文章編號: 000211907
一般程序:如何使用 OpenSSL 和 Keytool 命令檢查、驗證和轉換 SSL 憑證
摘要: 如何使用 OpenSSL 和 keytool 命令檢查、驗證和轉換憑證。
文章內容
說明
如何顯示憑證的內容:
- 在 OpenSSL 中顯示憑證內容的命令:
$ openssl x509 -in <cert_file_name> -noout -text
範例輸出:
$ openssl x509 -in sin1091.cer -noout -text Certificate: Data: Version: 3 (0x2) Serial Number: dd:a5:5c:60:f9:b7:16:9e Signature Algorithm: sha256WithRSAEncryption Issuer: CN=CA, DC=vsphere, DC=local, C=US, ST=California, O=sin1090, OU=VMware Validity Not Before: May 24 10:29:00 2017 GMT Not After : Feb 19 12:22:39 2027 GMT Subject: CN=sin1091.eu.degussanet.com, C=US Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit) Modulus: 00:c3:24:d9:23:08:32:ca:0e:f9:60:58:f0:8b:04: 6e:db:73:b1:83:a1:73:44:09:30:d7:64:6e:2f:26: e5:87:fd:b9:f3:e6:10:78:32:f5:7c:8b:7f:c1:06: d5:d1:42:d3:d8:e0:d0:84:91:c8:1c:4e:7e:2b:af: 65:36:5e:87:b0:43:4c:fa:ae:ca:c3:23:2d:75:15: 6a:d5:5f:66:6b:40:f6:c5:48:7a:8d:e5:f1:dd:4e: aa:eb:89:65:8a:7e:69:eb:35:4f:75:56:88:24:48: c7:9b:19:fb:39:43:ee:8a:bb:f5:1a:9b:b5:a3:47: b1:60:ee:9a:72:f6:7b:d0:1f:ed:73:64:5f:e9:60: 75:64:03:25:a3:41:38:6d:06:22:dc:22:70:ae:9d: b5:f8:26:7a:8e:d6:05:b1:97:67:89:ac:2c:b3:83: 8b:31:33:a8:7e:30:58:2c:10:42:ef:b6:05:98:ca: 6c:01:c9:47:9e:01:6e:be:c6:bc:cd:9f:e8:bc:8f: 94:70:f1:21:af:ae:b4:fd:76:db:a7:88:fc:e5:d7: ea:08:eb:58:b9:41:37:af:7b:ec:f8:a1:b0:09:a7: b9:b7:18:5b:a7:8e:b9:2f:b0:71:2a:3d:46:8b:c6: 4a:23:43:d9:21:94:2e:0e:e9:40:07:61:22:2e:b4: 08:27 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Subject Alternative Name: DNS:sin1091.eu.degussanet.com X509v3 Subject Key Identifier: D7:4D:DB:D4:00:3A:45:A8:4E:5E:9A:60:DB:C0:94:EA:C0:94:75:DC X509v3 Authority Key Identifier: keyid:5F:81:58:14:37:20:61:1D:BC:47:F2:97:AF:39:45:F0:A5:A9:19:F4 Signature Algorithm: sha256WithRSAEncryption 99:9c:b1:e5:b2:9d:b1:ef:65:8f:3b:de:87:16:01:6e:bb:a2: 37:cc:13:28:a2:a1:0b:88:04:c8:85:d0:34:19:d0:3d:41:e4: d3:6f:54:6f:ce:0d:25:a5:f1:c4:8e:cd:e3:e4:ca:92:1f:67: 3a:bd:27:21:59:37:67:a6:71:53:a4:ab:e5:d4:2c:a4:8f:a4: f3:c9:de:6f:5f:f5:80:38:3f:9e:87:24:c7:dc:9e:d3:45:93: a1:4e:31:db:20:df:84:86:06:c8:39:21:9d:04:57:1f:a2:17: 9b:e4:c7:77:61:73:9b:fe:b2:ac:66:ad:14:50:3a:82:65:10: 3d:bc:15:0b:08:60:79:c1:d1:55:28:25:a4:9b:95:ae:c3:52: 31:66:e9:a3:08:57:4c:ff:5a:ac:5e:09:6c:89:5b:cc:43:ad: 0a:e5:dd:b7:8a:6a:be:e7:52:e9:cf:c9:4a:38:77:05:4c:00: ca:22:2e:e8:8d:a2:37:da:38:bc:5e:ce:2d:aa:5d:44:c8:58: cb:7e:a4:be:fb:0b:b3:b4:88:66:ed:8b:ac:41:b8:8d:8b:48: e5:1a:8e:45:ba:be:42:a3:39:07:85:f5:09:91:c3:38:d5:bf: 73:3d:ba:6c:5c:cf:bc:4b:f9:3e:7b:9c:a6:bb:2b:10:c4:87: 76:35:f1:0d
- 顯示使用 keytool 儲存在金鑰存放區的憑證或金鑰對的命令。PrivateKeyEntry 表示同時儲存私密金鑰和憑證鏈項目。TrustedCertEntry 表示它僅儲存受信任的憑證和憑證鏈結項目:
$ keytool -list -v -in <keystore_file_name>
範例輸出
* * * *
* * * *
Alias name: vcenter_ca Creation date: Mar 31, 2023 Entry type: trustedCertEntry Owner: CN=vc.x400.sh, OU=Dell EMC, O=Dell EMC, L=Shanghai, ST=Shanghai, C=CN Issuer: CN=vc.x400.sh, OU=Dell EMC, O=Dell EMC, L=Shanghai, ST=Shanghai, C=CN Serial number: 840f560790ff8a93 Valid from: Fri Mar 31 18:51:25 CST 2023 until: Sat Mar 30 18:51:25 CST 2024 Certificate fingerprints: SHA1: 69:F4:39:70:C8:A4:EC:64:C1:46:04:81:44:A1:30:3C:A9:71:12:D0 SHA256: 6C:D7:62:58:BE:AC:A3:D7:25:84:1F:65:93:23:4C:35:5F:25:B6:D2:A0:67:A1:FD:8C:A9:62:3A:D9:0E:24:D3 Signature algorithm name: SHA256withRSA Subject Public Key Algorithm: 3072-bit RSA key Version: 3* * *
如何顯示憑證指紋或拇指指紋:
- 預設在 OpenSSL 中顯示憑證指紋的命令是 OpenSSL 中的 sha1 指紋。與其他憑證進行比較時,請確保使用相同的哈希演演演算法:
$ openssl x509 -in <certificate file> -noout -fingerprint [-sha1 or -sha256 or -sha512]
範例輸出:
$ openssl x509 -in server.pem -noout -fingerprint SHA1 Fingerprint=DD:48:AE:B1:D5:7D:DF:B9:A4:B3:A9:4A:C4:CF:76:6C:C1:CE:3A:C9
- 預設在 keytool 中顯示憑證指紋的命令為 sha256:
$ keytool -list -keystore <keystore file>
範例輸出:
$ keytool -list -keystore mykeystore.p12 -storepass Idpa_1234 Keystore type: PKCS12 Keystore provider: JsafeJCE Your keystore contains 3 entries website, Mar 31, 2023, trustedCertEntry, Certificate fingerprint (SHA-256): E8:16:50:4E:9A:F1:48:7F:8E:12:8B:C2:51:DD:45:7B:26:0D:5F:81:49:17:77:3F:35:6F:B2:8E:2B:A0:12:42 tomcat, Mar 31, 2023, PrivateKeyEntry, Certificate fingerprint (SHA-256): CD:CD:9B:3A:9A:78:CF:3C:B8:5A:21:AF:9B:BF:4B:3F:1B:7F:91:D0:38:6B:FF:14:23:FB:8E:46:AE:90:9D:E0 vcenter_ca, Mar 31, 2023, trustedCertEntry, Certificate fingerprint (SHA-256): 6C:D7:62:58:BE:AC:A3:D7:25:84:1F:65:93:23:4C:35:5F:25:B6:D2:A0:67:A1:FD:8C:A9:62:3A:D9:0E:24:D3
如何在不同格式之間轉換憑證和私密金鑰:
(在 教程教師
中瞭解不同的SSL證書格式)
- 將憑證格式從 DER 轉換為 PEM:
$ openssl x509 -in <certificate file in DER format> -inform DER -out <certificate file in PEM format>
- 將憑證格式從 PKCS7 轉換為 PEM
$ openssl pkcs7 -print_certs -in <certificate file in PKCS7 format> -inform DER -out <certificate file in PEM format>
- 將憑證和私密金鑰格式從 PKCS12 轉換為 PEM。
(第一個命令是擷取 PEM 格式的憑證檔案,第二個命令是擷取 PEM 格式的私密金鑰檔案。)
$ openssl pkcs12 -in <certificate file in PKCS12 format> -name <alias name> -nokeys -out <certificate file in PEM format> $ openssl pkcs12 -in <certificate file in PKCS12 format> -name <alias name> -nodes -nocerts -out <private key file in PEM format>
- 將憑證或私密金鑰對檔案從 PEM 轉換為 PKCS12 金鑰存放區
(在此範例中,PEM 憑證檔案為 server.crt、私密金鑰檔案server.key、金鑰存放區別名設定為「mykeypair」,而 pkcs12 金鑰存放區檔案為 mykeystore.p12)
$ openssl pkcs12 -export -in <certificate file in PEM format> -inkey <private key file in PEM format> -name <alias name> -out <keystore file in PKCS12 format>
如何使用 OpenSSL 在 HTTPS 交握中驗證憑證
- 使用下列其中一個命令驗證憑證:
$ openssl s_client -CApath <path_to_certs> -connect <VC_FQDN>:443 -showcerts Or $ openssl s_client -CApath <path_to_certs> -host <VC_FQDN> -port:443 -showcerts
成功的範例輸出 (此命令可能需要一段時間才能完成執行):
$ openssl s_client -CApath /tmp/certs/ -connect 10.10.10.100:443 -showcerts CONNECTED(00000104) --- Certificate chain 0 s:/CN=vc18.externalvc.com/C=US i:/CN=CA/DC=vsphere/DC=local/C=US/ST=California/O=psc18.externalvc.com/OU=VMware -----BEGIN CERTIFICATE----- MIIDoDCCAoigAwIBAgIJAM/DCNs2KXy+MA0GCSqGSIb3DQEBCwUAMIGPMQswCQYD VQQDDAJDQTEXMBUGCgmSJomT8ixkARkWB3ZzcGhlcmUxFTATBgoJkiaJk/IsZAEZ FgVsb2NhbDELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExHTAbBgNV BAoMFHBzYzE4LmV4dGVybmFsdmMuY29tMQ8wDQYDVQQLDAZWTXdhcmUwHhcNMTcw NjMwMDUzOTE4WhcNMjcwNjI1MDUzNDI0WjArMRwwGgYDVQQDDBN2YzE4LmV4dGVy bmFsdmMuY29tMQswCQYDVQQGEwJVUzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC AQoCggEBAL1X4Skcl6kjCw3I2vJqvOTFwdQXL87/EqQkuhKfOy87+lo78jdobtAj CqtSV8bszbiJAEftZEWkX6OF45tM1fBmMvuDUMw4rFqV6q0vuBd1LE94SQQIrkb6 ze/U+EyDX2eIPWGL63f4XoGLfrx/hxHxGDhLpZBMUiUi7ccIlduNHRjJaW7HDorI g/ABHX2xhU4Sf+E5KWO5INByvtiyVabiUGeDt+9foX78aSvvmsqonW+Bq3yJi65R m2FOxsXNSLMbtdQ/aS6vCl5LYu7Snku6vAfloDNX5grUhU/iHdxXHkAFAXLIzQPt FK92P8zBLykDwP+cLzud/KO9CfqskPUCAwEAAaNiMGAwHgYDVR0RBBcwFYITdmMx OC5leHRlcm5hbHZjLmNvbTAdBgNVHQ4EFgQUpXe8h597EnWIks76bOf9y+51/lYw HwYDVR0jBBgwFoAU3tDxXouzxNX7qfWfrBTRHdo+Pu8wDQYJKoZIhvcNAQELBQAD ggEBAHvy40eQ2I8eUFFvEOng2MFAbJH3ZZs2I3w0XuyAMosO4Sw0JYo0hhDLBBZ1 Fw7IyRj6jtbvI3UlPLq6NofJUaweo5aphlSPxmbZSl/DcteS4pusujv4lT/h9J95 dc0KrFR7abX9rsv0nQQ78wrzE5CUva6TkXOQKg8oxaachYPwKi0zR1vFR56jTt9f Hq9Z1lXYkg4JzSu+H4diOs/KNKZYiU+QsD+94I2GjopajYWVSTBkiGAOObG2/inb L2UJW2rK3PASm2M8+x92V0hqlkxBYcvQpjEjuJep2+Ah6iuQIgW21OForIPxqbcu PD5PwMn6eV4mVP7/mWdAfkGtY8I= -----END CERTIFICATE----- --- Server certificate subject=/CN=vc18.externalvc.com/C=US issuer=/CN=CA/DC=vsphere/DC=local/C=US/ST=California/O=psc18.externalvc.com/OU=VMware --- No client certificate CA names sent Peer signing digest: SHA512 Server Temp Key: ECDH, P-256, 256 bits --- SSL handshake has read 1412 bytes and written 434 bytes --- New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384 Server public key is 2048 bit Secure Renegotiation IS supported Compression: NONE Expansion: NONE No ALPN negotiated SSL-Session: Protocol : TLSv1.2 Cipher : ECDHE-RSA-AES256-GCM-SHA384 Session-ID: Session-ID-ctx: Master-Key: 70FD868AA56807820DDAC23C2FAB3F2C1A5C683426F2924AEE8D9B52EBCD3F256EC4892D281F90F0F32A2A1C7DD0FB01 Key-Arg : None PSK identity: None PSK identity hint: None SRP username: None Start Time: 1500280372 Timeout : 300 (sec) Verify return code: 0 (ok) --- depth=1 CN = CA, DC = vsphere, DC = local, C = US, ST = California, O = psc18.externalvc.com, OU = VMware verify return:1 depth=0 CN = vc18.externalvc.com, C = US verify return:1 read:errno=0
失敗的範例輸出:
$ openssl s_client -CApath /tmp/certs/ -host 10.62.91.64 -port 443 -showcerts CONNECTED(00000124) --- Certificate chain 0 s:/CN=vc18.externalvc.com/C=US i:/CN=CA/DC=vsphere/DC=local/C=US/ST=California/O=psc18.externalvc.com/OU=VMware -----BEGIN CERTIFICATE----- MIIDoDCCAoigAwIBAgIJAM/DCNs2KXy+MA0GCSqGSIb3DQEBCwUAMIGPMQswCQYD VQQDDAJDQTEXMBUGCgmSJomT8ixkARkWB3ZzcGhlcmUxFTATBgoJkiaJk/IsZAEZ FgVsb2NhbDELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExHTAbBgNV BAoMFHBzYzE4LmV4dGVybmFsdmMuY29tMQ8wDQYDVQQLDAZWTXdhcmUwHhcNMTcw NjMwMDUzOTE4WhcNMjcwNjI1MDUzNDI0WjArMRwwGgYDVQQDDBN2YzE4LmV4dGVy bmFsdmMuY29tMQswCQYDVQQGEwJVUzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC AQoCggEBAL1X4Skcl6kjCw3I2vJqvOTFwdQXL87/EqQkuhKfOy87+lo78jdobtAj CqtSV8bszbiJAEftZEWkX6OF45tM1fBmMvuDUMw4rFqV6q0vuBd1LE94SQQIrkb6 ze/U+EyDX2eIPWGL63f4XoGLfrx/hxHxGDhLpZBMUiUi7ccIlduNHRjJaW7HDorI g/ABHX2xhU4Sf+E5KWO5INByvtiyVabiUGeDt+9foX78aSvvmsqonW+Bq3yJi65R m2FOxsXNSLMbtdQ/aS6vCl5LYu7Snku6vAfloDNX5grUhU/iHdxXHkAFAXLIzQPt FK92P8zBLykDwP+cLzud/KO9CfqskPUCAwEAAaNiMGAwHgYDVR0RBBcwFYITdmMx OC5leHRlcm5hbHZjLmNvbTAdBgNVHQ4EFgQUpXe8h597EnWIks76bOf9y+51/lYw HwYDVR0jBBgwFoAU3tDxXouzxNX7qfWfrBTRHdo+Pu8wDQYJKoZIhvcNAQELBQAD ggEBAHvy40eQ2I8eUFFvEOng2MFAbJH3ZZs2I3w0XuyAMosO4Sw0JYo0hhDLBBZ1 Fw7IyRj6jtbvI3UlPLq6NofJUaweo5aphlSPxmbZSl/DcteS4pusujv4lT/h9J95 dc0KrFR7abX9rsv0nQQ78wrzE5CUva6TkXOQKg8oxaachYPwKi0zR1vFR56jTt9f Hq9Z1lXYkg4JzSu+H4diOs/KNKZYiU+QsD+94I2GjopajYWVSTBkiGAOObG2/inb L2UJW2rK3PASm2M8+x92V0hqlkxBYcvQpjEjuJep2+Ah6iuQIgW21OForIPxqbcu PD5PwMn6eV4mVP7/mWdAfkGtY8I= -----END CERTIFICATE----- --- Server certificate subject=/CN=vc18.externalvc.com/C=US issuer=/CN=CA/DC=vsphere/DC=local/C=US/ST=California/O=psc18.externalvc.com/OU=VMware --- No client certificate CA names sent Peer signing digest: SHA512 Server Temp Key: ECDH, P-256, 256 bits --- SSL handshake has read 1412 bytes and written 434 bytes --- New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384 Server public key is 2048 bit Secure Renegotiation IS supported Compression: NONE Expansion: NONE No ALPN negotiated SSL-Session: Protocol : TLSv1.2 Cipher : ECDHE-RSA-AES256-GCM-SHA384 Session-ID: Session-ID-ctx: Master-Key: 85731E71188EF310D68C658099C62C11374845CAF00A0AF90F8B35118171C7D0002A76380AB2B4574C720DB178FA3297 Key-Arg : None PSK identity: None PSK identity hint: None SRP username: None Start Time: 1500281143 Timeout : 300 (sec) Verify return code: 21 (unable to verify the first certificate) --- depth=0 CN = vc18.externalvc.com, C = US verify error:num=20:unable to get local issuer certificate verify return:1 depth=0 CN = vc18.externalvc.com, C = US verify error:num=21:unable to verify the first certificate verify return:1 read:errno=0
如何離線驗證 vCenter 憑證
如果您無法連線至 vCenter 及線上驗證,我們可以從網頁瀏覽器匯出 vCenter 憑證,並儲存至檔案進行驗證。- 將檔案從 DER 轉換為 PEM 格式。
- 使用下列命令進行驗證:
$openssl verify -CApath <path_to_certs> <certificate_file>
注意:此命令僅接受 PEM 格式的憑證檔案做為目標。
如何使用 OpenSSL 驗證私密或公鑰對
- 計算私密金鑰模數雜湊值:
$ openssl rsa -modulus -noout -in <private key file> | openssl md5
- 計算憑證模數雜湊值:
$ openssl x509 -modulus -noout -in <certificate file> | openssl md5
如果兩個哈希字串相同,則表示密鑰對匹配。否則,它不是有效的密鑰對。
範例輸出:
openssl rsa -modulus -noout -in server.key | openssl md5 (stdin)= b69cd7fc0b07ffef0a577e1e325ab015 openssl x509 -modulus -noout -in server.crt | openssl md5 (stdin)= b69cd7fc0b07ffef0a577e1e325ab015
文章屬性
受影響的產品
Data Protection
產品
Converged Infrastructure, Data Center Infrastructure, Desktops & All-in-Ones, Gateways & Embedded PCs, Electronics & Accessories, Laptops, Networking, Security, Servers, Software, Solutions, Storage, Tablets, Thin Clients, Workstations
上次發佈日期
10 4月 2023
版本
3
文章類型
How To