openssl常用命令行汇总

不羁岁月 提交于 2019-12-29 22:40:14

openssl常用命令行汇总

随机数

openssl rand -out rand.dat -base64 32

摘要

  • 直接做摘要

openssl dgst -sha1 -out dgst.dat plain.txt

  • 先做摘要,然后对摘要进行签名/验签

    • 签名摘要

      openssl dgst -sha1 -sign priv.key -out sig.dat plain.txt

    • 验签摘要

      openssl dgst -sha1 -verify pub.key -signature sig.dat plain.txt

对称加密

  • 块加密

    • 加密

    openssl enc -sm4 -K "0123456789abcdeffedcba9876543210" -iv "12345678123456781234567812345678" -e -in plain.txt -out encrypted.dat

    • 解密

    openssl enc -sm4 -K "0123456789abcdeffedcba9876543210" -iv "12345678123456781234567812345678" -d -in encrypted.dat -out decrypted.dat

  • 流加密

    • 加密

      openssl enc -rc4 -a -K 0000000000000000 -in plain.dat -out encrypted.dat

    • 解密

      openssl enc -d -rc4 -a -K 0000000000000000 -in encrypted.dat -out decrypted.dat

证书请求

  • 生成证书请求

    • 交互式,需要手动输入一些证书项,如CN,email等

      openssl req -key mysite.key -new -out mysite.req -sha1 -utf8
      openssl req -key mysite.key -passin pass:123456 -new -out mysite.req -sha1 -utf8 (私钥带密码的情况)

    • 非交互式,事先编辑好一个配置文件xxx.cnf

      • 不需要扩展项

        [ req ]
        distinguished_name        = req_distinguished_name
        prompt                    = no
        string_mask = utf8only
        #default, pkix, utf8only, nombstr
        
        [ req_distinguished_name ]
        C                         = CN
        ST                        = SH
        L                         = Shanghai
        O                         = AwesomeCompany
        OU                        = SSL Group
        CN                        = RSA_USER
        emailAddress              = rsa@user.com
      • 证书需要多个CN或OU的情况

        [ req ]
         distinguished_name     = req_distinguished_name
         prompt                 = no
         string_mask = utf8only
        #default, pkix, utf8only, nombstr
        
         [ req_distinguished_name ]
         C                      = CN
         ST                     = SH
         L                      = Shanghai
         O                      = AwesomeCompany
         1.OU                     = Dept.DEV
         2.OU                     = SSL Group
         1.CN                     = mytest
         2.CN                     = mysite
         emailAddress            = ssl@test.com
      • 需要带扩展项

        [ req ]
        distinguished_name        = req_distinguished_name
        prompt                    = no
        req_extensions            = v3_req
        string_mask = utf8only
        #default, pkix, utf8only, nombstr
        
        [ req_distinguished_name ]
        C                         = CN
        ST                        = SH
        L                         = Shanghai
        O                         = AwesomeCompany
        OU                        = SSL Group
        CN                        = RSA_USER
        emailAddress              = rsa@user.com
        
        [ v3_req ]
        basicConstraints          = CA:FALSE
        keyUsage                  = nonRepudiation, digitalSignature, keyEncipherment
        subjectAltName          = @alt_names
        
        [alt_names]
        email   = ssl@test.cn
        URI     = http://www.test.com/
        DNS.1   = *.test.cn
        DNS.2   = www.test.com.cn
        DNS.3   = www.test.com.cn:8443
        DNS.4   = 192.168.190.7:8443
        RID     = 1.2.4.6
        IP      = 192.168.1.8
        
        dirName = mydir
        
        [ mydir ]
        CN    = aaa
        O     = bbb

      openssl req -new -config test.cnf -key mysite.key -out mysite.req -sha1 -utf8

      openssl req -new -config test.cnf -key mysite.key -passin pass:123456 -out mysite.req -sha1 -utf8 (私钥带密码的情况)

  • 验证请求

    openssl req -verify -in mysite.req -noout

  • 解析请求

    openssl req -in mysite.req -text

签发证书

  • CA根证书

    openssl x509 -req -days 3650 -in rootca.req -signkey rootca.key -out rootca.pem -passin pass:xxxx(私钥带密码的情况) -CAcreateserial

  • 用户证书

    openssl x509 -req -in user.req -CA rootca.pem -CAkey rootca.key -out user.pem -passin pass:12345678 v3_req -CAcreateserial -days 3650

  • 生成v3证书,需要加配置文件指定扩展项

    -extfile xxx.conf -extensions v3_req

其他证书操作

  • 证书解析

    openssl x509 -in mysite.pem -noout -text

  • 证书转请求

    -x509toreq

  • 克隆包含相同扩展项的证书

    openssl x509 -certupdate -force_pubkey test.pub -in test.pem -CA DemoCA.pem -CAkey DemoCA.key -out test.pem.new -days 9999

  • 检查证书用途

    $ openssl x509 -purpose -noout -in chen.pem
      Certificate purposes:
      SSL client : Yes
      SSL client CA : No
      SSL server : Yes
      SSL server CA : No
      Netscape SSL server : Yes
      Netscape SSL server CA : No
      S/MIME signing : Yes
      S/MIME signing CA : No
      S/MIME encryption : Yes
      S/MIME encryption CA : No
      CRL signing : Yes
      CRL signing CA : No
      Any Purpose : Yes
      Any Purpose CA : Yes
      OCSP helper : Yes
      OCSP helper CA : No
      Time Stamp signing : No
      Time Stamp signing CA : No

验证证书链

openssl verify -CAfile testca.pem mysite.pem

完整返回OK,不完整返回类似error 2 at 1 depth lookup:unable to get issuer certificate

  • 多级CA或多个证书链

    mkdir ca
    cp ca-*.pem ca/   # 将所有CA证书复制到一个单独的目录
    c_rehash ca       # 创建所有CA证书的索引(基于DN项的lhash,此命令也是openssl自带的)
    openssl verify -CApath ca mysite.pem

非对称加密

  • 签名

    openssl pkeyutl -sign -inkey rsa.key -in rsa.dat -out sign.dat

  • 验签

    openssl pkeyutl -verify -certin -inkey rsa.pem -in rsa.dat -sigfile sign.dat

    openssl pkeyutl -verify -inkey rsa.key -in rsa.dat -sigfile sign.dat

  • 加密

    openssl pkeyutl -encrypt -inkey rsa.key -in rsa.dat -out enc.dat

  • 解密

    openssl pkeyutl -decrypt -inkey rsa.key -in enc.dat -out source.dat

pkcs7

  • 签名

    openssl smime -sign -in short.dat -signer rsa.pem -inkey rsa.key -out rsa.sig -outform PEM -nodetach -binary -md sha256

  • 验签

    openssl smime -verify -CAfile rsa-ca.pem -signer rsa.pem -in rsa.sig -inform PEM -noverify -content short.dat -binary

  • 加密

    openssl smime -encrypt -sha1 -in long.dat -outform PEM -out rsa.env -binary rsa.pem

  • 解密

    openssl smime -decrypt -in rsa.env -out rsa.plain -inkey rsa.key -inform PEM -binary

密钥操作

  • 生成密钥

    • genrsa

      openssl genrsa -out rsa.key 2048(私钥不带密码)

      openssl genrsa -out rsa.key -aes256 -passout pass:123456 2048(私钥带密码)

    • ecparam

      openssl ecparam -name CN-GM-ECC -out sm2.param

      openssl ecparam -in sm2.param -out sm2.key -genkey -noout

    • genpkey

      openssl genpkey -algorithm RSA -out rsa.key -pkeyopt rsa_keygen_bits:2048

      openssl genpkey -parafile sm2.param -out sm2.key

      ``

  • 不带密码的私钥==>带密码的私钥

    openssl rsa -in rsa.key -out xxx.key -aes256 -passout pass:123456

    openssl ec -in sm2.key -out xxx.key -sm4 -passout pass:123456

  • 带密码的私钥==>不带密码的私钥

    openssl rsa -in xxx.key -passin pass:123456 -out yyy.key

    openssl ec -in xxx.key -passin pass:123456 -out yyy.key

  • pkey加解密私钥

    openssl pkey -in rsa.key -out rsa_enc.key -des3 -passout pass:1234

    openssl pkey -in rsa_enc.key -out rsa.key -passin pass:1234

  • 从密钥对提取公钥

    openssl rsa -in chen.key -pubout -out chen_pub.key

格式转换

  • PEM私钥转PKCS#8

    openssl pkcs8 -topk8 -in mysite.key -out mysite.pk8 -outform PEM

  • PKCS#8转PEM

    openssl rsa -in mysite.pk8 -out mysite.key

  • PEM转PKCS12

    openssl pkcs12 -export -inkey mysite.key -in mysite.pem -nodes -out mysite.p12(输出不带口令的p12证书)

    openssl pkcs12 -export -inkey mysite.key -in mysite.pem -passout pass:123456 -out mysite.p12 (输出带口令的p12证书)

  • P12转证书

    openssl pkcs12 -in mysite.p12 -nokeys -out mysite.pem

    openssl pkcs12 -in mysite.p12 -nokeys -passin pass:123456 -out mysite.pem (p12文件带口令的情况)

  • P12转私钥

    openssl pkcs12 -in mysite.p12 -nocerts -nodes -out mysite.key (输出不加密的私钥)

    openssl pkcs12 -in mysite.p12 -nocerts -passout pass:123123 -out mysite.key (输出加密后的私钥)

    openssl pkcs12 -in mysite.p12 -nocerts -passin pass:123456 -passout pass:123123 -out mysite.key (p12文件带口令的情况)

其他

  • asn1解析

    openssl asn1parse -dump -i -in xxx

  • 使用引擎

    openssl xxx -engine myengine.so ...

SSL

openssl s_server -accept 9999 -cert server.pem -key server.key -CAfile chain.pem -verify 3 -tls1_2
openssl s_client -connect 127.0.0.1:9999 -cert user.pem -key user.key -debug -status -cipher ECDHE-RSA-AES256-GCM-SHA384

openssl s_server -gmvpn -accept 9999 -gm_sig_cert sig.pem -gm_sig_key sig.key -gm_enc_cert enc.pem -gm_enc_key enc.key -CAfile chain.pem -verify 3
openssl s_client -gmvpn -connect 127.0.0.1:9999 -gm_sig_cert sig.pem -gm_sig_key sig.key -gm_enc_cert enc.pem -gm_enc_key enc.key -cipher ECC-SM4-SM3

HTTPS测试

  • 单行请求测试

    echo -e "GET / HTTP/1.1\r\nHost: localhost\r\nConnection: Keep-Alive\r\n\r\n" | openssl s_client -ign_eof -cert chen.pem -key chen.key -connect 192.168.190.7:443

  • 复杂请求测试

    • 在Chrome中使用开发者模式,复制HTTP请求头 (Network-F5-右键-Copy-Request Headers)

    • 将请求头保存到文件xxxx.header中(注意文件的格式要选择DOS格式,也即\r\n的换行模式),然后通过cat和s_client来发送

      cat request.header | openssl s_client -ign_eof -cert chen.pem -key chen.key -connect 192.168.190.7:443

  • 利用s_client命令测试HTTPS的各种超时

    • 发送完整的HTTP Header,并用time命令测试KeepAlive超时

      echo -e "GET / HTTP/1.1\r\nHost: localhost\r\nConnection: Keep-Alive\r\n" | time openssl s_client -ign_eof -cert chen.pem -key chen.key -connect 192.168.190.7:443

    • 发送不完整的HTTP Header,并用time命令测试Header超时

      echo -e "GET / HTTP/1.1" | time openssl s_client -ign_eof -cert chen.pem -key chen.key -connect 192.168.190.7:443

    • 发送不完整的HTTP Body,并用time命令测试Body超时

      echo -e "POST / HTTP/1.1\r\nHost: localhost\r\nContent-Length: 100\r\nContent-Type: text/html\r\n\r\n11111111" | time openssl s_client -ign_eof -cert xxxx.cer -key xxxx.key -connect 192.168.190.7:443

  • 利用s_client/s_server命令测试SSL传输性能

    • server端

      openssl s_server -accept 9999 -cert xxx.pem -key xxx.key -quiet >/dev/null

    • client端

      dd if=/dev/zero bs=1M count=512 | openssl s_client -connect 127.0.0.1:9999

性能测试

  • 测试算法性能

    openssl speed rsa2048
    openssl speed ecdsap256 
    openssl speed ecdhp256 
    openssl speed aes-128-cbc 
    openssl speed -evp aes-128-cbc
    openssl speed sm2
  • 测试TPS(连接数)

    openssl s_time -connect 192.168.190.7:443 -www / -CApath yourdir -CAfile yourfile.pem -cipher commoncipher [-ssl3]

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!