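I. Generation
1. Generate the private key
openssl genrsa -out server.key 2048
2. Create the server certificate signing request file server.csr
3. Run the following command to generate the certificate (.crt) file, self-signed with server.key
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt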
II. Conversion
· Certificate conversion
1. pem to crt
openssl x509 -in example.pem -out example.crt
2. crt to pem
openssl x509 -in example.crt -out example.pem
3. cer to pem (add -inform der if the .cer is DER-encoded)
openssl x509 -in example.cer -out example.pem
4. pem to cer
openssl x509 -inform pem -in example.pem -outform der -out example.cer
5. pfx to pem (a pfx is a PKCS#12 container, so it is read with pkcs12, not x509; -nodes writes the private key unencrypted)
openssl pkcs12 -in example.pfx -out example.pem -nodes
6. pem to der
openssl x509 -outform der -in example.pem -out example.der
7. der to pem
openssl x509 -inform der -in example.cer -out example.pem
8. pfx to pem
openssl pkcs12 -in certificate.pfx -out certificate.cer -nodes
· Key conversion
1. pem to key format
openssl rsa -in example.pem -out example.key
2. key to pem
openssl rsa -in example.key -out example.pem
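· Merging certificate and key
1. Merge the client certificate file client.crt and the client certificate key file client.key into the client certificate bundle client.pfx
openssl pkcs12 -export -in client.crt -inkey client.key -out client.pfx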
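· Certificate export
1. Convert a pfx certificate into key and crt
Step 1: first convert the pfx into a .pem file (-nodes writes the private key unencrypted)
openssl pkcs12 -in server.pfx -nodes -out test.pem
Step 2: export the key from the pem file
openssl rsa -in test.pem -out server.key
Step 3: export the crt from the pem file
openssl x509 -in test.pem -out test.crt
2. Export a pem certificate and key to p12
openssl pkcs12 -export -in client.pem -inkey client.key -out cli.p12
Extract the personal certificate
openssl pkcs12 -in alice.p12 -nokeys -clcerts -out alicecert.pem
Export the private key
openssl pkcs12 -in cli.p12 -nodes -nocerts -out server.key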
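· Certificate verification
1. Check the certificate validity period
openssl x509 -in server.pem -noout -dates
2. Verify that the certificate and key match (RSA only; a single line of output means the moduli are identical)
(openssl x509 -noout -modulus -in server.pem | openssl md5 ; openssl rsa -noout -modulus -in server.key | openssl md5) | uniq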
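
The generation steps, the pfx merge/export and the pairing check above, combined into one added shell example (not part of the original page). It goes beyond the page in two places: the `openssl req -new` command for the CSR step, which the page names but does not show, and a pairing check that compares the full public key instead of RSA modulus digests, so it also covers EC keys. The function names, the file names under the working directory and the subject /CN=example.test are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. File names under $dir and the subject /CN=example.test
# are constructed for illustration.

# Steps 1-3 of "Generation": private key, CSR, self-signed certificate.
make_self_signed() {
    dir=$1
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null &&
    openssl req -new -key "$dir/server.key" -subj "/CN=example.test" \
        -out "$dir/server.csr" &&
    openssl x509 -req -days 365 -in "$dir/server.csr" \
        -signkey "$dir/server.key" -out "$dir/server.crt" 2>/dev/null
}

# Bundle server.crt + server.key into server.pfx, then extract both again.
# A password on the command line is visible to other local users; it is
# used here only so the example runs without prompting.
pfx_roundtrip() {
    dir=$1; pw=$2
    openssl pkcs12 -export -in "$dir/server.crt" -inkey "$dir/server.key" \
        -passout "pass:$pw" -out "$dir/server.pfx" &&
    openssl pkcs12 -in "$dir/server.pfx" -passin "pass:$pw" \
        -nokeys -clcerts -out "$dir/out.crt" 2>/dev/null &&
    openssl pkcs12 -in "$dir/server.pfx" -passin "pass:$pw" \
        -nocerts -nodes -out "$dir/out.key" 2>/dev/null
}

# Return 0 only if certificate $1 and private key $2 carry the same public
# key. Comparing the whole public key works for RSA and EC alike; a file
# that cannot be parsed is a failure (2), never a match.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Usage: d=$(mktemp -d); make_self_signed "$d" &&
#        cert_matches_key "$d/server.crt" "$d/server.key" && echo match
```

Unlike the `| uniq` pipeline, `cert_matches_key` reports the result through its exit status, so it can gate a deployment script directly.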