Certificate CertUtil & OpenSSL


  1. CertUtil
  2. OpenSSL
    1. How to obtain the .key
    2. .key contents
    3. How to obtain the .cer
      1. DER vs. Base64 encoding
    4. .cer contents
  3. Reference Information

How to use the CertUtil tool built into Windows to inspect a .pfx certificate file, which comes in handy when renewing an HTTPS certificate, and how to use OpenSSL for the rest of the certificate-related chores 😎


CertUtil

View the certificate's information

certutil c:\users\sdwh\cert.pfx

Given only a file name, certutil defaults to the -dump verb. A .pfx normally contains the private key and is password-protected, so certutil prompts for the password; it can also be supplied non-interactively with certutil -dump -p <password> c:\users\sdwh\cert.pfx, keeping in mind that a password on the command line ends up in the shell history and is visible in the process list.

certutil | docs.microsoft

OpenSSL

Certificate file .pfx = server certificate .cer + private key .key

A .pfx (PKCS#12) bundle usually also carries the intermediate CA certificates, and because it contains the private key it has to be handled as a secret, not as a public certificate. With openssl you can split a .pfx apart, or combine a .cer and a .key into a .pfx.

How to obtain the .key

Generate it yourself: this is where a certificate begins, since the CSR and the issued certificate are both built on this key

openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out key.pem

(The subcommand is genpkey, and the key size is passed through -pkeyopt. Keep key.pem readable only by the account that needs it; add -cipher aes-256-cbc to encrypt it with a pass phrase at rest.)

Split the .key out of a .pfx

openssl pkcs12 -in server.pfx -password "pass:********" -out key

-password supplies the import password of the .pfx. As written, the command writes everything in the bundle, the private key and the certificate(s), into one file, which is exactly what the listing below shows; add -nocerts to keep only the key. The key is re-encrypted on output and openssl asks for a PEM pass phrase unless you add -nodes (-noenc in OpenSSL 3), in which case the file holds the plaintext key and must be protected accordingly.

.key contents (as written by the command above)

Bag Attributes
    Microsoft Local Key set: <No Values>
    localKeyID: 01 00 00 00 
    friendlyName: {FE2BF4A3-FD3E-4D3D-BC31-366C11559F36}
    
    Microsoft CSP Name: Microsoft RSA SChannel Cryptographic Provider
Key Attributes
    X509v3 Key Usage: 10 

-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----

Bag Attributes
    localKeyID: 01 00 00 00 
    friendlyName: *.sdwh.dev
subject=C = TW, L = , CN =

issuer=C = TW, O = "Chunghwa Telecom Co., Ltd.", OU = Public Certification Authority - G2

-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

How to obtain the .cer

Split the certificate out of the .pfx (-nokeys drops the private key), then pipe it through openssl x509 so that the "Bag Attributes" preamble is stripped and only the X.509 certificate is written to the .cer file

openssl pkcs12 -in server.pfx -password "pass:********" -nokeys \
  | openssl x509 -out server.cer

openssl x509 keeps only the first certificate it reads. If the .pfx also carries the intermediate chain, add -clcerts to the pkcs12 command to output just the end-entity (server) certificate, or -cacerts to get the chain instead.

You can also export it straight from the web server (provided, of course, that the certificate is already installed and bound to the site 😉)
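The whole round trip, as an added example that is not part of the original post: generate a key, stand in for the CA-issued certificate with a self-signed one, bundle both into a .pfx, split the key and the certificate back out, and then check that the two still belong together. It assumes an openssl binary (1.1.1 or 3.x) on PATH; the file names, the subject demo.example and the password are made up for the demo.

```shell
#!/bin/sh
# Added example (not from the original post): round-trip a certificate through a
# .pfx with OpenSSL and verify the extracted key and certificate belong together.
# Assumes an `openssl` binary on PATH; names, password and subject are invented.
set -eu

WORK="$(mktemp -d)"                  # mktemp -d creates the directory mode 0700
PFX_PASS='pass:demo-pfx-password'    # hypothetical export/import password

# 1. Generate the private key: this is where a certificate's life starts.
make_key() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORK/key.pem" 2>/dev/null
}

# 2. A self-signed certificate stands in for the CA-issued one (a real
#    deployment would send a CSR to the CA instead). Constructed test data.
make_cert() {
    openssl req -x509 -new -key "$WORK/key.pem" -days 30 \
        -subj "/CN=demo.example" -addext "subjectAltName=DNS:demo.example" \
        -out "$WORK/cert.pem"
}

# 3. Combine .cer + .key into a .pfx (PKCS#12).
make_pfx() {
    openssl pkcs12 -export -inkey "$WORK/key.pem" -in "$WORK/cert.pem" \
        -passout "$PFX_PASS" -out "$WORK/server.pfx"
}

# 4a. Split the key back out. -nocerts drops the certificate bags, -nodes leaves
#     the key unencrypted, and `openssl pkey` strips the Bag Attributes preamble
#     so the file starts at -----BEGIN PRIVATE KEY-----.
extract_key() {
    openssl pkcs12 -in "$WORK/server.pfx" -passin "$PFX_PASS" -nocerts -nodes \
        | openssl pkey -out "$WORK/extracted.key"
}

# 4b. Split the certificate back out. -nokeys drops the key bag; piping through
#     `openssl x509` strips the preamble and keeps the first certificate.
extract_cert() {
    openssl pkcs12 -in "$WORK/server.pfx" -passin "$PFX_PASS" -nokeys \
        | openssl x509 -out "$WORK/server.cer"
}

# SHA-256 of the DER public key, computed the same way from a key and from a cert.
pubkey_fp_from_key()  { openssl pkey -in "$1" -pubout -outform DER | openssl dgst -sha256; }
pubkey_fp_from_cert() { openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256; }

# Returns 0 when the extracted key and certificate share a public key, i.e. the
# .pfx was split correctly and the pair can be bound for HTTPS again.
key_matches_cert() {
    [ "$(pubkey_fp_from_key "$WORK/extracted.key")" = "$(pubkey_fp_from_cert "$WORK/server.cer")" ]
}

# The first line of a PEM file tells you what you are looking at.
pem_header() { head -n 1 "$1"; }

run_roundtrip() { make_key && make_cert && make_pfx && extract_key && extract_cert; }

run_roundtrip
echo "key:  $(pem_header "$WORK/extracted.key")"
echo "cert: $(pem_header "$WORK/server.cer")"
key_matches_cert && echo "extracted key and certificate match"
```

The public-key fingerprint comparison is the check to run before binding a renewed certificate: a mismatch means the .cer was issued for a different key than the one you extracted. In real use, pass the .pfx password via -passin file:… or an environment variable rather than pass:… on the command line, since the latter shows up in the process list.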

DER vs. Base64 encoding

A .cer file is either raw DER (binary ASN.1) or that same DER Base64-encoded and wrapped in -----BEGIN CERTIFICATE----- / -----END CERTIFICATE----- lines (PEM; the Windows export wizard calls this "Base64 encoded X.509"). Observed behaviour with certutil:

Format      DER             Base64
certutil    cannot view     can view

certutil -dump should accept either encoding; if a file refuses to open, convert it with certutil -encode cert.der cert.cer (DER to Base64) or certutil -decode cert.cer cert.der, or with openssl x509 -inform der -in cert.der -out cert.pem.
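Telling the two encodings apart and converting between them, as an added example that is not part of the original post. It assumes an openssl binary on PATH and uses a self-signed certificate (subject demo.example, made up) as test data; the encoding check relies on a DER certificate starting with the ASN.1 SEQUENCE tag 0x30 and a PEM file starting with a -----BEGIN line.

```shell
#!/bin/sh
# Added example (not from the original post): tell DER from Base64/PEM, convert
# between them, and show the same certificate decodes either way.
# Assumes an `openssl` binary on PATH; the subject name is invented.
set -eu

WORK="$(mktemp -d)"

# A self-signed certificate stands in for the CA-issued one (constructed test data).
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/key.pem" 2>/dev/null
openssl req -x509 -new -key "$WORK/key.pem" -days 30 -subj "/CN=demo.example" -out "$WORK/cert.pem"

# DER is raw ASN.1: a certificate is a SEQUENCE, so its first byte is 0x30.
# PEM is that DER, Base64-wrapped between -----BEGIN/END CERTIFICATE----- lines.
detect_encoding() {
    first="$(head -c 1 "$1" | od -An -tx1 | tr -d ' \n')"
    if [ "$first" = "30" ]; then
        echo der
    elif head -n 1 "$1" | grep -q '^-----BEGIN '; then
        echo pem
    else
        echo unknown
    fi
}

pem_to_der() { openssl x509 -in "$1" -inform PEM -outform DER -out "$2"; }
der_to_pem() { openssl x509 -in "$1" -inform DER -outform PEM -out "$2"; }

# -inform has to match the file's encoding; after that every x509 option
# (-text, -subject, -fingerprint, ...) works on both.
cert_subject()     { openssl x509 -in "$1" -inform "$2" -noout -subject; }
cert_fingerprint() { openssl x509 -in "$1" -inform "$2" -noout -fingerprint -sha256; }

pem_to_der "$WORK/cert.pem" "$WORK/cert.der"
der_to_pem "$WORK/cert.der" "$WORK/cert2.pem"

echo "cert.pem is $(detect_encoding "$WORK/cert.pem")"
echo "cert.der is $(detect_encoding "$WORK/cert.der")"
cert_subject "$WORK/cert.der" DER
# The fingerprint is taken over the DER bytes, so it is identical for both files.
[ "$(cert_fingerprint "$WORK/cert.pem" PEM)" = "$(cert_fingerprint "$WORK/cert.der" DER)" ] \
    && echo "same certificate in both encodings"
```

The fingerprint is the value to compare when you receive a certificate in an unfamiliar encoding: if it matches the one shown by the CA or by certutil on the Windows side, you have the same certificate regardless of how it is wrapped.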

.cer contents (as printed by openssl x509 -in server.cer -noout -text)

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            03:5e:a4:50:da:ac:e8:8d:b6:70:89:58:d1:f6:b3:1d:a3:94
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, O = Let's Encrypt, CN = R3
        Validity
            Not Before: Apr 13 01:47:17 2022 GMT
            Not After : Jul 12 01:47:16 2022 GMT
        Subject: CN = sdwh.dev
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:ab:c7:1b:0c:ed:c6:01:f8:ea:a9:b3:cf:08:17:
                    4f:a2:cb:7c:34:c4:66:12:e6:ef:f3:98:17:79:c9:
                    65:ee:66:4c:1f:9a:92:7d:33:ee:07:fa:2e:15:62:
                    f7:b4:f3:1f:d5:4f:2e:b1:67:a8:49:42:bf:e3:cc:
                    9a:b7:30:46:c2:68:f5:28:a9:64:69:6f:4c:4b:64:
                    24:c9:dc:ed:46:9f:a4:1f:c2:ef:6f:36:d0:bc:69:
                    27:b8:e2:d6:18:70:40:2c:b4:f5:ee:8f:f7:0d:8c:
                    6e:03:92:e7:5d:d6:3e:bc:bb:c9:5b:28:10:a0:5a:
                    f6:37:f5:e1:9e:15:23:72:6e:8e:69:01:09:a4:8c:
                    a4:c9:d7:db:05:01:90:48:4b:90:20:8c:38:7a:0a:
                    60:74:79:18:26:30:8e:60:0b:17:b9:24:a0:80:df:
                    3f:14:00:d3:09:e7:34:47:35:63:7c:54:d2:a0:9d:
                    e1:57:d1:cb:13:d3:3c:30:24:97:8e:ea:34:00:9f:
                    cc:6c:0c:6a:f7:54:bc:5e:60:dc:46:31:c2:09:de:
                    d9:c3:e3:63:1e:8f:1c:c5:90:90:e8:da:86:be:7d:
                    f1:c3:1f:1a:86:69:9b:0b:e0:b2:0c:47:08:c8:92:
                    59:2b:66:2f:fa:a1:38:a1:2f:10:65:f6:97:fd:16:
                    87:33
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier: 
                63:4E:15:85:56:5A:A4:94:02:C2:16:42:A4:A5:97:9A:38:02:57:97
            X509v3 Authority Key Identifier: 
                keyid:14:2E:B3:17:B7:58:56:CB:AE:50:09:40:E6:1F:AF:9D:8B:14:C2:C6

            Authority Information Access: 
                OCSP - URI:http://r3.o.lencr.org
                CA Issuers - URI:http://r3.i.lencr.org/

            X509v3 Subject Alternative Name: 
                DNS:sdwh.dev, DNS:www.sdwh.dev
            X509v3 Certificate Policies: 
                Policy: 2.23.140.1.2.1
                Policy: 1.3.6.1.4.1.44947.1.1.1
                  CPS: http://cps.letsencrypt.org

            CT Precertificate SCTs: 
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
                    Log ID    : 41:C8:CA:B1:DF:22:46:4A:10:C6:A1:3A:09:42:87:5E:
                                4E:31:8B:1B:03:EB:EB:4B:C7:68:F0:90:62:96:06:F6
                    Timestamp : Apr 13 02:47:17.484 2022 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:44:02:20:4F:01:93:0F:72:D2:83:F3:B6:86:CD:D5:
                                9D:30:35:9B:13:FC:80:93:1A:AF:D3:A9:34:98:62:61:
                                3B:2B:87:53:02:20:39:F9:28:05:86:9D:4B:9F:E7:E9:
                                E4:16:1D:1E:1F:B1:FB:D7:75:6E:4C:DD:92:B0:B0:90:
                                A3:35:76:7E:1F:9B
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
                    Log ID    : 46:A5:55:EB:75:FA:91:20:30:B5:A2:89:69:F4:F3:7D:
                                11:2C:41:74:BE:FD:49:B8:85:AB:F2:FC:70:FE:6D:47
                    Timestamp : Apr 13 02:47:17.671 2022 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:45:02:21:00:D7:E9:0F:91:3A:1F:0F:1C:92:6F:EA:
                                7B:1A:99:FB:53:D7:FA:1F:B3:5E:62:87:82:5B:E8:9C:
                                F4:A0:57:D7:5B:02:20:60:AD:DA:CE:30:24:1C:FC:63:
                                CD:F3:86:F3:90:91:04:F8:DF:20:88:9A:96:FC:6B:DF:
                                02:0C:C5:54:2A:C3:2D
    Signature Algorithm: sha256WithRSAEncryption
         49:03:a9:b7:5c:17:4a:47:03:c5:b8:23:e9:78:2f:8c:b7:ec:
         98:6e:7f:dd:6d:59:b3:36:86:81:01:08:af:1e:47:8c:16:5a:
         84:30:72:5b:92:56:7c:91:99:23:b4:d8:58:f6:81:52:a3:f6:
         a3:39:9c:12:a1:88:f6:04:9f:4b:3c:1e:1c:ee:53:25:d1:e8:
         4b:e3:f8:db:df:e6:e5:6d:65:ae:7b:99:31:09:30:e1:b3:f2:
         8a:4e:6b:ab:d8:c3:cb:45:63:fe:11:bc:28:e1:85:b8:bf:34:
         bc:f7:4c:56:84:3b:4e:41:0a:a9:9f:ed:12:69:b4:86:b6:cd:
         99:b5:7c:0a:54:b6:2e:95:f2:d1:ed:b1:c9:47:e8:a0:e6:ce:
         06:d1:43:5a:1a:9e:47:18:a7:67:62:94:11:b9:cc:20:3a:af:
         56:84:3e:05:d6:9c:63:27:ca:78:5f:38:00:d7:02:89:14:7b:
         1e:15:0f:13:05:1a:de:df:29:a1:17:5a:d5:36:91:3e:cf:3e:
         61:c3:e9:c3:32:bd:ce:0c:b3:51:4b:f4:3c:2b:40:41:56:7a:
         95:0b:6b:f2:13:d5:85:80:fe:a8:36:2e:72:74:9b:73:7a:50:
         5b:9b:e4:8a:6d:ea:f4:39:84:f6:98:a9:25:e5:2a:08:7e:e7:
         28:3f:c9:3f
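The two fields in that dump that matter most when renewing an HTTPS certificate are Validity and the Subject Alternative Name, and both can be checked by script instead of by eye. The following is an added example, not part of the original post: it assumes an openssl binary on PATH and uses a 30-day self-signed certificate with made-up host names (demo.example, www.demo.example) as test data.

```shell
#!/bin/sh
# Added example (not from the original post): the checks worth running on a .cer
# before binding it for HTTPS, i.e. how long it stays valid and which host names
# its Subject Alternative Name covers. Assumes an `openssl` binary on PATH; the
# host names are invented.
set -eu

WORK="$(mktemp -d)"

# A 30-day self-signed certificate with a SAN stands in for the CA-issued one
# (constructed test data).
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/key.pem" 2>/dev/null
openssl req -x509 -new -key "$WORK/key.pem" -days 30 -subj "/CN=demo.example" \
    -addext "subjectAltName=DNS:demo.example,DNS:www.demo.example" -out "$WORK/server.cer"

# Returns 0 when the certificate is still valid DAYS days from now, 1 when it
# will have expired by then. -checkend takes seconds, hence the conversion.
valid_for_days() { openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null; }

# The DNS names from the SAN extension, one per line. In the -text dump they sit
# on the line after the "X509v3 Subject Alternative Name:" header.
san_dns_names() {
    openssl x509 -in "$1" -noout -text \
        | awk '/Subject Alternative Name/ { getline; print }' \
        | tr ',' '\n' | sed -n 's/^[[:space:]]*DNS://p'
}

# Returns 0 when the host name is listed in the SAN. Browsers match against the
# SAN only, so a name that is merely in the CN does not count.
covers_host() { san_dns_names "$1" | grep -qx "$2"; }

cert_notafter() { openssl x509 -in "$1" -noout -enddate; }

cert_notafter "$WORK/server.cer"
if valid_for_days "$WORK/server.cer" 14; then echo "still valid in 14 days"; else echo "renew now"; fi
san_dns_names "$WORK/server.cer"
covers_host "$WORK/server.cer" www.demo.example && echo "www.demo.example is covered"
covers_host "$WORK/server.cer" api.demo.example || echo "api.demo.example is NOT covered"
```

valid_for_days is the check to put in a renewal cron job or monitoring probe (with -checkend you get a clean exit code instead of having to parse the date), and covers_host catches the classic mistake of renewing a certificate whose SAN no longer lists a host name that was added to the site in the meantime.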

Reference Information

https://www.zoeydc.com/zh/posts/2021-06-04-certutil-store-ssl/

http://jianiau.blogspot.com/2015/07/openssl-generating-rsa-key.html

https://blog.miniasp.com/post/2019/04/17/Convert-PFX-and-CER-format-using-OpenSSL