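This article shows how to generate RSA private and public keys with the openssl command, covering the PEM, DER and PVK formats. PEM comes in two variants, PKCS#1 and PKCS#8. It also shows how to generate password-protected keys.
Generating the private key
Without a password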
PEM (PKCS#1)
Run the following command to generate the private key file private.pem:
```bash
openssl genrsa -out private.pem 2048
```
The file content looks roughly like this:
```
-----BEGIN RSA PRIVATE KEY-----
(base64-encoded key data)
-----END RSA PRIVATE KEY-----
```
Here 2048 is the key length, which you can set yourself. The current security recommendation is 2048 bits or more.
PEM (PKCS#8)
The default output format is PKCS#1. To output PKCS#8 instead:
```bash
openssl genrsa 2048 | openssl pkcs8 -topk8 -out private.pkcs8.pem -nocrypt
```
The file format looks like this:
```
-----BEGIN PRIVATE KEY-----
(base64-encoded key data)
-----END PRIVATE KEY-----
```
DER format
To generate the key in DER format:
```bash
openssl genrsa 2048 | openssl rsa -out private.der -outform DER
```
With a password
PEM (PKCS#1)
```bash
openssl genrsa -out encrypted-private.pem -aes256 2048
```
This produces a file like the following:
```
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,11FC8CE259A9D1CD4B8B1FBF2E60E2C5

(base64-encoded encrypted key data)
-----END RSA PRIVATE KEY-----
```
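Here -aes256 is the encryption algorithm, which you can choose yourself. For the algorithms that are available, see "Generating EC private and public keys with OpenSSL commands".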
PEM (PKCS#8)
Just remove the -nocrypt option from the command above:
```bash
openssl genrsa 2048 | openssl pkcs8 -topk8 -out encrypted-private.pkcs8.pem
```
This gives a file like the following:
```
-----BEGIN ENCRYPTED PRIVATE KEY-----
(base64-encoded encrypted key data)
-----END ENCRYPTED PRIVATE KEY-----
```
PVK
```bash
openssl genrsa 2048 | openssl rsa -out private.pvk -outform PVK
```
Generating the public key
PEM
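From a PEM private key
When the private key is in PEM format, use the following command. It works whether or not the key has a password, and for both PKCS#1 and PKCS#8:
```bash
openssl rsa -in private.pem -pubout -out public.pem
```
The public key file looks roughly like this: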
```
-----BEGIN PUBLIC KEY-----
(base64-encoded key data)
-----END PUBLIC KEY-----
```
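From a DER private key
When the private key is in DER format, use the following command:
```bash
openssl rsa -in private.der -inform DER -pubout -out public.pem
```
From a PVK private key
When the private key is in PVK format, use the following command:
```bash
openssl rsa -in private.pvk -inform PVK -pubout -out public.pem
```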
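The statement above, that the same -pubout command works for any encoding of the private key, can be checked mechanically. This added example (not from the original post) re-encodes one key with the page's commands and compares the derived public keys; the function names, the temporary directory and the DEMO_PASS passphrase variable are assumptions made for the demo.

```bash
#!/usr/bin/env bash
# Added example: every encoding of one RSA key must yield the same public key.
# File names follow the page; DEMO_PASS is a constructed demo passphrase.

pub_of() {   # print the PEM public key of a private-key file; extra args pass through
    local f=$1
    shift
    openssl rsa -in "$f" "$@" -pubout 2>/dev/null
}

same_public_key() {   # returns 0 = all match, 1 = mismatch, 2 = openssl failed
    local dir ref rc=0
    dir=$(mktemp -d) || return 2
    export DEMO_PASS='constructed-demo-passphrase'

    # One key, then the same key re-encoded as PKCS#8, DER and encrypted PKCS#8.
    openssl genrsa -out "$dir/private.pem" 2048 2>/dev/null &&
    openssl pkcs8 -topk8 -nocrypt -in "$dir/private.pem" \
        -out "$dir/private.pkcs8.pem" &&
    openssl rsa -in "$dir/private.pem" -outform DER \
        -out "$dir/private.der" 2>/dev/null &&
    openssl pkcs8 -topk8 -in "$dir/private.pem" -passout env:DEMO_PASS \
        -out "$dir/encrypted-private.pkcs8.pem" || rc=2

    if [ "$rc" -eq 0 ]; then
        ref=$(pub_of "$dir/private.pem")
        [ -n "$ref" ] &&
        [ "$(pub_of "$dir/private.pkcs8.pem")" = "$ref" ] &&
        [ "$(pub_of "$dir/private.der" -inform DER)" = "$ref" ] &&
        [ "$(pub_of "$dir/encrypted-private.pkcs8.pem" -passin env:DEMO_PASS)" = "$ref" ] || rc=1
    fi
    rm -rf "$dir"
    unset DEMO_PASS
    return "$rc"
}
```

The same comparison is a quick way to confirm that a public key on hand really belongs to a given private key file.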
DER
From a PEM private key
```bash
openssl rsa -in private.pem -pubout -out public.der -outform DER
```
From a DER private key
```bash
openssl rsa -in private.der -inform DER -pubout -out public.der -outform DER
```
From a PVK private key
```bash
openssl rsa -in private.pvk -inform PVK -pubout -out public.der -outform DER
```
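Added example, not part of the original post: a small classifier that tells the formats above apart by their PEM header lines (or leading bytes for DER and PVK) and lists PEM private keys stored without a passphrase. The header is the reliable indicator, since OpenSSL 3.x genrsa writes `BEGIN PRIVATE KEY` (PKCS#8) unless -traditional is given. The function names and sample files are constructed for the demo.

```bash
#!/usr/bin/env bash
# Added example: identify a key file by the markers shown on this page.

key_format() {
    local f=$1 magic first
    magic=$(head -c 4 "$f" | od -An -tx1 | tr -d ' \n')
    case $magic in
        1ef1b5b0) echo "PVK"; return ;;   # PVK magic 0xb0b5f11e, little-endian
        3082*)    echo "DER"; return ;;   # ASN.1 SEQUENCE with a 2-byte length
    esac
    first=$(grep -m1 '^-----BEGIN ' "$f" | tr -d '\r')
    case $first in
        '-----BEGIN RSA PRIVATE KEY-----')
            if grep -q '^Proc-Type: 4,ENCRYPTED' "$f"; then
                echo "PKCS#1 PEM, encrypted"
            else
                echo "PKCS#1 PEM, unencrypted"
            fi ;;
        '-----BEGIN PRIVATE KEY-----')           echo "PKCS#8 PEM, unencrypted" ;;
        '-----BEGIN ENCRYPTED PRIVATE KEY-----') echo "PKCS#8 PEM, encrypted" ;;
        '-----BEGIN PUBLIC KEY-----')            echo "public key PEM" ;;
        *)                                       echo "unknown" ;;
    esac
}

# Print the names of PEM private keys in a directory that have no passphrase.
unencrypted_keys() {
    local f
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        case $(key_format "$f") in *unencrypted*) basename "$f" ;; esac
    done
}

# Constructed sample files; the base64 body is dummy text, not key material.
make_samples() {
    local d=$1 b='QUJDREVGR0g='
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' "$b" '-----END RSA PRIVATE KEY-----' > "$d/pkcs1.pem"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
        'DEK-Info: AES-256-CBC,00' '' "$b" '-----END RSA PRIVATE KEY-----' > "$d/enc-pkcs1.pem"
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' "$b" '-----END PRIVATE KEY-----' > "$d/pkcs8.pem"
    printf '%s\n' '-----BEGIN ENCRYPTED PRIVATE KEY-----' "$b" \
        '-----END ENCRYPTED PRIVATE KEY-----' > "$d/enc-pkcs8.pem"
    printf '%s\n' '-----BEGIN PUBLIC KEY-----' "$b" '-----END PUBLIC KEY-----' > "$d/public.pem"
    printf '\036\361\265\260' > "$d/private.pvk"   # bytes 1e f1 b5 b0
    printf '\060\202\004\244' > "$d/private.der"   # bytes 30 82 04 a4
}
```

DER files are reported only as DER: telling a private key from a public one, or an encrypted one from a plain one, requires parsing the ASN.1 structure.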
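Further reading
Signing and verifying with OpenSSL commands
RSA encryption and decryption with OpenSSL commands
Generating EC private and public keys with OpenSSL commands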