. 1.

0
OpenSSL.

.00009-01 34 01
79

. . .

. . . .

.00009-01 34 01 -


2006


openssl
.
.
c
OpenSSL, 1998-2004,
The OpenSSL Project.
.

OPENSSL
3 CA
3.3.2 (CRL)
3.5 SPKAC
4 CRL
5 CRL2PKCS7
6 DGST
7 ENC
8 OCSP
8.3.1 ocsp
8.3.2 ocsp
8.4 OCSP-
9 PKCS7
10 PKCS8
11 REQ
11.5 distinguished name attribute
12 SMIME
13 S_CLIENT
14 S_SERVER
15 VERIFY
16 X509

OPENSSL

1.1

OpenSSL , Secure
Sockets Layer (SSL v2/v3) Transport Layer Security (TLS v1) , .
openssl - OpenSSL .
:
X.509, .
-.

.
SSL/TLS .

S/MIME.

1.2

openssl [ ] [ ]
openssl [list-standard-commands] ,

openssl no-XXX [ ]

1.3

openssl (.
), (. ).
list-standard-commands ( )
.
no-XXX , ( XXX ). , no-XXX
0 () no-XXX; 1
XXX.
stderr. - .
no-XXX , quit,
no-XXX.


1.4

asn1parse
base64
ca
ciphers
crl
crl2pkcs7
dgst
enc
errstr
passwd
pkcs12
pkcs7
rand
req
s_client

s_server

s_time
sess_id
smime
speed
verify
version
x509

1.5

ASN.1-,
base64

- SSL/TLS
(CRL)
PKCS#7 CRL

-
.


PKCS#12
PKCS#7

X.509 (CSR)
SSL/TLS- , ,
SSL/TLS.
, OpenSSL.
SSL/TLS- ,
, SSL/TLS.
, OpenSSL. , SSL, http-.
SSL
SSL-
S/MIME

X.509
OpenSSL
X.509

, ,
-passin -passout.
. ,
. , , : ,


.
-

pass:
. ( ps Unix- ),
,
.
env:var
var. (, ps
Unix- ),
.
file:pathname
pathname .
-passin passout, ,
. :
, , .
fd:number
,
number. , ,
.
stdin
.


.
:
DGST (. 6) 34.11-94
-md_gost94;
ENC (. 7)
-gost89 28147-89;
OCSP (. 8)
-digest -md_gost94;
REQ (. 11) ,
-gost2001: .
SMIME (. 12) encrypt ;
X509 (c. 16) 34.11-94
(fingerprint) .
, 31 2007 34.10-94
.


CA

3.1

ca .

(CRL). .

3.2

openssl ca [-verbose] [-config filename] [-name section] [-gencrl] [-revoke file] [-crl_reason
reason] [-crl_hold instruction] [-crl_compromise time] [-crl_CA_compromise time] [-crldays days]
[-crlhours hours] [-crlexts section] [-startdate date] [-enddate date] [-days arg] [-md arg] [-policy
arg] [-keyfile arg] [-key arg] [-passin arg] [-cert file] [-selfsign] [-in file] [-out file] [-notext] [-outdir dir] [-infiles] [-spkac file] [-ss_cert file] [-preserveDN] [-noemailDN] [-batch] [-msie_hack]
[-extensions section] [-extfile section] [-engine id] [-subj arg] [-utf8] [-multivalue-rdn]

3.3

.
3.3.1

-config filename
-name section

-in filename

-ss_cert filename
-spkac filename

-infiles

-out filename

-outdir directory

, .
,
( , default_ca
ca ).
, , .
, .
, challenge
Netscape , . . 3.5
.
, ,
, .
.
.
.
.
, , .pem.
,


-cert file
-keyfile filename
-key password

-selfsign

-passin arg
-verbose
-notext
-startdate date

-enddate date

-days arg
-md alg

-policy arg

-msie_hack

-preserveDN


.
, , .
.
( Unix- ps), .
. , , (
-keyfile). , , .
-spkac, -ss_cert -gencrl, -selfsign .
-selfsign (. configuration option database) , ,
, .
, . arg . 1.5.

.

. (
ASN.1 UTCTime; ).
. ( ASN.1
UTCTime; ).
.
. ,
-34.10 md_gost94, .
,
. , ,
. . 3.4.

Microsoft Internet Explorer.

IE , .
Distinguished Name .
, , .
IE.


-noemailDN

-batch
-extensions section

-extfile file

-engine id

-subj arg

-utf8

-multivalue-rdn

3.3.2


Distinguished Name EMAIL,


,
altName. , EMAIL

.
email_in_dn .
() . .
, ,
( X509_extensions, -extfile). , V1. (
), V3.
( ,
-extensions).
engine ( ) .

subject
name,

arg

/type0=value0/type1=value1/type2=..., \( ), .
,
UTF8,
ASCII. , ,
, UTF-8 .
, -subj RDN. :
/DC=org/DC=OpenSSL/DC=users/UID=123456+CN=John Doe
-multi-rdn , UID
123456+CN=John Doe.

(CRL)

-gencrl
-crldays num

.
. nextUpdate .
,


-crlhours num
-revoke filename
-crl_reason reason


.
, , .
, reason
:
unspecified ( )
keyCompromise ( )
CACompromise ( )
affiliationChanged ( )
superseded ( )
cessationOfOperation ( )
certificateHold ( )
removeFromCRL ( )

-crl_hold instruction

-crl_compromise
time

-crl_CA_compromise
time
-crlexts section

3.3.3

, ,
.
V2. removeFromCRL ( )
,
delta, .
certificateHold ( ) instruction , OID. OID, holdInstructionNone (
RFC2459), holdInstructionCallIssuer holdInstructionReject.
keyCompromise ( ),
time. time GeneralizedTime, .. (
).
, -crl_compromise, ,
CACompromise.
,
, . , V1,
( ), V2. CRL,
( ). ,
( Netscape)
V2.

, ca, : -name, .
default_ca


ca ( ). default_ca, ca : RANDFILE,
preserve, msie_hack. RANDFILE, , , .
. .
, ,
( ).

oid_file

oid_section

new_certs_dir
certificate
private_key
RANDFILE
default_days
default_startdate

default_enddate

default_crl_hours
default_crl_days

default_md

, OID
(OBJECT IDENTIFIERS). :
OID , , , , .
, OID.
:
OID= OID.
.
, -outdir. ,
. .
, -cert. , . .
, -keyfile. , . .
, .
, -days. .
, -startdate. . , .
, -enddate.
, default_days ( -
).
, -crlhours -crldays.
, . , .
,
, ,
(RSA).
, (
). .


database
unique_subject

serial

crlnumber

x509_extensions
crl_extensions
preserve
email_in_dn

msie_hack
policy
name_opt, cert_opt


. . , .
yes,
subject. no,
subject.
yes ( 0.9.8) OpenSSL.

no, selfsign.
, . .
.
,
.
,
. , .
, -extensions.
, -crlexts.
, -preserveDN
, -noemailDN. EMAIL distinguished name ,
no. ,
EMAIL distinguished name .
, -msie_hack
, -policy. . . 3.4 .

. , -nameopt -certopt x509 (. 16), ,
no_signame no_sigdump
(
, .. ).
ca_default
.
,
OpenSSL.
, ,
,
.


copy_extensions

3.4


, .
none, ,
. copy, , ,
, .
copyall,
: ,
. .
3.10.
,
subjectAltName.

, distinguished
name . match,
. supplied, . optional,
. , , , -preserveDN,
.

3.5

SPKAC

-spkac
challenge Netscape. KEYGEN html, . SPKAC spkac.
, -spkac,
SPKAC, SPKAC, DN
"-". ,
.

3.6

: ,
. req,
, .
, demoCA, demoCA/private demoCA/newcerts. demoCA/cacert.pem,
demoCA/private/cakey.pem. demoCA/serial, , , 01,
demoCA/index.txt.


:
openssl ca -in req.pem -out newcert.pem
:
openssl ca -in req.pem -extensions v3_ca -out newcert.pem
:
openssl ca -gencrl -out crl.pem
:
openssl ca -infiles req1.pem req2.pem req3.pem
SPKAC Netscape:
openssl ca -spkac spkac.txt
SPKAC ( SPKAC ):
SPKAC=MIG0MGAwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAn7PDhCeV/xIxUg8V70YRxK2A5
CN=Steve Test
emailAddress=steve@openssl.org
0.OU=OpenSSL Group
1.OU=Another Group

ca:

[ ca ]
default_ca       = CA_default             # The default ca section

[ CA_default ]
dir              = ./demoCA               # top dir
database         = $dir/index.txt         # index file.
new_certs_dir    = $dir/newcerts          # new certs dir

certificate      = $dir/cacert.pem        # The CA cert
serial           = $dir/serial            # serial no file
private_key      = $dir/private/cakey.pem # CA private key
RANDFILE         = $dir/private/.rand     # random number file

default_days     = 365                    # how long to certify for
default_crl_days = 30                     # how long before next CRL
default_md       = md5                    # md to use

policy           = policy_any             # default policy
email_in_dn      = no                     # Don't add the email into cert DN

name_opt         = ca_default             # Subject name display option
cert_opt         = ca_default             # Certificate display option
copy_extensions  = none                   # Don't copy extensions from request

[ policy_any ]
countryName            = supplied
stateOrProvinceName    = optional
organizationName       = optional
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional

3.7

:
, ,
. .
/usr/local/ssl/lib/openssl.cnf
./demoCA
./demoCA/cacert.pem
./demoCA/private/cakey.pem
./demoCA/serial
./demoCA/serial.old
./demoCA/index.txt
./demoCA/index.txt.old
./demoCA/certs
./demoCA/.rnd

3.8


()








OPENSSL_CONF
. -config .

3.9

,
, .
,
.
V2 , -,
.
,
SPKAC .

3.10

ca .
ca ,
. :
.


ca :
, ca
.
copy_extensions . . ,
basicConstraints CA:TRUE, copy_extensions copyall,
, , .
, copy_extensions copy
basicConstraints CA:FALSE . ,
basicConstraints, .
,
keyUsage,
.
.
, :
basicConstraints = CA:TRUE, pathlen:0
CA:TRUE, .


CRL

4.1


crl DER PEM.

4.2

openssl crl [-inform PEM|DER] [-outform PEM|DER] [-text] [-in filename] [-out filename] [-noout] [-hash] [-issuer] [-lastupdate] [-nextupdate] [-CAfile file] [-CApath dir]

4.3

-inform DER|PEM

-outform DER|PEM
-in filename
-out filename
-text
-noout
-hash

-issuer
-lastupdate
-nextupdate
-CAfile file
-CApath dir

4.4

. DER CRL DER. PEM () DER-


base64 .
. ,
-inform.
. , .
. , .
.
.
- issuer.
issuer name.
.
lastUpdate.
nextUpdate.

.
:
subject name (
x509 -hash).

PEM- :
-----BEGIN X509 CRL-----
-----END X509 CRL-----


4.5



PEM DER:
openssl crl -in crl.pem -outform DER -out crl.der
Output the text form of a DER encoded certificate:
openssl crl -in crl.der -text -noout


CRL2PKCS7

5.1

crl2pkcs7 () PKCS#7-, (
).

5.2

openssl crl2pkcs7 [-inform PEM|DER] [-outform PEM|DER] [-in filename] [-out filename] [-certfile filename] [-nocrl]

5.3

-inform DER|PEM

-outform DER|PEM

-in filename

-out filename

-certfile filename

-nocrl

5.4

.
DER CRL DER-. PEM () DER- base64 .
PKCS#7-. DER
CRL DER-. PEM () DER base64 .
,
. ,
.
, PKCS#7-. , PKCS#7 .
, PEM-. PKCS#7-.
, .
, . ,
.

PKCS#7- :
openssl crl2pkcs7 -in crl.pem -certfile cert.pem -out p7.pem
PKCS#7- DER- ,
:
openssl crl2pkcs7 -nocrl -certfile newcert.pem -certfile demoCA/cacert.pem -outform DER -out p7.der


5.5


PKCS#7- signed data, , .


.
MIME- application/x-x509-user-cert.
PEM-
Microsoft Internet Explorer
Active-X Xenroll.


DGST

6.1

- .
(). -md_gost94 .

6.2

openssl dgst -md_gost94 [-c] [-d] [-hex] [-binary] [-out filename] [-sign filename] [-passin arg] [-verify filename] [-prverify filename] [-signature filename] [file...]

6.3

-d
-hex

-binary
-out filename
-md_gost94
-sign filename
-passin arg
-verify filename

-prverify filename
-signature filename
-rand file(s)

file...

- , , .
BIO.
- . -,
.
- .
, .
34.11-94
, , .
. . 1.5.
, . ,
.
, .
, .
, ,
.
, : ; MS-Windows, , OpenVMS : .
, -.
, .

. , .


ENC

7.1


, .
base64,
, .

7.2

openssl enc -ciphername [-in filename] [-out filename] [-pass arg] [-e] [-d] [-a] [-A] [-gost89] [-k
password] [-kfile filename] [-K key] [-iv IV] [-p] [-P] [-bufsize number] [-nopad] [-debug]

7.3

-in filename
-out filename
-pass arg
-salt

-nosalt

-e
-d
-a

-A

-gost89
-k password

-kfile filename

,
,
.
arg . 1.5.
.
, ,
OpenSSL SSLeay. OpenSSL 0.9.5.
. OpenSSL SSLeay.
: .
.
base64- . , ,
base64. , base64.
-a, base64- .
.
28147-89
, .
OpenSSL. , -pass.
, , . OpenSSL.
, -pass.
,


-S salt
-K key

-iv IV

-p
-P

-bufsize number
-nopad
-debug

7.4


:
, .
: ,
. ,
-iv. ,
, -K,
, . ,
, .
:
,
. -K,
. ,
.


: , .
I/O

BIO, IO.

.
-salt , , , OpenSSL.
-salt , .
,
.
:
.
7.4.1

base64 :
openssl base64 -in file.bin -out file.b64
:
openssl base64 -d -in file.b64 -out file.bin
, 28147-89:
openssl enc -gost89 -salt -in file.txt -out file.enc
, :
openssl enc -gost89 -d -salt -in file.enc -out file.txt -k mypassword


, base64 (,
):
openssl enc -gost89 -a -salt -in file.txt -out file.enc
base64 :
openssl enc -gost89 -d -salt -a -in file.enc -out file.txt
, ( ):
openssl enc -gost89 -d -in file.enc -out file.txt -K 0102030405...


OCSP

8.1

OCSP (- ) () (RFC 2560).


ocsp OCSP.
, OCSP-,
ocsp-.

8.2

openssl ocsp [-out file] [-issuer file] [-cert file] [-serial n] [-signer file] [-signkey file] [-sign_other
file] [-no_certs] [-req_text] [-resp_text] [-text] [-reqout file] [-respout file] [-reqin file] [-respin
file] [-nonce] [-no_nonce] [-url URL ] [-host host:n] [-path] [-CApath dir] [-CAfile file] [-VAfile
file] [-validity_period n] [-status_age n] [-noverify] [-verify_other file] [-trust_other] [-no_intern]
[-no_signature_verify] [-no_cert_verify] [-no_chain] [-no_cert_checks] [-port num] [-index file] [-CA file] [-rsigner file] [-rkey file] [-rother file] [-resp_no_certs] [-nmin n] [-ndays n] [-resp_key_id]
[-nrequest n]

8.3

8.3.1

ocsp

-out filename

.
.
-issuer filename
, .
. , ,
PEM.
-cert filename
, filename. issuer;
, .
-serial num
, cert, ,
, num.
, 0x.
- num.
-signer filename, - ocsp- ,
signkey filename
signer, , signkey.
signkey ,
, . , ocsp .


-sign_other filename
-nonce, -no_nonce


, .
OCSP- nonce . , OCSP-
respin, nonce ; nonce nonce. OCSP- (
cert serial), nonce ; no_nonce nonce .

-req_text, -resp_text,
-text
-reqout file, -respout
file
-reqin file, -respin
file

OCSP-,
.
DER-
.
OCSP- . , OCSP (, serial, cert
host).
-url responder_url
URL . URL, HTTP, HTTPS (SSL/TLS).
-host hostname:port, host , OCSP- -path pathname
port hostname. path http- /
.
-CAfile file, -CApath , pathname
. OCSP-.
-verify_other file
, ,
, OCSP-. ; , .
-trust_other
, verify_certs,
,
. ,

.
-VAfile file
, , . verify_certs -trust_other.
-noverify
OCSP- nonce. , ,
, .
-no_intern
, OCSP-,
, .
, ,
-verify_certs -VAfile.


-no_signature_verify

OCSP-. , , ,
.
-no_cert_verify
, OCSP-.
OCSP-
, .
-no_chain

.
-no_cert_checks
,
OCSP-. ,
;
.
-validity_period
,
nsec,
-status_age OCSP-. age
notBefore
notAfter.
, . OCSP-
. , -validity_period
.
5 .
notAfter, ,
. notBefore, ,
age . .
-digest

.
SHA1.
-md_gost94.


8.3.2


ocsp

-index indexfile

indexfile ca openssl (. 3), .


index, ocsp (), . (),
, ( issuer serial),
( respin) ocsp ( url).
index, CA
rsigner.
-CA file
,
indexfile.
-rsigner file
, OCSP-.
-rother file
, OCSP.
-resp_no_certs
OCSP-.
-resp_key_id
ID
, subject. , .. RFC 2560
.
-rkey file
OCSP-:
, ,
rsigner.
-port portnum
, OCSP-.
url.
-nrequest number
OCSP- number ,
.
-nmin
minutes, ,
-ndays days
: nextUpdate. , nextUpdate , , .

8.4

OCSP-

OCSP- , RFC2560.
OCSP-
OCSP- .
OCSP- . ,
, CAfile CApath,
OpenSSL.
, OCSP
.


CA
OCSP-: , OCSP .
, OCSP-,
.
OCSP- OCSPSigning extended key usage, OCSP
.
, OCSP-, , OCSP. , OCSP .
, OCSP .
, OCSP- ,
( ), .
OCSP- , ,
OCSP-. :
openssl x509 -in ocspCA.pem -addtrust OCSPSigning -out trustedCA.pem

-VAfile.

8.5

, . , -CApath, -CAfile (
VA) -VAfile.
OCSP- :
OCSP-.
HTTP- POST- OCSP. , ,
, .
.
ocsp CGI- respin respout.

8.6

OCSP- :
openssl ocsp -issuer issuer.pem -cert c1.pem -cert c2.pem -reqout req.der
OCSP- URL- http://ocsp.myhost.com/,

openssl ocsp -issuer issuer.pem -cert c1.pem -cert c2.pem -url http://ocsp.myhost.com/ -resp_text -respout resp.der
OCSP- :
openssl ocsp -respin resp.der -text


OCSP- 8888 (. 3.6) .


.
openssl ocsp -index demoCA/index.txt -port 8888 -rsigner rcert.pem -CA demoCA/cacert.pem -text -out log.txt
, :
openssl ocsp -index demoCA/index.txt -port 8888 -rsigner rcert.pem -CA demoCA/cacert.pem -nrequest 1
:
openssl ocsp -index demoCA/index.txt -rsigner rcert.pem -CA demoCA/cacert.pem -issuer demoCA/cacert.pem -serial 1
, , .
openssl ocsp -index demoCA/index.txt -rsigner rcert.pem -CA demoCA/cacert.pem -reqin req.der -respout resp.der


PKCS7

9.1

pkcs7 PKCS#7 DER PEM.

9.2

openssl pkcs7 [-inform PEM|DER] [-outform PEM|DER] [-in filename] [-out filename] [-print_certs] [-text] [-noout] [-engine id]

9.3

-inform DER|PEM

-outform DER|PEM
-in filename
-out filename
-print_certs

-text
-noout
-engine id

9.4

. DER
PKCS#7 1.5 DER-. PEM ()
DER- base64 .
. ,
-inform.
. ,
.
. .
, .
subject issuer .
, subject issuer.
PKCS#7- ( , -print_certs).
engine ( )
.

PKCS#7- PEM DER:


openssl pkcs7 -in file.pem -outform DER -out file.der
, :
openssl pkcs7 -in file.pem -print_certs -out certs.pem

9.5

PEM- PKCS#7- :


-----BEGIN PKCS7-----
-----END PKCS7-----
:
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----

9.6

, PKCS#7-.
1.5 PKCS#7, RFC2315.


10

PKCS8

10.1


pkcs8 PKCS#8.
PKCS#8 PrivateKeyInfo
EncryptedPrivateKeyInfo format PKCS#5 (
1.5 2.0) PKCS#12.

10.2

openssl pkcs8 [-topk8] [-inform PEM|DER] [-outform PEM|DER] [-in filename] [-passin arg]
[-out filename] [-passout arg] [-noiter] [-nocrypt] [-nooct] [-embed] [-nsdb] [-v2 alg] [-v1 alg]
[-engine id]

10.3

-topk8

-inform DER|PEM

-outform DER|PEM
-in filename

-passin arg
-out filename

-passout arg

,
PKCS#8 .
: PKCS#8.
. PKCS#8, PEM DER-. PEM- DER .
. ,
-inform.
, .
, .
, .
. arg . 1.5.
, . , . - , .
.
. arg . 1.5.


-nocrypt

-v2 alg

-v1 alg
-engine id

10.4


, PKCS#8 PKCS#8 EncryptedPrivateKeyInfo, , . ,


PrivateKeyInfo.
, .
.
2.0.
PKCS#5. , PKCS#8
pbeWithMD5AndDES-CBC, 56- DES, ,
1.5 PKCS#8. 2.0,
, , 168 DES 128- RC2, 2.0.
OpenSSL,
.
arg , , des, des3 rc2. des3.
, 1.5 PKCS#5
PKCS#12 .
engine ( )
.

PKCS#8- PEM :
-----BEGIN ENCRYPTED PRIVATE KEY-----
-----END ENCRYPTED PRIVATE KEY-----
:
-----BEGIN PRIVATE KEY-----
-----END PRIVATE KEY-----
, PKCS#5 2.0
, ,
SSLeay- . ,
.
56-, PKCS#8.


PKCS#12-
PKCS#8: ,
.
DER-
PKCS#8, ASN1,
PEM.

10.5

PKCS#5 v2.0
DES:
openssl pkcs8 -in key.pem -topk8 -v2 des3 -out enckey.pem
PKCS#8, ,
1.5 PKCS#5:
openssl pkcs8 -in key.pem -topk8 -out enckey.pem
PKCS#8, ,
PKCS#12 (3DES):
openssl pkcs8 -in key.pem -topk8 -out enckey.pem -v1 PBE-SHA1-3DES
PKCS#8 DER-:
openssl pkcs8 -inform DER -nocrypt -in key.der -out key.pem
PKCS#8 :
openssl pkcs8 -in pk8.pem -out key.pem


11

REQ

11.1


req PKCS#10. ,
, , .
. req openssl
. , PKCS#8-. ,
(, ), mkkey . ,
mkkey, req openssl. ,
req
YARROW :
. mkkey .

11.2

openssl req [-inform PEM|DER] [-outform PEM|DER] [-in filename] [-passin arg] [-out filename]
[-passout arg] [-text] [-pubkey] [-noout] [-verify] [-modulus] [-new] [-rand file(s)] [-newkey
rsa:bits] [-newkey dsa:file] [-nodes] [-key filename] [-keyform PEM|DER] [-keyout filename]
[-[md5|sha1|md2|mdc2]] [-config filename] [-subj arg] [-multivalue-rdn] [-x509] [-days n] [-set_serial n] [-asn1-kludge] [-newhdr] [-extensions section] [-reqexts section] [-utf8] [-nameopt]
[-batch] [-verbose] [-engine id]

11.3

-inform DER|PEM

-outform DER|PEM
-in filename

-passin arg
-out filename
-passout arg

. DER ASN.1 DER , PKCS#10. PEM


: DER-,
base64, .
, ,
-inform.
, .
, . ,
(-new -newkey).
. arg . 1.5.

. .
. arg . 1.5.


-text
-pubkey
-noout
-modulus
-verify
-new

-rand file(s)

-newkey arg

-key filename
-keyform PEM|DER
-keyout filename

-nodes
-config filename

-subj arg


.
.
.
, .
.
.
. ,
, .
-key ,
RSA, , .
, , . , : ; MS-Windows, ,
OpenVMS : .

. arg :. 34.10-2001 : A, B, C;
XA, XB. -newkey , , :
gost2001:A.
, .
,
-key. PEM.
,
. , ,
.
, ,
.
.
, , ,
OPENSSL_CONF.
subject . arg
/type0=value0/type1=value1/type2=...,
\( ), .


-multivalue-rdn

-x509

-days n
-set_serial n

-extensions section
-reqexts section

-utf8

-nameopt option

-asn1-kludge


, -subj RDN. :
/DC=org/DC=OpenSSL/DC=users/UID=123456+CN=John Doe
-multi-rdn , UID
123456+CN=John Doe.
.
. , ( ) .
set_serial, 0.
-x509,
. 30 .
.
, 0x.
, .
( -x509) .


.
,
UTF8,
ASCII. , ,
, UTF-8 .
, subject
issuer. , .
-nameopt.
. 16.
req , , PKCS#10. , ,
. .
PKCS#10 SET OF. , , ,
SET OF.
SET OF, .
, .


-newhdr

-batch
-verbose
-engine id

11.4


NEW PEM . ( Netscape) .


.
.
engine ( ) .

req .
, (,
req)
.
.

input_password
output_password

default_bits

default_keyfile

oid_file

oid_section

RANDFILE
encrypt_key

( ) ( ). passin passout
, , .
. , 512. ,
-new.
-newkey .
. , .
-keyout .
, OID
(OBJECT IDENTIFIERS). :
OID , , , , .
, OID.
:
OID= OID.
.
, .
0,
.
-nodes.


default_md

string_mask

req_extensions

x509_extensions

prompt

utf8

attributes

distinguished_name


,
, ,
(RSA).
, (
).
.
. default ( ) PrintableStrings,
T61Strings BMPStrings. pkix PrintableStrings and BMPStrings PKIX RFC2459.
utf8only, UTF8Strings: PKIX
RFC2459 2003 . , nombstr
PrintableStrings T61Strings: BMPStrings and UTF8Strings, Netscape.
pkix ( , ,
Active-X Xenroll Windows), utf8only
,
, .
- -reqexts .
,
, , -x509. - extensions .
no, . ,
distinguished_name attributes.
,
UTF8,
ASCII. , ,
, UTF-8 .
,
: distinguished_name.
, challengePassword
unstructuredName.
OpenSSL, ,
.
,
distinguished name, . 11.5.
,


11.5


distinguished name
attribute

distinguished name attribute. prompt no,


,
CN=Ivanov Ivan Ivanovich OU=Company emailAddress=someone@somewhere.org
(, )
-
req. .
, prompt no, . :
fieldName="prompt"
fieldName_default=" "
fieldName_min= 2
fieldName_max= 4
fieldName , commonName CN.
"prompt" . ,
. , . , ,
..
fieldName_min and
fieldName_max: (, countryName
PrintableString).
( organizationName) DN . ,
, . ,
fieldName , , . , , organizationName
1.organizationName.
OID. OpenSSL , commonName, countryName, localityName, organizationName, organizationUnitName,
stateOrProvinceName. emailAddress, name, surname, givenName
initials dnQualifier.
OID oid_file oid_section.
DirectoryString.

11.6

:
openssl req -in req.pem -text -verify -noout
:


openssl req -new -key key.pem -out req.pem


, :
openssl req -newkey gost2001:A -keyout key.pem -out req.pem
:
openssl req -x509 -newkey gost2001:A -keyout key.pem -out req.pem
, oid_file:
1.2.3.4        shortName        A longer Name
1.2.3.6        otherName        Other longer Name

, oid_section
:
testoid1=1.2.3.5
testoid2=${testoid1}.6

, :
[ req ]
default_bits           = 1024
default_keyfile        = privkey.pem
distinguished_name     = req_distinguished_name
attributes             = req_attributes
x509_extensions        = v3_ca

dirstring_type = nobmp

[ req_distinguished_name ]
countryName            = Country Name (2 letter code)
countryName_default    = AU
countryName_min        = 2
countryName_max        = 2

localityName           = Locality Name (eg, city)

organizationalUnitName = Organizational Unit Name (eg, section)

commonName             = Common Name (eg, YOUR name)
commonName_max         = 64

emailAddress           = Email Address
emailAddress_max       = 40

[ req_attributes ]
challengePassword      = A challenge password
challengePassword_min  = 4
challengePassword_max  = 20

[ v3_ca ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
basicConstraints = CA:true

:
RANDFILE               = $ENV::HOME/.rnd

[ req ]
default_bits           = 1024
default_keyfile        = keyfile.pem
distinguished_name     = req_distinguished_name
attributes             = req_attributes
prompt                 = no
output_password        = mypass

[ req_distinguished_name ]
C                      = GB
ST                     = Test State or Province
L                      = Test Locality
O                      = Organization Name
OU                     = Organizational Unit Name
CN                     = Common Name
emailAddress           = test@email.address

[ req_attributes ]
challengePassword      = A challenge password

11.7

, PEM :
-----BEGIN CERTIFICATE REQUEST-----
-----END CERTIFICATE REQUEST-----
( Netscape) :
-----BEGIN NEW CERTIFICATE REQUEST-----
-----END NEW CERTIFICATE REQUEST-----
-newhdr,
. .
, Microsoft IE Active-X Xenroll, , KeyUsage,
( ) OID,
extendedKeyUsage.


11.8


:
Using configuration from /some/path/openssl.cnf
Unable to load config info
:
unable to find distinguished_name in config
problems making Certificate Request
: ! ( ) ,
. . .
:
Attributes:
a0:00
, attributes , SET OF (DER- 0xa0 0x00).
:
Attributes:
, SET OF ( ). . -asn1-kludge.

11.9

OPENSSL_CONF, ,
. -config
. SSLEAY_CONF
, .


12


SMIME

12.1

smime S/MIME. , , .

12.2

openssl smime [-encrypt] [-decrypt] [-sign] [-verify] [-pk7out] [-gost89] [-in file] [-certfile file]
[-signer file] [-recip file] [-inform SMIME|PEM|DER] [-passin arg] [-inkey file] [-out file] [-outform SMIME|PEM|DER] [-content file] [-to addr] [-from ad] [-subject s] [-text] [-rand file(s)]
[cert.pem]...

12.3

, .
.

-encrypt

-decrypt

-sign

-verify

-pk7out
-in filename

-inform
SMIME|PEM|DER

.
.
MIME.

. MIME. .
. , . MIME.
. .
, .

PKCS#7- PEM-.
, ,
MIME,
.
PKCS#7-.
SMIME, S/MIME.
PEM DER
PKCS#7- .
PKCS#7-,
PKCS#7- (
-encrypt -sign), .
,


-content filename

-text

-add

-CAfile file
-CApath dir

-gost89

-nointern

-noverify
-nochain

-nosigs
-nocerts


, () , -verify. , PKCS#7- , .

S/MIME;
multipart/signed MIME content type.
MIME- (text/plain)
.
:
MIME- text/plain, .
. PKCS#7-
PEM DER.
S/MIME .
, . -verify.
, . -verify.
, - subject name.
. -encrypt.
.
, ,
, ( ).
, , -certfile. , ,
.
.
,
,
,
.
.
, , . .
, (,
-certfile).


-binary

-nodetach

-certfile file

-signer file

-recip file

-inkey file

-passin arg
-rand file(s)

cert.pem...
-to, -from, -subject

-policy
-purpose

-ignore_critical
-crl_check


, , CR LF ,
S/MIME. .
, MIME-.
:
, , S/MIME. ,
MIME multipart/signed.
. .
. PEM-.
. ,
.
. ,
.
,
. . ,
, -recip
-signer.
. arg . 1.5.
, ,
.
, : ; MS-Windows, , OpenVMS : .
. .
.
, . ,
S/MIME, , , , .


, openssl
sslclient, sslserver, nssslserver, smimeencrypt, smimesign, crlsign, any.

X509v3, .

,


-crl_check_all
-policy_check
-explicit_policy
-x509_strict
-policy_print

12.4







x509

MIME-
.
. sendmail
.
MIME, ( ). -text .
, ,
. ,
(. 12.6).

S/MIME,
.
( -add)
.
,
. ,
.
-encrypt -decrypt
. , enveloped data
PKCS#7. PKCS#7 encrypted data .

12.5
1
2
3
4
5

.
.
.
PKCS#7- MIME-.
,
.

12.6


openssl smime -sign -in message.txt -text -out mail.msg -signer mycert.pem
:
openssl smime -sign -in message.txt -text -out mail.msg -nodetach -signer mycert.pem
, :
openssl smime -sign -in in.txt -text -out mail.msg -signer mycert.pem -inkey mykey.pem -certfile mycerts.pem
Unix- sendmail,
:
openssl smime -sign -in in.txt -text -signer mycert.pem -from steve@openssl.org -to someone@somewhere -subject "Signed message" | sendmail someone@somewhere

:
openssl smime -verify -in mail.msg -signer user.pem -out signedtext.txt
, gost89:
openssl smime -encrypt -in in.txt -from steve@openssl.org -to someone@somewhere -subject "Encrypted message" -gost89 user.pem -out mail.msg
:
openssl smime -sign -in ml.txt -signer my.pem -text | openssl smime -encrypt -out mail.msg -from steve@openssl.org -to someone@somewhere -subject "Signed and Encrypted message" -gost89 user.pem
: -text, MIME-.
:
openssl smime -decrypt -in mail.msg -recip mycert.pem -inkey key.pem
Netscape PKCS#7-
. ,
, base64, :
-----BEGIN PKCS7-----
-----END PKCS7-----
openssl smime -verify -inform PEM -in signature.pem -content content.txt
base64
openssl smime -verify -inform DER -in signature.der -content content.txt


13
13.1


S_CLIENT

s_client SSL/TLS- , SSL/TLS-.


SSL-.

13.2

openssl s_client [-connect host:port] [-verify depth] [-cert filename] [-certform DER|PEM] [-key filename]
[-keyform DER|PEM] [-pass arg] [-CApath directory] [-CAfile filename] [-reconnect]
[-pause] [-showcerts] [-debug] [-msg] [-nbio_test] [-state] [-nbio] [-crlf] [-ign_eof] [-quiet] [-ssl2] [-ssl3] [-tls1] [-no_ssl2] [-no_ssl3] [-no_tls1] [-bugs] [-cipher cipherlist] [-starttls protocol]
[-engine id] [-rand file(s)]

13.3

-connect host:port

-host
-port
-cert certname

-certform format
-crl_check
-crl_check_all
-key keyfile
-keyform format
-pass arg
-verify depth

, ,
. , , 4433.
.
, -connect
, .
, -connect
, ,
. .
: DER PEM.
PEM.
.

, . , .
: DER PEM. PEM.
. arg . 1.5.
.
.
,
. ,
.
,


-CApath directory

-CAfile file

-reconnect

-pause
-showcerts
-prexit

-state
-debug
-msg
-nbio_test
-nbio
-crlf
-ign_eof
-quiet


, . -, . 15
.

.
, , .
, 5
ID.
.
read write.
, . , .
.

,
. , -
- , URL. : ,
, , .
SSL-.
, .
.
-
-
CR+LF,
.
.
. , -ign_eof.


-ssl2, -ssl3, -tls1, -no_ssl2, -no_ssl3, -no_tls1
SSL- TLS .


, SSL v3, SSL v2 TLS
.
,
,
.
TLS
-no_tls, SSL, -ssl2.
-bugs
SSL TLS .
.
-cipher cipherlist
, . ,
- ,
- .
. ciphers.
-starttls protocol
- ()
TLS . protocol - .
smtp, pop3, imap, and ftp.
-engine id
engine ( )
.
-rand file(s)
, ,
.
, : ; MS-Windows, , OpenVMS : .
-mtu
TCP
.
-serverpref
(
SSLv2)

13.4

SSL-, , , .
( , -quiet, -ign_eof) , R, Q,
, .


13.5


s_client SSL-. SSL HTTP-


openssl s_client -connect servername:443 ( https
443). , http-, GET /
-.
, , , ,
-bugs, -ssl2, -ssl3, -tls1, -no_ssl2, -no_ssl3, -no_tls1 , . -
OpenSSL.

- , , .
, , ,
,
. s_client
. URL. ,
-prexit http- .
-cert,
, .
, , .
,
-showcerts, .


14
14.1


S_SERVER

s_server SSL/TLS- ,

SSL/TLS.

14.2

openssl s_server [-accept port] [-context id] [-verify depth] [-Verify depth] [-cert filename] [-certform DER|PEM] [-key keyfile] [-keyform DER|PEM] [-pass arg] [-dcert filename] [-dcertform DER|PEM]
[-dkey keyfile] [-dkeyform DER|PEM] [-dpass arg] [-dhparam filename] [-nbio] [-nbio_test] [-crlf] [-debug] [-msg] [-state] [-CApath directory] [-CAfile filename] [-nocert] [-cipher cipherlist]
[-quiet] [-no_tmp_rsa] [-ssl2] [-ssl3] [-tls1] [-no_ssl2] [-no_ssl3] [-no_tls1] [-no_dhe]
[-bugs] [-hack] [-www] [-WWW] [-HTTP] [-engine id] [-id_prefix arg] [-rand file(s)]

14.3

-accept port
-context id

-cert certname

-certform format
-key keyfile
-keyform format
-pass arg
-dcert filename, -dkey keyname

TCP-,
. , 4433.
SSL.
. ,
.
, .
- ,
.
, server.pem.
: DER PEM.
PEM.
, .
, .
: DER PEM. PEM.
.
arg . 1.5.
- ,
, ,
-cert -key, , ,
. , - , .
,
.


-dcertform format, -dkeyform format, -dpass arg
, .
-nocert
, .
( DH).
-dhparam filename
DH, .
DH- ,
DH-. , . , ,
s_server.
-no_dhe
, DH-
, DH-.
-verify depth, -Verify . depth
. -verify ,
, -Verify ,
.
-CApath directory
,
. -, . 15 .

.
-CAfile file
, , . , .
-state
SSL-.
-debug
, .
-msg
.
-nbio_test
-
-nbio
-
-crlf
CR+LF,
.
-ign_eof

.
-quiet
. , -ign_eof.


-ssl2, -ssl3, -tls1, -no_ssl2, -no_ssl3, -no_tls1
SSL- TLS .


, SSL v3, SSL v2 TLS
.
-bugs
SSL TLS .
.
-hack

SSL Netscape.
-cipher cipherlist
, .
-, -
, . - ,
. . ciphers.
-www
.
- . HTML-, , , -.
-WWW
-. , URL
https://myhost/page.html, ./page.html.
-HTTP
-. , URL
https://myhost/page.html, ./page.html. ,
HTML- (, HTTP, CRLF).
-starttls protocol
- ()
TLS . protocol - .
smtp, pop3, imap, and ftp.
-engine id
engine ( )
.
-id_prefix arg
SSL/TLS , arg.
SSL/TLS- ( ), ,
(range)
(, ).


-rand file(s)

14.4


, ,
.
, : ; MS-Windows, , OpenVMS : .

SSL- -www
-WWW, , , , ,
.
,
. :
q SSL-, .
Q SSL- .
r SSL-.
R SSL- .
P underlying TCP-:
- .
S .

14.5

s_server SSL-.
-, , ,
openssl s_server -accept 443 -www
, , , SSL , . .
sess_id.


15


VERIFY

15.1

verify .

15.2

openssl verify [-CApath directory] [-CAfile file] [-purpose purpose] [-untrusted file] [-help] [-issuer_checks] [-verbose] [-] [certificates]

15.3

-CApath directory

-CAfile file
-untrusted file
-purpose purpose

-help
-verbose
-issuer_checks

certificates

-policy
-purpose

. : hash.0
( hash subject
name; . 16.) Unix- c_rehash .
.
PEM-, .
.

. . : sslserver, nssslserver, smimesign, smimeencrypt.
. 15.4.
.
.
, ,
. ,
.
,
.
. , , . , -.
, . , .
PEM.


, openssl
sslclient, sslserver, nssslserver, smimeencrypt, smimesign, crlsign, any.
,


-ignore_critical
-crl_check
-crl_check_all
-policy_check
-explicit_policy
-x509_strict
-policy_print

15.4



X509v3, .






x509

verify , internal SSL and S/MIME verification,


.
,
verify, : , ,
,
. .
.
. ,
. , . ,
.
,
. OpenSSL 0.9.5a , subject name issuer , .
OpenSSL 0.9.6. , subject name issuer , .
( )
, , keyUsage ( )
.
,
, .
; , , ,
.

. -purpose , . (leaf) , , . ,
16.6.


. .
SSLeay OpenSSL
.
.
notBefore notAfter
. .
, . -
, .

15.5

, ,
. :
server.pem: /C=AU/ST=Queensland/O=CryptSoft Pty Ltd/CN=Test CA (1024 bit)
error 24 at 1 depth lookup:invalid CA certificate
, subject name . .
, ,
0, , - 1
. .
. , x509_vfy.h.
, ; .

0 X509_V_OK: ok


,
: , ,
.
. .

. .

SubjectPublicKeyInfo .

X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT: unable to get issuer certificate
X509_V_ERR_UNABLE_TO_GET_CRL: unable to get certificate CRL
X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE: unable to decrypt CRL's signature
X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY: unable to decode issuer public key


7 X509_V_ERR_CERT_SIGNATURE_FAILURE: certificate signature failure
8 X509_V_ERR_CRL_SIGNATURE_FAILURE: CRL signature failure
X509_V_ERR_CERT_NOT_YET_VALID: certificate is not yet valid
10 X509_V_ERR_CERT_HAS_EXPIRED: certificate has expired
11 X509_V_ERR_CRL_NOT_YET_VALID: CRL is not yet valid
12 X509_V_ERR_CRL_HAS_EXPIRED: CRL has expired
13 X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD: format error in certificate's notBefore field
14 X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD: format error in certificate's notAfter field
15 X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD: format error in CRL's lastUpdate field

.

: notBefore
.
: notAfter
.
.
.
notBefore

notAfter

lastUpdate .

nextUpdate .

.
.

.
, .

16 X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD: format error in CRL's nextUpdate field
17 X509_V_ERR_OUT_OF_MEM: out of memory
18 X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT: self signed certificate
19 X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN: self signed certificate in certificate chain


20 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY: unable to get local issuer certificate
21 X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE: unable to verify the first certificate
22 X509_V_ERR_CERT_CHAIN_TOO_LONG: certificate chain too long
23 X509_V_ERR_CERT_REVOKED: certificate revoked
24 X509_V_ERR_INVALID_CA: invalid CA certificate
25 X509_V_ERR_PATH_LENGTH_EXCEEDED: path length constraint exceeded
26 X509_V_ERR_INVALID_PURPOSE: unsupported certificate purpose
27 X509_V_ERR_CERT_UNTRUSTED: certificate not trusted
28 X509_V_ERR_CERT_REJECTED: certificate rejected

,
, .
,

.
,
,
.
.
.
.

.
,
.
the
basicConstraints pathlength
.


.

.

.


29 X509_V_ERR_SUBJECT_ISSUER_MISMATCH: subject issuer mismatch
30 X509_V_ERR_AKID_SKID_MISMATCH: authority and subject key identifier mismatch
31 X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH: authority and issuer serial number mismatch
32 X509_V_ERR_KEYUSAGE_NO_CERTSIGN: key usage does not include certificate signing

, ,
subject name

issuer name
.

,
-issuer_checks.
,

, ,

subject key
authority
key
identifier
.

,
-issuer_checks.
,

, ,
issuer name serial
number

authority
key
identifier
of the current certificate.

,
-issuer_checks.
,

, ,

keyUsage


50 X509_V_ERR_APPLICATION_VERIFICATION: application verification failure

,
. .


16

X509

16.1


x509 . , , -
.

16.2

openssl x509 [-inform DER|PEM|NET] [-outform DER|PEM|NET] [-keyform DER|PEM] [-CAform DER|PEM] [-CAkeyform DER|PEM] [-in filename] [-out filename] [-serial] [-hash] [-subject_hash] [-issuer_hash] [-subject] [-issuer] [-nameopt option] [-email] [-startdate] [-enddate]
[-purpose] [-dates] [-modulus] [-fingerprint] [-alias] [-noout] [-trustout] [-clrtrust] [-clrreject]
[-addtrust arg] [-addreject arg] [-setalias arg] [-days arg] [-set_serial n] [-signkey filename]
[-x509toreq] [-req] [-CA filename] [-CAkey filename] [-CAcreateserial] [-CAserial filename] [-text] [-C] [-md2|-md5|-sha1|-mdc2|-md_gost94] [-clrext] [-extfile filename] [-extensions section]
[-engine id]

16.3

, .
16.3.1

-inform DER|PEM|NET

-outform DER|PEM|NET
-in filename

-out filename

-md5

. , X509, , , -req. DER DER-


, PEM DER- base64 c
. NET
Netscape,

. ,
-inform.
, . ,
.
. , .
MD5 (fingerprint) -signkey ( ,
)
,


-sha1

-md_gost94
-engine id

16.3.2


SHA1 (fingerprint)
-signkey ( , )
34.11-94 (fingerprint) .
engine ( ) .

: -alias -purpose ,
16.3.3.

-text

-certopt option

-noout
-modulus
-serial
-subject_hash

-issuer_hash
-hash
-subject
-issuer
-nameopt option

-email
-startdate
-enddate
-dates
-fingerprint

. , ,
subject name issuer name, ,
.
-text.
option , . certopt .
.
, .

subject name . OpenSSL ,
subject name.
issuer name .
-hash .
subject name.
issuer name.
, subject
issuer. , .
-nameopt. . 16.3.5.
() , .
notBefore.
notAfter.
.
- DER-
(. 16.5).
,


-
16.3.3


, ,
.
, ,
.

. .
, ,
.

. . , SSL-, SSL-.
. 15 .
OpenSSL ,
.

-trustout

-setalias arg
-alias
-clrtrust
-clrreject
-addtrust arg

-addreject arg

x509
.
, ,
, .
. , - .
. , .
, .
.
.
.
, clientAuth ( SSL-),
serverAuth ( SSL-) emailProtection ( S/MIME). OpenSSL- .
.
, -addtrust.


-purpose

16.3.4


. .
16.6.

x509 ; , -.

-signkey filename

-clrext

-keyform PEM|DER
-days arg
-x509toreq
-req

-set_serial n


.
,
issuer name subject name (..
), .
,
, -days. , -clrext.
,
,
subject name .
. ,
( -signkey -CA). ,
.
(DER PEM) , -signkey.
. 30 .
. -signkey
.
.
,
.
. -signkey -CA.
-CA, ( CAserial -CAcreateserial) .
(
0x). ,
.


-CA filename

-CAkey filename

-CAserial filename

-CAcreateserial

-extfile filename

-extensions section

16.3.5


, . , x509 -. , issuer name


subject name ,
, .
, , -req. -req ,
.
, ,
.
, ,
.
, .
-CA ,
, .
, .
.
( ) .srl. ,
mycacert.pem, mycacert.srl.
, , . 02,
1. ,
-CA ,
.
, , . ,
.
,
. , ()
,
extensions, .

- nameopt , subject name issuer


name. nameopt , , OpenSSL. , - . ,


compat
RFC2253

oneline

multiline
esc_2253

esc_ctrl

esc_msb

use_quote

utf8

no_type

show_type

. .
, RFC2253 esc_2253, esc_ctrl, esc_msb, utf8, dump_nostr,
dump_unknown, dump_der, sep_comma_plus, dn_rev sname.
, , RFC2253. esc_2253, esc_ctrl, esc_msb, utf8,
dump_nostr, dump_der, use_quote, sep_comma_plus_space, space_eq
sname.
. esc_ctrl,
esc_msb, sep_multiline, space_eq, lname align.
, RFC2253 ,
,+>;. , # , .
, .. ASCII, 0x20 (), (0x7f).
RFC2253 \XX notation ( XX , ).
(most significant) , , ASCII- 127.
,

,
\.
UTF-.
RFC2253. UTF-8- , ( esc_msb) () . , , 0xff, \UXXXX
\WXXXXXXXX . , , UTF-8-
.
. ,
. ,
.
ASN.1. . BMPSTRING: Hello World.


dump_der

, ,
, DER-. , .
RFC2253 #XXXX...
dump_nostr
( OCTET
STRING). ,
, .
dump_all
. dump_der
DER- .
dump_unknown
, OID OpenSSL.
sep_comma_plus,
. - sep_comma_plus_space, RDN AVA (
sep_semi_plus_space, AVA , sep_multiline
). , space, .
sep_multiline LF RDN + AVA. ,

.
dn_rev
DN . RFC2253.
AVA, .
nofname,
sname, . nofname
lname, oid
. sname
( CN commonName). lname . oid
OID .
align
.
sep_multiline.
space_eq
=, .
16.3.6

, , certopt, text. .

compatible
no_header
no_version
no_serial
no_signame

.
.
, .. Certificate
Data.



,


no_validity
no_subject
no_issuer
no_pubkey
no_sigdump
no_aux
no_extensions
ext_default
ext_error
ext_parse
ext_dump
ca_default

16.4


, .. notBefore notAfter.
subject name.
issuer name.
.
.
.
3 X509.
; .

.
ASN.1-.
.
, ca, no_issuer, no_pubkey, no_header, no_version, no_sigdump
no_signame.

:
openssl x509 -in cert.pem -noout -text
:
openssl x509 -in cert.pem -noout -serial
subject name :
openssl x509 -in cert.pem -noout -subject
subject name RFC2253-:
openssl x509 -in cert.pem -noout -subject -nameopt RFC2253
subject name , UTF-8:
openssl x509 -in cert.pem -noout -subject -nameopt oneline,-esc_msb
MD5- :
openssl x509 -in cert.pem -noout -fingerprint
SHA1- :
openssl x509 -sha1 -in cert.pem -noout -fingerprint
PEM- DER-:
openssl x509 -in cert.pem -inform PEM -out cert.der -outform DER
:
openssl x509 -x509toreq -in cert.pem -out req.pem -signkey key.pem
,
:
openssl x509 -req -in careq.pem -extfile openssl.cnf -extensions v3_ca -signkey key.pem -out cacert.pem
, ,
:
openssl x509 -req -in req.pem -extfile openssl.cnf -extensions v3_usr -CA cacert.pem -CAkey key.pem -CAcreateserial


SSL-
Steve's Class 1 CA:
openssl x509 -in cert.pem -addtrust clientAuth -setalias "Steve's Class 1 CA" -out trust.pem

16.5

PEM- :
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
, , :
-----BEGIN X509 CERTIFICATE-----
-----END X509 CERTIFICATE-----
:
-----BEGIN TRUSTED CERTIFICATE-----
-----END TRUSTED CERTIFICATE-----
UTF-8, , , T61Strings ISO8859-1. ,
Netscape Microsoft IE, .
, .
-fingerprint - DER- . -
. -
,
.
Netscape MD5, Microsoft IE SHA1.
-email subject name subject alternative name. :
.

16.6

-purpose ,
.
.
,
,
-verify.
basicConstraints
, . true, ,
false, .
true.


V1 ( )
, , .
Verisign, V1.
keyUsage, .
keyCertSign, .
extended key usage . ( ),
.
.
basicConstraints, keyUsage 1 .

SSL Client

extended key usage


OID web client authentication. keyUsage digitalSignature. Netscape
SSL client.
SSL Client CA
extended key usage
OID web client authentication. Netscape SSL CA,
, basicConstraints.
SSL Server
extended key usage OID web server authentication / SGC OID. keyUsage
digitalSignature keyEncipherment ( ). Netscape
SSL server.
SSL Server CA
extended key usage
OID web server authentication / SGC OID. Netscape
SSL CA, ,
basicConstraints.
Netscape SSL Server Netscape SSL- SSL-, keyEncipherment keyUsage. ,
- . , SSL-.
Common S/MIME Client Tests
extended key usage
OID email protection. Netscape S/MIME. S/MIME
Netscape,
SSL client, ; , Verisign S/MIME.


S/MIME Signing

S/MIME-
digitalSignature,
keyUsage.
S/MIME Encryption S/MIME-
keyEncipherment, keyUsage.
S/MIME CA
extended key usage
OID email protection. Netscape S/MIME CA,
, basicConstraints.
CRL Signing
keyUsage CRL signing.
CRL Signing CA
.
basicConstraints.



()


. -

- ()

.
.