Asymmetric encryption algorithms: http://baike.baidu.com/view/1490349.htm
Digital signatures: http://baike.baidu.com/view/7626.htm
HTTPS: http://baike.baidu.com/view/14121.htm
Digital certificates: http://baike.baidu.com/view/16501.htm
PKCS: http://baike.baidu.com/view/1477355.htm
X.509: http://baike.baidu.com/view/156016.htm
Differences between X.509 and PKCS#7, PKCS#12, etc.:
X.509 is the specification for digital certificates; PKCS#7 and PKCS#12 are two packaging formats (used to distribute public keys and to transport certificates, respectively). The digital certificates we use are all defined according to X.509, but when a certificate has to be transported, for example when a server distributes its public key as a file, it is packaged according to the PKCS#7 standard as a PEM- or DER-encoded file; likewise, when a certificate is exported from IE it can be saved in PKCS#12 format with a .pfx extension for transport and re-import.
These files fall into two major categories: keystores (contain the private key, and possibly the public key as well) and public-key certificates (contain only the public key).
Keystore file formats (keystore)
Format: JKS
Extension: .jks/.ks
Description: [Java KeyStore] the Java implementation of a keystore; provider is SUN
Features: the keystore and the private key are protected with different passwords
Format: JCEKS
Extension: .jce
Description: [JCE KeyStore] the JCE implementation of a keystore; provider is SunJCE
Features: higher security level than JKS; private keys in the keystore are protected with TripleDES
Format: PKCS12
Extension: .p12/.pfx
Description: [PKCS #12] Personal Information Exchange Syntax Standard
Features: 1. contains the private key, the public key and its certificate
2. the keystore and the private key are protected with the same password
Format: BKS
Extension: .bks
Description: [BouncyCastle KeyStore] the BC implementation of a keystore; provider is BC
Features: based on JCE
Format: UBER
Extension: .ubr
Description: [BouncyCastle UBER KeyStore] the more secure BC implementation of a keystore; provider is BC
Certificate file formats (certificate)
Format: DER
Extension: .cer/.crt/.rsa
Description: [ASN.1 DER] used to store certificates
Features: binary; contains no private key
Format: PKCS7
Extension: .p7b/.p7r
Description: [PKCS #7] Cryptographic Message Syntax Standard
Features: 1. .p7b displays the certificate chain as a tree and contains no private key
2. .p7r is the CA's signed reply to a certificate request and can only be imported
Format: CMS
Extension: .p7c/.p7m/.p7s
Description: [Cryptographic Message Syntax]
Features: 1. .p7c holds only certificates
2. .p7m: signature with enveloped data
3. .p7s: timestamp signature file
Format: PEM
Extension: .pem
Description: [Printable Encoded Message]
Features: 1. this encoding is defined in RFC 1421; PEM is actually short for [Privacy-Enhanced Mail], but it is also widely used for key management
2. ASCII file
3. generally Base64-encoded
Format: PKCS10
Extension: .p10/.csr
Description: [PKCS #10] public-key cryptography standard [Certificate Signing Request]
Features: 1. certificate signing request file
2. ASCII file
3. after signing, the CA replies with a .p7r file
Format: SPC
Extension: .pvk/.spc
Description: [Software Publishing Certificate]
Features: a Microsoft-specific two-file certificate format, frequently used for code signing, where
1. .pvk stores the private key
2. .spc stores the public key
1. keytool
After installing the JDK, keytool is in the bin subdirectory of the installation root. If the keytool command cannot be found from cmd, check whether %JAVA_HOME%/bin has been added to %PATH%, and add it manually if it has not.
keytool is used from cmd. Type 'keytool -help' to see the help.
These pages are also useful references:
http://blog.chinaunix.net/uid-17102734-id-2830223.html
http://ln-ydc.iteye.com/blog/1335213
http://blog.chinaunix.net/uid-7179329-id-2678195.html
2. openssl
Download the pre-built binary installer from the following address and install it (the Microsoft Visual C++ 2008 Redistributable Package must be installed first):
http://slproweb.com/products/win32openssl.html
If the installation fails, you can try building and installing from source.
The OpenSSL sources can be downloaded from: http://www.openssl.org/source/
After downloading and unpacking the latest version, the files INSTALL.W32 and INSTALL.W64 it contains are the installation instructions for 32-bit and 64-bit Windows respectively.
The installation steps described there are as follows:
1). Install the Windows SDK
For Windows 7 it can be downloaded and installed from: http://www.microsoft.com/en-us/download/details.aspx?id=8279
Alternatively, installing Visual Studio 2013 and MASM32 also works (add the corresponding bin directories to %PATH%); MASM32 can be downloaded from: http://www.masm32.com/masmdl.htm
2). Install ActivePerl
Download address: http://www.activestate.com/activeperl/downloads
Choose the 32-bit or 64-bit build, then download and install it.
3). Download and install OpenSSL
Download the OpenSSL source from the address given above and unpack it into a directory, for example: d:\program files\openssl-1.0.1i
Then follow the instructions in INSTALL.xxx: first change into that directory from cmd, then run the following commands in order:
perl Configure VC-WIN64A
ms\do_win64a
nmake -f ms\ntdll.mak
cd out32dll
..\ms\test
Another option is simply to use OpenSSL on Linux, as follows:
$ sudo apt-get install openssl
$ sudo apt-get install libssl0.9.8
$ sudo apt-get install libssl-dev
1. keytool
The meaning of the parameters below can be found in the keytool help; for further features and parameter usage, also refer to: keytool -help
1). Generate a JKS-format private key
e:\>keytool -genkey -alias mykey -keyalg rsa -keystore .\mykey.jks -storepass mypassword -keypass mypassword
您的名字与姓氏是什么?
[unknown]: my
您的组织单位名称是什么?
[unknown]: myorg
您的组织名称是什么?
[unknown]: myorg
您所在的城市或区域名称是什么?
[unknown]: bj
您所在的州或省份名称是什么?
[unknown]: bj
该单位的两字母国家代码是什么
[unknown]: cn
cn=my, ou=myorg, o=myorg, l=bj, st=bj, c=cn 正确吗?
[否]: y
The generated mykey.jks contains the private key and can be used by the server side for encryption; its information is as follows:
e:\>keytool -list -v -alias mykey -keystore .\mykey.jks -storepass mypassword
别名名称: mykey
创建日期: 2014-9-6
项类型: privatekeyentry
认证链长度: 1
认证 [1]:
所有者:cn=my, ou=myorg, o=myorg, l=bj, st=bj, c=cn
签发人:cn=my, ou=myorg, o=myorg, l=bj, st=bj, c=cn
序列号:540aaec3
有效期: sat sep 06 14:50:43 cst 2014 至fri dec 05 14:50:43 cst 2014
证书指纹:
md5:d6:5f:7b:8d:bf:61:e6:f4:7a:b8:0a:d0:f8:77:4b:f3
sha1:92:1e:e6:7e:72:ea:14:a9:a4:6a:b8:0d:66:eb:09:51:69:ce:12:8d
签名算法名称:sha1withrsa
版本: 3
mykey.jks is a binary file.
2). Generate a DER-format root certificate (self-signed, public key only)
e:\>keytool -export -alias mykey -keystore .\mykey.jks -file .\mycerts.cer -storepass mypassword
保存在文件中的认证 <.\mycerts.cer>
The generated mycerts.cer contains only the public key (it is a digital certificate that the server's root certificate has issued to itself) and can be used to publish the public key to users; once a user has imported it into their trusted root certificates, no untrusted-certificate error is shown when accessing the server. The certificate's information is as follows:
e:\>keytool -printcert -v -file .\mycerts.cer
所有者:cn=my, ou=myorg, o=myorg, l=bj, st=bj, c=cn
签发人:cn=my, ou=myorg, o=myorg, l=bj, st=bj, c=cn
序列号:540aaec3
有效期: sat sep 06 14:50:43 cst 2014 至fri dec 05 14:50:43 cst 2014
证书指纹:
md5:d6:5f:7b:8d:bf:61:e6:f4:7a:b8:0a:d0:f8:77:4b:f3
sha1:92:1e:e6:7e:72:ea:14:a9:a4:6a:b8:0d:66:eb:09:51:69:ce:12:8d
签名算法名称:sha1withrsa
版本: 3
mycerts.cer is also a binary file.
3). Generate a PEM-format root certificate (self-signed, public key only)
e:\>keytool -export -rfc -alias mykey -keystore .\mykey.jks -file .\mycerts.pem -storepass mypassword
保存在文件中的认证 <.\mycerts.pem>
The information in the generated mycerts.pem is as follows:
e:\>keytool -printcert -v -file .\mycerts.pem
所有者:cn=my, ou=myorg, o=myorg, l=bj, st=bj, c=cn
签发人:cn=my, ou=myorg, o=myorg, l=bj, st=bj, c=cn
序列号:540aaec3
有效期: sat sep 06 14:50:43 cst 2014 至fri dec 05 14:50:43 cst 2014
证书指纹:
md5:d6:5f:7b:8d:bf:61:e6:f4:7a:b8:0a:d0:f8:77:4b:f3
sha1:92:1e:e6:7e:72:ea:14:a9:a4:6a:b8:0d:66:eb:09:51:69:ce:12:8d
签名算法名称:sha1withrsa
版本: 3
However, mycerts.pem is stored as ASCII text, with the binary content Base64-encoded; the file's contents are as follows:
-----begin certificate-----
-----end certificate-----
2. openssl
To view the help you have to name the specific subcommand, for example:
# list all subcommands
openssl -h
# show the help for a specific subcommand
openssl genrsa -help
openssl req -help
openssl x509 -help
1). Generate a private key
a. Generate a passphrase-protected private key:
e:\>openssl genrsa -des3 -out prvtkey.pem 2048
loading 'screen' into random state - done
generating rsa private key, 2048 bit long modulus
................................................................................
................................................................................
.......
........
unable to write 'random state'
e is 65537 (0x10001)
enter pass phrase for prvtkey.pem:
verifying - enter pass phrase for prvtkey.pem:
The generated file is stored as ASCII text, with the binary content Base64-encoded; its contents are as follows:
-----begin rsa private key-----
proc-type: 4,encrypted
dek-info: des-ede3-cbc,5aa63225e5db7c59
-----end rsa private key-----
b. Alternatively, generate a private key without passphrase protection:
e:\>openssl genrsa -out prvtkey2.pem 2048
loading 'screen' into random state - done
generating rsa private key, 2048 bit long modulus
..........................................
........................................
unable to write 'random state'
e is 65537 (0x10001)
The generated file is likewise Base64-encoded ASCII text; its contents are as follows:
-----begin rsa private key-----
-----end rsa private key-----
2). Generate a PEM-format root certificate (a self-signed public-key certificate)
e:\>openssl req -new -x509 -key prvtkey2.pem -out cacert.pem -days 1095
loading 'screen' into random state - done
you are about to be asked to enter information that will be incorporated
into your certificate request.
what you are about to enter is what is called a distinguished name or a dn.
there are quite a few fields but you can leave some blank
for some fields there will be a default value,
if you enter '.', the field will be left blank.
-----
country name (2 letter code) [au]:cn
state or province name (full name) [some-state]:bj
locality name (eg, city) []:bj
organization name (eg, company) [internet widgits pty ltd]:myorg
organizational unit name (eg, section) []:mysec
common name (e.g. server fqdn or your name) []:my
email address []:my@my.com
The file's information can be viewed as follows:
e:\>openssl x509 -in cacert.pem -text -noout
certificate:
data:
version: 3 (0x2)
serial number:
80:b4:20:c4:37:1c:cc:58
signature algorithm: sha1withrsaencryption
issuer: c=cn, st=bj, l=bj, o=myorg, ou=mysec, cn=my/emailaddress=my@my.com
validity
not before: sep 6 08:43:14 2014 gmt
not after : sep 5 08:43:14 2017 gmt
subject: c=cn, st=bj, l=bj, o=myorg, ou=mysec, cn=my/emailaddress=my@my.com
subject public key info:
public key algorithm: rsaencryption
public-key: (2048 bit)
modulus:
exponent: 65537 (0x10001)
x509v3 extensions:
x509v3 subject key identifier:
bc:36:80:e6:cb:3e:36:bd:72:94:2e:30:4d:dc:10:f6:bd:b9:65:a2
x509v3 authority key identifier:
keyid:bc:36:80:e6:cb:3e:36:bd:72:94:2e:30:4d:dc:10:f6:bd:b9:65:a2
x509v3 basic constraints:
ca:true
signature algorithm: sha1withrsaencryption
The generated file is Base64-encoded ASCII text; its contents are as follows:
-----begin certificate-----
-----end certificate-----
1. Private key: PEM to PKCS#12 (.p12/.pfx)
e:\>openssl pkcs12 -export -in cacert.pem -out prvtkey.p12 -inkey prvtkey2.pem
loading 'screen' into random state - done
enter export password:
verifying - enter export password:
unable to write 'random state'
The information can be viewed with openssl:
e:\>openssl pkcs12 -info -in prvtkey.p12
enter import password:
mac iteration 2048
mac verified ok
pkcs7 encrypted data: pbewithsha1and40bitrc2-cbc, iteration 2048
certificate bag
bag attributes
localkeyid: df 41 0b eb 66 9e 25 99 3d 6a 3b d2 8f 23 cf 5b b2 6d 93 c6
subject=/c=cn/st=bj/l=bj/o=myorg/ou=mysec/cn=my/emailaddress=my@my.com
issuer=/c=cn/st=bj/l=bj/o=myorg/ou=mysec/cn=my/emailaddress=my@my.com
-----begin certificate-----
-----end certificate-----
pkcs7 data
shrouded keybag: pbewithsha1and3-keytripledes-cbc, iteration 2048
bag attributes
localkeyid: df 41 0b eb 66 9e 25 99 3d 6a 3b d2 8f 23 cf 5b b2 6d 93 c6
key attributes:
enter pem pass phrase:
The information can also be viewed with keytool:
e:\>keytool -list -keystore ./prvtkey.p12 -storetype pkcs12 -v -storepass mypassword
keystore 类型: pkcs12
keystore 提供者: sunjsse
您的 keystore 包含 1 输入
别名名称: 1
创建日期: 2014-9-6
项类型: privatekeyentry
认证链长度: 1
认证 [1]:
所有者:emailaddress=my@my.com, cn=my, ou=mysec, o=myorg, l=bj, st=bj, c=cn
签发人:emailaddress=my@my.com, cn=my, ou=mysec, o=myorg, l=bj, st=bj, c=cn
序列号:80b420c4371ccc58
有效期: sat sep 06 16:43:14 cst 2014 至tue sep 05 16:43:14 cst 2017
证书指纹:
md5:79:93:d2:9f:98:28:8c:b3:a4:c0:dd:d2:fc:7b:e6:e8
sha1:df:41:0b:eb:66:9e:25:99:3d:6a:3b:d2:8f:23:cf:5b:b2:6d:93:c6
签名算法名称:sha1withrsa
版本: 3
扩展:
#1: objectid: 2.5.29.14 criticality=false
subjectkeyidentifier [
keyidentifier [
0000: bc 36 80 e6 cb 3e 36 bd 72 94 2e 30 4d dc 10 f6 .6...>6.r..0m...
0010: bd b9 65 a2 ..e.
]
]
#2: objectid: 2.5.29.19 criticality=false
basicconstraints:[
ca:true
pathlen:2147483647
]
#3: objectid: 2.5.29.35 criticality=false
authoritykeyidentifier [
keyidentifier [
0000: bc 36 80 e6 cb 3e 36 bd 72 94 2e 30 4d dc 10 f6 .6...>6.r..0m...
0010: bd b9 65 a2 ..e.
]
]
*******************************************
*******************************************
The generated file is binary.
2. Private key: PKCS#12 to PEM
e:\>openssl pkcs12 -nocerts -nodes -in prvtkey.p12 -out private.pem
enter import password:
mac verified ok
The generated file resembles a private key file generated by openssl: Base64-encoded ASCII text, with the following contents:
bag attributes
localkeyid: df 41 0b eb 66 9e 25 99 3d 6a 3b d2 8f 23 cf 5b b2 6d 93 c6
key attributes:
-----begin private key-----
-----end private key-----
3. Public key: PEM to DER
e:\>openssl x509 -in cacert.pem -inform pem -out cacert.der -outform der
This converts the Base64-encoded ASCII text file into a binary file.
4. Public key: DER to PEM
e:\>openssl x509 -out cacert2.pem -outform pem -in cacert.der -inform der
This converts the binary file into a Base64-encoded ASCII text file.
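As an added example (not part of the original notes), the following Python script implements the PEM/DER distinction described in the PEM format entry and in conversions 3 and 4 above: it parses a PEM block, reads the RFC 1421 headers that openssl writes on a passphrase-protected key (Proc-Type, DEK-Info), checks that an unencrypted payload is exactly one DER SEQUENCE, and converts between the two encodings the way openssl x509 -inform/-outform does. The sample DER object and the encrypted-key block are constructed for the demonstration, and the function names are my own.

```python
import base64
import re

# Constructed sample (not a real certificate): DER SEQUENCE { INTEGER 5, INTEGER 7 }, for offline tests.
SAMPLE_DER = bytes.fromhex("3006020105020107")

PEM_RE = re.compile(
    rb"-----BEGIN (?P<label>[^-]+)-----\r?\n(?P<body>.*?)-----END (?P=label)-----", re.DOTALL)

def der_length(data: bytes) -> int:
    """Total length (tag + length octets + content) of the leading DER SEQUENCE in data."""
    if len(data) < 2 or data[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    first = data[1]
    if first < 0x80:                      # short form: one length octet
        return 2 + first
    n = first & 0x7F                      # long form: n further length octets
    if n == 0 or n > 4 or len(data) < 2 + n:
        raise ValueError("bad DER length encoding")
    return 2 + n + int.from_bytes(data[2:2 + n], "big")

def parse_pem(text: bytes):
    """Parse the first PEM block into (label, headers, payload). RFC 1421 headers such as
    Proc-Type/DEK-Info precede a blank line; an encrypted payload is ciphertext, not DER."""
    m = PEM_RE.search(text)
    if not m:
        raise ValueError("no PEM block found")
    label = m.group("label").decode()
    body = m.group("body").replace(b"\r\n", b"\n")
    headers = {}
    if b"\n\n" in body:
        head, body = body.split(b"\n\n", 1)
        for line in head.decode().splitlines():
            key, _, value = line.partition(":")
            headers[key.strip()] = value.strip()
    payload = base64.b64decode(b"".join(body.split()), validate=True)
    encrypted = headers.get("Proc-Type", "").endswith("ENCRYPTED")
    if not encrypted and der_length(payload) != len(payload):
        raise ValueError("PEM payload is not a single DER object")
    return label, headers, payload

def der_to_pem(der: bytes, label: str) -> bytes:
    """Armour DER bytes as a PEM block with 64-character Base64 lines."""
    if der_length(der) != len(der):
        raise ValueError("input is not a single DER SEQUENCE")
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, "\n".join(lines), label)).encode()

def classify(data: bytes) -> str:
    """Tell PEM (ASCII armour) from DER (raw binary), flagging passphrase-protected keys."""
    if data.lstrip().startswith(b"-----BEGIN "):
        label, headers, _ = parse_pem(data)
        flag = " (encrypted)" if headers.get("Proc-Type", "").endswith("ENCRYPTED") else ""
        return "PEM " + label + flag
    if der_length(data) != len(data):
        raise ValueError("binary input is not a single DER SEQUENCE")
    return "DER"
```

Feeding it the cacert.pem and cacert.der files from conversions 3 and 4 reports "PEM CERTIFICATE" and "DER" respectively, and a genrsa -des3 key is reported as encrypted from its Proc-Type header alone.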