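Because my work involves handling all kinds of public keys, private keys, and certificates with the RSA public-key algorithm, it is worth organizing and memorizing their formats.
In practice many different file extensions are in use, and unless you understand what each one means it is hard to tell them apart at a glance.
Notes on file extensions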
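- The .DER and .PEM extensions indicate the encoding format, not the file contents.
- The underlying data is binary, but it is not just a bare string such as an MD5 hash; it has a structure. .DER and .PEM indicate which format that structure is stored in.
- .DER
  - A binary file serialized using the ASN.1 structure (defined by ISO and ITU-T).
  - With the openssl command, selected by passing -inform der (for input) or -outform der (for output).
- .PEM
  - The same ASN.1-structured data as .DER, converted to Base64.
  - If the file begins with -----BEGIN, it can be assumed to be PEM.
  - The default format of the openssl command.
- The .CRT, .CER, .KEY, and .CSR extensions indicate the file contents, not the encoding format.
- The .p12 extension indicates the PKCS#12 Personal Information Exchange file format.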
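Added example (not part of the original article): because PEM is only Base64 armor around the same DER bytes, the encoding can be detected from the content instead of the extension. This Python code strips the armor from the public key printed later on this page and walks its ASN.1 structure to recover the modulus and exponent; the function names are illustrative assumptions.

```python
import base64
import re

# Public key copied from this page's `openssl x509 -pubkey -noout` output.
PUBLIC_KEY_PEM = b"""-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDkVqFrkM71VDdhyqS+muViD3DX
f4n0QIIuPtarsn3S+1GxcmtioPJdDzTCG92iU1IY6+r64l2t28IQz6xmAXwnVUkU
2a5t0pmhLeLU7UW8GNYXfAg9WwUSUsUUHAA3UMco4Id/0gWjODT8KpJtfVMhfS5F
zdFUt1QKsy5dDNvCHwIDAQAB
-----END PUBLIC KEY-----
"""

def to_der(data: bytes) -> bytes:
    """Return DER bytes whether the input is PEM or already DER, judged by content."""
    m = re.search(rb"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", data, re.S)
    if m is None:
        return data  # no armor lines: treat the input as raw DER
    return base64.b64decode(b"".join(m.group(2).split()))

def read_tlv(buf: bytes, pos: int):
    """Read one DER tag-length-value and return (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def rsa_public_numbers(data: bytes):
    """Parse a SubjectPublicKeyInfo (BEGIN PUBLIC KEY) into (modulus, exponent)."""
    der = to_der(data)
    tag, spki, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a single DER SEQUENCE")
    _, _alg, pos = read_tlv(spki, 0)       # AlgorithmIdentifier (rsaEncryption)
    tag, bits, _ = read_tlv(spki, pos)     # BIT STRING wrapping RSAPublicKey
    if tag != 0x03 or bits[0] != 0:
        raise ValueError("unexpected subjectPublicKey encoding")
    _, rsa_key, _ = read_tlv(bits[1:], 0)  # SEQUENCE { modulus, publicExponent }
    _, n, pos = read_tlv(rsa_key, 0)
    _, e, _ = read_tlv(rsa_key, pos)
    return int.from_bytes(n, "big"), int.from_bytes(e, "big")

if __name__ == "__main__":
    n, e = rsa_public_numbers(PUBLIC_KEY_PEM)
    print(n.bit_length(), e, format(n, "x")[:8])
```

The recovered values agree with the Modulus and Exponent fields that openssl rsa -pubin -text prints for the same key. The 1024-bit length comes from the genrsa 1024 command used on this page; current guidance for new RSA keys is at least 2048 bits.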
Generating the private key and public key
- Generating an RSA private key
> openssl genrsa 1024 > private-key.pem
Generating RSA private key, 1024 bit long modulus
..................++++++
........................................++++++
e is 65537 (0x10001)
With no format option given, the output is PEM by default, hence the .pem extension.
- Generating the RSA public key
> openssl rsa -in private-key.pem -pubout -out public-key.pem
writing RSA key
Viewing file contents
- Viewing a private key
> openssl rsa -in private-key.pem -text -noout
Private-Key: (1024 bit)
modulus:
00:e4:56:a1:6b:90:ce:f5:54:37:61:ca:a4:be:9a:
e5:62:0f:70:d7:7f:89:f4:40:82:2e:3e:d6:ab:b2:
7d:d2:fb:51:b1:72:6b:62:a0:f2:5d:0f:34:c2:1b:
dd:a2:53:52:18:eb:ea:fa:e2:5d:ad:db:c2:10:cf:
ac:66:01:7c:27:55:49:14:d9:ae:6d:d2:99:a1:2d:
e2:d4:ed:45:bc:18:d6:17:7c:08:3d:5b:05:12:52:
c5:14:1c:00:37:50:c7:28:e0:87:7f:d2:05:a3:38:
34:fc:2a:92:6d:7d:53:21:7d:2e:45:cd:d1:54:b7:
54:0a:b3:2e:5d:0c:db:c2:1f
publicExponent: 65537 (0x10001)
privateExponent:
00:d3:d8:37:ec:f7:2d:bb:d8:c5:85:1a:20:1c:a2:
d2:fc:56:7d:07:c2:51:38:66:7d:20:f0:b5:f4:18:
26:ba:8e:e6:ad:2e:0d:c9:34:af:87:7d:2b:22:87:
fd:e9:b3:49:f0:cb:38:78:49:7a:46:6a:23:b3:bb:
29:24:7e:6e:32:c3:3d:a0:fc:a9:23:51:79:b4:59:
f7:dd:9e:57:ca:52:cb:cd:e1:fe:8c:9a:3c:18:22:
a0:36:be:c2:8b:44:44:32:7f:4b:c6:34:ad:1a:dc:
e3:9b:a2:fa:86:c8:9f:d0:da:38:ee:88:d5:f5:33:
45:2b:7e:0e:eb:e8:5d:da:61
prime1:
00:f3:f4:3c:25:ed:78:93:12:30:04:ae:95:00:17:
87:f4:43:87:e6:66:71:28:98:96:c3:d8:21:6d:8a:
3f:a4:45:31:3d:fb:09:fb:4a:b3:38:6d:9a:ca:ba:
bc:47:65:e2:84:20:52:a6:46:a9:42:7e:b8:82:69:
2f:38:72:73:8f
prime2:
00:ef:9d:00:81:5b:0f:59:7c:4f:88:d6:1b:d5:b2:
a4:02:30:c4:e7:a2:73:b2:6d:59:31:e2:6d:d5:5a:
c1:8e:22:ff:04:8d:15:e5:78:20:3a:75:d4:18:3c:
aa:43:53:5e:95:72:9b:5f:df:a8:ba:25:6d:75:b4:
3b:8d:dd:40:71
exponent1:
08:27:df:26:e9:74:81:7e:37:2a:c0:e7:6c:54:5d:
10:36:7d:c1:9f:25:23:55:4e:9d:07:89:be:8e:c3:
a7:eb:44:45:2d:32:5d:3b:57:18:88:d9:86:f3:8d:
3d:d9:d3:23:d5:ac:cd:b0:49:12:57:08:36:1b:ec:
1f:37:fc:53
exponent2:
78:a2:7f:d5:a0:65:ca:f4:b6:0a:3b:59:8a:2e:45:
3a:41:19:71:51:2d:94:a0:4e:ee:b9:83:f8:8d:97:
b3:1a:d5:6f:92:24:7b:02:0e:9f:c0:20:c7:0f:0b:
dd:97:84:a0:13:32:3c:83:9b:2c:14:99:d6:4f:a6:
48:17:23:51
coefficient:
00:b5:74:c2:20:d1:57:16:f3:02:05:be:0a:78:f5:
ea:52:05:e0:c6:b1:46:80:5c:7a:62:18:1f:d2:e9:
61:34:6c:71:2e:97:e5:f7:b0:4e:0c:d7:c8:31:8e:
e7:a8:cd:8b:51:49:70:73:60:ff:3b:41:76:46:c1:
0a:28:93:97:ea
"prime" means a prime number. The key is generated from prime1 and prime2.
- Viewing a public key
> openssl rsa -pubin -in public-key.pem -text -noout
Modulus (1024 bit):
00:e4:56:a1:6b:90:ce:f5:54:37:61:ca:a4:be:9a:
e5:62:0f:70:d7:7f:89:f4:40:82:2e:3e:d6:ab:b2:
7d:d2:fb:51:b1:72:6b:62:a0:f2:5d:0f:34:c2:1b:
dd:a2:53:52:18:eb:ea:fa:e2:5d:ad:db:c2:10:cf:
ac:66:01:7c:27:55:49:14:d9:ae:6d:d2:99:a1:2d:
e2:d4:ed:45:bc:18:d6:17:7c:08:3d:5b:05:12:52:
c5:14:1c:00:37:50:c7:28:e0:87:7f:d2:05:a3:38:
34:fc:2a:92:6d:7d:53:21:7d:2e:45:cd:d1:54:b7:
54:0a:b3:2e:5d:0c:db:c2:1f
Exponent: 65537 (0x10001)
- Viewing a certificate
Certificates are viewed with the openssl x509 command.
> openssl x509 -in public-key.crt -text -noout
Certificate:
Data:
Version: 1 (0x0)
Serial Number:
b0:a6:d9:14:7e:56:22:56
Signature Algorithm: sha1WithRSAEncryption
...
Converting between encodings
- PEM private key <=> DER private key
> openssl rsa -in private-key.pem -out private-key.der -outform der
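-in specifies the key to convert (the input)
-out specifies the converted key (the output)
-outform specifies the output format (for -outform pem it may be omitted)
-inform specifies the input format
The reverse conversion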
> openssl rsa -in private-key.der -inform der -out private-key.pem
- PEM public key <=> DER public key
> openssl rsa -pubin -in public-key.pem -out public-key.der -outform der
> openssl rsa -pubin -in public-key.der -inform der -out public-key.pem
- PEM certificate <=> DER certificate
> openssl x509 -in public-key.crt -out public-key.der.crt -outform der
> openssl x509 -in public-key.der.crt -inform der -out public-key.crt
Creating a certificate (a signed public key)
- Creating the certificate signing request (CSR)
> openssl req -new -key private-key.pem > my-request.csr
- Viewing a CSR
> openssl req -in my-request.csr -text -noout
Certificate Request:
Data:
Version: 0 (0x0)
- Issuing a certificate from the CSR
> openssl x509 -req -in my-request.csr -CA ca-crt.pem -CAkey ca-private-key.pem -CAcreateserial -days 3650 -out public-key.crt
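-CA ca-crt.pem specifies the certificate of your own CA
-CAkey ca-private-key.pem specifies the private key of your own CA (the private key corresponding to the public key contained in ca-crt.pem above)
-CAcreateserial generates the serial number automatically
- Extracting the public key from a certificate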
> openssl x509 -in public-key.crt -pubkey
-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDkVqFrkM71VDdhyqS+muViD3DX
f4n0QIIuPtarsn3S+1GxcmtioPJdDzTCG92iU1IY6+r64l2t28IQz6xmAXwnVUkU
2a5t0pmhLeLU7UW8GNYXfAg9WwUSUsUUHAA3UMco4Id/0gWjODT8KpJtfVMhfS5F
zdFUt1QKsy5dDNvCHwIDAQAB
-----END PUBLIC KEY-----
-----BEGIN CERTIFICATE-----
MIICAzCCAWwCCQCgYvbe6d0oLzANBgkqhkiG9w0BAQUFADBGMQswCQYDVQQGEwJK
UDEOMAwGA1UECBMFVG9reW8xEDAOBgNVBAcTB1NoaWJ1eWExFTATBgNVBAoTDFJp
cHBsZXggSW5jLjAeFw0xNTAxMDYwNjU1MjJaFw0yNTAxMDMwNjU1MjJaMEYxCzAJ
BgNVBAYTAkpQMQ4wDAYDVQQIEwVUb2t5bzEQMA4GA1UEBxMHU2hpYnV5YTEVMBMG
A1UEChMMUmlwcGxleCBJbmMuMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDk
VqFrkM71VDdhyqS+muViD3DXf4n0QIIuPtarsn3S+1GxcmtioPJdDzTCG92iU1IY
6+r64l2t28IQz6xmAXwnVUkU2a5t0pmhLeLU7UW8GNYXfAg9WwUSUsUUHAA3UMco
4Id/0gWjODT8KpJtfVMhfS5FzdFUt1QKsy5dDNvCHwIDAQABMA0GCSqGSIb3DQEB
BQUAA4GBAC/D6RWTTeshiWvrwwyU98aP47DVxzUhUbfR3HHaAe3r++/FlUlRsvZN
PPKjAjLdIOuzHPOPFbmOUzb+T8uPZp1P7oGe+g1MmjgyR9soKPETiLirCqa4sLfz
GTfdh3X/RrSfugcjHPJmfgtpLDml6K1ikulyPDH56l8/AKulJxLx
-----END CERTIFICATE-----
Adding the -noout option outputs only the public key.
> openssl x509 -in public-key.crt -pubkey -noout
-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDkVqFrkM71VDdhyqS+muViD3DX
f4n0QIIuPtarsn3S+1GxcmtioPJdDzTCG92iU1IY6+r64l2t28IQz6xmAXwnVUkU
2a5t0pmhLeLU7UW8GNYXfAg9WwUSUsUUHAA3UMco4Id/0gWjODT8KpJtfVMhfS5F
zdFUt1QKsy5dDNvCHwIDAQAB
-----END PUBLIC KEY-----
Save it in PEM format.
> openssl x509 -in public-key.crt -pubkey -noout > public-key-recovered.pem