PFX证书处理-提取公/私钥及合并生成pfx
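# Unpack the PKCS#12 bundle into a single PEM file that holds the
# certificate(s) and the private key. openssl prompts for the import password.
# -nodes ("no DES") writes the private key WITHOUT encryption; OpenSSL 3.0
# names this option -noenc and keeps -nodes as a deprecated alias.
openssl pkcs12 -in myssl.pfx -nodes -out client.pem
# Extract the private key. client.key is unencrypted too, so keep it readable
# by its owner only (check with ls -l) and off shared or backed-up paths.
openssl rsa -in client.pem -out client.key
# Extract the certificate. The certificate carries the public key, but this is
# a certificate file, not a bare public key. x509 reads only the first
# certificate in client.pem, so any chain certificates are not copied.
openssl x509 -in client.pem -out client.crt
# client.pem still contains the unencrypted private key: delete it once
# client.key and client.crt have been written.
# Combine certificate (crt) and private key (key) back into a PFX.
# No password is given on the command line, so openssl prompts for the export
# password: a "pass:..." argument is visible in the process list and lands in
# shell history. For unattended use pass "-passout file:PATH" or
# "-passout env:VAR" instead.
openssl pkcs12 -export -out client.pfx -inkey client.key -in client.crt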
RSA格式公/私钥及自签名证书生成
# File names shared by the three steps below.
key_file=rsa_private.key
pub_file=rsa_public.key
cert_file=cert.crt

# Step 1: 2048-bit RSA private key, written without a passphrase, so anyone
# who can read the file can use the key.
openssl genrsa -out "$key_file" 2048

# Step 2: derive the matching public key from the private key.
openssl rsa -pubout -in "$key_file" -out "$pub_file"

# Step 3: self-signed certificate, valid for 365 days, signed with the existing
# private key. openssl asks for the subject fields interactively.
openssl req -x509 -new -key "$key_file" -days 365 -out "$cert_file"
公/私钥生成及将私钥转换为PKCS8格式以便在java中使用
# File names shared by the three steps below.
rsa_key=rsa_private_key.pem
pkcs8_key=rsa_private_key_pkcs8.pem
rsa_pub=rsa_public_key.pem

# 2048-bit RSA private key (no passphrase).
openssl genrsa -out "$rsa_key" 2048

# Re-encode the private key as PKCS#8 PEM for use from Java.
# -nocrypt leaves the PKCS#8 file unencrypted, so protect it with file
# permissions just like the original key.
openssl pkcs8 -topk8 -nocrypt \
  -inform PEM -in "$rsa_key" \
  -outform PEM -out "$pkcs8_key"

# Public key derived from the same private key.
openssl rsa -pubout -in "$rsa_key" -out "$rsa_pub"
DHE密钥协商参数,用于在nginx的http块中设置ssl_dhparam
# Diffie-Hellman parameters for DHE key exchange. In nginx they are referenced
# from the http block with:  ssl_dhparam /etc/nginx/dhparam.pem;
# Each pass generates its own independent 2048-bit parameter set: first into
# the current directory, then straight into /etc/nginx (writing there usually
# needs root). Generation can take a while.
for dh_out in dhparam.pem /etc/nginx/dhparam.pem; do
  openssl dhparam -out "$dh_out" 2048
done
CA私钥、CA证书、服务器私钥、服务器证书、客户端私钥、客户端证书生成
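# --- CA ---
# CA private key. It is written with -out inside a umask 077 subshell so the
# file is created owner-only; a plain "> ca-key.pem" redirect creates it with
# the shell's default umask, which is commonly world-readable.
(umask 077 && openssl genrsa -out ca-key.pem 2048)
# Self-signed CA certificate. -days 36500 is roughly 100 years and nothing here
# sets up revocation, so a leaked CA key stays trusted until the CA itself is
# replaced; use a much shorter lifetime outside a lab.
openssl req -new -x509 -nodes -days 36500 -key ca-key.pem -out ca-cert.pem

# --- Server ---
# Server private key (unencrypted because of -nodes) and certificate request.
# -days is not passed here: it only applies together with -x509 and is ignored
# when req produces a request; the lifetime is set by the signing step below.
openssl req -newkey rsa:2048 -nodes -keyout server-key.pem -out server-req.pem
# Rewrite the key through "openssl rsa". NOTE(review): on OpenSSL 3.x this
# emits PKCS#8 ("BEGIN PRIVATE KEY") unless -traditional is added; confirm
# which format the consumer expects.
openssl rsa -in server-key.pem -out server-key.rsa
# Sign the server request with the CA. No subjectAltName is added, so clients
# that verify the host name against SAN will not accept this certificate.
openssl x509 -req -in server-req.pem -days 36500 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem
# Check that the server certificate chains to the CA.
openssl verify -CAfile ca-cert.pem server-cert.pem

# --- Client ---
# Client private key (unencrypted) and certificate request.
openssl req -newkey rsa:2048 -nodes -keyout client-key.pem -out client-req.pem
# Same key rewrite as for the server key (same OpenSSL 3.x format caveat).
openssl rsa -in client-key.pem -out client-key.rsa
# Sign the client request with the CA. The serial is 02, not 01: serial numbers
# must be unique per issuer, and reusing the server's serial makes the two
# certificates indistinguishable by issuer+serial (some TLS stacks reject that).
openssl x509 -req -in client-req.pem -days 36500 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 02 -out client-cert.pem
# Check that the client certificate chains to the CA.
openssl verify -CAfile ca-cert.pem client-cert.pem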