OpenSSL 是 SSL/TLS 證書的瑞士軍刀。本站其他文章都引用了 OpenSSL 命令——這一頁將它們全部集中在一處。
檢查證書
檢視證書詳情(遠端伺服器)
echo | openssl s_client -connect example.com:443 -servername example.com 2>/dev/null | openssl x509 -noout -text檢查過期日期
echo | openssl s_client -connect example.com:443 -servername example.com 2>/dev/null | openssl x509 -noout -enddate檢查主體和 SAN
echo | openssl s_client -connect example.com:443 -servername example.com 2>/dev/null | openssl x509 -noout -subject -ext subjectAltName檢查簽發者(哪個 CA)
echo | openssl s_client -connect example.com:443 -servername example.com 2>/dev/null | openssl x509 -noout -issuer檢查本地證書檔案
openssl x509 -in cert.pem -noout -text
openssl x509 -in cert.pem -noout -dates # Just the dates
openssl x509 -in cert.pem -noout -subject # Just the subject
openssl x509 -in cert.pem -noout -ext subjectAltName # Just the SANs驗證證書鏈
檢查鏈完整性(遠端)
echo | openssl s_client -connect example.com:443 -servername example.com 2>/dev/null
# Look for:
# Verify return code: 0 (ok) ← Chain is complete
# Verify return code: 21 (unable to verify) ← Chain is incomplete用鏈檔案驗證證書
openssl verify -CAfile chain.pem cert.pem
# Expected: cert.pem: OK檢查證書和金鑰是否匹配
# These two hashes must be identical
openssl x509 -noout -modulus -in cert.pem | openssl md5
openssl rsa -noout -modulus -in privkey.pem | openssl md5
# For ECDSA keys:
openssl ec -in privkey.pem -pubout 2>/dev/null | openssl md5
openssl x509 -in cert.pem -pubkey -noout | openssl md5生成金鑰
ECDSA P-256(推薦)
openssl ecparam -genkey -name prime256v1 -noout -out privkey.pemRSA 2048
openssl genrsa -out privkey.pem 2048RSA 4096
openssl genrsa -out privkey.pem 4096生成 CSR
ECDSA
openssl req -new -key privkey.pem -out csr.pem -subj "/CN=example.com"帶 SAN(多域名)
openssl req -new -key privkey.pem -out csr.pem \
-subj "/CN=example.com" \
-addext "subjectAltName=DNS:example.com,DNS:www.example.com"檢視 CSR 內容
openssl req -in csr.pem -noout -text格式轉換
PEM → PFX(用於 Windows/IIS)
openssl pkcs12 -export -out cert.pfx -inkey privkey.pem -in cert.pem -certfile chain.pemPFX → PEM
openssl pkcs12 -in cert.pfx -clcerts -nokeys -out cert.pem
openssl pkcs12 -in cert.pfx -nocerts -nodes -out privkey.pem
openssl pkcs12 -in cert.pfx -cacerts -nokeys -out chain.pemPEM → DER
openssl x509 -in cert.pem -outform DER -out cert.derDER → PEM
openssl x509 -in cert.der -inform DER -outform PEM -out cert.pem除錯 TLS 連線
測試協商的 TLS 版本
echo | openssl s_client -connect example.com:443 -servername example.com 2>/dev/null | grep "Protocol"測試特定 TLS 版本
# Test TLS 1.2
echo | openssl s_client -connect example.com:443 -servername example.com -tls1_2 2>/dev/null | grep "Protocol"
# Test TLS 1.3
echo | openssl s_client -connect example.com:443 -servername example.com -tls1_3 2>/dev/null | grep "Protocol"顯示完整握手過程
openssl s_client -connect example.com:443 -servername example.com -msg檢查支援的密碼套件
# List all ciphers the server accepts
nmap --script ssl-enum-ciphers -p 443 example.com生成自簽名證書(僅用於開發)
openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:P-256 \
-keyout key.pem -out cert.pem -days 365 -nodes \
-subj "/CN=localhost" \
-addext "subjectAltName=DNS:localhost,IP:127.0.0.1"要獲取受信任的 localhost HTTPS,使用 mkcert 替代。
從獨立檔案建立 fullchain.pem
cat cert.pem chain.pem > fullchain.pem順序很重要:你的證書在前,中間證書在後。
常見問題
如何安裝 OpenSSL?
大多數 Linux 發行版自帶。macOS 上:brew install openssl。Windows 上:透過 Git for Windows(包含 OpenSSL)或 Chocolatey(choco install openssl)安裝。
openssl x509 和 openssl s_client 有什麼區別?
x509 讀取本地證書檔案。s_client 連線到遠端伺服器並獲取其證書。使用 s_client 檢查線上伺服器;使用 x509 檢查磁碟上的檔案。
為什麼我的命令顯示 “unable to load certificate”?
檔案可能是 DER 編碼(二進位制),而非 PEM(文字)。在命令中新增 -inform DER:
openssl x509 -in cert.der -inform DER -noout -text