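While using OpenVPN on the open-source pfSense firewall, I only had a P12-format certificate containing both the public and private keys, whereas importing into pfSense requires the public key and the private key to be imported separately. I therefore used openssl on Linux to export and split the bundle, as follows:
1. First, make sure OpenSSL is installed on your system.
2. Two simple commands export the public key and the private key respectively:
# Export the private key from the p12 certificate
openssl pkcs12 -in yourP12File.pfx -nocerts -out privateKey.pem
# Export the public key (certificate) from the p12 certificate
openssl pkcs12 -in yourP12File.pfx -clcerts -nokeys -out publicCert.pem
That's all there is to it: two simple commands and the job is done.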
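An added example (not part of the original post) that wraps the two commands above in a script and checks that the extracted key and certificate really form a pair before they are imported. The function names, the P12_PASS variable and the self-signed demo.p12 are assumptions constructed for the demonstration.

```shell
#!/bin/sh
# Added example: split a PKCS#12 bundle and verify the pieces belong together.
# The passphrase is read from the P12_PASS environment variable (env: source)
# so it does not appear on the command line or in the process list.

# split_p12 BUNDLE OUTDIR -> writes OUTDIR/privateKey.pem and OUTDIR/publicCert.pem
split_p12() {
    (
        umask 077   # output files are created readable by the owner only
        # -nodes writes the key unencrypted; drop it to be prompted for a PEM passphrase
        openssl pkcs12 -in "$1" -nocerts -nodes -passin env:P12_PASS \
            -out "$2/privateKey.pem" &&
        openssl pkcs12 -in "$1" -clcerts -nokeys -passin env:P12_PASS \
            -out "$2/publicCert.pem"
    )
}

# key_matches_cert KEY CERT -> exit 0 only if both carry the same public key
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

# make_demo_p12 DIR -> builds a constructed, self-signed bundle DIR/demo.p12
make_demo_p12() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=constructed.example" \
        -keyout "$1/src.key" -out "$1/src.crt" 2>/dev/null &&
    openssl pkcs12 -export -inkey "$1/src.key" -in "$1/src.crt" \
        -passout env:P12_PASS -out "$1/demo.p12"
}

# Demo run on constructed data in a throwaway directory.
P12_PASS="constructed-demo-passphrase"; export P12_PASS
demo_dir=$(mktemp -d)
make_demo_p12 "$demo_dir" && split_p12 "$demo_dir/demo.p12" "$demo_dir" &&
    key_matches_cert "$demo_dir/privateKey.pem" "$demo_dir/publicCert.pem" &&
    echo "key and certificate match"
rm -rf "$demo_dir"
```

For a real bundle, export P12_PASS (or switch to a `-passin file:` source), call split_p12 on the file, and delete the unencrypted privateKey.pem once it has been imported.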
The following is quoted content:
A .p12 file (successor to Microsoft’s .pfx, whose filename extension is sometimes used interchangeably in Microsoft nomenclature and elsewhere) contains a certificate and corresponding key. This is typically created on the system which generated the original CSR when applying the certificate to another system, particularly useful when applying wildcard certs to other systems.
Convert a .p12/.pfx file to PEM-formatted file containing both the key(s) and certificate(s) (note: including the “-nodes” flag here will prevent using a passphrase to encrypt the private key(s)):
openssl pkcs12 -in filename.pfx -out site.pem
Export only the private key(s) from a .p12/.pfx file to a .pem file:
openssl pkcs12 -nocerts -in filename.pfx -out sitekey.pem
# or, follow the convention of using the extension (.cer or .crt, .key, etc.) to hint at the file’s contents, at the expense of no longer showing whether the file format is PEM or binary DER:
openssl pkcs12 -nocerts -in filename.pfx -out site.key
Export only the client certificate(s) from a .p12/.pfx file to a .pem file (that is, omit any CA certs):
openssl pkcs12 -nokeys -clcerts -in filename.pfx -out siteclientcert.pem
Export only the CA certs from a .p12/.pfx file to a .pem file (that is, omit any client certs):
openssl pkcs12 -nokeys -cacerts -in filename.pfx -out sitecacert.pem
Strip the passphrase from a key (this reads the encrypted key, prompts for its passphrase, then outputs the key unencrypted):
openssl rsa -in somesystemkey.pem -out system.fqdn.like.this.key
Strip the passphrase from a certificate with embedded, encrypted key in two steps (N.B.: postpend the certificate to the file using the appropriate shell redirection “>>”!):
openssl rsa -in somesystemcert.pem -out system.fqdn.like.this.crt
openssl x509 -in somesystemcert.pem >> system.fqdn.like.this.crt
keytool (in Chinese): http://blog.csdn.net/caomiao2006/article/details/9287751
