|
|
一、安装openssl
二、openssl常用命令、选项
三、证书申请、自建CA、颁发证书
一、openssl
openssl 是一个强大的安全套接字层密码库,囊括主要的密码算法、常用的密钥和证书封装管理功能及SSL协议,并提供丰富的应用程序供测试或其它目的使用。
系统已经默认安装了openssl
?
1
2
| [iyunv@test3 etc]# rpm -qa openssl
openssl-1.0.1e-15.el6.x86_64
|
程序核心组成部分,可以用rpm –ql openssl 查看
libcrpto #实现加密、解密的程序库,为众多程序依赖
libssl #实现ssl功能的,要用到ssl功能的程序都是调用libssl库完成ssl会话
openssl #多功能、多用途的命令行程序,可以用openssl给个错误参数,查看其支持的命令,例如openssl ?
二、openssl常用命令、选项
?
1
| openssl version #查看openssl版本信息
|
?
1
| openssl speed des3 #测试当前主机加密算法速度
|
?
1
2
| openssl enc -des3 -in /path/to/somefile -e -out /path/to/somefile.des3 #加密文件,-des3指定加密方式为des3,-in指定需要加密的文件,-e表示加密,可以不使用,默认也是加密,-out指定加密后的文件
openssl enc -des3 -in /path/to/somefile.des3 -d -out /path/to/somefile #解密文件,-d解密文件
|
?
1
2
3
4
5
6
7
| openssl dgst -md5 -hex /path/to/somefile #获取文件特征码-hex表示16进制编码(可省略),可以man dgst查看相关信息
md5sum /path/to/somefile #结果同上个命令
#例如
[iyunv@test3 etc]# sha1sum fstab #用sha1算法计算文件特征码
ee89feffafe1130c9efe99e74e0ecbc9a30e8ca1 fstab
[iyunv@test3 etc]# openssl dgst -sha1 fstab #openssl命令使用sha1算法计算文件特征码
SHA1(fstab)= ee89feffafe1130c9efe99e74e0ecbc9a30e8ca1
|
?
1
2
3
4
5
6
7
8
9
10
11
| [iyunv@test3 etc]# openssl passwd -1 -salt 456754 #-1表示调用md5算法,-salt 45678表示加5位数的salt
Password: #输入要使用的密码
$1$456754$O2IkfmwS8A7wQH5MShPHS1 #加密后的密码
man sslrand #查看openssl rand的使用手册,使用使用openssl rand可以生成随机数,而不是上面使用的-salt 456754
[iyunv@test3 etc]# openssl rand -base64 4
wCYTFg==
[iyunv@test3 etc]# openssl rand -hex 4
58d5ed59
[iyunv@test3 etc]# openssl passwd -1 -salt `openssl rand -base64 5` #加入salt时,使用了随机数,而不是明文
Password:
$1$1HNVIvE=$Sjh023l/zZn4FvhYmSsMA/
|
?
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
| #生成私钥、加密私钥,位数为2的n次方位
[iyunv@test3 etc]# openssl genrsa 2048 #以rsa方式生成2048位的私钥[iyunv@test3 etc]# openssl genrsa –des3 512 #以rsa算法生成512位的私钥并以des3算法加密
[iyunv@test3 etc]# openssl genrsa -des3 512 > /root/mykey.pri #同openssl genrsa -des3 -out /root/mykey2.pri 512,以rsa方式生成512位私钥并加密,重定向到mykey.pri文件,即生成加密后的私钥文件Generating RSA private key, 512 bit long modulus
.++++++++++++
.............................++++++++++++
e is 65537 (0x10001)
Enter pass phrase: #输入密码
Verifying - Enter pass phrase: #再次输入密码
[iyunv@test3 etc]# cat /root/mykey.pri #查看内容
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,9226935221CE9300 #此处信息说明文件使用了des3加密
UG0QNVLyiM6D2/ptf4i86hQLoxZ4XiUdlTpvYAQKRcpPVvJegocQKb5DvK1TysAW
GdArv0FShTzS0YdU78EZmZNIX15aVDVinplwo17eXEawGwDuPlooehZPZVIhrYQq
wLW6ZNsxlLkVGR6sgyFccys+4Vk5GfgGFAyyYh28dVimbQMhrglAQILMRdlU2Gup
Hsp197/p2VKDaYpX1aLyJCXh5u/1SRxcIzzpNpmIeI++4zAV4rghVQXmq7CGOCOX
m6y6hWiacjnlA8XyssuXs7iRu14DfHwyetrgriUgjF0VePYFwTG+f426z6qUFhTH
3wlErzzIQQOJx8Nc1xxfk7Nsa5f0iFR55JLvFQN2wto+fQRsesD9qgZuvvKhdAlF
yeVT4sWnFqqBe3pL5hxwl1asIIVZcStAqfaHPonW8Qg=
-----END RSA PRIVATE KEY-----
|
?
1
2
3
4
5
6
7
8
| #提取公钥信息
[iyunv@test3 etc]# openssl rsa -in /root/mykey.pri -pubout #-in指定私钥文件,-pubout表示输出公钥信息
Enter pass phrase for /root/mykey.pri: #输入私钥文件密码
writing RSA key
-----BEGIN PUBLIC KEY-----
MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAJ9iWjqG4sKCGgOnZFPbjfq85feufHTr
/E9zmXo8luh7AMzGvhJXbjogvaYScCuyLmKKxZNXnmRNy7isYie8J/8CAwEAAQ==
-----END PUBLIC KEY-----
|
***一般私钥文件不允许其他用户有权限查看,我们可以使用如下命令***
?
1
2
3
4
5
6
7
8
9
| [iyunv@test3 etc]# (umask 077;openssl genrsa -des3 -out /root/mykey3.pri 512) #需要加括号,表示括号中的命令在子shell中执行,执行完后退出,创建的文件使用077遮罩,改变文件权限
Generating RSA private key, 512 bit long modulus
............++++++++++++
..++++++++++++
e is 65537 (0x10001)
Enter pass phrase for /root/mykey3.pri:
Verifying - Enter pass phrase for /root/mykey3.pri:
[iyunv@test3 etc]# ll /root/mykey3.pri
-rw-------. 1 root root 561 May 15 22:59 /root/mykey3.pri #不使用遮罩码时,创建的文件其他用户有权限查看
|
三、证书申请、自建CA、颁发证书
1、自建CA步骤
(1)、为CA生成一个私钥:
?
1
2
3
4
| [iyunv@test3 etc]# cd /etc/pki/CA/
[iyunv@test3 CA]# (umask 077; openssl genrsa -out private/cakey.pem 2048)
[iyunv@test3 CA]# ls private/
cakey.pem
|
(2)、生成自签证书:
?
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
| [iyunv@test3 CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 365 #rep证书签署请求、证书生成工具,读进的证书文件为PEM、DER格式,通常用DER,PEM用做测试用,一般用;-new实现制作证书申请使用该选项;-days指定证书有效期
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:GuangZhou
Locality Name (eg, city) [Default City]:ShenZhen
Organization Name (eg, company) [Default Company Ltd]:MRHH
Organizational Unit Name (eg, section) []:Tech
Common Name (eg, your name or your server's hostname) []:ca.youshine.com
Email Address []:youshine@126.com
[iyunv@test3 CA]# ls
cacert.pem certs crl newcerts private
[iyunv@test3 CA]# touch serial index.txt #新建证书序列号文件、所签证书记录文件
[iyunv@test3 CA]# echo 01 > serial #写入起始序列号
|
(3)、CA配置文件/etc/pki/tls/openssl.cnf,主要配置信息
?
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
| [ ca ] #当openssl扮演CA角色时,读取[ CA_default ]的配置
default_ca = CA_default # The default ca section
####################################################################
[ CA_default ]
dir = /etc/pki/CA #openssl扮演CA角色时的工作目录
certs = $dir/certs #当前CA的证书存取库
crl_dir = $dir/crl #证书撤消列表的工作目录
database = $dir/index.txt #所签证书的数据记录
#unique_subject = no # Set to 'no' to allow creation of
# several ctificates with same subject.
new_certs_dir = $dir/newcerts #新签证书的位置
certificate = $dir/cacert.pem #CA的证书
serial = $dir/serial #证书的序列号,已经签过多少,下一个是多少
crlnumber = $dir/crlnumber #吊销了多少个证书
# must be commented out to leave a V1 CRL
crl = $dir/crl.pem #当前的证书吊销列表文件
private_key = $dir/private/cakey.pem #证书颁发机构自己的私钥文件
RANDFILE = $dir/private/.rand # private random number file
x509_extensions = usr_cert # The extentions to add to the cert
|
2、申请证书:
(1)、生成一个私钥;
?
1
| [iyunv@test3 CA]# openssl genrsa -des3 -out /root/testkey.pri 512
|
(2)、制作一个证书签署请求;
# openssl req -new -key /path/to/private_key -out /paht/to/certificate.csr
?
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
| [iyunv@test3 CA]# openssl req -new -key /root/testkey.pri -out /root/test.csr #rep证书签署请求、证书生成工具,读进的证书文件为PEM、DER格式,通常用DER,PEM用做测试用,一般用;-new实现制作证书申请使用该选项-key指定私钥文件;-out指定申请证书保存位置
Enter pass phrase for /root/testkey.pri:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:GuangDong
Locality Name (eg, city) [Default City]:ShenZhen
Organization Name (eg, company) [Default Company Ltd]:www.test.com
Organizational Unit Name (eg, section) []:tech
Common Name (eg, your name or your server's hostname) []:www.test.com
Email Address []:222222@126.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
|
3、由CA负责签署申请的证书;
# openssl ca -in /path/to/certreq.csr -out /path/to/certfile.crt -days 365
?
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
| [iyunv@test3 CA]# openssl ca -in /root/test.csr -out /root/test.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: May 15 16:34:41 2015 GMT
Not After : May 14 16:34:41 2016 GMT
Subject:
countryName = CN
stateOrProvinceName = GuangDong
organizationName = MRHH
organizationalUnitName = Tech
commonName = www.test.com
emailAddress = 111111@qq.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
48:87:4A:73:BB:95:B6:60:10:44:87:B9:32:E3:69:F0:E7:E4:47:0C
X509v3 Authority Key Identifier:
keyid:86:77:91:BA:E0:72:AD:C5:08:B4:92:68:AF:49:3A:48:07:49:20:5B
Certificate is to be certified until May 14 16:34:41 2016 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[iyunv@test3 CA]# cat serial #这时可以看到序列号和index.txt文件中已经有了记录
02
[iyunv@test3 CA]# cat index.txt
V 160514163441Z 01 unknown /C=CN/ST=GuangDong/O=MRHH/OU=Tech/CN=www.test.com/emailAddress=111111@qq.com
|
|
|
QQ群⑧:
窥视卡
雷达卡
发表于 2015-5-18 13:20:16
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
千斤顶
显身卡