openssl dgst -verify pub.pem -sha256 -signature sign.txt file.txt 通过公钥pub.pem验证签名文件sign.txt和file.txt
openssl x509 -in new.crt -pubkey -noout > pubkey.pem 从证书new.crt提取公钥文件pubkey.pem
openssl base64 -in test.base64 -d -out text.bin 将base64编码文件test.base64转为二进制文件tetx.bin 需要手动在test.base64后添加换行符
openssl dgst -binary -sha256 -out hash.bin test.tar 计算test.tar包的hash值 (二进制格式)
openssl base64 -in hash.bin -out hash.base64 计算base64编码
对csr文件进行签名:
openssl smime -sign -binary -signer certificat.pem -inkey key.pem -in testCSRfile_to_sign.pem -out testCSRfile_smime.signed -nodetach
openssl smime -verify -noverify -in testCSRfile_smime.signed -pk7out -out testCSRfile_P7.signed
openssl pkcs7 -in testCSRfile_P7.signed -out testCSRfile_P7_DER.signed -outform der
mv testCSRfile_P7_DER.signed PKCS10_testCSRfile.data
openssl常用命令
http://man.linuxde.net/openssl
ECC证书请求文件
openssl ecparam -name prime256v1 -genkey -out server-ecc.key 生成密钥
openssl req -new -key server-ecc.key -out server.csr 生成csr请求文件
从p7b格式证书链提取证书
openssl pkcs7 -inform der -in consol_p7_MP_ECC_256_18.p7b -out MP_ECC.p7b
openssl pkcs7 -print_certs -in MP_ECC.p7b -out MP_ECC.cer
验证证书链
openssl verify -CAfile MP_RSA_2048_chain.cer -untrusted rsa_sec.cer submp.cer
MP_RSA_2048_chain二级证书链,有根证书和二级证书
rsa_sec.cer二级证书
submp.cer叶子证书
证书链验证证书
openssl verify -CAfile cert.pem test.crt
cert.pem证书链
test.crt叶子证书
ECC证书签名验签
1 从证书test.cer中获取到公钥信息,将获取到的信息存为public_key.pem
openssl x509 -noout -pubkey -in test.cer
2 对t数据进行sha256签名,
testsign.txt待签名文件,
test.private私钥,
sha256.sign签名结果
openssl dgst -sign test.private -sha256 -out sha256.sign testsign.txt
3 验证签名
openssl dgst -verify public_key.pem -sha256 -signature sha256.sign testsign.txt
查看证书test.crt内容
openssl x509 -in ./test.crt -text
查看key
openssl rsa -in ./test.key -text
检测私钥一致性
openssl rsa -in test.key -check
https://www.cnblogs.com/wyzhou/p/9738964.html
pem文件是用ASCLL(BASE64)编码的
DER文件是二进制编码
公钥经过CA签名后可以当作证书
合成证书链,证书格式需要转化为pem格式
openssl crl2pkcs7 -inform PEM -certfile rootca.crt -certfile second-platform-ca.crt -certfile leaf.pem -outform PEM -out root1.p7b -nocrl
转化p7b文件
openssl pkcs7 -print_certs -in root1.p7b -out cert1.cer
验证证书链
openssl verify -CAfile cert1.cer fourth.pem
der转化pem
openssl x509 -inform der -in myserver.der -outform pem -out myserver.pem
pem转化der
openssl x509 -inform pem -in myserver.pem -outform der -out myserver.der