OpenSSL CLI key pair generation tool: personal usage notes

Preface

Personal notes on using the OpenSSL key pair generation tool, updated from time to time.


Getting help

```sh
openssl genpkey -h
```

The output is as follows:

```
Usage: genpkey [options]

General options:
-help Display this summary
-engine val Use engine, possibly a hardware device
-paramfile infile Parameters file
-algorithm val The public key algorithm
-quiet Do not output status while generating keys
-pkeyopt val Set the public key algorithm option as opt:value
-config infile Load a configuration file (this may load modules)

Output options:
-out outfile Output file
-outform PEM|DER output format (DER or PEM)
-pass val Output file pass phrase source
-genparam Generate parameters, not key
-text Print the in text
-* Cipher to use to encrypt the key

Provider options:
-provider-path val Provider load path (must be before 'provider' argument if required)
-provider val Provider to load (can be specified multiple times)
-propquery val Property query used when fetching algorithms
Order of options may be important! See the documentation.
```

Simple key pair generation commands


Private key generation

To generate a key pair you must specify at least an algorithm and the name of the output file.

For example, the following command generates an Ed25519 private key file named private-key-Ed25519.pem:

```sh
openssl genpkey -algorithm Ed25519 -out private-key-Ed25519.pem
```

Public key extraction

The public key can be extracted from the private key file.

For example, the following command extracts the corresponding Ed25519 public key from the private key file private-key-Ed25519.pem:

```sh
openssl pkey -in private-key-Ed25519.pem -pubout -out public-key-Ed25519.pem
```

Viewing public and private key contents

The pkey command can read an OpenSSL private key file and print the algorithm together with the private key and public key contents.

For example, the following command reads the algorithm, the private key and the public key from private-key-Ed25519.pem and displays them on screen:

```sh
openssl pkey -in private-key-Ed25519.pem -text -noout
```

An example of the output:

```
ED25519 Private-Key:
priv:
ea:f7:04:a2:20:b6:e8:65:40:65:ad:44:df:b4:9f:
9f:9b:6c:b6:8d:92:66:a9:73:96:cb:ae:aa:bd:52:
28:69
pub:
42:a3:68:18:8e:df:3e:0c:c0:49:29:ef:e3:27:c7:
31:75:b1:39:43:f4:26:2c:38:07:d4:d9:43:e1:a1:
70:45
```
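The `pub:` block in that dump is not stored separately; for Ed25519 it is computed from the 32 `priv:` bytes. The following script, an added example that is not part of the original post, re-derives the public key from the page's `priv:` bytes with a pure-Python Ed25519 implementation (RFC 8032, using only `hashlib`) and checks that it equals the page's `pub:` block. The colon-separated hex blocks are copied from the output above; the affine curve arithmetic is slow compared to a real library but is enough to show where the public key comes from.

```python
# Added example (not from the original post): re-derive the "pub:" value that
# `openssl pkey -text -noout` prints from the "priv:" value, using a
# pure-Python Ed25519 public-key derivation (RFC 8032). Only hashlib is needed.
import hashlib

# Sample input: the priv/pub blocks copied from the -text output on this page.
PAGE_PRIV_TEXT = """\
ea:f7:04:a2:20:b6:e8:65:40:65:ad:44:df:b4:9f:
9f:9b:6c:b6:8d:92:66:a9:73:96:cb:ae:aa:bd:52:
28:69"""
PAGE_PUB_TEXT = """\
42:a3:68:18:8e:df:3e:0c:c0:49:29:ef:e3:27:c7:
31:75:b1:39:43:f4:26:2c:38:07:d4:d9:43:e1:a1:
70:45"""


def parse_text_hex(block: str) -> bytes:
    """Turn a colon-separated hex block from `openssl pkey -text` into raw bytes."""
    return bytes.fromhex(block.replace(":", "").replace("\n", "").replace(" ", ""))


# --- minimal Ed25519 (RFC 8032 section 5.1), affine twisted-Edwards arithmetic ---
P = 2**255 - 19
D = (-121665 * pow(121666, P - 2, P)) % P
I_SQRT = pow(2, (P - 1) // 4, P)          # a square root of -1 mod P


def _inv(x: int) -> int:
    return pow(x, P - 2, P)


def _x_recover(y: int) -> int:
    """Recover the even x coordinate for a given y on the curve."""
    xx = (y * y - 1) * _inv(D * y * y + 1)
    x = pow(xx, (P + 3) // 8, P)
    if (x * x - xx) % P != 0:
        x = (x * I_SQRT) % P
    if x % 2 != 0:
        x = P - x
    return x


_BY = (4 * _inv(5)) % P
BASE = (_x_recover(_BY), _BY)             # the standard base point B


def _add(p1, p2):
    x1, y1 = p1
    x2, y2 = p2
    x3 = (x1 * y2 + x2 * y1) * _inv(1 + D * x1 * x2 * y1 * y2)
    y3 = (y1 * y2 + x1 * x2) * _inv(1 - D * x1 * x2 * y1 * y2)
    return (x3 % P, y3 % P)


def _scalar_mult(point, e: int):
    """Double-and-add, iterative so a 255-bit scalar never hits the recursion limit."""
    result = (0, 1)                       # neutral element
    for bit in bin(e)[2:]:
        result = _add(result, result)
        if bit == "1":
            result = _add(result, point)
    return result


def _encode_point(point) -> bytes:
    """Little-endian y with the parity of x in the top bit (32 bytes)."""
    x, y = point
    return (y | ((x & 1) << 255)).to_bytes(32, "little")


def ed25519_public_key(seed: bytes) -> bytes:
    """Public key for a 32-byte Ed25519 seed (the 'priv:' bytes OpenSSL prints)."""
    if len(seed) != 32:
        raise ValueError("Ed25519 seed must be 32 bytes")
    h = hashlib.sha512(seed).digest()
    a = int.from_bytes(h[:32], "little")
    a &= (1 << 254) - 8                   # clamp: clear bits 0-2 and bit 255
    a |= 1 << 254                         # clamp: set bit 254
    return _encode_point(_scalar_mult(BASE, a))


def page_key_matches() -> bool:
    """True if the page's pub: block is the public key of its priv: block."""
    return ed25519_public_key(parse_text_hex(PAGE_PRIV_TEXT)) == parse_text_hex(PAGE_PUB_TEXT)


if __name__ == "__main__":
    print("derived pub:", ed25519_public_key(parse_text_hex(PAGE_PRIV_TEXT)).hex())
    print("matches page:", page_key_matches())
```

Run it directly and compare the printed hex with the `pub:` block above; `page_key_matches()` does the comparison for you. The same function can be pointed at the `priv:` bytes of any Ed25519 key dumped with `openssl pkey -text`.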

General options


-engine

Specifies an engine; usually unnecessary (honestly, I don't know how to use it either).


-paramfile

Input parameters file.


-algorithm

Specifies the algorithm. The currently supported algorithms are RSA, RSA-PSS, EC, X25519, X448, Ed25519 and Ed448 (as of version 3.1.3).

For example, to generate an RSA-2048 private key (no parameter is needed here because RSA defaults to 2048 bits):

```sh
openssl genpkey -algorithm RSA -out RSA-2048-Private-Key.pem
```

-quiet

Prints no status information while generating the key, such as the entropy pool messages.


-pkeyopt

Sets the algorithm's security parameters. They are hard to list one by one here; see the OpenSSL documentation: /docs/manmaster/man1/openssl-genpkey.html

Which parameters are available depends on the algorithm chosen.

For example, this command generates an RSA-4096 private key:

```sh
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:4096 -out RSA-4096-Private-Key.pem
```

-config

Loads an external configuration file, for example:

```sh
openssl genpkey -algorithm RSA -out RSA-4096-Private-Key.pem -config my-config.cnf
```

I haven't yet worked out how to write the config file myself, so I won't give a misleading example here.


Output options


-out

Specifies the output file name, for example to write RSA-2048-Private-Key.pem:

```sh
openssl genpkey -algorithm RSA -out RSA-2048-Private-Key.pem
```

-outform

Specifies the output file format. Two formats are supported: PEM and DER.

**PEM (Privacy Enhanced Mail)**: a readable text format with boundary markers and a data type label; the content is Base64-encoded.

**DER (Distinguished Encoding Rules)**: a non-readable binary format; compact, with no boundary markers.

In general, PEM is the common choice for compatibility and readability, and it is the default.

To write the file in DER format, for example:

```sh
openssl genpkey -algorithm RSA -outform DER -out RSA-2048-Private-Key.der
```
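To make the PEM/DER relationship concrete, here is an added example (not part of the original post) that converts between the two with only the Python standard library and then walks the DER far enough to read the algorithm identifier. The sample input is a PKCS#8 PrivateKeyInfo constructed inline from the Ed25519 `priv:` bytes shown earlier on this page (the fixed 16-byte PKCS#8 prefix for Ed25519 is a well-known constant); the OID 1.3.101.112 is id-Ed25519, and RSA keys carry 1.2.840.113549.1.1.1 in the same position.

```python
# Added example (not from the original post): what -outform PEM versus DER
# actually changes. PEM is the DER bytes, Base64-encoded, between BEGIN/END
# markers; the key material is identical. A tiny DER walker then reads the
# PKCS#8 PrivateKeyInfo header to report the algorithm OID. Stdlib only.
import base64
import textwrap

# Constructed sample: PKCS#8 PrivateKeyInfo for the Ed25519 key on this page
# (version 0, AlgorithmIdentifier with OID 1.3.101.112, OCTET STRING seed).
ED25519_SEED = bytes.fromhex(
    "eaf704a220b6e8654065ad44dfb49f9f9b6cb68d9266a97396cbaeaabd522869")
SAMPLE_DER = bytes.fromhex("302e020100300506032b657004220420") + ED25519_SEED


def der_to_pem(der: bytes, label: str = "PRIVATE KEY") -> str:
    """Encode DER bytes as a PEM block with 64-character Base64 lines, as OpenSSL does."""
    body = base64.b64encode(der).decode("ascii")
    lines = textwrap.wrap(body, 64)
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


def pem_to_der(pem: str) -> bytes:
    """Strip the BEGIN/END markers and Base64-decode the body back to DER."""
    lines = []
    for line in pem.splitlines():
        line = line.strip()
        if line and not line.startswith("-----"):
            lines.append(line)
    return base64.b64decode("".join(lines))


def _read_tlv(buf: bytes, pos: int):
    """Read one DER tag-length-value at pos; returns (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(value: bytes) -> str:
    """Decode OID content octets into dotted form (first byte = 40*a + b, then base-128 arcs)."""
    first = value[0]
    arcs = [first // 40, first % 40]
    acc = 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                   # high bit clear ends the arc
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def pkcs8_algorithm_oid(der: bytes) -> str:
    """Algorithm OID from PrivateKeyInfo ::= SEQUENCE { version, AlgorithmIdentifier, ... }."""
    tag, info, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, _version, pos = _read_tlv(info, 0)       # INTEGER version
    if tag != 0x02:
        raise ValueError("expected INTEGER version")
    tag, alg_id, _ = _read_tlv(info, pos)         # AlgorithmIdentifier SEQUENCE
    if tag != 0x30:
        raise ValueError("expected AlgorithmIdentifier")
    tag, oid, _ = _read_tlv(alg_id, 0)            # OBJECT IDENTIFIER
    if tag != 0x06:
        raise ValueError("expected OID")
    return decode_oid(oid)


if __name__ == "__main__":
    pem = der_to_pem(SAMPLE_DER)
    print(pem)
    print("round trip ok:", pem_to_der(pem) == SAMPLE_DER)
    print("algorithm OID:", pkcs8_algorithm_oid(SAMPLE_DER))
```

`pem_to_der` accepts the text of any `.pem` written by genpkey, and `pkcs8_algorithm_oid` works on the `.der` from `-outform DER` unchanged, which is a quick way to check that a key file really contains the algorithm you expect before it is deployed.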

-pass

Much like a symmetric encryption key, the pass phrase for the output key file can be supplied in various ways, for example:

```sh
openssl genpkey -algorithm X25519 -out X25519-Private-Key.pem -pass pass:your_password
```

-genparam

Generates only parameters rather than a key. In this mode genpkey accepts more algorithms; the additional ones are DH and DSA.

For example, to generate DSA parameters:

```sh
openssl genpkey -algorithm DSA -genparam
```

An example of the output:

```
..+.....+..+.......+.+......+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*
...........................+.....+.+....+...................+.............+........+.......+........................+.+...........+.+.....+......+..............+.....................+...........+....+...+.+........+.....+...+..+..........+..+.+.....+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*
-----BEGIN DSA PARAMETERS-----
MIICKAKCAQEAruL2N9/nisKseg6CFjB/mXNC0FFRTcnecvbF+9eD6UepnH7mv0K1
+RFL8ECrHGxlYgAkLA9MN+ZiQQ7BSE6qQt0CEGMkgIW6GFUPt6opupB5Ql+qmEBo
uivQr44/VJKjC0vzli85I+UD2f24xrroqssAf4n9B4t22Bg6dxV2AGAfDLdzsNwQ
GITaruJmEj6Xkgyx3rx3KTvQfLtiHdMUJ9rBs5JonomNrEuX5kjf55chFub9IYDF
Vpjsp57hvEJmDU6kQKihkax69V+NmF4T8cs3kAukYfLn/VubbF+FOEZuzQQsAO5n
tGCedKsKmXCtxCgCqZu+FLIxil+A0w36OQIdAI4/RI2+Im2ZhBKGdtJ2Y8a9ndsU
w5bAokSt+tECggEAEct/e8totsdL3RkD+qMq31Gk58yZoda876Uej6YJYYgt7RwB
CCzOEYP/Hf/ditPSpJ4kFc8/qFp0nHAq4pctZKtywVE3T2XVwdzgBF0uLwIb505G
o92Gcb/eEir8mBxSOvVT6X1hmZsnwHehWyasYYcNrjdorH9UvQ9VwAE5nnkK/HLH
KxQ9P7MAdc6dGYxjFjW36ljlRCUvvNeeVPc+J5a0/JJxfm19YLatWaCnpfp1nHes
YsQ3QdB6LKWd7OFwP6lw+OEKWRc3XhczfUBzOBPqj/QBUfHCQX6PgUJyLgiZTD/N
YGOQzq0L9umxt/lrDQbrIKIuDLyWxe8gVyQ41g==
-----END DSA PARAMETERS-----
```
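Parameters on their own are only half the story: the point of -genparam is that the parameter file can later be handed to genpkey through -paramfile to generate a key. The script below is an added example, not part of the original post; it uses EC with a named curve selected via -pkeyopt instead of DSA so that the whole run takes milliseconds, and the file names under the temporary directory are my own choice. It then confirms the block types of both files and the curve OpenSSL reports for the generated key.

```sh
#!/bin/sh
# Added example (not from the original post): -genparam writes only the
# parameters; -paramfile then feeds them back into genpkey to make a key.
# EC with a named curve is used instead of DSA so the run is fast.
set -eu

# Write EC parameters for P-256 into the file named by $1
gen_ec_params() {
    openssl genpkey -genparam -algorithm EC \
        -pkeyopt ec_paramgen_curve:P-256 -out "$1"
}

# Generate a private key from a parameter file: $1 = params, $2 = key output
# (-algorithm must not be given here; the algorithm comes from the file)
gen_key_from_params() {
    openssl genpkey -paramfile "$1" -out "$2"
}

# Print the PEM block type on the first line of a file
pem_header() {
    head -n 1 "$1"
}

# Print the curve name OpenSSL reports for an EC private key (e.g. prime256v1)
key_curve_name() {
    openssl pkey -in "$1" -text -noout | sed -n 's/^ASN1 OID: //p'
}

if [ "${1:-}" = "run" ]; then
    dir=$(mktemp -d)
    gen_ec_params "$dir/ec-params.pem"
    gen_key_from_params "$dir/ec-params.pem" "$dir/ec-key.pem"
    pem_header "$dir/ec-params.pem"      # -----BEGIN EC PARAMETERS-----
    pem_header "$dir/ec-key.pem"         # -----BEGIN PRIVATE KEY-----
    key_curve_name "$dir/ec-key.pem"     # prime256v1
    rm -rf "$dir"
fi
```

Save it and run `sh genparam-demo.sh run`. The same two-step shape applies to DSA and DH parameters from the page's own example; only the parameter generation step is slower there.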

-text

Dumps the whole result of the algorithm straight to stdout, that is, prints it on screen, including the various intermediate parameters and the key itself. For example:

```sh
openssl genpkey -algorithm RSA -text
```

An example of the output:

```
..+...+..........+..+.........+....+...+++++++++++++++++++++++++++++++++++++++*.+.+............+...+......+.....+++++++++++++++++++++++++++++++++++++++*....+...........+...+.........+.......+...........+.........+...+.+..+...............+...+....+.....+.+.....+....+...........+......+.+.....+...+............+.........+....+..+...+......+....+..+....+.....+...+...+.......+......+......+...+......+...........+....+.........+..+......+.........+.............+..+.+...+......+.....+...+......+.+......+..+...+...+.......+..+.+......+......+........+.+......+............+......+.........+......+..............+...+.......+......+..........................++++++
..........+++++++++++++++++++++++++++++++++++++++*...+.............................+...+...+....+......+.....+.............+.....+..........+..+...+.+...+...+.....+.......+++++++++++++++++++++++++++++++++++++++*...............+....+........................+.....+.+.....+.......+..+.............+.....+....+......+........+.......+...............+.....+.........+...+.+..++++++
-----BEGIN PRIVATE KEY-----
[Base64 key body omitted]
-----END PRIVATE KEY-----
Private-Key: (2048 bit, 2 primes)
modulus:
00:a8:ee:7f:29:b9:ac:87:c8:08:74:95:4e:bf:41:
f2:fd:5e:b9:f2:5d:c3:0a:b3:8a:27:99:d3:e7:b5:
53:f6:50:ed:7b:8c:7b:d8:5d:2b:4d:2a:12:ca:26:
46:4a:12:d6:b4:c8:42:a2:85:d6:5d:3b:39:8d:00:
97:76:12:be:6e:55:63:a2:c5:00:30:a6:11:6e:ad:
a8:e4:9d:f1:1e:ad:f7:ba:74:e2:a2:4d:73:9b:58:
d8:e0:c1:c1:f0:ff:15:0e:4f:b1:4a:36:8a:7c:87:
90:c6:5f:9e:8e:c0:7c:d6:40:c9:9a:f5:f5:9a:ae:
ac:44:61:1d:fa:6f:ca:48:9e:8f:c3:ef:ea:ca:67:
1a:d9:68:93:9b:5a:87:b1:bb:f2:90:4f:42:42:ba:
c5:b5:aa:04:cc:8b:75:c5:5f:0e:3f:2f:3b:ff:8e:
83:ff:92:7a:31:98:02:33:19:be:7e:60:d4:40:2f:
d4:c8:66:2a:00:dc:0c:20:89:12:6b:81:03:5d:07:
d1:d0:4e:28:d9:a6:56:c9:ef:4e:5e:13:05:68:51:
23:35:01:d7:65:4b:ec:15:da:e8:55:49:24:e1:33:
f8:bc:ec:c4:2d:49:bb:2f:7e:45:19:6a:e6:0b:8a:
82:52:7f:16:86:59:6e:18:dd:86:de:ed:e8:f8:10:
bb:9f
publicExponent: 65537 (0x10001)
privateExponent:
1b:8e:1b:8b:f0:cf:65:ae:89:42:8b:00:37:4e:48:
96:6f:97:21:23:8e:26:f6:b6:38:53:6d:2f:44:72:
97:a1:07:bb:b9:64:92:1c:50:6d:db:c9:08:d4:49:
6e:d7:b7:d1:f1:40:7d:46:1b:7b:45:a7:d3:8a:1f:
2a:91:50:22:ab:26:ff:6b:e6:e6:08:90:9b:5f:14:
47:86:43:c8:5f:54:23:43:e1:9b:db:ca:59:b2:9a:
5d:be:fd:25:94:56:18:e9:82:df:ba:19:c8:ca:4c:
21:2f:83:ab:81:56:5b:94:61:ce:37:04:82:e0:af:
14:d0:4a:95:89:1a:93:d1:95:78:a6:16:74:d2:c0:
d1:ab:b8:01:74:6a:56:66:88:ed:89:86:c5:a9:07:
4a:95:47:3c:81:94:2e:4d:f7:76:59:65:df:f8:8b:
35:04:b7:60:7f:6f:aa:fa:1e:dc:62:bc:f3:b7:a4:
48:00:16:4e:c3:99:52:22:74:30:05:8c:85:f9:1f:
10:38:c6:df:31:6a:eb:7d:ab:83:64:be:9b:87:b6:
27:5a:46:55:c5:cf:4e:e1:e3:4d:27:5a:71:60:8c:
0c:d7:a4:3e:c2:84:04:1c:8c:8b:4d:1a:66:d7:28:
83:13:ba:cc:79:b5:db:51:28:1c:fb:a5:70:ad:ba:
a1
prime1:
00:d8:46:af:49:40:53:82:93:a6:69:78:27:9b:53:
ab:25:8f:e4:1c:02:77:3d:e5:76:97:b5:d8:35:2a:
1d:7b:20:84:93:2c:90:f5:a7:7b:52:9d:bc:e2:05:
69:a6:ba:0a:4b:f4:ff:2d:24:2e:b7:65:c7:5a:75:
8a:a7:70:cc:d8:72:d3:52:80:cb:8e:80:d5:8a:06:
d5:cf:1f:8a:b1:58:9f:09:2f:c2:38:16:df:0d:3a:
26:a3:7d:5a:27:4a:31:b3:f9:e9:8d:cd:69:cd:51:
d0:d8:c7:93:cf:c3:65:a4:0f:cd:a6:6c:03:8e:52:
ef:35:52:3e:21:e5:65:a2:f9
prime2:
00:c7:f5:ab:f0:10:d3:22:eb:45:80:45:dd:6f:6f:
e8:df:4b:bf:32:b9:27:f7:cd:37:bd:b3:95:e0:4a:
bd:a1:00:78:d7:d3:13:83:00:e0:04:89:7d:b9:dd:
46:de:f3:79:fd:a0:49:21:1c:c2:93:71:07:f3:ac:
88:28:27:71:b9:51:9e:8f:77:8d:ed:8a:aa:e9:7a:
3c:a0:cb:19:4e:a4:7f:a0:ad:28:b0:1d:ce:e2:dd:
66:56:c7:7d:64:8c:10:a6:a0:58:02:41:40:5f:1f:
85:14:63:3c:0e:aa:f6:60:a0:2d:c6:e2:55:6f:62:
e8:3f:df:74:91:a9:76:61:57
exponent1:
72:3c:23:a9:d5:48:46:d8:26:35:df:39:4c:59:cd:
34:71:e4:52:c7:1a:a4:9e:e7:1d:0a:f7:c0:5d:16:
65:4a:af:bb:ec:f6:44:4a:ca:60:c0:e0:5b:a1:f0:
44:18:50:07:fe:c8:29:d7:ca:b5:24:15:40:3a:85:
9a:1b:82:97:71:4f:1d:6c:da:17:d3:04:f7:7a:d4:
c4:2a:2c:df:af:a7:90:fa:a0:e3:6f:71:31:53:5d:
c5:4d:18:a9:58:0f:18:b9:10:1b:ce:3b:ec:2f:22:
d8:dd:d1:bd:13:c0:43:ff:f4:e7:ca:75:b6:5f:27:
ea:4a:1e:77:58:eb:6e:41
exponent2:
22:58:9f:7c:ef:d6:e4:63:97:1f:8e:60:97:b8:98:
3e:6a:ab:5f:d2:0f:fc:6f:82:88:92:25:47:4e:6f:
3e:0d:6f:b4:5a:ac:3a:4f:57:2b:50:56:89:2b:69:
f5:f7:ca:57:77:45:b8:6b:51:3c:b4:28:92:81:6b:
2d:c2:80:b5:3d:40:c8:11:d8:0e:1a:48:7b:2c:24:
e7:d5:9a:f6:38:29:37:f7:26:4b:02:03:bc:52:1d:
37:00:b3:18:27:3a:e0:f4:1f:c9:db:5d:6c:39:64:
c9:78:b6:23:2a:d8:81:06:62:76:8b:ff:f2:cf:01:
67:9f:41:4d:97:d7:1e:a7
coefficient:
00:b5:c8:95:eb:a0:61:84:b4:89:d0:fd:a1:9f:8e:
77:43:6f:d7:bc:75:d4:eb:c0:8a:86:5f:fc:b0:6f:
02:ca:b3:f1:3b:a5:a4:de:80:88:79:93:e1:57:49:
3c:1c:0a:14:d3:4a:f5:2f:e8:f8:bb:06:38:df:f5:
83:26:d4:79:96:31:27:e7:19:dd:4c:d9:9d:d1:65:
9f:69:5d:41:ae:e3:3b:aa:5d:08:fd:44:70:a4:4e:
83:ea:bb:05:ab:84:85:1e:72:a4:56:c0:75:1d:be:
9d:ed:8c:51:b7:e7:2d:92:31:83:5b:56:64:27:30:
d6:2a:57:fb:2d:ff:68:2a:a7
```

-*

This option means you can choose the symmetric cipher used to protect the key file yourself, provided the current OpenSSL version supports it.

For example, to encrypt the key file with AES-128-CTR:

```sh
openssl genpkey -algorithm RSA -AES-128-CTR -out RSA-2048-Encrypted-Private-Key.pem
```
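The cipher option and -pass belong together, and the script below (an added example, not part of the original post) shows how. Two things it makes visible: genpkey encrypts the key only when a cipher option is present, so -pass on its own still writes the key in plain text; and a `pass:...` argument is visible to other users of the machine in the process list, so the pass phrase is read from a file here (`file:`, `env:`, `fd:` and `stdin` are the other sources OpenSSL accepts). The cipher aes-256-cbc, the temporary file names and the sample pass phrase are my own choices.

```sh
#!/bin/sh
# Added example (not from the original post): encrypt the generated private
# key with a cipher option plus a pass phrase source, and check the result.
set -eu

# $1 = output key file, $2 = file whose first line is the pass phrase
gen_encrypted_rsa_key() {
    openssl genpkey -algorithm RSA -aes-256-cbc -pass "file:$2" -out "$1"
}

# Same pass phrase but no cipher option: genpkey writes the key unencrypted
gen_rsa_key_pass_only() {
    openssl genpkey -algorithm RSA -pass "file:$2" -out "$1"
}

# Print the PEM block type on the first line of a key file
pem_header() {
    head -n 1 "$1"
}

# Exit 0 if the key in $1 can be decrypted with the pass phrase in file $2
key_opens_with() {
    openssl pkey -in "$1" -passin "file:$2" -noout
}

if [ "${1:-}" = "run" ]; then
    dir=$(mktemp -d)
    printf 'example-pass-phrase\n' > "$dir/pw.txt"
    gen_encrypted_rsa_key "$dir/enc.pem" "$dir/pw.txt"
    gen_rsa_key_pass_only "$dir/plain.pem" "$dir/pw.txt"
    pem_header "$dir/enc.pem"      # -----BEGIN ENCRYPTED PRIVATE KEY-----
    pem_header "$dir/plain.pem"    # -----BEGIN PRIVATE KEY-----
    key_opens_with "$dir/enc.pem" "$dir/pw.txt" && echo "pass phrase accepted"
    rm -rf "$dir"
fi
```

Run it with `sh encrypt-demo.sh run`. The first line of the key file is the quickest check that a key you were handed is actually protected: "ENCRYPTED PRIVATE KEY" means PKCS#8 encryption was applied, "PRIVATE KEY" means it was not, whatever options were passed at generation time.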
