PowerEdge: How to Check, Validate, and Convert an SSL Certificate Using OpenSSL and Keytool Commands
Summary: How to check, validate, and convert SSL certificates using OpenSSL and Keytool. This article provides commands for PEM, DER, PKCS12, and certificate fingerprint checks. ...
Instructions
How to view the contents of a certificate:
- Command to display certificate contents in OpenSSL:
$ openssl x509 -in <cert_file_name> -noout -text
Example output:
$ openssl x509 -in sin1091.cer -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: dd:a5:5c:60:f9:b7:16:9e
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=CA, DC=vsphere, DC=local, C=US, ST=California, O=sin1090, OU=VMware
        Validity
            Not Before: May 24 10:29:00 2017 GMT
            Not After : Feb 19 12:22:39 2027 GMT
        Subject: CN=sin1091.eu.degussanet.com, C=US
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    [...]
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:sin1091.eu.degussanet.com
            X509v3 Subject Key Identifier:
                D7:4D:DB:D4:00:3A:45:A8:4E:5E:9A:60:DB:C0:94:EA:C0:94:75:DC
            X509v3 Authority Key Identifier:
                keyid:5F:81:58:14:37:20:61:1D:BC:47:F2:97:AF:39:45:F0:A5:A9:19:F4
    Signature Algorithm: sha256WithRSAEncryption
        [...]
- Command to list the certificates or key pairs stored in a keystore using keytool. PrivateKeyEntry means that the entry stores both a private key and its certificate chain. TrustedCertEntry means that the entry stores only a trusted certificate and certificate chain:
$ keytool -list -v -keystore <keystore_file_name>
Example output:
Alias name: vcenter_ca
Creation date: Mar 31, 2023
Entry type: trustedCertEntry
Owner: CN=vc.x400.sh, OU=Dell EMC, O=Dell EMC, L=Shanghai, ST=Shanghai, C=CN
Issuer: CN=vc.x400.sh, OU=Dell EMC, O=Dell EMC, L=Shanghai, ST=Shanghai, C=CN
Serial number: 840f560790ff8a93
Valid from: Fri Mar 31 18:51:25 CST 2023 until: Sat Mar 30 18:51:25 CST 2024
Certificate fingerprints:
    SHA1: 69:F4:39:70:C8:A4:EC:64:C1:46:04:81:44:A1:30:3C:A9:71:12:D0
    SHA256: 6C:D7:62:58:BE:AC:A3:D7:25:84:1F:65:93:23:4C:35:5F:25:B6:D2:A0:67:A1:FD:8C:A9:62:3A:D9:0E:24:D3
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 3072-bit RSA key
Version: 3
How to view a certificate fingerprint or thumbprint:
- Command to display a certificate fingerprint in OpenSSL. OpenSSL prints a SHA-1 fingerprint by default. Make sure that you use the same hash algorithm when comparing against another certificate:
$ openssl x509 -in <certificate file> -noout -fingerprint [-sha1 or -sha256 or -sha512]
Example output:
$ openssl x509 -in server.pem -noout -fingerprint
SHA1 Fingerprint=DD:48:AE:B1:D5:7D:DF:B9:A4:B3:A9:4A:C4:CF:76:6C:C1:CE:3A:C9
- Command to display certificate fingerprints in keytool. The default is SHA-256:
$ keytool -list -keystore <keystore file>
Example output:
$ keytool -list -keystore mykeystore.p12 -storepass Idpa_1234
Keystore type: PKCS12
Keystore provider: JsafeJCE
Your keystore contains 3 entries
website, Mar 31, 2023, trustedCertEntry,
Certificate fingerprint (SHA-256): E8:16:50:4E:9A:F1:48:7F:8E:12:8B:C2:51:DD:45:7B:26:0D:5F:81:49:17:77:3F:35:6F:B2:8E:2B:A0:12:42
tomcat, Mar 31, 2023, PrivateKeyEntry,
Certificate fingerprint (SHA-256): CD:CD:9B:3A:9A:78:CF:3C:B8:5A:21:AF:9B:BF:4B:3F:1B:7F:91:D0:38:6B:FF:14:23:FB:8E:46:AE:90:9D:E0
vcenter_ca, Mar 31, 2023, trustedCertEntry,
Certificate fingerprint (SHA-256): 6C:D7:62:58:BE:AC:A3:D7:25:84:1F:65:93:23:4C:35:5F:25:B6:D2:A0:67:A1:FD:8C:A9:62:3A:D9:0E:24:D3
How to convert a certificate and private key between formats:
- Convert the certificate format from DER to PEM:
$ openssl x509 -in <certificate file in DER format> -inform DER -out <certificate file in PEM format>
- Convert the certificate format from PKCS7 to PEM:
$ openssl pkcs7 -print_certs -in <certificate file in PKCS7 format> -inform DER -out <certificate file in PEM format>
- Convert the certificate and private key format from PKCS12 to PEM.
(The first command extracts the certificate file in PEM format; the second command extracts the private key file in PEM format.)
$ openssl pkcs12 -in <certificate file in PKCS12 format> -name <alias name> -nokeys -out <certificate file in PEM format>
$ openssl pkcs12 -in <certificate file in PKCS12 format> -name <alias name> -nodes -nocerts -out <private key file in PEM format>
- Convert certificate and private key pair files from PEM to a PKCS12 keystore
(In this example, the PEM certificate file is server.crt, the private key file is server.key, the keystore alias is set to "mykeypair", and the PKCS12 keystore file is mykeystore.p12)
$ openssl pkcs12 -export -in <certificate file in PEM format> -inkey <private key file in PEM format> -name <alias name> -out <keystore file in PKCS12 format>
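The conversion and fingerprint steps above, combined in an added example that is not part of the original article: it exports a constructed certificate and key to PKCS12, extracts the certificate again, and compares SHA-256 fingerprints, with a helper that brings OpenSSL-style and keytool-style fingerprints into one form. The function names, the CN, and the P12_PASS variable are assumptions made for the demo.

```shell
# Added example: PEM -> PKCS12 -> PEM round trip, checked by SHA-256 fingerprint.
# Everything generated here is constructed test data in a temporary directory.

# Reduce "SHA256 Fingerprint=AA:BB:..." (OpenSSL) or "AA:BB:..." (keytool)
# to bare lowercase hex so output from the two tools can be compared.
normalize_fp() {
    sed -e 's/^.*=//' -e 's/://g' | tr 'A-F' 'a-f' | tr -d ' \n'
}

# SHA-256 fingerprint of the PEM certificate on stdin. The digest is named
# explicitly because OpenSSL defaults to SHA-1 while keytool prints SHA-256.
fp_sha256() {
    openssl x509 -noout -fingerprint -sha256 | normalize_fp
}

# Export certificate and key to a PKCS12 keystore, extract the certificate
# again, and print "match" if the fingerprint is unchanged.
roundtrip_demo() {
    d=$(mktemp -d) || return 1
    # Hypothetical demo password, passed through env: instead of the command line.
    P12_PASS='constructed-demo-pass'; export P12_PASS
    openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=server.example.test" \
        -days 1 -keyout "$d/server.key" -out "$d/server.crt" 2>/dev/null
    openssl pkcs12 -export -in "$d/server.crt" -inkey "$d/server.key" \
        -name mykeypair -out "$d/mykeystore.p12" -passout env:P12_PASS
    before=$(fp_sha256 < "$d/server.crt")
    after=$(openssl pkcs12 -in "$d/mykeystore.p12" -nokeys \
        -passin env:P12_PASS 2>/dev/null | fp_sha256)
    rm -rf "$d"
    if [ -n "$before" ] && [ "$before" = "$after" ]; then
        echo match
    else
        echo differ
    fi
}
```
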
How to validate a certificate in an HTTPS handshake using OpenSSL:
- Use one of the following commands to validate the certificate:
$ openssl s_client -CApath <path_to_certs> -connect <VC_FQDN>:443 -showcerts
Or
$ openssl s_client -CApath <path_to_certs> -host <VC_FQDN> -port 443 -showcerts
Example output on success (this command can take a while to finish):
$ openssl s_client -CApath /tmp/certs/ -connect 10.10.10.100:443 -showcerts
CONNECTED(00000104)
---
Certificate chain
 0 s:/CN=vc18.externalvc.com/C=US
   i:/CN=CA/DC=vsphere/DC=local/C=US/ST=California/O=psc18.externalvc.com/OU=VMware
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
---
Server certificate
subject=/CN=vc18.externalvc.com/C=US
issuer=/CN=CA/DC=vsphere/DC=local/C=US/ST=California/O=psc18.externalvc.com/OU=VMware
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 1412 bytes and written 434 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID:
    Session-ID-ctx:
    Master-Key: 70FD868AA56807820DDAC23C2FAB3F2C1A5C683426F2924AEE8D9B52EBCD3F256EC4892D281F90F0F32A2A1C7DD0FB01
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1500280372
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
depth=1 CN = CA, DC = vsphere, DC = local, C = US, ST = California, O = psc18.externalvc.com, OU = VMware
verify return:1
depth=0 CN = vc18.externalvc.com, C = US
verify return:1
read:errno=0
Example output on failure:
$ openssl s_client -CApath /tmp/certs/ -host 10.62.91.64 -port 443 -showcerts
CONNECTED(00000124)
---
Certificate chain
 0 s:/CN=vc18.externalvc.com/C=US
   i:/CN=CA/DC=vsphere/DC=local/C=US/ST=California/O=psc18.externalvc.com/OU=VMware
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
---
Server certificate
subject=/CN=vc18.externalvc.com/C=US
issuer=/CN=CA/DC=vsphere/DC=local/C=US/ST=California/O=psc18.externalvc.com/OU=VMware
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 1412 bytes and written 434 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID:
    Session-ID-ctx:
    Master-Key: 85731E71188EF310D68C658099C62C11374845CAF00A0AF90F8B35118171C7D0002A76380AB2B4574C720DB178FA3297
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1500281143
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---
depth=0 CN = vc18.externalvc.com, C = US
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = vc18.externalvc.com, C = US
verify error:num=21:unable to verify the first certificate
verify return:1
read:errno=0
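An added example (not from the original article) that reads the verification result out of saved s_client output, since the handshake completes and CONNECTED is printed in both the success and the failure case above. The two samples are constructed from the relevant lines of those outputs, and the function names are hypothetical.

```shell
# Added example: read the verification verdict from s_client output.
# s_client finishes the handshake even when the chain does not validate,
# so a script has to check the "Verify return code" line, not "CONNECTED".

# Print the last "Verify return code" number found on stdin.
verify_code() {
    sed -n 's/^ *Verify return code: \([0-9][0-9]*\) .*$/\1/p' | tail -n 1
}

# Print each verify error as "<depth>:<num>:<reason>", one per line.
verify_errors() {
    awk '/^depth=/ { split($1, a, "="); depth = a[2] }
         /^verify error:num=/ { sub(/^verify error:num=/, ""); print depth ":" $0 }'
}

# Succeed only when the output reports "Verify return code: 0 (ok)".
chain_ok() {
    [ "$(verify_code)" = "0" ]
}

# Constructed samples: the relevant lines of the two outputs shown above.
SAMPLE_OK='CONNECTED(00000104)
    Verify return code: 0 (ok)
---
depth=1 CN = CA, DC = vsphere, DC = local, C = US, ST = California, O = psc18.externalvc.com, OU = VMware
verify return:1
depth=0 CN = vc18.externalvc.com, C = US
verify return:1'

SAMPLE_FAIL='CONNECTED(00000124)
    Verify return code: 21 (unable to verify the first certificate)
---
depth=0 CN = vc18.externalvc.com, C = US
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = vc18.externalvc.com, C = US
verify error:num=21:unable to verify the first certificate
verify return:1'

# Live use, with the article's placeholders:
#   openssl s_client -CApath <path_to_certs> -connect <VC_FQDN>:443 </dev/null 2>&1 | chain_ok
```

Adding -verify_return_error to the s_client command makes the handshake itself stop on a verification error instead of continuing.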
How to validate a vCenter certificate offline:
If you cannot connect to vCenter and verify online, you can export the vCenter certificate from the web browser and save it to a file for validation.
- Convert the file from DER to PEM format.
- Use the following command to validate:
$ openssl verify -CApath <path_to_certs> <certificate_file>
NOTE: This command accepts only a PEM-format certificate file as the target.
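The two offline steps above, run end to end in an added example that is not part of the original article. It also shows a dependency of the -CApath option: OpenSSL finds issuers in that directory by subject-hash file name, so an unhashed directory fails verification even when the CA file is present. The throwaway CA, the host name, and all function names are constructed for the demo.

```shell
# Added example: offline validation against a -CApath directory.
# The CA and server certificate are constructed test data.

# Create a test CA in <dir>/certs and a DER-encoded server certificate <dir>/vc.der.
make_demo_pki() {
    mkdir -p "$1/certs"
    printf '%s\n' '[req]' 'distinguished_name = dn' 'x509_extensions = v3_ca' \
        'prompt = no' '[dn]' 'CN = Demo Root CA' '[v3_ca]' \
        'basicConstraints = critical,CA:TRUE' > "$1/demo.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -config "$1/demo.cnf" -days 2 \
        -keyout "$1/ca.key" -out "$1/certs/ca.pem" 2>/dev/null &&
    openssl req -new -newkey rsa:2048 -nodes -config "$1/demo.cnf" \
        -subj "/CN=vc.example.test" -keyout "$1/vc.key" -out "$1/vc.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/vc.csr" -CA "$1/certs/ca.pem" -CAkey "$1/ca.key" \
        -set_serial 2 -days 1 -outform DER -out "$1/vc.der" 2>/dev/null
}

# The article's two steps: convert DER to PEM, then verify against the CA directory.
verify_offline() {    # usage: verify_offline <path_to_certs> <certificate.der>
    openssl x509 -in "$2" -inform DER -out "$2.pem" || return 2
    openssl verify -CApath "$1" "$2.pem" >/dev/null 2>&1
}

# Give every CA file in the directory the <subject-hash>.0 name OpenSSL looks up.
# Assumes no two CA certificates in the directory share a subject hash.
hash_ca_dir() {
    for f in "$1"/*.pem; do
        ln -sf "$(basename "$f")" "$1/$(openssl x509 -noout -hash -in "$f").0"
    done
}

# Verify before and after hashing the directory; prints both results.
demo_offline() {
    d=$(mktemp -d) || return 1
    make_demo_pki "$d" || { rm -rf "$d"; return 1; }
    if verify_offline "$d/certs" "$d/vc.der"; then before=ok; else before=fail; fi
    hash_ca_dir "$d/certs"
    if verify_offline "$d/certs" "$d/vc.der"; then after=ok; else after=fail; fi
    rm -rf "$d"
    echo "unhashed=$before hashed=$after"
}
```
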
How to validate a private and public key pair using OpenSSL:
- Compute a hash value of the private key modulus:
$ openssl rsa -modulus -noout -in <private key file> | openssl md5
- Compute a hash value of the certificate modulus:
$ openssl x509 -modulus -noout -in <certificate file> | openssl md5
If the two hash strings are the same, the key pair matches. Otherwise, it is not a valid key pair.
Example output:
$ openssl rsa -modulus -noout -in server.key | openssl md5
(stdin)= b69cd7fc0b07ffef0a577e1e325ab015
$ openssl x509 -modulus -noout -in server.crt | openssl md5
(stdin)= b69cd7fc0b07ffef0a577e1e325ab015
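An added example, not part of the original article, that goes beyond the RSA modulus comparison above: it compares a digest of the whole public key, so it also works for EC keys, and it refuses to compare when either file could not be read, because two failed commands otherwise hash the same empty input and appear to match. The function names and the generated test keys are assumptions made for the demo.

```shell
# Added example: key-pair check that covers RSA and EC keys and failed reads.

# Print the SHA-256 digest of the PEM public key on stdin; fail if stdin is empty.
digest_pubkey() {
    pem=$(cat)
    [ -n "$pem" ] || return 1
    printf '%s\n' "$pem" | openssl dgst -sha256 -r | cut -d' ' -f1
}

cert_pubkey_digest() { openssl x509 -in "$1" -noout -pubkey 2>/dev/null | digest_pubkey; }
key_pubkey_digest()  { openssl pkey -in "$1" -pubout 2>/dev/null | digest_pubkey; }

# Succeed only when both digests were produced and are identical.
keypair_matches() {   # usage: keypair_matches <certificate file> <private key file>
    c=$(cert_pubkey_digest "$1") || return 2
    k=$(key_pubkey_digest "$2") || return 2
    [ "$c" = "$k" ]
}

# Constructed demo: an RSA pair and an EC pair, checked straight, crossed,
# and with files that do not exist.
demo_keypairs() {
    d=$(mktemp -d) || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=rsa.example.test" -days 1 \
        -keyout "$d/rsa.key" -out "$d/rsa.crt" 2>/dev/null
    openssl ecparam -name prime256v1 -genkey -noout -out "$d/ec.key" 2>/dev/null
    openssl req -x509 -new -key "$d/ec.key" -subj "/CN=ec.example.test" -days 1 \
        -out "$d/ec.crt" 2>/dev/null
    out=""
    for pair in rsa.crt:rsa.key ec.crt:ec.key rsa.crt:ec.key missing.crt:missing.key; do
        if keypair_matches "$d/${pair%%:*}" "$d/${pair##*:}"; then r=match; else r=no; fi
        out="${out:+$out }$r"
    done
    rm -rf "$d"
    echo "$out"
}
```
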
Additional Information
- Learn about different SSL certificate formats at TutorialsTeacher.
- How to use the testssl command.
Testssl is a free command-line tool that checks a server's service on any port for support of TLS/SSL ciphers and protocols, as well as recent cryptographic flaws and more. For more information, see Testing TLS/SSL encryption.
Affected Products
Microsoft Windows Server 2016, Microsoft Windows Server 2019, Microsoft Windows Server 2022, Microsoft Windows Server 2025, Red Hat Enterprise Linux Version 7, Red Hat Enterprise Linux Version 9, Red Hat Enterprise Linux Version 8, SUSE Linux Enterprise Server 15, Ubuntu Server LTS, VMware ESXi 7.x, VMware ESXi 8.x
Products
Converged Infrastructure, Data Center Infrastructure, Desktops & All-in-Ones, Gateways & Embedded PCs, Electronics & Accessories, Laptops, Networking, Security, Servers, Software, Solutions, Storage, Tablets, Thin Clients, Workstations
Article Properties
Article Number: 000211907
Article Type: How To
Last Modified: 18 Jul 2025
Version: 7