Openssl is introduced

Cryptography standard and we often see the Internet protocol, is a kind of everyone abide by the convention and standard, such as PKCS#1 specifies how to generate RSA secret key, public and private key format and other content, x509 standard specifies the certificate format.

OpenSSL is essentially a tool set that implements commonly used encryption algorithms, certificate generation, signature, and verification according to mainstream cryptography standards.

Because the information on the network is more miscellaneous, some are older versions, and some are incomplete, so a little summary of their own, convenient after re-access. The purpose of learning OpenSSL is to deepen the understanding of the basic content of cryptography and verify some knowledge points. Developers who are not cryptography do not need to study the source code of OpenSSL for the time being. It is better to supplement the algorithms, C/C++, compilation principles, data structures and other low-level knowledge. Therefore, this article will only outline the use framework and mainstream functions of OpenSSL. The complete functions and their origins are beyond the scope of this article.

This article will be divided into three categories to describe the use of OpenSSL instructions, including only the common instructions: DGST, ENC, RSA instruction set, REQ, X509, PKCS12. CA instruction is not studied because it is seldom used in ordinary times.

Asymmetric encryption

OpenSSL implements a total of four asymmetric encryption algorithms, including DH algorithm, RSA algorithm, DSA algorithm and elliptic curve algorithm (EC). DH algorithm Common user key exchange. The RSA algorithm can be used for both key exchange and digital signing, and, of course, data encryption if you can tolerate its slowness. DSA algorithm is generally only used for digital signature, here the main demonstration OF RSA algorithm, need to use DH algorithm can study pKEY instruction set.

  • Genrsa instruction

Genrsa instruction has been replaced by the more comprehensive genpkey instruction, but because of its relatively simple, pure function, can be used as a basis for learning Genpkey. In addition, some of the more detailed functions in Genpkey are not available at this stage, using GenRSA to directly generate private keys is relatively simple and convenient, easy to master. The optional parameters are as follows:

usage: genrsa [args] [numbits]
 -out file       output the key to 'file'(Output file name) -passout arg output file pass phrasesource(Set a password for the output file, unlike the symmetric algorithm, which encrypts the private key result, which encrypts the file)-f4             use F4 (0x10001) forThe E value(65537 is used as the value of E. In the RSA algorithm, E is used in the following scenarios: 1< E <φ(n), default) -3 Use 3forThe E value(3 is used as the value of E, not the default) // The following is the symmetric encryption option. -des ENCRYPT the generated key with DESin cbc mode
-des3           encrypt the generated key with DES in ede cbc mode (168 bit key)
-aes128, -aes192, -aes256
                 encrypt PEM output with cbc aes
-camellia128, -camellia192, -camellia256
                 encrypt PEM output with cbc camellia
Copy the code

Genrsa is connected with two parameters, the first option parameter, the second is the length of the M value in the RSA algorithm, generally 1024, the higher security level bit 2048. Where, if the symmetric encryption algorithm is not set, the private key result will not be encrypted; if it is not empty, the secret key to be used in the symmetric algorithm is required to be entered, as follows:

1. Generate a private key

openssl genrsa -out private.pem 1024 Generating RSA private key, 1024 bit long modulus .............. + + + + + +... ++++++ e is 65537 (0x10001)Copy the code

The results are as follows:

2. Generate a private key and use the symmetric algorithm to encrypt the secret key

openssl genrsa -aes128 -out private.pem 1024 Generating RSA private key, 1024 bit long modulus .................................................... + + + + + +... ++++++ e is 65537 (0x10001) Enter pass phrasefor private.pem:123456
Verifying - Enter pass phrase for private.pem:123456
Copy the code

Results:

  • Rsa instruction

Rsa has many functions, such as managing secret keys. The main function is to extract the public key from the private key and view the structure information of the secret key. You can use -help to view:

usage: Rsa [options] -check Check the validity of the secret key. -in file Name of the input file. -Inform format Format of the input file (DER, NET or PEM (default)) -modulus prints the MODULUS key -out file Specifies the output file name -outform format Specifies the output file format (DER, NET or PEM (default PEM)) -passin SRC Password of the input file -passout SRC Password of the output file -pubin This command indicates that the public key is entered. The default private key is used. -pubout This command indicates that the public key needs to be output. Default private key output - SGckey what it is? -text Prints informationCopy the code

The optional cipherName values, such as -aes-192 -cbc, can be viewed by using the -help command. They are not listed here. The main functions are shown as follows:

1. View key information

openssl rsa -in private.pem -text
Copy the code

Results:

Extract the public key from the private key

openssl rsa -in private.pem -pubout -out public.pem
Copy the code

3. Add/remove/change the symmetric encryption password for the secret key

Pem -des3 -passout pass:123456 -out e_rsa. pem // Remove the password protection for the RSA key openssl RSA -in E_rsa. pem -passin pass:123456 -out p_rsa. pem // Change the encryption algorithm to AES128, Pem -passin pass:123456 -aes128 -passout pass:123456 -out e_rsa.pemCopy the code

4. Convert the secret key format

// Convert the pem format to der format, Openssl rsa -in rsa. pem -passin pass:123456 -des -passout pass:123456 -outform der -out rsa.derCopy the code
  • Rsautl instruction

While the above two commands generate and manage the secret key, the rsautl directive is concerned with the specific use of the secret key, that is, how to use the RSA secret key to encrypt and decrypt operations.

Usage: Rsautl [options] // Input file (encrypted/decrypted/signed) and output file -in file Operated file -out file Output file after the operation is complete // Input secret key -inkey file Secret key used during the operation // Concentrated filling mode  -ssl use SSL v2 padding -raw use no padding -pkcs use PKCS# 1 v1.5 padding (default)
-oaep           use PKCS#1 OAEP-sign signs with the private key -verify signs with the public key -encrypt encrypts with the public key -decrypt decrypts with the private key -passin arg If the secret key has been symmetrically encrypted, // Others -keyForm arg Indicates the private key format. By default, pem-pubin indicates that the public key is entered. -certin Indicates that the certificate carrying the RSA public key is enteredCopy the code

1. Use public key encryption

Note that both the rsautl and pkeyutl directives in OpenSSL can only be decrypted using the private key, but both public and private keys can be used for encryption.

That is, when using the private key for encryption, you need to use the private key for decryption, and when using the public key for encryption, you still need to use the private key for decryption. Guess the reason is that the private key can extract the public key, so after using the private key for encryption, the public key is divided first, and then the public key is used for encryption? In order to understand the encryption standard and its implementation, the instructions are as follows:

openssl rsautl -encrypt -in plain.text -inkey public.pem -out encrypt.text 
Copy the code

Note: Why is the ciphertext result different each time the same plaintext is encrypted with a key? Because random numbers are filled according to the filling mode during RSA encryption, the encryption results are different each time.

2. Use the private key to decrypt

openssl rsautl -decrypt -in encrypt.text -inkey private.pem -out replain.text
Copy the code

3. Sign with the private key

openssl rsautl -sign -in plain.text -inkey private.pem -out signed.text
Copy the code

4. Use the public key to check the signature

Use -pubin to indicate that the entered secret key is a public key

openssl rsautl -verify -in signed.text -pubin -inkey public.pem -out verify.text
Copy the code

The algorithm

Abstract algorithms are often used for digital signatures, which technically consist of two steps: generating a summary and signing. Firstly, the abstract algorithm is used to compute the summary of the original text, and then the private key of the signer is used to sign the summary.

The hash function encryption in OpenSSL is mainly using the DGST command. You can also directly use the corresponding algorithm instruction, such as MD5. You can also directly use -help to view the option (actually typing a non-existing option to passively pop-up the prompt). However, due to the OpenSSL version, the command clutter, such as the MD5 directive can also specify other algorithm types, can be a pain.

In short, remember one, just use DGST directive to encrypt, it can be used in three scenarios:

1. Calculation summary

The calculation summary is formatted as follows:

Openssl DGST [Algorithm name] [File to compute abstracts]Copy the code

The available algorithms are -md4, -md5, -ripemd160, -sha, -sha1, -sha224, -sha256, -sha512, -sha384, and -wirlpool. You can run the openssl DGST -help command to view the algorithms

For example, 🌰 :

// Go to the corresponding foldercd/ Users/caoxk/Demo/opensslTest / / using the sha1 algorithm for plain. This paper calculated the text file, including plain. The contents of the text is 123456 openssl DGST - sha1 plain. The textCopy the code

Results:

SHA1(plain.text)= 7c4a8d09ca3762af61e59520943dc26494f8941b
Copy the code

Compared to the results of online encryption:

2. Use the private key to sign

Still follow DGST [instruction] [filename] format

// Hash plain.text using the default md5, Pem private key is used to sign the hash value and output it to the test.text file in hexadecimal format. Openssl DGST -sign privately. pem -hex-out test.text plain.textCopy the code

Results:

3. Use the public key to verify the signature

openssl dgst -verify public.pem -signature test.text plain.text 
Copy the code

Results:

Verified OK
Copy the code

Note That validation fails when using hex output. The hex command is only for demonstration purposes and needs to be removed for real use. The same is true of the -hexdump command in RSA.

Symmetric encryption

OpenSSL provides a total of eight symmetric encryption algorithms, and supports four common block cipher encryption modes: electronic cipher-book mode (ECB), Encrypted Block link mode (CBC), encrypted feedback mode (CFB), and output feedback mode (OFB). This is illustrated in the ECB mode of AES128.

The enC instruction parameters are as follows:

usage: enc -ciphername [-AadePp] [-base64] [-bufsize number] [-debug]
    [-in file] [-iv IV] [-K key] [-k password]
    [-kfile file] [-md digest] [-none] [-nopad] [-nosalt]
    [-out file] [-pass arg] [-S salt] [-salt]

 -a/-base64 Output/decryption using base64-ddecryption-eIn file Specifies the file to be encrypted or decrypted. -iv iv offset is not required in ECB mode. -k key Specifies the key used in symmetric encryption. Will require input from the keyboard - out file output file - p print - salt this option as the default values, which means the default random salt, use - nosalt cancel manually specify salt salt - S valueCopy the code

Enc will salt the key by default, so the result will be different from the online AES encryption. You can use -s to manually specify the value of salt, but the specific salt algorithm is not known.

// Use aes-128 algorithm in ECB mode to salt the secret key 123 by default, then perform symmetric encryption for plain.text, and output the result to openssl enc in result.text-e -aes-128-ecb -in plain.text -p -k 123 -a- out the result. The text / / salt salt = EF3004BF880585F5 / / salt after the key key = 32 bdf1964b275bf4f7a344d066e3a23e / / after the base64 encryption result value U2FsdGVkX1/vMAS/iAWF9XW23uJDpttgH/3J0n18R30=Copy the code

Decryption:

openssl enc -d -aes-128-ecb -in result.text -p -k 123 -a/ / salt information has been included in the result. The text file, don't need to input a salt again = 041 c31ba86ca7d29 key = DED2653F37157BC56C7D52919D6FF828 123456Copy the code

New asymmetric encryption instructions

After the openSSL update, there is a pkey series of three instructions genpkey, pkey, pkeyutl, and the original genrsa, RSA, rsautl one to one.

The new instruction set only combines and extends the functionality of crude oil, so these instructions are not the focus of this article. The detailed use of these instructions can be viewed in the OpenSSL genpkey -help. Here are just a few of the most commonly used instructions:

1.genpkeyGenerate the private key

// Generate a private key in pem format using rsa algorithm with a random length of 1024 and output it to the rsa_pri.key file. Print the private key/public key parameter/structure text in the file. Openssl genpkey -out rsa_pri. Key -outform PEM -algorithm RSA -pkeyopt rsa_keygen_bits:1024 -textCopy the code

Results:

2,pkeyExtract the public key from the private key

The pkey command processes public or private keys. They can be converted from one form to another and their structure printed out. The instructions are as follows:

-passin arg Indicates the password of the input file. -outform X Indicates the output format (DER/PEM). -out file Indicates the output file. -pubin reads the private key by default. This option specifies that the public key is read in. -pubout outputs the private key by default, and this option outputs the public key, which is used to generate a public key from the private keyCopy the code

Extract the public key from the private key:

openssl pkey -in private.pem -pubout -out public.pem
Copy the code

Results:

3. Pkeyutl encryption and decryption

// Public key encryption openSSL pkeyutl -encrypt-in plain.text -inkey public.pem -out encrypt.text // Private key encryption openSSL pkeyutl -decrypt -in  encrypt.text -inkey private.pem -out decrypt.textCopy the code

4. Pkeyutl signature and verification

openssl pkeyutl -sign -in plain.text -inkey private.pem -out signed.text

openssl pkeyutl -verify -pubin -inkey public.pem -in plain.text -sigfile signed.text  -out verify.text
Copy the code

Certificate of class

The cryptography standard related to the certificate format is PKCS#10, which specifies the format of CSR files. Req directive is based on this standard to realize the generation, viewing, verification, self-signing and other functions of CSR files.

  • The req instruction

You can use req as follows: req [options]

outfile. The options are:

[new/x509] When the -new option is used, the certificate request is generated. When the X509 option is used, the self-signed certificate is generated. [/key/ newKey /keyout] Key and newkey are mutually exclusive. Key specifies an existing key file. Newkey automatically generates a key when a certificate request or self-signed certificate is generated, and the generated key name is specified by the keyout parameter. When the newkey option is specified, rsa:bits indicates that an RSA key is generated, and bits are specified. Specify dSA :file to generate the DSA key. File refers to the parameter file (generated by DSaparam) that generates the DSA key. [in/out/inform/outform/keyform]

inThe out option specifies the certificate request or self-signed certificate file name when viewing the certificate request content or generating a self-signed certificate, or the public key file name (when using the Pubkey option), and other output information. Inform, OutForm, and keyForm are specified respectivelyin, out, and key. The default file format is PEM. [pubkey/noout/text/ Default] text Prints all the information in the request file (excluding the public key). Pubkey extracts the public key in the CSR file, and noout does not output the request content in the CSR file. By default, only request content is printed. In addition to the above main parameters, there are many other parameters, not described one by one, interested readers can check reQ's MAN manualCopy the code

1. Generate a CSR file

The CSR file is generated and output using the privately. pem private key, during which personal information is required

openssl req -new -key private.pem -out request.csr
Copy the code

The original RSA key is used to generate the certificate request file. The -batch option is specified and the information about the applicant is not asked. The body information is specified by the subj command line, and the public key is displayed

openssl req -new -key RSA.pem -passin pass:123456 -out client.pem -subj /C=AU/ST=Some-State/O=Internet -pubkey
Copy the code

Automatically generates a 1024-bit RSA key and a certificate request file. The -nodes file is specified. The key file is not encrypted

openssl req -new -newkey rsa:1024 -out client.pem -keyout RSA.pem -subj /C=AU/ST=Some-State/O=Internet -nodes
Copy the code

2. View/verify the CSR file

By default, only the CSR content is displayed. -text displays all the structure of the CSR content. -noout does not display the CSR content

openssl req -in request.csr -noout -text
Copy the code

Results:

3. Extract the public key from the CSR file

openssl req -in request.csr -pubkey
Copy the code

Results:

4. Generate a self-signed certificate

-X509 requires three parameters: the certificate request file CSR, the private key for signing the certificate, and the certificate output file

// Use privy. pem private key to sign the request file of request. CSR and output openSSL req -x509 -in request. CSR -out client.cer -key privy. pemCopy the code

Results:

Viewing the contents of the certificate is covered in the next instruction, X509.

  • X509 instruction

OpenSSL implements x.509 standard codec for certificates, PKCS#12 codec and PKCS#7 codec. It also provides a text database to support certificate management functions, including certificate key generation, request generation, certificate issuance, revocation and verification.

In fact, the CA application provided by OpenSSL is a small certificate Management center (CA) that implements the entire certificate issuing process and most of the mechanisms for certificate management.

This directive is rich in functions such as viewing certificate information, signing certificates as a pseudo-CA authority (just like the REQ-X509 directive), converting certificate formats, and so on. Because there are too many functions, only the most important and commonly used functions are introduced here:

1. View the certificate file information

The default certificate is in PEM format. Openssl x509 -in apple. cer -text -inform DERCopy the code

Results:

2. View the public key in the certificate

// Print only the public key in the certificate, but not the certificate. Openssl x509 -in iOS_develop. cer -inform DER -pubkey -nooutCopy the code

3. Convert the certificate format

openssl x509 -in apple.cer -inform DER -out cert.pem -outform PEM
Copy the code

4. Sign the CSR file

This is the same as REQ-X509 and will not be repeated here.

  • As PKCS12 instruction

PKCS# standard has 1-15, the specific content can go to the network, after the text will also be a brief analysis of some of the mainstream standards of cryptography. OpenSSL is based on these standards to implement some of the functions used.

The PKCS#12 standard defines the format of personally identifiable information, including private keys, certificates, various secrets, and extended fields. The P12 file is a private key file, which can contain only private keys or certificates and private keys. Commonly used for users to move their personally identifiable information between devices.

In iOS, developers generate CSR files with their private keys and then download a certificate from apple’s official website. This certificate can only be used by the developer. Others cannot use the certificate because they do not have a private key corresponding to the certificate. The p12 file can be shared with others, who can use the certificate to sign the code after installing the private key on their computer. However, it seems that there is no need to share p12 files in the new version, so we can verify the results and explore the principle when we have time.

Common functions are as follows:

1. Extract the private key from the P12 file

Note that you must add -Nodes otherwise the encryption password is required to encrypt the private key by default

openssl pkcs12 -in caoxk1107-private.p12 -out private.pem -nodes
Copy the code

-nodes:

CaoxkdeMacBook -pro :opensslTest caoxk$openSSL pkcs12 -in caoxk1107- privately. p12 -out privately. pem // Enter the password of the p12 file Import Password: MAC Verified OK // Enter the Password of the encrypted exported PEM file. Enter PEM pass Phrase: caoxkdeMacBook-Pro:opensslTest caoxk$Copy the code

Results:

Input – nodes:

CaoxkdeMacBook -pro :opensslTest caoxk$openSSL pkcs12 -in caoxk1107- privately. p12 -out privately. pem -nodes // Only the password of the P12 file is required Enter Import Password: MAC verified OK caoxkdeMacBook-Pro:opensslTest caoxk$Copy the code

Results:

2. Synthesize the certificate and private key into a P12 file

openssl pkcs12 -export -in alicecert.pem -inkey alicekey.pem -certfile cacert.pem -out alice.p12 
Copy the code

3. View the P12 file

In the previous command, -text is used to view information. In the pkcs12 command, -info is used to view the contents of the P12 file. Note that -nodes is still used; otherwise, the private key will be encrypted and will not be displayed.

View the P12 file exported from the private key when creating the CSR file:

 openssl pkcs12 -in caoxk1107-private.p12 -nodes -info
Copy the code

Results:

MAC Iteration 1
MAC verified OK
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048
Bag Attributes
    friendlyName: caoxk1107
    localKeyID: 17 E6 1A 74 F3 38 00 05 46 B4 B1 42 18 1A FC 34 9B AB DB 08 
Key Attributes: <No Attributes>
-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDRaMHFhRycODXw
D7JBQ8N/JbN/PeXEqLuvXNa9MtCvAf2lhsm90dwyUyfiLcWVHO1Xz2SmySAC3Rpw
6h0XRpGSGCDl7jqx9yFkZwTw/cVco0K4iP473aa+3+x7CboTyrgKEKP+uwEVZINO
/zGIf9QAg2F9dV1A3jxzZYmWvAzmfWq62n76gqUN2Fs0TDFBV0bFUNuw0SUZQpXQ
Ex/j18kGCps+Y8ab0sVy9O+shKUYjdhURwniXJkHI2T0SYMHg844KshWh8FMit74
s7cUkgdPQd09Ubj7oBGN/XfcysMx5tgevXXhw9yqZLv+2dFEVzn6NKvxg7HNBY3u
r/a37fPTAgMBAAECggEAElQA4bDM2D9zORemml+79JzwIOrh+VxrUOXnRZf0+9xI
vvwVHDAJ/b2ZeApZiLuHanAUdySTUKzZa5iSAz+B7i9+caFwMbNXkNoTbKRJadpA
NLaIyeSUe5BNulcXmjPb98WNFPZ5Gc46T+e2BiRqAcF9/uUOzGanE9KHQFIlLucS
riBfYyvJw1S/AVoHvlBk6wldvnB5IRdcHHBdl+bLofBTxkDXcLDikhttxps9ix3P
YecuPEs5TkBiredYO9tJKCPYkcz2rdBioQHCRBsx3LInVzkVHEHrVLBbt9T3wgBA
IA+pliuUeVV/HeelqLGMwYQBlCmSxiZ5/gKF8zQ6wQKBgQDss5BaBg89sP68Rr6J
ba4j72pThoaeO+kYPGNeWKz9zhT3phf81NjxQ/THuJTPJ0bWhoKz58/HP1LTL9W1
lsihU7VNa7kVqOteWTDNkli087Kes5iqoWJVdLrJv2Tn+4EXltX0L5Musquord7v
3AE6dar9aleDzEp0wFr/x7wv5wKBgQDie4yqVLXzXOqnlPXdAsjEx7IC/ysgUsuD
HrvOBzjq9nGilk4IjGgCdzZujn3A80UcPN8boCcrVSDc0qTM8MCqD8t+8yEgRLD6
UA1MgUQfqZKictpsuwsNkQ/2OqUSPkCGUaSqfucCuYJtfxf/vbRfEYkvxShMuI1j
9bewWFqPNQKBgQCgeAOu5FjEzA+GeLeH19GtDwyYX6U39QnLonUDaz6sOmBAnFu6
zlndBuMV228XGVuO6FYHvWpBfA6cmdtaZkTSCjvpptQteP1IU1Mgqsx0sJoxuTQQ
yaQupxpS1+yC0SDtaxbVmsM/b2Wsz2NKXW5/wXIQp115PrBjglyu9yv/lQKBgAaD
oTcg+p7GVGV/jlbOBrJKQB9/8WCboQjjcGlrocJ4VipkAliSmUdA4IrrhEhxdtJq
Gcy0nYvMhgZz9JOEdTYvAB5lpdVExIZemRNTQH9cpEAR56Bq/NVmD7x4UVkl+zsh
zAevYLueVFcL6cfMUAzP908tb4xNXpu6bI8g63HlAoGAQNEzqSzVoLDpeeMUbo5y
OtCcT5p4Rin8VBG/izUFo6vXfeDcQU/VDaegDDokEvrPIGymxu1CHIfqF+E81KrK
cY/YmTkk9q6/jzFfJVQIZ29Y40kPBnEeWc1ij/H0ImwsUmKyvOh2Bq9wiFx4RHw+
LnXrKAC9CEnvZUmpam41UQ0=
-----END PRIVATE KEY-----
Copy the code

View the P12 file exported via the certificate in the keychain

openssl pkcs12 -in privateKeyFromKeychain.p12 -info -nodes
Copy the code

Results:

PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048
Certificate bag
Bag Attributes
    friendlyName: iPhone Developer: yue hu (ZJ7BM73MA2)
    localKeyID: 17 E6 1A 74 F3 38 00 05 46 B4 B1 42 18 1A FC 34 9B AB DB 08 
subject=/UID=JUNRCFGNSU/CN=iPhone Developer: yue hu (ZJ7BM73MA2)/OU=3BFC8YW44Z/O=Wuhan New World Jewelry Co., Ltd./C=US
issuer=/C=US/O=Apple Inc./OU=Apple Worldwide Developer Relations/CN=Apple Worldwide Developer Relations Certification Authority
-----BEGIN CERTIFICATE-----
MIIFpzCCBI+gAwIBAgIIKFFF+H2MnPUwDQYJKoZIhvcNAQELBQAwgZYxCzAJBgNV
BAYTAlVTMRMwEQYDVQQKDApBcHBsZSBJbmMuMSwwKgYDVQQLDCNBcHBsZSBXb3Js
ZHdpZGUgRGV2ZWxvcGVyIFJlbGF0aW9uczFEMEIGA1UEAww7QXBwbGUgV29ybGR3
aWRlIERldmVsb3BlciBSZWxhdGlvbnMgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkw
HhcNMTkxMTA3MDYyNTAwWhcNMjAxMTA2MDYyNTAwWjCBmjEaMBgGCgmSJomT8ixk
AQEMCkpVTlJDRkdOU1UxLjAsBgNVBAMMJWlQaG9uZSBEZXZlbG9wZXI6IHl1ZSBo
dSAoWko3Qk03M01BMikxEzARBgNVBAsMCjNCRkM4WVc0NFoxKjAoBgNVBAoMIVd1
aGFuIE5ldyBXb3JsZCBKZXdlbHJ5IENvLiwgTHRkLjELMAkGA1UEBhMCVVMwggEi
MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDRaMHFhRycODXwD7JBQ8N/JbN/
PeXEqLuvXNa9MtCvAf2lhsm90dwyUyfiLcWVHO1Xz2SmySAC3Rpw6h0XRpGSGCDl
7jqx9yFkZwTw/cVco0K4iP473aa+3+x7CboTyrgKEKP+uwEVZINO/zGIf9QAg2F9
dV1A3jxzZYmWvAzmfWq62n76gqUN2Fs0TDFBV0bFUNuw0SUZQpXQEx/j18kGCps+
Y8ab0sVy9O+shKUYjdhURwniXJkHI2T0SYMHg844KshWh8FMit74s7cUkgdPQd09
Ubj7oBGN/XfcysMx5tgevXXhw9yqZLv+2dFEVzn6NKvxg7HNBY3ur/a37fPTAgMB
AAGjggHxMIIB7TAMBgNVHRMBAf8EAjAAMB8GA1UdIwQYMBaAFIgnFwmpthhgi+zr
uvZHWcVSVKO3MD8GCCsGAQUFBwEBBDMwMTAvBggrBgEFBQcwAYYjaHR0cDovL29j
c3AuYXBwbGUuY29tL29jc3AwMy13d2RyMDEwggEdBgNVHSAEggEUMIIBEDCCAQwG
CSqGSIb3Y2QFATCB/jCBwwYIKwYBBQUHAgIwgbYMgbNSZWxpYW5jZSBvbiB0aGlz
IGNlcnRpZmljYXRlIGJ5IGFueSBwYXJ0eSBhc3N1bWVzIGFjY2VwdGFuY2Ugb2Yg
dGhlIHRoZW4gYXBwbGljYWJsZSBzdGFuZGFyZCB0ZXJtcyBhbmQgY29uZGl0aW9u
cyBvZiB1c2UsIGNlcnRpZmljYXRlIHBvbGljeSBhbmQgY2VydGlmaWNhdGlvbiBw
cmFjdGljZSBzdGF0ZW1lbnRzLjA2BggrBgEFBQcCARYqaHR0cDovL3d3dy5hcHBs
ZS5jb20vY2VydGlmaWNhdGVhdXRob3JpdHkvMBYGA1UdJQEB/wQMMAoGCCsGAQUF
BwMDMB0GA1UdDgQWBBQX5hp08zgABUa0sUIYGvw0m6vbCDAOBgNVHQ8BAf8EBAMC
B4AwEwYKKoZIhvdjZAYBAgEB/wQCBQAwDQYJKoZIhvcNAQELBQADggEBAFM9T1dB
P5JXQ6cj9QOgLWaIBfdo3WRT/H3ZXBmaIuJVCjlAbK1QORQt3xBgGoqp68fPC6rl
Z/jikrgNuVFt1bsRxM60xkhBMbYKSlGU4SuwJK7vjH5/z1VcEqiep0MRNnFzruih
gahBWFYUhSJ4R87SoszIULxwF8xzZHMqcZgrOkydOSIMhKLgDOGOj80wpvnj/uDP
Mo8EUr1zaIS+T0BBWdnOV5gp7ZOzTT2ws/h0SI79sxVwesUAw8S0d1WjazsiCvSm
MGbHD3lW+3l+4O334l5CKfTSa9HzUMGazio+6GZ3D8KKgW7trfRvhHjqWjjCBLx0
sfXPbULNRAyEFFE=
-----END CERTIFICATE-----
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048
Bag Attributes
    friendlyName: caoxk1107
    localKeyID: 17 E6 1A 74 F3 38 00 05 46 B4 B1 42 18 1A FC 34 9B AB DB 08 
Key Attributes: <No Attributes>
-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDRaMHFhRycODXw
D7JBQ8N/JbN/PeXEqLuvXNa9MtCvAf2lhsm90dwyUyfiLcWVHO1Xz2SmySAC3Rpw
6h0XRpGSGCDl7jqx9yFkZwTw/cVco0K4iP473aa+3+x7CboTyrgKEKP+uwEVZINO
/zGIf9QAg2F9dV1A3jxzZYmWvAzmfWq62n76gqUN2Fs0TDFBV0bFUNuw0SUZQpXQ
Ex/j18kGCps+Y8ab0sVy9O+shKUYjdhURwniXJkHI2T0SYMHg844KshWh8FMit74
s7cUkgdPQd09Ubj7oBGN/XfcysMx5tgevXXhw9yqZLv+2dFEVzn6NKvxg7HNBY3u
r/a37fPTAgMBAAECggEAElQA4bDM2D9zORemml+79JzwIOrh+VxrUOXnRZf0+9xI
vvwVHDAJ/b2ZeApZiLuHanAUdySTUKzZa5iSAz+B7i9+caFwMbNXkNoTbKRJadpA
NLaIyeSUe5BNulcXmjPb98WNFPZ5Gc46T+e2BiRqAcF9/uUOzGanE9KHQFIlLucS
riBfYyvJw1S/AVoHvlBk6wldvnB5IRdcHHBdl+bLofBTxkDXcLDikhttxps9ix3P
YecuPEs5TkBiredYO9tJKCPYkcz2rdBioQHCRBsx3LInVzkVHEHrVLBbt9T3wgBA
IA+pliuUeVV/HeelqLGMwYQBlCmSxiZ5/gKF8zQ6wQKBgQDss5BaBg89sP68Rr6J
ba4j72pThoaeO+kYPGNeWKz9zhT3phf81NjxQ/THuJTPJ0bWhoKz58/HP1LTL9W1
lsihU7VNa7kVqOteWTDNkli087Kes5iqoWJVdLrJv2Tn+4EXltX0L5Musquord7v
3AE6dar9aleDzEp0wFr/x7wv5wKBgQDie4yqVLXzXOqnlPXdAsjEx7IC/ysgUsuD
HrvOBzjq9nGilk4IjGgCdzZujn3A80UcPN8boCcrVSDc0qTM8MCqD8t+8yEgRLD6
UA1MgUQfqZKictpsuwsNkQ/2OqUSPkCGUaSqfucCuYJtfxf/vbRfEYkvxShMuI1j
9bewWFqPNQKBgQCgeAOu5FjEzA+GeLeH19GtDwyYX6U39QnLonUDaz6sOmBAnFu6
zlndBuMV228XGVuO6FYHvWpBfA6cmdtaZkTSCjvpptQteP1IU1Mgqsx0sJoxuTQQ
yaQupxpS1+yC0SDtaxbVmsM/b2Wsz2NKXW5/wXIQp115PrBjglyu9yv/lQKBgAaD
oTcg+p7GVGV/jlbOBrJKQB9/8WCboQjjcGlrocJ4VipkAliSmUdA4IrrhEhxdtJq
Gcy0nYvMhgZz9JOEdTYvAB5lpdVExIZemRNTQH9cpEAR56Bq/NVmD7x4UVkl+zsh
zAevYLueVFcL6cfMUAzP908tb4xNXpu6bI8g63HlAoGAQNEzqSzVoLDpeeMUbo5y
OtCcT5p4Rin8VBG/izUFo6vXfeDcQU/VDaegDDokEvrPIGymxu1CHIfqF+E81KrK
cY/YmTkk9q6/jzFfJVQIZ29Y40kPBnEeWc1ij/H0ImwsUmKyvOh2Bq9wiFx4RHw+
LnXrKAC9CEnvZUmpam41UQ0=
-----END PRIVATE KEY-----
Copy the code

Remarks As can be clearly seen from the result, the p12 file after being exported contains the certificate and private key that have been installed in the keystring (only the private key matching the certificate can be successfully installed). The P12 file exported from the private key when the CSR file is generated contains only the private key.

  • CA commands

The CA directive is equivalent to OpenSSL’s internal implementation of a small CA system that issues certificate requests and generates CRLS, and maintains a textual database of the status of issued certificates. The use of this directive is not discussed in this article because it is rarely used in practice.

Next time

So far, the main functions of OpenSSL are introduced. If there are any errors, please kindly correct them. Also, how exactly does man Comman work? No manual entry for RSA If there is a master know, also please inform, thanks very much!

Some terms will be explained and summarized later, and practices will be made based on the application of certificates in iOS, the use of HTTPS, and the iOS signature mechanism.