gmssl常用命令 - 需要持续更新

1. 生成私钥
OpenSSL (RSA)
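# Generate an unencrypted 2048-bit RSA private key.
# Anyone who can read the file can use the key, so the subshell's umask 077
# keeps the new file owner-only; use the unencrypted form for testing only.
(umask 077 && openssl genrsa -out private_key.key 2048)
# Generate an AES-256-encrypted RSA private key.
# No -passout is given, so openssl prompts for the passphrase: a pass:...
# argument would be stored in shell history and visible in the process list.
# For unattended use prefer -passout file:<path> or -passout env:<VAR>.
(umask 077 && openssl genrsa -aes256 -out private_key.key 2048)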

GMSSL (SM2)
# Generate an SM2 private key through the generic EC parameter tool
# NOTE(review): every gmssl command on this page uses the OpenSSL-style CLI;
# other GmSSL releases may expose different subcommands - confirm against the installed version.
gmssl ecparam -genkey -name sm2p256v1 -out private_key.key
# Or use the gmssl-specific sm2 command
gmssl sm2 -genkey -out private_key.key
# Generate an SM2 private key with a passphrase
# NOTE(review): no cipher option is given here. In OpenSSL-derived key tools
# -passout usually has no effect without a cipher, so confirm that the output
# is really marked ENCRYPTED in its PEM header before relying on it.
# pass:password on the command line ends up in shell history and the process
# list; treat it as a placeholder and supply the passphrase another way in real use.
gmssl sm2 -genkey -out private_key.key -passout pass:password



2. 生成证书请求 (CSR)
OpenSSL
# Non-interactive CSR: the subject is supplied on the command line.
# If private_key.key is encrypted, openssl prompts for its passphrase.
openssl req -new \
    -subj "/C=CN/ST=Beijing/L=Beijing/O=Company/CN=example.com" \
    -key private_key.key \
    -out cert.csr
# Interactive CSR: openssl prompts for each subject field.
openssl req -new -out cert.csr -key private_key.key

GMSSL
# SM2 CSR with the subject supplied on the command line.
gmssl req -new \
    -subj "/C=CN/ST=Beijing/L=Beijing/O=Company/CN=example.com" \
    -key private_key.key \
    -out cert.csr
# SM2 CSR, interactive: gmssl prompts for each subject field.
gmssl req -new -out cert.csr -key private_key.key
# SM2 CSR with the signature algorithm stated explicitly: SM3 digest plus the
# signer ID (distid). The verifier must use the same ID, so keep this value
# consistent with the one used when the certificate is issued.
gmssl req -new \
    -sm3 -sigopt "distid:1234567812345678" \
    -key private_key.key \
    -out cert.csr



3. 生成自签名证书
OpenSSL
# Self-sign the CSR with its own key, valid for 365 days (PEM output).
# A self-signed certificate carries no third-party trust: relying parties must
# be given it explicitly. x509 -req does not copy CSR extensions by default,
# so a subjectAltName requested in the CSR will not appear unless it is added here.
openssl x509 -req \
    -in cert.csr \
    -signkey private_key.key \
    -days 365 \
    -out cert.crt
# Same certificate, written in DER encoding.
openssl x509 -req \
    -in cert.csr \
    -signkey private_key.key \
    -days 365 \
    -outform DER \
    -out cert.der

GMSSL
# Self-sign the CSR with SM2/SM3, valid for 365 days (PEM output).
gmssl x509 -req \
    -in cert.csr \
    -signkey private_key.key \
    -days 365 \
    -sm3 -sigopt "distid:1234567812345678" \
    -out cert.crt
# Same, written in DER encoding.
# NOTE(review): unlike the PEM command above, this one passes no -sigopt distid;
# confirm that the default signer ID is what the verifier expects.
gmssl x509 -req \
    -in cert.csr \
    -signkey private_key.key \
    -days 365 \
    -sm3 \
    -outform DER \
    -out cert.der


4. 查看证书信息
OpenSSL
# Dump a PEM certificate as text (-noout suppresses the encoded copy).
openssl x509 -noout -text -in cert.crt
# Dump a DER certificate as text.
openssl x509 -noout -text -inform DER -in cert.der
# Print only the subject name.
openssl x509 -noout -subject -in cert.crt

GMSSL
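# Dump an SM2 certificate as text (same syntax as openssl).
gmssl x509 -in cert.crt -text -noout
# Show the contents (hex public key) of a public-key file extracted from a certificate.
# GMSSL_PATH is quoted so a path containing spaces still works, and :? aborts
# with a message when it is unset instead of running a bare "ec" from PATH.
"${GMSSL_PATH:?set GMSSL_PATH to the gmssl binary}" ec -pubin -in ../cert_path/pub_key.pem -text -noout
# Dump a DER certificate as text.
gmssl x509 -in cert.der -inform DER -text -noout
# Print only the subject name.
gmssl x509 -in cert.crt -subject -noout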


5. 查看私钥信息
OpenSSL
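# Dump an RSA private key as text.
# -text prints the private components (d, p, q, ...) to the terminal: avoid it
# on shared screens and keep the output out of logs and tickets.
# If the key is encrypted and no -passin is given, openssl prompts for the passphrase.
openssl rsa -in private_key.key -text -noout
# Dump an encrypted private key without a prompt.
# The passphrase is read from a file instead of pass:..., which would expose it
# in shell history and the process list. key_pass.txt is a placeholder for a
# file readable only by its owner.
openssl rsa -in private_key.key -text -noout -passin file:key_pass.txt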


GMSSL
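# Dump an SM2 private key as text through the generic EC tool.
# -text prints the private scalar to the terminal: keep the output out of logs.
gmssl ec -in private_key.key -text -noout
# Or with the gmssl-specific sm2 command.
gmssl sm2 -in private_key.key -text -noout
# Dump an encrypted private key without a prompt.
# The passphrase is read from a file instead of pass:..., which would expose it
# in shell history and the process list. key_pass.txt is a placeholder for a
# file readable only by its owner.
gmssl sm2 -in private_key.key -text -noout -passin file:key_pass.txt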


6. PKCS#12 格式转换
OpenSSL
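# Bundle the certificate and private key into a PKCS#12 file.
# No -passout is given, so openssl prompts for the export password and it never
# appears in shell history or the process list.
openssl pkcs12 -export -out cert.p12 -inkey private_key.key -in cert.crt
# Extract the certificate and private key from a PKCS#12 file.
# -nodes writes the private key UNENCRYPTED into cert_and_key.pem, so the
# subshell's umask 077 keeps that file owner-only; drop -nodes to be prompted
# for a passphrase that protects the extracted key. The import password is prompted for.
(umask 077 && openssl pkcs12 -in cert.p12 -nodes -out cert_and_key.pem)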


GMSSL
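# Bundle the SM2 certificate and private key into a PKCS#12 file.
# No -passout is given, so the export password is prompted for and never
# appears in shell history or the process list.
gmssl pkcs12 -export -out cert.p12 -inkey private_key.key -in cert.crt
# Extract from a PKCS#12 file (same syntax as openssl).
# -nodes writes the private key UNENCRYPTED into cert_and_key.pem, so the
# subshell's umask 077 keeps that file owner-only; drop -nodes to protect the
# extracted key with a passphrase. The import password is prompted for.
(umask 077 && gmssl pkcs12 -in cert.p12 -nodes -out cert_and_key.pem)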


7. 证书格式转换
OpenSSL
# PEM -> DER (re-encoding only; the certificate contents are unchanged).
openssl x509 -outform DER -in cert.crt -out cert.der
# DER -> PEM
openssl x509 -inform DER -outform PEM -in cert.der -out cert.crt

GMSSL
# PEM -> DER (same syntax as openssl; re-encoding only).
gmssl x509 -outform DER -in cert.crt -out cert.der
# DER -> PEM
gmssl x509 -inform DER -outform PEM -in cert.der -out cert.crt


8. 验证证书
OpenSSL
# Verify cert.crt against the trust anchors in ca.crt.
# ca.crt should hold only CAs you actually trust. This checks the signature
# chain and validity period; revocation and host name are not checked unless
# requested (e.g. -crl_check, -verify_hostname). Check the exit status in scripts.
openssl verify \
    -CAfile ca.crt \
    cert.crt
# Verify a chain: intermediates passed with -untrusted are used only to build
# the path and are not trusted themselves.
openssl verify \
    -untrusted intermediate.crt \
    -CAfile ca.crt \
    cert.crt

GMSSL
# Verify an SM2 certificate against the trust anchors in ca.crt (same syntax as openssl).
# ca.crt should hold only CAs you actually trust; check the exit status in scripts.
gmssl verify \
    -CAfile ca.crt \
    cert.crt
# Verify a chain: intermediates passed with -untrusted are used only to build
# the path and are not trusted themselves.
gmssl verify \
    -untrusted intermediate.crt \
    -CAfile ca.crt \
    cert.crt


9. 加密/解密
OpenSSL
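# RSA encryption with the public key.
# pkeyutl replaces rsautl, which is deprecated in OpenSSL 3.0 and defaults to
# PKCS#1 v1.5 padding; OAEP is requested explicitly here. RSA can only encrypt
# inputs smaller than the key size minus padding, so use it for short secrets
# (for example a symmetric key), not for whole files.
openssl pkeyutl -encrypt -pubin -inkey public_key.pem \
    -pkeyopt rsa_padding_mode:oaep \
    -in plaintext.txt -out encrypted.bin
# RSA decryption with the private key; the padding mode must match the one used to encrypt.
openssl pkeyutl -decrypt -inkey private_key.key \
    -pkeyopt rsa_padding_mode:oaep \
    -in encrypted.bin -out decrypted.txt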


GMSSL
# SM2 encryption with the recipient's public key.
gmssl sm2utl -encrypt \
    -pubin -inkey public_key.pem \
    -in plaintext.txt \
    -out encrypted.bin
# SM2 decryption with the private key.
gmssl sm2utl -decrypt \
    -inkey private_key.key \
    -in encrypted.bin \
    -out decrypted.txt


10. 签名/验签
OpenSSL
# Sign data.txt: SHA-256 digest signed with the RSA private key.
openssl dgst -sha256 \
    -out signature.bin \
    -sign private_key.key \
    data.txt
# Verify the signature with the matching public key.
# In scripts, rely on the exit status rather than parsing the printed message.
openssl dgst -sha256 \
    -signature signature.bin \
    -verify public_key.pem \
    data.txt

GMSSL
# Sign data.txt: SM3 digest signed with the SM2 private key.
# NOTE(review): no distid is passed here, unlike the req/x509 commands on this
# page; confirm that signer and verifier agree on the signer ID.
gmssl dgst -sm3 \
    -out signature.bin \
    -sign private_key.key \
    data.txt
# Verify the SM2 signature with the matching public key.
# In scripts, rely on the exit status rather than parsing the printed message.
gmssl dgst -sm3 \
    -signature signature.bin \
    -verify public_key.pem \
    data.txt
# Alternative: sign and verify with sm2utl.
# NOTE(review): verify with the same tool that produced the signature unless
# you have confirmed that the two variants are interchangeable.
gmssl sm2utl -sign \
    -inkey private_key.key \
    -in data.txt \
    -out signature.bin
gmssl sm2utl -verify \
    -pubin -inkey public_key.pem \
    -in data.txt \
    -signature signature.bin


11. 提取公钥
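# Print the certificate's public key (PEM) to stdout; redirect it to a file to keep it.
# GMSSL_PATH is quoted so a path containing spaces still works, and :? aborts
# with a message when it is unset instead of running a bare "x509" from PATH.
"${GMSSL_PATH:?set GMSSL_PATH to the gmssl binary}" x509 -in test1102_py/aaa.pem -pubkey -noout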

 
