OpenSSL命令学习
一、 基础概念
OpenSSL它是一个开放源代码的软件库包应用程序可以使用该包进行安全通信,避免窃听,并确认另一端连接器的身份。该包广泛应用于互联网网页服务器。
以问题为切入点,层层介绍OpenSSL各种功能。
一个X.证书所有人和发行人的信息如下图所示,请指出以下字段的含义
| CN:通用名称 | O:机构名 | C:国名 |
|---|---|---|
| OU:组织单位名称 | L:地理位置 |
二、 加解密
1. 创建新文件test,对称加解密
echo hello,openssl > test openssl enc -des3 -e -a -in ./test -out test.enc #加密 openssl enc -d -des3 -a -in ./test.enc #解密 利用OpenSSL对称加密需要使用其子命令enc,其用法为:
openssl enc -ciphername [-in filename] [-out filename] [-pass arg] [-e] [-d] [-a/-base64] [-A] [-k password] [-kfile filename] [-K key] [-iv IV] [-S salt] [-salt] [-nosalt] [-z] [-md] [-p] [-P] [-bufsize number] [-nopad] [-debug] [-none] [-engine id]
常用的选项有
-e:加密; -d:解密; -ciphername:ciphername对于相应的对称加密算命名-des3、-ase128、-cast、-blowfish等等。 -a/-base64:使用base-64位编码格式; -salt:默认选项自动插入随机数作为文件内容加密; -in FILENAME:指定加密文件的存储路径; -out FILENAME:指定加密文件的存储路径;
2. 计算文件test的摘要
openssl dgst test dgst是openssl单向加密命令的用法如下:
openssl dgst [-md5|-md4|-md2|-sha1|-sha|-mdc2|-ripemd160|-dss1] [-c] [-d] [-hex] [-binary] [-out filename] [-sign filename] [-keyform arg] [-passin arg] [-verify filename] [-prverify filename] [-signature filename] [-hmac key] [file…]
常用的选项有
[-md5|-md4|-md2|-sha1|-sha|-mdc2|-ripemd160|-dss1]:指定一种单向加密算法; -out FILENAME:在指定文件中保存加密内容;
OpenSSL还支持生成密码hash其子命令为离散值passwd,语法如下:
openssl passwd [-crypt] [-1] [-apr1] [-salt string] [-in file] [-stdin] [-noverify] [-quiet] [-table] {password}
常用选项如下:
-salt STRING:添加随机数; -in FILE:加密输入的文件内容; -stdin:加密标准输入内容;
三、证书
1. 签发CA自签名证书
openssl version -a #查看openssl的基本信息 #可找到openssl.cnf配置文件位于目录/usr/lib/ssl cd /usr/lib/ssl mkdir certs crl newcerts private touch index.txt serial ls -l #查看内容 openssl genrsa -des3 -out private/cakey.pem 512 #生成CA证书的私钥 openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 730 #生成CA自签名证书
上面openssl子命令的命令genrsa生成私钥,然后使用子命令rsa从私钥中提取公钥。 genrsa语法如下:
openssl genrsa [-out filename] [-passout arg] [-des] [-des3] [-idea] [-f4] [-3] [-rand file(s)] [-engine id] [numbits]
常用选项:
-out FILENAME:将生成的私钥保存到指定文件中; [-des] [-des3] [-idea]:指定加密算法; numbits:默认生成的私钥大小为512;
此外,还可以使用rsa子命令提取公钥,rsa语法如下:
openssl rsa [-inform PEM|NET|DER] [-outform PEM|NET|DER] [-in filename] [-passin arg] [-out filename] [-passout arg] [-sgckey] [-des] [-des3] [-idea] [-text] [-noout] [-modulus] [-check] [-pubin] [-pubout] [-engine id]
常用选项如下:
-in FILENAME:指示私钥文件的存储路径; -out FILENAME:指明公钥的保存路径; -pubout:从提供的私钥中提取公钥;
上面也用过req命令生成证书,req语法如下:
openssl req [-help] [-inform PEM|DER] [-outform PEM|DER] [-in filename] [-passin arg] [-out filename] [-passout arg] [-text] [-pubkey] [-noout] [-verify] [-modulus] [-new] [-rand file…] [-writerand file] [-newkey rsa:bits] [-newkey alg:file] [-nodes] [-key filename] [-keyform PEM|DER] [-keyout filename] [-keygen_engine id [-digest] [-config filename] [-multivalue-rdn] [-x509] [-days n] [-set_serial n] [-newhdr] [-addext ext] [-extensions section] [-reqexts section] [-precert] [-utf8] [-nameopt] [-reqopt] [-subject] [-subj arg] [-sigopt nm:v] [-batch] [-verbose] [-engine id]
我们用到的选项有:
-new:表示生成一个新的证书签署请求; -x509:专用于生成CA自签证书; -key:指定生成证书用到的私钥文件; -out FILNAME:指定生成的证书的保存路径; -days:指定证书的有效期限,单位为day,默认是365天;
2. 生成私钥长度为512,有效期为2年的客户证书。(包括生成私钥、生成证书申请、签发证书命令)
openssl genrsa -des3 -out app.key 512 #生成应用证书私钥
openssl req -new -key app.key -out app.csr #生成证书签名请求
echo 00 > serial
openssl ca -cert cacert.pem -keyfile private/cakey.pem -config ../openssl.cnf -in app.csr -out app.crt -days 730
上面用到了子命令ca,用于在ca服务器上签署和吊销证书,并生成crl,还维护已颁发证书的文本数据库及状态,语法如下:
openssl ca [-help] [-verbose] [-config filename] [-name section] [-gencrl] [-revoke file] [-valid file] [-status serial] [-updatedb] [-crl_reason reason] [-crl_hold instruction] [-crl_compromise time] [-crl_CA_compromise time] [-crldays days] [-crlhours hours] [-crlexts section] [-startdate date] [-enddate date] [-days arg] [-md arg] [-policy arg] [-keyfile arg] [-keyform PEM|DER] [-key arg] [-passin arg] [-cert file] [-selfsign] [-in file] [-out file] [-notext] [-outdir dir] [-infiles] [-spkac file] [-ss_cert file] [-preserveDN] [-noemailDN] [-batch] [-msie_hack] [-extensions section] [-extfile section] [-engine id] [-subj arg] [-utf8] [-sigopt nm:v] [-create_serial] [-rand_serial] [-multivalue-rdn] [-rand file…] [-writerand file]
用到的选项有
-cert :ca证书文件 -keyfile :用来签名请求的私钥 -config :配置文件 -revoke :要撤销证书的文件名 -gencrl:生成crl文件
另外,可以用x509查看证书
openssl x509 -in app.crt -noout =serial -dates -subject
-noout:不输出加密的证书内容; -serial:输出证书序列号; -dates:显示证书有效期的开始和终止时间; -subject:输出证书的subject;
3. 撤销客户证书
openssl ca -revoke cacert.pem
echo 00 > crlnumber
4. 发布CRL
openssl ca -gencrl -out ca.crl #发布crl
openssl crl -in ca.crl -noout -text #查看crl
参考:
[官方文档]:https://www.openssl.org/docs/man1.1.1/man1/
[小尛酒窝]: https://www.jianshu.com/p/e311a6537467