码迷,mamicode.com
首页 > 系统相关 > 详细

Linux命令:openssl

时间:2016-12-10 23:10:49      阅读:253      评论:0      收藏:0      [点我收藏+]

标签:openssl

openssl令简介:

  SSL是Secure Sockets Layer(安全套接层协议)的缩写,可以在Internet上提供秘密性传输。Netscape公司在推出第一个Web浏览器的同时,提出了SSL协议标准。其目标是保证两个应用间通信的保密性和可靠性,可在服务器端和用户端同时实现支持。已经成为Internet上保密通讯的工业标准。

  SSL能使用户/服务器应用之间的通信不被攻击者窃听,并且始终对服务器进行认证,还可选择对用户进行认证。SSL协议要求建立在可靠的传输层协议(TCP)之上。SSL协议的优势在于它是与应用层协议独立无关的,高层的应用层协议(例如:HTTP,FTP,TELNET等)能透明地建立于SSL协议之上。SSL协议在应用层协议通信之前就已经完成加密算法、通信密钥的协商及服务器认证工作。在此之后应用层协议所传送的数据都会被加密,从而保证通信的私密性。


1.命令格式:

  OpenSSL [选项][文件]

2.命令功能:

  OpenSSL是一个安全套接字层密码库,囊括主要的密码算法、常用的密钥和证书封装管理功能及SSL协议,并提供丰富的应用程序供测试或其它目的使用。

  OpenSSL被曝出现严重安全漏洞后,发现多数通过SSL协议加密的网站使用名为OpenSSL的开源软件包。OpenSSL漏洞不仅影响以https开头的网站,黑客还可利用此漏洞直接对个人电脑发起“心脏出血”(Heartbleed)攻击。据分析,Windows上有大量软件使用了存在漏洞的OpenSSL代码库,可能被黑客攻击抓取用户电脑上的内存数据。


3.命令参数:


Standard commands

asn1parse  ca  cipherscrl  crl2pkcs7  dgst   dh  dhparamdsa  dsaparam 
enc  engine  errstr  gendh  gendsa genrsa  nseq   ocsp   passwd pkcs12  
pkcs7  pkcs8  prime  rand   req  rsa  rsautl  s_client s_server  s_time  
sess_id smime  speed  spkac  verify version x509   

Message Digest commands (see the `dgst‘ command for more details)
md2  md4  md5  rmd160 sha  sha1   

Cipher commands (see the `enc‘ command for more details)
aes-128-cbc aes-128-ecb aes-192-cbc aes-192-ecb aes-256-cbc
aes-256-ecb base64  bf  bf-cbc  bf-cfb  
bf-ecb  bf-ofb  cast   cast-cbc cast5-cbc  
cast5-cfb  cast5-ecb  cast5-ofb  des  des-cbc
des-cfb des-ecb des-ede des-ede-cbc des-ede-cfb
des-ede-ofb des-ede3  des-ede3-cbc  des-ede3-cfb  des-ede3-ofb  
des-ofb des3   desx   rc2  rc2-40-cbc
rc2-64-cbc rc2-cbc rc2-cfb rc2-ecb rc2-ofb 


4.使用实例:


 实例1.使用openssl enc 加密文件

[root@jacktest ~]# ls
anaconda-ks.cfg  Desktop  grub.conf  inittab  install.log  install.log.syslog
[root@jacktest ~]# openssl enc -des3 -salt -a -in inittab -out inittab.des3
enter des-ede3-cbc encryption password:
Verifying - enter des-ede3-cbc encryption password:
[root@jacktest ~]# ls
anaconda-ks.cfg  Desktop  grub.conf  inittab  inittab.des3  install.log  install.log.syslog

[root@jacktest ~]# mv inittab inittab.bk

[root@jacktest ~]# cat inittab.des3
U2FsdGVkX19G5XhZb/jjhqwbvAaPBz2sgpsqfl6PlkqPR/0SO13ejnBHqTJYewiQ
7FnG4an4QQZY4kaVwhs858Y4ic6KL1seXsvwtIW+BqL+woiVJH0fRFRFLzv6a5na
... (省略35行)
[root@jacktest ~]# openssl enc -des3 -d -salt -a -in inittab.des3 -out inittab
enter des-ede3-cbc decryption password:
[root@jacktest ~]# ls
anaconda-ks.cfg  Desktop  grub.conf  inittab  inittab.bk  inittab.des3  install.log  install.log.syslog


 实例2.使用md5sum及openssl dgst -md5加密文件

[root@jacktest ~]# md5sum init
md5sum: init: No such file or directory
[root@jacktest ~]# md5sum inittab   #提取特征码
92a39a223f68e67e9e6c412443851aeb  inittab
[root@jacktest ~]# sha
sha1hmac    sha224sum   sha256sum   sha384sum   sha512sum   
sha1sum     sha256hmac  sha384hmac  sha512hmac  
[root@jacktest ~]# sha1sum inittab     #同一文件的相同算法的特征码一样
78ef239097844c223671e99a79d6b533dced8d3b  inittab
[root@jacktest ~]# openssl dgst -sha1 inittab
SHA1(inittab)= 78ef239097844c223671e99a79d6b533dced8d3b
[root@jacktest ~]# openssl dgst -md5 inittab
MD5(inittab)= 92a39a223f68e67e9e6c412443851aeb
[root@jacktest ~]#


 实例3.使用openssl passwd生成有杂质的密码

[root@jacktest ~]# openssl passwd -1
Password:
Verifying - Password:
$1$H9SmHH0L$me6ujflYKSj6/XsM9I0XQ/
[root@jacktest ~]# openssl passwd -1   #两次指定salt随机生成不一样
Password:
Verifying - Password:
$1$kY5RDrYX$MEU5eW3HHVXcDlfhUmrJ/1
[root@jacktest ~]# openssl passwd -1 -salt kY5RDrYX     #指定salt生成的密码一样
Password:
$1$kY5RDrYX$MEU5eW3HHVXcDlfhUmrJ/1
[root@jacktest ~]#


 实例4.使用openssl rand生成随机密码

[root@jacktest ~]# openssl rand -base64 12   #生成12位的随机数
7nYC9UjBQYR6FFaD
[root@jacktest ~]# openssl rand -base64 12
VgxBw3ZJUUxlZF0F
[root@jacktest ~]# openssl rand -base64 16
20noIYaMsnO7mSPypsUHjQ==
[root@jacktest ~]#



 实例5.使用openssl genrsa生成指定长的对称密钥

[root@jacktest ~]# ( umask 077 openssl genrsa -out server512.key 512 )
Generating RSA private key, 512 bit long modulus
.........++++++++++++
......................++++++++++++
e is 65537 (0x10001)

[root@jacktest ~]# ll server5*
-rw------- 1 root root 493 Dec 10 13:45 server512.key

[root@jacktest ~]# openssl rsa -in server512.key -pubout
writing RSA key
-----BEGIN PUBLIC KEY-----
MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAMMjJyeTc0nIoHIrJqzC//CQ4Ca32TCn
8TQdC4VrnmhMv8o1I70UlY3pghalb+21APl3gNA6AKFtAN3BdtpcAt8CAwEAAQ==
-----END PUBLIC KEY-----
[root@jacktest ~]# cat server512.key
-----BEGIN RSA PRIVATE KEY-----
MIIBOgIBAAJBAMMjJyeTc0nIoHIrJqzC//CQ4Ca32TCn8TQdC4VrnmhMv8o1I70U
lY3pghalb+21APl3gNA6AKFtAN3BdtpcAt8CAwEAAQJABSm68XsfQ8aBKEQoA84t
A2px49RddMIcyaozEdalHFFPrd6X85HuPvDiOd5urA296WYbfOZnPNVtCPOGyQId
gQIhAPBxohtu6yOnYw7uLYFo3prMSjhqdcG58lB/LQbmN5rhAiEAz8MgfmO77THy
pFt0A2lQ8RSqpF+U+2ZZDCSfsk+LFb8CIG7E6tmYj9stEgWe1Hf5yBOoacjzwqws
7eUHscar6JIBAiEAtGNRJSvnES0a5cVZ11RrqMYu2wT6T8Uvb7GkzqbttfUCIDCv
OvZmqJOxcrRVg+5EXdKn2VMCoj2pE/UMqoufNUO9
-----END RSA PRIVATE KEY-----
[root@jacktest ~]#


 实例6.生成自签署证书

[root@jacktest ~]# openssl req -new -x509 -key server512.key -out server.crt -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.‘, the field will be left blank.
-----
Country Name (2 letter code) [GB]:CN  
State or Province Name (full name) [Berkshire]:Jiangsu  
Locality Name (eg, city) [Newbury]:Kunshan
Organization Name (eg, company) [My Company Ltd]:Fox    
Organizational Unit Name (eg, section) []:Tech
Common Name (eg, your name or your server‘s hostname) []:ca.jacktest.com
Email Address []:caadmin@jacktest.com
[root@jacktest ~]# ll server.crt
-rw-r--r-- 1 root root 1115 Dec 10 13:54 server.crt   #自签署证书
[root@jacktest ~]# cat server.crt
-----BEGIN CERTIFICATE-----
MIIDCzCCArWgAwIBAgIJAIwFOSD6/zYRMA0GCSqGSIb3DQEBBQUAMIGNMQswCQYD
VQQGEwJDTjEQMA4GA1UECBMHSmlhbmdzdTEQMA4GA1UEBxMHS3Vuc2hhbjEMMAoG
...
-----END CERTIFICATE-----
[root@jacktest ~]# openssl x509 -text -in server.crt
Certificate:
    Data:
        Version: 3 (0x2)    #证书版本号
        Serial Number:   #证书序列号
            8c:05:39:20:fa:ff:36:11
        Signature Algorithm: sha1WithRSAEncryption   #证书颁发机构信息
        Issuer: C=CN, ST=Jiangsu, L=Kunshan, O=Fox, OU=Tech, CN=ca.jacktest.com/emailAddress=caadmin@jacktest.com
        Validity       #证书有效期
            Not Before: Dec 10 05:54:21 2016 GMT
            Not After : Dec 10 05:54:21 2017 GMT
        Subject: C=CN, ST=Jiangsu, L=Kunshan, O=Fox, OU=Tech, CN=ca.jacktest.com/emailAddress=caadmin@jacktest.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (512 bit)
                Modulus (512 bit):
                    00:c3:23:27:27:93:73:49:c8:a0:72:2b:26:ac:c2:
                    ff:f0:90:e0:26:b7:d9:30:a7:f1:34:1d:0b:85:6b:
                    9e:68:4c:bf:ca:35:23:bd:14:95:8d:e9:82:16:a5:
                    6f:ed:b5:00:f9:77:80:d0:3a:00:a1:6d:00:dd:c1:
                    76:da:5c:02:df
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                6B:7E:CC:25:99:50:72:FB:AC:DF:9D:3E:05:4B:DF:0A:F8:EA:D2:E6
            X509v3 Authority Key Identifier: 
                keyid:6B:7E:CC:25:99:50:72:FB:AC:DF:9D:3E:05:4B:DF:0A:F8:EA:D2:E6
                DirName:/C=CN/ST=Jiangsu/L=Kunshan/O=Fox/OU=Tech/CN=ca.jacktest.com/emailAddress=caadmin@jacktest.com
                serial:8C:05:39:20:FA:FF:36:11

            X509v3 Basic Constraints:
                CA:TRUE
    Signature Algorithm: sha1WithRSAEncryption   #签名信息
        58:ab:e1:5f:5a:e3:d4:d1:cc:c3:60:f2:2d:74:58:3b:a0:e4:
        86:5d:5a:be:28:53:bf:ad:2a:69:44:ce:75:c7:23:7a:c2:9e:
        55:4b:96:3e:9a:04:1c:64:f9:c2:bc:a7:99:3c:96:fc:69:9d:
        5a:fc:92:71:60:33:ca:d4:47:00
-----BEGIN CERTIFICATE-----
MIIDCzCCArWgAwIBAgIJAIwFOSD6/zYRMA0GCSqGSIb3DQEBBQUAMIGNMQswCQYD
VQQGEwJDTjEQMA4GA1UECBMHSmlhbmdzdTEQMA4GA1UEBxMHS3Vuc2hhbjEMMAoG
...
-----END CERTIFICATE-----
[root@jacktest ~]#


 实例7.在本机创建自签署证书服务器

[root@jacktest ~]#  vi /etc/pki/tls/openssl.cnf   #红色为已修改默认值

dir             = /etc/pki/CA           # Where everything is kept

certs           = $dir/certs            # Where the issued certs are kept
crl_dir         = $dir/crl              # Where the issued crl are kept
database        = $dir/index.txt        # database index file.

default_days    = 3657                  # how long to certify for
countryName_default             = CN
stateOrProvinceName_default     = Jiangsu
0.organizationName_default      = Fox
organizationalUnitName_default  = Tech

[root@jacktest ~]# openssl version
OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008

[root@test ~]# cd /etc/pki/CA/
[root@test CA]# ls
private
[root@test CA]# (umask 077 openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus
..+++
...............................+++
e is 65537 (0x10001)
[root@test CA]# ll private/
total 4
-rw------- 1 root root 1679 Dec 10 14:48 cakey.pem
[root@test CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.‘, the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [Jiangsu]:
Locality Name (eg, city) [Kunshan]:
Organization Name (eg, company) [Fox]:
Organizational Unit Name (eg, section) [Tech]:
Common Name (eg, your name or your server‘s hostname) []:ca.jacktest.com
Email Address []:caadmin@jacktest.com
[root@test CA]# touch index.txt
[root@test CA]# echo 01 > serial
[root@test CA]# ls
cacert.pem  certs  crl  index.txt  newcerts  private  serial


在HTTP里新建一个SSL:

[root@test httpd]# mkdir ssl
[root@test httpd]# cd ssl
[root@test ssl]# pwd
/etc/httpd/ssl
[root@test ssl]# (umask 077; openssl genrsa -out httpd.key 1024)
Generating RSA private key, 1024 bit long modulus
..........................++++++
...........++++++
e is 65537 (0x10001)
[root@test ssl]# cat httpd.key
-----BEGIN RSA PRIVATE KEY-----
MIICXQIBAAKBgQDKxLVn2vx3xpl0pwFcfvgMCjfOVvhcNFCrQ0tG+XWtl9eXfohC
Y9j+WiKC9cyMdUovyr9VmweUdXON3foFhIm7+VkSma7c5ixuQuGvh4HKSDrG6g9W
U9gdpEa9BA1RyCoRWXo7fAb73/IAyqRoJAaqEXG2wnVzyUunCaieIgsmEwIDAQAB
AoGBAMc/Wn7OOg48kiiFvxm0DmxOUh4pae243pgcDUmV8iP9tDVCegS69syhp44G
mNRgoOCrmy40o9MnQsBiIr/vSCM0usYwdkz9TcKHND1Ime+3gQCRfbbnFQetF5dh
LMDvIYiQhvSY0qpikMhP/pJV0A/1JJabkV/k4N3U4GoZ+WjxAkEA8krkLa2gh02n
H7Kc7MCyxfo1TWb/ZwwaN031i1COO9CU1YoqhUPaNxdP3gzZaZWMrYOlw1Yguv1I
C5XB5i6rKQJBANY9ZC6JvzhsRLj+rStmTPMqV9ODsssGFJD6blYVuY0QMEZCnHSF
alhza1/q4XiNEccmMYd023r4OrEaw1r6KtsCQGHdPBLzKX7dL57O/zFlmA/9QyBT
dN/DdKdX9tDhpcGlOyiRWSFgybgs01amK/7Ip/zByud+V1QPz9TWFW6K9RkCQAff
/9O6Gn5PdIM8UU88Fm4Fy26p86OE2LKvkei2KbjmtG+QuUGLOeqAa5z9/EW7IcEp
RT7Oa9bsUvP5oN6yPWsCQQDTpEwskF2NIuPj5s1ke2Q+okmoGiWClLcGaYiCVzJm
DgIwxIU/hTe3KQCXIY+PEAypp5yLbmSgqXBNO3d0/TuM
-----END RSA PRIVATE KEY-----
[root@test ssl]#

[root@test ssl]# openssl req -new -key httpd.key -out httpd.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.‘, the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [Jiangsu]:
Locality Name (eg, city) [Kunshan]:
Organization Name (eg, company) [Fox]:
Organizational Unit Name (eg, section) [Tech]:
Common Name (eg, your name or your server‘s hostname) []:www.jacktest.com
Email Address []:wwwadmin@jacktest.com

Please enter the following ‘extra‘ attributes
to be sent with your certificate request
A challenge password []::                 #密码可为空
An optional company name []:
[root@test ssl]# ls
httpd.csr  httpd.key
[root@test ssl]# openssl ca -in httpd.csr -out httpd.crt -days 365

Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Dec 10 08:26:36 2016 GMT
            Not After : Dec 10 08:26:36 2017 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = Jiangsu
            organizationName          = Fox
            organizationalUnitName    = Tech
            commonName                = www.jacktest.com
            emailAddress              = wwwadmin@jacktest.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                78:00:55:EA:DC:3B:E1:07:32:05:C3:8E:A8:26:C6:4A:1B:32:8F:31
            X509v3 Authority Key Identifier:
                keyid:F1:D0:03:45:E8:51:8E:AE:6C:87:CC:38:ED:9F:43:C2:D1:6E:46:42
Certificate is to be certified until Dec 10 08:26:36 2017 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@test ssl]# cd /etc/pki/CA/
[root@test CA]# cat index.txt
V    171210082636Z        01    unknown    /C=CN/ST=Jiangsu/O=Fox/OU=Tech/CN=www.jacktest.com/emailAddress=wwwadmin@jacktest.com

[root@test CA]# cat serial     #下一个发证序号
02



 实例7.快速生成测试用证书

[root@test tls]# ls
cert.pem  certs  misc  openssl.cnf  private
[root@test tls]# cd certs/
[root@test certs]# ls
ca-bundle.crt  make-dummy-cert  Makefile
[root@test certs]# make httpd.pem
umask 77 ; \
    PEM1=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
    PEM2=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
    /usr/bin/openssl req -utf8 -newkey rsa:1024 -keyout $PEM1 -nodes -x509 -days 365 -out $PEM2 -set_serial 0 ; \
    cat $PEM1 >  httpd.pem ; \
    echo ""    >> httpd.pem ; \
    cat $PEM2 >> httpd.pem ; \
    rm -f $PEM1 $PEM2
Generating a 1024 bit RSA private key
..++++++
......++++++
writing new private key to ‘/tmp/openssl.F15890‘
Country Name (2 letter code) [CN]:
State or Province Name (full name) [Jiangsu]:
Locality Name (eg, city) [Kunshan]:
Organization Name (eg, company) [Fox]:
Organizational Unit Name (eg, section) [Tech]:
Common Name (eg, your name or your server‘s hostname) []:www.jacktest.com
Email Address []:wwwadmin@jacktest.com
[root@test certs]# ls
ca-bundle.crt  httpd.pem  make-dummy-cert  Makefile
[root@test certs]# vi Makefile   #可参考此文件写相关命令


---end---


Linux命令:openssl

标签:openssl

原文地址:http://wangfx.blog.51cto.com/1697877/1881518
(0)
(0)
   
举报
评论 一句话评论(0
登录后才能评论!
分享档案
更多>
2021年07月29日 (22)
2021年07月28日 (40)
2021年07月27日 (32)
2021年07月26日 (79)
2021年07月23日 (29)
2021年07月22日 (30)
2021年07月21日 (42)
2021年07月20日 (16)
2021年07月19日 (90)
2021年07月16日 (35)
周排行
mamicode.com排行更多图片
更多
友情链接
兰亭集智   国之画   百度统计   站长统计   阿里云   chrome插件   新版天听网
关于我们 - 联系我们 - 留言反馈
© 2014 mamicode.com 版权所有  联系我们:gaon5@hotmail.com
迷上了代码!