
Splitting a P12 Certificate into Its Public Key and Private Key with OpenSSL

January 17, 2015

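While using OpenVPN on the open-source pfSense firewall, I only had a P12-format certificate that contains both the public and private keys, whereas importing into pfSense requires the public key and the private key to be imported separately. I therefore used openssl on Linux to export and split it, as follows: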

1. First, make sure OpenSSL is installed on your system.

2. Two simple commands export the public key and the private key separately.

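# Export the private key from the p12 certificate
openssl pkcs12 -in yourP12File.pfx -nocerts -out privateKey.pem
# Export the public key (the client certificate) from the p12 certificate
openssl pkcs12 -in yourP12File.pfx -clcerts -nokeys -out publicCert.pem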

It is that simple: two commands and the job is done.
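Before importing the two files into pfSense, it is worth confirming that the exported key and certificate belong together. The script below is an added example, not part of the original post: it runs the two export commands above, takes the passwords from the environment variables P12_PASS and KEY_PASS (names assumed here), and compares the public key derived from each file; make_sample_p12 only builds a constructed throwaway bundle for testing.

```shell
#!/usr/bin/env bash
# Added example. Function names, file names and the P12_PASS / KEY_PASS
# variables are assumptions made for this illustration.

# Constructed sample input: throwaway self-signed key + cert bundled as PKCS#12.
make_sample_p12() (
    tmp=$(mktemp -d) || exit 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=constructed.example" \
        -keyout "$tmp/k.pem" -out "$tmp/c.pem" 2>/dev/null || exit 1
    openssl pkcs12 -export -inkey "$tmp/k.pem" -in "$tmp/c.pem" \
        -out "$1" -passout env:P12_PASS || exit 1
    rm -rf "$tmp"
)

# key_matches_cert <key.pem> <cert.pem>
# Succeeds only if the private key and the certificate hold the same public key.
key_matches_cert() {
    a=$(openssl pkey -in "$1" -passin env:KEY_PASS -pubout 2>/dev/null) || return 1
    b=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# split_p12 <bundle.p12> <out-dir>
# Runs the two export commands, then prints "match" or "mismatch".
split_p12() (
    umask 077                          # key file is created with mode 0600
    mkdir -p "$2" || exit 1
    key="$2/privateKey.pem"; cert="$2/publicCert.pem"
    # Passwords are read from the environment rather than argv, so they do
    # not appear in the process list or in shell history.
    openssl pkcs12 -in "$1" -nocerts -passin env:P12_PASS \
        -passout env:KEY_PASS -out "$key" 2>/dev/null || exit 1
    openssl pkcs12 -in "$1" -clcerts -nokeys -passin env:P12_PASS \
        -out "$cert" 2>/dev/null || exit 1
    if key_matches_cert "$key" "$cert"; then echo match; else echo mismatch; exit 1; fi
)

if [ "${1:-}" = "demo" ]; then         # e.g. bash split_p12_check.sh demo
    export P12_PASS=constructed-p12-pass KEY_PASS=constructed-key-pass
    d=$(mktemp -d) && make_sample_p12 "$d/bundle.p12" && split_p12 "$d/bundle.p12" "$d/out"
fi
```

The exported private key stays passphrase-protected with KEY_PASS; strip the passphrase only at the point where the target system requires an unencrypted key.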

The following is quoted content:

A .p12 file (successor to Microsoft’s .pfx, whose filename extension is sometimes used interchangeably in Microsoft nomenclature and elsewhere) contains a certificate and corresponding key. This is typically created on the system which generated the original CSR when applying the certificate to another system, particularly useful when applying wildcard certs to other systems.

Convert a .p12/.pfx file to PEM-formatted file containing both the key(s) and certificate(s) (note: including the “-nodes” flag here will prevent using a passphrase to encrypt the private key(s)):

openssl pkcs12 -in filename.pfx -out site.pem

Export only the private key(s) from a .p12/.pfx file to a .pem file:

openssl pkcs12 -nocerts -in filename.pfx -out sitekey.pem

# or, follow the convention of using the extension (.cer or .crt, .key, etc.) to hint at the file’s contents, at the expense of no longer showing whether the file format is PEM or binary DER:

openssl pkcs12 -nocerts -in filename.pfx -out site.key

Export only the client certificate(s) from a .p12/.pfx file to a .pem file (that is, omit any CA certs):

openssl pkcs12 -nokeys -clcerts -in filename.pfx -out siteclientcert.pem

Export only the CA certs from a .p12/.pfx file to a .pem file (that is, omit any client certs):

openssl pkcs12 -nokeys -cacerts -in filename.pfx -out sitecacert.pem

Strip the passphrase from a key (this reads the encrypted key, prompts for its passphrase, then outputs the key unencrypted):

openssl rsa -in somesystemkey.pem -out system.fqdn.like.this.key

Strip the passphrase from a certificate with embedded, encrypted key in two steps (N.B.: postpend the certificate to the file using the appropriate shell redirection ">>"!):

openssl rsa -in somesystemcert.pem -out system.fqdn.like.this.crt
openssl x509 -in somesystemcert.pem >> system.fqdn.like.this.crt

keytool (in Chinese): http://blog.csdn.net/caomiao2006/article/details/9287751

When reposting, please credit: 自动化运维 » Splitting a P12 Certificate into Its Public Key and Private Key with OpenSSL