PowerEdge:如何使用 OpenSSL 和 keytool 命令检查、验证和转换 SSL 证书

Summary: 如何使用 OpenSSL 和 Keytool 检查、验证和转换 SSL 证书。本文包括用于 PEM、DER、PKCS12 和证书指纹检查的命令。

This article applies to This article does not apply to This article is not tied to any specific product. Not all product versions are identified in this article.
Check out other resources

Instructions

如何显示证书的内容:

  • 用于在 OpenSSL 中显示证书内容的命令:
$ openssl x509 -in <cert_file_name> -noout -text
输出示例: 
$ openssl x509 -in sin1091.cer -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            dd:a5:5c:60:f9:b7:16:9e
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=CA, DC=vsphere, DC=local, C=US, ST=California, O=sin1090, OU=VMware
        Validity
            Not Before: May 24 10:29:00 2017 GMT
            Not After : Feb 19 12:22:39 2027 GMT
        Subject: CN=sin1091.eu.degussanet.com, C=US
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:c3:24:d9:23:08:32:ca:0e:f9:60:58:f0:8b:04:
                    6e:db:73:b1:83:a1:73:44:09:30:d7:64:6e:2f:26:
                    e5:87:fd:b9:f3:e6:10:78:32:f5:7c:8b:7f:c1:06:
                    d5:d1:42:d3:d8:e0:d0:84:91:c8:1c:4e:7e:2b:af:
                    65:36:5e:87:b0:43:4c:fa:ae:ca:c3:23:2d:75:15:
                    6a:d5:5f:66:6b:40:f6:c5:48:7a:8d:e5:f1:dd:4e:
                    aa:eb:89:65:8a:7e:69:eb:35:4f:75:56:88:24:48:
                    c7:9b:19:fb:39:43:ee:8a:bb:f5:1a:9b:b5:a3:47:
                    b1:60:ee:9a:72:f6:7b:d0:1f:ed:73:64:5f:e9:60:
                    75:64:03:25:a3:41:38:6d:06:22:dc:22:70:ae:9d:
                    b5:f8:26:7a:8e:d6:05:b1:97:67:89:ac:2c:b3:83:
                    8b:31:33:a8:7e:30:58:2c:10:42:ef:b6:05:98:ca:
                    6c:01:c9:47:9e:01:6e:be:c6:bc:cd:9f:e8:bc:8f:
                    94:70:f1:21:af:ae:b4:fd:76:db:a7:88:fc:e5:d7:
                    ea:08:eb:58:b9:41:37:af:7b:ec:f8:a1:b0:09:a7:
                    b9:b7:18:5b:a7:8e:b9:2f:b0:71:2a:3d:46:8b:c6:
                    4a:23:43:d9:21:94:2e:0e:e9:40:07:61:22:2e:b4:
                    08:27
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:sin1091.eu.degussanet.com
            X509v3 Subject Key Identifier:
                D7:4D:DB:D4:00:3A:45:A8:4E:5E:9A:60:DB:C0:94:EA:C0:94:75:DC
            X509v3 Authority Key Identifier:
                keyid:5F:81:58:14:37:20:61:1D:BC:47:F2:97:AF:39:45:F0:A5:A9:19:F4

    Signature Algorithm: sha256WithRSAEncryption
         99:9c:b1:e5:b2:9d:b1:ef:65:8f:3b:de:87:16:01:6e:bb:a2:
         37:cc:13:28:a2:a1:0b:88:04:c8:85:d0:34:19:d0:3d:41:e4:
         d3:6f:54:6f:ce:0d:25:a5:f1:c4:8e:cd:e3:e4:ca:92:1f:67:
         3a:bd:27:21:59:37:67:a6:71:53:a4:ab:e5:d4:2c:a4:8f:a4:
         f3:c9:de:6f:5f:f5:80:38:3f:9e:87:24:c7:dc:9e:d3:45:93:
         a1:4e:31:db:20:df:84:86:06:c8:39:21:9d:04:57:1f:a2:17:
         9b:e4:c7:77:61:73:9b:fe:b2:ac:66:ad:14:50:3a:82:65:10:
         3d:bc:15:0b:08:60:79:c1:d1:55:28:25:a4:9b:95:ae:c3:52:
         31:66:e9:a3:08:57:4c:ff:5a:ac:5e:09:6c:89:5b:cc:43:ad:
         0a:e5:dd:b7:8a:6a:be:e7:52:e9:cf:c9:4a:38:77:05:4c:00:
         ca:22:2e:e8:8d:a2:37:da:38:bc:5e:ce:2d:aa:5d:44:c8:58:
         cb:7e:a4:be:fb:0b:b3:b4:88:66:ed:8b:ac:41:b8:8d:8b:48:
         e5:1a:8e:45:ba:be:42:a3:39:07:85:f5:09:91:c3:38:d5:bf:
         73:3d:ba:6c:5c:cf:bc:4b:f9:3e:7b:9c:a6:bb:2b:10:c4:87:
         76:35:f1:0d
  • 使用 keytool 显示密钥库中存储的证书或密钥对的命令。PrivateKeyEntry 意味着它同时存储私钥和证书链条目。TrustedCertEntry 表示它仅存储受信任的证书和证书链条目: 
$ keytool -list -v -in <keystore_file_name>
输出示例
* * * * *
  
Alias name: vcenter_ca
Creation date: Mar 31, 2023
Entry type: trustedCertEntry

Owner: CN=vc.x400.sh, OU=Dell EMC, O=Dell EMC, L=Shanghai, ST=Shanghai, C=CN
Issuer: CN=vc.x400.sh, OU=Dell EMC, O=Dell EMC, L=Shanghai, ST=Shanghai, C=CN
Serial number: 840f560790ff8a93
Valid from: Fri Mar 31 18:51:25 CST 2023 until: Sat Mar 30 18:51:25 CST 2024
Certificate fingerprints:
         SHA1: 69:F4:39:70:C8:A4:EC:64:C1:46:04:81:44:A1:30:3C:A9:71:12:D0
         SHA256: 6C:D7:62:58:BE:AC:A3:D7:25:84:1F:65:93:23:4C:35:5F:25:B6:D2:A0:67:A1:FD:8C:A9:62:3A:D9:0E:24:D3
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 3072-bit RSA key
Version: 3
* * * * *
 

如何显示证书指纹或拇指指纹:

  • 默认情况下,用于在 OpenSSL 中显示证书指纹的命令是 OpenSSL 中的 sha1 指纹。在与另一个证书进行比较时,请确保使用相同的哈希算法:
$ openssl x509 -in <certificate file> -noout -fingerprint [-sha1 or -sha256 or -sha512]

输出示例:

$ openssl x509 -in server.pem -noout -fingerprint
SHA1 Fingerprint=DD:48:AE:B1:D5:7D:DF:B9:A4:B3:A9:4A:C4:CF:76:6C:C1:CE:3A:C9
  • 默认情况下,用于在 keytool 中显示证书指纹的命令为 sha256:
$ keytool -list -keystore <keystore file> 

输出示例:

$ keytool -list -keystore mykeystore.p12 -storepass Idpa_1234
Keystore type: PKCS12
Keystore provider: JsafeJCE

Your keystore contains 3 entries

website, Mar 31, 2023, trustedCertEntry,
Certificate fingerprint (SHA-256): E8:16:50:4E:9A:F1:48:7F:8E:12:8B:C2:51:DD:45:7B:26:0D:5F:81:49:17:77:3F:35:6F:B2:8E:2B:A0:12:42
tomcat, Mar 31, 2023, PrivateKeyEntry,
Certificate fingerprint (SHA-256): CD:CD:9B:3A:9A:78:CF:3C:B8:5A:21:AF:9B:BF:4B:3F:1B:7F:91:D0:38:6B:FF:14:23:FB:8E:46:AE:90:9D:E0
vcenter_ca, Mar 31, 2023, trustedCertEntry,
Certificate fingerprint (SHA-256): 6C:D7:62:58:BE:AC:A3:D7:25:84:1F:65:93:23:4C:35:5F:25:B6:D2:A0:67:A1:FD:8C:A9:62:3A:D9:0E:24:D3

如何在不同格式之间转换证书和私钥:

  • 将证书格式从 DER 转换为 PEM:
$ openssl x509 -in <certificate file in DER format> -inform DER -out <certificate file in PEM format>
  • 将证书格式从PKCS7转换为PEM
$ openssl pkcs7 -print_certs -in <certificate file in PKCS7 format> -inform DER -out <certificate file in PEM format>
  • 将证书和私钥格式从 PKCS12 转换为 PEM。
(第一个命令是提取 PEM 格式的证书文件,第二个命令是提取 PEM 格式的私钥文件。) 
$ openssl pkcs12 -in <certificate file in PKCS12 format> -name <alias name> -nokeys -out <certificate file in PEM format>

$ openssl pkcs12 -in <certificate file in PKCS12 format> -name <alias name> -nodes -nocerts -out <private key file in PEM format>
  • 将证书或私钥对文件从 PEM 转换为 PKCS12 密钥库
(在此示例中,PEM 证书文件为 server.crt,私钥文件为 server.key,密钥库别名设置为”mykeypair“,PKCS12 密钥库文件为 mykeystore.p12
$ openssl pkcs12 -export -in <certificate file in PEM format> -inkey <private key file in PEM format> -name <alias name> -out <keystore file in PKCS12 format>

如何使用 OpenSSL 验证 HTTPS 握手中的证书。

  • 使用以下命令之一验证证书:
$ openssl s_client -CApath <path_to_certs> -connect <VC_FQDN>:443 -showcerts
Or
$ openssl s_client -CApath <path_to_certs> -host <VC_FQDN> -port:443 -showcerts
成功的输出示例(此命令可能需要一段时间才能完成运行): 
$ openssl s_client -CApath /tmp/certs/ -connect 10.10.10.100:443 -showcerts
CONNECTED(00000104)
---
Certificate chain
 0 s:/CN=vc18.externalvc.com/C=US
   i:/CN=CA/DC=vsphere/DC=local/C=US/ST=California/O=psc18.externalvc.com/OU=VMware
-----BEGIN CERTIFICATE-----
MIIDoDCCAoigAwIBAgIJAM/DCNs2KXy+MA0GCSqGSIb3DQEBCwUAMIGPMQswCQYD
VQQDDAJDQTEXMBUGCgmSJomT8ixkARkWB3ZzcGhlcmUxFTATBgoJkiaJk/IsZAEZ
FgVsb2NhbDELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExHTAbBgNV
BAoMFHBzYzE4LmV4dGVybmFsdmMuY29tMQ8wDQYDVQQLDAZWTXdhcmUwHhcNMTcw
NjMwMDUzOTE4WhcNMjcwNjI1MDUzNDI0WjArMRwwGgYDVQQDDBN2YzE4LmV4dGVy
bmFsdmMuY29tMQswCQYDVQQGEwJVUzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
AQoCggEBAL1X4Skcl6kjCw3I2vJqvOTFwdQXL87/EqQkuhKfOy87+lo78jdobtAj
CqtSV8bszbiJAEftZEWkX6OF45tM1fBmMvuDUMw4rFqV6q0vuBd1LE94SQQIrkb6
ze/U+EyDX2eIPWGL63f4XoGLfrx/hxHxGDhLpZBMUiUi7ccIlduNHRjJaW7HDorI
g/ABHX2xhU4Sf+E5KWO5INByvtiyVabiUGeDt+9foX78aSvvmsqonW+Bq3yJi65R
m2FOxsXNSLMbtdQ/aS6vCl5LYu7Snku6vAfloDNX5grUhU/iHdxXHkAFAXLIzQPt
FK92P8zBLykDwP+cLzud/KO9CfqskPUCAwEAAaNiMGAwHgYDVR0RBBcwFYITdmMx
OC5leHRlcm5hbHZjLmNvbTAdBgNVHQ4EFgQUpXe8h597EnWIks76bOf9y+51/lYw
HwYDVR0jBBgwFoAU3tDxXouzxNX7qfWfrBTRHdo+Pu8wDQYJKoZIhvcNAQELBQAD
ggEBAHvy40eQ2I8eUFFvEOng2MFAbJH3ZZs2I3w0XuyAMosO4Sw0JYo0hhDLBBZ1
Fw7IyRj6jtbvI3UlPLq6NofJUaweo5aphlSPxmbZSl/DcteS4pusujv4lT/h9J95
dc0KrFR7abX9rsv0nQQ78wrzE5CUva6TkXOQKg8oxaachYPwKi0zR1vFR56jTt9f
Hq9Z1lXYkg4JzSu+H4diOs/KNKZYiU+QsD+94I2GjopajYWVSTBkiGAOObG2/inb
L2UJW2rK3PASm2M8+x92V0hqlkxBYcvQpjEjuJep2+Ah6iuQIgW21OForIPxqbcu
PD5PwMn6eV4mVP7/mWdAfkGtY8I=
-----END CERTIFICATE-----
---
Server certificate
subject=/CN=vc18.externalvc.com/C=US
issuer=/CN=CA/DC=vsphere/DC=local/C=US/ST=California/O=psc18.externalvc.com/OU=VMware
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 1412 bytes and written 434 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID:
    Session-ID-ctx:
    Master-Key: 70FD868AA56807820DDAC23C2FAB3F2C1A5C683426F2924AEE8D9B52EBCD3F256EC4892D281F90F0F32A2A1C7DD0FB01
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1500280372
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
depth=1 CN = CA, DC = vsphere, DC = local, C = US, ST = California, O = psc18.externalvc.com, OU = VMware
verify return:1
depth=0 CN = vc18.externalvc.com, C = US
verify return:1
read:errno=0
失败输出示例: 
$ openssl s_client -CApath /tmp/certs/ -host 10.62.91.64 -port 443 -showcerts
CONNECTED(00000124)
---
Certificate chain
 0 s:/CN=vc18.externalvc.com/C=US
   i:/CN=CA/DC=vsphere/DC=local/C=US/ST=California/O=psc18.externalvc.com/OU=VMware
-----BEGIN CERTIFICATE-----
MIIDoDCCAoigAwIBAgIJAM/DCNs2KXy+MA0GCSqGSIb3DQEBCwUAMIGPMQswCQYD
VQQDDAJDQTEXMBUGCgmSJomT8ixkARkWB3ZzcGhlcmUxFTATBgoJkiaJk/IsZAEZ
FgVsb2NhbDELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExHTAbBgNV
BAoMFHBzYzE4LmV4dGVybmFsdmMuY29tMQ8wDQYDVQQLDAZWTXdhcmUwHhcNMTcw
NjMwMDUzOTE4WhcNMjcwNjI1MDUzNDI0WjArMRwwGgYDVQQDDBN2YzE4LmV4dGVy
bmFsdmMuY29tMQswCQYDVQQGEwJVUzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
AQoCggEBAL1X4Skcl6kjCw3I2vJqvOTFwdQXL87/EqQkuhKfOy87+lo78jdobtAj
CqtSV8bszbiJAEftZEWkX6OF45tM1fBmMvuDUMw4rFqV6q0vuBd1LE94SQQIrkb6
ze/U+EyDX2eIPWGL63f4XoGLfrx/hxHxGDhLpZBMUiUi7ccIlduNHRjJaW7HDorI
g/ABHX2xhU4Sf+E5KWO5INByvtiyVabiUGeDt+9foX78aSvvmsqonW+Bq3yJi65R
m2FOxsXNSLMbtdQ/aS6vCl5LYu7Snku6vAfloDNX5grUhU/iHdxXHkAFAXLIzQPt
FK92P8zBLykDwP+cLzud/KO9CfqskPUCAwEAAaNiMGAwHgYDVR0RBBcwFYITdmMx
OC5leHRlcm5hbHZjLmNvbTAdBgNVHQ4EFgQUpXe8h597EnWIks76bOf9y+51/lYw
HwYDVR0jBBgwFoAU3tDxXouzxNX7qfWfrBTRHdo+Pu8wDQYJKoZIhvcNAQELBQAD
ggEBAHvy40eQ2I8eUFFvEOng2MFAbJH3ZZs2I3w0XuyAMosO4Sw0JYo0hhDLBBZ1
Fw7IyRj6jtbvI3UlPLq6NofJUaweo5aphlSPxmbZSl/DcteS4pusujv4lT/h9J95
dc0KrFR7abX9rsv0nQQ78wrzE5CUva6TkXOQKg8oxaachYPwKi0zR1vFR56jTt9f
Hq9Z1lXYkg4JzSu+H4diOs/KNKZYiU+QsD+94I2GjopajYWVSTBkiGAOObG2/inb
L2UJW2rK3PASm2M8+x92V0hqlkxBYcvQpjEjuJep2+Ah6iuQIgW21OForIPxqbcu
PD5PwMn6eV4mVP7/mWdAfkGtY8I=
-----END CERTIFICATE-----
---
Server certificate
subject=/CN=vc18.externalvc.com/C=US
issuer=/CN=CA/DC=vsphere/DC=local/C=US/ST=California/O=psc18.externalvc.com/OU=VMware
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 1412 bytes and written 434 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID:
    Session-ID-ctx:
    Master-Key: 85731E71188EF310D68C658099C62C11374845CAF00A0AF90F8B35118171C7D0002A76380AB2B4574C720DB178FA3297
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1500281143
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---
depth=0 CN = vc18.externalvc.com, C = US
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = vc18.externalvc.com, C = US
verify error:num=21:unable to verify the first certificate
verify return:1
read:errno=0

如何离线验证 vCenter 证书:

如果您无法连接到 vCenter 并联机验证,您可以从网页浏览器导出 vCenter 证书,并将其保存到文件进行验证。

  1. 将文件从 DER 转换为 PEM 格式。
  2. 使用以下命令进行验证:
$openssl verify -CApath <path_to_certs> <certificate_file>

 

提醒:此命令仅接受 PEM 格式的证书文件作为目标。


如何使用 OpenSSL 验证私钥或公钥对:

  • 计算私钥模数哈希值:
$ openssl rsa -modulus -noout -in <private key file> | openssl md5
  • 计算证书模数哈希值:
$ openssl x509 -modulus -noout -in <certificate file> | openssl md5

如果两个哈希字符串相同,则表示密钥对匹配。否则,它不是有效的密钥对。

输出示例:

openssl rsa -modulus -noout -in server.key | openssl md5
(stdin)= b69cd7fc0b07ffef0a577e1e325ab015

openssl x509 -modulus -noout -in server.crt | openssl md5
(stdin)= b69cd7fc0b07ffef0a577e1e325ab015

Additional Information

更多信息:

  • TutorialsTeacher本超链接将引导您访问非 Dell Technologies 运营的网站。上了解不同的SSL证书格式。
  • 如何使用 testssl 命令指定可选的 spindle-group 参数,您可以实现这一点。
Testssl 是一个免费的命令行工具,可检查任何端口上的服务器服务是否支持 TLS/SSL 密码、协议以及最近的加密缺陷等。有关更多信息,请转到测试 TLS/SSL 加密本超链接将引导您访问非 Dell Technologies 运营的网站。

Affected Products

Microsoft Windows Server 2016, Microsoft Windows Server 2019, Microsoft Windows Server 2022, Microsoft Windows Server 2025, Red Hat Enterprise Linux Version 7, Red Hat Enterprise Linux Version 9, Red Hat Enterprise Linux Version 8 , SUSE Linux Enterprise Server 15, Ubuntu Server LTS, VMware ESXi 7.x, VMware ESXi 8.x ...

Products

Converged Infrastructure, Data Center Infrastructure, Desktops & All-in-Ones, Gateways & Embedded PCs, Electronics & Accessories, Laptops, Networking, Security, Servers, Software, Solutions, Storage, Tablets, Thin Clients, Workstations
Article Properties
Article Number: 000211907
Article Type: How To
Last Modified: 18 Jul 2025
Version:  7
Find answers to your questions from other Dell users
Support Services
Check if your device is covered by Support Services.