
Common OpenSSL Commands

Author: 雨落秋垣 | Published 2024-10-30 23:31:32 | Column: 雨落秋垣

View certificate information

openssl x509 -noout -text -in _.httpsok.com.pem

View key information

RSA

# expects an RSA private key file
openssl rsa -noout -text -in _.httpsok.com.pem

ECC

# expects an EC private key file
openssl ec -noout -text -in _.httpsok.com.pem

Test a certificate (TLS handshake against the live server)

openssl s_client -connect httpsok.com:443

Common certificate formats

  • PEM (.pem): the nginx default
  • DER (.cer, .der): common on Windows
  • PKCS#12 (.pfx, .p12): common with IIS, Tomcat and macOS

Certificate format conversion

PEM to DER

openssl x509 -outform der -in _.httpsok.com.pem -out _.httpsok.com.der

DER to PEM

# the certificate chain is lost (a DER file holds a single certificate)
openssl x509 -inform der -in _.httpsok.com.der -out _.httpsok.com.pem

PEM to PKCS#12

# password: 12345678
openssl pkcs12 -export -out httpsok.com.pfx -inkey _.httpsok.com.key -in _.httpsok.com.pem -passout pass:12345678

PKCS#12 to PEM

# adds some redundant certificate information (Bag Attributes headers);
# -nodes writes the key unencrypted (deprecated spelling, -noenc in OpenSSL 3.0)
openssl pkcs12 -in httpsok.com.pfx -out httpsok.com.pem -nodes
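An added example, not part of the original post: it runs the PEM/DER conversions above on a two-certificate bundle, shows concretely why the one-line `openssl x509 -outform der` drops the chain, and then converts every certificate separately and back again. It assumes the openssl CLI is on PATH and uses throw-away self-signed certificates generated on the fly (constructed test data).

```shell
# make_test_bundle DIR: two throw-away self-signed certs (constructed test
# data) concatenated into DIR/bundle.pem, the way nginx expects a chain
make_test_bundle() {
  for cn in leaf issuer; do
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$cn" \
      -keyout "$1/$cn.key" -out "$1/$cn.pem" 2>/dev/null
  done
  cat "$1/leaf.pem" "$1/issuer.pem" > "$1/bundle.pem"
}

# pem_cert_count FILE: number of certificates in a PEM file
pem_cert_count() { grep -c 'BEGIN CERTIFICATE' "$1"; }

# pem_to_der_naive FILE OUT: the post's one-liner. A DER file holds a single
# certificate, so only the first one in FILE survives (the chain is lost).
pem_to_der_naive() { openssl x509 -in "$1" -outform der -out "$2"; }

# pem_to_der_all FILE OUTDIR: split the bundle, write OUTDIR/certN.der for
# every certificate, and print how many were written
pem_to_der_all() {
  awk -v out="$2" '/BEGIN CERTIFICATE/ { n++; f = out "/cert" n ".pem" }
                   f { print > f }
                   /END CERTIFICATE/ { close(f); f = "" }' "$1"
  n=0
  for p in "$2"/cert*.pem; do
    openssl x509 -in "$p" -outform der -out "${p%.pem}.der" && n=$((n + 1))
  done
  echo "$n"
}

# der_dir_to_pem DIR OUT: rebuild one PEM bundle from DIR/cert*.der, in order
der_dir_to_pem() {
  : > "$2"
  for f in "$1"/cert*.der; do openssl x509 -inform der -in "$f" >> "$2"; done
}

# demo_pem_der_roundtrip: prints "naive=<certs kept> all=<certs converted>
# roundtrip=<ok|lost>"; expected "naive=1 all=2 roundtrip=ok"
demo_pem_der_roundtrip() {
  d=$(mktemp -d); mkdir "$d/der"
  make_test_bundle "$d"
  pem_to_der_naive "$d/bundle.pem" "$d/naive.der"
  openssl x509 -inform der -in "$d/naive.der" > "$d/naive.pem"
  total=$(pem_to_der_all "$d/bundle.pem" "$d/der")
  der_dir_to_pem "$d/der" "$d/rebuilt.pem"
  if cmp -s "$d/bundle.pem" "$d/rebuilt.pem"; then rt=ok; else rt=lost; fi
  echo "naive=$(pem_cert_count "$d/naive.pem") all=$total roundtrip=$rt"
  rm -rf "$d"
}
```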

Enabling legacy algorithms

On OpenSSL 3.0 the RC2 cipher behind the PBE-SHA1-RC2-40 certificate PBE used below lives in the legacy provider, which is not activated by default; the configuration here activates it alongside the default provider.

Edit the file:

vim /etc/ssl/openssl.cnf

Contents:

openssl_conf = openssl_init

[openssl_init]
providers = provider_sect

[provider_sect]
default = default_sect
legacy = legacy_sect

[default_sect]
activate = 1

[legacy_sect]
activate = 1

PEM to PKCS#12 in detail

The legacy algorithms must be enabled first (see the section above).

Conversion command (best compatibility with older consumers)

openssl pkcs12 -export \
  -out cert.pfx \
  -inkey cert.key \
  -in cert.pem \
  -passout pass:123456 \
  -name "httpsok.com" \
  -certpbe PBE-SHA1-RC2-40 \
  -keypbe PBE-SHA1-3DES \
  -macalg sha1

Conversion command (OpenSSL 3.0 defaults)

openssl pkcs12 -export \
  -out cert.pfx \
  -inkey cert.key \
  -in cert.pem \
  -passout pass:123456 \
  -name "httpsok.com"

View details

openssl pkcs12 -info -in cert.pfx -passin pass:123456 -noout

Output

MAC: sha1, Iteration 2048
MAC length: 20, salt length: 8
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048
Certificate bag
Certificate bag
Certificate bag
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048
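An added example (not from the original post) that runs the 3.0-default export above against a throw-away key pair, classifies the result from the `-info` report the same way the sample output above is read (RC2 / 3DES / SHA-1 MAC versus PBES2 / AES), and checks that the certificate and key extracted back out of the .pfx match the originals. It assumes the openssl CLI is on PATH; the friendly name and password are the post's own values.

```shell
# make_test_identity DIR: throw-away key and self-signed cert (constructed
# test data) written to DIR/cert.key and DIR/cert.pem
make_test_identity() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=httpsok.com" \
    -keyout "$1/cert.key" -out "$1/cert.pem" 2>/dev/null
}

# pfx_export DIR PASS [extra args...]: the post's "3.0 default" export; add
# -certpbe PBE-SHA1-RC2-40 -keypbe PBE-SHA1-3DES -macalg sha1 for the
# compatibility variant (on OpenSSL 3 that needs the legacy provider enabled)
pfx_export() {
  d=$1; pw=$2; shift 2
  openssl pkcs12 -export -out "$d/cert.pfx" -inkey "$d/cert.key" \
    -in "$d/cert.pem" -passout "pass:$pw" -name "httpsok.com" "$@"
}

# pfx_pbe_summary FILE PASS: "legacy" if -info (which writes to stderr, hence
# 2>&1) reports RC2, 3DES or a SHA-1 MAC as in the post's sample, else "modern"
pfx_pbe_summary() {
  info=$(openssl pkcs12 -info -in "$1" -passin "pass:$2" -noout 2>&1)
  case "$info" in
    *RC2*|*TripleDES*|*"MAC: sha1"*) echo legacy ;;
    *) echo modern ;;
  esac
}

# pfx_matches_pem DIR PASS: extracts cert and key back out of DIR/cert.pfx and
# compares them with the originals; prints "ok" or "mismatch"
pfx_matches_pem() {
  d=$1; pw=$2
  fp_orig=$(openssl x509 -in "$d/cert.pem" -noout -fingerprint -sha256)
  fp_pfx=$(openssl pkcs12 -in "$d/cert.pfx" -passin "pass:$pw" -nokeys -clcerts 2>/dev/null |
           openssl x509 -noout -fingerprint -sha256)
  pub_orig=$(openssl pkey -in "$d/cert.key" -pubout)
  # -nodes: write the key unencrypted (deprecated spelling of -noenc in 3.0)
  pub_pfx=$(openssl pkcs12 -in "$d/cert.pfx" -passin "pass:$pw" -nocerts -nodes 2>/dev/null |
            openssl pkey -pubout)
  if [ "$fp_orig" = "$fp_pfx" ] && [ "$pub_orig" = "$pub_pfx" ]; then echo ok
  else echo mismatch; fi
}

# demo_pfx: prints "<legacy|modern> <ok|mismatch>", e.g. "modern ok" on 3.0
demo_pfx() {
  d=$(mktemp -d)
  make_test_identity "$d"
  pfx_export "$d" 123456
  echo "$(pfx_pbe_summary "$d/cert.pfx" 123456) $(pfx_matches_pem "$d" 123456)"
  rm -rf "$d"
}
```

On OpenSSL 1.1.1 the default export still uses RC2-40 and 3DES, so the same run reports "legacy ok" there.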

Help

openssl pkcs12 -help
Usage: pkcs12 [options]

General options:
 -help               Display this summary
 -in infile          Input file
 -out outfile        Output file
 -passin val         Input file pass phrase source
 -passout val        Output file pass phrase source
 -password val       Set PKCS#12 import/export password source
 -twopass            Separate MAC, encryption passwords
 -nokeys             Don't output private keys
 -nocerts            Don't output certificates
 -noout              Don't output anything, just verify PKCS#12 input
 -legacy             Use legacy encryption: 3DES_CBC for keys, RC2_CBC for certs
 -engine val         Use engine, possibly a hardware device

Provider options:
 -provider-path val  Provider load path (must be before 'provider' argument if required)
 -provider val       Provider to load (can be specified multiple times)
 -propquery val      Property query used when fetching algorithms

Random state options:
 -rand val           Load the given file(s) into the random number generator
 -writerand outfile  Write random data to the specified file

PKCS#12 import (parsing PKCS#12) options:
 -info               Print info about PKCS#12 structure
 -nomacver           Don't verify integrity MAC
 -clcerts            Only output client certificates
 -cacerts            Only output CA certificates
 -*                  Any supported cipher for output encryption
 -noenc              Don't encrypt private keys
 -nodes              Don't encrypt private keys; deprecated

PKCS#12 output (export) options:
 -export             Create PKCS12 file
 -inkey val          Private key, else read from -in input file
 -certfile infile    Extra certificates for PKCS12 output
 -passcerts val      Certificate file pass phrase source
 -chain              Build and add certificate chain for EE cert,
                     which is the 1st cert from -in matching the private key (if given)
 -untrusted infile   Untrusted certificates for chain building
 -CAfile infile      PEM-format file of CA's
 -CApath dir         PEM-format directory of CA's
 -CAstore uri        URI to store of CA's
 -no-CAfile          Do not load the default certificates file
 -no-CApath          Do not load certificates from the default certificates directory
 -no-CAstore         Do not load certificates from the default certificates store
 -name val           Use name as friendly name
 -caname val         Use name as CA friendly name (can be repeated)
 -CSP val            Microsoft CSP name
 -LMK                Add local machine keyset attribute to private key
 -keyex              Set key type to MS key exchange
 -keysig             Set key type to MS key signature
 -keypbe val         Private key PBE algorithm (default AES-256 CBC)
 -certpbe val        Certificate PBE algorithm (default PBES2 with PBKDF2 and AES-256 CBC)
 -descert            Encrypt output with 3DES (default PBES2 with PBKDF2 and AES-256 CBC)
 -macalg val         Digest algorithm to use in MAC (default SHA1)
 -iter +int          Specify the iteration count for encryption and MAC
 -noiter             Don't use encryption iteration
 -nomaciter          Don't use MAC iteration)
 -maciter            Unused, kept for backwards compatibility
 -nomac              Don't generate MAC
