得該憑證的 root 憑證 RootCA.crt 與廢止清冊 CRL.crt
如果有中繼憑證簽發，也必須取得所有中繼憑證 Exp. Mid1CA.crt , Mid2CA.crt

依據順序產生憑證 chain 檔 chain.crt (PEM 格式) 語法

cat RootCA.crt > chain.crt
cat Mid1CA.crt >> chain.crt
cat Mid2CA.crt >> chain.crt
cat CRL.crt >> chain.crt

將 ClientCA.cer 由 DER 轉成 PEM 格式語法

openssl x509 -inform DER -in ClientCA.cer -out ClientCA.crt

執行以下語法來檢驗憑證語法

openssl verify -CAfile chain.crt -crl_check ClientCA.crt

如果沒問題會出現

[jonathan@pd920 certs]$ openssl verify -CAfile chain.crt -crl_check ClientCA.crt
ClientCA.crt: OK

如果憑證存在廢止清冊內會出現

[jonathan@pd920 certs]$ openssl verify -CAfile chain.crt -crl_check ClientCA.crt
ClientCA.crt: /C=TW/ST=Taiwan/L=Taipei/O=Test Corp./CN=Test Corp./[email protected]
error 23 at 0 depth lookup:certificate revoked

相關參考網址

http://www.madboa.com/geek/openssl/
http://www.ascc.net/nl/91/1819/02.txt
http://www.study-area.org/tips/certs/certs.html

http://ssorc.tw/rewrite.php/read-42.html 主要內容

產生 private key 私密金鑰 及 憑證 cert (365 天, 1024 bits)
openssl req -new -x509 -keyout server.key -out server.crt -days 3650 -newkey rsa:1024
   -nodes : 可以不加密碼

   -subj '/C=TW/ST=Taiwan/L=Taipei/CN=ssorc.tw/[email protected]' : 個人資訊，加的話不會出用提示的方式

產生私密金鑰(private key) & 憑證要求(certificate signing request = csr)
   openssl req -new -keyout server.key -out server.csr -days 365 -newkey rsa:1024
   如果要引用已有 private key 了來產生憑證要求
openssl req -new -key server.key -out server.csr
簽署 csr 產生 crt
openssl x509 -in server.csr -out server.crt -req -text -signkey server.key
CA 簽發
openssl ca -policy policy_anything -out server.crt -infiles server.csr
檢查簽署
openssl req -in server.csr -noout -verify -key server.key
檢查憑證
openssl verify server.crt
查看 csr 內容
openssl req -in server.csr -noout -text
-noout : 不輸出BEGIN CERTIFICATE REQUEST

查看 csr 內容並檢查
openssl req -in server.csr -noout -text -verify
查看 crt 內容
openssl x509 -in server.crt -text
其它查看的參數
-issuer
-subject
-dates

產生 Windows用的 p12
openssl pkcs12 -export -in server.crt -inkey server.key -out windows.p12
   如果反過來的話
openssl pkcs12 -in windows.p12 -out server.crt
windows DER
   openssl x509 -in cacert.pem -out cacert.der -outform DER
產生 public key
openssl rsa -in server.key -pubout
產生 rsa key
openssl genrsa
openssl genrsa 1024
openssl genrsa 1024 -out server.rsa.key
文件加密、解密
   明文文件（plain text）  ：test.txt
   密文文件（cipher text）：test.msg

   文件加密
echo "this is a test file" > test.txt
openssl smime -encrypt -in test.txt -out test.msg cert.pem
   文件解密
openssl smime -decrypt -in test.msg -recip cert.pem -inkey key.pem
   驗證簽章（Verify Signature）
openssl smime -sign -inkey key.pem -signer cert.pem -in test.txt -out test.sig
openssl smime -verif -in test.sig -signer cert.pem -out test2.txt -CAfile cacert.pem
測試 TLS
openssl s_client -CAfile cacert.pem -connect localhost:993
openssl s_client -connect remote.host:25 -starttls smtp
openssl s_time -connect remote_host:443
Benchmark
openssl speed
openssl speed rsa

ref: http://www.madboa.com/geek/openssl/
ref: http://www.ascc.net/nl/91/1819/02.txt
ref: http://www.study-area.org/tips/certs/certs.html

openssl, pki, ca, tips