# 前言
一篇 OpenSSL 密钥对生成工具个人使用经验,不定期更新。
# 获取帮助
openssl genpkey -h |
输出如下:
Usage: genpkey [options] | |
General options: | |
-help Display this summary | |
-engine val Use engine, possibly a hardware device | |
-paramfile infile Parameters file | |
-algorithm val The public key algorithm | |
-quiet Do not output status while generating keys | |
-pkeyopt val Set the public key algorithm option as opt:value | |
-config infile Load a configuration file (this may load modules) | |
Output options: | |
-out outfile Output file | |
-outform PEM|DER output format (DER or PEM) | |
-pass val Output file pass phrase source | |
-genparam Generate parameters, not key | |
-text Print the in text | |
-* Cipher to use to encrypt the key | |
Provider options: | |
-provider-path val Provider load path (must be before 'provider' argument if required) | |
-provider val Provider to load (can be specified multiple times) | |
-propquery val Property query used when fetching algorithms | |
Order of options may be important! See the documentation. |
# 简单的生成密钥对指令
# 私钥生成
为了生成一个密钥对,至少需要指定一个算法,指定输出文件的名称。
例如以下命令,它将会生成一个 Ed25519 私钥文件,文件名是 private-key-Ed25519.pem :
openssl genpkey -algorithm Ed25519 -out private-key-Ed25519.pem |
# 公钥提取
可以从私钥文件中提取公钥。
例如以下命令,它会尝试从 private-key-Ed25519.pem 私钥文件中提取对应的 Ed25519 公钥文件:
openssl pkey -in private-key-Ed25519.pem -pubout -out public-key-Ed25519.pem |
# 查看公钥与私钥内容
可以用 pkey 指令访问 OpenSSL 的私钥文件,可以输出私钥、公钥的算法与内容:
例如以下命令,它会尝试从 private-key-Ed25519.pem 文件中读取算法、私钥内容、公钥内容,并显示在屏幕上:
openssl pkey -in private-key-Ed25519.pem -text -noout |
一个示例输出如下:
ED25519 Private-Key: | |
priv: | |
ea:f7:04:a2:20:b6:e8:65:40:65:ad:44:df:b4:9f: | |
9f:9b:6c:b6:8d:92:66:a9:73:96:cb:ae:aa:bd:52: | |
28:69 | |
pub: | |
42:a3:68:18:8e:df:3e:0c:c0:49:29:ef:e3:27:c7: | |
31:75:b1:39:43:f4:26:2c:38:07:d4:d9:43:e1:a1: | |
70:45 |
# 总体选项
# -engine
指定引擎,通常没必要(实则我也不会)
# -paramfile
输入参数文件
# -algorithm
指定算法,目前支持的算法有 RSA , RSA-PSS , EC , X25519 , X448 , Ed25519 , Ed448 。(版本 3.1.3 )
举个例子,生成 RSA-2048 私钥(这里不用指定参数是因为 RSA 默认 2048 位):
openssl genpkey -algorithm RSA -out RSA-2048-Private-Key.pem |
# -quiet
生成密钥时不输出信息,例如熵池等等。
# -pkeyopt
修改算法的安全参数,这里很难一一列举,具体可以去看 OpenSSL 的文档:/docs/manmaster/man1/openssl-genpkey.html
安全参数是否可用需要根据选择的算法来判断。
例如,这一串命令可以生成一个 RSA-4096 私钥:
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:4096 -out RSA-4096-Private-Key.pem |
# -config
外部导入配置文件,例如:
openssl genpkey -algorithm RSA -out RSA-4096-Private-Key.pem -config my-config.cnf |
Config 文件,我个人还没弄清楚怎么写,这就不做误导性示范了。
# 输出选项
# -out
指定输出文件名,例如输出为 RSA-2048-Private-Key.pem :
openssl genpkey -algorithm RSA -out RSA-2048-Private-Key.pem |
# -outform
指定输出文件格式,支持两种格式 —— PEM 和 DER
PEM(Privacy Enhanced Mail):可读的文本格式,包括边界标记、数据类型,编码为 Base64。
DER(Distinguished Encoding Rules):不可读的二进制格式,格式紧凑,无边界标记。
通常而言,为了提高兼容性和可读性,PEM 是常见的选择,也是默认选项。
如果要以 DER 格式输出文件,一个例子如下:
openssl genpkey -algorithm RSA -outform DER -out RSA-2048-Private-Key.der |
# -pass
类似于对称加密的密钥,可以通过各种方式指定输出密钥文件的密码短语(Pass Phrase),例如:
openssl genpkey -algorithm X25519 -out X25519-Private-Key.pem -pass pass:your_password |
# -genparam
只生成参数而不生成密钥,此时 genpkey 指令可以兼容更多的算法,其中额外的有 DH , DSA :
例如,生成 DSA 参数:
openssl genpkey -algorithm DSA -genparam |
一个示例输出如下:
..+.....+..+.......+.+......+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++* | |
...........................+.....+.+....+...................+.............+........+.......+........................+.+...........+.+.....+......+..............+.....................+...........+....+...+.+........+.....+...+..+..........+..+.+.....+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++* | |
-----BEGIN DSA PARAMETERS----- | |
MIICKAKCAQEAruL2N9/nisKseg6CFjB/mXNC0FFRTcnecvbF+9eD6UepnH7mv0K1 | |
+RFL8ECrHGxlYgAkLA9MN+ZiQQ7BSE6qQt0CEGMkgIW6GFUPt6opupB5Ql+qmEBo | |
uivQr44/VJKjC0vzli85I+UD2f24xrroqssAf4n9B4t22Bg6dxV2AGAfDLdzsNwQ | |
GITaruJmEj6Xkgyx3rx3KTvQfLtiHdMUJ9rBs5JonomNrEuX5kjf55chFub9IYDF | |
Vpjsp57hvEJmDU6kQKihkax69V+NmF4T8cs3kAukYfLn/VubbF+FOEZuzQQsAO5n | |
tGCedKsKmXCtxCgCqZu+FLIxil+A0w36OQIdAI4/RI2+Im2ZhBKGdtJ2Y8a9ndsU | |
w5bAokSt+tECggEAEct/e8totsdL3RkD+qMq31Gk58yZoda876Uej6YJYYgt7RwB | |
CCzOEYP/Hf/ditPSpJ4kFc8/qFp0nHAq4pctZKtywVE3T2XVwdzgBF0uLwIb505G | |
o92Gcb/eEir8mBxSOvVT6X1hmZsnwHehWyasYYcNrjdorH9UvQ9VwAE5nnkK/HLH | |
KxQ9P7MAdc6dGYxjFjW36ljlRCUvvNeeVPc+J5a0/JJxfm19YLatWaCnpfp1nHes | |
YsQ3QdB6LKWd7OFwP6lw+OEKWRc3XhczfUBzOBPqj/QBUfHCQX6PgUJyLgiZTD/N | |
YGOQzq0L9umxt/lrDQbrIKIuDLyWxe8gVyQ41g== | |
-----END DSA PARAMETERS----- |
# -text
把整个算法的过程结果直接全部输出到 stdout,也就是打印到屏幕上,其中包括各种中间参数和密钥例如:
openssl genpkey -algorithm RSA -text |
一个示例输出如下:
..+...+..........+..+.........+....+...+++++++++++++++++++++++++++++++++++++++*.+.+............+...+......+.....+++++++++++++++++++++++++++++++++++++++*....+...........+...+.........+.......+...........+.........+...+.+..+...............+...+....+.....+.+.....+....+...........+......+.+.....+...+............+.........+....+..+...+......+....+..+....+.....+...+...+.......+......+......+...+......+...........+....+.........+..+......+.........+.............+..+.+...+......+.....+...+......+.+......+..+...+...+.......+..+.+......+......+........+.+......+............+......+.........+......+..............+...+.......+......+..........................++++++ | |
..........+++++++++++++++++++++++++++++++++++++++*...+.............................+...+...+....+......+.....+.............+.....+..........+..+...+.+...+...+.....+.......+++++++++++++++++++++++++++++++++++++++*...............+....+........................+.....+.+.....+.......+..+.............+.....+....+......+........+.......+...............+.....+.........+...+.+..++++++ | |
-----BEGIN PRIVATE KEY----- | |
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCo7n8puayHyAh0 | |
lU6/QfL9XrnyXcMKs4onmdPntVP2UO17jHvYXStNKhLKJkZKEta0yEKihdZdOzmN | |
AJd2Er5uVWOixQAwphFurajknfEerfe6dOKiTXObWNjgwcHw/xUOT7FKNop8h5DG | |
X56OwHzWQMma9fWarqxEYR36b8pIno/D7+rKZxrZaJObWoexu/KQT0JCusW1qgTM | |
i3XFXw4/Lzv/joP/knoxmAIzGb5+YNRAL9TIZioA3AwgiRJrgQNdB9HQTijZplbJ | |
705eEwVoUSM1AddlS+wV2uhVSSThM/i87MQtSbsvfkUZauYLioJSfxaGWW4Y3Ybe | |
7ej4ELufAgMBAAECggEAG44bi/DPZa6JQosAN05Ilm+XISOOJva2OFNtL0Ryl6EH | |
u7lkkhxQbdvJCNRJbte30fFAfUYbe0Wn04ofKpFQIqsm/2vm5giQm18UR4ZDyF9U | |
I0Phm9vKWbKaXb79JZRWGOmC37oZyMpMIS+Dq4FWW5RhzjcEguCvFNBKlYkak9GV | |
eKYWdNLA0au4AXRqVmaI7YmGxakHSpVHPIGULk33dlll3/iLNQS3YH9vqvoe3GK8 | |
87ekSAAWTsOZUiJ0MAWMhfkfEDjG3zFq632rg2S+m4e2J1pGVcXPTuHjTSdacWCM | |
DNekPsKEBByMi00aZtcogxO6zHm121EoHPulcK26oQKBgQDYRq9JQFOCk6ZpeCeb | |
U6slj+QcAnc95XaXtdg1Kh17IISTLJD1p3tSnbziBWmmugpL9P8tJC63ZcdadYqn | |
cMzYctNSgMuOgNWKBtXPH4qxWJ8JL8I4Ft8NOiajfVonSjGz+emNzWnNUdDYx5PP | |
w2WkD82mbAOOUu81Uj4h5WWi+QKBgQDH9avwENMi60WARd1vb+jfS78yuSf3zTe9 | |
s5XgSr2hAHjX0xODAOAEiX253Ube83n9oEkhHMKTcQfzrIgoJ3G5UZ6Pd43tiqrp | |
ejygyxlOpH+grSiwHc7i3WZWx31kjBCmoFgCQUBfH4UUYzwOqvZgoC3G4lVvYug/ | |
33SRqXZhVwKBgHI8I6nVSEbYJjXfOUxZzTRx5FLHGqSe5x0K98BdFmVKr7vs9kRK | |
ymDA4Fuh8EQYUAf+yCnXyrUkFUA6hZobgpdxTx1s2hfTBPd61MQqLN+vp5D6oONv | |
cTFTXcVNGKlYDxi5EBvOO+wvItjd0b0TwEP/9OfKdbZfJ+pKHndY625BAoGAIlif | |
fO/W5GOXH45gl7iYPmqrX9IP/G+CiJIlR05vPg1vtFqsOk9XK1BWiStp9ffKV3dF | |
uGtRPLQokoFrLcKAtT1AyBHYDhpIeywk59Wa9jgpN/cmSwIDvFIdNwCzGCc64PQf | |
ydtdbDlkyXi2IyrYgQZidov/8s8BZ59BTZfXHqcCgYEAtciV66BhhLSJ0P2hn453 | |
Q2/XvHXU68CKhl/8sG8CyrPxO6Wk3oCIeZPhV0k8HAoU00r1L+j4uwY43/WDJtR5 | |
ljEn5xndTNmd0WWfaV1BruM7ql0I/URwpE6D6rsFq4SFHnKkVsB1Hb6d7YxRt+ct | |
kjGDW1ZkJzDWKlf7Lf9oKqc= | |
-----END PRIVATE KEY----- | |
Private-Key: (2048 bit, 2 primes) | |
modulus: | |
00:a8:ee:7f:29:b9:ac:87:c8:08:74:95:4e:bf:41: | |
f2:fd:5e:b9:f2:5d:c3:0a:b3:8a:27:99:d3:e7:b5: | |
53:f6:50:ed:7b:8c:7b:d8:5d:2b:4d:2a:12:ca:26: | |
46:4a:12:d6:b4:c8:42:a2:85:d6:5d:3b:39:8d:00: | |
97:76:12:be:6e:55:63:a2:c5:00:30:a6:11:6e:ad: | |
a8:e4:9d:f1:1e:ad:f7:ba:74:e2:a2:4d:73:9b:58: | |
d8:e0:c1:c1:f0:ff:15:0e:4f:b1:4a:36:8a:7c:87: | |
90:c6:5f:9e:8e:c0:7c:d6:40:c9:9a:f5:f5:9a:ae: | |
ac:44:61:1d:fa:6f:ca:48:9e:8f:c3:ef:ea:ca:67: | |
1a:d9:68:93:9b:5a:87:b1:bb:f2:90:4f:42:42:ba: | |
c5:b5:aa:04:cc:8b:75:c5:5f:0e:3f:2f:3b:ff:8e: | |
83:ff:92:7a:31:98:02:33:19:be:7e:60:d4:40:2f: | |
d4:c8:66:2a:00:dc:0c:20:89:12:6b:81:03:5d:07: | |
d1:d0:4e:28:d9:a6:56:c9:ef:4e:5e:13:05:68:51: | |
23:35:01:d7:65:4b:ec:15:da:e8:55:49:24:e1:33: | |
f8:bc:ec:c4:2d:49:bb:2f:7e:45:19:6a:e6:0b:8a: | |
82:52:7f:16:86:59:6e:18:dd:86:de:ed:e8:f8:10: | |
bb:9f | |
publicExponent: 65537 (0x10001) | |
privateExponent: | |
1b:8e:1b:8b:f0:cf:65:ae:89:42:8b:00:37:4e:48: | |
96:6f:97:21:23:8e:26:f6:b6:38:53:6d:2f:44:72: | |
97:a1:07:bb:b9:64:92:1c:50:6d:db:c9:08:d4:49: | |
6e:d7:b7:d1:f1:40:7d:46:1b:7b:45:a7:d3:8a:1f: | |
2a:91:50:22:ab:26:ff:6b:e6:e6:08:90:9b:5f:14: | |
47:86:43:c8:5f:54:23:43:e1:9b:db:ca:59:b2:9a: | |
5d:be:fd:25:94:56:18:e9:82:df:ba:19:c8:ca:4c: | |
21:2f:83:ab:81:56:5b:94:61:ce:37:04:82:e0:af: | |
14:d0:4a:95:89:1a:93:d1:95:78:a6:16:74:d2:c0: | |
d1:ab:b8:01:74:6a:56:66:88:ed:89:86:c5:a9:07: | |
4a:95:47:3c:81:94:2e:4d:f7:76:59:65:df:f8:8b: | |
35:04:b7:60:7f:6f:aa:fa:1e:dc:62:bc:f3:b7:a4: | |
48:00:16:4e:c3:99:52:22:74:30:05:8c:85:f9:1f: | |
10:38:c6:df:31:6a:eb:7d:ab:83:64:be:9b:87:b6: | |
27:5a:46:55:c5:cf:4e:e1:e3:4d:27:5a:71:60:8c: | |
0c:d7:a4:3e:c2:84:04:1c:8c:8b:4d:1a:66:d7:28: | |
83:13:ba:cc:79:b5:db:51:28:1c:fb:a5:70:ad:ba: | |
a1 | |
prime1: | |
00:d8:46:af:49:40:53:82:93:a6:69:78:27:9b:53: | |
ab:25:8f:e4:1c:02:77:3d:e5:76:97:b5:d8:35:2a: | |
1d:7b:20:84:93:2c:90:f5:a7:7b:52:9d:bc:e2:05: | |
69:a6:ba:0a:4b:f4:ff:2d:24:2e:b7:65:c7:5a:75: | |
8a:a7:70:cc:d8:72:d3:52:80:cb:8e:80:d5:8a:06: | |
d5:cf:1f:8a:b1:58:9f:09:2f:c2:38:16:df:0d:3a: | |
26:a3:7d:5a:27:4a:31:b3:f9:e9:8d:cd:69:cd:51: | |
d0:d8:c7:93:cf:c3:65:a4:0f:cd:a6:6c:03:8e:52: | |
ef:35:52:3e:21:e5:65:a2:f9 | |
prime2: | |
00:c7:f5:ab:f0:10:d3:22:eb:45:80:45:dd:6f:6f: | |
e8:df:4b:bf:32:b9:27:f7:cd:37:bd:b3:95:e0:4a: | |
bd:a1:00:78:d7:d3:13:83:00:e0:04:89:7d:b9:dd: | |
46:de:f3:79:fd:a0:49:21:1c:c2:93:71:07:f3:ac: | |
88:28:27:71:b9:51:9e:8f:77:8d:ed:8a:aa:e9:7a: | |
3c:a0:cb:19:4e:a4:7f:a0:ad:28:b0:1d:ce:e2:dd: | |
66:56:c7:7d:64:8c:10:a6:a0:58:02:41:40:5f:1f: | |
85:14:63:3c:0e:aa:f6:60:a0:2d:c6:e2:55:6f:62: | |
e8:3f:df:74:91:a9:76:61:57 | |
exponent1: | |
72:3c:23:a9:d5:48:46:d8:26:35:df:39:4c:59:cd: | |
34:71:e4:52:c7:1a:a4:9e:e7:1d:0a:f7:c0:5d:16: | |
65:4a:af:bb:ec:f6:44:4a:ca:60:c0:e0:5b:a1:f0: | |
44:18:50:07:fe:c8:29:d7:ca:b5:24:15:40:3a:85: | |
9a:1b:82:97:71:4f:1d:6c:da:17:d3:04:f7:7a:d4: | |
c4:2a:2c:df:af:a7:90:fa:a0:e3:6f:71:31:53:5d: | |
c5:4d:18:a9:58:0f:18:b9:10:1b:ce:3b:ec:2f:22: | |
d8:dd:d1:bd:13:c0:43:ff:f4:e7:ca:75:b6:5f:27: | |
ea:4a:1e:77:58:eb:6e:41 | |
exponent2: | |
22:58:9f:7c:ef:d6:e4:63:97:1f:8e:60:97:b8:98: | |
3e:6a:ab:5f:d2:0f:fc:6f:82:88:92:25:47:4e:6f: | |
3e:0d:6f:b4:5a:ac:3a:4f:57:2b:50:56:89:2b:69: | |
f5:f7:ca:57:77:45:b8:6b:51:3c:b4:28:92:81:6b: | |
2d:c2:80:b5:3d:40:c8:11:d8:0e:1a:48:7b:2c:24: | |
e7:d5:9a:f6:38:29:37:f7:26:4b:02:03:bc:52:1d: | |
37:00:b3:18:27:3a:e0:f4:1f:c9:db:5d:6c:39:64: | |
c9:78:b6:23:2a:d8:81:06:62:76:8b:ff:f2:cf:01: | |
67:9f:41:4d:97:d7:1e:a7 | |
coefficient: | |
00:b5:c8:95:eb:a0:61:84:b4:89:d0:fd:a1:9f:8e: | |
77:43:6f:d7:bc:75:d4:eb:c0:8a:86:5f:fc:b0:6f: | |
02:ca:b3:f1:3b:a5:a4:de:80:88:79:93:e1:57:49: | |
3c:1c:0a:14:d3:4a:f5:2f:e8:f8:bb:06:38:df:f5: | |
83:26:d4:79:96:31:27:e7:19:dd:4c:d9:9d:d1:65: | |
9f:69:5d:41:ae:e3:3b:aa:5d:08:fd:44:70:a4:4e: | |
83:ea:bb:05:ab:84:85:1e:72:a4:56:c0:75:1d:be: | |
9d:ed:8c:51:b7:e7:2d:92:31:83:5b:56:64:27:30: | |
d6:2a:57:fb:2d:ff:68:2a:a7 |
# -*
这个指令的意思是可以自己指定用于保护密钥文件的对称加密算法,当然前提是当前版本的 OpenSSL 支持。
例如,使用 AES-128-CTR 对这个密钥文件进行加密:
openssl genpkey -algorithm RSA -AES-128-CTR -out RSA-2048-Encrypted-Private-Key.pem |
