Building a PKI certificate hierarchy with OpenSSL
1 Create the PKI directory structure
mkdir 07_PKI
cd 07_PKI
mkdir 01_RootCA 02_SubCA 03_Client
2 Create the root CA
cd 01_RootCA
mkdir key csr cert newcerts
touch index.txt index.txt.attr
echo 01 > serial
index.txt is the CA database and serial holds the next serial number; openssl ca refuses to run without them. The configuration below also references a crl directory and a crlnumber file; create those as well (initialise crlnumber to 01) if you intend to publish CRLs with openssl ca -gencrl later.
2.1 Create the root CA key pair
2.1.1 Generate a 2048-bit RSA private key. genrsa writes the key unencrypted; a real root CA key should be kept offline and at least encrypted with a passphrase (genrsa -aes256).
cd key
openssl genrsa -out pri_key.pem 2048
2.1.2 Inspect the generated RSA private key (add -noout to suppress the PEM block).
openssl rsa -in pri_key.pem -text
2.1.3 Extract the RSA public key from the private key file
openssl rsa -in pri_key.pem -pubout -out pub_key.pem
2.2 Create the root CA certificate signing request (CSR)
2.2.1 Create the CSR
Create the root CA configuration file rootca.conf:
cd ..
touch rootca.conf
rootca.conf contents. dir must be the absolute path of 01_RootCA (the page was written on Windows, hence E:/07_PKI); database, serial and new_certs_dir point at the files and directory created above.
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = E:/07_PKI/01_RootCA
certs = $dir/cert
crl_dir = $dir/crl
database = $dir/index.txt
new_certs_dir = $dir/newcerts
certificate = $dir/cert/rootca_cert.crt
serial = $dir/serial
crlnumber = $dir/crlnumber
crl = $dir/crl.pem
private_key = $dir/key/pri_key.pem
RANDFILE = $dir/key/.rand
unique_subject = no
x509_extensions = usr_cert
copy_extensions = copy
name_opt = ca_default
cert_opt = ca_default
default_days = 5475
default_crl_days= 60
default_md = sha256
preserve = no
policy = policy_ca
[ policy_ca ]
countryName = supplied
stateOrProvinceName = supplied
localityName = supplied
organizationName = supplied
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req ]
default_bits = 2048
default_keyfile = pri_key.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca
string_mask = utf8only
utf8 = yes
prompt = no
[ req_distinguished_name ]
countryName = CN
stateOrProvinceName = GuangDong
localityName = ShenZhen
organizationName = TangTring
commonName = RootCA
[ usr_cert ]
basicConstraints = CA:TRUE
[ v3_ca ]
basicConstraints = CA:TRUE
[ req_attributes ]
Three things to note in this configuration. The [ca] side issues with x509_extensions = usr_cert, and usr_cert sets basicConstraints = CA:TRUE, so every certificate this root signs is a CA certificate; that is what the sub CA in section 3 needs, but the extension is not marked critical and carries neither a pathlen limit nor a keyUsage, all of which a production root should add. copy_extensions = copy lets a CSR request extensions of its own; the CA's usr_cert section overrides same-named ones (basicConstraints here), but anything else requested is copied into the certificate, so only sign CSRs you have reviewed. Finally, the [req] side sets x509_extensions (consulted only by req -x509) rather than req_extensions, so the CSR generated below carries no extensions at all; the CA:TRUE comes from the CA at signing time.
Create the root CA CSR. The request is signed with sha256, the default digest in OpenSSL 1.1.0 and later; on older releases that still default to sha1, pass -sha256 explicitly.
cd csr
openssl req -new -key ../key/pri_key.pem -out rootca_csr.pem -config ../rootca.conf
2.2.2 Inspect the CSR
openssl req -in rootca_csr.pem
Output:
-----BEGIN CERTIFICATE REQUEST-----
(base64 body omitted)
-----END CERTIFICATE REQUEST-----
To print the request in text form instead of PEM, use -noout -text:
openssl req -in rootca_csr.pem -text -noout
Output:
Certificate Request:
Data:
Version: 1 (0x0)
Subject: C=CN, ST=GuangDong, L=ShenZhen, O=TangTring, CN=RootCA
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:b0:68:c3:37:c8:1e:dd:ff:62:0a:b0:1f:b2:b2:
e5:9f:f4:4c:5f:3e:c4:02:a3:0c:22:31:a6:0a:13:
25:41:d5:c4:02:b0:93:fc:57:71:7e:8a:26:39:67:
d3:1d:14:d1:12:71:6d:85:9f:70:f9:33:aa:92:f8:
0e:c9:0b:a2:14:64:c9:45:9d:9c:dd:3d:85:89:d7:
c5:27:9c:80:d3:a5:0e:10:b0:57:59:7a:a1:8e:f6:
18:3f:e1:16:1a:d7:67:d2:43:a0:fe:d0:3b:40:a4:
c6:67:28:20:43:32:50:9a:c0:1f:66:49:39:be:95:
75:3a:4f:99:b7:0a:31:59:93:cb:d3:fc:41:47:16:
40:b8:5d:a0:c4:1c:8d:e0:cb:7c:d6:bb:20:58:ba:
30:3d:7e:57:b4:83:43:0a:27:c4:c7:50:65:1d:91:
b1:95:65:16:54:85:63:d5:20:1f:fa:0d:92:e3:6b:
39:77:5c:4d:ad:93:69:29:33:1e:e3:a6:dd:b8:bb:
98:1a:4e:12:a9:e6:4f:b9:7c:93:91:52:ea:d3:45:
66:80:ce:cc:6b:d5:07:b9:ca:c1:99:84:3f:c9:b0:
c9:94:e8:e0:38:dd:6b:55:0a:97:47:47:56:4f:0c:
7a:e6:23:95:cc:07:fe:d2:16:23:2d:cf:7a:f9:96:
ab:13
Exponent: 65537 (0x10001)
Attributes:
(none)
Requested Extensions:
Signature Algorithm: sha256WithRSAEncryption
Signature Value:
07:9c:56:a4:b3:7b:6e:b6:50:84:60:05:85:86:45:00:2b:8b:
e0:cc:f3:8b:5f:57:38:fb:6b:22:19:9e:90:42:1e:98:b6:76:
c6:ad:15:1c:40:9b:08:0a:c2:1b:ff:b3:21:3b:c7:24:d1:43:
c9:14:cc:10:48:b6:ce:ac:86:a0:db:94:c4:65:fd:10:ce:d3:
98:97:96:4d:54:4b:7a:c8:a1:68:49:bd:4a:ca:fb:e6:96:2c:
74:13:61:f3:0c:08:27:44:6e:54:60:e0:83:22:d4:4d:42:15:
64:96:9e:6b:27:a8:7b:1b:fc:94:9d:58:aa:c6:96:96:45:1d:
a9:8b:1d:a7:d1:d0:87:13:5b:02:e2:7a:b4:37:d0:31:2f:0e:
e2:cb:61:b5:8e:d9:52:aa:da:ed:ab:eb:d5:7c:30:38:4e:73:
c7:a6:d4:f1:04:74:b1:99:47:e4:24:27:ec:0a:8f:5c:6d:e4:
80:a7:d8:ab:90:7e:b4:17:93:94:1d:9e:44:76:5a:d8:bf:85:
93:26:e2:b3:90:77:c0:35:00:f3:96:24:0a:e8:63:07:60:35:
a9:bf:72:cc:8d:17:b6:e2:9e:91:1c:cc:24:9a:9a:c7:96:82:
b6:a3:4c:f8:48:74:1f:88:51:f8:e4:de:16:be:76:33:f5:d2:
2b:e8:25:8a
2.2.3 Verify the CSR signature
openssl req -verify -in rootca_csr.pem -noout
Output:
Certificate request self-signature verify OK
2.3 Create the self-signed root CA certificate
2.3.1 Generate the root CA certificate
Generate the self-signed root CA certificate with openssl ca -selfsign (the root signs its own CSR with the private key named in rootca.conf):
cd ../cert
openssl ca -selfsign -in ../csr/rootca_csr.pem -out rootca_cert.crt -config ../rootca.conf
Output (openssl ca asks for confirmation twice; answer y to both, or pass -batch to skip the prompts):
Using configuration from ../rootca.conf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Sep 24 07:32:28 2024 GMT
Not After : Sep 21 07:32:28 2039 GMT
Subject:
countryName = CN
stateOrProvinceName = GuangDong
localityName = ShenZhen
organizationName = TangTring
commonName = RootCA
X509v3 extensions:
X509v3 Basic Constraints:
CA:TRUE
Certificate is to be certified until Sep 21 07:32:28 2039 GMT (5475 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Database updated
2.3.2 Inspect the certificate
View the certificate in text form:
openssl x509 -in rootca_cert.crt -text -noout
Output. Note that this dump does not match the openssl ca -selfsign run above: it shows a random 20-byte serial, a ten-year validity and a critical basicConstraints, whereas that run produced serial 1, a 5475-day validity and a non-critical extension. It was evidently taken from a different generation of the root certificate over the same key (the Subject Key Identifier D9:C2:... is the one the sub CA's Authority Key Identifier references in section 3). With the command as given, expect the values printed in the openssl ca output.
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
54:31:e1:11:20:6c:0e:7b:a2:3b:fc:17:64:a4:30:a3:d7:75:b2:00
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=CN, ST=GuangDong, L=ShenZhen, O=TangTring, CN=RootCA
Validity
Not Before: Sep 24 02:52:22 2024 GMT
Not After : Sep 22 02:52:22 2034 GMT
Subject: C=CN, ST=GuangDong, L=ShenZhen, O=TangTring, CN=RootCA
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:b0:68:c3:37:c8:1e:dd:ff:62:0a:b0:1f:b2:b2:
e5:9f:f4:4c:5f:3e:c4:02:a3:0c:22:31:a6:0a:13:
25:41:d5:c4:02:b0:93:fc:57:71:7e:8a:26:39:67:
d3:1d:14:d1:12:71:6d:85:9f:70:f9:33:aa:92:f8:
0e:c9:0b:a2:14:64:c9:45:9d:9c:dd:3d:85:89:d7:
c5:27:9c:80:d3:a5:0e:10:b0:57:59:7a:a1:8e:f6:
18:3f:e1:16:1a:d7:67:d2:43:a0:fe:d0:3b:40:a4:
c6:67:28:20:43:32:50:9a:c0:1f:66:49:39:be:95:
75:3a:4f:99:b7:0a:31:59:93:cb:d3:fc:41:47:16:
40:b8:5d:a0:c4:1c:8d:e0:cb:7c:d6:bb:20:58:ba:
30:3d:7e:57:b4:83:43:0a:27:c4:c7:50:65:1d:91:
b1:95:65:16:54:85:63:d5:20:1f:fa:0d:92:e3:6b:
39:77:5c:4d:ad:93:69:29:33:1e:e3:a6:dd:b8:bb:
98:1a:4e:12:a9:e6:4f:b9:7c:93:91:52:ea:d3:45:
66:80:ce:cc:6b:d5:07:b9:ca:c1:99:84:3f:c9:b0:
c9:94:e8:e0:38:dd:6b:55:0a:97:47:47:56:4f:0c:
7a:e6:23:95:cc:07:fe:d2:16:23:2d:cf:7a:f9:96:
ab:13
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
D9:C2:22:B4:CA:46:BA:AC:32:D6:AC:97:BF:81:17:09:A9:D5:04:F6
X509v3 Authority Key Identifier:
D9:C2:22:B4:CA:46:BA:AC:32:D6:AC:97:BF:81:17:09:A9:D5:04:F6
X509v3 Basic Constraints: critical
CA:TRUE
Signature Algorithm: sha256WithRSAEncryption
Signature Value:
76:02:c3:e9:da:e5:c9:37:75:57:fd:97:62:80:9f:3b:67:a0:
f3:32:7d:1e:3a:f4:bd:c2:e4:10:3f:b6:64:7c:2e:9a:47:e4:
5a:56:c6:c4:fc:b9:68:2a:ef:83:d9:10:b3:e2:23:93:2c:47:
49:4c:df:d4:3f:ea:c2:76:bb:2a:c4:a0:c6:c0:f9:2c:5a:43:
1f:dd:84:16:89:6d:a6:b4:7c:16:58:fa:90:a9:36:0c:b1:e4:
d8:57:30:a4:47:d9:ec:a4:df:df:57:ea:69:9a:fa:27:7c:db:
77:5f:ad:25:84:78:8b:a5:2c:cc:22:93:01:f8:9d:65:ce:dc:
4a:b3:a2:e7:df:b8:c4:74:ee:99:d3:27:db:1e:6a:13:e2:b1:
d2:6d:86:05:be:f7:46:e6:4d:14:67:85:27:a2:af:6b:39:95:
ed:b3:a3:43:3d:17:4c:5c:53:2d:42:97:47:6a:9b:bb:d2:3a:
4e:7d:92:74:a3:51:a8:dd:d4:c7:c1:9a:e1:31:68:3c:71:ea:
42:1b:77:09:d0:1d:29:ca:16:a7:87:28:47:f4:c9:c9:43:c1:
1d:d6:9d:4a:27:40:c8:86:e2:39:c0:3d:a7:ad:d6:0a:ae:d2:
f9:bf:21:aa:b8:68:23:db:83:fd:d9:72:f8:39:d4:be:1d:3f:
f6:2c:39:e8
3 Create the intermediate (sub) CA certificate
cd ../../02_SubCA
mkdir key csr cert newcerts
touch index.txt index.txt.attr
echo 01 > serial
3.1 Create the sub CA key pair
cd key
openssl genrsa -out pri_key.pem 2048
3.2 Create the sub CA certificate signing request
Create the sub CA configuration file:
cd ../
vim subca.conf
subca.conf contents. It differs from rootca.conf in dir, the certificate path, the validity defaults and the CN, and in one important line: [usr_cert] basicConstraints = CA:FALSE, so every certificate the sub CA issues is an end-entity certificate.
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = E:/07_PKI/02_SubCA
certs = $dir/cert
crl_dir = $dir/crl
database = $dir/index.txt
new_certs_dir = $dir/newcerts
certificate = $dir/cert/subca_cert.crt
serial = $dir/serial
crlnumber = $dir/crlnumber
crl = $dir/crl.pem
private_key = $dir/key/pri_key.pem
RANDFILE = $dir/key/.rand
unique_subject = no
x509_extensions = usr_cert
copy_extensions = copy
name_opt = ca_default
cert_opt = ca_default
default_days = 3650
default_crl_days = 30
default_md = sha256
preserve = no
policy = policy_ca
[ policy_ca ]
countryName = supplied
stateOrProvinceName = supplied
localityName = supplied
organizationName = supplied
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req ]
default_bits = 2048
default_keyfile = pri_key.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca
string_mask = utf8only
utf8 = yes
prompt = no
[ req_distinguished_name ]
countryName = CN
stateOrProvinceName = GuangDong
localityName = ShenZhen
organizationName = TangTring
commonName = SubCA
[ usr_cert ]
basicConstraints = CA:FALSE
[ v3_ca ]
basicConstraints = CA:TRUE
[ req_attributes ]
cd csr
openssl req -new -key ../key/pri_key.pem -out subca_csr.pem -config ../subca.conf
3.3 Issue the sub CA certificate. The CSR is signed with the root CA's configuration, whose usr_cert section sets CA:TRUE, so the result is a CA certificate valid for 3650 days:
cd ../cert
openssl ca -in ../csr/subca_csr.pem -out subca_cert.crt -config ../../01_RootCA/rootca.conf -days 3650
Output (serial 3 rather than 2: the root's serial file had been advanced by earlier signing runs):
Using configuration from ../../01_RootCA/rootca.conf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 3 (0x3)
Validity
Not Before: Sep 24 07:55:39 2024 GMT
Not After : Sep 22 07:55:39 2034 GMT
Subject:
countryName = CN
stateOrProvinceName = GuangDong
localityName = ShenZhen
organizationName = TangTring
commonName = SubCA
X509v3 extensions:
X509v3 Basic Constraints:
CA:TRUE
Certificate is to be certified until Sep 22 07:55:39 2034 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Database updated
The resulting sub CA certificate (its Authority Key Identifier equals the root's Subject Key Identifier):
openssl x509 -in subca_cert.crt -text -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 3 (0x3)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=CN, ST=GuangDong, L=ShenZhen, O=TangTring, CN=RootCA
Validity
Not Before: Sep 24 07:55:39 2024 GMT
Not After : Sep 22 07:55:39 2034 GMT
Subject: C=CN, ST=GuangDong, L=ShenZhen, O=TangTring, CN=SubCA
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:be:8b:38:47:90:f9:dd:6d:79:3d:0d:1f:8e:ee:
e1:2b:8d:7b:ce:a9:3b:0a:03:4b:c0:d2:dc:3d:a9:
69:d2:49:5e:22:65:bc:96:cf:05:1d:a9:ed:a7:fb:
a5:03:71:30:0f:4d:7c:cb:4d:b5:bd:d0:22:5c:42:
83:ff:27:1f:31:c2:e3:e9:d4:b8:d1:c9:9a:3d:d1:
91:31:f0:56:c3:85:b9:e9:06:5b:f6:fb:82:bc:33:
f6:c4:e7:58:36:f3:eb:6c:ea:2d:24:b7:ca:ff:21:
e2:b1:00:7f:5f:d6:39:c1:16:5a:d1:c6:58:a7:db:
1f:cd:43:df:f3:c0:b9:ca:88:3d:f9:6d:a4:08:d2:
f9:58:d5:50:ea:60:e1:92:89:21:df:30:42:f6:b5:
ec:fe:2d:c0:03:cb:77:da:46:02:5c:ea:cf:fc:80:
21:1e:10:83:d0:b8:19:bc:68:77:45:ce:53:98:c9:
c8:89:af:3e:19:73:f1:cd:9c:92:05:34:0b:f3:4d:
77:2d:cc:c5:db:f0:0e:cf:c8:d9:e3:1b:da:31:d6:
9c:c9:3e:2c:f3:a3:90:0e:c0:a2:f5:0c:35:9e:95:
ed:8e:26:c8:97:2c:ec:5d:5c:93:8b:70:18:3b:a5:
30:c8:4c:77:3f:fe:47:10:f9:bc:1a:81:1f:13:07:
58:a5
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:TRUE
X509v3 Subject Key Identifier:
B6:CC:8A:AD:75:53:3A:5A:95:3D:53:20:7B:87:2E:E4:8A:90:63:F9
X509v3 Authority Key Identifier:
D9:C2:22:B4:CA:46:BA:AC:32:D6:AC:97:BF:81:17:09:A9:D5:04:F6
Signature Algorithm: sha256WithRSAEncryption
Signature Value:
8f:37:94:68:95:fe:91:d4:f3:ea:eb:70:10:24:02:c4:af:87:
a6:09:60:d3:e7:5b:c4:b5:62:4b:58:d4:7a:d0:b4:15:ca:2e:
d1:1b:32:a1:8c:7f:8b:68:43:1a:61:e4:7a:01:b1:56:30:b3:
a5:1e:5e:d9:35:8f:cf:9a:34:80:8a:ab:7c:68:f3:54:fb:71:
45:87:09:5f:71:0d:d2:c8:a9:36:fc:6a:5d:00:7a:d3:2a:7a:
00:f5:d4:37:25:66:ed:0d:b2:df:3f:fd:7c:11:71:17:f0:a6:
41:2c:d6:70:3d:76:af:ef:4d:03:ee:ba:05:8a:1b:ea:0c:5a:
dc:ca:5e:07:b4:fc:b0:71:80:f2:bd:20:e7:5f:ca:42:51:f7:
90:2a:cc:f5:de:be:cf:42:22:58:51:28:fa:43:af:e3:68:7b:
11:20:35:a1:9e:0f:da:bc:e2:2a:4e:c4:9b:f7:ed:e1:65:96:
68:4a:24:59:c2:fd:04:3d:e5:e3:4d:38:4a:0d:38:7a:0a:e3:
fd:48:ad:88:93:f0:bb:a0:21:c3:fe:9e:ce:b5:e6:11:8b:2a:
4b:3a:12:b0:9c:92:4c:bb:a6:1c:ba:f7:de:6f:9e:ff:6b:fa:
d0:fa:8b:37:7b:76:be:cd:e5:e4:c6:7f:6e:43:49:ff:70:64:
86:c0:35:e0
4 Issue an end-entity certificate with the sub CA
4.1 Create the end-entity certificate configuration file
cd ../../03_Client/
mkdir key csr cert
touch client.conf
client.conf contents. Only the section named by req_extensions (req_ext) is embedded in a CSR made with req -new; x509_extensions (v3_req) is consulted only by req -x509, so the keyUsage listed there never reaches the issued certificate, as the dump in 4.4 confirms. Move keyUsage into req_ext if the certificate needs it.
[ req ]
prompt = no
distinguished_name = server_distinguished_name
req_extensions = req_ext
x509_extensions = v3_req
attributes = req_attributes
[ server_distinguished_name ]
countryName = CN
stateOrProvinceName = GuangDong
localityName = ShenZhen
organizationName = TangTring
commonName = SPNM04_CN
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
[ req_attributes ]
[ req_ext ]
subjectAltName = @alternate_names
[ alternate_names ]
DNS.1 = SPNM04_CN.cn
DNS.2 = bbs.SPNM04_CN.cn
4.2 Create the end-entity key
cd key
openssl genrsa -out pri_key.pem 2048
4.3 Create the end-entity certificate signing request
cd ../csr
openssl req -new -key ../key/pri_key.pem -out client_csr.pem -config ../client.conf
4.4 Issue the end-entity certificate
cd ../cert
openssl ca -in ../csr/client_csr.pem -out client_cert.crt -config ../../02_SubCA/subca.conf -days 1825
Output (basicConstraints comes from subca.conf's usr_cert section, the SAN from the CSR via copy_extensions):
Using configuration from ../../02_SubCA/subca.conf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Sep 24 08:22:57 2024 GMT
Not After : Sep 23 08:22:57 2029 GMT
Subject:
countryName = CN
stateOrProvinceName = GuangDong
localityName = ShenZhen
organizationName = TangTring
commonName = SPNM04_CN
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 Subject Alternative Name:
DNS:SPNM04_CN.cn, DNS:bbs.SPNM04_CN.cn
Certificate is to be certified until Sep 23 08:22:57 2029 GMT (1825 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Database updated
The resulting end-entity certificate:
openssl x509 -in client_cert.crt -text -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=CN, ST=GuangDong, L=ShenZhen, O=TangTring, CN=SubCA
Validity
Not Before: Sep 24 08:22:57 2024 GMT
Not After : Sep 23 08:22:57 2029 GMT
Subject: C=CN, ST=GuangDong, L=ShenZhen, O=TangTring, CN=SPNM04_CN
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:e4:5c:fd:94:01:11:47:8e:25:6a:76:42:1d:65:
bc:68:dd:52:ba:1b:0e:43:98:c9:f2:27:a9:bb:13:
a1:e9:76:43:e3:ac:c7:7e:ab:2e:cf:fc:e6:72:0a:
1f:b4:0d:6c:dc:f1:c7:09:b2:09:72:d2:8f:53:6f:
65:bf:1a:4d:dc:80:ca:5c:c0:66:be:4c:8a:77:e5:
47:95:b6:96:eb:75:83:13:09:95:d6:e8:3c:ac:bf:
e3:96:54:b7:c6:16:ea:5c:84:15:9a:c7:9a:22:c5:
33:60:97:30:63:1d:37:c0:8a:6d:b4:50:1f:86:99:
86:1c:88:0e:bf:9e:db:c6:03:e2:85:90:32:53:2a:
7c:72:7c:40:1f:d7:ba:46:88:56:d8:5d:7c:c1:0c:
4f:95:4a:ec:53:5f:63:cf:fc:aa:43:b9:f0:23:e2:
f9:4c:29:30:95:4f:3b:57:af:51:ff:27:05:f9:4f:
15:63:2f:34:92:c6:b3:ad:fd:21:3b:9d:36:b0:c1:
6b:12:9c:60:d9:15:85:8f:d2:f1:ee:3c:1e:d3:c9:
f0:86:ee:57:36:0c:07:2a:c6:d6:85:aa:96:a2:a4:
7b:5c:8f:c1:22:3c:d5:4e:23:47:fa:99:87:fc:5c:
90:3d:5f:3d:f4:57:e6:40:c2:a9:7d:6b:47:09:87:
10:ef
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 Subject Alternative Name:
DNS:SPNM04_CN.cn, DNS:bbs.SPNM04_CN.cn
X509v3 Subject Key Identifier:
C1:B6:B5:FC:8A:8D:8A:21:E9:60:DE:5B:8C:C1:AB:CA:59:44:57:D4
X509v3 Authority Key Identifier:
B6:CC:8A:AD:75:53:3A:5A:95:3D:53:20:7B:87:2E:E4:8A:90:63:F9
Signature Algorithm: sha256WithRSAEncryption
Signature Value:
24:2c:17:dc:80:0b:a4:61:20:18:f6:70:0b:72:26:a5:44:41:
af:8c:76:be:d3:a9:25:e1:26:95:a2:5c:2c:5d:bd:7b:26:00:
91:29:69:5b:20:4c:09:4a:4d:7a:b6:41:8e:d3:b7:df:7e:05:
26:af:7f:4a:d4:97:88:10:d9:61:1b:03:1a:b4:48:db:0c:c8:
fc:ec:58:49:dc:50:c5:8a:1c:22:7e:4a:40:a2:b3:43:b8:f9:
f6:32:98:6e:31:46:2e:bd:2a:7e:ca:ba:07:2d:c3:9b:5f:14:
33:2e:99:64:c0:dc:74:d3:a3:10:4c:7d:9f:26:59:5e:d5:a4:
c7:1a:c2:08:9a:fd:eb:4d:7e:9a:23:78:94:7c:f0:1b:a5:2d:
81:35:71:84:b1:66:dd:4e:b7:78:f6:79:ed:b6:37:e2:e8:9d:
89:25:3e:94:76:78:00:20:d7:3f:9d:e1:71:ea:e1:5a:2d:da:
c5:20:70:65:e5:9d:48:06:91:3a:5f:d3:92:0a:68:f2:84:de:
a3:3f:11:10:f3:61:be:a8:eb:85:88:a1:95:f8:a5:c7:bf:d9:
85:a7:8e:5e:38:3f:3c:dc:e3:41:0d:9d:94:c8:d5:3f:c3:33:
59:21:da:47:03:10:49:78:12:5f:ca:55:9b:e2:54:b9:bd:75:
92:0d:d7:79
5 Other commonly used openssl commands
5.1 Bundle the certificate chain
Order matters when bundling: the end-entity certificate comes first, then the sub CA, then the root, so that each certificate is followed by the one that signed it. For serving over TLS, send only the leaf and the intermediate; the root is expected to be in the client's trust store already, and a root that is not already trusted gains nothing by being sent.
cd ../../
cat 03_Client/cert/client_cert.crt 02_SubCA/cert/subca_cert.crt 01_RootCA/cert/rootca_cert.crt | tee 03_Client/all_cert.crt
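The procedure of sections 2 to 4 and the bundling of 5.1, collapsed into one script and followed by the checks a practitioner would run on the result. This is an added example, not code from the original page: it uses openssl ca -batch instead of answering the prompts, a mktemp scratch directory instead of E:/07_PKI, the hostname example.test, and a hardened set of extension sections (critical basicConstraints, pathlen:0 on the sub CA, keyUsage and SKID/AKID on every certificate) in place of the page's single basicConstraints line; all of those are assumptions. openssl verify with the root as trust anchor and the sub CA as -untrusted intermediate is the check that the chain actually links up, and the negative check shows what a server that forgets to send the intermediate looks like to a client.

```shell
#!/bin/sh
# Added example, not code from the original page: sections 2-4 as one
# non-interactive run (openssl ca -batch) plus the checks a practitioner would
# make. Assumed: a mktemp scratch directory instead of E:/07_PKI, the hostname
# example.test, and the hardened extension sections in ca_conf below.
set -eu
PKI=$(mktemp -d)
ROOT="$PKI/01_RootCA"; SUB="$PKI/02_SubCA"; LEAF="$PKI/03_Client"

# ca_init DIR: the openssl-ca database layout from the page
ca_init() { mkdir -p "$1/key" "$1/csr" "$1/cert" "$1/newcerts"; : > "$1/index.txt"; echo 01 > "$1/serial"; }

# ca_conf DIR CN: one config per CA. The extension section is chosen per run with
# 'openssl ca -extensions', so one file self-signs the root, issues the sub CA
# (pathlen:0) and issues leaf certificates.
ca_conf() {
    cat > "$1/ca.conf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $1
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
certificate = \$dir/cert/ca.crt
serial = \$dir/serial
private_key = \$dir/key/pri_key.pem
copy_extensions = copy
default_days = 3650
default_md = sha256
policy = policy_ca
[ policy_ca ]
countryName = supplied
organizationName = supplied
commonName = supplied
[ req ]
prompt = no
distinguished_name = dn
[ dn ]
countryName = CN
organizationName = TangTring
commonName = $2
[ root_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ sub_ca_ext ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
[ leaf_ext ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
EOF
}

build_pki() {
    for d in "$ROOT" "$SUB" "$LEAF"; do ca_init "$d"; done
    ca_conf "$ROOT" RootCA; ca_conf "$SUB" SubCA
    # section 2: root key, CSR, self-signed certificate (openssl ca -selfsign, as on the page)
    openssl genrsa -out "$ROOT/key/pri_key.pem" 2048 2>/dev/null
    openssl req -new -config "$ROOT/ca.conf" -key "$ROOT/key/pri_key.pem" -out "$ROOT/csr/ca.csr"
    openssl ca -batch -notext -selfsign -config "$ROOT/ca.conf" -extensions root_ext \
        -in "$ROOT/csr/ca.csr" -out "$ROOT/cert/ca.crt" 2>/dev/null
    # section 3: sub CA CSR signed by the root, constrained to pathlen:0
    openssl genrsa -out "$SUB/key/pri_key.pem" 2048 2>/dev/null
    openssl req -new -config "$SUB/ca.conf" -key "$SUB/key/pri_key.pem" -out "$SUB/csr/ca.csr"
    openssl ca -batch -notext -config "$ROOT/ca.conf" -extensions sub_ca_ext \
        -in "$SUB/csr/ca.csr" -out "$SUB/cert/ca.crt" 2>/dev/null
    # section 4: leaf CSR carrying a SAN (-addext needs OpenSSL 1.1.1+); -subj overrides the
    # DN of the borrowed config, and copy_extensions moves the SAN into the certificate
    openssl genrsa -out "$LEAF/key/pri_key.pem" 2048 2>/dev/null
    openssl req -new -config "$SUB/ca.conf" -key "$LEAF/key/pri_key.pem" -out "$LEAF/csr/leaf.csr" \
        -subj "/C=CN/O=TangTring/CN=example.test" \
        -addext "subjectAltName=DNS:example.test,DNS:www.example.test"
    openssl ca -batch -notext -config "$SUB/ca.conf" -extensions leaf_ext -days 825 \
        -in "$LEAF/csr/leaf.csr" -out "$LEAF/cert/leaf.crt" 2>/dev/null
    # section 5.1: a server sends leaf then intermediate; the root lives in the client trust store
    cat "$LEAF/cert/leaf.crt" "$SUB/cert/ca.crt" > "$LEAF/chain.crt"
}

# Checks; each returns 0 on success so a harness can assert on them.
verify_chain() {   # root as trust anchor, sub CA as untrusted intermediate, hostname must match
    openssl verify -CAfile "$ROOT/cert/ca.crt" -untrusted "$SUB/cert/ca.crt" \
        -verify_hostname example.test "$LEAF/cert/leaf.crt" >/dev/null 2>&1
}
verify_without_intermediate() {   # same leaf with the intermediate missing: must fail
    openssl verify -CAfile "$ROOT/cert/ca.crt" "$LEAF/cert/leaf.crt" >/dev/null 2>&1
}
leaf_is_not_ca() { openssl x509 -in "$LEAF/cert/leaf.crt" -noout -text | grep -q 'CA:FALSE'; }
subca_pathlen_zero() { openssl x509 -in "$SUB/cert/ca.crt" -noout -text | grep -q 'pathlen:0'; }

build_pki
verify_chain && echo "chain verifies: $LEAF/chain.crt"
verify_without_intermediate || echo "leaf without the intermediate does not verify (expected)"
```

Run it with sh; it needs OpenSSL 1.1.1 or later for -addext. Selecting the extension section with -extensions at signing time, rather than keeping one usr_cert section per CA as the page does, keeps the intent of each signing visible on the command line and makes it impossible to issue a CA certificate by accident from the sub CA's configuration.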
5.2 Converting between PEM and DER
Convert an RSA private key from PEM to DER:
openssl rsa -inform pem -in pri_key.pem -outform der -out pri_key.der
Normalise a .crt to plain PEM. The file written by openssl ca is already PEM encoded, but it is preceded by a human-readable text dump of the certificate (suppressed with -notext); openssl x509 reads the PEM block and writes only the PEM block:
openssl x509 -in client_cert.crt -outform pem -out client_cert.pem
Convert a PEM certificate (.crt or .pem) to DER:
openssl x509 -inform pem -in client_cert.crt -outform der -out client_cert.der
openssl x509 -inform pem -in client_cert.pem -outform der -out client_cert.der
Convert a DER certificate back to PEM (the inverse of the previous step):
openssl x509 -inform der -in client_cert.der -outform pem -out client_cert.pem
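The conversions of 5.2 as round trips that prove nothing is lost in either direction, plus the check to make before pairing a private key with a certificate: that the public key inside the certificate is the one derived from the private key. This is an added example, not from the original page; it generates a throwaway self-signed certificate and an unrelated second key in a mktemp directory (assumptions), so it does not touch the PKI built above.

```shell
#!/bin/sh
# Added example, not code from the original page: the PEM/DER conversions of
# section 5.2 as round trips that prove nothing is lost, plus the check to make
# before deploying a key and certificate together: do they belong to each other?
# A throwaway self-signed certificate and an unrelated second key are generated
# in a mktemp directory for the demonstration (assumed, not the page's PKI).
set -eu
WORK=$(mktemp -d)
printf '[req]\nprompt = no\ndistinguished_name = dn\n[dn]\nCN = conversion-demo\n' > "$WORK/req.cnf"
openssl req -x509 -new -newkey rsa:2048 -nodes -keyout "$WORK/key.pem" -out "$WORK/cert.pem" \
    -days 1 -config "$WORK/req.cnf" 2>/dev/null
openssl genrsa -out "$WORK/other_key.pem" 2048 2>/dev/null   # for the negative check

# cert_roundtrip CERT: PEM -> DER -> PEM must reproduce the normalised PEM of the input
# (openssl x509 -out writes only the PEM block, dropping any text header openssl ca added)
cert_roundtrip() {
    openssl x509 -in "$1" -outform DER -out "$WORK/rt.der"
    openssl x509 -in "$WORK/rt.der" -inform DER -outform PEM -out "$WORK/rt.pem"
    openssl x509 -in "$1" -outform PEM -out "$WORK/orig.pem"
    [ "$(cat "$WORK/orig.pem")" = "$(cat "$WORK/rt.pem")" ]
}

# key_roundtrip KEY: the same round trip for the private key with openssl rsa, as in 5.2
key_roundtrip() {
    openssl rsa -in "$1" -outform DER -out "$WORK/k.der" 2>/dev/null
    openssl rsa -in "$WORK/k.der" -inform DER -outform PEM -out "$WORK/k.pem" 2>/dev/null
    openssl rsa -in "$1" -outform PEM -out "$WORK/k0.pem" 2>/dev/null
    [ "$(cat "$WORK/k0.pem")" = "$(cat "$WORK/k.pem")" ]
}

# key_matches_cert KEY CERT: 0 if the public key derived from KEY is the one inside CERT.
# Both sides are normalised to DER SubjectPublicKeyInfo and hashed, so PEM/DER and
# PKCS#1/PKCS#8 differences in how the key was stored do not matter.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout -outform DER | openssl dgst -sha256)
    c=$(openssl x509 -in "$2" -pubkey -noout | openssl pkey -pubin -outform DER | openssl dgst -sha256)
    [ "$k" = "$c" ]
}

cert_roundtrip "$WORK/cert.pem" && echo "certificate survives PEM -> DER -> PEM"
key_roundtrip "$WORK/key.pem" && echo "private key survives PEM -> DER -> PEM"
if key_matches_cert "$WORK/key.pem" "$WORK/cert.pem"; then echo "key.pem belongs to cert.pem"; fi
if ! key_matches_cert "$WORK/other_key.pem" "$WORK/cert.pem"; then echo "other_key.pem does not (expected)"; fi
```

Comparing hashes of the DER SubjectPublicKeyInfo is the version-independent way to match a key to a certificate: the older habit of comparing openssl rsa -modulus against openssl x509 -modulus only works for RSA, whereas this works for any key type openssl pkey understands.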