标签:openssl
openssl命令简介:
SSL能使用户/服务器应用之间的通信不被攻击者窃听,并且始终对服务器进行认证,还可选择对用户进行认证。SSL协议要求建立在可靠的传输层协议(TCP)之上。SSL协议的优势在于它是与应用层协议独立无关的,高层的应用层协议(例如:HTTP,FTP,TELNET等)能透明地建立于SSL协议之上。SSL协议在应用层协议通信之前就已经完成加密算法、通信密钥的协商及服务器认证工作。在此之后应用层协议所传送的数据都会被加密,从而保证通信的私密性。
1.命令格式:
OpenSSL [选项][文件]
2.命令功能:
OpenSSL是一个安全套接字层密码库,囊括主要的密码算法、常用的密钥和证书封装管理功能及SSL协议,并提供丰富的应用程序供测试或其它目的使用。
OpenSSL被曝出现严重安全漏洞后,发现多数通过SSL协议加密的网站使用名为OpenSSL的开源软件包。OpenSSL漏洞不仅影响以https开头的网站,黑客还可利用此漏洞直接对个人电脑发起“心脏出血”(Heartbleed)攻击。据分析,Windows上有大量软件使用了存在漏洞的OpenSSL代码库,可能被黑客攻击抓取用户电脑上的内存数据。
3.命令参数:
Standard commands
asn1parse ca cipherscrl crl2pkcs7 dgst dh dhparamdsa dsaparam
enc engine errstr gendh gendsa genrsa nseq ocsp passwd pkcs12
pkcs7 pkcs8 prime rand req rsa rsautl s_client s_server s_time
sess_id smime speed spkac verify version x509
Message Digest commands (see the `dgst‘ command for more details)
md2 md4 md5 rmd160 sha sha1
Cipher commands (see the `enc‘ command for more details)
aes-128-cbc aes-128-ecb aes-192-cbc aes-192-ecb aes-256-cbc
aes-256-ecb base64 bf bf-cbc bf-cfb
bf-ecb bf-ofb cast cast-cbc cast5-cbc
cast5-cfb cast5-ecb cast5-ofb des des-cbc
des-cfb des-ecb des-ede des-ede-cbc des-ede-cfb
des-ede-ofb des-ede3 des-ede3-cbc des-ede3-cfb des-ede3-ofb
des-ofb des3 desx rc2 rc2-40-cbc
rc2-64-cbc rc2-cbc rc2-cfb rc2-ecb rc2-ofb
4.使用实例:
实例1.使用openssl enc 加密文件
[root@jacktest ~]# ls
anaconda-ks.cfg Desktop grub.conf inittab install.log install.log.syslog
[root@jacktest ~]# openssl enc -des3 -salt -a -in inittab -out inittab.des3
enter des-ede3-cbc encryption password:
Verifying - enter des-ede3-cbc encryption password:
[root@jacktest ~]# ls
anaconda-ks.cfg Desktop grub.conf inittab inittab.des3 install.log install.log.syslog
[root@jacktest ~]# mv inittab inittab.bk
[root@jacktest ~]# cat inittab.des3
U2FsdGVkX19G5XhZb/jjhqwbvAaPBz2sgpsqfl6PlkqPR/0SO13ejnBHqTJYewiQ
7FnG4an4QQZY4kaVwhs858Y4ic6KL1seXsvwtIW+BqL+woiVJH0fRFRFLzv6a5na
... (省略35行)
[root@jacktest ~]# openssl enc -des3 -d -salt -a -in inittab.des3 -out inittab
enter des-ede3-cbc decryption password:
[root@jacktest ~]# ls
anaconda-ks.cfg Desktop grub.conf inittab inittab.bk inittab.des3 install.log install.log.syslog
实例2.使用md5sum及openssl dgst -md5加密文件
[root@jacktest ~]# md5sum init
md5sum: init: No such file or directory
[root@jacktest ~]# md5sum inittab #提取特征码
92a39a223f68e67e9e6c412443851aeb inittab
[root@jacktest ~]# sha
sha1hmac sha224sum sha256sum sha384sum sha512sum
sha1sum sha256hmac sha384hmac sha512hmac
[root@jacktest ~]# sha1sum inittab #同一文件的相同算法的特征码一样
78ef239097844c223671e99a79d6b533dced8d3b inittab
[root@jacktest ~]# openssl dgst -sha1 inittab
SHA1(inittab)= 78ef239097844c223671e99a79d6b533dced8d3b
[root@jacktest ~]# openssl dgst -md5 inittab
MD5(inittab)= 92a39a223f68e67e9e6c412443851aeb
[root@jacktest ~]#
实例3.使用openssl passwd生成有杂质的密码
[root@jacktest ~]# openssl passwd -1
Password:
Verifying - Password:
$1$H9SmHH0L$me6ujflYKSj6/XsM9I0XQ/
[root@jacktest ~]# openssl passwd -1 #两次指定salt随机生成不一样
Password:
Verifying - Password:
$1$kY5RDrYX$MEU5eW3HHVXcDlfhUmrJ/1
[root@jacktest ~]# openssl passwd -1 -salt kY5RDrYX #指定salt生成的密码一样
Password:
$1$kY5RDrYX$MEU5eW3HHVXcDlfhUmrJ/1
[root@jacktest ~]#
实例4.使用openssl rand生成随机密码
[root@jacktest ~]# openssl rand -base64 12 #生成12位的随机数
7nYC9UjBQYR6FFaD
[root@jacktest ~]# openssl rand -base64 12
VgxBw3ZJUUxlZF0F
[root@jacktest ~]# openssl rand -base64 16
20noIYaMsnO7mSPypsUHjQ==
[root@jacktest ~]#
实例5.使用openssl genrsa生成指定长的对称密钥
[root@jacktest ~]# ( umask 077; openssl genrsa -out server512.key 512 )
Generating RSA private key, 512 bit long modulus
.........++++++++++++
......................++++++++++++
e is 65537 (0x10001)
[root@jacktest ~]# ll server5*
-rw------- 1 root root 493 Dec 10 13:45 server512.key
[root@jacktest ~]# openssl rsa -in server512.key -pubout
writing RSA key
-----BEGIN PUBLIC KEY-----
MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAMMjJyeTc0nIoHIrJqzC//CQ4Ca32TCn
8TQdC4VrnmhMv8o1I70UlY3pghalb+21APl3gNA6AKFtAN3BdtpcAt8CAwEAAQ==
-----END PUBLIC KEY-----
[root@jacktest ~]# cat server512.key
-----BEGIN RSA PRIVATE KEY-----
MIIBOgIBAAJBAMMjJyeTc0nIoHIrJqzC//CQ4Ca32TCn8TQdC4VrnmhMv8o1I70U
lY3pghalb+21APl3gNA6AKFtAN3BdtpcAt8CAwEAAQJABSm68XsfQ8aBKEQoA84t
A2px49RddMIcyaozEdalHFFPrd6X85HuPvDiOd5urA296WYbfOZnPNVtCPOGyQId
gQIhAPBxohtu6yOnYw7uLYFo3prMSjhqdcG58lB/LQbmN5rhAiEAz8MgfmO77THy
pFt0A2lQ8RSqpF+U+2ZZDCSfsk+LFb8CIG7E6tmYj9stEgWe1Hf5yBOoacjzwqws
7eUHscar6JIBAiEAtGNRJSvnES0a5cVZ11RrqMYu2wT6T8Uvb7GkzqbttfUCIDCv
OvZmqJOxcrRVg+5EXdKn2VMCoj2pE/UMqoufNUO9
-----END RSA PRIVATE KEY-----
[root@jacktest ~]#
实例6.生成自签署证书
[root@jacktest ~]# openssl req -new -x509 -key server512.key -out server.crt -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.‘, the field will be left blank.
-----
Country Name (2 letter code) [GB]:CN
State or Province Name (full name) [Berkshire]:Jiangsu
Locality Name (eg, city) [Newbury]:Kunshan
Organization Name (eg, company) [My Company Ltd]:Fox
Organizational Unit Name (eg, section) []:Tech
Common Name (eg, your name or your server‘s hostname) []:ca.jacktest.com
Email Address []:caadmin@jacktest.com
[root@jacktest ~]# ll server.crt
-rw-r--r-- 1 root root 1115 Dec 10 13:54 server.crt #自签署证书
[root@jacktest ~]# cat server.crt
-----BEGIN CERTIFICATE-----
MIIDCzCCArWgAwIBAgIJAIwFOSD6/zYRMA0GCSqGSIb3DQEBBQUAMIGNMQswCQYD
VQQGEwJDTjEQMA4GA1UECBMHSmlhbmdzdTEQMA4GA1UEBxMHS3Vuc2hhbjEMMAoG
...
-----END CERTIFICATE-----
[root@jacktest ~]# openssl x509 -text -in server.crt
Certificate:
Data:
Version: 3 (0x2) #证书版本号
Serial Number: #证书序列号
8c:05:39:20:fa:ff:36:11
Signature Algorithm: sha1WithRSAEncryption #证书颁发机构信息
Issuer: C=CN, ST=Jiangsu, L=Kunshan, O=Fox, OU=Tech, CN=ca.jacktest.com/emailAddress=caadmin@jacktest.com
Validity #证书有效期
Not Before: Dec 10 05:54:21 2016 GMT
Not After : Dec 10 05:54:21 2017 GMT
Subject: C=CN, ST=Jiangsu, L=Kunshan, O=Fox, OU=Tech, CN=ca.jacktest.com/emailAddress=caadmin@jacktest.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (512 bit)
Modulus (512 bit):
00:c3:23:27:27:93:73:49:c8:a0:72:2b:26:ac:c2:
ff:f0:90:e0:26:b7:d9:30:a7:f1:34:1d:0b:85:6b:
9e:68:4c:bf:ca:35:23:bd:14:95:8d:e9:82:16:a5:
6f:ed:b5:00:f9:77:80:d0:3a:00:a1:6d:00:dd:c1:
76:da:5c:02:df
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
6B:7E:CC:25:99:50:72:FB:AC:DF:9D:3E:05:4B:DF:0A:F8:EA:D2:E6
X509v3 Authority Key Identifier:
keyid:6B:7E:CC:25:99:50:72:FB:AC:DF:9D:3E:05:4B:DF:0A:F8:EA:D2:E6
DirName:/C=CN/ST=Jiangsu/L=Kunshan/O=Fox/OU=Tech/CN=ca.jacktest.com/emailAddress=caadmin@jacktest.com
serial:8C:05:39:20:FA:FF:36:11
X509v3 Basic Constraints:
CA:TRUE
Signature Algorithm: sha1WithRSAEncryption #签名信息
58:ab:e1:5f:5a:e3:d4:d1:cc:c3:60:f2:2d:74:58:3b:a0:e4:
86:5d:5a:be:28:53:bf:ad:2a:69:44:ce:75:c7:23:7a:c2:9e:
55:4b:96:3e:9a:04:1c:64:f9:c2:bc:a7:99:3c:96:fc:69:9d:
5a:fc:92:71:60:33:ca:d4:47:00
-----BEGIN CERTIFICATE-----
MIIDCzCCArWgAwIBAgIJAIwFOSD6/zYRMA0GCSqGSIb3DQEBBQUAMIGNMQswCQYD
VQQGEwJDTjEQMA4GA1UECBMHSmlhbmdzdTEQMA4GA1UEBxMHS3Vuc2hhbjEMMAoG
...
-----END CERTIFICATE-----
[root@jacktest ~]#
实例7.在本机创建自签署证书服务器
[root@jacktest ~]# vi /etc/pki/tls/openssl.cnf #红色为已修改默认值
dir = /etc/pki/CA # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
default_days = 3657 # how long to certify for
countryName_default = CN
stateOrProvinceName_default = Jiangsu
0.organizationName_default = Fox
organizationalUnitName_default = Tech
[root@jacktest ~]# openssl version
OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
[root@test ~]# cd /etc/pki/CA/
[root@test CA]# ls
private
[root@test CA]# (umask 077; openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus
..+++
...............................+++
e is 65537 (0x10001)
[root@test CA]# ll private/
total 4
-rw------- 1 root root 1679 Dec 10 14:48 cakey.pem
[root@test CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.‘, the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [Jiangsu]:
Locality Name (eg, city) [Kunshan]:
Organization Name (eg, company) [Fox]:
Organizational Unit Name (eg, section) [Tech]:
Common Name (eg, your name or your server‘s hostname) []:ca.jacktest.com
Email Address []:caadmin@jacktest.com
[root@test CA]# touch index.txt
[root@test CA]# echo 01 > serial
[root@test CA]# ls
cacert.pem certs crl index.txt newcerts private serial
在HTTP里新建一个SSL:
[root@test ssl]# openssl req -new -key httpd.key -out httpd.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.‘, the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [Jiangsu]:
Locality Name (eg, city) [Kunshan]:
Organization Name (eg, company) [Fox]:
Organizational Unit Name (eg, section) [Tech]:
Common Name (eg, your name or your server‘s hostname) []:www.jacktest.com
Email Address []:wwwadmin@jacktest.com
Please enter the following ‘extra‘ attributes
to be sent with your certificate request
A challenge password []:: #密码可为空
An optional company name []:
[root@test ssl]# ls
httpd.csr httpd.key
[root@test ssl]# openssl ca -in httpd.csr -out httpd.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Dec 10 08:26:36 2016 GMT
Not After : Dec 10 08:26:36 2017 GMT
Subject:
countryName = CN
stateOrProvinceName = Jiangsu
organizationName = Fox
organizationalUnitName = Tech
commonName = www.jacktest.com
emailAddress = wwwadmin@jacktest.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
78:00:55:EA:DC:3B:E1:07:32:05:C3:8E:A8:26:C6:4A:1B:32:8F:31
X509v3 Authority Key Identifier:
keyid:F1:D0:03:45:E8:51:8E:AE:6C:87:CC:38:ED:9F:43:C2:D1:6E:46:42
Certificate is to be certified until Dec 10 08:26:36 2017 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@test ssl]# cd /etc/pki/CA/
[root@test CA]# cat index.txt
V 171210082636Z 01 unknown /C=CN/ST=Jiangsu/O=Fox/OU=Tech/CN=www.jacktest.com/emailAddress=wwwadmin@jacktest.com
[root@test CA]# cat serial #下一个发证序号
02
实例7.快速生成测试用证书
[root@test tls]# ls
cert.pem certs misc openssl.cnf private
[root@test tls]# cd certs/
[root@test certs]# ls
ca-bundle.crt make-dummy-cert Makefile
[root@test certs]# make httpd.pem
umask 77 ; \
PEM1=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
PEM2=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
/usr/bin/openssl req -utf8 -newkey rsa:1024 -keyout $PEM1 -nodes -x509 -days 365 -out $PEM2 -set_serial 0 ; \
cat $PEM1 > httpd.pem ; \
echo "" >> httpd.pem ; \
cat $PEM2 >> httpd.pem ; \
rm -f $PEM1 $PEM2
Generating a 1024 bit RSA private key
..++++++
......++++++
writing new private key to ‘/tmp/openssl.F15890‘
Country Name (2 letter code) [CN]:
State or Province Name (full name) [Jiangsu]:
Locality Name (eg, city) [Kunshan]:
Organization Name (eg, company) [Fox]:
Organizational Unit Name (eg, section) [Tech]:
Common Name (eg, your name or your server‘s hostname) []:www.jacktest.com
Email Address []:wwwadmin@jacktest.com
[root@test certs]# ls
ca-bundle.crt httpd.pem make-dummy-cert Makefile
[root@test certs]# vi Makefile #可参考此文件写相关命令
---end---
标签:openssl
原文地址:http://wangfx.blog.51cto.com/1697877/1881518