RSA(1) OpenSSL RSA(1)
NAME
rsa - RSA key
processing tool
# 注释 :rsa 是 RSA key 处理工具
SYNOPSIS
openssl rsa
[-inform PEM│NET│DER] [-outform PEM│NET│DER] [-in filename] [-passin arg] [-out
filename] [-passout arg] [-sgckey] [-des]
[-des3] [-idea] [-text] [-noout] [-modulus] [-check]
[-pubin] [-pub-out] [-engine id]
DESCRIPTION
The rsa command
processes RSA keys. They can be converted between var-
ious forms and
their components printed out. Note this command uses
the traditional
SSLeay compatible format for private key encryption:
newer
applications should use the more secure PKCS#8 format using the
pkcs8
utility.
# 注释 :rsa 命令处理 RSA private key 。可以打印一个 key
的信息,转换格式
# 要注意,该命令使用传统的 SSLeay 兼容格式来用于 private key
加密,新的应用程序应该使用更加安全的 PKCS#8 格式(pkcs8 命令)
COMMAND OPTIONS
-inform
DER│NET│PEM
This specifies the input format. The DER option uses
an ASN1 DER
encoded form compatible with the PKCS#1 RSAPrivateKey or
Subject-
PublicKeyInfo format. The PEM form is the default format: it
con-
sists of the DER format base64 encoded with additional header
and
footer lines. On input PKCS#8 format private keys are also
accepted. The NET form is a format is described in the NOTES sec-
tion.
# 注释 :-inform 指出输入的 private key 的格式。 DER 使用
ASN1 DER 编码格式,兼容 PKCS#1 RSA private key
# 或者 Subject-PublicKeyInfo 格式。而 PEM 格式是默认的格式
:它由 DER 格式经过 base64 编码,再加上 header 和 footer 行
# 组成。该命令还接受 PKCS#8 格式
-outform DER│NET│PEM
This specifies the
output format, the options have the same mean-
ing as the -inform
option.
# 注释 :-outform 用于指定输出的格式。
-in filename
This specifies the input
filename to read a key from or standard
input if this option is not
specified. If the key is encrypted a
pass phrase will be prompted
for.
# 注释 :-in 指定输入的 key 文件名,默认是从 stdin
读取输入。
# 如果 key 被加密,则会提示输入口令句,也可以通过 -passin
指定口令句
-passin arg
the input file password source.
For more information about the
format of arg see the PASS PHRASE
ARGUMENTS section in openssl(1).
# 注释 :-passin 指定输入的口令句来源
-out filename
This specifies the output
filename to write a key to or standard
output if this option is not
specified. If any encryption options
are set then a pass phrase will be
prompted for. The output file-
name should not be the same as the input
filename.
# 注释 :-out 指定输出的文件名。默认是输出到 stdout
# 如果指定了加密选项,则会提示口令句,或者用 -passout
-passout password
the output file password
source. For more information about the
format of arg see the PASS PHRASE
ARGUMENTS section in openssl(1).
-sgckey
use the modified NET algorithm used
with some versions of
Microsoft IIS and SGC keys.
-des│-des3│-idea
These options encrypt the
private key with the DES, triple DES, or
the IDEA ciphers respectively
before outputting it. A pass phrase
is prompted for. If none of these
options is specified the key is
written in plain text. This means that
using the rsa utility to
read in an encrypted key with no encryption
option can be used to
remove the pass phrase from a key, or by setting
the encryption
options it can be use to add or change the pass phrase.
These
options can only be used with PEM format output files.
# 注释 :选择加密算法
-text
prints out the various public or
private key components in plain
text in addition to the encoded
version.
# 注释 :-text 打印 public key 或者 private key
的信息
-noout
this option prevents output of the
encoded version of the key.
# 注释 :-noout 防止输出 key 的编码版本,也就是不输出被解码的原来的
private key
-modulus
this option prints out the value of
the modulus of the key.
# 注释 :-modulus 打印key 的 modulus 值,同时输出解密后的
private key
-check
this option checks the consistency of
an RSA private key.
# 注释 :-check 检查一个 RSA private key
的一致性
-pubin
by default a private key is read from
the input file: with this
option a public key is read instead.
# 注释 :-pubin 表示把输入的文件当成 public key 而不是 private
key
-pubout
by default a private key is output:
with this option a public key
will be output instead. This option is
automatically set if the
input is a public key.
# 注释 :-pubout 表示输出一个 public key ,
-engine id
specifying an engine (by it’s unique id string)
will cause req to
attempt to obtain a functional reference to the
specified engine,
thus initialising it if needed. The engine will then be
set as the
default for all available algorithms.
NOTES
The PEM private key
format uses the header and footer lines:
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----
The PEM public key format uses the header and footer lines:
-----BEGIN PUBLIC KEY-----
-----END PUBLIC KEY-----
The NET form is a format compatible with older Netscape servers
and
Microsoft IIS .key files, this uses unsalted RC4 for its
encryption.
It is not very secure and so should only be used when
necessary.
Some newer version of IIS have additional data in the exported
.key
files. To use these with the utility, view the file with a binary
edi-
tor and look for the string "private-key", then trace back to the
byte
sequence 0x30, 0x82 (this is an ASN1 SEQUENCE). Copy all the data
from
this point onwards to another file and use that as the input to
the
rsa utility with the -inform NET option. If you get an error
after
entering the password try the -sgckey option.
EXAMPLES
To remove the pass
phrase on an RSA private key:
# 注释 :要去掉一个 rsa private key 的口令句,用下面的命令
openssl rsa -in key.pem -out keyout.pem
To encrypt a private key using triple DES:
# 注释 :要加密一个 private key(用 DES-3)用下面的命令
openssl rsa -in key.pem -des3 -out keyout.pem
To convert a private key from PEM to DER format:
# 注释 :把一个 PEM 格式的 private key 转成 DER 格式的
openssl rsa -in key.pem -outform DER -out
keyout.der
To print out the components of a private key to standard
output:
# 注释 :打印一个 private key 的信息到 stdout,用下面的命令
openssl rsa -in key.pem -text -noout
To just output the public part of a private key:
# 注释 :要输出一个 private key 对应的 public
key,用下面的命令
openssl rsa -in key.pem -pubout -out pubkey.pem
BUGS
The command line password arguments don’t currently work
with NET for-
mat.
There should be an option that automatically handles .key files,
with-
out having to manually edit them.
SEE ALSO
pkcs8(1), dsa(1), genrsa(1), gendsa(1)
0.9.7a 2003-01-30 RSA(1)
