{"id":1446,"date":"2018-06-20T15:03:11","date_gmt":"2018-06-20T07:03:11","guid":{"rendered":"http:\/\/ykyi.net\/?p=1446"},"modified":"2018-06-20T15:03:11","modified_gmt":"2018-06-20T07:03:11","slug":"openssl%e7%ad%be%e5%8f%91%e8%af%81%e4%b9%a6%e8%82%98%e5%90%8e%e5%a4%87%e6%80%a5%e6%96%b9%ef%bc%88cheatsheet%ef%bc%89","status":"publish","type":"post","link":"https:\/\/ykyi.net\/?p=1446","title":{"rendered":"openssl\u7b7e\u53d1\u8bc1\u4e66\u8098\u540e\u5907\u6025\u65b9\uff08cheatsheet\uff09"},"content":{"rendered":"<h3>\u751f\u6210\u4e00\u5bf9\u65b0\u7684RSA\u975e\u5bf9\u79f0\u5bc6\u94a5,2048bits\u957f\u3002 generate an RSA private key<\/h3>\n<p>openssl genrsa -out private.key 2048<\/p>\n<p>Note: without a cipher option (e.g. -aes256) genrsa writes the key unencrypted; keep the file at mode 0600.<\/p>\n<h3>\u4ece\u79c1\u94a5\u4e2d\u63d0\u51fa\u516c\u94a5\u3002 extract the public key<\/h3>\n<p>openssl rsa -in private.key -pubout &gt; my_pubkey.pub<\/p>\n<h3>\u521b\u5efa\u81ea\u7b7e\u540dCA\u8bc1\u4e66\u3002create a self-signed CA certificate (used to sign the CSRs below)<\/h3>\n<p>openssl req -config openssl.conf -x509 -sha256 -days 3650 -newkey rsa:4096 -keyout ca.key -out ca.crt<\/p>\n<h3>\u7b7e\u7f72CSR\u3002sign the CSR<\/h3>\n<p>openssl ca -config openssl.conf -days 375 -notext -in test.csr -out test.crt<\/p>\n<p>openssl ca requires the files named in openssl.conf to exist before the first run: mkdir newcerts; touch index.txt; echo 01 &gt; serial<\/p>\n<h3>\u68c0\u9a8c\u8bc1\u4e66\u3002verify the certificate<\/h3>\n<p>openssl verify -CAfile ca.crt test.crt<\/p>\n<h3>\u751f\u6210\u4e00\u4e2aCSR\u3002Generate a new private key and CSR(Certificate Signing Request)<\/h3>\n<p>openssl req -config openssl.conf -out CSR.csr -new -newkey rsa:2048 -nodes -keyout private.key<\/p>\n<p>-nodes writes private.key without a passphrase, so restrict its permissions (chmod 600). For a TLS server certificate the hostnames must be carried in the subjectAltName extension, which requires an x509 extension section in the config; a DN field named subjectAltName does not produce that extension.<\/p>\n<h3>\u67e5\u770b\u4e00\u4e2a\u8bc1\u4e66\u3002show the certificate<\/h3>\n<p>openssl x509 -noout -text -in test.crt<\/p>\n<h3>PEM\u683c\u5f0f\u7684\u8bc1\u4e66\u8f6c\u6362\u4e3apfx\u683c\u5f0f\u7684\u8bc1\u4e66<\/h3>\n<p>openssl pkcs12 -inkey bob_key.pem -in bob_cert.cert -export -out bob_pfx.pfx<\/p>\n<p>We can extract the private key from a PFX to a PEM file with this command:<\/p>\n<p>openssl pkcs12 -in filename.pfx -nocerts -out key.pem<\/p>\n<p>Exporting the certificate 
only:<\/p>\n<p>openssl pkcs12 -in filename.pfx -clcerts -nokeys -out cert.pem<\/p>\n<p>Removing the password from the extracted private key:<\/p>\n<p>openssl rsa -in key.pem -out server.key<\/p>\n<p>server.key is now stored in plaintext: restrict it to the service user (chmod 600) and never commit or share it.<\/p>\n<h3>\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/ openssl.conf \/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/<\/h3>\n<p>\u6211\u7528\u7684openssl\u914d\u7f6e\u6587\u4ef6<\/p>\n<pre><code class=\"\">[ ca ]\ndefault_ca = kamus # The default ca section\n\n[ kamus ]\ndir = . # top dir\ndatabase = $dir\/index.txt # index file (must exist: touch index.txt)\nnew_certs_dir = $dir\/newcerts # new certs dir (must exist: mkdir newcerts)\n\ncertificate = $dir\/ca.crt # The CA cert\nserial = $dir\/serial # serial no file (must exist: echo 01 &gt; serial)\nprivate_key = $dir\/ca.key # CA private key; must match the -keyout ca.key used to create ca.crt\nRANDFILE = $dir\/.rand # random number file\n\ndefault_days = 365 # how long to certify for\ndefault_crl_days= 30 # how long before next CRL\ndefault_md = sha256 # md to use\n\npolicy = policy_any # default policy\nemail_in_dn = no # Don't add the email into cert DN\n\nname_opt = ca_default # Subject name display option\ncert_opt = ca_default # Certificate display option\ncopy_extensions = none # Don't copy extensions from request (keep it: copying lets a CSR ask for e.g. CA:TRUE)\n# NOTE: no x509_extensions section is set, so openssl ca adds no subjectAltName,\n# keyUsage or basicConstraints of its own; define one for TLS certificates.\n\n[ policy_any ]\ncountryName = optional\nstateOrProvinceName = optional\norganizationName = optional\norganizationalUnitName = optional\ncommonName = supplied\nsubjectAltName = supplied # NOTE: policy entries are subject-DN attributes; this does not produce the SAN extension\nemailAddress = optional\n\n[ req ]\ndefault_bits = 2048\ndistinguished_name = req_distinguished_name\nstring_mask = utf8only\ndefault_md = sha256\n\n[ req_distinguished_name ]\ncountryName = Country Name(2 letter code)\nstateOrProvinceName = State or Province Name\nlocalityName = Locality Name\ncommonName = Common Name\nsubjectAltName = SubjectAltName # NOTE: prompted into the subject DN, not into the SAN extension\nemailAddress = email\n<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"<p>\u751f\u6210\u4e00\u5bf9\u65b0\u7684RSA\u975e\u5bf9\u79f0\u5bc6\u94a5,2048bits\u957f\u3002 generate an 
RSA private key openssl genrsa -out private.key 2048 \u4ece\u79c1\u94a5\u4e2d\u63d0\u51fa\u516c\u94a5\u3002 extract the public key openssl rsa -in private.key -pubout &gt; my_pubkey.pub \u521b\u5efa\u81ea\u7b7e\u540dCA\u8bc1\u4e66\u3002create a self-signed CA certificate openssl req -config openssl.conf -x509 -sha256 -days 3650 -newkey rsa:4096 -keyout ca.key -out ca.crt \u7b7e\u7f72CSR\u3002sign the CSR openssl ca -config openssl.conf -days 375 -notext -in test.csr -out test.crt &hellip; <a href=\"https:\/\/ykyi.net\/?p=1446\" class=\"more-link\">Continue reading<span class=\"screen-reader-text\"> &#8220;openssl\u7b7e\u53d1\u8bc1\u4e66\u8098\u540e\u5907\u6025\u65b9\uff08cheatsheet\uff09&#8221;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[5,6],"tags":[63],"class_list":["post-1446","post","type-post","status-publish","format-standard","hentry","category-security","category-tech_articles","tag-openssl"],"_links":{"self":[{"href":"https:\/\/ykyi.net\/index.php?rest_route=\/wp\/v2\/posts\/1446","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ykyi.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ykyi.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ykyi.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/ykyi.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1446"}],"version-history":[{"count":0,"href":"https:\/\/ykyi.net\/index.php?rest_route=\/wp\/v2\/posts\/1446\/revisions"}],"wp:attachment":[{"href":"https:\/\/ykyi.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1446"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ykyi.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1446"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ykyi.net\/index.
php?rest_route=%2Fwp%2Fv2%2Ftags&post=1446"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}