linux命令:制作CA证书生成及签核,openssl协议
openssl命令简介: SSL是Secure Sockets Layer(安全套接层协议)的缩写,可以在Internet上提供秘密性传输。Netscape公司在推出第一个Web浏览器的同时,提出了SSL协议标准。其目标是保证两个应用间通信的保密性和可靠性,可在服务器端和用户端同时实现支持。已经成为Internet上保密通讯的工业标准。 SSL能使用户/服务器应用之间的通...
openssl命令简介:
SSL是Secure Sockets Layer(安全套接层协议)的缩写,可以在Internet上提供秘密性传输。Netscape公司在推出第一个Web浏览器的同时,提出了SSL协议标准。其目标是保证两个应用间通信的保密性和可靠性,可在服务器端和用户端同时实现支持。已经成为Internet上保密通讯的工业标准。
SSL能使用户/服务器应用之间的通信不被***者窃听,并且始终对服务器进行认证,还可选择对用户进行认证。SSL协议要求建立在可靠的传输层协议(TCP)之上。SSL协议的优势在于它是与应用层协议独立无关的,高层的应用层协议(例如:HTTP,FTP,TELNET等)能透明地建立于SSL协议之上。SSL协议在应用层协议通信之前就已经完成加密算法、通信密钥的协商及服务器认证工作。在此之后应用层协议所传送的数据都会被加密,从而保证通信的私密性。
1.命令格式:
OpenSSL [选项][文件]
2.命令功能:
OpenSSL是多用途命令行工具,实现私有证书颁发机构.
3.命令参数:
Standard commands
asn1parse ca cipherscrl crl2pkcs7 dgst dh dhparamdsa dsaparam
enc engine errstr gendh gendsa genrsa nseq ocsp passwd pkcs12
pkcs7 pkcs8 prime rand req rsa rsautl s_client s_server s_time
sess_id smime speed spkac verify version x509
Message Digest commands (see the `dgst' command for more details)
md2 md4 md5 rmd160 sha sha1
Cipher commands (see the `enc' command for more details)
aes-128-cbc aes-128-ecb aes-192-cbc aes-192-ecb aes-256-cbc
aes-256-ecb base64 bf bf-cbc bf-cfb
bf-ecb bf-ofb cast cast-cbc cast5-cbc
cast5-cfb cast5-ecb cast5-ofb des des-cbc
des-cfb des-ecb des-ede des-ede-cbc des-ede-cfb
des-ede-ofb des-ede3 des-ede3-cbc des-ede3-cfb des-ede3-ofb
des-ofb des3 desx rc2 rc2-40-cbc
rc2-64-cbc rc2-cbc rc2-cfb rc2-ecb rc2-ofb
4.使用实例:
实例1.使用openssl speed 加密算法:显示openssl加密算法的速度
[root@localhost ~]# openssl speed 显示所有加密算法加密不同大小的数据所需的时间
Doing md2 for 3s on 16 size blocks: 394412 md2's in 2.98s
Doing md2 for 3s on 64 size blocks: 203352 md2's in 2.98s
Doing md2 for 3s on 256 size blocks: 69077 md2's in 2.98s
......
Doing md4 for 3s on 64 size blocks: 8383499 md4's in 2.97s
[root@localhost ~]# openssl speed des 显示des加密算法的加密不同大小的数据需要的时间
Doing des cbc for 3s on 16 size blocks: 9097196 des cbc's in 2.71s
Doing des cbc for 3s on 64 size blocks: 2466820 des cbc's in 2.74s
.......
Doing des cbc for 3s on 256 size blocks: 635165 des cbc's in 2.79s
Doing des cbc for 3s on 1024 size blocks: 192194 des cbc's in 3.00s
实例2.使用openssl enc 加密文件:通过enc进行加密
参数: -e:加密 -d:解密 -a:以base流形式加密(默认选项)
-in:需要加密的文件 -out:加密后输出的文件 -des3:加密算法
-salt:杂质(盐)
[root@johntest ~]# ls
anaconda-ks.cfg Desktop grub.conf inittab install.log install.log.syslog
[root@johntest ~]# openssl enc -des3 -salt -a -in inittab -out inittab.des3 加密文件
enter des-ede3-cbc encryption password:
Verifying - enter des-ede3-cbc encryption password:
[root@johntest ~]# ls
anaconda-ks.cfg Desktop grub.conf inittab inittab.des3 install.log install.log.syslog
[root@johntest ~]# mv inittab inittab.bk
[root@johntest ~]# cat inittab.des3
U2FsdGVkX19G5XhZb/jjhqwbvAaPBz2sgpsqfl6PlkqPR/0SO13ejnBHqTJYewiQ
7FnG4an4QQZY4kaVwhs858Y4ic6KL1seXsvwtIW+BqL+woiVJH0fRFRFLzv6a5na
... (省略35行)
[root@johntest ~]# openssl enc -des3 -d -salt -a -in inittab.des3 -out inittab 解密文件
enter des-ede3-cbc decryption password:
[root@johntest ~]# ls
anaconda-ks.cfg Desktop grub.conf inittab inittab.bk inittab.des3 install.log install.log.syslog
实例3.使用md5sum及openssl dgst -md5加密文件
[root@johntest ~]# md5sum inittab #提取特征码
92a39a223f68e67e9e6c412443851aeb inittab
[root@johntest ~]# sha
sha1hmac sha224sum sha256sum sha384sum sha512sum
sha1sum sha256hmac sha384hmac sha512hmac
[root@johntest ~]# sha1sum inittab #同一文件的相同算法的特征码一样
78ef239097844c223671e99a79d6b533dced8d3b inittab
[root@johntest ~]# openssl dgst -sha1 inittab
SHA1(inittab)= 78ef239097844c223671e99a79d6b533dced8d3b
[root@johntest ~]# openssl dgst -md5 inittab
MD5(inittab)= 92a39a223f68e67e9e6c412443851aeb
[root@johntest ~]#
实例4.使用openssl passwd生成有杂质的密码 salt:杂质(盐)
[root@johntest ~]# openssl passwd -1
Password:
Verifying - Password:
$1$H9SmHH0L$me6ujflYKSj6/XsM9I0XQ/
[root@johntest ~]# openssl passwd -1 #两次指定salt随机生成不一样
Password:
Verifying - Password:
$1$kY5RDrYX$MEU5eW3HHVXcDlfhUmrJ/1
[root@johntest ~]# openssl passwd -1 -salt kY5RDrYX #指定salt生成的密码一样
Password:
$1$kY5RDrYX$MEU5eW3HHVXcDlfhUmrJ/1
[root@johntest ~]#
实例5.使用openssl rand生成随机密码
[root@johntest ~]# openssl rand -base64 12 #生成12位的随机数
7nYC9UjBQYR6FFaD
[root@johntest ~]# openssl rand -base64 12
VgxBw3ZJUUxlZF0F
[root@johntest ~]# openssl rand -base64 16
20noIYaMsnO7mSPypsUHjQ==
[root@johntest ~]#
实例6.使用openssl genrsa生成指定长的对称密钥
[root@johntest ~]# (umask 077; openssl genrsa -out server512.key 512) 直接输出一个大小为512权限为700 的server512.key密钥文件
Generating RSA private key, 512 bit long modulus
.........++++++++++++
......................++++++++++++
e is 65537 (0x10001)
[root@johntest ~]# ll server5*
-rw------- 1 root root 493 Dec 10 13:45 server512.key
[root@johntest ~]# openssl rsa -in server512.key -pubout 从server512.key文件读出私钥,-pubout生成公钥
writing RSA key
-----BEGIN PUBLIC KEY-----
MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAMMjJyeTc0nIoHIrJqzC//CQ4Ca32TCn
8TQdC4VrnmhMv8o1I70UlY3pghalb+21APl3gNA6AKFtAN3BdtpcAt8CAwEAAQ==
-----END PUBLIC KEY-----
[root@johntest ~]# cat server512.key
-----BEGIN RSA PRIVATE KEY-----
MIIBOgIBAAJBAMMjJyeTc0nIoHIrJqzC//CQ4Ca32TCn8TQdC4VrnmhMv8o1I70U
lY3pghalb+21APl3gNA6AKFtAN3BdtpcAt8CAwEAAQJABSm68XsfQ8aBKEQoA84t
A2px49RddMIcyaozEdalHFFPrd6X85HuPvDiOd5urA296WYbfOZnPNVtCPOGyQId
gQIhAPBxohtu6yOnYw7uLYFo3prMSjhqdcG58lB/LQbmN5rhAiEAz8MgfmO77THy
pFt0A2lQ8RSqpF+U+2ZZDCSfsk+LFb8CIG7E6tmYj9stEgWe1Hf5yBOoacjzwqws
7eUHscar6JIBAiEAtGNRJSvnES0a5cVZ11RrqMYu2wT6T8Uvb7GkzqbttfUCIDCv
OvZmqJOxcrRVg+5EXdKn2VMCoj2pE/UMqoufNUO9
-----END RSA PRIVATE KEY-----
[root@johntest ~]#
实例7.生成自签署证书
[root@johntest ~]# openssl req -new -x509 -key server512.key -out server.crt -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:CN
State or Province Name (full name) [Berkshire]:Jiangsu
Locality Name (eg, city) [Newbury]:Kunshan
Organization Name (eg, company) [My Company Ltd]:Fox
Organizational Unit Name (eg, section) []:Tech
Common Name (eg, your name or your server's hostname) []:ca.johntest.com
Email Address []:caadmin@johntest.com
[root@johntest ~]# ll server.crt
-rw-r--r-- 1 root root 1115 Dec 10 13:54 server.crt #自签署证书
[root@johntest ~]# cat server.crt 直接查看证书内容
-----BEGIN CERTIFICATE-----
MIIDCzCCArWgAwIBAgIJAIwFOSD6/zYRMA0GCSqGSIb3DQEBBQUAMIGNMQswCQYD
VQQGEwJDTjEQMA4GA1UECBMHSmlhbmdzdTEQMA4GA1UEBxMHS3Vuc2hhbjEMMAoG
...
-----END CERTIFICATE-----
[root@johntest ~]# openssl x509 -text -in server.crt 通过文本方式查看证书内容
Certificate:
Data:
Version: 3 (0x2) #证书版本号
Serial Number: #证书序列号
8c:05:39:20:fa:ff:36:11
Signature Algorithm: sha1WithRSAEncryption #证书颁发机构信息
Issuer: C=CN, ST=Jiangsu, L=Kunshan, O=Fox, OU=Tech, CN=ca.johntest.com/emailAddress=caadmin@johntest.com
Validity #证书有效期
Not Before: Dec 10 05:54:21 2016 GMT
Not After : Dec 10 05:54:21 2017 GMT
Subject: C=CN, ST=Jiangsu, L=Kunshan, O=Fox, OU=Tech, CN=ca.johntest.com/emailAddress=caadmin@johntest.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (512 bit)
Modulus (512 bit):
00:c3:23:27:27:93:73:49:c8:a0:72:2b:26:ac:c2:
ff:f0:90:e0:26:b7:d9:30:a7:f1:34:1d:0b:85:6b:
9e:68:4c:bf:ca:35:23:bd:14:95:8d:e9:82:16:a5:
6f:ed:b5:00:f9:77:80:d0:3a:00:a1:6d:00:dd:c1:
76:da:5c:02:df
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
6B:7E:CC:25:99:50:72:FB:AC:DF:9D:3E:05:4B:DF:0A:F8:EA:D2:E6
X509v3 Authority Key Identifier:
keyid:6B:7E:CC:25:99:50:72:FB:AC:DF:9D:3E:05:4B:DF:0A:F8:EA:D2:E6
DirName:/C=CN/ST=Jiangsu/L=Kunshan/O=Fox/OU=Tech/CN=ca.johntest.com/emailAddress=caadmin@johntest.com
serial:8C:05:39:20:FA:FF:36:11
X509v3 Basic Constraints:
CA:TRUE
Signature Algorithm: sha1WithRSAEncryption #签名信息
58:ab:e1:5f:5a:e3:d4:d1:cc:c3:60:f2:2d:74:58:3b:a0:e4:
86:5d:5a:be:28:53:bf:ad:2a:69:44:ce:75:c7:23:7a:c2:9e:
55:4b:96:3e:9a:04:1c:64:f9:c2:bc:a7:99:3c:96:fc:69:9d:
5a:fc:92:71:60:33:ca:d4:47:00
-----BEGIN CERTIFICATE-----
MIIDCzCCArWgAwIBAgIJAIwFOSD6/zYRMA0GCSqGSIb3DQEBBQUAMIGNMQswCQYD
VQQGEwJDTjEQMA4GA1UECBMHSmlhbmdzdTEQMA4GA1UEBxMHS3Vuc2hhbjEMMAoG
...
-----END CERTIFICATE-----
[root@johntest ~]#
openssl实现私有CA:
1、生成一对密钥(openssl genrsa)
openssl genrsa -out /PATH/TO/keyfilename numbits 生成私钥文件keyfilename 长度为:numbits
openssl rsa -in /PATH/TO/keyfilename -pubout 生成跟私钥keyfilename对应的公钥
2、生成自签署证书(openssl rsq)
* 实例8.在本机创建自签署证书服务器
[root@johntest ~]# vi /etc/pki/tls/openssl.cnf #红色为已修改默认值
dir = /etc/pki/CA #证书工作目录
certs = $dir/certs #证书保存的位置
crl_dir = $dir/crl #证书吊销列表路径
database = $dir/index.txt #给那些用户发证书的信息
#unique_subject = no # Set to 'no' to allow creation of
# several ctificates with same subject.
new_certs_dir = $dir/newcerts # 新生成证书路径
certificate = $dir/cacert.pem #自己生成的证书
serial = $dir/serial # 证书系列号
crlnumber = $dir/crlnumber # 证书吊销列表工作号
# must be commented out to leave a V1 CRL
crl = $dir/crl.pem # 证书吊销列表工作文件
private_key = $dir/private/cakey.pem # CA自己的私钥文件
RANDFILE = $dir/private/.rand # private random number file
x509_extensions = usr_cert # The extentions to add to the cert
# Comment out the following two lines for the "traditional"
# (and highly broken) format.
name_opt = ca_default # Subject Name options
cert_opt = ca_default # Certificate field options
default_days = 3650 # 证书有效期天数
default_crl_days= 30 # how long before next CRL
default_md = sha1 # which md to use.
preserve = no # keep passed DN ordering
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = CN 国家
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Jiangsu 省份
localityName = Locality Name (eg, city)
localityName_default = Kunshan 城市
0.organizationName = Organization Name (eg, company)
0.organizationName_default = Fox 公司
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = Tech 部门,默认该行被注释掉,把#去掉即可
[root@johntest ~]# openssl version 查看openssl版本
OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
[root@test ~]# cd /etc/pki/CA/ 切换到CA目录
[root@test CA]# ls
private
[root@test CA]# (umask 077; openssl genrsa -out private/cakey.pem 2048) 生成私钥且权限为700,-out 保存在当前目录下pribate目录下,名称为cakey.pem,长度为2048
Generating RSA private key, 2048 bit long modulus
..+++
...............................+++
e is 65537 (0x10001)
[root@test CA]# ll private/
total 4
-rw------- 1 root root 1679 Dec 10 14:48 cakey.pem
[root@test CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem 生成一个以cakey.pem私钥 相对应的自签公钥文件cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [Jiangsu]:
Locality Name (eg, city) [Kunshan]:
Organization Name (eg, company) [Fox]:
Organizational Unit Name (eg, section) [Tech]:
Common Name (eg, your name or your server's hostname) []:ca.johntest.com
Email Address []:caadmin@johntest.com
[root@test CA]#mkdir certs newcerts crl 创建certs newcerts crl目录
[root@test CA]# touch index.txt
[root@test CA]# echo 01 > serial #下一个证书编号为01
[root@test CA]# ls
cacert.pem certs crl index.txt newcerts private serial
[root@test CA]# cd /etc/httpd/ 切换到httpd目录
在HTTP里新建一个SSL:
[root@test httpd]# mkdir ssl
[root@test httpd]# cd ssl
[root@test ssl]# pwd
/etc/httpd/ssl
[root@test ssl]#(umask 077; openssl genrsa -out httpd.key 1024) 生成httpd自己的私钥文件
Generating RSA private key, 1024 bit long modulus
..........................++++++
...........++++++
e is 65537 (0x10001)
[root@test ssl]# cat httpd.key
-----BEGIN RSA PRIVATE KEY-----
MIICXQIBAAKBgQDKxLVn2vx3xpl0pwFcfvgMCjfOVvhcNFCrQ0tG+XWtl9eXfohC
Y9j+WiKC9cyMdUovyr9VmweUdXON3foFhIm7+VkSma7c5ixuQuGvh4HKSDrG6g9W
U9gdpEa9BA1RyCoRWXo7fAb73/IAyqRoJAaqEXG2wnVzyUunCaieIgsmEwIDAQAB
AoGBAMc/Wn7OOg48kiiFvxm0DmxOUh4pae243pgcDUmV8iP9tDVCegS69syhp44G
mNRgoOCrmy40o9MnQsBiIr/vSCM0usYwdkz9TcKHND1Ime+3gQCRfbbnFQetF5dh
LMDvIYiQhvSY0qpikMhP/pJV0A/1JJabkV/k4N3U4GoZ+WjxAkEA8krkLa2gh02n
H7Kc7MCyxfo1TWb/ZwwaN031i1COO9CU1YoqhUPaNxdP3gzZaZWMrYOlw1Yguv1I
C5XB5i6rKQJBANY9ZC6JvzhsRLj+rStmTPMqV9ODsssGFJD6blYVuY0QMEZCnHSF
alhza1/q4XiNEccmMYd023r4OrEaw1r6KtsCQGHdPBLzKX7dL57O/zFlmA/9QyBT
dN/DdKdX9tDhpcGlOyiRWSFgybgs01amK/7Ip/zByud+V1QPz9TWFW6K9RkCQAff
/9O6Gn5PdIM8UU88Fm4Fy26p86OE2LKvkei2KbjmtG+QuUGLOeqAa5z9/EW7IcEp
RT7Oa9bsUvP5oN6yPWsCQQDTpEwskF2NIuPj5s1ke2Q+okmoGiWClLcGaYiCVzJm
DgIwxIU/hTe3KQCXIY+PEAypp5yLbmSgqXBNO3d0/TuM
-----END RSA PRIVATE KEY-----
[root@test ssl]#
[root@test ssl]# openssl req -new -key httpd.key -out httpd.csr 以httpd.key私钥文件生成签核申请文件
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [Jiangsu]:
Locality Name (eg, city) [Kunshan]:
Organization Name (eg, company) [Fox]:
Organizational Unit Name (eg, section) [Tech]:
Common Name (eg, your name or your server's hostname) []:www.johntest.com
Email Address []:wwwadmin@johntest.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:: #密码为空(不用加密私钥)
An optional company name []:
[root@test ssl]# ls
httpd.csr httpd.key
[root@test ssl]# openssl ca -in httpd.csr -out httpd.crt -days 365 签核证书申请
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Dec 10 08:26:36 2016 GMT
Not After : Dec 10 08:26:36 2017 GMT
Subject:
countryName = CN
stateOrProvinceName = Jiangsu
organizationName = Fox
organizationalUnitName = Tech
commonName = www.johntest.com
emailAddress = wwwadmin@johntest.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
78:00:55:EA:DC:3B:E1:07:32:05:C3:8E:A8:26:C6:4A:1B:32:8F:31
X509v3 Authority Key Identifier:
keyid:F1:D0:03:45:E8:51:8E:AE:6C:87:CC:38:ED:9F:43:C2:D1:6E:46:42
Certificate is to be certified until Dec 10 08:26:36 2017 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@test ssl]# cd /etc/pki/CA/
[root@test CA]# cat index.txt
V 171210082636Z 01 unknown /C=CN/ST=Jiangsu/O=Fox/OU=Tech/CN=www.johntest.com/emailAddress=wwwadmin@johntest.com
[root@test CA]# cat serial #下一个发证序号
02
实例9.快速生成测试用证书
[root@test tls]# ls
cert.pem certs misc openssl.cnf private
[root@test tls]# cd certs/
[root@test certs]# ls
ca-bundle.crt make-dummy-cert Makefile
[root@test certs]# make httpd.pem
umask 77 ; \
PEM1=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
PEM2=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
/usr/bin/openssl req -utf8 -newkey rsa:1024 -keyout $PEM1 -nodes -x509 -days 365 -out $PEM2 -set_serial 0 ; \
cat $PEM1 > httpd.pem ; \
echo "" >> httpd.pem ; \
cat $PEM2 >> httpd.pem ; \
rm -f $PEM1 $PEM2
Generating a 1024 bit RSA private key
..++++++
......++++++
writing new private key to '/tmp/openssl.F15890'
Country Name (2 letter code) [CN]:
State or Province Name (full name) [Jiangsu]:
Locality Name (eg, city) [Kunshan]:
Organization Name (eg, company) [Fox]:
Organizational Unit Name (eg, section) [Tech]:
Common Name (eg, your name or your server's hostname) []:www.johntest.com
Email Address []:wwwadmin@johntest.com
[root@test certs]# ls
ca-bundle.crt httpd.pem make-dummy-cert Makefile
[root@test certs]# vi Makefile #可参考此文件写相关命令
转载于:https://blog.51cto.com/woyaoxuelinux/1888501
更多推荐
0
0- 0
已为社区贡献2条内容
所有评论(0)