Fatal编程技术网
  • openssl/
  • 如何创建可由OpenSSL命令行工具解析的单行x509证书

如何创建可由OpenSSL命令行工具解析的单行x509证书

openssl certificate

如何创建可由OpenSSL命令行工具解析的单行x509证书,openssl,certificate,ssl-certificate,x509certificate,x509,Openssl,Certificate,Ssl Certificate,X509certificate,X509,我想准备一个单行x509证书字符串,它可以被OpenSSL命令行实用程序解析 我使用OpenSSL命令行实用程序创建了一个私钥 openssl genrsa -out privatekey.pem 1024 然后创建了一个公钥 openssl req -new -x509 -key privatekey.pem -out publickey.cer -days 1825 证书内容如下: $ openssl x509 -in publickey.cer -----BEGIN CERTIFICA

我想准备一个单行x509证书字符串,它可以被OpenSSL命令行实用程序解析

我使用OpenSSL命令行实用程序创建了一个私钥

openssl genrsa -out privatekey.pem 1024
然后创建了一个公钥

openssl req -new -x509 -key privatekey.pem -out publickey.cer -days 1825
证书内容如下:

$ openssl x509 -in publickey.cer
-----BEGIN CERTIFICATE-----
MIICZjCCAc+gAwIBAgIUUnH/2DwpRMsAkWtkE1jccev9FtwwDQYJKoZIhvcNAQEL
BQAwRTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoM
GEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDAeFw0xOTA5MTAxMTE0NDRaFw0yNDA5
MDgxMTE0NDRaMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEw
HwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwgZ8wDQYJKoZIhvcNAQEB
BQADgY0AMIGJAoGBAJ1Z9/FRGmzCCB1F6txz2JMpHy+WNgvtPfyRQh6vjC3g7mcD
CHOPORT9vg/9ye2smr0gcPnkJwzA6ftaw0fWvHCXtVcb+cFs7xL3JbC7HexJQWFT
4fcQ6KhckTfn8qvkHdSMEX1y6+sFKFgftUgAtWmhRNnYTPaFEjFEjc8MVeM9AgMB
AAGjUzBRMB0GA1UdDgQWBBQ+mp9v3pEw5Oy4FiE3Go9vs/56zzAfBgNVHSMEGDAW
gBQ+mp9v3pEw5Oy4FiE3Go9vs/56zzAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3
DQEBCwUAA4GBAAlemG77/vf1bvGlADLc+/sPeZ6ppuMz/y3qVRqfFJ+78RMTSrLW
SPGUyDFauTAvf7fNj+D/Pt+OrMue+AK+PCi0JxIWxIIv+XJqoSxHTwoBqujn93Xs
+vm03hED1aoCs/s7rSsckAR/OjkMtQDoVer/F0izuE7ebAh4IFYXYTUD
-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----\nMIICZjCCAc+gAwIBAgIUUnH/2DwpRMsAkWtkE1jccev9FtwwDQYJKoZIhvcNAQEL\nBQAwRTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoM\nGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDAeFw0xOTA5MTAxMTE0NDRaFw0yNDA5\nMDgxMTE0NDRaMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEw\nHwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwgZ8wDQYJKoZIhvcNAQEB\nBQADgY0AMIGJAoGBAJ1Z9/FRGmzCCB1F6txz2JMpHy+WNgvtPfyRQh6vjC3g7mcD\nCHOPORT9vg/9ye2smr0gcPnkJwzA6ftaw0fWvHCXtVcb+cFs7xL3JbC7HexJQWFT\n4fcQ6KhckTfn8qvkHdSMEX1y6+sFKFgftUgAtWmhRNnYTPaFEjFEjc8MVeM9AgMB\nAAGjUzBRMB0GA1UdDgQWBBQ+mp9v3pEw5Oy4FiE3Go9vs/56zzAfBgNVHSMEGDAW\ngBQ+mp9v3pEw5Oy4FiE3Go9vs/56zzAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3\nDQEBCwUAA4GBAAlemG77/vf1bvGlADLc+/sPeZ6ppuMz/y3qVRqfFJ+78RMTSrLW\nSPGUyDFauTAvf7fNj+D/Pt+OrMue+AK+PCi0JxIWxIIv+XJqoSxHTwoBqujn93Xs\n+vm03hED1aoCs/s7rSsckAR/OjkMtQDoVer/F0izuE7ebAh4IFYXYTUD\n-----END CERTIFICATE-----\n
然后,我使用以下命令将换行符转换为
\n

转换后的证书是

$ openssl x509 -in publickey.cer
-----BEGIN CERTIFICATE-----
MIICZjCCAc+gAwIBAgIUUnH/2DwpRMsAkWtkE1jccev9FtwwDQYJKoZIhvcNAQEL
BQAwRTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoM
GEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDAeFw0xOTA5MTAxMTE0NDRaFw0yNDA5
MDgxMTE0NDRaMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEw
HwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwgZ8wDQYJKoZIhvcNAQEB
BQADgY0AMIGJAoGBAJ1Z9/FRGmzCCB1F6txz2JMpHy+WNgvtPfyRQh6vjC3g7mcD
CHOPORT9vg/9ye2smr0gcPnkJwzA6ftaw0fWvHCXtVcb+cFs7xL3JbC7HexJQWFT
4fcQ6KhckTfn8qvkHdSMEX1y6+sFKFgftUgAtWmhRNnYTPaFEjFEjc8MVeM9AgMB
AAGjUzBRMB0GA1UdDgQWBBQ+mp9v3pEw5Oy4FiE3Go9vs/56zzAfBgNVHSMEGDAW
gBQ+mp9v3pEw5Oy4FiE3Go9vs/56zzAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3
DQEBCwUAA4GBAAlemG77/vf1bvGlADLc+/sPeZ6ppuMz/y3qVRqfFJ+78RMTSrLW
SPGUyDFauTAvf7fNj+D/Pt+OrMue+AK+PCi0JxIWxIIv+XJqoSxHTwoBqujn93Xs
+vm03hED1aoCs/s7rSsckAR/OjkMtQDoVer/F0izuE7ebAh4IFYXYTUD
-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----\nMIICZjCCAc+gAwIBAgIUUnH/2DwpRMsAkWtkE1jccev9FtwwDQYJKoZIhvcNAQEL\nBQAwRTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoM\nGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDAeFw0xOTA5MTAxMTE0NDRaFw0yNDA5\nMDgxMTE0NDRaMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEw\nHwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwgZ8wDQYJKoZIhvcNAQEB\nBQADgY0AMIGJAoGBAJ1Z9/FRGmzCCB1F6txz2JMpHy+WNgvtPfyRQh6vjC3g7mcD\nCHOPORT9vg/9ye2smr0gcPnkJwzA6ftaw0fWvHCXtVcb+cFs7xL3JbC7HexJQWFT\n4fcQ6KhckTfn8qvkHdSMEX1y6+sFKFgftUgAtWmhRNnYTPaFEjFEjc8MVeM9AgMB\nAAGjUzBRMB0GA1UdDgQWBBQ+mp9v3pEw5Oy4FiE3Go9vs/56zzAfBgNVHSMEGDAW\ngBQ+mp9v3pEw5Oy4FiE3Go9vs/56zzAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3\nDQEBCwUAA4GBAAlemG77/vf1bvGlADLc+/sPeZ6ppuMz/y3qVRqfFJ+78RMTSrLW\nSPGUyDFauTAvf7fNj+D/Pt+OrMue+AK+PCi0JxIWxIIv+XJqoSxHTwoBqujn93Xs\n+vm03hED1aoCs/s7rSsckAR/OjkMtQDoVer/F0izuE7ebAh4IFYXYTUD\n-----END CERTIFICATE-----\n
但是OpenSSL命令行工具无法解析这一单行证书

$ openssl x509 -in single_line_publickey.cer 
unable to load certificate
140671947637184:error:0909006C:PEM routines:get_name:no start line:../crypto/pem/pem_lib.c:745:Expecting: TRUSTED CERTIFICATE
看起来它无法找到封装边界
----开始证书------
----结束证书------
。从标准中,我发现
开始证书
结束证书
标签需要用换行符分隔。这里看起来好像
\n
不起作用。我尝试了
\r\n
来模拟CR+LF,但仍然遇到同样的问题

我观察到,当我在换行符中保留
begincertificate
END certificate
标签时,OpenSSL命令行工具能够解析证书。 证书文件为

$ cat multi_line_publickey.cer
-----BEGIN CERTIFICATE-----
MIICZjCCAc+gAwIBAgIUUnH/2DwpRMsAkWtkE1jccev9FtwwDQYJKoZIhvcNAQELBQAwRTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDAeFw0xOTA5MTAxMTE0NDRaFw0yNDA5MDgxMTE0NDRaMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAJ1Z9/FRGmzCCB1F6txz2JMpHy+WNgvtPfyRQh6vjC3g7mcDCHOPORT9vg/9ye2smr0gcPnkJwzA6ftaw0fWvHCXtVcb+cFs7xL3JbC7HexJQWFT4fcQ6KhckTfn8qvkHdSMEX1y6+sFKFgftUgAtWmhRNnYTPaFEjFEjc8MVeM9AgMBAAGjUzBRMB0GA1UdDgQWBBQ+mp9v3pEw5Oy4FiE3Go9vs/56zzAfBgNVHSMEGDAWgBQ+mp9v3pEw5Oy4FiE3Go9vs/56zzAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4GBAAlemG77/vf1bvGlADLc+/sPeZ6ppuMz/y3qVRqfFJ+78RMTSrLWSPGUyDFauTAvf7fNj+D/Pt+OrMue+AK+PCi0JxIWxIIv+XJqoSxHTwoBqujn93Xs+vm03hED1aoCs/s7rSsckAR/OjkMtQDoVer/F0izuE7ebAh4IFYXYTUD
-----END CERTIFICATE-----
OpenSSL工具能够解析它

$ openssl x509 -in multi_line_publickey.cer -noout -subject
subject=C = AU, ST = Some-State, O = Internet Widgits Pty Ltd
但这里我有三行。如何以OpenSSL命令行实用程序可以解析的方式将此证书准备为一行?

您可以使用bash黑暗魔法来获得所需内容。如果您看到您的
单行\u publickey.cer
,它也有
\n
字符,当您回显时会显示出来。这意味着您可以强制echo将其打印为换行符

如果您尝试以下方法:

echo -ne $(cat single_line_publickey.cer) | openssl x509 -noout -text
你可以用bash黑魔法来得到你想要的东西。如果您看到您的
单行\u publickey.cer
,它也有
\n
字符,当您回显时会显示出来。这意味着您可以强制echo将其打印为换行符

如果您尝试以下方法:

echo -ne $(cat single_line_publickey.cer) | openssl x509 -noout -text
事情应该会好起来的

我想准备一个单行x509证书字符串,它可以被OpenSSL命令行实用程序解析

-----BEGIN CERTIFICATE-----
MIICZjCCAc+gAwIBAgIUUnH/2DwpRMsAkWtkE1jccev9FtwwDQYJKoZIhvcNAQELBQAwRTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDAeFw0xOTA5MTAxMTE0NDRaFw0yNDA5MDgxMTE0NDRaMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAJ1Z9/FRGmzCCB1F6txz2JMpHy+WNgvtPfyRQh6vjC3g7mcDCHOPORT9vg/9ye2smr0gcPnkJwzA6ftaw0fWvHCXtVcb+cFs7xL3JbC7HexJQWFT4fcQ6KhckTfn8qvkHdSMEX1y6+sFKFgftUgAtWmhRNnYTPaFEjFEjc8MVeM9AgMBAAGjUzBRMB0GA1UdDgQWBBQ+mp9v3pEw5Oy4FiE3Go9vs/56zzAfBgNVHSMEGDAWgBQ+mp9v3pEw5Oy4FiE3Go9vs/56zzAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4GBAAlemG77/vf1bvGlADLc+/sPeZ6ppuMz/y3qVRqfFJ+78RMTSrLWSPGUyDFauTAvf7fNj+D/Pt+OrMue+AK+PCi0JxIWxIIv+XJqoSxHTwoBqujn93Xs+vm03hED1aoCs/s7rSsckAR/OjkMtQDoVer/F0izuE7ebAh4IFYXYTUD
-----END CERTIFICATE-----
PEM编码在RFC 1421中有详细说明。在这些规格中,它说:

  • 封装边界在它们自己的线上
  • 消息是Base64编码的
  • 行限制为64个字符
  • 行尾是CR('\r')和LF('\n')
OpenSSL从未很好地处理过格式错误的证书。从我记事起就是这样。相当多的库不能很好地处理EOL。它们也会在CRLF线路末端阻塞

相反,OpenSSH文件格式RFC表示实现必须处理CR、LF或CRLF的eol。RFC还表示,证书和密钥应该使用本机平台约定编写,因此您将在该字段中看到这三种约定

我想准备一个单行x509证书字符串,它可以被OpenSSL命令行实用程序解析

-----BEGIN CERTIFICATE-----
MIICZjCCAc+gAwIBAgIUUnH/2DwpRMsAkWtkE1jccev9FtwwDQYJKoZIhvcNAQELBQAwRTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDAeFw0xOTA5MTAxMTE0NDRaFw0yNDA5MDgxMTE0NDRaMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAJ1Z9/FRGmzCCB1F6txz2JMpHy+WNgvtPfyRQh6vjC3g7mcDCHOPORT9vg/9ye2smr0gcPnkJwzA6ftaw0fWvHCXtVcb+cFs7xL3JbC7HexJQWFT4fcQ6KhckTfn8qvkHdSMEX1y6+sFKFgftUgAtWmhRNnYTPaFEjFEjc8MVeM9AgMBAAGjUzBRMB0GA1UdDgQWBBQ+mp9v3pEw5Oy4FiE3Go9vs/56zzAfBgNVHSMEGDAWgBQ+mp9v3pEw5Oy4FiE3Go9vs/56zzAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4GBAAlemG77/vf1bvGlADLc+/sPeZ6ppuMz/y3qVRqfFJ+78RMTSrLWSPGUyDFauTAvf7fNj+D/Pt+OrMue+AK+PCi0JxIWxIIv+XJqoSxHTwoBqujn93Xs+vm03hED1aoCs/s7rSsckAR/OjkMtQDoVer/F0izuE7ebAh4IFYXYTUD
-----END CERTIFICATE-----
PEM编码在RFC 1421中有详细说明。在这些规格中,它说:

  • 封装边界在它们自己的线上
  • 消息是Base64编码的
  • 行限制为64个字符
  • 行尾是CR('\r')和LF('\n')
OpenSSL从未很好地处理过格式错误的证书。从我记事起就是这样。相当多的库不能很好地处理EOL。它们也会在CRLF线路末端阻塞

相反,OpenSSH文件格式RFC表示实现必须处理CR、LF或CRLF的eol。RFC还表示,证书和密钥应该使用本机平台约定编写,因此您将在该字段中看到所有三个。

如果您不介意dark awk magic,请继续

没有
----开始证书------
----结束证书------
新行:

awk 'NR>2 { sub(/\r/, ""); printf "%s",last} { last=$0 }' ca.crt
证书,包括页眉、页脚,不含新行字符:

awk 'NF {sub(/\r/, ""); printf "%s",$0;}' ca.crt
证书,包括页眉、页脚和新行字符,如
\n

awk 'NF {sub(/\r/, ""); printf "%s\\n",$0;}'
如果你不介意黑暗魔法,请继续

没有
----开始证书------
----结束证书------
新行:

awk 'NR>2 { sub(/\r/, ""); printf "%s",last} { last=$0 }' ca.crt
证书,包括页眉、页脚,不含新行字符:

awk 'NF {sub(/\r/, ""); printf "%s",$0;}' ca.crt
证书,包括页眉、页脚和新行字符,如
\n

awk 'NF {sub(/\r/, ""); printf "%s\\n",$0;}'
“单行线”背后的原因是什么?我有一个只接受字符串作为输入的web前端。我希望用户通过这个前端传递证书。然后,前端将此单行证书作为参数传递给openstack热堆栈创建。前端有非常基本的Javascript支持,模块非常有限。听起来你应该只传输base64,然后自己编写PEM的页眉和页脚。“单行”背后的原因是什么?我有一个只接受字符串作为输入的web前端。我希望用户通过这个前端传递证书。然后,前端将此单行证书作为参数传递给openstack热堆栈创建。前端具有非常基本的Javascript支持,模块非常有限。听起来您应该只传输base64,然后自己编写PEM页眉和页脚。OpenSSL CLI无法识别CR('\r')或LF('\n')。我尝试了,
-----开始证书------\rBASE64Certificate\r------结束证书------
,但OpenSSL CLI无法识别换行符。不确定OpenSSL是否将哪个符号视为换行符。我正在使用Ubuntu 18.04.3 LTS.OpenSSL CLI无法识别CR('\r')或LF('\n')。我尝试了,
-----开始证书------\rBASE64Certificate\r------结束证书------
,但OpenSSL CLI无法识别换行符。不确定OpenSSL是否将哪个符号视为换行符。我正在使用Ubuntu18.04.3 LTS。