Common OpenSSL Commands
Viewing certificate information
```bash
openssl x509 -noout -text -in _.httpsok.com.pem
```
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
25:2d:3a:dd:73:c4:25:7e:13:89:ec:04:69:a0:c4:37
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, O=Google Trust Services LLC, CN=GTS CA 1P5
Validity
Not Before: May 16 02:00:32 2024 GMT
Not After : Aug 14 02:00:31 2024 GMT
Subject: CN=*.httpsok.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Subject Key Identifier:
09:53:BE:3D:88:E2:B7:97:C0:A3:0D:80:59:50:54:8E:92:2E:5C:7E
X509v3 Authority Key Identifier:
D5:FC:9E:0D:DF:1E:CA:DD:08:97:97:6E:2B:C5:5F:C5:2B:F5:EC:B8
Authority Information Access:
OCSP - URI:http://ocsp.pki.goog/s/gts1p5/-dvGP-u6Mxo
CA Issuers - URI:http://pki.goog/repo/certs/gts1p5.der
X509v3 Subject Alternative Name:
DNS:*.httpsok.com, DNS:httpsok.com
X509v3 Certificate Policies:
Policy: 2.23.140.1.2.1
Policy: 1.3.6.1.4.1.11129.2.5.3
X509v3 CRL Distribution Points:
Full Name:
URI:http://crls.pki.goog/gts1p5/OEZ-zGIkVNM.crl
CT Precertificate SCTs:
Signed Certificate Timestamp:
Version : v1 (0x0)
Log ID : 76:FF:88:3F:0A:B6:FB:95:51:C2:61:CC:F5:87:BA:34:
B4:A4:CD:BB:29:DC:68:42:0A:9F:E6:67:4C:5A:3A:74
Timestamp : May 16 03:00:33.588 2024 GMT
Extensions: none
Signature : ecdsa-with-SHA256
30:45:02:21:00:E9:48:F0:0D:7B:D7:9F:70:80:F9:3D:
84:EC:48:97:71:86:ED:C5:70:2F:3B:99:3F:43:A7:5F:
0E:4B:F7:A5:23:02:20:24:55:AB:35:49:56:78:89:7B:
96:F3:30:45:25:59:6D:80:C4:29:D0:A1:24:3B:94:8E:
9D:BC:B4:FE:A0:90:AD
Signed Certificate Timestamp:
Version : v1 (0x0)
Log ID : DA:B6:BF:6B:3F:B5:B6:22:9F:9B:C2:BB:5C:6B:E8:70:
91:71:6C:BB:51:84:85:34:BD:A4:3D:30:48:D7:FB:AB
Timestamp : May 16 03:00:33.596 2024 GMT
Extensions: none
Signature : ecdsa-with-SHA256
30:46:02:21:00:DC:BE:C5:8F:30:0E:3A:8D:79:03:43:
01:70:98:F4:1B:49:3F:52:CB:E7:FE:91:69:11:FF:7E:
DF:78:0E:15:E3:02:21:00:DC:3D:36:2F:87:5E:1B:9B:
B7:82:49:D6:9E:FB:59:A8:C6:E0:4F:43:0C:CA:54:42:
71:5A:54:AB:3A:35:15:E2
Signature Algorithm: sha256WithRSAEncryption
Signature Value:
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
e5:aa:9e:63:55:0d:df:67:0d:22:43:56:41:cd:84:9b
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, O=Google Trust Services LLC, CN=GTS CA 1P5
Validity
Not Before: May 18 19:15:57 2024 GMT
Not After : Aug 16 19:15:56 2024 GMT
Subject: CN=*.httpsok.com
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (256 bit)
pub:
04:54:bc:d0:72:44:a5:fb:87:4d:d4:35:06:71:07:
2e:ce:66:a6:06:a5:3f:1f:22:7e:dc:56:e7:9a:b5:
62:43:34:6c:d8:b9:c7:87:51:19:92:53:12:9b:92:
96:2a:5a:da:e3:06:2a:f9:83:e6:2d:e4:5f:a5:26:
34:0d:6c:a9:09
ASN1 OID: prime256v1
NIST CURVE: P-256
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Subject Key Identifier:
31:CB:F0:22:7F:12:F9:4A:E7:FF:28:08:2D:D6:65:F2:A1:6E:B8:6D
X509v3 Authority Key Identifier:
D5:FC:9E:0D:DF:1E:CA:DD:08:97:97:6E:2B:C5:5F:C5:2B:F5:EC:B8
Authority Information Access:
OCSP - URI:http://ocsp.pki.goog/s/gts1p5/f5aE003436w
CA Issuers - URI:http://pki.goog/repo/certs/gts1p5.der
X509v3 Subject Alternative Name:
DNS:*.httpsok.com, DNS:httpsok.com
X509v3 Certificate Policies:
Policy: 2.23.140.1.2.1
Policy: 1.3.6.1.4.1.11129.2.5.3
X509v3 CRL Distribution Points:
Full Name:
URI:http://crls.pki.goog/gts1p5/RN1g8DRBdus.crl
CT Precertificate SCTs:
Signed Certificate Timestamp:
Version : v1 (0x0)
Log ID : EE:CD:D0:64:D5:DB:1A:CE:C5:5C:B7:9D:B4:CD:13:A2:
32:87:46:7C:BC:EC:DE:C3:51:48:59:46:71:1F:B5:9B
Timestamp : May 18 20:15:58.167 2024 GMT
Extensions: none
Signature : ecdsa-with-SHA256
30:45:02:20:11:06:D1:AD:7B:5C:9C:FA:D6:37:B5:D9:
5C:AC:E3:58:41:45:25:2E:CA:7C:0E:A7:D3:9C:76:9C:
56:C1:9A:B7:02:21:00:FB:84:DC:B2:36:44:01:31:93:
FB:9D:DA:CF:1D:3A:4F:AD:4B:BF:57:96:8A:91:53:50:
45:87:09:C3:AB:10:CF
Signed Certificate Timestamp:
Version : v1 (0x0)
Log ID : 48:B0:E3:6B:DA:A6:47:34:0F:E5:6A:02:FA:9D:30:EB:
1C:52:01:CB:56:DD:2C:81:D9:BB:BF:AB:39:D8:84:73
Timestamp : May 18 20:15:58.855 2024 GMT
Extensions: none
Signature : ecdsa-with-SHA256
30:44:02:20:5C:7C:0E:3A:26:14:18:15:6B:BE:01:7D:
53:F3:CF:69:2B:DF:0A:02:01:B9:71:EB:B1:09:56:74:
D8:D2:2B:B5:02:20:2A:35:6D:BF:56:4C:80:C5:71:B8:
B2:71:2C:9D:52:6A:3C:13:D3:8D:02:AD:87:D7:10:B0:
7F:23:FE:80:E6:3C
Signature Algorithm: sha256WithRSAEncryption
Signature Value:
Viewing key information
```bash
openssl rsa -noout -text -in _.httpsok.com.pem
```
Private-Key: (2048 bit, 2 primes)
modulus:
publicExponent: 65537 (0x10001)
privateExponent:
prime1:
prime2:
exponent1:
exponent2:
coefficient:
```bash
openssl ec -noout -text -in _.httpsok.com.pem
```
read EC key
Private-Key: (256 bit)
priv:
d6:c0:d4:4c:27:cc:19:ba:c5:f3:11:b9:18:8a:2d:
2a:36:e1:45:20:f0:13:6b:13:36:a0:af:37:a6:74:
44:a6
pub:
04:54:bc:d0:72:44:a5:fb:87:4d:d4:35:06:71:07:
2e:ce:66:a6:06:a5:3f:1f:22:7e:dc:56:e7:9a:b5:
62:43:34:6c:d8:b9:c7:87:51:19:92:53:12:9b:92:
96:2a:5a:da:e3:06:2a:f9:83:e6:2d:e4:5f:a5:26:
34:0d:6c:a9:09
ASN1 OID: prime256v1
NIST CURVE: P-256
Testing a certificate
```bash
openssl s_client -connect httpsok.com:443
```
Common certificate formats
- PEM (.pem): the nginx default
- DER (.cer, .der): common on Windows
- PKCS#12 (.pfx, .p12): common on IIS, Tomcat and macOS
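Certificate format conversion
```bash
# PEM -> DER
openssl x509 -outform der -in _.httpsok.com.pem -out _.httpsok.com.der
```
```bash
# DER -> PEM. The certificate chain is lost: the DER file holds only one certificate
openssl x509 -inform der -in _.httpsok.com.der -out _.httpsok.com.pem
```
```bash
# PEM -> PKCS#12 (PFX). Password: 12345678
# pass: puts the password on the command line; env:VAR and file:PATH are the other sources
openssl pkcs12 -export -out httpsok.com.pfx -inkey _.httpsok.com.key -in _.httpsok.com.pem -passout pass:12345678
```
```bash
# PKCS#12 (PFX) -> PEM. Adds some redundant certificate information (bag attributes) to the output
# -nodes writes the private key unencrypted (OpenSSL 3.x also accepts -noenc)
openssl pkcs12 -in httpsok.com.pfx -out httpsok.com.pem -nodes
```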
Enabling old (legacy) algorithms
```bash
vim /etc/ssl/openssl.cnf
```
```ini
openssl_conf = openssl_init

[openssl_init]
providers = provider_sect

[provider_sect]
default = default_sect
legacy = legacy_sect

[default_sect]
activate = 1

[legacy_sect]
activate = 1
```
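PEM to PKCS#12 in detail
The legacy algorithms must be enabled first.
```bash
# Export with legacy algorithms: RC2-40 for certificates, 3DES for the key, SHA-1 MAC
openssl pkcs12 -export \
    -out cert.pfx \
    -inkey cert.key \
    -in cert.pem \
    -passout pass:123456 \
    -name "httpsok.com" \
    -certpbe PBE-SHA1-RC2-40 \
    -keypbe PBE-SHA1-3DES \
    -macalg sha1
```
```bash
# Export with the default algorithms
openssl pkcs12 -export \
    -out cert.pfx \
    -inkey cert.key \
    -in cert.pem \
    -passout pass:123456 \
    -name "httpsok.com"
```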
```bash
openssl pkcs12 -info -in cert.pfx -passin pass:123456 -noout
```
```text
MAC: sha1, Iteration 2048
MAC length: 20, salt length: 8
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048
Certificate bag
Certificate bag
Certificate bag
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048
```
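The `-info` report is where the choice of export algorithms becomes visible. As an added example (not part of the original page), the shell function below reads such a report and flags the SHA-1 MAC and the PKCS#12 v1 PBE schemes; the function names and `P12_PASS` are assumptions, `legacy_report` is the report shown on this page, and `modern_report` is a constructed sample.

```bash
# Added example, not from the original page. Typical use:
#   openssl pkcs12 -info -noout -in cert.pfx -passin env:P12_PASS 2>&1 | audit_p12_info
# P12_PASS is an assumed variable name; 2>&1 captures the report whichever stream it is written to.
# Reads a report on stdin, prints one line per legacy algorithm, returns non-zero if any was found.
audit_p12_info() {
    findings=0
    while IFS= read -r line; do
        case $line in
            "MAC: "*) where=MAC; alg=${line#MAC: } ;;
            "PKCS7 Encrypted data: "*|"Shrouded Keybag: "*) where=${line%%:*}; alg=${line#*: } ;;
            *) continue ;;
        esac
        alg=${alg%%,*}              # keep the algorithm, drop ", Iteration ..."
        case $alg in
            sha1|pbeWithSHA1And*)   # SHA-1 MAC or a PKCS#12 v1 PBE (RC2, RC4, 3DES)
                echo "LEGACY $where: $alg"
                findings=$((findings + 1)) ;;
        esac
    done
    [ "$findings" -eq 0 ]
}

# The report shown on this page for the PBE-SHA1-RC2-40 / PBE-SHA1-3DES export.
legacy_report() {
    cat <<'EOF'
MAC: sha1, Iteration 2048
MAC length: 20, salt length: 8
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048
Certificate bag
Certificate bag
Certificate bag
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048
EOF
}

# Constructed sample in the style of an export made with the default algorithms.
modern_report() {
    cat <<'EOF'
MAC: sha256, Iteration 2048
PKCS7 Encrypted data: PBES2, PBKDF2, AES-256-CBC, Iteration 2048, PRF hmacWithSHA256
PKCS7 Data
Shrouded Keybag: PBES2, PBKDF2, AES-256-CBC, Iteration 2048, PRF hmacWithSHA256
EOF
}

legacy_report | audit_p12_info || echo "legacy algorithms present"
```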
```bash
openssl pkcs12 -help
Usage: pkcs12 [options]

General options:
 -help               Display this summary
 -in infile          Input file
 -out outfile        Output file
 -passin val         Input file pass phrase source
 -passout val        Output file pass phrase source
 -password val       Set PKCS#12 import/export password source
 -twopass            Separate MAC, encryption passwords
 -nokeys             Don't output private keys
 -nocerts            Don't output certificates
 -noout              Don't output anything, just verify PKCS#12 input
 -legacy             Use legacy encryption: 3DES_CBC for keys, RC2_CBC for certs
 -engine val         Use engine, possibly a hardware device

Provider options:
 -provider-path val  Provider load path (must be before 'provider' argument if required)
 -provider val       Provider to load (can be specified multiple times)
 -propquery val      Property query used when fetching algorithms

Random state options:
 -rand val           Load the given file(s) into the random number generator
 -writerand outfile  Write random data to the specified file

PKCS#12 import (parsing PKCS#12) options:
 -info               Print info about PKCS#12 structure
 -nomacver           Don't verify integrity MAC
 -clcerts            Only output client certificates
 -cacerts            Only output CA certificates
 -*                  Any supported cipher for output encryption
 -noenc              Don't encrypt private keys
 -nodes              Don't encrypt private keys; deprecated

PKCS#12 output (export) options:
 -export             Create PKCS12 file
 -inkey val          Private key, else read from -in input file
 -certfile infile    Extra certificates for PKCS12 output
 -passcerts val      Certificate file pass phrase source
 -chain              Build and add certificate chain for EE cert,
                     which is the 1st cert from -in matching the private key (if given)
 -untrusted infile   Untrusted certificates for chain building
 -CAfile infile      PEM-format file of CA's
 -CApath dir         PEM-format directory of CA's
 -CAstore uri        URI to store of CA's
 -no-CAfile          Do not load the default certificates file
 -no-CApath          Do not load certificates from the default certificates directory
 -no-CAstore         Do not load certificates from the default certificates store
 -name val           Use name as friendly name
 -caname val         Use name as CA friendly name (can be repeated)
 -CSP val            Microsoft CSP name
 -LMK                Add local machine keyset attribute to private key
 -keyex              Set key type to MS key exchange
 -keysig             Set key type to MS key signature
 -keypbe val         Private key PBE algorithm (default AES-256 CBC)
 -certpbe val        Certificate PBE algorithm (default PBES2 with PBKDF2 and AES-256 CBC)
 -descert            Encrypt output with 3DES (default PBES2 with PBKDF2 and AES-256 CBC)
 -macalg val         Digest algorithm to use in MAC (default SHA1)
 -iter +int          Specify the iteration count for encryption and MAC
 -noiter             Don't use encryption iteration
 -nomaciter          Don't use MAC iteration)
 -maciter            Unused, kept for backwards compatibility
 -nomac              Don't generate MAC
```