說明如何使用 Windows 內建的 CertUtil 工具來檢視 .pfx 格式的憑證檔案,在更新 HTTPS 憑證時能夠派上用場;說明 OpenSSL 來處理各式與憑證相關的需求 😎
CertUtil
檢視憑證的資訊
certutil c:\users\sdwh\cert.pfxOpenSSL
憑證檔 .pfx = 伺服器憑證 .cer + 私鑰 .key
使用 openssl 可以將 .pfx 拆解,或者將 .cer 與 .key 合成為 .pfx。
.key 取得方式
主動產生,憑證出現的源頭
openssl genkey -algorithm RSA rsa_keygen_bits:2048 -out key.pem從 .pfx 拆出 .key
openssl pkcs12 -in server.pfx -password "pass:********" -out key.key 內容
Bag Attributes
Microsoft Local Key set: <No Values>
localKeyID: 01 00 00 00
friendlyName: {FE2BF4A3-FD3E-4D3D-BC31-366C11559F36}
Microsoft CSP Name: Microsoft RSA SChannel Cryptographic Provider
Key Attributes
X509v3 Key Usage: 10
-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----
Bag Attributes
localKeyID: 01 00 00 00
friendlyName: *.sdwh.dev
subject=C = TW, L = , CN =
issuer=C = TW, O = "Chunghwa Telecom Co., Ltd.", OU = Public Certification Authority - G2
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----.cer 取得方式
從 .pfx 拆出 .key,再轉換成 x509 格式並儲存為 .cer
openssl pkcs12 -in server.pfx -password "pass:********" -nokeys
| openssl x509 -out server.cer也可以直接從網站直接匯出(前提當然是網站已經掛好憑證並且完成繫結😉)
DER 編碼與 Base64 編碼格式
| 格式 | DER | Base64 |
|---|---|---|
| certutil | 無法檢視 | 可以檢視 |
.cer 內容
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
03:5e:a4:50:da:ac:e8:8d:b6:70:89:58:d1:f6:b3:1d:a3:94
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = US, O = Let's Encrypt, CN = R3
Validity
Not Before: Apr 13 01:47:17 2022 GMT
Not After : Jul 12 01:47:16 2022 GMT
Subject: CN = sdwh.dev
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
00:ab:c7:1b:0c:ed:c6:01:f8:ea:a9:b3:cf:08:17:
4f:a2:cb:7c:34:c4:66:12:e6:ef:f3:98:17:79:c9:
65:ee:66:4c:1f:9a:92:7d:33:ee:07:fa:2e:15:62:
f7:b4:f3:1f:d5:4f:2e:b1:67:a8:49:42:bf:e3:cc:
9a:b7:30:46:c2:68:f5:28:a9:64:69:6f:4c:4b:64:
24:c9:dc:ed:46:9f:a4:1f:c2:ef:6f:36:d0:bc:69:
27:b8:e2:d6:18:70:40:2c:b4:f5:ee:8f:f7:0d:8c:
6e:03:92:e7:5d:d6:3e:bc:bb:c9:5b:28:10:a0:5a:
f6:37:f5:e1:9e:15:23:72:6e:8e:69:01:09:a4:8c:
a4:c9:d7:db:05:01:90:48:4b:90:20:8c:38:7a:0a:
60:74:79:18:26:30:8e:60:0b:17:b9:24:a0:80:df:
3f:14:00:d3:09:e7:34:47:35:63:7c:54:d2:a0:9d:
e1:57:d1:cb:13:d3:3c:30:24:97:8e:ea:34:00:9f:
cc:6c:0c:6a:f7:54:bc:5e:60:dc:46:31:c2:09:de:
d9:c3:e3:63:1e:8f:1c:c5:90:90:e8:da:86:be:7d:
f1:c3:1f:1a:86:69:9b:0b:e0:b2:0c:47:08:c8:92:
59:2b:66:2f:fa:a1:38:a1:2f:10:65:f6:97:fd:16:
87:33
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Subject Key Identifier:
63:4E:15:85:56:5A:A4:94:02:C2:16:42:A4:A5:97:9A:38:02:57:97
X509v3 Authority Key Identifier:
keyid:14:2E:B3:17:B7:58:56:CB:AE:50:09:40:E6:1F:AF:9D:8B:14:C2:C6
Authority Information Access:
OCSP - URI:http://r3.o.lencr.org
CA Issuers - URI:http://r3.i.lencr.org/
X509v3 Subject Alternative Name:
DNS:sdwh.dev, DNS:www.sdwh.dev
X509v3 Certificate Policies:
Policy: 2.23.140.1.2.1
Policy: 1.3.6.1.4.1.44947.1.1.1
CPS: http://cps.letsencrypt.org
CT Precertificate SCTs:
Signed Certificate Timestamp:
Version : v1 (0x0)
Log ID : 41:C8:CA:B1:DF:22:46:4A:10:C6:A1:3A:09:42:87:5E:
4E:31:8B:1B:03:EB:EB:4B:C7:68:F0:90:62:96:06:F6
Timestamp : Apr 13 02:47:17.484 2022 GMT
Extensions: none
Signature : ecdsa-with-SHA256
30:44:02:20:4F:01:93:0F:72:D2:83:F3:B6:86:CD:D5:
9D:30:35:9B:13:FC:80:93:1A:AF:D3:A9:34:98:62:61:
3B:2B:87:53:02:20:39:F9:28:05:86:9D:4B:9F:E7:E9:
E4:16:1D:1E:1F:B1:FB:D7:75:6E:4C:DD:92:B0:B0:90:
A3:35:76:7E:1F:9B
Signed Certificate Timestamp:
Version : v1 (0x0)
Log ID : 46:A5:55:EB:75:FA:91:20:30:B5:A2:89:69:F4:F3:7D:
11:2C:41:74:BE:FD:49:B8:85:AB:F2:FC:70:FE:6D:47
Timestamp : Apr 13 02:47:17.671 2022 GMT
Extensions: none
Signature : ecdsa-with-SHA256
30:45:02:21:00:D7:E9:0F:91:3A:1F:0F:1C:92:6F:EA:
7B:1A:99:FB:53:D7:FA:1F:B3:5E:62:87:82:5B:E8:9C:
F4:A0:57:D7:5B:02:20:60:AD:DA:CE:30:24:1C:FC:63:
CD:F3:86:F3:90:91:04:F8:DF:20:88:9A:96:FC:6B:DF:
02:0C:C5:54:2A:C3:2D
Signature Algorithm: sha256WithRSAEncryption
49:03:a9:b7:5c:17:4a:47:03:c5:b8:23:e9:78:2f:8c:b7:ec:
98:6e:7f:dd:6d:59:b3:36:86:81:01:08:af:1e:47:8c:16:5a:
84:30:72:5b:92:56:7c:91:99:23:b4:d8:58:f6:81:52:a3:f6:
a3:39:9c:12:a1:88:f6:04:9f:4b:3c:1e:1c:ee:53:25:d1:e8:
4b:e3:f8:db:df:e6:e5:6d:65:ae:7b:99:31:09:30:e1:b3:f2:
8a:4e:6b:ab:d8:c3:cb:45:63:fe:11:bc:28:e1:85:b8:bf:34:
bc:f7:4c:56:84:3b:4e:41:0a:a9:9f:ed:12:69:b4:86:b6:cd:
99:b5:7c:0a:54:b6:2e:95:f2:d1:ed:b1:c9:47:e8:a0:e6:ce:
06:d1:43:5a:1a:9e:47:18:a7:67:62:94:11:b9:cc:20:3a:af:
56:84:3e:05:d6:9c:63:27:ca:78:5f:38:00:d7:02:89:14:7b:
1e:15:0f:13:05:1a:de:df:29:a1:17:5a:d5:36:91:3e:cf:3e:
61:c3:e9:c3:32:bd:ce:0c:b3:51:4b:f4:3c:2b:40:41:56:7a:
95:0b:6b:f2:13:d5:85:80:fe:a8:36:2e:72:74:9b:73:7a:50:
5b:9b:e4:8a:6d:ea:f4:39:84:f6:98:a9:25:e5:2a:08:7e:e7:
28:3f:c9:3fReference Information
https://www.zoeydc.com/zh/posts/2021-06-04-certutil-store-ssl/
http://jianiau.blogspot.com/2015/07/openssl-generating-rsa-key.html
https://blog.miniasp.com/post/2019/04/17/Convert-PFX-and-CER-format-using-OpenSSL