Linux openssl 实现

haoman

　　openssl是ssl的开源实现，至于ssl或tls就不在这讲述了。总之openssl就是一软件，实现加密数据、解密数据、创建私有CA。官网：www.openssl.org。
　　openssl主要构成：
　　libcrypro:加密库
　　libssl:tls/ssl（库）的实现（基于会话，实现身份认证、数据完成性和机密性）
　　openssl:命令工具，可实现私有证书颁发
　　例子解释
　　#查看本系统openssl的安装
　　[root@localhost ~]# rpm -qa openssl
　　openssl-0.9.8e-22.el5
　　openssl-0.9.8e-22.el5
　　#openssl安装的文件路径，太多就不显示了
　　[root@localhost ~]# rpm -ql openssl | more
　　

　　[root@localhost ~]# vim testssl.txt
　　12345678910
　　~
　　~
　　~
　　#执行下条命令时，输入加密密码（本次采用对称加密des3算法，也就是三重des)
　　[root@localhost ~]# openssl enc -des3 -salt -a -in testssl.txt -out testssl_des3
　　enter des-ede3-cbc encryption password:
　　Verifying - enter des-ede3-cbc encryption password:
　　[root@localhost ~]# vim testssl_des3
　　U2FsdGVkX18Ac3RL0TNIX/2lCQEGy959/u2/A4SCNt8=
　　~
　　~
　　#执行下条命令时，输入解密密码
　　[root@localhost ~]# openssl enc -des3 -d -salt -a -in testssl_des3 -out testssl.txt1
　　enter des-ede3-cbc decryption password:
　　#比较原文件和解密后的文件
　　[root@localhost ~]# diff testssl.txt testssl.txt1
　　

　　#几种单向加密的输出
　　[root@localhost ~]# sha1sum  testssl.txt
　　bb9670e73957e64e15d8411e2e424d84b8599e20  testssl.txt
　　[root@localhost ~]# openssl dgst -sha1 testssl.txt
　　SHA1(testssl.txt)= bb9670e73957e64e15d8411e2e424d84b8599e20
　　[root@localhost ~]# openssl dgst -md5 testssl.txt
　　MD5(testssl.txt)= 8140de300ce2cf5032f9489bd39afed0
　　[root@localhost ~]# openssl passwd -1 testssl.txt
　　$1$Ml2abKeF$Kx6uZL.1RTBshxFa.CT3I0
　　

　　#openssl实现私有CA
　　# 1. 先生成一对密钥
　　# 2. 生成自签署证书
　　[root@localhost ~]# cd /etc/pki/CA
　　[root@localhost CA]# openssl genrsa -out private/cakey.pem 2048
　　Generating RSA private key, 2048 bit long modulus
　　......................................................................................................................+++
　　..+++
　　e is 65537 (0x10001)
　　[root@localhost CA]# ls  -l private/
　　total 8
　　-rw-r--r-- 1 root root 1675 Apr 15 19:55 cakey.pem
　　[root@localhost CA]# chmod 600 private/cakey.pem
　　[root@localhost CA]# ls  -l private/
　　total 8
　　-rw------- 1 root root 1675 Apr 15 19:55 cakey.pem
　　[root@localhost CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem
　　You are about to be asked to enter information that will be incorporated
　　into your certificate request.
　　What you are about to enter is what is called a Distinguished Name or a DN.
　　There are quite a few fields but you can leave some blank
　　For some fields there will be a default value,
　　If you enter '.', the field will be left blank.
　　-----
　　Country Name (2 letter code) [GB]:CN
　　State or Province Name (full name) [Berkshire]:JS
　　Locality Name (eg, city) [Newbury]:NJ
　　Organization Name (eg, company) [My Company Ltd]:bocs
　　Organizational Unit Name (eg, section) []:Tech
　　Common Name (eg, your name or your server's hostname) []:ca.bocs.com
　　Email Address []:ca@bocs.com
　　[root@localhost CA]# openssl x509 -text -in cacert.pem
　　[root@localhost CA]# mkdir certs newcerts crl
　　[root@localhost CA]# touch index.txt
　　[root@localhost CA]# touch serial
　　[root@localhost CA]# echo 01 > serial
　　

　　#假设现有一台web要签证
　　[root@localhost ~]# mkdir /tmp/httpd
　　[root@localhost ~]# cd /tmp/httpd/
　　[root@localhost httpd]# mkdir ssl
　　[root@localhost httpd]# cd ssl
　　#生成私钥
　　[root@localhost ssl]# (umask 077; openssl genrsa -out httpd.key 1024)
　　Generating RSA private key, 1024 bit long modulus
　　.................++++++
　　..........................................................++++++
　　e is 65537 (0x10001)
　　#生成证书申请请求
　　[root@localhost ssl]# openssl req -new -key httpd.key -out httpd.csr
　　You are about to be asked to enter information that will be incorporated
　　into your certificate request.
　　What you are about to enter is what is called a Distinguished Name or a DN.
　　There are quite a few fields but you can leave some blank
　　For some fields there will be a default value,
　　If you enter '.', the field will be left blank.
　　-----
　　Country Name (2 letter code) [GB]:CN
　　State or Province Name (full name) [Berkshire]:JS
　　Locality Name (eg, city) [Newbury]:NJ
　　Organization Name (eg, company) [My Company Ltd]:bocs
　　Organizational Unit Name (eg, section) []:Tech
　　Common Name (eg, your name or your server's hostname) []:www.bocs.com
　　Email Address []:www@bocs.com
　　

　　Please enter the following 'extra' attributes
　　to be sent with your certificate request
　　A challenge password []:
　　An optional company name []:
　　

　　#CA服务器签证,执行命令时，先检查下/etc/pki/tls/openss.cnf  确认：dir  = /etc/pki/CA
　　[root@localhost ssl]# openssl ca -in httpd.csr -out httpd.crt -days 365
　　Using configuration from /etc/pki/tls/openssl.cnf
　　Check that the request matches the signature
　　Signature ok
　　Certificate Details:
　　Serial Number: 1 (0x1)
　　Validity
　　Not Before: Apr 15 12:23:06 2016 GMT
　　Not After : Apr 15 12:23:06 2017 GMT
　　Subject:
　　countryName               = CN
　　stateOrProvinceName       = JS
　　organizationName          = bocs
　　organizationalUnitName    = Tech
　　commonName                = www.bocs.com
　　emailAddress              = www@bocs.com
　　X509v3 extensions:
　　X509v3 Basic Constraints:
　　CA:FALSE
　　Netscape Comment:
　　OpenSSL Generated Certificate
　　X509v3 Subject Key Identifier:
　　E9:FE:1D:40:A2:42:A5:C1:80:A2:CD:94:3F:B0:D4:AB:92:45:7D:30
　　X509v3 Authority Key Identifier:
　　keyid:B2:0B:0D:C7:11:34:EF:B7:E3:AF:F7:75:D6:82:73:12:FA:A0:55:62
　　

　　Certificate is to be certified until Apr 15 12:23:06 2017 GMT (365 days)
　　Sign the certificate? [y/n]:y
　　

　　

　　1 out of 1 certificate requests certified, commit? [y/n]y
　　Write out database with 1 new entries
　　Data Base Updated
　　[root@localhost ssl]#
　　

　　#查看是否签证成功
　　[root@localhost CA]# cd /etc/pki/CA
　　[root@localhost CA]# cat index.txt
　　V170415122306Z01unknown/C=CN/ST=JS/O=bocs/OU=Tech/CN=www.bocs.com/emailAddress=www@bocs.com
　　[root@localhost CA]# cat serial
　　02
　　[root@localhost CA]#