一、基本概念
非对称加密算法:http://baike.baidu.com/view/1490349.htm
数字签名:http://baike.baidu.com/view/7626.htm
HTTPS:http://baike.baidu.com/view/14121.htm
数字证书:http://baike.baidu.com/view/16501.htm
PKCS:http://baike.baidu.com/view/1477355.htm
X.509:http://baike.baidu.com/view/156016.htm
X.509和PKCS#7、PKCS#12等的区别:
x509是数字证书的规范,P7和P12是两种封装形式(分别用于分发公钥和传递证书)。我们使用的数字证书都是按照X.509来定义的,但是将证书用于传递时,比如服务器端以文件形式分发公钥,则需要使用P7标准来封装成PEM或DER编码方式的文件;又比如当从IE里把证书导出来时,可以以P12标准存成.pfx扩展名的证书,用于传递和再次导入。
二、证书格式分类
分为2大类:密钥库(含私钥,也可能有公钥)和公钥证书(仅含公钥)
密钥库文件格式【Keystore】
格式 : JKS
扩展名 : .jks/.ks
描述 : 【Java Keystore】密钥库的Java实现版本,provider为SUN
特点 : 密钥库和私钥用不同的密码进行保护
格式 : JCEKS
扩展名 : .jce
描述 : 【JCE Keystore】密钥库的JCE实现版本,provider为SUN JCE
特点 : 相对于JKS安全级别更高,保护Keystore私钥时采用TripleDES
格式 : PKCS12
扩展名 : .p12/.pfx
描述 : 【PKCS #12】个人信息交换语法标准
特点 : 1、包含私钥、公钥及其证书
2、密钥库和私钥用相同密码进行保护
格式 : BKS
扩展名 : .bks
描述 : Bouncycastle Keystore】密钥库的BC实现版本,provider为BC
特点 : 基于JCE实现
格式 : UBER
扩展名 : .ubr
描述 : 【Bouncycastle UBER Keystore】密钥库的BC更安全实现版本,provider为BC
证书文件格式【Certificate】
格式 : DER
扩展名 : .cer/.crt/.rsa
描述 : 【ASN .1 DER】用于存放证书
特点 : 不含私钥、二进制
格式 : PKCS7
扩展名 : .p7b/.p7r
描述 : 【PKCS #7】加密信息语法标准
特点 : 1、p7b以树状展示证书链,不含私钥
2、p7r为CA对证书请求签名的回复,只能用于导入
格式 : CMS
扩展名 : .p7c/.p7m/.p7s
描述 : 【Cryptographic Message Syntax】
特点 : 1、p7c只保存证书
2、p7m:signature with enveloped data
3、p7s:时间戳签名文件
格式 : PEM
扩展名 : .pem
描述 : 【Printable Encoded Message】
特点 : 1、该编码格式在RFC1421中定义,其实PEM是【Privacy-Enhanced Mail】的简写,但他也同样广泛运用于密钥管理
2、ASCII文件
3、一般基于base 64编码
格式 : PKCS10
扩展名 : .p10/.csr
描述 : 【PKCS #10】公钥加密标准【Certificate Signing Request】
特点 : 1、证书签名请求文件
2、ASCII文件
3、CA签名后以p7r文件回复
格式 : SPC
扩展名 : .pvk/.spc
描述 : 【Software Publishing Certificate】
特点 : 微软公司特有的双证书文件格式,经常用于代码签名,其中
1、pvk用于保存私钥
2、spc用于保存公钥
三、工具和环境安装
1. keytool
安装JDK后,在安装根目录的bin子目录下就会有keytool,如果在cmd下找不到keytool命令,检查下是否%JAVA_HOME%/bin已经被添加到%PATH%中,没有的话手动添加下。
keytool需要在cmd下使用。直接输入‘keytool -help’来查看帮助。
也可以参考这些页面:
http://blog.chinaunix.net/uid-17102734-id-2830223.html
http://ln-ydc.iteye.com/blog/1335213
http://blog.chinaunix.net/uid-7179329-id-2678195.html
2. openssl
直接去以下地址下载已经编译好的二进制文件安装即可:(也需要先安装Microsoft Visual C++ 2008 Redistributable Package)
http://slproweb.com/products/Win32OpenSSL.html
如果安装不成功,可以尝试使用源码进行编译安装:
openssl的下载地址如下:http://www.openssl.org/source/
下载最新版本并解压后,其中的INSTALL.W32和INSTALL.W64即为32位和64位Windows系统的安装说明。
按其中介绍的安装步骤如下:
1). 安装Windows SDK
对于windows7可以在以下地址下载和安装:http://www.microsoft.com/en-us/download/details.aspx?id=8279
或者安装Visual Studio 2013和MASM32也可以(添加对应的bin目录到%PATH%中),其中MASM32的下载地址为:http://www.masm32.com/masmdl.htm
2). 安装ActivePerl
下载地址:http://www.activestate.com/activeperl/downloads
选择32位或者64位进行下载并安装。
3). 下载并安装openssl
从上面提到的下载地址下载openssl的源码,解压到某个目录,例如:D:\Program Files\openssl-1.0.1i
然后按照INSTALL.xxx的指示,首先从cmd进入到该目录下,然后依次执行以下命令:
perl Configure VC-WIN64A
ms\do_win64a
nmake -f ms\ntdll.mak
cd out32dll
..\ms\test
另一种方式是,直接在linux使用即可,方法如下:
$ sudo apt-get install openssl
$ sudo apt-get install libssl0.9.8
$ sudo apt-get install libssl-dev
四、生成证书
1. keytool
以下参数的意义可以查看keytool的帮助来了解,更多的功能支持和参数使用也需要参考:keytool -help
1). 生成JKS格式私钥
E:\>keytool -genkey -alias mykey -keyalg RSA -keystore .\mykey.jks -st
orepass mypassword -keypass mypassword
您的名字与姓氏是什么?
[Unknown]: my
您的组织单位名称是什么?
[Unknown]: myOrg
您的组织名称是什么?
[Unknown]: myOrg
您所在的城市或区域名称是什么?
[Unknown]: bj
您所在的州或省份名称是什么?
[Unknown]: bj
该单位的两字母国家代码是什么
[Unknown]: cn
CN=my, OU=myOrg, O=myOrg, L=bj, ST=bj, C=cn 正确吗?
[否]: y
生成的mykey.jks中包含了私钥,可以用于服务器端进行加密时使用,信息如下:
E:\>keytool -list -v -alias mykey -keystore .\mykey.jks -storepass
mypassword
别名名称: mykey
创建日期: 2014-9-6
项类型: PrivateKeyEntry
认证链长度: 1
认证 [1]:
所有者:CN=my, OU=myOrg, O=myOrg, L=bj, ST=bj, C=cn
签发人:CN=my, OU=myOrg, O=myOrg, L=bj, ST=bj, C=cn
序列号:540aaec3
有效期: Sat Sep 06 14:50:43 CST 2014 至Fri Dec 05 14:50:43 CST 2014
证书指纹:
MD5:D6:5F:7B:8D:BF:61:E6:F4:7A:B8:0A:D0:F8:77:4B:F3
SHA1:92:1E:E6:7E:72:EA:14:A9:A4:6A:B8:0D:66:EB:09:51:69:CE:12:8D
签名算法名称:SHA1withRSA
版本: 3
mykey.jks为二进制文件。
2). 生成DER格式的根证书(自签名,仅含公钥)
E:\>keytool -export -alias mykey -keystore .\mykey.jks -file .\myc
erts.cer -storepass mypassword
保存在文件中的认证 <.\mycerts.cer>
生成的mycerts.cer仅包含公钥(是服务器用根证书自己签发给自己的一个数字证书),可以用于发布公钥给用户,用户将该公钥导入到信任的根证书后,访问服务器时不会提示证书不可信错误。该证书的信息如下:
E:\>keytool -printcert -v -file .\mycerts.cer
所有者:CN=my, OU=myOrg, O=myOrg, L=bj, ST=bj, C=cn
签发人:CN=my, OU=myOrg, O=myOrg, L=bj, ST=bj, C=cn
序列号:540aaec3
有效期: Sat Sep 06 14:50:43 CST 2014 至Fri Dec 05 14:50:43 CST 2014
证书指纹:
MD5:D6:5F:7B:8D:BF:61:E6:F4:7A:B8:0A:D0:F8:77:4B:F3
SHA1:92:1E:E6:7E:72:EA:14:A9:A4:6A:B8:0D:66:EB:09:51:69:CE:12:8D
签名算法名称:SHA1withRSA
版本: 3
mycerts.cer也为二进制文件。
3). 生成PEM格式的根证书(自签名,仅含公钥)
E:\>keytool -export -rfc -alias mykey -keystore .\mykey.jks -file
.\mycerts.pem -storepass mypassword
保存在文件中的认证 <.\mycerts.pem>
生成的mycerts.pem的信息如下:
E:\>keytool -printcert -v -file .\mycerts.pem
所有者:CN=my, OU=myOrg, O=myOrg, L=bj, ST=bj, C=cn
签发人:CN=my, OU=myOrg, O=myOrg, L=bj, ST=bj, C=cn
序列号:540aaec3
有效期: Sat Sep 06 14:50:43 CST 2014 至Fri Dec 05 14:50:43 CST 2014
证书指纹:
MD5:D6:5F:7B:8D:BF:61:E6:F4:7A:B8:0A:D0:F8:77:4B:F3
SHA1:92:1E:E6:7E:72:EA:14:A9:A4:6A:B8:0D:66:EB:09:51:69:CE:12:8D
签名算法名称:SHA1withRSA
版本: 3
但是mycerts.pem是ASCII文本形式进行存储的,二进制进行了BASE64编码,以下为文件内容:
-----BEGIN CERTIFICATE-----
MIICHzCCAYigAwIBAgIEVAquwzANBgkqhkiG9w0BAQUFADBUMQswCQYDVQQGEwJjbjELMAkGA1UE
CBMCYmoxCzAJBgNVBAcTAmJqMQ4wDAYDVQQKEwVteU9yZzEOMAwGA1UECxMFbXlPcmcxCzAJBgNV
BAMTAm15MB4XDTE0MDkwNjA2NTA0M1oXDTE0MTIwNTA2NTA0M1owVDELMAkGA1UEBhMCY24xCzAJ
BgNVBAgTAmJqMQswCQYDVQQHEwJiajEOMAwGA1UEChMFbXlPcmcxDjAMBgNVBAsTBW15T3JnMQsw
CQYDVQQDEwJteTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAio6UUGH4GyPBW/s2T7Sq1RqI
Df7JU92QtEbCtUzO9wfIeFq9Z0iJCNOuQymLCAX42FmAzborG/gIZsMSqapSMMU5Ua4dWIIWSBQh
uFhNwTTlRjcwVh1bqbJuM5Mbb/1PvzfdA0rhBqvrAZnM02hd3HPToV43blqYCP14QzgJ8dECAwEA
ATANBgkqhkiG9w0BAQUFAAOBgQA96aXU+2O/AA6jXICJeWoEHBM9tAQxrivLr55IEEkh3FmTJOdH
2sCH1I7pwaIbTqY6GKTJkfNmgBJjXe1lQMR6VtKBop7nn3Vw7a6PoRJU/z8kqS4RxpQLqCszegmU
YHhfwIFDSCkFvYYlS3XeBbpcnAfN+0cT10WexfDF05701g==
-----END CERTIFICATE-----
2. openssl
查看帮助时,需要具体到二级命令,例如:
#显示所有二级命令
openssl -h
#显示具体的帮助
openssl genrsa -help
openssl req -help
openssl x509 -help
1). 生成私钥
a. 生成带密码保护的私钥:
E:\>openssl genrsa -des3 -out prvtkey.pem 2048
Loading 'screen' into random state - done
Generating RSA private key, 2048 bit long modulus
................................................................................
................................................................................
.......+++
........+++
unable to write 'random state'
e is 65537 (0x10001)
Enter pass phrase for prvtkey.pem:
Verifying - Enter pass phrase for prvtkey.pem:
生成的文件为ASCII文本存储,使用BASE64对二进制内容进行编码,文件内容如下:
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,5AA63225E5DB7C59
DMrqtOku0tTBDVZCsKvn8n1KC5wxfn9S2nuHdq9bfgeUjdnEE4P8MnrC32K2cA/h
NmDKavlhlzK3aBY9sCdCuOnAlK60MjmOcJ9Lx0Xg7VayauBCMArPt9iHNQHz6x87
KboxddhxCYh+YFC13LuX/jBm9nRjOhZ3ZLK6qaCEoTCrv7UY0DsLRniG1AXan4VZ
/uI0+YkvyqfLPdOD3oGLWr2LjyhfAiXdj/QgiuaS85tXZaDAClNYFrHTfqiE8HJ6
m9Vv9FeLASR+er5x3DZ5yuwzNu9t0COkU4bwn92aqta1tBQj+79lcTWdakPIhxzF
NKKzPY9Eey4+g/UeeRx7WhZShhhOM7LSGMldzpLDKmBwRbGow/jziQe151gptwJr
0yKz1X321gJ987OeZpGs9jNr6+kry0m77U3iBEB/v4HkXHC/b2aVy8D4sq9mYdBn
onHDAvxS1RDnRMZPu4jiUjwGgRrLmvgYnmqOG7YJhvIKFRr0iyWAWvn2lAkuHJLB
Nz3IXDrKJywTWL2+gJ9nOX0gXADt1vspz9ul050G8Z44jpisf1g1WA39nraYObjE
egYuxbdb2Id8P09hnGU1G+H8O5hpGPe92PHia54QJkcwqpfKNbY3+RZ9+LnvV8dg
/lPwf58j6vibTDM7I01HrIr7uoWWgz9evvLf1Xp3ALlbjOWrOZEAzY8CfimcODFg
MuGq5UrMGJ33rnsKuL5HnFJU3niG7oKdBVcRDqhAlGLg9C58ISIgam13IglvrZGD
/9JJtf3fS0xsjt2SZ5EDeUTcw1l18BVYVqW7VH4Xp+lgwgBvYJN5wLVcHr65n6E8
ZVN0cc1D/Akk1DYmJgj+FGfWMW3dd9pvltoo8YdrWDjflUbSKr/xGwMOhW9yB33T
OReQNc7rRsubRA9CR/cBNITv0J05btVSvoAClQr1lfZvCXT1hifJ2bYufj13B3Zp
SwFkLzRmonJB1MkWZkIY5CGBiZVNpdHHFeebMUH7/ElY11HtEfm4u3ifwhSTcPKc
3bKCzbECFFARouJOD6GX04iUsxeQIwa6gZ0DJs/BIhJ/4Zgu2dZivFUKNS3mqn/x
ok2et6Hv7NFBWjppiwo+LombmRFANubcH2OQd4r8fdHPar5bNwRT8XTv87tNoANI
Tx92GdKNP5IPQqxik+W3xOXcAc1EXAq1cJM+B/0LeNeeTKCQvynirOmIlYaxIs3B
eVdkR7gH8GFeCaYD3Mf/EFJVHJ1WBZxNCVuabUeU7jdO2XmAwOmqHFstnzVQK+0X
XTyf5gonATfEhREFQSD9w+M2iC2I8wWWr6SD/SMVOKtw1DeMm0i5v1YPnC4ISGTM
5Ji1bwDablUUI5W29gLwS9Uej6fhFs3Qyk7EznbV14uuXJc1Irr9k7zIBtTGG4AZ
C7PF5kOUy6F/CefmnRzxI7CI7PGKxnDc48lcWNs0zeclpxRqwx/U9CLLgl7M8ypi
lnWG3BDysavatH1S/i9uAQXRZxYWFW3SSRE92cUlTBM0wo2UiKzQvNZjMz9GuJVY
GDryFFzAdU/vv0sayjSBEtOrawlz3o3oVnxYTAtagHn8uAcPkknLs+qkME/LF15J
-----END RSA PRIVATE KEY-----
b. 或者生成不带密码保护的私钥:
E:\>openssl genrsa -out prvtkey2.pem 2048
Loading 'screen' into random state - done
Generating RSA private key, 2048 bit long modulus
..........................................+++
........................................+++
unable to write 'random state'
e is 65537 (0x10001)
生成的文件也为ASCII文本,使用BASE64编码,内容如下:
-----BEGIN RSA PRIVATE KEY-----
MIIEpQIBAAKCAQEAvc/06Rh04oQpPz6t3GU4JyoYN2yyR0a984wFJ2ehl2Ktwm5D
UmuxurzlfRWBV3K4srr6F+AaX49HfpFsioPtyprZUx6qmHBQJ36ZNCKS8iq1VSxh
jFsdQD0gruO3mNR4ha+omCLKRHoFKM5Q14iXS3H/VYO4VTloxehx3+mPZcU9i4L6
9djhXFunYPWzV1FVjueeDFQwIYkoaKDGYsbEg0fO+KLRkZd1w1eEYWTiMEoQWFLO
Z6OYswcoKRrBnc4jyHQilrcDY7xQoBYFrzGOg8CPNigQ6s/+gtARxIE5kycw+qP2
2BS3RVGeguyNqurawtgr9XoqA4DMoXzJOdbGhQIDAQABAoIBAQC1pFh+6ESSsF64
g0bl7oc6E3JxN7ezteL5OjmEaAufT3Nw6QvLx/ug9Du44+eOw940S/Ig/vi+EeMd
IBV6yJ26kUz/2gzvLCvIX8JEvgFZdb1p8Lq5Ekh/vP+V3Z1Ix6s+Y8c3L7PYq9xc
HHQIjlIahNEQCKlSBUpaegLfgCcV/241KRkxcBNlYpCgRdz2EULqA/ZeI+jUHeRc
wX7pUIxVzr9ct2QhaJw7W7+UKOvV8FrTQyk43+bXeN2AW7Q6iWOKVZzGujULURO7
O/bfppGKF8vNpDjg6RbS0EAsodMruEjFHgW7ieAFbESOxferJ3XIqS9GcJfmqZun
GBTn36jRAoGBAPbjL8vQGtdZjVivjWm+A6UDYqAVgUXvKveEAmMLJOcEJgC7ur/y
4POfQqgJqdIOEqr/etBwNoNyU493CFuk6KIO3Kg1ewumfVUKbYMNzjnYhleAcXtZ
pUBUCldGI/9jKXaZ6zAhgHTg6yuDShBphgnoWaz9Gq0whjL+X6JQNI0LAoGBAMTR
eScJ4d/tyMfMobCxAIWCKxtxc3OkY3qqocTrtZDcmEYRcpanXQ8pjSJKVw6Ba/OD
RV5U6ccgu71teY20VJdPp1ohqKlLnSGklTgD1l61Ji0Kw3CpgNsIrxYWcoTtxMqz
HZqKblUKiDTgRoW9v4cqqq274T/khl78VC0JIJSvAoGBAL/1bNg/el8uVeQ6uu0Y
vKS0uR5XGihSCUph7akspQiqBRJU5KMSKS3DCoS03sFgB8vE0Kz4UqppXecSWgFH
e0ll3NM8oesxDAnvDa70MQBxBiNKzvFlhkM6FMA+3QZZB4gbrO3DXqmBp9gxQIj6
Qym46uDB+tfl/rHvblQ5oGJ5AoGATjxCH22DNuMrc5h5EWZaobdrcT44uVg4HvOi
2Ecl5k55zSh0V0Rx7mwC6QWJ838orSSaN3QjdX8igZr5vYVYNsl36ZEFnT4sWMo2
coy78uupIDBuHeOTD/40st/7Z7GoDzcB5oNudil4mSQphFI3xwAD1omfcSli7HD6
+Ofu5osCgYEAmQGK5X/BGiTiH++DXn0jPz0wLC6Oe2BJNp/Z8/ZrRy83PdK3L+Ja
Q3NaEcIsN50/wHGR51EyG2x9qDZqB9HdoOTxNLKLht53Z1I0EvT5Xd1uMz0/RRkm
XQdBzEYSj8mxvI2eEesMY8r0KDNGdNczYZxKqzCJcjNJClug9NLyapk=
-----END RSA PRIVATE KEY-----
2). 生成PEM格式的根证书(自签名公钥证书)
E:\>openssl req -new -x509 -key prvtkey2.pem -out cacert.pem -days 1095
Loading 'screen' into random state - done
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:cn
State or Province Name (full name) [Some-State]:bj
Locality Name (eg, city) []:bj
Organization Name (eg, company) [Internet Widgits Pty Ltd]:myorg
Organizational Unit Name (eg, section) []:mysec
Common Name (e.g. server FQDN or YOUR name) []:my
Email Address []:my@my.com
查看该文件的信息如下:
E:\>openssl x509 -in cacert.pem -text -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
80:b4:20:c4:37:1c:cc:58
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=cn, ST=bj, L=bj, O=myorg, OU=mysec, CN=my/emailAddress=my@my.c
om
Validity
Not Before: Sep 6 08:43:14 2014 GMT
Not After : Sep 5 08:43:14 2017 GMT
Subject: C=cn, ST=bj, L=bj, O=myorg, OU=mysec, CN=my/emailAddress=my@my.
com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:bd:cf:f4:e9:18:74:e2:84:29:3f:3e:ad:dc:65:
38:27:2a:18:37:6c:b2:47:46:bd:f3:8c:05:27:67:
a1:97:62:ad:c2:6e:43:52:6b:b1:ba:bc:e5:7d:15:
81:57:72:b8:b2:ba:fa:17:e0:1a:5f:8f:47:7e:91:
6c:8a:83:ed:ca:9a:d9:53:1e:aa:98:70:50:27:7e:
99:34:22:92:f2:2a:b5:55:2c:61:8c:5b:1d:40:3d:
20:ae:e3:b7:98:d4:78:85:af:a8:98:22:ca:44:7a:
05:28:ce:50:d7:88:97:4b:71:ff:55:83:b8:55:39:
68:c5:e8:71:df:e9:8f:65:c5:3d:8b:82:fa:f5:d8:
e1:5c:5b:a7:60:f5:b3:57:51:55:8e:e7:9e:0c:54:
30:21:89:28:68:a0:c6:62:c6:c4:83:47:ce:f8:a2:
d1:91:97:75:c3:57:84:61:64:e2:30:4a:10:58:52:
ce:67:a3:98:b3:07:28:29:1a:c1:9d:ce:23:c8:74:
22:96:b7:03:63:bc:50:a0:16:05:af:31:8e:83:c0:
8f:36:28:10:ea:cf:fe:82:d0:11:c4:81:39:93:27:
30:fa:a3:f6:d8:14:b7:45:51:9e:82:ec:8d:aa:ea:
da:c2:d8:2b:f5:7a:2a:03:80:cc:a1:7c:c9:39:d6:
c6:85
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
BC:36:80:E6:CB:3E:36:BD:72:94:2E:30:4D:DC:10:F6:BD:B9:65:A2
X509v3 Authority Key Identifier:
keyid:BC:36:80:E6:CB:3E:36:BD:72:94:2E:30:4D:DC:10:F6:BD:B9:65:A
2
X509v3 Basic Constraints:
CA:TRUE
Signature Algorithm: sha1WithRSAEncryption
74:b8:54:ab:3f:fb:df:04:d3:e0:0e:27:9d:2a:b3:57:a5:f4:
42:a4:c5:fc:18:04:a0:86:28:ac:82:2f:2e:5d:e3:84:ab:db:
83:c4:09:df:91:e0:cb:04:ed:ad:24:47:f0:9c:f1:fe:a6:42:
d8:95:ed:fb:8d:1a:a5:16:58:7f:a5:fd:23:12:53:9e:6b:41:
6e:5b:44:78:e2:2b:2e:81:1e:f4:81:5c:68:9e:2b:e6:67:17:
15:4c:86:c5:95:85:71:0f:b4:83:0b:d5:16:a1:7a:78:03:be:
c8:6a:0c:c0:d5:7f:84:71:c7:a8:88:02:f6:57:d9:66:58:23:
79:26:cf:ff:4f:d0:1f:da:72:29:94:7b:82:fc:49:44:b0:60:
35:5a:a2:98:d7:f0:f7:61:51:42:63:20:64:80:c6:d8:28:40:
34:7d:1d:7e:58:7e:c9:44:4c:79:e6:8d:bb:b0:ac:71:dc:e1:
22:35:bd:01:6b:c4:87:5f:fa:f1:61:60:f8:4c:be:d4:56:18:
6c:5e:66:33:9b:f7:f4:67:52:58:b9:6d:1d:ed:27:54:9d:dc:
c3:ab:0b:57:f0:d1:2c:c1:5b:ab:51:14:8a:22:d9:c5:f5:0c:
b8:f4:c8:b1:be:d6:83:99:45:90:4b:00:b6:5d:c8:6c:da:cb:
a5:da:3f:79
生成的文件为BASE64编码的ASCII文本,内容如下:
-----BEGIN CERTIFICATE-----
MIIDrzCCApegAwIBAgIJAIC0IMQ3HMxYMA0GCSqGSIb3DQEBBQUAMG4xCzAJBgNV
BAYTAmNuMQswCQYDVQQIDAJiajELMAkGA1UEBwwCYmoxDjAMBgNVBAoMBW15b3Jn
MQ4wDAYDVQQLDAVteXNlYzELMAkGA1UEAwwCbXkxGDAWBgkqhkiG9w0BCQEWCW15
QG15LmNvbTAeFw0xNDA5MDYwODQzMTRaFw0xNzA5MDUwODQzMTRaMG4xCzAJBgNV
BAYTAmNuMQswCQYDVQQIDAJiajELMAkGA1UEBwwCYmoxDjAMBgNVBAoMBW15b3Jn
MQ4wDAYDVQQLDAVteXNlYzELMAkGA1UEAwwCbXkxGDAWBgkqhkiG9w0BCQEWCW15
QG15LmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL3P9OkYdOKE
KT8+rdxlOCcqGDdsskdGvfOMBSdnoZdircJuQ1Jrsbq85X0VgVdyuLK6+hfgGl+P
R36RbIqD7cqa2VMeqphwUCd+mTQikvIqtVUsYYxbHUA9IK7jt5jUeIWvqJgiykR6
BSjOUNeIl0tx/1WDuFU5aMXocd/pj2XFPYuC+vXY4Vxbp2D1s1dRVY7nngxUMCGJ
KGigxmLGxINHzvii0ZGXdcNXhGFk4jBKEFhSzmejmLMHKCkawZ3OI8h0Ipa3A2O8
UKAWBa8xjoPAjzYoEOrP/oLQEcSBOZMnMPqj9tgUt0VRnoLsjarq2sLYK/V6KgOA
zKF8yTnWxoUCAwEAAaNQME4wHQYDVR0OBBYEFLw2gObLPja9cpQuME3cEPa9uWWi
MB8GA1UdIwQYMBaAFLw2gObLPja9cpQuME3cEPa9uWWiMAwGA1UdEwQFMAMBAf8w
DQYJKoZIhvcNAQEFBQADggEBAHS4VKs/+98E0+AOJ50qs1el9EKkxfwYBKCGKKyC
Ly5d44Sr24PECd+R4MsE7a0kR/Cc8f6mQtiV7fuNGqUWWH+l/SMSU55rQW5bRHji
Ky6BHvSBXGieK+ZnFxVMhsWVhXEPtIML1RahengDvshqDMDVf4Rxx6iIAvZX2WZY
I3kmz/9P0B/acimUe4L8SUSwYDVaopjX8PdhUUJjIGSAxtgoQDR9HX5YfslETHnm
jbuwrHHc4SI1vQFrxIdf+vFhYPhMvtRWGGxeZjOb9/RnUli5bR3tJ1Sd3MOrC1fw
0SzBW6tRFIoi2cX1DLj0yLG+1oOZRZBLALZdyGzay6XaP3k=
-----END CERTIFICATE-----
五、证书格式转换
1. 私钥:PEM 转 PKCS#12(.p12/.pfx)
E:\>openssl pkcs12 -export -in cacert.pem -out prvtkey.p12 -inkey
prvtkey2.pem
Loading 'screen' into random state - done
Enter Export Password:
Verifying - Enter Export Password:
unable to write 'random state'
可以用openssl查看信息:
E:\>openssl pkcs12 -info -in prvtkey.p12
Enter Import Password:
MAC Iteration 2048
MAC verified OK
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048
Certificate bag
Bag Attributes
localKeyID: DF 41 0B EB 66 9E 25 99 3D 6A 3B D2 8F 23 CF 5B B2 6D 93 C6
subject=/C=cn/ST=bj/L=bj/O=myorg/OU=mysec/CN=my/emailAddress=my@my.com
issuer=/C=cn/ST=bj/L=bj/O=myorg/OU=mysec/CN=my/emailAddress=my@my.com
-----BEGIN CERTIFICATE-----
MIIDrzCCApegAwIBAgIJAIC0IMQ3HMxYMA0GCSqGSIb3DQEBBQUAMG4xCzAJBgNV
BAYTAmNuMQswCQYDVQQIDAJiajELMAkGA1UEBwwCYmoxDjAMBgNVBAoMBW15b3Jn
MQ4wDAYDVQQLDAVteXNlYzELMAkGA1UEAwwCbXkxGDAWBgkqhkiG9w0BCQEWCW15
QG15LmNvbTAeFw0xNDA5MDYwODQzMTRaFw0xNzA5MDUwODQzMTRaMG4xCzAJBgNV
BAYTAmNuMQswCQYDVQQIDAJiajELMAkGA1UEBwwCYmoxDjAMBgNVBAoMBW15b3Jn
MQ4wDAYDVQQLDAVteXNlYzELMAkGA1UEAwwCbXkxGDAWBgkqhkiG9w0BCQEWCW15
QG15LmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL3P9OkYdOKE
KT8+rdxlOCcqGDdsskdGvfOMBSdnoZdircJuQ1Jrsbq85X0VgVdyuLK6+hfgGl+P
R36RbIqD7cqa2VMeqphwUCd+mTQikvIqtVUsYYxbHUA9IK7jt5jUeIWvqJgiykR6
BSjOUNeIl0tx/1WDuFU5aMXocd/pj2XFPYuC+vXY4Vxbp2D1s1dRVY7nngxUMCGJ
KGigxmLGxINHzvii0ZGXdcNXhGFk4jBKEFhSzmejmLMHKCkawZ3OI8h0Ipa3A2O8
UKAWBa8xjoPAjzYoEOrP/oLQEcSBOZMnMPqj9tgUt0VRnoLsjarq2sLYK/V6KgOA
zKF8yTnWxoUCAwEAAaNQME4wHQYDVR0OBBYEFLw2gObLPja9cpQuME3cEPa9uWWi
MB8GA1UdIwQYMBaAFLw2gObLPja9cpQuME3cEPa9uWWiMAwGA1UdEwQFMAMBAf8w
DQYJKoZIhvcNAQEFBQADggEBAHS4VKs/+98E0+AOJ50qs1el9EKkxfwYBKCGKKyC
Ly5d44Sr24PECd+R4MsE7a0kR/Cc8f6mQtiV7fuNGqUWWH+l/SMSU55rQW5bRHji
Ky6BHvSBXGieK+ZnFxVMhsWVhXEPtIML1RahengDvshqDMDVf4Rxx6iIAvZX2WZY
I3kmz/9P0B/acimUe4L8SUSwYDVaopjX8PdhUUJjIGSAxtgoQDR9HX5YfslETHnm
jbuwrHHc4SI1vQFrxIdf+vFhYPhMvtRWGGxeZjOb9/RnUli5bR3tJ1Sd3MOrC1fw
0SzBW6tRFIoi2cX1DLj0yLG+1oOZRZBLALZdyGzay6XaP3k=
-----END CERTIFICATE-----
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048
Bag Attributes
localKeyID: DF 41 0B EB 66 9E 25 99 3D 6A 3B D2 8F 23 CF 5B B2 6D 93 C6
Key Attributes: <No Attributes>
Enter PEM pass phrase:
也可以使用keytool查看信息:
E:\>keytool -list -keystore ./prvtkey.p12 -storetype pkcs12 -v -st
orepass mypassword
Keystore 类型: PKCS12
Keystore 提供者: SunJSSE
您的 keystore 包含 1 输入
别名名称: 1
创建日期: 2014-9-6
项类型: PrivateKeyEntry
认证链长度: 1
认证 [1]:
所有者:EMAILADDRESS=my@my.com, CN=my, OU=mysec, O=myorg, L=bj, ST=bj, C=cn
签发人:EMAILADDRESS=my@my.com, CN=my, OU=mysec, O=myorg, L=bj, ST=bj, C=cn
序列号:80b420c4371ccc58
有效期: Sat Sep 06 16:43:14 CST 2014 至Tue Sep 05 16:43:14 CST 2017
证书指纹:
MD5:79:93:D2:9F:98:28:8C:B3:A4:C0:DD:D2:FC:7B:E6:E8
SHA1:DF:41:0B:EB:66:9E:25:99:3D:6A:3B:D2:8F:23:CF:5B:B2:6D:93:C6
签名算法名称:SHA1withRSA
版本: 3
扩展:
#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: BC 36 80 E6 CB 3E 36 BD 72 94 2E 30 4D DC 10 F6 .6...>6.r..0M...
0010: BD B9 65 A2 ..e.
]
]
#2: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
CA:true
PathLen:2147483647
]
#3: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: BC 36 80 E6 CB 3E 36 BD 72 94 2E 30 4D DC 10 F6 .6...>6.r..0M...
0010: BD B9 65 A2 ..e.
]
]
*******************************************
*******************************************
生成的文件为二进制文件。
2. 私钥:PKCS#12 转PEM
E:\>openssl pkcs12 -nocerts -nodes -in prvtkey.p12 -out private.pe
m
Enter Import Password:
MAC verified OK
生成的文件类似于使用openssl生成的私钥文件,为BASE64编码的ASCII文本文件,内容如下:
Bag Attributes
localKeyID: DF 41 0B EB 66 9E 25 99 3D 6A 3B D2 8F 23 CF 5B B2 6D 93 C6
Key Attributes: <No Attributes>
-----BEGIN PRIVATE KEY-----
MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC9z/TpGHTihCk/
Pq3cZTgnKhg3bLJHRr3zjAUnZ6GXYq3CbkNSa7G6vOV9FYFXcriyuvoX4Bpfj0d+
kWyKg+3KmtlTHqqYcFAnfpk0IpLyKrVVLGGMWx1APSCu47eY1HiFr6iYIspEegUo
zlDXiJdLcf9Vg7hVOWjF6HHf6Y9lxT2Lgvr12OFcW6dg9bNXUVWO554MVDAhiSho
oMZixsSDR874otGRl3XDV4RhZOIwShBYUs5no5izBygpGsGdziPIdCKWtwNjvFCg
FgWvMY6DwI82KBDqz/6C0BHEgTmTJzD6o/bYFLdFUZ6C7I2q6trC2Cv1eioDgMyh
fMk51saFAgMBAAECggEBALWkWH7oRJKwXriDRuXuhzoTcnE3t7O14vk6OYRoC59P
c3DpC8vH+6D0O7jj547D3jRL8iD++L4R4x0gFXrInbqRTP/aDO8sK8hfwkS+AVl1
vWnwurkSSH+8/5XdnUjHqz5jxzcvs9ir3FwcdAiOUhqE0RAIqVIFSlp6At+AJxX/
bjUpGTFwE2VikKBF3PYRQuoD9l4j6NQd5FzBfulQjFXOv1y3ZCFonDtbv5Qo69Xw
WtNDKTjf5td43YBbtDqJY4pVnMa6NQtRE7s79t+mkYoXy82kOODpFtLQQCyh0yu4
SMUeBbuJ4AVsRI7F96sndcipL0Zwl+apm6cYFOffqNECgYEA9uMvy9Aa11mNWK+N
ab4DpQNioBWBRe8q94QCYwsk5wQmALu6v/Lg859CqAmp0g4Sqv960HA2g3JTj3cI
W6Toog7cqDV7C6Z9VQptgw3OOdiGV4Bxe1mlQFQKV0Yj/2MpdpnrMCGAdODrK4NK
EGmGCehZrP0arTCGMv5folA0jQsCgYEAxNF5Jwnh3+3Ix8yhsLEAhYIrG3Fzc6Rj
eqqhxOu1kNyYRhFylqddDymNIkpXDoFr84NFXlTpxyC7vW15jbRUl0+nWiGoqUud
IaSVOAPWXrumlQrDcKmA2wivFhZyhO3EyrMdmopuVQqINOBGhb2/hyqqrbvhP+SG
XvxULQkglK8CgYEAv/Vs2D96Xy5V5Dq67Ri8pLS5HlcaKFIJSmHtqSylCKoFElTk
oxIpLcMKhLTewWAHy8TQrPhSqmld5xJaAUd7SWXc0zyh6zEMCe8NrvQxAHEGI0rO
8WWGQzoUwD7dBlkHiBus7cNeqYGn2DFAiPpDKbjq4MH61+X+se9uVDmgYnkCgYBO
PEIfbYM24ytzmHkRZlqht2txPji5WDge86LYRyXmTnnNKHRXRHHubALpBYnzfyit
JJo3dCN1fyKBmvm9hVg2yXfpkQWdPixYyjZyjLvy66kgMG4d45MP/jSy3/tnsagP
NwHmg252KXiZJCmEUjfHAAPWiZ9xKWLscPr45+7miwKBgQCZAYrlf8EaJOIf74Ne
fSM/PTAsLo57YEk2n9nz9mtHLzc90rcv4lpDc1oRwiw3nT/AcZHnUTIbbH2oNmoH
0d2g5PE0souG3ndnUjQS9Pld3W4zPT9FGSZdB0HMRhKPybG8jZ4R6wxjyvQoM0Z0
1zNhnEqrMIlyM0kKW6D00vJqmQ==
-----END PRIVATE KEY-----
3. 公钥:PEM转DER
E:\>openssl x509 -in cacert.pem -inform PEM -out cacert.der -outfo
rm DER
把BASE64编码的ASCII文本文件转换为二进制文件。
4. 公钥:DER转PEM
E:\>openssl x509 -out cacert2.pem -outform PEM -in cacert.der -inf
orm DER
把二进制文件转换为BASE64编码的ASCII文本文件。