PEM certificates (base64-encoded format)

# View the certificate contents
openssl x509 -text -noout -in cert.pem
# Verify the certificate against the CA chain
openssl verify -CAfile <(cat root-ca.pem internal-ca.pem ) server.pem
# Output when verification succeeds
server.pem: OK
# Example output when verification fails
openssl verify -CAfile <(cat root-ca.pem internal-ca.pem ) server.pem
O = system, CN = xxxxxx
error 18 at 0 depth lookup: self-signed certificate
O = system, CN = xxxxxx
error 10 at 0 depth lookup: certificate has expired
error server.pem: verification failed

PKCS#12 (Public Key Cryptography Standards) certificates
Common extensions: .p12/.pfx. A binary file that contains a certificate and its private key, usually password-protected.

# Export the certificate from the p12
openssl pkcs12 -in cert.p12 -out output/cert.pem -nokeys
Enter Import Password:
MAC verified OK
# Check the certificate contents
openssl x509 -text -noout -in output/cert.pem
# Export the private key from the p12 (-nodes writes the key to key.pem unencrypted)
openssl pkcs12 -in cert.p12 -out output/key.pem -nocerts -nodes
Enter Import Password:
MAC verified OK
# Combine the certificate and private key into a p12 file
openssl pkcs12 -export -inkey output/key.pem -in output/cert.pem -out output/new-cert.p12
Enter Export Password:
Verifying - Enter Export Password:

Converting PEM to a DER certificate (binary certificate encoding)
openssl x509 -inform pem -outform der -in output/cert.pem -out output/cert.der

Exporting a listing of the Java certificate keystore
keytool -list -v -storepass changeit -keystore /usr/local/jdk1.8.0_221/jre/lib/security/cacerts > keystore
less keystore

Helper commands
Base64-encoding a password with openssl
# Convert to base64 (-n: remove the newline from the output)
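
Added example (not part of the original page), relating to the PEM, PKCS#12 and DER sections above: a PEM block is the base64 form of the DER bytes wrapped in BEGIN/END lines, so a short Python check can list what a PEM file contains, confirm each block decodes to a complete DER structure, and flag a private key before the file is shared. The function names and the tiny sample data are assumptions constructed for illustration; the sample is not a real certificate or key.

```python
import base64
import re

# One PEM block: BEGIN/END armor lines around a base64 body. Text outside the
# blocks (such as the "Bag Attributes" lines openssl pkcs12 writes) is ignored.
PEM_RE = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.S)

def der_total_length(der: bytes) -> int:
    """Return the full size (header + content) of the outer DER SEQUENCE."""
    if len(der) < 2 or der[0] != 0x30:        # 0x30 = SEQUENCE tag
        raise ValueError("not a DER SEQUENCE")
    first = der[1]
    if first < 0x80:                           # short form: one length byte
        return 2 + first
    n = first & 0x7F                           # long form: n length bytes follow
    if n == 0 or len(der) < 2 + n:
        raise ValueError("bad DER length")
    return 2 + n + int.from_bytes(der[2:2 + n], "big")

def pem_blocks(text: str):
    """Return [(label, der_bytes)] for every PEM block found in text."""
    out = []
    for label, body in PEM_RE.findall(text):
        der = base64.b64decode("".join(body.split()), validate=True)
        if der_total_length(der) != len(der):
            raise ValueError(f"{label}: truncated or trailing data")
        out.append((label, der))
    return out

def contains_private_key(text: str) -> bool:
    """True if any block is a private key (RSA/EC/PKCS#8, encrypted or not)."""
    return any(label.endswith("PRIVATE KEY") for label, _ in pem_blocks(text))

def to_pem(label: str, der: bytes) -> str:
    """Wrap DER bytes in PEM armor with 64-character base64 lines."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"

# Constructed sample: a tiny DER SEQUENCE { INTEGER 5 }, not a real cert or key.
SAMPLE_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x05])
SAMPLE_BUNDLE = to_pem("CERTIFICATE", SAMPLE_DER) + to_pem("PRIVATE KEY", SAMPLE_DER)

if __name__ == "__main__":
    for label, der in pem_blocks(SAMPLE_BUNDLE):
        print(label, len(der), "bytes of DER")
```
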