openssl命令简介:
SSL是Secure Sockets Layer(安全套接层协议)的缩写,可以在Internet上提供秘密性传输。Netscape公司在推出第一个Web浏览器的同时,提出了SSL协议标准。其目标是保证两个应用间通信的保密性和可靠性,可在服务器端和用户端同时实现支持。已经成为Internet上保密通讯的工业标准。
SSL能使用户/服务器应用之间的通信不被攻击者窃听,并且始终对服务器进行认证,还可选择对用户进行认证。SSL协议要求建立在可靠的传输层协议(TCP)之上。SSL协议的优势在于它是与应用层协议独立无关的,高层的应用层协议(例如:HTTP,FTP,TELNET等)能透明地建立于SSL协议之上。SSL协议在应用层协议通信之前就已经完成加密算法、通信密钥的协商及服务器认证工作。在此之后应用层协议所传送的数据都会被加密,从而保证通信的私密性。
1.命令格式:
OpenSSL [选项][文件]
2.命令功能:
OpenSSL是多用途命令行工具,实现私有证书颁发机构.
3.命令参数:
Standard commands
asn1parse ca cipherscrl crl2pkcs7 dgst dh dhparamdsa dsaparam
enc engine errstr gendh gendsa genrsa nseq ocsp passwd pkcs12
pkcs7 pkcs8 prime rand req rsa rsautl s_client s_server s_time
sess_id smime speed spkac verify version x509
Message Digest commands (see the `dgst‘ command for more details)
md2 md4 md5 rmd160 sha sha1
Cipher commands (see the `enc‘ command for more details)
aes-128-cbc aes-128-ecb aes-192-cbc aes-192-ecb aes-256-cbc
aes-256-ecb base64 bf bf-cbc bf-cfb
bf-ecb bf-ofb cast cast-cbc cast5-cbc
cast5-cfb cast5-ecb cast5-ofb des des-cbc
des-cfb des-ecb des-ede des-ede-cbc des-ede-cfb
des-ede-ofb des-ede3 des-ede3-cbc des-ede3-cfb des-ede3-ofb
des-ofb des3 desx rc2 rc2-40-cbc
rc2-64-cbc rc2-cbc rc2-cfb rc2-ecb rc2-ofb
4.使用实例:
实例1.使用openssl speed 加密算法:显示openssl加密算法的速度
[root@localhost ~]# openssl speed 显示所有加密算法加密不同大小的数据所需的时间
Doing md2 for 3s on 16 size blocks: 394412 md2‘s in 2.98s
Doing md2 for 3s on 64 size blocks: 203352 md2‘s in 2.98s
Doing md2 for 3s on 256 size blocks: 69077 md2‘s in 2.98s
......
Doing md4 for 3s on 64 size blocks: 8383499 md4‘s in 2.97s
[root@localhost ~]# openssl speed des 显示des加密算法的加密不同大小的数据需要的时间
Doing des cbc for 3s on 16 size blocks: 9097196 des cbc‘s in 2.71s
Doing des cbc for 3s on 64 size blocks: 2466820 des cbc‘s in 2.74s
.......
Doing des cbc for 3s on 256 size blocks: 635165 des cbc‘s in 2.79s
Doing des cbc for 3s on 1024 size blocks: 192194 des cbc‘s in 3.00s
实例2.使用openssl enc 加密文件:通过enc进行加密
参数: -e:加密 -d:解密 -a:以base流形式加密(默认选项)
-in:需要加密的文件 -out:加密后输出的文件 -des3:加密算法
-salt:杂质(盐)
[root@johntest ~]# ls
anaconda-ks.cfg Desktop grub.conf inittab install.log install.log.syslog
[root@johntest ~]# openssl enc -des3 -salt -a -in inittab -out inittab.des3 加密文件
enter des-ede3-cbc encryption password:
Verifying - enter des-ede3-cbc encryption password:
[root@johntest ~]# ls
anaconda-ks.cfg Desktop grub.conf inittab inittab.des3 install.log install.log.syslog
[root@johntest ~]# mv inittab inittab.bk
[root@johntest ~]# cat inittab.des3
U2FsdGVkX19G5XhZb/jjhqwbvAaPBz2sgpsqfl6PlkqPR/0SO13ejnBHqTJYewiQ
7FnG4an4QQZY4kaVwhs858Y4ic6KL1seXsvwtIW+BqL+woiVJH0fRFRFLzv6a5na
... (省略35行)
[root@johntest ~]# openssl enc -des3 -d -salt -a -in inittab.des3 -out inittab 解密文件
enter des-ede3-cbc decryption password:
[root@johntest ~]# ls
anaconda-ks.cfg Desktop grub.conf inittab inittab.bk inittab.des3 install.log install.log.syslog
实例3.使用md5sum及openssl dgst -md5加密文件
[root@johntest ~]# md5sum inittab #提取特征码
92a39a223f68e67e9e6c412443851aeb inittab
[root@johntest ~]# sha
sha1hmac sha224sum sha256sum sha384sum sha512sum
sha1sum sha256hmac sha384hmac sha512hmac
[root@johntest ~]# sha1sum inittab #同一文件的相同算法的特征码一样
78ef239097844c223671e99a79d6b533dced8d3b inittab
[root@johntest ~]# openssl dgst -sha1 inittab
SHA1(inittab)= 78ef239097844c223671e99a79d6b533dced8d3b
[root@johntest ~]# openssl dgst -md5 inittab
MD5(inittab)= 92a39a223f68e67e9e6c412443851aeb
[root@johntest ~]#
实例4.使用openssl passwd生成有杂质的密码 salt:杂质(盐)
[root@johntest ~]# openssl passwd -1
Password:
Verifying - Password:
$1$H9SmHH0L$me6ujflYKSj6/XsM9I0XQ/
[root@johntest ~]# openssl passwd -1 #两次指定salt随机生成不一样
Password:
Verifying - Password:
$1$kY5RDrYX$MEU5eW3HHVXcDlfhUmrJ/1
[root@johntest ~]# openssl passwd -1 -salt kY5RDrYX #指定salt生成的密码一样
Password:
$1$kY5RDrYX$MEU5eW3HHVXcDlfhUmrJ/1
[root@johntest ~]#
实例5.使用openssl rand生成随机密码
[root@johntest ~]# openssl rand -base64 12 #生成12位的随机数
7nYC9UjBQYR6FFaD
[root@johntest ~]# openssl rand -base64 12
VgxBw3ZJUUxlZF0F
[root@johntest ~]# openssl rand -base64 16
20noIYaMsnO7mSPypsUHjQ==
[root@johntest ~]#
实例6.使用openssl genrsa生成指定长的对称密钥
[root@johntest ~]# (umask 077; openssl genrsa -out server512.key 512) 直接输出一个大小为512权限为700 的server512.key密钥文件
Generating RSA private key, 512 bit long modulus
.........++++++++++++
......................++++++++++++
e is 65537 (0x10001)
[root@johntest ~]# ll server5*
-rw------- 1 root root 493 Dec 10 13:45 server512.key
[root@johntest ~]# openssl rsa -in server512.key -pubout 从server512.key文件读出私钥,-pubout生成公钥
writing RSA key
-----BEGIN PUBLIC KEY-----
MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAMMjJyeTc0nIoHIrJqzC//CQ4Ca32TCn
8TQdC4VrnmhMv8o1I70UlY3pghalb+21APl3gNA6AKFtAN3BdtpcAt8CAwEAAQ==
-----END PUBLIC KEY-----
[root@johntest ~]# cat server512.key
-----BEGIN RSA PRIVATE KEY-----
MIIBOgIBAAJBAMMjJyeTc0nIoHIrJqzC//CQ4Ca32TCn8TQdC4VrnmhMv8o1I70U
lY3pghalb+21APl3gNA6AKFtAN3BdtpcAt8CAwEAAQJABSm68XsfQ8aBKEQoA84t
A2px49RddMIcyaozEdalHFFPrd6X85HuPvDiOd5urA296WYbfOZnPNVtCPOGyQId
gQIhAPBxohtu6yOnYw7uLYFo3prMSjhqdcG58lB/LQbmN5rhAiEAz8MgfmO77THy
pFt0A2lQ8RSqpF+U+2ZZDCSfsk+LFb8CIG7E6tmYj9stEgWe1Hf5yBOoacjzwqws
7eUHscar6JIBAiEAtGNRJSvnES0a5cVZ11RrqMYu2wT6T8Uvb7GkzqbttfUCIDCv
OvZmqJOxcrRVg+5EXdKn2VMCoj2pE/UMqoufNUO9
-----END RSA PRIVATE KEY-----
[root@johntest ~]#
实例7.生成自签署证书
[root@johntest ~]# openssl req -new -x509 -key server512.key -out server.crt -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.‘, the field will be left blank.
-----
Country Name (2 letter code) [GB]:CN
State or Province Name (full name) [Berkshire]:Jiangsu
Locality Name (eg, city) [Newbury]:Kunshan
Organization Name (eg, company) [My Company Ltd]:Fox
Organizational Unit Name (eg, section) []:Tech
Common Name (eg, your name or your server‘s hostname) []:ca.johntest.com
Email Address []:caadmin@johntest.com
[root@johntest ~]# ll server.crt
-rw-r--r-- 1 root root 1115 Dec 10 13:54 server.crt #自签署证书
[root@johntest ~]# cat server.crt 直接查看证书内容
-----BEGIN CERTIFICATE-----
MIIDCzCCArWgAwIBAgIJAIwFOSD6/zYRMA0GCSqGSIb3DQEBBQUAMIGNMQswCQYD
VQQGEwJDTjEQMA4GA1UECBMHSmlhbmdzdTEQMA4GA1UEBxMHS3Vuc2hhbjEMMAoG
...
-----END CERTIFICATE-----
[root@johntest ~]# openssl x509 -text -in server.crt 通过文本方式查看证书内容
Certificate:
Data:
Version: 3 (0x2) #证书版本号
Serial Number: #证书序列号
8c:05:39:20:fa:ff:36:11
Signature Algorithm: sha1WithRSAEncryption #证书颁发机构信息
Issuer: C=CN, ST=Jiangsu, L=Kunshan, O=Fox, OU=Tech, CN=ca.johntest.com/emailAddress=caadmin@johntest.com
Validity #证书有效期
Not Before: Dec 10 05:54:21 2016 GMT
Not After : Dec 10 05:54:21 2017 GMT
Subject: C=CN, ST=Jiangsu, L=Kunshan, O=Fox, OU=Tech, CN=ca.johntest.com/emailAddress=caadmin@johntest.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (512 bit)
Modulus (512 bit):
00:c3:23:27:27:93:73:49:c8:a0:72:2b:26:ac:c2:
ff:f0:90:e0:26:b7:d9:30:a7:f1:34:1d:0b:85:6b:
9e:68:4c:bf:ca:35:23:bd:14:95:8d:e9:82:16:a5:
6f:ed:b5:00:f9:77:80:d0:3a:00:a1:6d:00:dd:c1:
76:da:5c:02:df
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
6B:7E:CC:25:99:50:72:FB:AC:DF:9D:3E:05:4B:DF:0A:F8:EA:D2:E6
X509v3 Authority Key Identifier:
keyid:6B:7E:CC:25:99:50:72:FB:AC:DF:9D:3E:05:4B:DF:0A:F8:EA:D2:E6
DirName:/C=CN/ST=Jiangsu/L=Kunshan/O=Fox/OU=Tech/CN=ca.johntest.com/emailAddress=caadmin@johntest.com
serial:8C:05:39:20:FA:FF:36:11
X509v3 Basic Constraints:
CA:TRUE
Signature Algorithm: sha1WithRSAEncryption #签名信息
58:ab:e1:5f:5a:e3:d4:d1:cc:c3:60:f2:2d:74:58:3b:a0:e4:
86:5d:5a:be:28:53:bf:ad:2a:69:44:ce:75:c7:23:7a:c2:9e:
55:4b:96:3e:9a:04:1c:64:f9:c2:bc:a7:99:3c:96:fc:69:9d:
5a:fc:92:71:60:33:ca:d4:47:00
-----BEGIN CERTIFICATE-----
MIIDCzCCArWgAwIBAgIJAIwFOSD6/zYRMA0GCSqGSIb3DQEBBQUAMIGNMQswCQYD
VQQGEwJDTjEQMA4GA1UECBMHSmlhbmdzdTEQMA4GA1UEBxMHS3Vuc2hhbjEMMAoG
...
-----END CERTIFICATE-----
[root@johntest ~]#
openssl实现私有CA:
1、生成一对密钥(openssl genrsa)
openssl genrsa -out /PATH/TO/keyfilename numbits 生成私钥文件keyfilename 长度为:numbits
openssl rsa -in /PATH/TO/keyfilename -pubout 生成跟私钥keyfilename对应的公钥
2、生成自签署证书(openssl rsq)
* 实例8.在本机创建自签署证书服务器
[root@johntest ~]# vi /etc/pki/tls/openssl.cnf #红色为已修改默认值
dir = /etc/pki/CA #证书工作目录
certs = $dir/certs #证书保存的位置
crl_dir = $dir/crl #证书吊销列表路径
database = $dir/index.txt #给那些用户发证书的信息
#unique_subject = no # Set to ‘no‘ to allow creation of
# several ctificates with same subject.
new_certs_dir = $dir/newcerts # 新生成证书路径
certificate = $dir/cacert.pem #自己生成的证书
serial = $dir/serial # 证书系列号
crlnumber = $dir/crlnumber # 证书吊销列表工作号
# must be commented out to leave a V1 CRL
crl = $dir/crl.pem # 证书吊销列表工作文件
private_key = $dir/private/cakey.pem # CA自己的私钥文件
RANDFILE = $dir/private/.rand # private random number file
x509_extensions = usr_cert # The extentions to add to the cert
# Comment out the following two lines for the "traditional"
# (and highly broken) format.
name_opt = ca_default # Subject Name options
cert_opt = ca_default # Certificate field options
default_days = 3657 # 证书默认有效期天数
countryName_default = CN 国家
stateOrProvinceName_default = Jiangsu 省份
0.organizationName_default = Fox 公司
organizationalUnitName_default = Tech 部门
[root@johntest ~]# openssl version
OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
[root@test ~]# cd /etc/pki/CA/
[root@test CA]# ls
private
[root@test CA]# (umask 077; openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus
..+++
...............................+++
e is 65537 (0x10001)
[root@test CA]# ll private/
total 4
-rw------- 1 root root 1679 Dec 10 14:48 cakey.pem
[root@test CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.‘, the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [Jiangsu]:
Locality Name (eg, city) [Kunshan]:
Organization Name (eg, company) [Fox]:
Organizational Unit Name (eg, section) [Tech]:
Common Name (eg, your name or your server‘s hostname) []:ca.johntest.com
Email Address []:caadmin@johntest.com
[root@test CA]#mkdir certs newcerts crl
[root@test CA]# touch index.txt
[root@test CA]# echo 01 > serial
[root@test CA]# ls
cacert.pem certs crl index.txt newcerts private serial
在HTTP里新建一个SSL:
[root@test httpd]# mkdir ssl
[root@test httpd]# cd ssl
[root@test ssl]# pwd
/etc/httpd/ssl
[root@test ssl]#(umask 077; openssl genrsa -out httpd.key 1024)
Generating RSA private key, 1024 bit long modulus
..........................++++++
...........++++++
e is 65537 (0x10001)
[root@test ssl]# cat httpd.key
-----BEGIN RSA PRIVATE KEY-----
MIICXQIBAAKBgQDKxLVn2vx3xpl0pwFcfvgMCjfOVvhcNFCrQ0tG+XWtl9eXfohC
Y9j+WiKC9cyMdUovyr9VmweUdXON3foFhIm7+VkSma7c5ixuQuGvh4HKSDrG6g9W
U9gdpEa9BA1RyCoRWXo7fAb73/IAyqRoJAaqEXG2wnVzyUunCaieIgsmEwIDAQAB
AoGBAMc/Wn7OOg48kiiFvxm0DmxOUh4pae243pgcDUmV8iP9tDVCegS69syhp44G
mNRgoOCrmy40o9MnQsBiIr/vSCM0usYwdkz9TcKHND1Ime+3gQCRfbbnFQetF5dh
LMDvIYiQhvSY0qpikMhP/pJV0A/1JJabkV/k4N3U4GoZ+WjxAkEA8krkLa2gh02n
H7Kc7MCyxfo1TWb/ZwwaN031i1COO9CU1YoqhUPaNxdP3gzZaZWMrYOlw1Yguv1I
C5XB5i6rKQJBANY9ZC6JvzhsRLj+rStmTPMqV9ODsssGFJD6blYVuY0QMEZCnHSF
alhza1/q4XiNEccmMYd023r4OrEaw1r6KtsCQGHdPBLzKX7dL57O/zFlmA/9QyBT
dN/DdKdX9tDhpcGlOyiRWSFgybgs01amK/7Ip/zByud+V1QPz9TWFW6K9RkCQAff
/9O6Gn5PdIM8UU88Fm4Fy26p86OE2LKvkei2KbjmtG+QuUGLOeqAa5z9/EW7IcEp
RT7Oa9bsUvP5oN6yPWsCQQDTpEwskF2NIuPj5s1ke2Q+okmoGiWClLcGaYiCVzJm
DgIwxIU/hTe3KQCXIY+PEAypp5yLbmSgqXBNO3d0/TuM
-----END RSA PRIVATE KEY-----
[root@test ssl]#
[root@test ssl]# openssl req -new -key httpd.key -out httpd.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.‘, the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [Jiangsu]:
Locality Name (eg, city) [Kunshan]:
Organization Name (eg, company) [Fox]:
Organizational Unit Name (eg, section) [Tech]:
Common Name (eg, your name or your server‘s hostname) []:www.johntest.com
Email Address []:wwwadmin@johntest.com
Please enter the following ‘extra‘ attributes
to be sent with your certificate request
A challenge password []:: #密码为空(不加密私钥)
An optional company name []:
[root@test ssl]# ls
httpd.csr httpd.key
[root@test ssl]# openssl ca -in httpd.csr -out httpd.crt -days 365 签核证书申请
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Dec 10 08:26:36 2016 GMT
Not After : Dec 10 08:26:36 2017 GMT
Subject:
countryName = CN
stateOrProvinceName = Jiangsu
organizationName = Fox
organizationalUnitName = Tech
commonName = www.johntest.com
emailAddress = wwwadmin@johntest.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
78:00:55:EA:DC:3B:E1:07:32:05:C3:8E:A8:26:C6:4A:1B:32:8F:31
X509v3 Authority Key Identifier:
keyid:F1:D0:03:45:E8:51:8E:AE:6C:87:CC:38:ED:9F:43:C2:D1:6E:46:42
Certificate is to be certified until Dec 10 08:26:36 2017 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@test ssl]# cd /etc/pki/CA/
[root@test CA]# cat index.txt
V 171210082636Z 01 unknown /C=CN/ST=Jiangsu/O=Fox/OU=Tech/CN=www.johntest.com/emailAddress=wwwadmin@johntest.com
[root@test CA]# cat serial #下一个发证序号
02
实例9.快速生成测试用证书
[root@test tls]# ls
cert.pem certs misc openssl.cnf private
[root@test tls]# cd certs/
[root@test certs]# ls
ca-bundle.crt make-dummy-cert Makefile
[root@test certs]# make httpd.pem
umask 77 ; \
PEM1=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
PEM2=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
/usr/bin/openssl req -utf8 -newkey rsa:1024 -keyout $PEM1 -nodes -x509 -days 365 -out $PEM2 -set_serial 0 ; \
cat $PEM1 > httpd.pem ; \
echo "" >> httpd.pem ; \
cat $PEM2 >> httpd.pem ; \
rm -f $PEM1 $PEM2
Generating a 1024 bit RSA private key
..++++++
......++++++
writing new private key to ‘/tmp/openssl.F15890‘
Country Name (2 letter code) [CN]:
State or Province Name (full name) [Jiangsu]:
Locality Name (eg, city) [Kunshan]:
Organization Name (eg, company) [Fox]:
Organizational Unit Name (eg, section) [Tech]:
Common Name (eg, your name or your server‘s hostname) []:www.johntest.com
Email Address []:wwwadmin@johntest.com
[root@test certs]# ls
ca-bundle.crt httpd.pem make-dummy-cert Makefile
[root@test certs]# vi Makefile #可参考此文件写相关命令
本文出自 “学linux历程” 博客,请务必保留此出处http://woyaoxuelinux.blog.51cto.com/5663865/1888501
原文:http://woyaoxuelinux.blog.51cto.com/5663865/1888501