
Splitting a P12 certificate into its public key and private key with OpenSSL

Linux 立杰

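While setting up OpenVPN on the open-source pfSense firewall, I only had a P12-format certificate that bundles the public and private keys, but importing into pfSense requires the publicKey and PrivateKey to be imported separately. I therefore used openssl on Linux to export and split them, as follows:
1. First, make sure OpenSSL is installed on your system.

2. Two simple commands export the public key and the private key separately.

# Export the private key from the P12 certificate
openssl pkcs12 -in yourP12File.pfx -nocerts -out privateKey.pem
# Export the public key (the client certificate) from the P12 certificate
openssl pkcs12 -in yourP12File.pfx -clcerts -nokeys -out publicCert.pem

It really is that simple: two commands and the job is done.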
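Added example (not from the original post): a non-interactive form of the two commands above that writes the key with owner-only permissions and then checks that the extracted key and certificate still belong together before they are imported. The function names and the `P12_PASS` environment variable are assumptions of this example, and the sample P12 bundle is constructed by the `demo` function itself.

```shell
#!/bin/sh
# Added example, not code from the original post. Function names and the
# P12_PASS variable are assumptions made for this illustration.

# split_p12 FILE.p12 OUTDIR : writes OUTDIR/privateKey.pem and
# OUTDIR/publicCert.pem with the two commands from the post.
# The import password is read from $P12_PASS (env:) so it does not appear
# in the process list. -nodes leaves the key unencrypted, so new files are
# created under umask 077 (owner read/write only).
split_p12() (
    umask 077
    mkdir -p "$2" || exit 1
    rm -f "$2/privateKey.pem"   # an existing file would keep its old mode
    openssl pkcs12 -in "$1" -passin env:P12_PASS -nocerts -nodes \
        -out "$2/privateKey.pem" || exit 1
    openssl pkcs12 -in "$1" -passin env:P12_PASS -clcerts -nokeys \
        -out "$2/publicCert.pem" || exit 1
)

# key_matches_cert KEY.pem CERT.pem : succeeds only if the public key
# derived from the private key equals the one inside the certificate.
key_matches_cert() (
    from_key=$(openssl pkey -in "$1" -pubout 2>/dev/null) || exit 1
    from_cert=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || exit 1
    [ -n "$from_key" ] && [ "$from_key" = "$from_cert" ]
)

# demo : builds a throwaway (constructed) key, self-signed certificate and
# P12 bundle in a temp dir, splits it, and checks the pair still matches.
demo() (
    d=$(mktemp -d) || exit 1
    P12_PASS='constructed-sample-pass'; export P12_PASS
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=constructed.example" \
        -keyout "$d/k.pem" -out "$d/c.pem" 2>/dev/null &&
    openssl pkcs12 -export -inkey "$d/k.pem" -in "$d/c.pem" \
        -passout env:P12_PASS -out "$d/bundle.p12" &&
    split_p12 "$d/bundle.p12" "$d/out" &&
    key_matches_cert "$d/out/privateKey.pem" "$d/out/publicCert.pem"
    rc=$?
    rm -rf "$d"
    exit "$rc"
)

if [ "${1:-}" = "demo" ]; then demo && echo "key and certificate match"; fi
```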

The following is quoted content:
A .p12 file (successor to Microsoft’s .pfx, whose filename extension is sometimes used interchangeably in Microsoft nomenclature and elsewhere) contains a certificate and corresponding key. This is typically created on the system which generated the original CSR when applying the certificate to another system, particularly useful when applying wildcard certs to other systems.

Convert a .p12/.pfx file to PEM-formatted file containing both the key(s) and certificate(s) (note: including the “-nodes” flag here will prevent using a passphrase to encrypt the private key(s)):

openssl pkcs12 -in filename.pfx -out site.pem

Export only the private key(s) from a .p12/.pfx file to a .pem file:

openssl pkcs12 -nocerts -in filename.pfx -out sitekey.pem

# or, follow the convention of using the extension (.cer or .crt, .key, etc.) to hint at the file’s contents, at the expense of no longer showing whether the file format is PEM or binary DER:

openssl pkcs12 -nocerts -in filename.pfx -out site.key

Export only the client certificate(s) from a .p12/.pfx file to a .pem file (that is, omit any CA certs):

openssl pkcs12 -nokeys -clcerts -in filename.pfx -out siteclientcert.pem

Export only the CA certs from a .p12/.pfx file to a .pem file (that is, omit any client certs):

openssl pkcs12 -nokeys -cacerts -in filename.pfx -out sitecacert.pem

Strip the passphrase from a key (this reads the encrypted key, prompts for its passphrase, then outputs the key unencrypted):

openssl rsa -in somesystemkey.pem -out system.fqdn.like.this.key

Strip the passphrase from a certificate with embedded, encrypted key in two steps (N.B.: postpend the certificate to the file using the appropriate shell redirection “>>”!):

openssl rsa -in somesystemcert.pem -out system.fqdn.like.this.crt
openssl x509 -in somesystemcert.pem >> system.fqdn.like.this.crt

keytool (in Chinese): http://blog.csdn.net/caomiao2006/article/details/9287751
