Linux OpenSSL命令详解

介绍

密码学标准和互联网协议一样，是一种大家都遵守的约定和标准，比如PKCS#中规定了 RSA 秘钥是怎么生成的、公私钥的格式 等内容，x509标准规定了证书的格式等。
命令行OpenSSL 本质就是一个工具集，它按照主流的密码学标准实现了常用的对称加密算法、非对称加密算法、摘要算法、证书的生成/签名/验签等功能。

$ openssl --help
help:

// openssl所有子命令
Standard commands
asn1parse         ca                ciphers           cmp
cms               crl               crl2pkcs7         dgst
dhparam           dsa               dsaparam          ec
ecparam           enc               engine            errstr
fipsinstall       gendsa            genpkey           genrsa
help              info              kdf               list
mac               nseq              ocsp              passwd
pkcs12            pkcs7             pkcs8             pkey
pkeyparam         pkeyutl           prime             rand
rehash            req               rsa               rsautl
s_client          s_server          s_time            sess_id
smime             speed             spkac             srp
storeutl          ts                verify            version
x509

// openssl支持的摘要算法
Message Digest commands (see the `dgst' command for more details)
blake2b512        blake2s256        md4               md5
rmd160            sha1              sha224            sha256
sha3-224          sha3-256          sha3-384          sha3-512
sha384            sha512            sha512-224        sha512-256
shake128          shake256          sm3

// openssl支持的对称加密算法
Cipher commands (see the `enc' command for more details)
aes-128-cbc       aes-128-ecb       aes-192-cbc       aes-192-ecb
aes-256-cbc       aes-256-ecb       aria-128-cbc      aria-128-cfb
aria-128-cfb1     aria-128-cfb8     aria-128-ctr      aria-128-ecb
aria-128-ofb      aria-192-cbc      aria-192-cfb      aria-192-cfb1
aria-192-cfb8     aria-192-ctr      aria-192-ecb      aria-192-ofb
aria-256-cbc      aria-256-cfb      aria-256-cfb1     aria-256-cfb8
aria-256-ctr      aria-256-ecb      aria-256-ofb      base64
bf                bf-cbc            bf-cfb            bf-ecb
bf-ofb            camellia-128-cbc  camellia-128-ecb  camellia-192-cbc
camellia-192-ecb  camellia-256-cbc  camellia-256-ecb  cast
cast-cbc          cast5-cbc         cast5-cfb         cast5-ecb
cast5-ofb         des               des-cbc           des-cfb
des-ecb           des-ede           des-ede-cbc       des-ede-cfb
des-ede-ofb       des-ede3          des-ede3-cbc      des-ede3-cfb
des-ede3-ofb      des-ofb           des3              desx
rc2               rc2-40-cbc        rc2-64-cbc        rc2-cbc
rc2-cfb           rc2-ecb           rc2-ofb           rc4
rc4-40            seed              seed-cbc          seed-cfb
seed-ecb          seed-ofb          sm4-cbc           sm4-cfb
sm4-ctr           sm4-ecb           sm4-ofb

对称加密

对称密钥算法在加密和解密时使用相同的密钥进行处理，这类算法众多可通过openssl list -cipher-commands具体查看。

（x）openssl子命令enc为对称加解密工具。

$ openssl enc --help
Usage: enc [options]

General options:
 -help               Display this summary
 -list               List ciphers
 -ciphers            Alias for -list
 -e                  Encrypt
 -d                  Decrypt
 -p                  Print the iv/key
 -P                  Print the iv/key and exit
 -engine val         Use engine, possibly a hardware device

Input options:
 -in infile          Input file
 -k val              Passphrase
 -kfile infile       Read passphrase from file

Output options:
 -out outfile        Output file
 -pass val           Passphrase source
 -v                  Verbose output
 -a                  Base64 encode/decode, depending on encryption flag
 -base64             Same as option -a
 -A                  Used with -[base64|a] to specify base64 buffer as a single line

Encryption options:
 -nopad              Disable standard block padding
 -salt               Use salt in the KDF (default)
 -nosalt             Do not use salt in the KDF
 -debug              Print debug info
 -bufsize val        Buffer size
 -K val              Raw key, in hex
 -S val              Salt, in hex
 -iv val             IV in hex
 -md val             Use specified digest to create a key from the passphrase
 -iter +int          Specify the iteration count and force use of PBKDF2
 -pbkdf2             Use password-based key derivation function 2
 -none               Don't encrypt
 -*                  Any supported cipher

Random state options:
 -rand val           Load the given file(s) into the random number generator
 -writerand outfile  Write random data to the specified file

Provider options:
 -provider-path val  Provider load path (must be before 'provider' argument if required)
 -provider val       Provider to load (can be specified multiple times)
 -propquery val      Property query used when fetching algorithms

示例一：使用一种加密算法加密文件

// 通过aes-128-cbc对称密钥算法对文件test.txt进行加密，共享密钥是pass，输出文件是test-aes-enc.txt。
openssl enc -e -aes-128-cbc -in test.txt -k pass -out test-aes-enc.txt -v

// 通过aes-128-cbc对称密钥算法对文件test-aes-enc.txt进行解密，共享密钥是pass，输出文件是test-aes-dec.txt。
openssl enc -d -aes-128-cbc -in test-aes-enc.txt -k 123 -out test-aes-dec.txt -v

示例二：使用base64加密算法加密字符串

// 对字符串进行base64编码
echo -n "12345" | openssl enc -e -base64 -in -

// 对字符串进行base64解码
echo "MTIzNDU=" | openssl enc -d -base64 -in -

注意：字符串编码时如果echo不加-n则会在字符串结尾添加一个换行符，那么换行符也会一块编码。

示例三：加密文件并将密文输出为base64格式

// 对加密后的数据进行base64编码(-a或-base64)
openssl enc -aes-256-cbc -a -salt -in file.txt -out file.enc

// 解密base64格式的加密数据
openssl enc -d -aes-256-cbc -a -in file.enc

公钥加密

公钥密钥算法在加密和解密时分别使用不同的密钥进行处理（一般 公钥加密，私钥解密；而签名则相反：私钥加密，公钥解密），这类算法目前只支持DH算法、RSA算法、DSA算法和椭圆曲线算法（EC）。DH算法一般用于密钥交换。RSA算法可用于密钥交换、数字签名及数据加密。DSA算法一般只用于数字签名。此处只重点介绍RSA相关指令genrsa、rsa、rsautl的使用。

（1）openssl子命令genrsa主要用于生成RSA私钥。

$ openssl genrsa --help
Usage: genrsa [options] numbits

General options:
 -help               Display this summary
 -engine val         Use engine, possibly a hardware device

Input options:
 -3                  (deprecated) Use 3 for the E value
 -F4                 Use the Fermat number F4 (0x10001) for the E value
 -f4                 Use the Fermat number F4 (0x10001) for the E value

Output options:
 -out outfile        Output the key to specified file
 -passout val        Output file pass phrase source
 -primes +int        Specify number of primes
 -verbose            Verbose output
 -traditional        Use traditional format for private keys
 -*                  Encrypt the output with any supported cipher

Random state options:
 -rand val           Load the given file(s) into the random number generator
 -writerand outfile  Write random data to the specified file

Provider options:
 -provider-path val  Provider load path (must be before 'provider' argument if required)
 -provider val       Provider to load (can be specified multiple times)
 -propquery val      Property query used when fetching algorithms

Parameters:
 numbits             Size of key in bits

示例一：生成无密码且1024字节长度的私钥

openssl genrsa -out private.pem 1024 -verbose

示例二：生成带密码的私钥（genrsa生成的私钥格式都是PEM格式）--PEM、DER格式区别

// 使用aes-128-cbc对称加密算法对私钥进行加密处理，命令执行之后会提示输入密码
openssl genrsa -aes-128-cbc -out pri.pem -verbose

（2）openssl子命令rsa用于处理rsa密钥（提取公钥、管理保护密码）、格式转换和打印信息。

$ openssl rsa --help
Usage: rsa [options]

General options:
 -help               Display this summary
 -check              Verify key consistency
 -*                  Any supported cipher
 -engine val         Use engine, possibly a hardware device

Input options:
 -in val             Input file
 -inform format      Input format (DER/PEM/P12/ENGINE
 -pubin              Expect a public key in input file
 -RSAPublicKey_in    Input is an RSAPublicKey
 -passin val         Input file pass phrase source

Output options:
 -out outfile        Output file
 -outform format     Output format, one of DER PEM PVK
 -pubout             Output a public key
 -RSAPublicKey_out   Output is an RSAPublicKey
 -passout val        Output file pass phrase source
 -noout              Don't print key out
 -text               Print the key in text
 -modulus            Print the RSA key modulus
 -traditional        Use traditional format for private keys

PVK options:
 -pvk-strong         Enable 'Strong' PVK encoding level (default)
 -pvk-weak           Enable 'Weak' PVK encoding level
 -pvk-none           Don't enforce PVK encoding

Provider options:
 -provider-path val  Provider load path (must be before 'provider' argument if required)
 -provider val       Provider to load (can be specified multiple times)
 -propquery val      Property query used when fetching algorithms

示例一：私钥文件内容查看

openssl rsa -in priv.pem -text

示例二：给秘钥添加/去除/修改对称加密的密码（注意：此处涉及密码输入的格式均为pass:pass_value）

// 为RSA密钥增加口令保护
openssl rsa -in RSA.pem -des3 -passout pass:123456 -out E_RSA.pem

// 为RSA密钥去除口令保护(去掉-passin选项亦可，只是会询问密码)
openssl rsa -in E_RSA.pem -passin pass:123456 -out P_RSA.pem

// 修改加密算法为aes128，口令是123456
openssl rsa -in RSA.pem -passin pass:123456 -aes128 -passout pass:123456 -out E_RSA.pem

示例三：密钥格式转换

// 把pem格式转化成der格式，使用outform指定der格式
openssl rsa -in RSA.pem -passin pass:123456 -des -passout pass:123456 -outform der -out rsa.der

注意：DER用二进制编码的证书，PEM用ASCLL(BASE64)编码的证书，一般默认都是PEM格式。

示例四：公钥提取

openssl rsa -in private.pem -pubout -out public.pem

（3）openssl子命令rsautl能够使用RSA算法签名、验证身份、加密/解密数据。

$ openssl rsautl --help
The command rsautl was deprecated in version 3.0. Use 'pkeyutl' instead.
Usage: rsautl [options]

General options:
 -help                    Display this summary
 -sign                    Sign with private key
 -verify                  Verify with public key
 -encrypt                 Encrypt with public key
 -decrypt                 Decrypt with private key
 -engine val              Use engine, possibly a hardware device

Input options:
 -in infile               Input file
 -inkey val               Input key
 -keyform PEM|DER|ENGINE  Private key format (ENGINE, other values ignored)
 -pubin                   Input is an RSA public
 -certin                  Input is a cert carrying an RSA public key
 -rev                     Reverse the order of the input buffer
 -passin val              Input file pass phrase source

Output options:
 -out outfile             Output file
 -raw                     Use no padding
 -pkcs                    Use PKCS#1 v1.5 padding (default)
 -x931                    Use ANSI X9.31 padding
 -oaep                    Use PKCS#1 OAEP
 -asn1parse               Run output through asn1parse; useful with -verify
 -hexdump                 Hex dump output

Random state options:
 -rand val                Load the given file(s) into the random number generator
 -writerand outfile       Write random data to the specified file

Provider options:
 -provider-path val       Provider load path (must be before 'provider' argument if required)
 -provider val            Provider to load (can be specified multiple times)
 -propquery val           Property query used when fetching algorithms

示例一：使用公私钥加解密文件

// 用公钥加密文件
openssl rsautl -encrypt -in plain.text -inkey public.pem -out encrypt.text 
// 用私钥解密文件
openssl rsautl -decrypt -in encrypt.text -inkey private.pem -out replain.text

示例二：使用公私钥签名/验签文件（此处的签名过程是针对文件的，故不涉及hash计算步骤）

// 用私钥签名
openssl rsautl -sign -in plain.text -inkey private.pem -out signed.text
// 用公钥验签
openssl rsautl -verify -in signed.text -pubin -inkey public.pem -out verify.text

信息摘要

信息摘要算法是将任意长度的数据转换成固定长度的字符串的过程，它通常用于验证数据的完整性和一致性，这类算法可通过命令openssl list -digest-commands具体查看。

（x）openssl子命令dgst为信息摘要计算工具。

$ openssl dgst --help
Usage: dgst [options] [file...]

General options:
 -help               Display this summary
 -list               List digests
 -engine val         Use engine e, possibly a hardware device
 -engine_impl        Also use engine given by -engine for digest operations
 -passin val         Input file pass phrase source

Output options:
 -c                  Print the digest with separating colons
 -r                  Print the digest in coreutils format
 -out outfile        Output to filename rather than stdout
 -keyform format     Key file format (ENGINE, other values ignored)
 -hex                Print as hex dump
 -binary             Print in binary form
 -xoflen +int        Output length for XOF algorithms
 -d                  Print debug info
 -debug              Print debug info

Signing options:
 -sign val           Sign digest using private key
 -verify val         Verify a signature using public key
 -prverify val       Verify a signature using private key
 -sigopt val         Signature parameter in n:v form
 -signature infile   File with signature to verify
 -hmac val           Create hashed MAC with key
 -mac val            Create MAC (not necessarily HMAC)
 -macopt val         MAC algorithm parameters in n:v form or key
 -*                  Any supported digest
 -fips-fingerprint   Compute HMAC with the key used in OpenSSL-FIPS fingerprint

Random state options:
 -rand val           Load the given file(s) into the random number generator
 -writerand outfile  Write random data to the specified file

Provider options:
 -provider-path val  Provider load path (must be before 'provider' argument if required)
 -provider val       Provider to load (can be specified multiple times)
 -propquery val      Property query used when fetching algorithms

Parameters:
 file                Files to digest (optional; default is stdin)

示例一：计算文件摘要

// 计算文件的md5值
openssl dgst -md5 test.txt

示例二：文件签名及验签（此处的签名是针对文件的hash值进行的，故一定会经历hash计算步骤）

// 使用private.pem私钥对文件plain.txt的哈希值进行签名并输出到test.text文件
openssl dgst -sign private.pem -out test.text plain.text
// 使用public.pem公钥对签名文件进行验签
openssl dgst -verify public.pem -signature test.text plain.text

数字证书

数字证书就是用一个权威的私钥（一般是CA根的私钥）对另一个第三方公司的公钥证书（即证书请求，包含公司信息、网址、自生成的公钥）进行签名来提升第三方公钥证书的可信度。

（1）openssl子命令req用于生成和处理证书请求文件及证书

$ openssl req --help
Usage: req [options]

General options:
 -help                 Display this summary
 -engine val           Use engine, possibly a hardware device
 -keygen_engine val    Specify engine to be used for key generation operations
 -in infile            X.509 request input file (default stdin)
 -inform PEM|DER       Input format - DER or PEM
 -verify               Verify self-signature on the request

Certificate options:
 -new                  New request
 -config infile        Request template file
 -section val          Config section to use (default "req")
 -utf8                 Input characters are UTF8 (default ASCII)
 -nameopt val          Certificate subject/issuer name printing options
 -reqopt val           Various request text options
 -text                 Text form of request
 -x509                 Output an X.509 certificate structure instead of a cert request
 -CA infile            Issuer cert to use for signing a cert, implies -x509
 -CAkey val            Issuer private key to use with -CA; default is -CA arg
                       (Required by some CA's)
 -subj val             Set or modify subject of request or cert
 -subject              Print the subject of the output request or cert
 -multivalue-rdn       Deprecated; multi-valued RDNs support is always on.
 -days +int            Number of days cert is valid for
 -set_serial val       Serial number to use
 -copy_extensions val  copy extensions from request when using -x509
 -addext val           Additional cert extension key=value pair (may be given more than once)
 -extensions val       Cert extension section (override value in config file)
 -reqexts val          Request extension section (override value in config file)
 -precert              Add a poison extension to the generated cert (implies -new)

Keys and Signing options:
 -key val              Key for signing, and to include unless -in given
 -keyform format       Key file format (ENGINE, other values ignored)
 -pubkey               Output public key
 -keyout outfile       File to write private key to
 -passin val           Private key and certificate password source
 -passout val          Output file pass phrase source
 -newkey val           Generate new key with [:] or [:] or param:
 -pkeyopt val          Public key options as opt:value
 -sigopt val           Signature parameter in n:v form
 -vfyopt val           Verification parameter in n:v form
 -*                    Any supported digest

Output options:
 -out outfile          Output file
 -outform PEM|DER      Output format - DER or PEM
 -batch                Do not ask anything during request generation
 -verbose              Verbose output
 -noenc                Don't encrypt private keys
 -nodes                Don't encrypt private keys; deprecated
 -noout                Do not output REQ
 -newhdr               Output "NEW" in the header lines
 -modulus              RSA modulus

Random state options:
 -rand val             Load the given file(s) into the random number generator
 -writerand outfile    Write random data to the specified file

Provider options:
 -provider-path val    Provider load path (must be before 'provider' argument if required)
 -provider val         Provider to load (can be specified multiple times)
 -propquery val        Property query used when fetching algorithms

示例一：生成一个证书请求

// 使用已有的private.pem私钥去生成一个证书请求。（有个人信息问答环节）
openssl req -new -key private.pem -out request.csr

// 使用自动生成的RSA私钥去生成一个证书请求文件。（有个人信息问答环节）
openssl req -new -out request.csr

// 自动生成1024位且不加密并输出为RSA.pem的私钥，以及生成免问答的证书请求client.csr。
openssl req -new -newkey rsa:1024 -nodes -out client.csr -keyout RSA.pem -subj /C=AU/ST=Some-State/O=Internet

// 快速生成证书请求，跳过了私钥加密请求及个人信息问答环节。
openssl req -new -nodes -out request.csr -batch

注意：生成证书请求文件虽然一定需要RSA私钥的参与，但请求文件的内容中并未嵌入私钥的信息，只有从私钥中提取出来的公钥。

示例二：查看证书请求文件的内容信息

openssl req -in request.csr -text

示例三：从证书请求文件中提取公钥

openssl req -in client.csr -pubkey -noout >pub.pem

示例四：生成自签名证书（即根CA，可以拿来给其他证书请求文件做证书签名，即证书颁发）

// 首先生成一个私钥ca.pem，然后根据私钥直接生成一个自签根证书ca.cer
openssl genrsa -out ca.pem 2048
openssl req -new -x509 -days 365 -key ca.pem -subj "/C=CN/ST=GD/L=SZ/O=Acme, Inc./CN=Acme Root CA" -out ca.cer

// 自动生成一个自签证书mycert.cer和它的私钥prvi.pem（会询问个人信息）
openssl req -x509 -nodes -days 365 -sha256 -newkey rsa:2048 -keyout prvi.pem -out mycert.cer

// 快捷验证生成的证书是否有效，网址 https://localhost:4433。（-cert所需的文件是一个私钥与证书的结合体，即 cat prvi.pem mycert.cer > mycert.pem）
openssl s_server -cert mycert.pem -www -accept 4433

注意：命令中的后缀pem、csr、cer只是为了便于理解文件的类型，在命令行中使用可以是任意值。但在windows或其他一些应用中使用的话就需要注意了。

（2）openssl子命令X509命令是一个多用途的证书工具，它可以显示证书信息、转换证书格式、签名证书请求以及改变证书的信任设置等。

$ openssl x509 --help
Usage: x509 [options]

General options:
 -help                      Display this summary
 -in infile                 Certificate input, or CSR input file with -req (default stdin)
 -passin val                Private key and cert file pass-phrase source
 -new                       Generate a certificate from scratch
 -x509toreq                 Output a certification request (rather than a certificate)
 -req                       Input is a CSR file (rather than a certificate)
 -copy_extensions val       copy extensions when converting from CSR to x509 or vice versa
 -inform format             CSR input file format (DER or PEM) - default PEM
 -vfyopt val                CSR verification parameter in n:v form
 -key val                   Key for signing, and to include unless using -force_pubkey
 -signkey val               Same as -key
 -keyform PEM|DER|ENGINE    Key input format (ENGINE, other values ignored)
 -out outfile               Output file - default stdout
 -outform format            Output format (DER or PEM) - default PEM
 -nocert                    No cert output (except for requested printing)
 -noout                     No output (except for requested printing)

Certificate printing options:
 -text                      Print the certificate in text form
 -dateopt val               Datetime format used for printing. (rfc_822/iso_8601). Default is rfc_822.
 -certopt val               Various certificate text printing options
 -fingerprint               Print the certificate fingerprint
 -alias                     Print certificate alias
 -serial                    Print serial number value
 -startdate                 Print the notBefore field
 -enddate                   Print the notAfter field
 -dates                     Print both notBefore and notAfter fields
 -subject                   Print subject DN
 -issuer                    Print issuer DN
 -nameopt val               Certificate subject/issuer name printing options
 -email                     Print email address(es)
 -hash                      Synonym for -subject_hash (for backward compat)
 -subject_hash              Print subject hash value
 -subject_hash_old          Print old-style (MD5) subject hash value
 -issuer_hash               Print issuer hash value
 -issuer_hash_old           Print old-style (MD5) issuer hash value
 -ext val                   Restrict which X.509 extensions to print and/or copy
 -ocspid                    Print OCSP hash values for the subject name and public key
 -ocsp_uri                  Print OCSP Responder URL(s)
 -purpose                   Print out certificate purposes
 -pubkey                    Print the public key in PEM format
 -modulus                   Print the RSA key modulus

Certificate checking options:
 -checkend intmax           Check whether cert expires in the next arg seconds
                            Exit 1 (failure) if so, 0 if not
 -checkhost val             Check certificate matches host
 -checkemail val            Check certificate matches email
 -checkip val               Check certificate matches ipaddr

Certificate output options:
 -set_serial val            Serial number to use, overrides -CAserial
 -next_serial               Increment current certificate serial number
 -days int                  Number of days until newly generated certificate expires - default 30
 -preserve_dates            Preserve existing validity dates
 -subj val                  Set or override certificate subject (and issuer)
 -force_pubkey infile       Place the given key in new certificate
 -clrext                    Do not take over any extensions from the source certificate or request
 -extfile infile            Config file with X509V3 extensions to add
 -extensions val            Section of extfile to use - default: unnamed section
 -sigopt val                Signature parameter, in n:v form
 -badsig                    Corrupt last byte of certificate signature (for test)
 -*                         Any supported digest, used for signing and printing

Micro-CA options:
 -CA infile                 Use the given CA certificate, conflicts with -key
 -CAform PEM|DER            CA cert format (PEM/DER/P12); has no effect
 -CAkey val                 The corresponding CA key; default is -CA arg
 -CAkeyform PEM|DER|ENGINE  CA key format (ENGINE, other values ignored)
 -CAserial val              File that keeps track of CA-generated serial number
 -CAcreateserial            Create CA serial number file if it does not exist

Certificate trust output options:
 -trustout                  Mark certificate PEM output as trusted
 -setalias val              Set certificate alias (nickname)
 -clrtrust                  Clear all trusted purposes
 -addtrust val              Trust certificate for a given purpose
 -clrreject                 Clears all the prohibited or rejected uses of the certificate
 -addreject val             Reject certificate for a given purpose

Random state options:
 -rand val                  Load the given file(s) into the random number generator
 -writerand outfile         Write random data to the specified file
 -engine val                Use engine, possibly a hardware device

Provider options:
 -provider-path val         Provider load path (must be before 'provider' argument if required)
 -provider val              Provider to load (can be specified multiple times)
 -propquery val             Property query used when fetching algorithms

示例一：使用自签根证书为证书请求文件签名

// 生成请求文件server.csr，然后使用自签名根证书ca.cer及其私钥ca.pem为其签名生成签名证书server.cer
openssl req -newkey rsa:2048 -nodes -keyout server.pem -subj "/C=CN/ST=GD/L=SZ/O=Acme, Inc./CN=localhost" -out server.csr
openssl x509 -sha256 -req  -days 365 -in server.csr -CA ca.cer -CAkey ca.pem -CAcreateserial -out server.cer

杂项

（1）openssl子命令rand用于生成伪随机数

// 生成3个字节的随机数
openssl rand -hex 3

注意：由于生成是随机的字节，因此如果不通过-base64或-hex编码的话输出会显示乱码。

（2）openssl子命令passwd用于生成Linux用户账户的密码格式

// 对明文密码进行加密处理
openssl passwd 12345

// 使用盐值进行密码加密（默认盐值不固定，导致同一条命令每次执行都会产生不同的结果）
openssl passwd -salt 'z' 12345

（3）openssl子命令verify用于验证授权机构颁发的证书

openssl verify cert.pem

// 输出如下，则表示：验证成功
OK

// 输出如下，则表示：证书过期，通常证书都是有有效期的，一般是一年
error 10 at 0 depth lookup:certificate has expired

// 输出如下，则表示：自签名证书
error 18 at 0 depth lookup:self signed certificate

（4） openssl子命令s_server和s_client的使用

// 运行一个TLS服务端
openssl s_server -cert mycert.pem -www -accept 4433

// 向TLS服务端发起连接
openssl s_client -connect remote.host:4433

链接：https://www.cnblogs.com/kqdssheng/p/17945857