PowerEdge: Come controllare, convalidare e convertire un certificato SSL utilizzando i comandi OpenSSL e Keytool
摘要: Come controllare, convalidare e convertire i certificati SSL utilizzando OpenSSL e Keytool. Questo articolo include i comandi per PEM, DER, PKCS12 e i controlli delle impronte digitali dei certificati. ...
本文章適用於
本文章不適用於
本文無關於任何特定產品。
本文未識別所有產品版本。
說明
Come visualizzare il contenuto di un certificato:
- Comando per mostrare il contenuto del certificato in OpenSSL:
$ openssl x509 -in <cert_file_name> -noout -text
Output di esempio:
$ openssl x509 -in sin1091.cer -noout -text Certificate: Data: Version: 3 (0x2) Serial Number: dd:a5:5c:60:f9:b7:16:9e Signature Algorithm: sha256WithRSAEncryption Issuer: CN=CA, DC=vsphere, DC=local, C=US, ST=California, O=sin1090, OU=VMware Validity Not Before: May 24 10:29:00 2017 GMT Not After : Feb 19 12:22:39 2027 GMT Subject: CN=sin1091.eu.degussanet.com, C=US Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit) Modulus: 00:c3:24:d9:23:08:32:ca:0e:f9:60:58:f0:8b:04: 6e:db:73:b1:83:a1:73:44:09:30:d7:64:6e:2f:26: e5:87:fd:b9:f3:e6:10:78:32:f5:7c:8b:7f:c1:06: d5:d1:42:d3:d8:e0:d0:84:91:c8:1c:4e:7e:2b:af: 65:36:5e:87:b0:43:4c:fa:ae:ca:c3:23:2d:75:15: 6a:d5:5f:66:6b:40:f6:c5:48:7a:8d:e5:f1:dd:4e: aa:eb:89:65:8a:7e:69:eb:35:4f:75:56:88:24:48: c7:9b:19:fb:39:43:ee:8a:bb:f5:1a:9b:b5:a3:47: b1:60:ee:9a:72:f6:7b:d0:1f:ed:73:64:5f:e9:60: 75:64:03:25:a3:41:38:6d:06:22:dc:22:70:ae:9d: b5:f8:26:7a:8e:d6:05:b1:97:67:89:ac:2c:b3:83: 8b:31:33:a8:7e:30:58:2c:10:42:ef:b6:05:98:ca: 6c:01:c9:47:9e:01:6e:be:c6:bc:cd:9f:e8:bc:8f: 94:70:f1:21:af:ae:b4:fd:76:db:a7:88:fc:e5:d7: ea:08:eb:58:b9:41:37:af:7b:ec:f8:a1:b0:09:a7: b9:b7:18:5b:a7:8e:b9:2f:b0:71:2a:3d:46:8b:c6: 4a:23:43:d9:21:94:2e:0e:e9:40:07:61:22:2e:b4: 08:27 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Subject Alternative Name: DNS:sin1091.eu.degussanet.com X509v3 Subject Key Identifier: D7:4D:DB:D4:00:3A:45:A8:4E:5E:9A:60:DB:C0:94:EA:C0:94:75:DC X509v3 Authority Key Identifier: keyid:5F:81:58:14:37:20:61:1D:BC:47:F2:97:AF:39:45:F0:A5:A9:19:F4 Signature Algorithm: sha256WithRSAEncryption 99:9c:b1:e5:b2:9d:b1:ef:65:8f:3b:de:87:16:01:6e:bb:a2: 37:cc:13:28:a2:a1:0b:88:04:c8:85:d0:34:19:d0:3d:41:e4: d3:6f:54:6f:ce:0d:25:a5:f1:c4:8e:cd:e3:e4:ca:92:1f:67: 3a:bd:27:21:59:37:67:a6:71:53:a4:ab:e5:d4:2c:a4:8f:a4: f3:c9:de:6f:5f:f5:80:38:3f:9e:87:24:c7:dc:9e:d3:45:93: a1:4e:31:db:20:df:84:86:06:c8:39:21:9d:04:57:1f:a2:17: 9b:e4:c7:77:61:73:9b:fe:b2:ac:66:ad:14:50:3a:82:65:10: 3d:bc:15:0b:08:60:79:c1:d1:55:28:25:a4:9b:95:ae:c3:52: 31:66:e9:a3:08:57:4c:ff:5a:ac:5e:09:6c:89:5b:cc:43:ad: 0a:e5:dd:b7:8a:6a:be:e7:52:e9:cf:c9:4a:38:77:05:4c:00: ca:22:2e:e8:8d:a2:37:da:38:bc:5e:ce:2d:aa:5d:44:c8:58: cb:7e:a4:be:fb:0b:b3:b4:88:66:ed:8b:ac:41:b8:8d:8b:48: e5:1a:8e:45:ba:be:42:a3:39:07:85:f5:09:91:c3:38:d5:bf: 73:3d:ba:6c:5c:cf:bc:4b:f9:3e:7b:9c:a6:bb:2b:10:c4:87: 76:35:f1:0d
- Comando per visualizzare i certificati o le coppie di chiavi archiviati in un keystore utilizzando keytool. PrivateKeyEntry significa che archivia sia la chiave privata che le voci della catena di certificati. TrustedCertEntry significa che archivia solo certificati attendibili e voci della catena di certificati:
$ keytool -list -v -in <keystore_file_name>
Output di esempio
* * * *
Alias name: vcenter_ca Creation date: Mar 31, 2023 Entry type: trustedCertEntry Owner: CN=vc.x400.sh, OU=Dell EMC, O=Dell EMC, L=Shanghai, ST=Shanghai, C=CN Issuer: CN=vc.x400.sh, OU=Dell EMC, O=Dell EMC, L=Shanghai, ST=Shanghai, C=CN Serial number: 840f560790ff8a93 Valid from: Fri Mar 31 18:51:25 CST 2023 until: Sat Mar 30 18:51:25 CST 2024 Certificate fingerprints: SHA1: 69:F4:39:70:C8:A4:EC:64:C1:46:04:81:44:A1:30:3C:A9:71:12:D0 SHA256: 6C:D7:62:58:BE:AC:A3:D7:25:84:1F:65:93:23:4C:35:5F:25:B6:D2:A0:67:A1:FD:8C:A9:62:3A:D9:0E:24:D3 Signature algorithm name: SHA256withRSA Subject Public Key Algorithm: 3072-bit RSA key Version: 3
* * * *
Come mostrare l'impronta digitale o il pollice del certificato:
- Il comando per mostrare l'impronta digitale di un certificato in OpenSSL per impostazione predefinita è sha1 fingerprint in OpenSSL. Accertarsi di utilizzare lo stesso algoritmo hash durante il confronto con un altro certificato:
$ openssl x509 -in <certificate file> -noout -fingerprint [-sha1 or -sha256 or -sha512]
Output di esempio:
$ openssl x509 -in server.pem -noout -fingerprint SHA1 Fingerprint=DD:48:AE:B1:D5:7D:DF:B9:A4:B3:A9:4A:C4:CF:76:6C:C1:CE:3A:C9
- Il comando per mostrare l'impronta digitale del certificato in keytool per impostazione predefinita è sha256:
$ keytool -list -keystore <keystore file>
Output di esempio:
$ keytool -list -keystore mykeystore.p12 -storepass Idpa_1234 Keystore type: PKCS12 Keystore provider: JsafeJCE Your keystore contains 3 entries website, Mar 31, 2023, trustedCertEntry, Certificate fingerprint (SHA-256): E8:16:50:4E:9A:F1:48:7F:8E:12:8B:C2:51:DD:45:7B:26:0D:5F:81:49:17:77:3F:35:6F:B2:8E:2B:A0:12:42 tomcat, Mar 31, 2023, PrivateKeyEntry, Certificate fingerprint (SHA-256): CD:CD:9B:3A:9A:78:CF:3C:B8:5A:21:AF:9B:BF:4B:3F:1B:7F:91:D0:38:6B:FF:14:23:FB:8E:46:AE:90:9D:E0 vcenter_ca, Mar 31, 2023, trustedCertEntry, Certificate fingerprint (SHA-256): 6C:D7:62:58:BE:AC:A3:D7:25:84:1F:65:93:23:4C:35:5F:25:B6:D2:A0:67:A1:FD:8C:A9:62:3A:D9:0E:24:D3
Come convertire il certificato e la chiave privata tra diversi formati:
- Convertire il formato del certificato da DER a PEM:
$ openssl x509 -in <certificate file in DER format> -inform DER -out <certificate file in PEM format>
- Convertire il formato del certificato da PKCS7 a PEM
$ openssl pkcs7 -print_certs -in <certificate file in PKCS7 format> -inform DER -out <certificate file in PEM format>
- Convertire il formato del certificato e della chiave privata da PKCS12 a PEM.
(il primo comando consiste nell'estrarre il file di certificato in formato PEM, il secondo comando consiste nell'estrarre il file della chiave privata in formato PEM).
$ openssl pkcs12 -in <certificate file in PKCS12 format> -name <alias name> -nokeys -out <certificate file in PEM format> $ openssl pkcs12 -in <certificate file in PKCS12 format> -name <alias name> -nodes -nocerts -out <private key file in PEM format>
- Conversione di file di certificati o coppie di chiavi private da PEM a keystore PKCS12
(In questo esempio, il file di certificato PEM è server.crt, il file della chiave privata è server.key, l'alias del keystore è impostato su "
mykeypair," e il file dell'archivio chiavi pkcs12 è mykeystore.p12)
$ openssl pkcs12 -export -in <certificate file in PEM format> -inkey <private key file in PEM format> -name <alias name> -out <keystore file in PKCS12 format>
Come convalidare un certificato nell'handshake HTTPS utilizzando OpenSSL.
- Per convalidare il certificato, utilizzare uno dei seguenti comandi:
$ openssl s_client -CApath <path_to_certs> -connect <VC_FQDN>:443 -showcerts Or $ openssl s_client -CApath <path_to_certs> -host <VC_FQDN> -port:443 -showcerts
Esempio di output di esito positivo (l'esecuzione di questo comando potrebbe richiedere del tempo):
$ openssl s_client -CApath /tmp/certs/ -connect 10.10.10.100:443 -showcerts CONNECTED(00000104) --- Certificate chain 0 s:/CN=vc18.externalvc.com/C=US i:/CN=CA/DC=vsphere/DC=local/C=US/ST=California/O=psc18.externalvc.com/OU=VMware -----BEGIN CERTIFICATE----- MIIDoDCCAoigAwIBAgIJAM/DCNs2KXy+MA0GCSqGSIb3DQEBCwUAMIGPMQswCQYD VQQDDAJDQTEXMBUGCgmSJomT8ixkARkWB3ZzcGhlcmUxFTATBgoJkiaJk/IsZAEZ FgVsb2NhbDELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExHTAbBgNV BAoMFHBzYzE4LmV4dGVybmFsdmMuY29tMQ8wDQYDVQQLDAZWTXdhcmUwHhcNMTcw NjMwMDUzOTE4WhcNMjcwNjI1MDUzNDI0WjArMRwwGgYDVQQDDBN2YzE4LmV4dGVy bmFsdmMuY29tMQswCQYDVQQGEwJVUzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC AQoCggEBAL1X4Skcl6kjCw3I2vJqvOTFwdQXL87/EqQkuhKfOy87+lo78jdobtAj CqtSV8bszbiJAEftZEWkX6OF45tM1fBmMvuDUMw4rFqV6q0vuBd1LE94SQQIrkb6 ze/U+EyDX2eIPWGL63f4XoGLfrx/hxHxGDhLpZBMUiUi7ccIlduNHRjJaW7HDorI g/ABHX2xhU4Sf+E5KWO5INByvtiyVabiUGeDt+9foX78aSvvmsqonW+Bq3yJi65R m2FOxsXNSLMbtdQ/aS6vCl5LYu7Snku6vAfloDNX5grUhU/iHdxXHkAFAXLIzQPt FK92P8zBLykDwP+cLzud/KO9CfqskPUCAwEAAaNiMGAwHgYDVR0RBBcwFYITdmMx OC5leHRlcm5hbHZjLmNvbTAdBgNVHQ4EFgQUpXe8h597EnWIks76bOf9y+51/lYw HwYDVR0jBBgwFoAU3tDxXouzxNX7qfWfrBTRHdo+Pu8wDQYJKoZIhvcNAQELBQAD ggEBAHvy40eQ2I8eUFFvEOng2MFAbJH3ZZs2I3w0XuyAMosO4Sw0JYo0hhDLBBZ1 Fw7IyRj6jtbvI3UlPLq6NofJUaweo5aphlSPxmbZSl/DcteS4pusujv4lT/h9J95 dc0KrFR7abX9rsv0nQQ78wrzE5CUva6TkXOQKg8oxaachYPwKi0zR1vFR56jTt9f Hq9Z1lXYkg4JzSu+H4diOs/KNKZYiU+QsD+94I2GjopajYWVSTBkiGAOObG2/inb L2UJW2rK3PASm2M8+x92V0hqlkxBYcvQpjEjuJep2+Ah6iuQIgW21OForIPxqbcu PD5PwMn6eV4mVP7/mWdAfkGtY8I= -----END CERTIFICATE----- --- Server certificate subject=/CN=vc18.externalvc.com/C=US issuer=/CN=CA/DC=vsphere/DC=local/C=US/ST=California/O=psc18.externalvc.com/OU=VMware --- No client certificate CA names sent Peer signing digest: SHA512 Server Temp Key: ECDH, P-256, 256 bits --- SSL handshake has read 1412 bytes and written 434 bytes --- New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384 Server public key is 2048 bit Secure Renegotiation IS supported Compression: NONE Expansion: NONE No ALPN negotiated SSL-Session: Protocol : TLSv1.2 Cipher : ECDHE-RSA-AES256-GCM-SHA384 Session-ID: Session-ID-ctx: Master-Key: 70FD868AA56807820DDAC23C2FAB3F2C1A5C683426F2924AEE8D9B52EBCD3F256EC4892D281F90F0F32A2A1C7DD0FB01 Key-Arg : None PSK identity: None PSK identity hint: None SRP username: None Start Time: 1500280372 Timeout : 300 (sec) Verify return code: 0 (ok) --- depth=1 CN = CA, DC = vsphere, DC = local, C = US, ST = California, O = psc18.externalvc.com, OU = VMware verify return:1 depth=0 CN = vc18.externalvc.com, C = US verify return:1 read:errno=0
Esempio di output del guasto:
$ openssl s_client -CApath /tmp/certs/ -host 10.62.91.64 -port 443 -showcerts CONNECTED(00000124) --- Certificate chain 0 s:/CN=vc18.externalvc.com/C=US i:/CN=CA/DC=vsphere/DC=local/C=US/ST=California/O=psc18.externalvc.com/OU=VMware -----BEGIN CERTIFICATE----- MIIDoDCCAoigAwIBAgIJAM/DCNs2KXy+MA0GCSqGSIb3DQEBCwUAMIGPMQswCQYD VQQDDAJDQTEXMBUGCgmSJomT8ixkARkWB3ZzcGhlcmUxFTATBgoJkiaJk/IsZAEZ FgVsb2NhbDELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExHTAbBgNV BAoMFHBzYzE4LmV4dGVybmFsdmMuY29tMQ8wDQYDVQQLDAZWTXdhcmUwHhcNMTcw NjMwMDUzOTE4WhcNMjcwNjI1MDUzNDI0WjArMRwwGgYDVQQDDBN2YzE4LmV4dGVy bmFsdmMuY29tMQswCQYDVQQGEwJVUzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC AQoCggEBAL1X4Skcl6kjCw3I2vJqvOTFwdQXL87/EqQkuhKfOy87+lo78jdobtAj CqtSV8bszbiJAEftZEWkX6OF45tM1fBmMvuDUMw4rFqV6q0vuBd1LE94SQQIrkb6 ze/U+EyDX2eIPWGL63f4XoGLfrx/hxHxGDhLpZBMUiUi7ccIlduNHRjJaW7HDorI g/ABHX2xhU4Sf+E5KWO5INByvtiyVabiUGeDt+9foX78aSvvmsqonW+Bq3yJi65R m2FOxsXNSLMbtdQ/aS6vCl5LYu7Snku6vAfloDNX5grUhU/iHdxXHkAFAXLIzQPt FK92P8zBLykDwP+cLzud/KO9CfqskPUCAwEAAaNiMGAwHgYDVR0RBBcwFYITdmMx OC5leHRlcm5hbHZjLmNvbTAdBgNVHQ4EFgQUpXe8h597EnWIks76bOf9y+51/lYw HwYDVR0jBBgwFoAU3tDxXouzxNX7qfWfrBTRHdo+Pu8wDQYJKoZIhvcNAQELBQAD ggEBAHvy40eQ2I8eUFFvEOng2MFAbJH3ZZs2I3w0XuyAMosO4Sw0JYo0hhDLBBZ1 Fw7IyRj6jtbvI3UlPLq6NofJUaweo5aphlSPxmbZSl/DcteS4pusujv4lT/h9J95 dc0KrFR7abX9rsv0nQQ78wrzE5CUva6TkXOQKg8oxaachYPwKi0zR1vFR56jTt9f Hq9Z1lXYkg4JzSu+H4diOs/KNKZYiU+QsD+94I2GjopajYWVSTBkiGAOObG2/inb L2UJW2rK3PASm2M8+x92V0hqlkxBYcvQpjEjuJep2+Ah6iuQIgW21OForIPxqbcu PD5PwMn6eV4mVP7/mWdAfkGtY8I= -----END CERTIFICATE----- --- Server certificate subject=/CN=vc18.externalvc.com/C=US issuer=/CN=CA/DC=vsphere/DC=local/C=US/ST=California/O=psc18.externalvc.com/OU=VMware --- No client certificate CA names sent Peer signing digest: SHA512 Server Temp Key: ECDH, P-256, 256 bits --- SSL handshake has read 1412 bytes and written 434 bytes --- New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384 Server public key is 2048 bit Secure Renegotiation IS supported Compression: NONE Expansion: NONE No ALPN negotiated SSL-Session: Protocol : TLSv1.2 Cipher : ECDHE-RSA-AES256-GCM-SHA384 Session-ID: Session-ID-ctx: Master-Key: 85731E71188EF310D68C658099C62C11374845CAF00A0AF90F8B35118171C7D0002A76380AB2B4574C720DB178FA3297 Key-Arg : None PSK identity: None PSK identity hint: None SRP username: None Start Time: 1500281143 Timeout : 300 (sec) Verify return code: 21 (unable to verify the first certificate) --- depth=0 CN = vc18.externalvc.com, C = US verify error:num=20:unable to get local issuer certificate verify return:1 depth=0 CN = vc18.externalvc.com, C = US verify error:num=21:unable to verify the first certificate verify return:1 read:errno=0
Come convalidare il certificato vCenter offline:
Se non si è in grado di connettersi a vCenter e verificare online, è possibile esportare il certificato vCenter dal web browser e salvarlo in un file per la convalida.
- Convertire il file dal formato DER al formato PEM.
- Utilizzare il seguente comando per convalidare:
$openssl verify -CApath <path_to_certs> <certificate_file>
NOTA: Questo comando accetta come destinazione solo il file di certificato in formato PEM.
Come convalidare una coppia di chiavi pubbliche o private utilizzando OpenSSL:
- Calcolare un valore hash del modulo della chiave privata:
$ openssl rsa -modulus -noout -in <private key file> | openssl md5
- Calcolare un valore hash del modulo del certificato:
$ openssl x509 -modulus -noout -in <certificate file> | openssl md5
Se le due stringhe hash sono uguali, significa che la coppia di chiavi corrisponde. In caso contrario, non si tratta di una coppia di chiavi valida.
Output di esempio:
openssl rsa -modulus -noout -in server.key | openssl md5 (stdin)= b69cd7fc0b07ffef0a577e1e325ab015 openssl x509 -modulus -noout -in server.crt | openssl md5 (stdin)= b69cd7fc0b07ffef0a577e1e325ab015
其他資訊
Ulteriori informazioni:
- Scopri i diversi formati di certificati SSL su TutorialsTeacher
.
- Come utilizzare il
testssl.
Testssl è uno strumento gratuito a riga di comando che controlla il servizio di un server su qualsiasi porta per il supporto di crittografie TLS/SSL, protocolli, difetti crittografici recenti e altro ancora. Per ulteriori informazioni, consultare Test della crittografia TLS/SSL.
受影響的產品
Microsoft Windows Server 2016, Microsoft Windows Server 2019, Microsoft Windows Server 2022, Microsoft Windows Server 2025, Red Hat Enterprise Linux Version 7, Red Hat Enterprise Linux Version 9, Red Hat Enterprise Linux Version 8
, SUSE Linux Enterprise Server 15, Ubuntu Server LTS, VMware ESXi 7.x, VMware ESXi 8.x
...
產品
Converged Infrastructure, Data Center Infrastructure, Desktops & All-in-Ones, Gateways & Embedded PCs, Electronics & Accessories, Laptops, Networking, Security, Servers, Software, Solutions, Storage, Tablets, Thin Clients, Workstations文章屬性
文章編號: 000211907
文章類型: How To
上次修改時間: 18 7月 2025
版本: 7
向其他 Dell 使用者尋求您問題的答案
支援服務
檢查您的裝置是否在支援服務的涵蓋範圍內。