1. 生成私钥 OpenSSL (RSA) # 生成RSA私钥 openssl genrsa -out private_key.key 2048 # 生成RSA私钥(带密码) openssl genrsa -out private_key.key -aes256 -passout pass:password 2048GMSSL (SM2) # 生成SM2私钥 gmssl ecparam -genkey -name sm2p256v1 -out private_key.key # 或者使用gmssl专用命令 gmssl sm2 -genkey -out private_key.key # 生成SM2私钥(带密码) gmssl sm2 -genkey -out private_key.key -passout pass:password2. 生成证书请求 (CSR) OpenSSL # 生成证书请求 openssl req -new -key private_key.key -out cert.csr -subj "/C=CN/ST=Beijing/L=Beijing/O=Company/CN=example.com" # 交互式生成 openssl req -new -key private_key.key -out cert.csrGMSSL # 生成SM2证书请求 gmssl req -new -key private_key.key -out cert.csr -subj "/C=CN/ST=Beijing/L=Beijing/O=Company/CN=example.com" # 交互式生成 gmssl req -new -key private_key.key -out cert.csr # 指定签名算法(国密) gmssl req -new -key private_key.key -out cert.csr -sm3 -sigopt "distid:1234567812345678"3. 生成自签名证书 OpenSSL # 生成自签名证书 openssl x509 -req -days 365 -in cert.csr -signkey private_key.key -out cert.crt # DER格式 openssl x509 -req -days 365 -in cert.csr -signkey private_key.key -out cert.der -outform DERGMSSL # 生成SM2自签名证书 gmssl x509 -req -days 365 -in cert.csr -signkey private_key.key -out cert.crt -sm3 -sigopt "distid:1234567812345678" # DER格式 gmssl x509 -req -days 365 -in cert.csr -signkey private_key.key -out cert.der -outform DER -sm34. 查看证书信息 OpenSSL # 查看PEM格式证书 openssl x509 -in cert.crt -text -noout # 查看DER格式证书 openssl x509 -in cert.der -inform DER -text -noout # 查看证书主题 openssl x509 -in cert.crt -subject -nooutGMSSL # 查看SM2证书(语法相同) gmssl x509 -in cert.crt -text -noout # 查看从证书中提出的公钥文件的内容(16进制公钥) $GMSSL_PATH ec -pubin -in ../cert_path/pub_key.pem -text -noout # 查看DER格式 gmssl x509 -in cert.der -inform DER -text -noout # 查看证书主题 gmssl x509 -in cert.crt -subject -noout5. 查看私钥信息 OpenSSL # 查看RSA私钥 openssl rsa -in private_key.key -text -noout # 查看私钥(带密码) openssl rsa -in private_key.key -text -noout -passin pass:passwordGMSSL # 查看SM2私钥 gmssl ec -in private_key.key -text -noout # 或者 gmssl sm2 -in private_key.key -text -noout # 查看私钥(带密码) gmssl sm2 -in private_key.key -text -noout -passin pass:password6. PKCS#12 格式转换 OpenSSL # 生成PKCS12文件 openssl pkcs12 -export -out cert.p12 -inkey private_key.key -in cert.crt -passout pass:password # 从PKCS12提取证书和私钥 openssl pkcs12 -in cert.p12 -nodes -out cert_and_key.pem -passin pass:passwordGMSSL # 生成SM2的PKCS12文件 gmssl pkcs12 -export -out cert.p12 -inkey private_key.key -in cert.crt -passout pass:password # 从PKCS12提取(语法相同) gmssl pkcs12 -in cert.p12 -nodes -out cert_and_key.pem -passin pass:password7. 证书格式转换 OpenSSL # PEM转DER openssl x509 -in cert.crt -outform DER -out cert.der # DER转PEM openssl x509 -in cert.der -inform DER -outform PEM -out cert.crtGMSSL # PEM转DER(语法相同) gmssl x509 -in cert.crt -outform DER -out cert.der # DER转PEM gmssl x509 -in cert.der -inform DER -outform PEM -out cert.crt8. 验证证书 OpenSSL # 验证证书 openssl verify -CAfile ca.crt cert.crt # 验证证书链 openssl verify -CAfile ca.crt -untrusted intermediate.crt cert.crtGMSSL # 验证SM2证书(语法相同) gmssl verify -CAfile ca.crt cert.crt # 验证证书链 gmssl verify -CAfile ca.crt -untrusted intermediate.crt cert.crt9. 加密/解密 OpenSSL # RSA加密 openssl rsautl -encrypt -in plaintext.txt -out encrypted.bin -inkey public_key.pem -pubin # RSA解密 openssl rsautl -decrypt -in encrypted.bin -out decrypted.txt -inkey private_key.keyGMSSL # SM2加密 gmssl sm2utl -encrypt -in plaintext.txt -out encrypted.bin -pubin -inkey public_key.pem # SM2解密 gmssl sm2utl -decrypt -in encrypted.bin -out decrypted.txt -inkey private_key.key10. 签名/验签 OpenSSL # RSA签名 openssl dgst -sha256 -sign private_key.key -out signature.bin data.txt # RSA验签 openssl dgst -sha256 -verify public_key.pem -signature signature.bin data.txtGMSSL # SM2签名(使用SM3) gmssl dgst -sm3 -sign private_key.key -out signature.bin data.txt # SM2验签 gmssl dgst -sm3 -verify public_key.pem -signature signature.bin data.txt # 或者使用sm2utl gmssl sm2utl -sign -in data.txt -out signature.bin -inkey private_key.key gmssl sm2utl -verify -in data.txt -signature signature.bin -pubin -inkey public_key.pem11. 提取公钥 $GMSSL_PATH x509 -in test1102_py/aaa.pem -pubkey -noout