1.生成自签名证书
openssl req -new -x509 -days 3650 -keyout root-cert.key -out root-cert.crt
2.生成证书请求
openssl genrsa -out subcert.key 2048
openssl req -new -key
subcert.key -out
subcert.csr
3.用root-cert.crt 签名subcert.csr
mkdir -p demoCA/{certs,crl,newcerts,private}
touch demoCA/index.txt
echo 00 > demoCA/serial
openssl ca -in server.csr -out subcert.crt -cert root-cert.crt -keyfile root-cert.key -extensions v3_req -days 365
3.用root-cert.crt 签名subcert.csr
opesnssl x509 -req -days 365 -extensions ca_v3 -in root-cert.crt -CAkey root-cert.key -out subcert.crt
4.证书格式转换
openssl x509 -in test.crt -out
test.pem -outform PEM
openssl x509 -in
test.crt -
test der -out
test.der
openssl x509 -inform der -in
test.der -out
test.pem
openssl x509 -inform DER -in
test.der -out
test.crt
openssl pkcs12 -export -out rootcert.pfx -inkey rootcrt.key -in rootcrt.crt
5.获取签名后证书的签名部分
SIGNATURE_HEX=$( openssl x509 -in server.pem -text -noout -certopt ca_default -certopt no_validity -certopt no_serial -certopt no_subject -certopt no_extensions -certopt no_signame|grep -v 'Signature Algorithm'|tr -d '[:space:]:')
echo $SIGNATURE_HEX |xxd -r -p >cert-sigature.bin
6.用公钥解密签名
openssl rsautl -verify -inkey cert-pub.key -in cert-signature.bin -pubin> cert-sig-decrypted.bin
7.查看解密后签名的hash信息
openssl asnlparse -inform der -in
cert-sig-decrypted.bin
8.获取签名证书的主体部分
openssl asnlparse -in test.pem -strparse 4 -out cert-body.bin -noout
9.用hash对获取的证书主体部分进行摘要
openssl dgst -sha256 cert-body.bin
10.签名验证签名
SA私钥对SHA1计算得到的摘要值签名。
openssl dgst -sign rsa_private.key -sha1 -out sha1_rsa_file.sign file.txt
用相应的公钥和相同的摘要算法进行验签,否则会失败。
openssl dgst -verify rsa_public.key -sha1 -signature sha1_rsa_file.sign file.txt
11.ca证书验证证书链
openssl verify -CAfile root-crt cert-1.crt
待续。。。。
阅读(4408) | 评论(0) | 转发(0) |
