OpenSSL 是 SSL/TLS 证书的瑞士军刀。本站其他文章都引用了 OpenSSL 命令——这一页将它们全部集中在一处。
检查证书
查看证书详情(远程服务器)
echo | openssl s_client -connect example.com:443 -servername example.com 2>/dev/null | openssl x509 -noout -text检查过期日期
echo | openssl s_client -connect example.com:443 -servername example.com 2>/dev/null | openssl x509 -noout -enddate检查主体和 SAN
echo | openssl s_client -connect example.com:443 -servername example.com 2>/dev/null | openssl x509 -noout -subject -ext subjectAltName检查签发者(哪个 CA)
echo | openssl s_client -connect example.com:443 -servername example.com 2>/dev/null | openssl x509 -noout -issuer检查本地证书文件
openssl x509 -in cert.pem -noout -text
openssl x509 -in cert.pem -noout -dates # Just the dates
openssl x509 -in cert.pem -noout -subject # Just the subject
openssl x509 -in cert.pem -noout -ext subjectAltName # Just the SANs验证证书链
检查链完整性(远程)
echo | openssl s_client -connect example.com:443 -servername example.com 2>/dev/null
# Look for:
# Verify return code: 0 (ok) ← Chain is complete
# Verify return code: 21 (unable to verify) ← Chain is incomplete用链文件验证证书
openssl verify -CAfile chain.pem cert.pem
# Expected: cert.pem: OK检查证书和密钥是否匹配
# These two hashes must be identical
openssl x509 -noout -modulus -in cert.pem | openssl md5
openssl rsa -noout -modulus -in privkey.pem | openssl md5
# For ECDSA keys:
openssl ec -in privkey.pem -pubout 2>/dev/null | openssl md5
openssl x509 -in cert.pem -pubkey -noout | openssl md5生成密钥
ECDSA P-256(推荐)
openssl ecparam -genkey -name prime256v1 -noout -out privkey.pemRSA 2048
openssl genrsa -out privkey.pem 2048RSA 4096
openssl genrsa -out privkey.pem 4096生成 CSR
ECDSA
openssl req -new -key privkey.pem -out csr.pem -subj "/CN=example.com"带 SAN(多域名)
openssl req -new -key privkey.pem -out csr.pem \
-subj "/CN=example.com" \
-addext "subjectAltName=DNS:example.com,DNS:www.example.com"查看 CSR 内容
openssl req -in csr.pem -noout -text格式转换
PEM → PFX(用于 Windows/IIS)
openssl pkcs12 -export -out cert.pfx -inkey privkey.pem -in cert.pem -certfile chain.pemPFX → PEM
openssl pkcs12 -in cert.pfx -clcerts -nokeys -out cert.pem
openssl pkcs12 -in cert.pfx -nocerts -nodes -out privkey.pem
openssl pkcs12 -in cert.pfx -cacerts -nokeys -out chain.pemPEM → DER
openssl x509 -in cert.pem -outform DER -out cert.derDER → PEM
openssl x509 -in cert.der -inform DER -outform PEM -out cert.pem调试 TLS 连接
测试协商的 TLS 版本
echo | openssl s_client -connect example.com:443 -servername example.com 2>/dev/null | grep "Protocol"测试特定 TLS 版本
# Test TLS 1.2
echo | openssl s_client -connect example.com:443 -servername example.com -tls1_2 2>/dev/null | grep "Protocol"
# Test TLS 1.3
echo | openssl s_client -connect example.com:443 -servername example.com -tls1_3 2>/dev/null | grep "Protocol"显示完整握手过程
openssl s_client -connect example.com:443 -servername example.com -msg检查支持的密码套件
# List all ciphers the server accepts
nmap --script ssl-enum-ciphers -p 443 example.com生成自签名证书(仅用于开发)
openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:P-256 \
-keyout key.pem -out cert.pem -days 365 -nodes \
-subj "/CN=localhost" \
-addext "subjectAltName=DNS:localhost,IP:127.0.0.1"要获取受信任的 localhost HTTPS,使用 mkcert 替代。
从独立文件创建 fullchain.pem
cat cert.pem chain.pem > fullchain.pem顺序很重要:你的证书在前,中间证书在后。
常见问题
如何安装 OpenSSL?
大多数 Linux 发行版自带。macOS 上:brew install openssl。Windows 上:通过 Git for Windows(包含 OpenSSL)或 Chocolatey(choco install openssl)安装。
openssl x509 和 openssl s_client 有什么区别?
x509 读取本地证书文件。s_client 连接到远程服务器并获取其证书。使用 s_client 检查在线服务器;使用 x509 检查磁盘上的文件。
为什么我的命令显示 “unable to load certificate”?
文件可能是 DER 编码(二进制),而非 PEM(文本)。在命令中添加 -inform DER:
openssl x509 -in cert.der -inform DER -noout -text