openssl证书基本操作

# 证书标准

X.509 - 是一种证书标准，主要定义了证书中应该包含哪些内容。其详情可以参考 RFC5280 (opens new window)，Openssl使用的就是这种证书标准。

# 证书编码

相同的 X.509 证书, 可能有不同的编码格式, 目前有以下两种编码格式：

PEM (Privacy Enhanced Mail)，BASE64编码，文本格式，可直接用记事本查看，以"-----BEGIN CERTIFICATE-----"开头，"-----END CERTIFICATE-----"结尾。

# 查看 PEM 格式证书的信息
openssl x509 -in certificate.pem -text -noout

1
2

DER (Distinguished Encoding Rules)，二进制格式，不可直接查看。

# 查看 DER 格式证书的信息
openssl x509 -in certificate.der -inform der -text -noout

1
2

提示

-in arg - input file - default stdin
-inform arg - input format - default PEM (one of DER, NET or PEM)
-text - print the certificate in text form
-noout - no certificate output

具体可以通过 openssl x509 -help 查看

# 证书扩展名

.pem - 用于 Base64 编码的 X.509 证书，公私钥文件等
.der - 用于 DER 编码的证书。这些证书也可以用 CER 或者 CRT 作为扩展名。比较合适的说法是 我有一个DER编码的证书，而不是 我有一个DER证书。
.crt - certificate 的缩写，常见于 Unix/Linux 系统，可以是 PEM 编码，也可以是 DER 编码，大多数是 PEM 编码。
.cer - 同样是 certificate 的缩写，还是证书的意思，常见于 Windows 系统，同样的，可以是 PEM 编码，也可以是 DER 编码，大多数是 DER 编码。

注： .crt 和 .cer 证书在相同编码下是一样的，为了区分，一般 .crt 使用 PEM 编码，.cer 使用 DER

.key - 通常用来存放一个公钥或者私钥，并非 X.509 证书，可以是 PEM 编码，也可以是 DER 编码。

# 查看 PEM 编码 的 RSA KEY 信息
openssl rsa -in rsakey.key -text -noout
# 查看 DER 编码 的 RSA KEY 信息
openssl rsa -in rsakey.key -inform der -text -noout

1
2
3
4

.csr - Certificate Signing Request，证书签名请求。这个并不是证书，而是向权威证书颁发机构获得签名证书的申请，其核心内容是一个公钥(当然还附带了一些别的信息)，在生成这个申请的时候，同时也会生成一个私钥，私钥要自己保管好。

# 查看 CSR 的信息
openssl req -in my.csr -noout -text
openssl req -in my.csr -inform der -noout -text

1
2
3

.pfx - Predecessor of PKCS#12，由证书和私钥存放在一起组成，使用 DER 编码，常见于 Windows 的 IIS 服务器 (对 unix 服务器来说，一般 CRT 和 KEY 是分开存放在不同文件中的)。pfx文件一般还会有密码，用于保证私钥的安全。

# 生成 pfx: CA.crt是CA(权威证书颁发机构)的根证书，有的话也通过 -certfile 参数一起带进去。
openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CA.crt

# 把 PFX 转换为 PEM 编码
openssl pkcs12 -in iis.pfx -out iis.pem -nodes
# 这个时候会提示你输入密码，或者直接将密码带入，这里假设密码是 password
openssl pkcs12 -in iis.pfx -out iis.pem -nodes -passin pass:password

1
2
3
4
5
6
7

# 证书转换

PEM 转为 DER

openssl x509 -in cert.crt -outform der -out cert.der

DER 转为 PEM

openssl x509 -in cert.der -inform der -outform pem -out cert.pem

提示

-in arg - input file - default stdin
-out arg - output file - default stdout
-inform arg - input format - default PEM (one of DER, NET or PEM)
-outform arg - output format - default PEM (one of DER, NET or PEM)

具体可以通过 openssl x509 -help 查看

要转换 KEY 文件也类似，只不过把 x509 换成 rsa 或ec；转 CSR 文件，使用 req

# RSA 证书签发

一般情况下，证书都是通过向权威证书颁发机构申请的，申请之前，需要有自己的 CSR，把 CSR 交给权威证书颁发机构，权威证书颁发机构对此进行签名，生成你的证书。

# 生成 CSR

生成 key 文件

# 生成 RSA 公私钥
openssl genrsa -des3 -out myrsa.key 2048

1
2

执行上满的命令，openssl 会提示你输入密码，此密码用于加密 key 文件(参数 -des3 是指加密算法，当然也可以选用其他你认为安全的算法。)，以后每当需读取此文件都需输入密码。

如果不需要密码，可以使用如下命令：

openssl genrsa -out myrsa.key 2048

提示

加密的 key 文件去除密码：

openssl rsa -in myrsa_des.key -passin pass:123456 -out myrsa.key

明文 key 文件加密（添加密码）

openssl rsa -in myrsa.key -des3 -passout pass:123456 -out myrsa_des.key

为了演示方便，这里生成不带密码的，正常使用为了安全还是带上密码比较好。

生成 csr 文件

使用上面生成的 key，生成一个 certificate signing request (CSR)

openssl req -new -key myrsa.key -out myrsa.csr

如果你的 key 有密码保护，openssl 首先会询问你的密码，然后询问你一系列问题，其中 Common Name(CN) 是最重要的，它代表你的证书要代表的目标，如果你为网站申请的证书，就要添你的域名或者服务器的ip地址。

生成 csr 后，提交给权威证书颁发机构，权威证书颁发机构对此进行签名，生成证书。

提示

上面1、2步骤的命令，也可以合并成如下命令，一步生成 key 和 CSR

openssl req -newkey rsa:2048 -nodes -keyout myrsa.key -out myrsa.csr

点击查看 myrsa.csr 和 myrsa.key 文件内容

# 查看 CSR 内容
openssl req -in myrsa.csr -text

Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=AU, ST=Some-State, O=Internet Widgits Pty Ltd
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:9d:05:20:cc:2a:9c:b8:68:17:f3:7a:87:32:fe:
                    c7:7a:ff:f0:d7:c2:13:46:24:92:14:ab:27:0c:6f:
                    60:bf:4c:cf:d6:1b:42:9f:a1:b8:ba:ed:99:f1:7f:
                    cd:cc:7c:0a:d1:0a:5e:31:03:0f:4f:9b:b3:54:0a:
                    0e:14:b8:63:de:a9:9e:e0:ee:ec:4f:00:8f:2a:c7:
                    3b:1d:71:7a:b8:86:01:62:f5:e6:9f:fb:51:88:21:
                    1e:91:c5:0a:4a:4f:2f:42:a9:e9:73:65:51:e9:4b:
                    06:d9:07:75:79:82:f2:b3:16:84:19:82:68:3b:28:
                    31:6b:4d:6a:54:26:0f:f4:4c:3a:e6:b0:19:9a:77:
                    b7:e6:f3:2b:12:ca:d5:5e:dd:b3:06:91:2c:05:64:
                    b6:54:bc:6f:b3:72:67:e5:19:e8:8b:72:92:d7:82:
                    a8:21:b8:d5:ee:78:11:c8:9a:b0:06:03:37:16:ea:
                    e4:d5:f8:d2:41:e1:80:11:81:5f:99:fa:0b:0e:98:
                    f3:a1:dd:c9:be:76:61:05:21:25:7d:39:dc:20:e1:
                    de:2c:2b:96:08:82:73:aa:50:53:a3:08:3e:0d:15:
                    21:57:c3:36:42:ae:bf:94:ce:3f:52:9f:d7:ae:f8:
                    73:fa:f0:4a:cd:74:3f:d3:50:84:6a:d4:bc:65:8f:
                    37:bd
                Exponent: 65537 (0x10001)
        Attributes:
            a0:00
    Signature Algorithm: sha256WithRSAEncryption
         24:6e:8c:fa:6c:52:60:29:04:23:73:1e:57:7a:c3:3f:2d:0f:
         5b:07:01:d6:fa:85:7a:4c:ec:40:34:8e:8f:73:6a:31:7d:6f:
         1f:7b:5f:db:a3:d2:2e:26:23:2e:c5:46:0b:a6:22:1d:f0:b1:
         6f:d1:fe:df:ab:4f:2b:97:d7:26:c5:3c:bb:5c:1a:8f:fe:b4:
         76:8f:bb:3f:6e:09:9a:ad:1a:6a:40:ba:9f:dc:7f:fb:42:1f:
         1d:5d:e5:4a:68:cf:8e:fc:44:4c:96:ec:21:d9:f5:5b:c9:1a:
         a0:72:d9:a6:36:70:52:dd:76:21:d0:13:58:54:f0:97:9e:11:
         a3:fc:ff:91:07:7f:d5:98:d3:53:a8:f4:82:6b:c1:3b:ac:52:
         9e:a0:ec:a3:3f:bc:57:26:d0:98:9f:53:97:d2:ea:9f:b5:41:
         36:fc:a1:66:9f:39:60:24:95:be:b5:d5:83:3f:01:f4:95:3f:
         94:03:af:94:4d:92:a6:73:d8:0f:ae:da:1d:ae:f6:2c:9d:6c:
         fd:e9:1a:9a:5a:13:20:36:be:3d:47:87:d7:ff:f1:f2:14:49:
         ab:5e:c8:55:b3:24:21:e4:6f:2c:d6:bb:ae:82:2f:ef:24:13:
         c1:c1:d7:40:48:7d:b4:13:8b:d7:85:8a:96:e7:4b:2a:98:08:
         fc:97:63:1b
-----BEGIN CERTIFICATE REQUEST-----
MIICijCCAXICAQAwRTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUx
ITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDCCASIwDQYJKoZIhvcN
AQEBBQADggEPADCCAQoCggEBAJ0FIMwqnLhoF/N6hzL+x3r/8NfCE0YkkhSrJwxv
YL9Mz9YbQp+huLrtmfF/zcx8CtEKXjEDD0+bs1QKDhS4Y96pnuDu7E8AjyrHOx1x
eriGAWL15p/7UYghHpHFCkpPL0Kp6XNlUelLBtkHdXmC8rMWhBmCaDsoMWtNalQm
D/RMOuawGZp3t+bzKxLK1V7dswaRLAVktlS8b7NyZ+UZ6ItykteCqCG41e54Ecia
sAYDNxbq5NX40kHhgBGBX5n6Cw6Y86Hdyb52YQUhJX053CDh3iwrlgiCc6pQU6MI
Pg0VIVfDNkKuv5TOP1Kf1674c/rwSs10P9NQhGrUvGWPN70CAwEAAaAAMA0GCSqG
SIb3DQEBCwUAA4IBAQAkboz6bFJgKQQjcx5XesM/LQ9bBwHW+oV6TOxANI6Pc2ox
fW8fe1/bo9IuJiMuxUYLpiId8LFv0f7fq08rl9cmxTy7XBqP/rR2j7s/bgmarRpq
QLqf3H/7Qh8dXeVKaM+O/ERMluwh2fVbyRqgctmmNnBS3XYh0BNYVPCXnhGj/P+R
B3/VmNNTqPSCa8E7rFKeoOyjP7xXJtCYn1OX0uqftUE2/KFmnzlgJJW+tdWDPwH0
lT+UA6+UTZKmc9gPrtodrvYsnWz96RqaWhMgNr49R4fX//HyFEmrXshVsyQh5G8s
1ruugi/vJBPBwddASH20E4vXhYqW50sqmAj8l2Mb
-----END CERTIFICATE REQUEST-----

# 查看 key 内容
openssl rsa -in myrsa.key -text

Private-Key: (2048 bit)
modulus:
    00:9d:05:20:cc:2a:9c:b8:68:17:f3:7a:87:32:fe:
    c7:7a:ff:f0:d7:c2:13:46:24:92:14:ab:27:0c:6f:
    60:bf:4c:cf:d6:1b:42:9f:a1:b8:ba:ed:99:f1:7f:
    cd:cc:7c:0a:d1:0a:5e:31:03:0f:4f:9b:b3:54:0a:
    0e:14:b8:63:de:a9:9e:e0:ee:ec:4f:00:8f:2a:c7:
    3b:1d:71:7a:b8:86:01:62:f5:e6:9f:fb:51:88:21:
    1e:91:c5:0a:4a:4f:2f:42:a9:e9:73:65:51:e9:4b:
    06:d9:07:75:79:82:f2:b3:16:84:19:82:68:3b:28:
    31:6b:4d:6a:54:26:0f:f4:4c:3a:e6:b0:19:9a:77:
    b7:e6:f3:2b:12:ca:d5:5e:dd:b3:06:91:2c:05:64:
    b6:54:bc:6f:b3:72:67:e5:19:e8:8b:72:92:d7:82:
    a8:21:b8:d5:ee:78:11:c8:9a:b0:06:03:37:16:ea:
    e4:d5:f8:d2:41:e1:80:11:81:5f:99:fa:0b:0e:98:
    f3:a1:dd:c9:be:76:61:05:21:25:7d:39:dc:20:e1:
    de:2c:2b:96:08:82:73:aa:50:53:a3:08:3e:0d:15:
    21:57:c3:36:42:ae:bf:94:ce:3f:52:9f:d7:ae:f8:
    73:fa:f0:4a:cd:74:3f:d3:50:84:6a:d4:bc:65:8f:
    37:bd
publicExponent: 65537 (0x10001)
privateExponent:
    1d:ec:be:45:6a:d1:97:6b:6f:35:1d:e2:ea:5b:18:
    15:5e:f5:bd:88:e5:37:76:fc:c8:27:9e:37:86:7a:
    7f:ba:d9:d9:4a:34:b6:4b:91:f3:3e:19:1a:a7:6a:
    c7:4f:d4:97:e6:4b:f1:37:4e:11:b3:f0:c7:51:6b:
    41:93:aa:a4:e2:da:be:af:8a:25:bc:4b:8c:b1:8f:
    98:9a:e9:f2:84:c7:7a:de:b6:67:42:f4:54:e7:4a:
    f6:29:01:3f:0c:3c:4b:8e:2a:49:ad:c3:a0:9c:85:
    df:92:c6:56:b4:18:20:fd:67:8b:9d:08:d4:4d:62:
    ad:ba:81:4b:2c:3d:da:26:e8:9e:15:e5:49:59:42:
    a8:89:61:d2:bc:de:48:cd:de:7e:c0:19:ac:30:a4:
    af:32:c6:fc:ec:17:d3:30:3f:88:00:29:75:b2:3c:
    b6:9e:7d:fa:77:f2:1d:fc:c8:7f:82:28:0d:2a:f4:
    a7:d5:9f:19:2f:b4:4d:c8:c1:62:bc:f9:12:30:fb:
    86:14:24:e7:56:e3:fb:06:fb:e1:97:78:5f:8c:ef:
    4c:22:34:8f:bc:9c:7a:77:c6:ff:53:e1:73:00:f7:
    60:1c:30:18:c0:2d:a0:71:87:aa:de:f9:32:f3:dd:
    fc:9c:b5:de:7b:b9:56:ce:3f:c3:a0:04:dd:10:e9:
    41
prime1:
    00:ca:9c:ae:da:f5:f3:53:10:fa:55:43:9c:80:a2:
    0a:7c:00:68:f2:00:d6:58:9f:93:45:7a:73:a4:ca:
    35:0a:a6:0b:f6:1b:39:84:69:9a:f0:0b:0b:6d:5f:
    7d:c5:22:c6:47:3a:39:4f:b8:c2:59:ad:66:79:03:
    a2:c1:5d:f3:9b:11:d4:35:64:bf:4e:05:18:5e:07:
    ce:e5:fb:1d:0c:ce:ac:bd:f0:1e:31:44:01:d5:cc:
    a8:97:68:41:eb:23:ae:f2:e7:9b:ee:97:3f:e6:f3:
    84:71:fa:61:6d:0b:cc:af:63:c6:a7:8a:70:eb:97:
    30:56:c4:a8:f5:84:b8:0a:a9
prime2:
    00:c6:65:02:33:4d:99:ea:3b:04:b7:39:e9:7b:af:
    fd:bd:23:c8:60:76:8c:f4:51:84:b2:b1:9d:63:90:
    c9:ac:7e:a3:5f:e7:b4:0a:53:bd:e1:71:03:da:46:
    c8:95:dc:d4:6a:13:51:01:cf:91:16:43:41:e4:e0:
    6d:89:37:2e:3e:d0:2a:d2:2e:34:5a:72:d2:a6:6d:
    f3:20:4d:0a:48:25:9f:1d:ab:cf:12:01:1b:51:ad:
    da:35:57:34:a9:19:f7:93:37:a2:21:91:70:1b:f7:
    ec:60:95:25:5e:57:4f:fc:7e:ac:f8:02:a9:a3:f4:
    7a:8e:45:8e:30:c8:0b:64:f5
exponent1:
    00:9f:cc:03:7c:5e:0e:92:ad:09:42:c6:18:60:bb:
    6c:59:70:59:54:c4:a4:49:31:52:0d:b2:0e:13:22:
    07:c3:66:42:78:cf:f0:05:26:e5:33:fd:01:fe:39:
    1a:10:a8:e4:88:b8:bb:0a:cd:45:3b:45:2f:54:b2:
    31:63:20:9e:48:e7:3e:de:fd:9e:84:02:30:bd:b8:
    9a:cd:77:c7:e9:99:f7:53:b6:55:99:b5:71:5d:16:
    14:c1:95:50:a8:0b:74:a7:cf:53:84:51:75:ec:c8:
    92:e4:f1:fc:74:ec:a1:7a:92:ce:d2:c4:b5:5a:99:
    db:5e:13:ac:ce:36:e6:90:41
exponent2:
    00:b0:b9:05:2e:c1:ef:5a:b0:5b:d1:02:eb:32:5c:
    60:7f:fc:c1:de:fb:7b:2f:9e:f5:bf:5f:6b:bd:67:
    19:de:67:a8:0c:24:0f:42:2b:ba:36:79:3f:5f:4e:
    32:1b:1c:6c:b2:58:a6:8e:20:61:33:1d:92:32:d8:
    9f:79:dd:07:7a:b8:5f:8c:7d:cf:f0:c9:db:4e:99:
    1e:3b:25:a5:05:03:4e:2b:56:01:cc:1d:e4:41:eb:
    c5:36:42:8a:0c:1f:af:63:19:e9:78:51:5f:35:ea:
    b0:4a:90:50:8b:2a:e7:7b:19:33:e6:70:28:c0:7d:
    64:36:1b:4b:3f:b4:d2:41:89
coefficient:
    00:8b:58:6a:67:3c:a4:d4:74:e9:d8:99:97:6d:27:
    54:b4:9e:6f:c7:72:24:86:b1:48:e5:00:1b:6a:e4:
    7d:b4:40:f8:43:d8:96:b9:19:d8:9e:44:70:56:c7:
    df:7b:52:62:b6:9d:3b:d7:ed:92:74:5d:1a:d5:29:
    7c:35:10:b2:71:93:26:f9:3e:83:d8:3d:85:39:1b:
    90:af:e2:23:57:b2:9a:84:b7:aa:10:f1:b1:32:d7:
    2e:90:98:36:bc:5b:34:54:c0:ad:18:68:14:6c:35:
    ef:3b:90:f7:41:d9:f7:64:43:32:8e:71:b2:c3:e2:
    03:00:2f:1b:69:72:c3:4e:93
writing RSA key
-----BEGIN RSA PRIVATE KEY-----
MIIEpQIBAAKCAQEAnQUgzCqcuGgX83qHMv7Hev/w18ITRiSSFKsnDG9gv0zP1htC
n6G4uu2Z8X/NzHwK0QpeMQMPT5uzVAoOFLhj3qme4O7sTwCPKsc7HXF6uIYBYvXm
n/tRiCEekcUKSk8vQqnpc2VR6UsG2Qd1eYLysxaEGYJoOygxa01qVCYP9Ew65rAZ
mne35vMrEsrVXt2zBpEsBWS2VLxvs3Jn5Rnoi3KS14KoIbjV7ngRyJqwBgM3Furk
1fjSQeGAEYFfmfoLDpjzod3JvnZhBSElfTncIOHeLCuWCIJzqlBTowg+DRUhV8M2
Qq6/lM4/Up/Xrvhz+vBKzXQ/01CEatS8ZY83vQIDAQABAoIBAB3svkVq0ZdrbzUd
4upbGBVe9b2I5Td2/MgnnjeGen+62dlKNLZLkfM+GRqnasdP1JfmS/E3ThGz8MdR
a0GTqqTi2r6viiW8S4yxj5ia6fKEx3retmdC9FTnSvYpAT8MPEuOKkmtw6Cchd+S
xla0GCD9Z4udCNRNYq26gUssPdom6J4V5UlZQqiJYdK83kjN3n7AGawwpK8yxvzs
F9MwP4gAKXWyPLaeffp38h38yH+CKA0q9KfVnxkvtE3IwWK8+RIw+4YUJOdW4/sG
++GXeF+M70wiNI+8nHp3xv9T4XMA92AcMBjALaBxh6re+TLz3fyctd57uVbOP8Og
BN0Q6UECgYEAypyu2vXzUxD6VUOcgKIKfABo8gDWWJ+TRXpzpMo1CqYL9hs5hGma
8AsLbV99xSLGRzo5T7jCWa1meQOiwV3zmxHUNWS/TgUYXgfO5fsdDM6svfAeMUQB
1cyol2hB6yOu8ueb7pc/5vOEcfphbQvMr2PGp4pw65cwVsSo9YS4CqkCgYEAxmUC
M02Z6jsEtznpe6/9vSPIYHaM9FGEsrGdY5DJrH6jX+e0ClO94XED2kbIldzUahNR
Ac+RFkNB5OBtiTcuPtAq0i40WnLSpm3zIE0KSCWfHavPEgEbUa3aNVc0qRn3kzei
IZFwG/fsYJUlXldP/H6s+AKpo/R6jkWOMMgLZPUCgYEAn8wDfF4Okq0JQsYYYLts
WXBZVMSkSTFSDbIOEyIHw2ZCeM/wBSblM/0B/jkaEKjkiLi7Cs1FO0UvVLIxYyCe
SOc+3v2ehAIwvbiazXfH6Zn3U7ZVmbVxXRYUwZVQqAt0p89ThFF17MiS5PH8dOyh
epLO0sS1WpnbXhOszjbmkEECgYEAsLkFLsHvWrBb0QLrMlxgf/zB3vt7L571v19r
vWcZ3meoDCQPQiu6Nnk/X04yGxxsslimjiBhMx2SMtifed0HerhfjH3P8MnbTpke
OyWlBQNOK1YBzB3kQevFNkKKDB+vYxnpeFFfNeqwSpBQiyrnexkz5nAowH1kNhtL
P7TSQYkCgYEAi1hqZzyk1HTp2JmXbSdUtJ5vx3IkhrFI5QAbauR9tED4Q9iWuRnY
nkRwVsffe1Jitp071+2SdF0a1Sl8NRCycZMm+T6D2D2FORuQr+IjV7KahLeqEPGx
MtcukJg2vFs0VMCtGGgUbDXvO5D3Qdn3ZEMyjnGyw+IDAC8baXLDTpM=
-----END RSA PRIVATE KEY-----

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186

# 生成 CA 证书

权威证书颁发机构签发证书都是要收费的，这里我们生成自己的根证书/CA证书来对上面的 CSR 签发证书。

openssl genrsa -out ca.key 2048
openssl req -new -x509 -days 3650 -key ca.key -out ca.crt

# 也可以合并成如下命令，也就是生成一个 self sign 自签名的证书
openssl req -newkey rsa:2048 -nodes -x509 -days 3650 -keyout ca.key -out ca.crt

1
2
3
4
5

提示

-newkey arg - 创建新的证书请求和新的私钥
-x509 - 生成自签名证书
-days - 指定自签名证书的有效期限
-nodes - 不对私钥文件进行加密
-keyout - 指定生成的私钥文件名称
-out - 指定生成的证书文件名称

这样就生成了 ca.key 和 ca.crt

验证一下证书：

openssl verify ca.crt

点击查看 ca.crt 和 ca.key 文件内容

# 查看 ca.crt 内容
openssl x509 -in ca.crt -text

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 17613397105465249251 (0xf46f5b58ff264de3)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=AU, ST=Some-State, O=Internet Widgits Pty Ltd
        Validity
            Not Before: Feb 22 09:51:34 2023 GMT
            Not After : Feb 19 09:51:34 2033 GMT
        Subject: C=AU, ST=Some-State, O=Internet Widgits Pty Ltd
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:b4:f1:15:98:35:cf:9f:3c:d3:09:b7:3d:42:b4:
                    0b:c0:f1:c8:81:a1:b5:e1:e0:f1:eb:01:ae:ba:82:
                    eb:59:23:c8:a3:ff:26:74:f9:01:97:cf:36:ff:da:
                    9e:61:8a:52:be:49:bc:b1:f3:f8:d4:b4:2d:c4:db:
                    ff:49:22:18:53:c5:bb:3b:6b:ad:a2:03:d0:b0:08:
                    d9:13:9b:3d:66:94:de:ae:c5:3e:11:21:6b:e2:67:
                    cd:18:bf:a7:c2:a6:96:d7:9a:67:ed:a3:6c:5f:ef:
                    0b:d0:f3:45:85:b5:8c:ae:15:e8:05:94:49:c4:9a:
                    78:05:ca:47:88:bf:9a:16:b2:43:ec:ae:e3:cb:c3:
                    42:90:2a:8b:14:ea:6a:5d:4f:d5:2f:2b:d3:d0:3f:
                    ed:b7:dd:f6:29:37:c7:56:fd:e0:a3:c9:6e:ef:af:
                    29:a0:a2:a2:18:f8:83:5f:7c:93:74:02:d9:88:d4:
                    d6:71:7b:e2:6b:06:8f:2d:6d:25:b2:eb:be:57:43:
                    f0:53:d8:59:4d:29:27:27:6b:8d:59:1b:24:5d:c1:
                    31:fb:72:b1:50:ed:aa:d2:dc:d9:23:55:79:1a:02:
                    99:df:08:a2:b2:3e:9e:91:aa:28:2b:90:97:b6:0e:
                    0f:a4:de:7d:ad:bf:82:f7:b2:b4:f1:b8:67:c4:08:
                    d0:67
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                62:C8:5B:99:4D:1B:8E:B8:BD:24:3D:47:C4:03:BE:9F:BF:4F:18:1D
            X509v3 Authority Key Identifier: 
                keyid:62:C8:5B:99:4D:1B:8E:B8:BD:24:3D:47:C4:03:BE:9F:BF:4F:18:1D

            X509v3 Basic Constraints: 
                CA:TRUE
    Signature Algorithm: sha256WithRSAEncryption
         a5:9b:29:39:86:33:05:87:90:1b:93:e6:8a:b6:a8:ea:0f:11:
         23:62:88:34:eb:ef:99:43:93:5c:8f:45:9a:08:a6:6c:89:a7:
         aa:bc:c1:d3:82:5c:d7:75:a4:d9:3b:15:45:cf:42:10:e2:89:
         68:24:99:91:a7:37:55:56:bb:38:3a:46:7d:21:c1:3e:52:d8:
         85:81:d4:14:e6:65:ed:3a:cb:b1:a6:85:41:a2:76:bc:ce:a4:
         43:86:65:37:fa:f2:c9:fa:68:a1:05:75:a3:80:95:de:5a:f8:
         c2:31:66:38:c3:60:7d:f0:ee:d7:95:a8:09:6e:77:d0:7e:1e:
         f5:9f:45:72:e1:ce:75:63:23:72:62:50:9e:de:4c:0f:4d:05:
         c6:dd:9c:3d:eb:a4:01:6a:0f:f3:ad:88:24:0d:99:c0:98:3d:
         a5:86:46:ac:12:89:41:46:a4:0b:07:7a:01:e7:be:5e:82:b1:
         01:cd:09:30:b3:97:73:d9:37:3a:9c:43:8e:b2:47:91:23:ea:
         74:10:4b:ba:76:84:eb:50:52:50:0f:56:8e:da:9d:61:ad:a0:
         8f:58:65:90:09:06:2a:19:17:26:97:f6:ae:e8:56:1b:e3:f8:
         29:73:42:e9:01:ad:49:4a:2e:a6:1c:cf:6b:59:7e:b2:d2:27:
         23:b1:86:bc
-----BEGIN CERTIFICATE-----
MIIDXTCCAkWgAwIBAgIJAPRvW1j/Jk3jMA0GCSqGSIb3DQEBCwUAMEUxCzAJBgNV
BAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBX
aWRnaXRzIFB0eSBMdGQwHhcNMjMwMjIyMDk1MTM0WhcNMzMwMjE5MDk1MTM0WjBF
MQswCQYDVQQGEwJBVTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50
ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
CgKCAQEAtPEVmDXPnzzTCbc9QrQLwPHIgaG14eDx6wGuuoLrWSPIo/8mdPkBl882
/9qeYYpSvkm8sfP41LQtxNv/SSIYU8W7O2utogPQsAjZE5s9ZpTersU+ESFr4mfN
GL+nwqaW15pn7aNsX+8L0PNFhbWMrhXoBZRJxJp4BcpHiL+aFrJD7K7jy8NCkCqL
FOpqXU/VLyvT0D/tt932KTfHVv3go8lu768poKKiGPiDX3yTdALZiNTWcXviawaP
LW0lsuu+V0PwU9hZTSknJ2uNWRskXcEx+3KxUO2q0tzZI1V5GgKZ3wiisj6ekaoo
K5CXtg4PpN59rb+C97K08bhnxAjQZwIDAQABo1AwTjAdBgNVHQ4EFgQUYshbmU0b
jri9JD1HxAO+n79PGB0wHwYDVR0jBBgwFoAUYshbmU0bjri9JD1HxAO+n79PGB0w
DAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEApZspOYYzBYeQG5Pmirao
6g8RI2KINOvvmUOTXI9FmgimbImnqrzB04Jc13Wk2TsVRc9CEOKJaCSZkac3VVa7
ODpGfSHBPlLYhYHUFOZl7TrLsaaFQaJ2vM6kQ4ZlN/ryyfpooQV1o4CV3lr4wjFm
OMNgffDu15WoCW530H4e9Z9FcuHOdWMjcmJQnt5MD00Fxt2cPeukAWoP862IJA2Z
wJg9pYZGrBKJQUakCwd6Aee+XoKxAc0JMLOXc9k3OpxDjrJHkSPqdBBLunaE61BS
UA9WjtqdYa2gj1hlkAkGKhkXJpf2ruhWG+P4KXNC6QGtSUouphzPa1l+stInI7GG
vA==
-----END CERTIFICATE-----

# 查看 ca.key 内容
openssl rsa -in ca.key -text

Private-Key: (2048 bit)
modulus:
    00:b4:f1:15:98:35:cf:9f:3c:d3:09:b7:3d:42:b4:
    0b:c0:f1:c8:81:a1:b5:e1:e0:f1:eb:01:ae:ba:82:
    eb:59:23:c8:a3:ff:26:74:f9:01:97:cf:36:ff:da:
    9e:61:8a:52:be:49:bc:b1:f3:f8:d4:b4:2d:c4:db:
    ff:49:22:18:53:c5:bb:3b:6b:ad:a2:03:d0:b0:08:
    d9:13:9b:3d:66:94:de:ae:c5:3e:11:21:6b:e2:67:
    cd:18:bf:a7:c2:a6:96:d7:9a:67:ed:a3:6c:5f:ef:
    0b:d0:f3:45:85:b5:8c:ae:15:e8:05:94:49:c4:9a:
    78:05:ca:47:88:bf:9a:16:b2:43:ec:ae:e3:cb:c3:
    42:90:2a:8b:14:ea:6a:5d:4f:d5:2f:2b:d3:d0:3f:
    ed:b7:dd:f6:29:37:c7:56:fd:e0:a3:c9:6e:ef:af:
    29:a0:a2:a2:18:f8:83:5f:7c:93:74:02:d9:88:d4:
    d6:71:7b:e2:6b:06:8f:2d:6d:25:b2:eb:be:57:43:
    f0:53:d8:59:4d:29:27:27:6b:8d:59:1b:24:5d:c1:
    31:fb:72:b1:50:ed:aa:d2:dc:d9:23:55:79:1a:02:
    99:df:08:a2:b2:3e:9e:91:aa:28:2b:90:97:b6:0e:
    0f:a4:de:7d:ad:bf:82:f7:b2:b4:f1:b8:67:c4:08:
    d0:67
publicExponent: 65537 (0x10001)
privateExponent:
    00:9a:33:16:af:27:b4:af:c4:db:28:dd:83:14:94:
    71:ab:d5:a1:85:6f:f5:9b:f0:e2:d9:df:0e:34:1e:
    9c:48:d4:29:0a:31:c8:69:49:47:e5:43:0f:61:0d:
    c3:89:e6:a2:cb:4d:f5:c4:45:e1:9a:0b:8f:31:c4:
    36:93:f1:bd:7f:ae:f3:f8:18:b4:d9:6c:9c:ed:58:
    2c:fe:fb:7e:61:2c:9f:75:9b:dc:60:26:f6:54:f5:
    17:21:6f:3b:9d:b3:f0:ba:fe:f8:70:d9:a3:e3:41:
    c9:f5:21:4c:ef:3d:20:0d:bf:d7:82:e1:b3:d8:1b:
    b8:0b:5f:2e:85:48:9c:1d:98:11:5a:9b:24:e0:40:
    3a:64:b3:77:5c:92:66:56:28:ff:be:15:5d:4d:a1:
    9f:48:50:d7:fd:2b:e9:86:c6:e8:07:d3:50:09:03:
    43:19:9e:67:e8:b4:d9:05:af:2a:09:b2:19:8e:5e:
    28:fd:3e:59:1d:06:76:c1:9c:b7:b4:d6:ed:35:ac:
    96:98:55:28:d4:d5:4f:87:54:6b:c1:9e:3a:95:c5:
    84:45:84:19:3f:a0:8b:a8:73:aa:c2:aa:9e:f6:31:
    a6:03:bf:cb:e0:a3:cc:c7:a9:b1:d3:6c:fe:b0:16:
    bf:26:3b:c6:4d:1e:72:38:e9:3c:6e:2b:3e:b1:c3:
    c2:e9
prime1:
    00:d8:00:16:d0:33:a1:d7:56:d2:82:36:85:6d:87:
    ee:0a:e6:a2:8c:c6:a1:7e:bf:f4:54:51:d6:75:dc:
    da:5b:75:9b:54:eb:f9:f6:9d:d1:ba:77:31:91:79:
    38:22:0d:2d:67:99:ee:75:d7:c9:72:1b:fe:98:c8:
    8f:d6:aa:48:08:28:bb:74:38:93:a3:55:19:62:2f:
    76:2f:ce:a8:12:6f:09:6c:56:94:a3:0c:8d:8d:77:
    18:ef:3e:3d:98:46:be:eb:39:9f:15:73:d1:0a:72:
    70:c5:55:6b:3f:02:36:d7:ce:c7:12:e5:b4:d9:bd:
    e0:c2:33:c4:ca:44:d6:4e:73
prime2:
    00:d6:72:f9:76:6c:af:bc:c7:df:50:c0:e7:8f:cf:
    38:56:18:e5:ec:ad:0f:e5:9b:4c:c7:77:dd:f6:4f:
    6c:06:5e:fe:7d:fd:b2:83:42:fa:d8:de:19:46:f8:
    17:9b:73:d7:6a:33:fc:50:1c:79:b6:f7:d9:11:83:
    d4:4b:bd:7a:99:d4:4d:03:ff:61:fc:55:0d:b3:56:
    47:cf:86:b5:96:30:39:ff:48:6e:ad:e8:25:0b:51:
    3c:36:e8:4c:d0:f2:cc:03:11:f1:b9:48:04:b9:ec:
    f2:e4:6c:97:25:f0:40:39:28:0e:62:8a:61:1a:1f:
    9b:dd:4d:72:b3:8f:f8:a5:3d
exponent1:
    00:c9:e6:93:6c:7b:c6:bc:ad:68:49:d4:c2:b5:96:
    48:78:a2:0a:b1:01:fd:f4:a7:62:af:ea:6b:47:72:
    70:1c:eb:7a:8d:4f:a2:2f:d6:67:33:1f:b5:12:a0:
    b7:4a:84:fc:bb:09:54:af:8c:4b:bd:40:d3:a3:66:
    5d:a5:2f:37:f3:80:77:6f:f4:6e:74:4e:d8:52:41:
    c0:fc:80:f3:f3:7f:1c:d4:ca:bd:57:07:25:cd:64:
    d4:c6:d4:6b:e8:c9:c0:2d:c9:87:9d:1a:cb:fc:32:
    ea:9c:59:f2:cc:4b:ba:8d:d0:b7:9e:3f:5e:e3:e5:
    2b:90:fb:a8:e7:d4:9e:69:67
exponent2:
    00:cf:6c:7a:3a:bf:b9:e3:e1:77:f1:46:05:34:a6:
    7c:99:5a:8f:da:b3:32:73:26:19:c7:bd:fb:65:a9:
    40:95:91:00:9b:a0:ee:2f:e4:73:79:9c:a9:da:69:
    51:7c:3d:3a:19:31:9b:55:69:95:99:12:76:55:68:
    ab:c9:6e:c6:cd:4f:fa:06:69:d8:bf:17:0d:9f:6f:
    4f:1a:3d:f4:1a:07:1f:b1:fa:bf:83:5a:cd:a9:fa:
    b3:41:70:c4:0c:3f:2c:71:b3:c3:99:31:3d:d1:10:
    8d:87:c0:39:1a:ab:1d:93:ab:58:ee:9b:66:7c:bc:
    22:28:96:26:e1:e3:d9:df:09
coefficient:
    71:03:7f:9d:fc:45:53:c2:36:f0:5e:8a:ee:a1:d9:
    d0:8c:2a:49:ed:e6:dc:ba:ec:0e:7d:22:c6:97:ff:
    70:fc:2a:f6:06:f9:b1:95:5e:f9:7b:56:66:e1:59:
    f5:08:a5:d4:3f:5c:4c:bf:57:76:6e:2f:70:c8:c3:
    4d:43:df:9c:3a:e2:24:01:3f:58:1f:b3:d5:77:8f:
    4c:5d:dd:63:18:9b:3d:96:f3:ee:c4:6f:95:48:75:
    c8:0d:12:d8:9b:8b:85:31:88:86:f0:40:ee:eb:98:
    fa:14:c6:f5:44:99:17:4d:a9:85:8a:6c:24:ef:41:
    7d:86:c5:ed:33:c5:83:07
writing RSA key
-----BEGIN RSA PRIVATE KEY-----
MIIEpQIBAAKCAQEAtPEVmDXPnzzTCbc9QrQLwPHIgaG14eDx6wGuuoLrWSPIo/8m
dPkBl882/9qeYYpSvkm8sfP41LQtxNv/SSIYU8W7O2utogPQsAjZE5s9ZpTersU+
ESFr4mfNGL+nwqaW15pn7aNsX+8L0PNFhbWMrhXoBZRJxJp4BcpHiL+aFrJD7K7j
y8NCkCqLFOpqXU/VLyvT0D/tt932KTfHVv3go8lu768poKKiGPiDX3yTdALZiNTW
cXviawaPLW0lsuu+V0PwU9hZTSknJ2uNWRskXcEx+3KxUO2q0tzZI1V5GgKZ3wii
sj6ekaooK5CXtg4PpN59rb+C97K08bhnxAjQZwIDAQABAoIBAQCaMxavJ7SvxNso
3YMUlHGr1aGFb/Wb8OLZ3w40HpxI1CkKMchpSUflQw9hDcOJ5qLLTfXEReGaC48x
xDaT8b1/rvP4GLTZbJztWCz++35hLJ91m9xgJvZU9Rchbzuds/C6/vhw2aPjQcn1
IUzvPSANv9eC4bPYG7gLXy6FSJwdmBFamyTgQDpks3dckmZWKP++FV1NoZ9IUNf9
K+mGxugH01AJA0MZnmfotNkFryoJshmOXij9PlkdBnbBnLe01u01rJaYVSjU1U+H
VGvBnjqVxYRFhBk/oIuoc6rCqp72MaYDv8vgo8zHqbHTbP6wFr8mO8ZNHnI46Txu
Kz6xw8LpAoGBANgAFtAzoddW0oI2hW2H7grmoozGoX6/9FRR1nXc2lt1m1Tr+fad
0bp3MZF5OCINLWeZ7nXXyXIb/pjIj9aqSAgou3Q4k6NVGWIvdi/OqBJvCWxWlKMM
jY13GO8+PZhGvus5nxVz0QpycMVVaz8CNtfOxxLltNm94MIzxMpE1k5zAoGBANZy
+XZsr7zH31DA54/POFYY5eytD+WbTMd33fZPbAZe/n39soNC+tjeGUb4F5tz12oz
/FAcebb32RGD1Eu9epnUTQP/YfxVDbNWR8+GtZYwOf9Ibq3oJQtRPDboTNDyzAMR
8blIBLns8uRslyXwQDkoDmKKYRofm91NcrOP+KU9AoGBAMnmk2x7xrytaEnUwrWW
SHiiCrEB/fSnYq/qa0dycBzreo1Poi/WZzMftRKgt0qE/LsJVK+MS71A06NmXaUv
N/OAd2/0bnRO2FJBwPyA8/N/HNTKvVcHJc1k1MbUa+jJwC3Jh50ay/wy6pxZ8sxL
uo3Qt54/XuPlK5D7qOfUnmlnAoGBAM9sejq/uePhd/FGBTSmfJlaj9qzMnMmGce9
+2WpQJWRAJug7i/kc3mcqdppUXw9Ohkxm1VplZkSdlVoq8luxs1P+gZp2L8XDZ9v
Txo99BoHH7H6v4Nazan6s0FwxAw/LHGzw5kxPdEQjYfAORqrHZOrWO6bZny8IiiW
JuHj2d8JAoGAcQN/nfxFU8I28F6K7qHZ0IwqSe3m3LrsDn0ixpf/cPwq9gb5sZVe
+XtWZuFZ9Qil1D9cTL9Xdm4vcMjDTUPfnDriJAE/WB+z1XePTF3dYxibPZbz7sRv
lUh1yA0S2JuLhTGIhvBA7uuY+hTG9USZF02phYpsJO9BfYbF7TPFgwc=
-----END RSA PRIVATE KEY-----

# 生成证书

使用上面生成的 CA 证书及私钥来对一开始的 CSR 签发证书

openssl x509 -req -sha256 -days 3650 -in myrsa.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out myrsa.crt

验证一下证书：

openssl verify -CAfile ca.crt myrsa.crt

提示

-CAcreateserial - 使用此选项和 -CA 选项，如果 CA 序列号文件不存在，将创建该文件 ca.srl，并生成一个随机数，用于该证书。

点击查看 myrsa.crt 文件内容

# 查看 myrsa.crt 内容
openssl x509 -in myrsa.crt -text

Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: 12923694340142719469 (0xb35a2f8799eee1ed)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=AU, ST=Some-State, O=Internet Widgits Pty Ltd
        Validity
            Not Before: Feb 23 01:45:11 2023 GMT
            Not After : Feb 20 01:45:11 2033 GMT
        Subject: C=AU, ST=Some-State, O=Internet Widgits Pty Ltd
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:9d:05:20:cc:2a:9c:b8:68:17:f3:7a:87:32:fe:
                    c7:7a:ff:f0:d7:c2:13:46:24:92:14:ab:27:0c:6f:
                    60:bf:4c:cf:d6:1b:42:9f:a1:b8:ba:ed:99:f1:7f:
                    cd:cc:7c:0a:d1:0a:5e:31:03:0f:4f:9b:b3:54:0a:
                    0e:14:b8:63:de:a9:9e:e0:ee:ec:4f:00:8f:2a:c7:
                    3b:1d:71:7a:b8:86:01:62:f5:e6:9f:fb:51:88:21:
                    1e:91:c5:0a:4a:4f:2f:42:a9:e9:73:65:51:e9:4b:
                    06:d9:07:75:79:82:f2:b3:16:84:19:82:68:3b:28:
                    31:6b:4d:6a:54:26:0f:f4:4c:3a:e6:b0:19:9a:77:
                    b7:e6:f3:2b:12:ca:d5:5e:dd:b3:06:91:2c:05:64:
                    b6:54:bc:6f:b3:72:67:e5:19:e8:8b:72:92:d7:82:
                    a8:21:b8:d5:ee:78:11:c8:9a:b0:06:03:37:16:ea:
                    e4:d5:f8:d2:41:e1:80:11:81:5f:99:fa:0b:0e:98:
                    f3:a1:dd:c9:be:76:61:05:21:25:7d:39:dc:20:e1:
                    de:2c:2b:96:08:82:73:aa:50:53:a3:08:3e:0d:15:
                    21:57:c3:36:42:ae:bf:94:ce:3f:52:9f:d7:ae:f8:
                    73:fa:f0:4a:cd:74:3f:d3:50:84:6a:d4:bc:65:8f:
                    37:bd
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha256WithRSAEncryption
         33:36:c1:1b:1a:bb:3d:2c:6e:9f:ce:a0:28:4f:82:c4:6f:75:
         f9:31:08:ec:92:6a:fa:1e:e2:48:be:93:c1:77:33:51:a0:4b:
         af:9d:49:0a:bd:c6:4a:e6:79:42:e5:5c:4c:4e:4d:c0:cc:fd:
         11:74:a8:5e:96:ad:dc:93:a4:c3:9f:78:58:c9:e1:44:68:8f:
         62:88:25:c4:6b:5a:d4:d5:c8:d1:09:b7:97:4c:ed:22:61:c7:
         91:f8:3b:80:d2:89:a1:ff:b0:27:b8:20:ef:f2:79:92:5e:8c:
         47:4c:82:fb:0b:e4:ea:70:a4:f5:25:5c:7f:04:6d:8d:dc:fc:
         90:44:a3:07:77:fb:17:c4:38:c4:a6:15:b5:eb:65:32:44:3e:
         5f:c7:b8:0a:a0:e8:55:75:92:56:7c:43:d9:ca:74:33:ba:5b:
         5a:85:67:49:bd:12:15:00:71:75:14:f1:04:3c:ea:df:97:15:
         c9:7b:a7:6e:f2:61:a6:b4:57:fc:7c:0c:bc:f7:e7:af:21:be:
         d2:58:fd:6d:ad:33:ae:82:bf:50:76:a4:66:23:b4:e9:c8:90:
         de:33:35:4e:b3:04:ef:2f:5e:3b:f7:d9:72:c5:45:28:3f:64:
         95:ed:b4:63:e0:51:6e:c4:bb:53:95:e6:58:b9:3d:78:0b:2f:
         14:6a:60:f9
-----BEGIN CERTIFICATE-----
MIIDBjCCAe4CCQCzWi+Hme7h7TANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJB
VTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50ZXJuZXQgV2lkZ2l0
cyBQdHkgTHRkMB4XDTIzMDIyMzAxNDUxMVoXDTMzMDIyMDAxNDUxMVowRTELMAkG
A1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGEludGVybmV0
IFdpZGdpdHMgUHR5IEx0ZDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
AJ0FIMwqnLhoF/N6hzL+x3r/8NfCE0YkkhSrJwxvYL9Mz9YbQp+huLrtmfF/zcx8
CtEKXjEDD0+bs1QKDhS4Y96pnuDu7E8AjyrHOx1xeriGAWL15p/7UYghHpHFCkpP
L0Kp6XNlUelLBtkHdXmC8rMWhBmCaDsoMWtNalQmD/RMOuawGZp3t+bzKxLK1V7d
swaRLAVktlS8b7NyZ+UZ6ItykteCqCG41e54EciasAYDNxbq5NX40kHhgBGBX5n6
Cw6Y86Hdyb52YQUhJX053CDh3iwrlgiCc6pQU6MIPg0VIVfDNkKuv5TOP1Kf1674
c/rwSs10P9NQhGrUvGWPN70CAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAMzbBGxq7
PSxun86gKE+CxG91+TEI7JJq+h7iSL6TwXczUaBLr51JCr3GSuZ5QuVcTE5NwMz9
EXSoXpat3JOkw594WMnhRGiPYoglxGta1NXI0Qm3l0ztImHHkfg7gNKJof+wJ7gg
7/J5kl6MR0yC+wvk6nCk9SVcfwRtjdz8kESjB3f7F8Q4xKYVtetlMkQ+X8e4CqDo
VXWSVnxD2cp0M7pbWoVnSb0SFQBxdRTxBDzq35cVyXunbvJhprRX/HwMvPfnryG+
0lj9ba0zroK/UHakZiO06ciQ3jM1TrME7y9eO/fZcsVFKD9kle20Y+BRbsS7U5Xm
WLk9eAsvFGpg+Q==
-----END CERTIFICATE-----

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71

# 生成 pfx

将 myrsa.crt 和 myrsa.key 合并生成 myrsa.pfx 文件

openssl pkcs12 -export -out myrsa.pfx -inkey myrsa.key -in myrsa.crt -certfile ca.crt
# 提示输入密码，这里我们使用 123456

1
2

-certfile ca.crt ca 证书也可以不带进去

pfx 一般带密码，因为私钥也在里面，如果不带可以加 -nodes

# 写成脚本

#!/bin/bash

# 设置变量
NAME_CA=ca
NAME=myrsa
RSA_BITS=2048
DAYS=3650
PWD_PFX=123456

#red color
echo -e "\033[31m1. 生成CA证书及私钥:"
#back to normal  -n no new line
echo -e -n "\033[0m" 
# 生成 CA 证书及私钥
openssl genrsa -out ${NAME_CA}.key ${RSA_BITS}
openssl req -new -x509 -days ${DAYS} -key ${NAME_CA}.key -out ${NAME_CA}.crt
# 或者
# openssl req -newkey rsa:${RSA_BITS} -nodes -x509 -days ${DAYS} -keyout ${NAME_CA}.key -out ${NAME_CA}.crt

echo ""
#red color
echo -e "\033[31m2. 生成RSA密钥对及CSR:"
#back to normal  -n no new line
echo -e -n "\033[0m" 
# 生成 RSA 密钥对及 CSR
openssl genrsa -out ${NAME}.key ${RSA_BITS}
openssl req -new -key ${NAME}.key -out ${NAME}.csr
# 或者
# openssl req -newkey rsa:${RSA_BITS} -nodes -keyout ${NAME}.key -out ${NAME}.csr

echo ""
#red color
echo -e "\033[31m3. 签发RSA证书:"
#back to normal  -n no new line
echo -e -n "\033[0m" 
# 签发 RSA 证书
openssl x509 -req -sha256 -days ${DAYS} -in ${NAME}.csr -CA ${NAME_CA}.crt -CAkey ${NAME_CA}.key -CAcreateserial -out ${NAME}.crt

echo ""
#red color
echo -e "\033[31m4. 生成pfx证书:"
#back to normal  -n no new line
echo -e -n "\033[0m" 
# 生成 pfx 证书
openssl pkcs12 -export -passout pass:${PWD_PFX} -out ${NAME}.pfx -inkey ${NAME}.key -in ${NAME}.crt -certfile ${NAME_CA}.crt

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45

# ECC 证书签发

跟上面 RSA 证书的签发差不多，将 rsa 换成 ec 即可

# 生成 ECC CA证书及私钥
openssl ecparam -name secp256k1 -genkey -noout -out ecc_ca.key 
openssl req -new -x509 -days 3650 -key ecc_ca.key -out ecc_ca.crt

# 生成 secp256k1 椭圆曲线算法的 ECC 私钥及CSR
openssl ecparam -name secp256k1 -genkey -noout -out ecc_secp256k1.key
openssl req -new -key ecc_secp256k1.key -out ecc_secp256k1.csr

# 签发 ECC 证书
openssl x509 -req -sha256 -days 3650 -in ecc_secp256k1.csr -CA ecc_ca.crt -CAkey ecc_ca.key -CAcreateserial -out ecc_secp256k1.crt

# 生成 pfx
openssl pkcs12 -export -out ecc_secp256k1.pfx -inkey ecc_secp256k1.key -in ecc_secp256k1.crt -certfile ecc_ca.crt

1
2
3
4
5
6
7
8
9
10
11
12
13

# 从 pfx 文件中提取证书，公私钥文件

# 方法一

pfx 转 PEM

openssl pkcs12 -in myrsa.pfx -nodes -out myrsa.pem -passin pass:123456

转换成 pem 格式，直接用记事本打开查看，可以看到就是将 myrsa.crt ca.crt myrsa.key 合并在一起

点击查看 myrsa.pem 文件内容

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68

提取证书

openssl x509 -in myrsa.pem -out myrsa.crt

提取私钥

openssl rsa -in myrsa.pem -out myrsa.key

从私钥文件中提取公钥

openssl rsa -in myrsa.key -pubout -out myrsa_pub.key

-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnQUgzCqcuGgX83qHMv7H
ev/w18ITRiSSFKsnDG9gv0zP1htCn6G4uu2Z8X/NzHwK0QpeMQMPT5uzVAoOFLhj
3qme4O7sTwCPKsc7HXF6uIYBYvXmn/tRiCEekcUKSk8vQqnpc2VR6UsG2Qd1eYLy
sxaEGYJoOygxa01qVCYP9Ew65rAZmne35vMrEsrVXt2zBpEsBWS2VLxvs3Jn5Rno
i3KS14KoIbjV7ngRyJqwBgM3Furk1fjSQeGAEYFfmfoLDpjzod3JvnZhBSElfTnc
IOHeLCuWCIJzqlBTowg+DRUhV8M2Qq6/lM4/Up/Xrvhz+vBKzXQ/01CEatS8ZY83
vQIDAQAB
-----END PUBLIC KEY-----

1
2
3
4
5
6
7
8
9
10
11

# 方法二

从 pfx 中提取证书

openssl pkcs12 -in myrsa.pfx -clcerts -nokeys -out myrsa.crt -passin pass:123456

从 pfx 中提取私钥

openssl pkcs12 -in myrsa.pfx -nocerts -nodes -out myrsa.key -passin pass:123456

从私钥文件中提取公钥

openssl rsa -in myrsa.key -pubout -out myrsa_pub.key

提示

ECC 证书也一样，将上面的 rsa 换成 ec 即可

# 知识补充

# openssl.cnf

许多命令使用外部配置文件作为部分或全部参数，并使用 -config 选项指定该文件。

环境变量 OPENSSL_COFF 可用于指定文件的位置。

如果未指定环境变量，则该文件在默认证书存储区域中命名为 openssl.cnf，其值取决于构建 openssl 时指定的配置标志。

# PEM 格式文件解析

这里以上面的 myrsa.key 为例子

点击查看 myrsa.key 文件内容

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27

对私钥进行 base64 解码，只需要中间数据

base64在线解码 (opens new window)

base64

解码完是通过 ASN1 编码的 二进制 数据（这是只是将其显示成十六进制字符，方便查看），对该数据进行解析

ASN.1 JavaScript decoder (opens new window)

asn1

提示

也可以使用 openssl 的 asn1parse 分析

openssl asn1parse -in myrsa.key

# 参考资料

编辑此页

#证书 #X509 #PEM #DER #PFX

上次更新: 2023/02/24, 13:49:38

← ASN1概述及数据类型详解 Mac下openssl升级→