Linux命令：openssl

luoson1

openssl命令简介：

  SSL是Secure Sockets Layer（安全套接层协议）的缩写，可以在Internet上提供秘密性传输。Netscape公司在推出第一个Web浏览器的同时，提出了SSL协议标准。其目标是保证两个应用间通信的保密性和可靠性,可在服务器端和用户端同时实现支持。已经成为Internet上保密通讯的工业标准。　　  SSL能使用户/服务器应用之间的通信不被攻击者窃听，并且始终对服务器进行认证，还可选择对用户进行认证。SSL协议要求建立在可靠的传输层协议(TCP)之上。SSL协议的优势在于它是与应用层协议独立无关的，高层的应用层协议(例如：HTTP，FTP，TELNET等)能透明地建立于SSL协议之上。SSL协议在应用层协议通信之前就已经完成加密算法、通信密钥的协商及服务器认证工作。在此之后应用层协议所传送的数据都会被加密，从而保证通信的私密性。

1．命令格式：
  OpenSSL [选项][文件]

2．命令功能：

　　  OpenSSL是一个安全套接字层密码库，囊括主要的密码算法、常用的密钥和证书封装管理功能及SSL协议，并提供丰富的应用程序供测试或其它目的使用。
　　  OpenSSL被曝出现严重安全漏洞后，发现多数通过SSL协议加密的网站使用名为OpenSSL的开源软件包。OpenSSL漏洞不仅影响以https开头的网站，黑客还可利用此漏洞直接对个人电脑发起“心脏出血”（Heartbleed）攻击。据分析，Windows上有大量软件使用了存在漏洞的OpenSSL代码库，可能被黑客攻击抓取用户电脑上的内存数据。
　　

　　
3．命令参数：

　　Standard commands

　　asn1parse  ca  cipherscrl  crl2pkcs7  dgst   dh  dhparamdsa  dsaparam  
enc  engine  errstr  gendh  gendsa genrsa  nseq   ocsp   passwd pkcs12  
pkcs7  pkcs8  prime  rand   req  rsa  rsautl  s_client s_server  s_time  
sess_id smime  speed  spkac  verify version x509   

Message Digest commands (see the `dgst' command for more details)
md2  md4  md5  rmd160 sha  sha1   

Cipher commands (see the `enc' command for more details)
aes-128-cbc aes-128-ecb aes-192-cbc aes-192-ecb aes-256-cbc
aes-256-ecb base64  bf  bf-cbc  bf-cfb  
bf-ecb  bf-ofb  cast   cast-cbc cast5-cbc  
cast5-cfb  cast5-ecb  cast5-ofb  des  des-cbc
des-cfb des-ecb des-ede des-ede-cbc des-ede-cfb
des-ede-ofb des-ede3  des-ede3-cbc  des-ede3-cfb  des-ede3-ofb  
des-ofb des3   desx   rc2  rc2-40-cbc
rc2-64-cbc rc2-cbc rc2-cfb rc2-ecb rc2-ofb
　　
　　

　　
4．使用实例：


　　 实例1.使用openssl enc 加密文件

　　[root@jacktest ~]# ls
anaconda-ks.cfg  Desktop  grub.conf  inittab  install.log  install.log.syslog
[root@jacktest ~]# openssl enc -des3 -salt -a -in inittab -out inittab.des3
enter des-ede3-cbc encryption password:
Verifying - enter des-ede3-cbc encryption password:
[root@jacktest ~]# ls
anaconda-ks.cfg  Desktop  grub.conf  inittab inittab.des3  install.log  install.log.syslog
　　[root@jacktest ~]# mv inittab inittab.bk
　　[root@jacktest ~]# cat inittab.des3
U2FsdGVkX19G5XhZb/jjhqwbvAaPBz2sgpsqfl6PlkqPR/0SO13ejnBHqTJYewiQ
7FnG4an4QQZY4kaVwhs858Y4ic6KL1seXsvwtIW+BqL+woiVJH0fRFRFLzv6a5na
... (省略35行)
[root@jacktest ~]# openssl enc -des3 -d -salt -a -in inittab.des3 -out inittab
enter des-ede3-cbc decryption password:
[root@jacktest ~]# ls
anaconda-ks.cfg  Desktop  grub.conf inittab  inittab.bk  inittab.des3  install.log  install.log.syslog
　　

　　 实例2.使用md5sum及openssl dgst -md5加密文件
　　[root@jacktest ~]# md5sum init
md5sum: init: No such file or directory
[root@jacktest ~]# md5sum inittab   #提取特征码
92a39a223f68e67e9e6c412443851aeb  inittab
[root@jacktest ~]# sha
sha1hmac    sha224sum   sha256sum   sha384sum   sha512sum   
sha1sum     sha256hmac  sha384hmac  sha512hmac  
[root@jacktest ~]# sha1sum inittab     #同一文件的相同算法的特征码一样
78ef239097844c223671e99a79d6b533dced8d3b  inittab
[root@jacktest ~]# openssl dgst -sha1 inittab
SHA1(inittab)= 78ef239097844c223671e99a79d6b533dced8d3b
[root@jacktest ~]# openssl dgst -md5 inittab
MD5(inittab)= 92a39a223f68e67e9e6c412443851aeb
[root@jacktest ~]#

　　

　　 实例3.使用openssl passwd生成有杂质的密码
　　[root@jacktest ~]# openssl passwd -1
Password:
Verifying - Password:
$1$H9SmHH0L$me6ujflYKSj6/XsM9I0XQ/
[root@jacktest ~]# openssl passwd -1   #两次指定salt随机生成不一样
Password:
Verifying - Password:
$1$kY5RDrYX$MEU5eW3HHVXcDlfhUmrJ/1
[root@jacktest ~]# openssl passwd -1 -salt kY5RDrYX     #指定salt生成的密码一样
Password:
$1$kY5RDrYX$MEU5eW3HHVXcDlfhUmrJ/1
[root@jacktest ~]#

　　

　　 实例4.使用openssl rand生成随机密码
　　[root@jacktest ~]# openssl rand -base64 12   #生成12位的随机数
7nYC9UjBQYR6FFaD
[root@jacktest ~]# openssl rand -base64 12
VgxBw3ZJUUxlZF0F
[root@jacktest ~]# openssl rand -base64 16
20noIYaMsnO7mSPypsUHjQ==
[root@jacktest ~]#

　　

　　

　　 实例5.使用openssl genrsa生成指定长的对称密钥
　　[root@jacktest ~]# ( umask 077; openssl genrsa -out server512.key 512 )
Generating RSA private key, 512 bit long modulus
.........++++++++++++
......................++++++++++++
e is 65537 (0x10001)
　　[root@jacktest ~]# ll server5*
-rw------- 1 root root 493 Dec 10 13:45 server512.key
　　[root@jacktest ~]# openssl rsa -in server512.key -pubout
writing RSA key
-----BEGIN PUBLICKEY-----
MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAMMjJyeTc0nIoHIrJqzC//CQ4Ca32TCn
8TQdC4VrnmhMv8o1I70UlY3pghalb+21APl3gNA6AKFtAN3BdtpcAt8CAwEAAQ==
-----END PUBLIC KEY-----
[root@jacktest ~]# cat server512.key
-----BEGIN RSA PRIVATE KEY-----
MIIBOgIBAAJBAMMjJyeTc0nIoHIrJqzC//CQ4Ca32TCn8TQdC4VrnmhMv8o1I70U
lY3pghalb+21APl3gNA6AKFtAN3BdtpcAt8CAwEAAQJABSm68XsfQ8aBKEQoA84t
A2px49RddMIcyaozEdalHFFPrd6X85HuPvDiOd5urA296WYbfOZnPNVtCPOGyQId
gQIhAPBxohtu6yOnYw7uLYFo3prMSjhqdcG58lB/LQbmN5rhAiEAz8MgfmO77THy
pFt0A2lQ8RSqpF+U+2ZZDCSfsk+LFb8CIG7E6tmYj9stEgWe1Hf5yBOoacjzwqws
7eUHscar6JIBAiEAtGNRJSvnES0a5cVZ11RrqMYu2wT6T8Uvb7GkzqbttfUCIDCv
OvZmqJOxcrRVg+5EXdKn2VMCoj2pE/UMqoufNUO9
-----END RSA PRIVATE KEY-----
[root@jacktest ~]#

　　

　　 实例6.生成自签署证书

　　[root@jacktest ~]# openssl req -new -x509 -key server512.key -out server.crt -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:CN  
State or Province Name (full name) [Berkshire]:Jiangsu  
Locality Name (eg, city) [Newbury]:Kunshan
Organization Name (eg, company) [My Company Ltd]:Fox    
Organizational Unit Name (eg, section) []:Tech
Common Name (eg, your name or your server's hostname) []:ca.jacktest.com
Email Address []:caadmin@jacktest.com
[root@jacktest ~]# ll server.crt
-rw-r--r-- 1 root root 1115 Dec 10 13:54 server.crt   #自签署证书
[root@jacktest ~]# cat server.crt
-----BEGIN CERTIFICATE-----
MIIDCzCCArWgAwIBAgIJAIwFOSD6/zYRMA0GCSqGSIb3DQEBBQUAMIGNMQswCQYD
VQQGEwJDTjEQMA4GA1UECBMHSmlhbmdzdTEQMA4GA1UEBxMHS3Vuc2hhbjEMMAoG
...
-----END CERTIFICATE-----
[root@jacktest ~]# openssl x509 -text -in server.crt
Certificate:
    Data:
        Version: 3 (0x2)    #证书版本号
        Serial Number:   #证书序列号
            8c:05:39:20:fa:ff:36:11
        Signature Algorithm: sha1WithRSAEncryption   #证书颁发机构信息
        Issuer: C=CN, ST=Jiangsu, L=Kunshan, O=Fox, OU=Tech, CN=ca.jacktest.com/emailAddress=caadmin@jacktest.com
        Validity       #证书有效期
            Not Before: Dec 10 05:54:21 2016 GMT
            Not After : Dec 10 05:54:21 2017 GMT
        Subject: C=CN, ST=Jiangsu, L=Kunshan, O=Fox, OU=Tech, CN=ca.jacktest.com/emailAddress=caadmin@jacktest.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (512 bit)
                Modulus (512 bit):
                    00:c3:23:27:27:93:73:49:c8:a0:72:2b:26:ac:c2:
                    ff:f0:90:e0:26:b7:d9:30:a7:f1:34:1d:0b:85:6b:
                    9e:68:4c:bf:ca:35:23:bd:14:95:8d:e9:82:16:a5:
                    6f:ed:b5:00:f9:77:80:d0:3a:00:a1:6d:00:dd:c1:
                    76:da:5c:02:df
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                6B:7E:CC:25:99:50:72:FB:AC:DF:9D:3E:05:4B:DF:0A:F8:EA:D2:E6
            X509v3 Authority Key Identifier:  
                keyid:6B:7E:CC:25:99:50:72:FB:AC:DF:9D:3E:05:4B:DF:0A:F8:EA:D2:E6
                DirName:/C=CN/ST=Jiangsu/L=Kunshan/O=Fox/OU=Tech/CN=ca.jacktest.com/emailAddress=caadmin@jacktest.com
                serial:8C:05:39:20:FA:FF:36:11

            X509v3 Basic Constraints:
                CA:TRUE
    Signature Algorithm: sha1WithRSAEncryption   #签名信息
        58:ab:e1:5f:5a:e3:d4:d1:cc:c3:60:f2:2d:74:58:3b:a0:e4:
        86:5d:5a:be:28:53:bf:ad:2a:69:44:ce:75:c7:23:7a:c2:9e:
        55:4b:96:3e:9a:04:1c:64:f9:c2:bc:a7:99:3c:96:fc:69:9d:
        5a:fc:92:71:60:33:ca:d4:47:00
-----BEGIN CERTIFICATE-----
MIIDCzCCArWgAwIBAgIJAIwFOSD6/zYRMA0GCSqGSIb3DQEBBQUAMIGNMQswCQYD
VQQGEwJDTjEQMA4GA1UECBMHSmlhbmdzdTEQMA4GA1UEBxMHS3Vuc2hhbjEMMAoG
...
-----END CERTIFICATE-----
[root@jacktest ~]#

　　

　　 实例7.在本机创建自签署证书服务器
　　[root@jacktest ~]#  vi /etc/pki/tls/openssl.cnf   #红色为已修改默认值

　　dir             = /etc/pki/CA           # Where everything is kept
　　certs           = $dir/certs            # Where the issued certs are kept
crl_dir         = $dir/crl              # Where the issued crl are kept
database        = $dir/index.txt        # database index file.
　　default_days    = 3657                  # how long to certify for
countryName_default             = CN
stateOrProvinceName_default     = Jiangsu
0.organizationName_default      = Fox
organizationalUnitName_default  = Tech
　　[root@jacktest ~]# openssl version
OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
　　[root@test ~]# cd /etc/pki/CA/
[root@test CA]# ls
private
[root@test CA]# (umask 077; openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus
..+++
...............................+++
e is 65537 (0x10001)
[root@test CA]# ll private/
total 4
-rw------- 1 root root 1679 Dec 10 14:48 cakey.pem
[root@test CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [Jiangsu]:
Locality Name (eg, city) [Kunshan]:
Organization Name (eg, company) [Fox]:
Organizational Unit Name (eg, section) [Tech]:
Common Name (eg, your name or your server's hostname) []:ca.jacktest.com
Email Address []:caadmin@jacktest.com
[root@test CA]# touch index.txt
[root@test CA]# echo 01 > serial
[root@test CA]# ls
cacert.pem  certs  crl  index.txt  newcerts  private  serial
　　

　　在HTTP里新建一个SSL:

[root@test httpd]# mkdir ssl
[root@test httpd]# cd ssl
[root@test ssl]# pwd
/etc/httpd/ssl
[root@test ssl]# (umask 077; openssl genrsa -out httpd.key 1024)
Generating RSA private key, 1024 bit long modulus
..........................++++++
...........++++++
e is 65537 (0x10001)
[root@test ssl]# cat httpd.key
-----BEGIN RSA PRIVATE KEY-----
MIICXQIBAAKBgQDKxLVn2vx3xpl0pwFcfvgMCjfOVvhcNFCrQ0tG+XWtl9eXfohC
Y9j+WiKC9cyMdUovyr9VmweUdXON3foFhIm7+VkSma7c5ixuQuGvh4HKSDrG6g9W
U9gdpEa9BA1RyCoRWXo7fAb73/IAyqRoJAaqEXG2wnVzyUunCaieIgsmEwIDAQAB
AoGBAMc/Wn7OOg48kiiFvxm0DmxOUh4pae243pgcDUmV8iP9tDVCegS69syhp44G
mNRgoOCrmy40o9MnQsBiIr/vSCM0usYwdkz9TcKHND1Ime+3gQCRfbbnFQetF5dh
LMDvIYiQhvSY0qpikMhP/pJV0A/1JJabkV/k4N3U4GoZ+WjxAkEA8krkLa2gh02n
H7Kc7MCyxfo1TWb/ZwwaN031i1COO9CU1YoqhUPaNxdP3gzZaZWMrYOlw1Yguv1I
C5XB5i6rKQJBANY9ZC6JvzhsRLj+rStmTPMqV9ODsssGFJD6blYVuY0QMEZCnHSF
alhza1/q4XiNEccmMYd023r4OrEaw1r6KtsCQGHdPBLzKX7dL57O/zFlmA/9QyBT
dN/DdKdX9tDhpcGlOyiRWSFgybgs01amK/7Ip/zByud+V1QPz9TWFW6K9RkCQAff
/9O6Gn5PdIM8UU88Fm4Fy26p86OE2LKvkei2KbjmtG+QuUGLOeqAa5z9/EW7IcEp
RT7Oa9bsUvP5oN6yPWsCQQDTpEwskF2NIuPj5s1ke2Q+okmoGiWClLcGaYiCVzJm
DgIwxIU/hTe3KQCXIY+PEAypp5yLbmSgqXBNO3d0/TuM
-----END RSA PRIVATE KEY-----
[root@test ssl]#
　　[root@test ssl]# openssl req -new -key httpd.key -out httpd.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [Jiangsu]:
Locality Name (eg, city) [Kunshan]:
Organization Name (eg, company) [Fox]:
Organizational Unit Name (eg, section) [Tech]:
Common Name (eg, your name or your server's hostname) []:www.jacktest.com
Email Address []:wwwadmin@jacktest.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []::                 #密码可为空
An optional company name []:
[root@test ssl]# ls
httpd.csr  httpd.key
[root@test ssl]# openssl ca -in httpd.csr -out httpd.crt -days 365
　　Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Dec 10 08:26:36 2016 GMT
            Not After : Dec 10 08:26:36 2017 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = Jiangsu
            organizationName          = Fox
            organizationalUnitName    = Tech
            commonName                = www.jacktest.com
            emailAddress              = wwwadmin@jacktest.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                78:00:55:EA:DC:3B:E1:07:32:05:C3:8E:A8:26:C6:4A:1B:32:8F:31
            X509v3 Authority Key Identifier:
                keyid:F1:D0:03:45:E8:51:8E:AE:6C:87:CC:38:ED:9F:43:C2:D1:6E:46:42
Certificate is to be certified until Dec 10 08:26:36 2017 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@test ssl]# cd /etc/pki/CA/
[root@test CA]# cat index.txt
V    171210082636Z        01    unknown    /C=CN/ST=Jiangsu/O=Fox/OU=Tech/CN=www.jacktest.com/emailAddress=wwwadmin@jacktest.com
　　[root@test CA]# cat serial     #下一个发证序号
02
　　

　　
　　

　　 实例7.快速生成测试用证书

　　[root@test tls]# ls
cert.pem  certs  misc  openssl.cnf  private
[root@test tls]# cd certs/
[root@test certs]# ls
ca-bundle.crt  make-dummy-cert  Makefile
[root@test certs]# make httpd.pem
umask 77 ; \
    PEM1=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
    PEM2=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
    /usr/bin/openssl req -utf8 -newkey rsa:1024 -keyout $PEM1 -nodes -x509 -days 365 -out $PEM2 -set_serial 0 ; \
    cat $PEM1 >  httpd.pem ; \
    echo ""    >> httpd.pem ; \
    cat $PEM2 >> httpd.pem ; \
    rm -f $PEM1 $PEM2
Generating a 1024 bit RSA private key
..++++++
......++++++
writing new private key to '/tmp/openssl.F15890'
Country Name (2 letter code) [CN]:
State or Province Name (full name) [Jiangsu]:
Locality Name (eg, city) [Kunshan]:
Organization Name (eg, company) [Fox]:
Organizational Unit Name (eg, section) [Tech]:
Common Name (eg, your name or your server's hostname) []:www.jacktest.com
Email Address []:wwwadmin@jacktest.com
[root@test certs]# ls
ca-bundle.crt  httpd.pem  make-dummy-cert  Makefile
[root@test certs]# vi Makefile   #可参考此文件写相关命令

　　

---end---