用OpenSSL搭建PKI证书体系

1 创建PKI结构目录

mkdir 07_PKI
cd 07_PKI
mkdir 01_RootCA 02_SubCA 03_Client

2 创建根CA

cd 01_RootCA
mkdir key csr cert newcerts
touch index.txt index.txt.attr
echo 01 > serial

2.1 创建根CA密钥对

2.1.1 生成 长度为2048 bit 的RSA私钥。

cd key
openssl genrsa -out pri_key.pem 2048

2.1.2 查看生成的RSA私钥。

openssl rsa -in pri_key.pem -text

2.1.3 从私钥文件中提取RSA公钥

openssl rsa -in pri_key.pem -pubout -out pub_key.pem#

2.2 创建根CA的证书签名请求（CSR）

2.2.1 创建CSR

创建根 CA 配置文件 rootca.conf:

cd ..
touch rootca.conf

根 CA 配置文件 rootca.conf 内容如下：

[ ca ]
default_ca  = CA_default[ CA_default ]
dir         = E:/07_PKI/01_RootCA
certs       = $dir/cert
crl_dir     = $dir/crl
database    = $dir/index.txt
new_certs_dir   = $dir/newcerts
certificate = $dir/cert/rootca_cert.crt
serial      = $dir/serial
crlnumber   = $dir/crlnumber
crl         = $dir/crl.pem
private_key = $dir/key/pri_key.pem
RANDFILE    = $dir/key/.rand
unique_subject  = nox509_extensions = usr_cert
copy_extensions = copyname_opt    = ca_default
cert_opt    = ca_defaultdefault_days    = 5475
default_crl_days= 60
default_md  = sha256
preserve    = no
policy      = policy_ca[ policy_ca ]
countryName     = supplied
stateOrProvinceName = supplied
localityName        = supplied
organizationName    = supplied
organizationalUnitName  = optional
commonName      = supplied
emailAddress    = optional[ req ]
default_bits        = 2048
default_keyfile     = pri_key.pem
distinguished_name  = req_distinguished_name
attributes      = req_attributes
x509_extensions = v3_ca
string_mask = utf8only
utf8 = yes
prompt                  = no[ req_distinguished_name ]
countryName         = CN
stateOrProvinceName = GuangDong
localityName        = ShenZhen
organizationName    = TangTring
commonName          = RootCA[ usr_cert ]
basicConstraints = CA:TRUE[ v3_ca ]
basicConstraints = CA:TRUE[ req_attributes ]

创建根 CA 证书签名请求文件，指定签名算法为 sha256，默认为 sha1 算法。

cd csr
openssl req -new -key ../key/pri_key.pem -out rootca_csr.pem -config ../rootca.conf

2.2.2 查看CSR

openssl req -in rootca_csr.pem

输出内容如下：

-----BEGIN CERTIFICATE REQUEST-----
MIICnjCCAYYCAQAwWTELMAkGA1UEBhMCQ04xEjAQBgNVBAgMCUd1YW5nRG9uZzER
MA8GA1UEBwwIU2hlblpoZW4xEjAQBgNVBAoMCVRhbmdUcmluZzEPMA0GA1UEAwwG
Um9vdENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsGjDN8ge3f9i
CrAfsrLln/RMXz7EAqMMIjGmChMlQdXEArCT/FdxfoomOWfTHRTREnFthZ9w+TOq
kvgOyQuiFGTJRZ2c3T2FidfFJ5yA06UOELBXWXqhjvYYP+EWGtdn0kOg/tA7QKTG
ZyggQzJQmsAfZkk5vpV1Ok+ZtwoxWZPL0/xBRxZAuF2gxByN4Mt81rsgWLowPX5X
tINDCifEx1BlHZGxlWUWVIVj1SAf+g2S42s5d1xNrZNpKTMe46bduLuYGk4SqeZP
uXyTkVLq00VmgM7Ma9UHucrBmYQ/ybDJlOjgON1rVQqXR0dWTwx65iOVzAf+0hYj
Lc96+ZarEwIDAQABoAAwDQYJKoZIhvcNAQELBQADggEBAAecVqSze262UIRgBYWG
RQAri+DM84tfVzj7ayIZnpBCHpi2dsatFRxAmwgKwhv/syE7xyTRQ8kUzBBIts6s
hqDblMRl/RDO05iXlk1US3rIoWhJvUrK++aWLHQTYfMMCCdEblRg4IMi1E1CFWSW
nmsnqHsb/JSdWKrGlpZFHamLHafR0IcTWwLierQ30DEvDuLLYbWO2VKq2u2r69V8
MDhOc8em1PEEdLGZR+QkJ+wKj1xt5ICn2KuQfrQXk5QdnkR2Wti/hZMm4rOQd8A1
APOWJAroYwdgNam/csyNF7binpEczCSamseWgrajTPhIdB+IUfjk3ha+djP10ivo
JYo=
-----END CERTIFICATE REQUEST-----

以文本形式输出请求文件头使用 -noout -text 参数.

openssl req -in rootca_csr.pem -text -noout

输出如下：

Certificate Request:Data:Version: 1 (0x0)Subject: C=CN, ST=GuangDong, L=ShenZhen, O=TangTring, CN=RootCASubject Public Key Info:Public Key Algorithm: rsaEncryptionPublic-Key: (2048 bit)Modulus:00:b0:68:c3:37:c8:1e:dd:ff:62:0a:b0:1f:b2:b2:e5:9f:f4:4c:5f:3e:c4:02:a3:0c:22:31:a6:0a:13:25:41:d5:c4:02:b0:93:fc:57:71:7e:8a:26:39:67:d3:1d:14:d1:12:71:6d:85:9f:70:f9:33:aa:92:f8:0e:c9:0b:a2:14:64:c9:45:9d:9c:dd:3d:85:89:d7:c5:27:9c:80:d3:a5:0e:10:b0:57:59:7a:a1:8e:f6:18:3f:e1:16:1a:d7:67:d2:43:a0:fe:d0:3b:40:a4:c6:67:28:20:43:32:50:9a:c0:1f:66:49:39:be:95:75:3a:4f:99:b7:0a:31:59:93:cb:d3:fc:41:47:16:40:b8:5d:a0:c4:1c:8d:e0:cb:7c:d6:bb:20:58:ba:30:3d:7e:57:b4:83:43:0a:27:c4:c7:50:65:1d:91:b1:95:65:16:54:85:63:d5:20:1f:fa:0d:92:e3:6b:39:77:5c:4d:ad:93:69:29:33:1e:e3:a6:dd:b8:bb:98:1a:4e:12:a9:e6:4f:b9:7c:93:91:52:ea:d3:45:66:80:ce:cc:6b:d5:07:b9:ca:c1:99:84:3f:c9:b0:c9:94:e8:e0:38:dd:6b:55:0a:97:47:47:56:4f:0c:7a:e6:23:95:cc:07:fe:d2:16:23:2d:cf:7a:f9:96:ab:13Exponent: 65537 (0x10001)Attributes:(none)Requested Extensions:Signature Algorithm: sha256WithRSAEncryptionSignature Value:07:9c:56:a4:b3:7b:6e:b6:50:84:60:05:85:86:45:00:2b:8b:e0:cc:f3:8b:5f:57:38:fb:6b:22:19:9e:90:42:1e:98:b6:76:c6:ad:15:1c:40:9b:08:0a:c2:1b:ff:b3:21:3b:c7:24:d1:43:c9:14:cc:10:48:b6:ce:ac:86:a0:db:94:c4:65:fd:10:ce:d3:98:97:96:4d:54:4b:7a:c8:a1:68:49:bd:4a:ca:fb:e6:96:2c:74:13:61:f3:0c:08:27:44:6e:54:60:e0:83:22:d4:4d:42:15:64:96:9e:6b:27:a8:7b:1b:fc:94:9d:58:aa:c6:96:96:45:1d:a9:8b:1d:a7:d1:d0:87:13:5b:02:e2:7a:b4:37:d0:31:2f:0e:e2:cb:61:b5:8e:d9:52:aa:da:ed:ab:eb:d5:7c:30:38:4e:73:c7:a6:d4:f1:04:74:b1:99:47:e4:24:27:ec:0a:8f:5c:6d:e4:80:a7:d8:ab:90:7e:b4:17:93:94:1d:9e:44:76:5a:d8:bf:85:93:26:e2:b3:90:77:c0:35:00:f3:96:24:0a:e8:63:07:60:35:a9:bf:72:cc:8d:17:b6:e2:9e:91:1c:cc:24:9a:9a:c7:96:82:b6:a3:4c:f8:48:74:1f:88:51:f8:e4:de:16:be:76:33:f5:d2:2b:e8:25:8a

2.2.3 验证CSR的签名

openssl req -verify -in rootca_csr.pem -noout

输出：

Certificate request self-signature verify OK

2.3 创建根CA自签名证书

2.3.1 生成根CA证书

生成自签名的根CA证书：

cd ../cert
openssl ca -selfsign -in ../csr/rootca_csr.pem -out rootca_cert.crt -config ../rootca.conf

输出内容如下：

Using configuration from ../rootca.conf
Check that the request matches the signature
Signature ok
Certificate Details:Serial Number: 1 (0x1)ValidityNot Before: Sep 24 07:32:28 2024 GMTNot After : Sep 21 07:32:28 2039 GMTSubject:countryName               = CNstateOrProvinceName       = GuangDonglocalityName              = ShenZhenorganizationName          = TangTringcommonName                = RootCAX509v3 extensions:X509v3 Basic Constraints:CA:TRUE
Certificate is to be certified until Sep 21 07:32:28 2039 GMT (5475 days)
Sign the certificate? [y/n]:y1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Database updated

2.3.2 查看证书文件：

以文本形式查看证书文件：

openssl x509 -in rootca_cert.crt -text -noout

输出内容如下：

Certificate:Data:Version: 3 (0x2)Serial Number:54:31:e1:11:20:6c:0e:7b:a2:3b:fc:17:64:a4:30:a3:d7:75:b2:00Signature Algorithm: sha256WithRSAEncryptionIssuer: C=CN, ST=GuangDong, L=ShenZhen, O=TangTring, CN=RootCAValidityNot Before: Sep 24 02:52:22 2024 GMTNot After : Sep 22 02:52:22 2034 GMTSubject: C=CN, ST=GuangDong, L=ShenZhen, O=TangTring, CN=RootCASubject Public Key Info:Public Key Algorithm: rsaEncryptionPublic-Key: (2048 bit)Modulus:00:b0:68:c3:37:c8:1e:dd:ff:62:0a:b0:1f:b2:b2:e5:9f:f4:4c:5f:3e:c4:02:a3:0c:22:31:a6:0a:13:25:41:d5:c4:02:b0:93:fc:57:71:7e:8a:26:39:67:d3:1d:14:d1:12:71:6d:85:9f:70:f9:33:aa:92:f8:0e:c9:0b:a2:14:64:c9:45:9d:9c:dd:3d:85:89:d7:c5:27:9c:80:d3:a5:0e:10:b0:57:59:7a:a1:8e:f6:18:3f:e1:16:1a:d7:67:d2:43:a0:fe:d0:3b:40:a4:c6:67:28:20:43:32:50:9a:c0:1f:66:49:39:be:95:75:3a:4f:99:b7:0a:31:59:93:cb:d3:fc:41:47:16:40:b8:5d:a0:c4:1c:8d:e0:cb:7c:d6:bb:20:58:ba:30:3d:7e:57:b4:83:43:0a:27:c4:c7:50:65:1d:91:b1:95:65:16:54:85:63:d5:20:1f:fa:0d:92:e3:6b:39:77:5c:4d:ad:93:69:29:33:1e:e3:a6:dd:b8:bb:98:1a:4e:12:a9:e6:4f:b9:7c:93:91:52:ea:d3:45:66:80:ce:cc:6b:d5:07:b9:ca:c1:99:84:3f:c9:b0:c9:94:e8:e0:38:dd:6b:55:0a:97:47:47:56:4f:0c:7a:e6:23:95:cc:07:fe:d2:16:23:2d:cf:7a:f9:96:ab:13Exponent: 65537 (0x10001)X509v3 extensions:X509v3 Subject Key Identifier:D9:C2:22:B4:CA:46:BA:AC:32:D6:AC:97:BF:81:17:09:A9:D5:04:F6X509v3 Authority Key Identifier:D9:C2:22:B4:CA:46:BA:AC:32:D6:AC:97:BF:81:17:09:A9:D5:04:F6X509v3 Basic Constraints: criticalCA:TRUESignature Algorithm: sha256WithRSAEncryptionSignature Value:76:02:c3:e9:da:e5:c9:37:75:57:fd:97:62:80:9f:3b:67:a0:f3:32:7d:1e:3a:f4:bd:c2:e4:10:3f:b6:64:7c:2e:9a:47:e4:5a:56:c6:c4:fc:b9:68:2a:ef:83:d9:10:b3:e2:23:93:2c:47:49:4c:df:d4:3f:ea:c2:76:bb:2a:c4:a0:c6:c0:f9:2c:5a:43:1f:dd:84:16:89:6d:a6:b4:7c:16:58:fa:90:a9:36:0c:b1:e4:d8:57:30:a4:47:d9:ec:a4:df:df:57:ea:69:9a:fa:27:7c:db:77:5f:ad:25:84:78:8b:a5:2c:cc:22:93:01:f8:9d:65:ce:dc:4a:b3:a2:e7:df:b8:c4:74:ee:99:d3:27:db:1e:6a:13:e2:b1:d2:6d:86:05:be:f7:46:e6:4d:14:67:85:27:a2:af:6b:39:95:ed:b3:a3:43:3d:17:4c:5c:53:2d:42:97:47:6a:9b:bb:d2:3a:4e:7d:92:74:a3:51:a8:dd:d4:c7:c1:9a:e1:31:68:3c:71:ea:42:1b:77:09:d0:1d:29:ca:16:a7:87:28:47:f4:c9:c9:43:c1:1d:d6:9d:4a:27:40:c8:86:e2:39:c0:3d:a7:ad:d6:0a:ae:d2:f9:bf:21:aa:b8:68:23:db:83:fd:d9:72:f8:39:d4:be:1d:3f:f6:2c:39:e8

3 创建二级CA证书

cd ../../02_SubCA
mkdir key csr cert newcerts
touch index.txt index.txt.attr
echo 01 > serial

3.1 创建二级CA秘钥对

cd key
openssl genrsa -out pri_key.pem 2048

3.2 创建二级CA证书签名请求

创建二级CA配置文件

cd ../
vim subca.conf

subca.conf 文件内容如下：

[ ca ]
default_ca  = CA_default[ CA_default ]
dir         = E:/07_PKI/02_SubCA
certs       = $dir/cert
crl_dir     = $dir/crl
database    = $dir/index.txt
new_certs_dir   = $dir/newcerts
certificate = $dir/cert/subca_cert.crt
serial      = $dir/serial
crlnumber   = $dir/crlnumber
crl         = $dir/crl.pem
private_key = $dir/key/pri_key.pem
RANDFILE    = $dir/key/.rand
unique_subject  = nox509_extensions = usr_cert
copy_extensions = copyname_opt    = ca_default
cert_opt    = ca_defaultdefault_days = 3650
default_crl_days = 30
default_md  = sha256
preserve    = no
policy      = policy_ca[ policy_ca ]
countryName = supplied
stateOrProvinceName = supplied
localityName = supplied
organizationName    = supplied
organizationalUnitName = optional
commonName   = supplied
emailAddress = optional[ req ]
default_bits        = 2048
default_keyfile     = pri_key.pem
distinguished_name  = req_distinguished_name
attributes      = req_attributes
x509_extensions = v3_ca
string_mask = utf8only
utf8 = yes
prompt = no[ req_distinguished_name ]
countryName = CN
stateOrProvinceName = GuangDong
localityName = ShenZhen
organizationName = TangTring
commonName = SubCA[ usr_cert ]
basicConstraints = CA:FALSE[ v3_ca ]
basicConstraints = CA:TRUE[ req_attributes ]

cd csr
openssl req -new -key ../key/pri_key.pem -out subca_csr.pem -config ../subca.conf

3.3 创建二级CA证书

cd ../cert
openssl ca -in ../csr/subca_csr.pem -out subca_cert.crt -config ../../01_RootCA/rootca.conf -days 3650

输出内容如下：

Using configuration from ../../01_RootCA/rootca.conf
Check that the request matches the signature
Signature ok
Certificate Details:Serial Number: 3 (0x3)ValidityNot Before: Sep 24 07:55:39 2024 GMTNot After : Sep 22 07:55:39 2034 GMTSubject:countryName               = CNstateOrProvinceName       = GuangDonglocalityName              = ShenZhenorganizationName          = TangTringcommonName                = SubCAX509v3 extensions:X509v3 Basic Constraints:CA:TRUE
Certificate is to be certified until Sep 22 07:55:39 2034 GMT (3650 days)
Sign the certificate? [y/n]:y1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Database updated

生成的二级CA证书如下：

$ openssl x509 -in subca_cert.crt -text -noout
Certificate:Data:Version: 3 (0x2)Serial Number: 3 (0x3)Signature Algorithm: sha256WithRSAEncryptionIssuer: C=CN, ST=GuangDong, L=ShenZhen, O=TangTring, CN=RootCAValidityNot Before: Sep 24 07:55:39 2024 GMTNot After : Sep 22 07:55:39 2034 GMTSubject: C=CN, ST=GuangDong, L=ShenZhen, O=TangTring, CN=SubCASubject Public Key Info:Public Key Algorithm: rsaEncryptionPublic-Key: (2048 bit)Modulus:00:be:8b:38:47:90:f9:dd:6d:79:3d:0d:1f:8e:ee:e1:2b:8d:7b:ce:a9:3b:0a:03:4b:c0:d2:dc:3d:a9:69:d2:49:5e:22:65:bc:96:cf:05:1d:a9:ed:a7:fb:a5:03:71:30:0f:4d:7c:cb:4d:b5:bd:d0:22:5c:42:83:ff:27:1f:31:c2:e3:e9:d4:b8:d1:c9:9a:3d:d1:91:31:f0:56:c3:85:b9:e9:06:5b:f6:fb:82:bc:33:f6:c4:e7:58:36:f3:eb:6c:ea:2d:24:b7:ca:ff:21:e2:b1:00:7f:5f:d6:39:c1:16:5a:d1:c6:58:a7:db:1f:cd:43:df:f3:c0:b9:ca:88:3d:f9:6d:a4:08:d2:f9:58:d5:50:ea:60:e1:92:89:21:df:30:42:f6:b5:ec:fe:2d:c0:03:cb:77:da:46:02:5c:ea:cf:fc:80:21:1e:10:83:d0:b8:19:bc:68:77:45:ce:53:98:c9:c8:89:af:3e:19:73:f1:cd:9c:92:05:34:0b:f3:4d:77:2d:cc:c5:db:f0:0e:cf:c8:d9:e3:1b:da:31:d6:9c:c9:3e:2c:f3:a3:90:0e:c0:a2:f5:0c:35:9e:95:ed:8e:26:c8:97:2c:ec:5d:5c:93:8b:70:18:3b:a5:30:c8:4c:77:3f:fe:47:10:f9:bc:1a:81:1f:13:07:58:a5Exponent: 65537 (0x10001)X509v3 extensions:X509v3 Basic Constraints:CA:TRUEX509v3 Subject Key Identifier:B6:CC:8A:AD:75:53:3A:5A:95:3D:53:20:7B:87:2E:E4:8A:90:63:F9X509v3 Authority Key Identifier:D9:C2:22:B4:CA:46:BA:AC:32:D6:AC:97:BF:81:17:09:A9:D5:04:F6Signature Algorithm: sha256WithRSAEncryptionSignature Value:8f:37:94:68:95:fe:91:d4:f3:ea:eb:70:10:24:02:c4:af:87:a6:09:60:d3:e7:5b:c4:b5:62:4b:58:d4:7a:d0:b4:15:ca:2e:d1:1b:32:a1:8c:7f:8b:68:43:1a:61:e4:7a:01:b1:56:30:b3:a5:1e:5e:d9:35:8f:cf:9a:34:80:8a:ab:7c:68:f3:54:fb:71:45:87:09:5f:71:0d:d2:c8:a9:36:fc:6a:5d:00:7a:d3:2a:7a:00:f5:d4:37:25:66:ed:0d:b2:df:3f:fd:7c:11:71:17:f0:a6:41:2c:d6:70:3d:76:af:ef:4d:03:ee:ba:05:8a:1b:ea:0c:5a:dc:ca:5e:07:b4:fc:b0:71:80:f2:bd:20:e7:5f:ca:42:51:f7:90:2a:cc:f5:de:be:cf:42:22:58:51:28:fa:43:af:e3:68:7b:11:20:35:a1:9e:0f:da:bc:e2:2a:4e:c4:9b:f7:ed:e1:65:96:68:4a:24:59:c2:fd:04:3d:e5:e3:4d:38:4a:0d:38:7a:0a:e3:fd:48:ad:88:93:f0:bb:a0:21:c3:fe:9e:ce:b5:e6:11:8b:2a:4b:3a:12:b0:9c:92:4c:bb:a6:1c:ba:f7:de:6f:9e:ff:6b:fa:d0:fa:8b:37:7b:76:be:cd:e5:e4:c6:7f:6e:43:49:ff:70:64:86:c0:35:e0

4 使用二级CA证书签发实体端证书

4.1 创建实体端证书配置文件

cd ../../03_Client/
mkdir key csr cert
touch client.conf

client.conf文件内容如下：

[ req ]
prompt             = no
distinguished_name = server_distinguished_name
req_extensions     = req_ext
x509_extensions = v3_req
attributes      = req_attributes[ server_distinguished_name ]
countryName         = CN
stateOrProvinceName = GuangDong
localityName        = ShenZhen
organizationName    = TangTring
commonName          = SPNM04_CN[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment[ req_attributes ][ req_ext ]
subjectAltName = @alternate_names[ alternate_names ]
DNS.1 = SPNM04_CN.cn
DNS.2 = bbs.SPNM04_CN.cn

4.2 创建实体端证书秘钥

cd key
openssl genrsa -out pri_key.pem 2048

4.3 创建实体端证书签名请求

cd ../csr
openssl req -new -key ../key/pri_key.pem -out client_csr.pem -config ../client.conf

4.4 生成实体端证书

cd ../cert
openssl ca -in ../csr/client_csr.pem -out client_cert.crt -config ../../02_SubCA/subca.conf -days 1825

输出内容如下：

Using configuration from ../../02_SubCA/subca.conf
Check that the request matches the signature
Signature ok
Certificate Details:Serial Number: 1 (0x1)ValidityNot Before: Sep 24 08:22:57 2024 GMTNot After : Sep 23 08:22:57 2029 GMTSubject:countryName               = CNstateOrProvinceName       = GuangDonglocalityName              = ShenZhenorganizationName          = TangTringcommonName                = SPNM04_CNX509v3 extensions:X509v3 Basic Constraints:CA:FALSEX509v3 Subject Alternative Name:DNS:SPNM04_CN.cn, DNS:bbs.SPNM04_CN.cn
Certificate is to be certified until Sep 23 08:22:57 2029 GMT (1825 days)
Sign the certificate? [y/n]:y1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Database updated

生成的实体端证书如下：

$ openssl x509 -in client_cert.crt -text -noout
Certificate:Data:Version: 3 (0x2)Serial Number: 1 (0x1)Signature Algorithm: sha256WithRSAEncryptionIssuer: C=CN, ST=GuangDong, L=ShenZhen, O=TangTring, CN=SubCAValidityNot Before: Sep 24 08:22:57 2024 GMTNot After : Sep 23 08:22:57 2029 GMTSubject: C=CN, ST=GuangDong, L=ShenZhen, O=TangTring, CN=SPNM04_CNSubject Public Key Info:Public Key Algorithm: rsaEncryptionPublic-Key: (2048 bit)Modulus:00:e4:5c:fd:94:01:11:47:8e:25:6a:76:42:1d:65:bc:68:dd:52:ba:1b:0e:43:98:c9:f2:27:a9:bb:13:a1:e9:76:43:e3:ac:c7:7e:ab:2e:cf:fc:e6:72:0a:1f:b4:0d:6c:dc:f1:c7:09:b2:09:72:d2:8f:53:6f:65:bf:1a:4d:dc:80:ca:5c:c0:66:be:4c:8a:77:e5:47:95:b6:96:eb:75:83:13:09:95:d6:e8:3c:ac:bf:e3:96:54:b7:c6:16:ea:5c:84:15:9a:c7:9a:22:c5:33:60:97:30:63:1d:37:c0:8a:6d:b4:50:1f:86:99:86:1c:88:0e:bf:9e:db:c6:03:e2:85:90:32:53:2a:7c:72:7c:40:1f:d7:ba:46:88:56:d8:5d:7c:c1:0c:4f:95:4a:ec:53:5f:63:cf:fc:aa:43:b9:f0:23:e2:f9:4c:29:30:95:4f:3b:57:af:51:ff:27:05:f9:4f:15:63:2f:34:92:c6:b3:ad:fd:21:3b:9d:36:b0:c1:6b:12:9c:60:d9:15:85:8f:d2:f1:ee:3c:1e:d3:c9:f0:86:ee:57:36:0c:07:2a:c6:d6:85:aa:96:a2:a4:7b:5c:8f:c1:22:3c:d5:4e:23:47:fa:99:87:fc:5c:90:3d:5f:3d:f4:57:e6:40:c2:a9:7d:6b:47:09:87:10:efExponent: 65537 (0x10001)X509v3 extensions:X509v3 Basic Constraints:CA:FALSEX509v3 Subject Alternative Name:DNS:SPNM04_CN.cn, DNS:bbs.SPNM04_CN.cnX509v3 Subject Key Identifier:C1:B6:B5:FC:8A:8D:8A:21:E9:60:DE:5B:8C:C1:AB:CA:59:44:57:D4X509v3 Authority Key Identifier:B6:CC:8A:AD:75:53:3A:5A:95:3D:53:20:7B:87:2E:E4:8A:90:63:F9Signature Algorithm: sha256WithRSAEncryptionSignature Value:24:2c:17:dc:80:0b:a4:61:20:18:f6:70:0b:72:26:a5:44:41:af:8c:76:be:d3:a9:25:e1:26:95:a2:5c:2c:5d:bd:7b:26:00:91:29:69:5b:20:4c:09:4a:4d:7a:b6:41:8e:d3:b7:df:7e:05:26:af:7f:4a:d4:97:88:10:d9:61:1b:03:1a:b4:48:db:0c:c8:fc:ec:58:49:dc:50:c5:8a:1c:22:7e:4a:40:a2:b3:43:b8:f9:f6:32:98:6e:31:46:2e:bd:2a:7e:ca:ba:07:2d:c3:9b:5f:14:33:2e:99:64:c0:dc:74:d3:a3:10:4c:7d:9f:26:59:5e:d5:a4:c7:1a:c2:08:9a:fd:eb:4d:7e:9a:23:78:94:7c:f0:1b:a5:2d:81:35:71:84:b1:66:dd:4e:b7:78:f6:79:ed:b6:37:e2:e8:9d:89:25:3e:94:76:78:00:20:d7:3f:9d:e1:71:ea:e1:5a:2d:da:c5:20:70:65:e5:9d:48:06:91:3a:5f:d3:92:0a:68:f2:84:de:a3:3f:11:10:f3:61:be:a8:eb:85:88:a1:95:f8:a5:c7:bf:d9:85:a7:8e:5e:38:3f:3c:dc:e3:41:0d:9d:94:c8:d5:3f:c3:33:59:21:da:47:03:10:49:78:12:5f:ca:55:9b:e2:54:b9:bd:75:92:0d:d7:79

5 其他常用openssl命令

5.1 聚合证书

聚合的时候要注意顺序

cd ../../
cat 03_Client/cert/client_cert.crt 02_SubCA/cert/subca_cert.crt 01_RootCA/cert/rootca_cert.crt | tee 03_Client/all_cert.crt

5.2 pem和der格式转换

转换 RSA 秘钥格式：

openssl rsa -inform pem -in pri_key.pem -outform der -out pri_key.der

crt证书转换为pem证书：

openssl x509 -in client_cert.crt -outform pem -out client_cert.pem

crt、pem证书转换为der证书格式：

openssl x509 -inform pem -in client_cert.crt -outform der -out client_cert.der
openssl x509 -inform pem -in client_cert.pem -outform der -out client_cert.der

pem证书转换为der证书：

openssl x509 -inform der -in client_cert.der -outform pem -out client_cert.pem