美文网首页
openssl命令详解

openssl命令详解

作者: 小尛酒窝 | 来源:发表于2018-04-19 00:04 被阅读0次

OpenSSL是一个安全套接字层密码库,其包括常用的密码算法、常用的密钥生成和证书封装管理功能及SSL协议,并提供了丰富的应用程序以供测试。
OpenSSL是一个开源的项目,其由三个部分组成:
1、openssl命令行工具;
2、libencrypt加密算法库;
3、libssl加密模块应用库;

这里主要学习下openssl命令工具的用法,openssl命令工具有两种运行模式:交换模式批处理模式。直接输入openssl回车即可进入交互模式,而输入带命令选项的openssl命令则进行批处理模式。

1、对称加密算法的应用

利用OpenSSL作对称加密需要使用其子命令enc,其用法为:

openssl enc -ciphername [-in filename] [-out filename] [-pass arg] [-e] [-d] [-a/-base64] [-A] [-k password] [-kfile filename] [-K key] [-iv IV] [-S salt] [-salt] [-nosalt] [-z] [-md] [-p] [-P] [-bufsize number] [-nopad] [-debug] [-none] [-engine id]

其中常用的选项为:

-e:加密;
-d:解密;
-ciphername:ciphername为相应的对称加密算命名字,如-des3、-ase128、-cast、-blowfish等等。
-a/-base64:使用base-64位编码格式;
-salt:自动插入一个随机数作为文件内容加密,默认选项;
-in FILENAME:指定要加密的文件的存放路径;
-out FILENAME:指定加密后的文件的存放路径;

使用案例

  • 加密字符串
[root@localhost ~]# echo "hello,world" | openssl enc -aes128 -e -a -salt
enter aes-128-cbc encryption password:
Verifying - enter aes-128-cbc encryption password:
U2FsdGVkX1/LT+Ri9pzjjS0FIGXJLNRc8ljvZJ3hf0M=
  • 加解密文件
[root@localhost ~]# openssl enc -des3 -e -a -in /etc/fstab -out /tmp/fstab
enter des-ede3-cbc encryption password:
Verifying - enter des-ede3-cbc encryption password:

[root@localhost ~]# cat /tmp/fstab 
U2FsdGVkX1/pdsq5HUjsP5Kpqr378qnZSmH1j9a4KdasuG+6Jy+Mh0cRYA5IUuJ4
732mG1td6x2jvLq0JNpT+WcTFXoH30x1o6KDN6Kwyc26+uTjYb+cwf9ZhZWoEi4c
5Zh1h8S4PwKA9m/ebJAh97RSLuVWqPOsZDJ9w/zE3X0iKnb8nVNEkApB6OYjkV4s
....

[root@localhost ~]# openssl enc -d -des3 -a -salt -in /tmp/fstab 
enter des-ede3-cbc decryption password:
#
# /etc/fstab
# Created by anaconda on Sun Nov 19 02:26:36 2017
....
devpts                  /dev/pts                devpts  gid=5,mode=620  0 0
sysfs                   /sys                    sysfs   defaults        0 0
proc                    /proc                   proc    defaults        0 0

2、单向加密

OpenSSL单向加密的子命令为dgst,其语法如下:

openssl dgst [-md5|-md4|-md2|-sha1|-sha|-mdc2|-ripemd160|-dss1] [-c] [-d] [-hex] [-binary] [-out filename] [-sign filename] [-keyform arg] [-passin arg] [-verify filename] [-prverify filename] [-signature filename] [-hmac key] [file...]

其常用的选项为:

[-md5|-md4|-md2|-sha1|-sha|-mdc2|-ripemd160|-dss1]:指定一种单向加密算法;
-out FILENAME:将加密的内容保存到指定的文件中;

单向加密除了 openssl dgst 工具还有: md5sum,sha1sum,sha224sum,sha256sum ,sha384sum,sha512sum

使用案例

  • 生成指定文件的特征码
[root@localhost ~]# openssl dgst -md5 /tmp/fstab 
MD5(/tmp/fstab)= ef7b65e9d3200487dc06427934ce5c2d

[root@localhost ~]# md5sum /tmp/fstab 
ef7b65e9d3200487dc06427934ce5c2d  /tmp/fstab

[root@localhost ~]# echo hello,world | md5sum
757228086dc1e621e37bed30e0b73e17  -

[root@localhost ~]# echo hello,world | openssl dgst -md5
(stdin)= 757228086dc1e621e37bed30e0b73e1

3、加密密码

OpenSSL还支持生成密码的hash离散值,其子命令为passwd,语法如下:

openssl passwd [-crypt] [-1] [-apr1] [-salt string] [-in file] [-stdin] [-noverify] [-quiet] [-table] {password}

常用选项为:

-salt STRING:添加随机数;
-in FILE:对输入的文件内容进行加密;
-stdin:对标准输入的内容进行加密;

使用案例

  • 生成密码的hash值
[root@localhost ~]# openssl passwd -1 -salt 123456 PASSWORD
$1$123456$KP0rRo6agiZOiJz8GMOd00

4、生成随机数

openssl命令也支持生成随机数,其子命令为rand,对应的语法为:

openssl rand [-out file] [-rand file(s)] [-base64] [-hex] num

常用选项有:

-base64:以base64编码格式输出;
-hex:使用十六进制编码格式;
-out FILE:将生成的内容保存在指定的文件中;

使用案例

[root@localhost ~]# openssl rand  -base64  10
d0etSF7CA13hhg==

5、生成密钥对

利用openssl命令的子命令genrsa生成私钥,然后再使用子命令rsa私钥中提取公钥。
genrsa的语法如下:

openssl genrsa [-out filename] [-passout arg] [-des] [-des3] [-idea] [-f4] [-3] [-rand file(s)] [-engine id] [numbits]
常用选项:
-out FILENAME:将生成的私钥保存至指定的文件中;
[-des] [-des3] [-idea]:指定加密算法;
numbits:指明生成的私钥大小,默认是512;

通常来说秘钥文件的权限一般只能由管理员访问,因此可以结合umask命令来设置生成的密钥文件的权限,如:

[root@localhost ~]# (umask 077;openssl genrsa -out CA.key 4096)
Generating RSA private key, 4096 bit long modulus
.........................................................................................................................................++
.................................................................++
e is 65537 (0x10001)
[root@localhost ~]# ll CA.key 
-rw-------. 1 root root 3243 Feb  2 06:33 CA.key

而随后可利用rsa子命令生成的私钥文件中提取公钥,rsa子命令的语法为:

openssl rsa [-inform PEM|NET|DER] [-outform PEM|NET|DER] [-in filename] [-passin arg] [-out filename] [-passout arg] [-sgckey] [-des] [-des3] [-idea] [-text] [-noout] [-modulus] [-check] [-pubin] [-pubout] [-engine id]

常用选项为:
-in FILENAME:指明私钥文件的存放路径;
-out FILENAME:指明将公钥的保存路径;
-pubout:根据提供的私钥,从中提取出公钥;

如:

[root@localhost ~]# openssl rsa -pubout -in CA.key 
writing RSA key
-----BEGIN PUBLIC KEY-----
MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA0r92sttB5yUOI3nE2nvj
PeTZaKkFw2f4cVy8x615afGDhw/XvfWqd2X3BqUy9pPyVoYLOrO0fvGWtx0zVy76
HZ/N3vkUdmzQlJahwKl+K2rVYl2U7fw+qO1UHzrvnNqe6p10KURwAsD1nhuRf/ra
SlxUuOPLNjyu5QeSjtoMuYbhk72M+ht+vNuZI8i2e9B6t6HzoHvnmxldjj+4tQje
BCxeWwaerb8iWZ8KiNDGtqu1X20EevvJY7sp7RzzUPT4EKrXQ6BUyl+VeodHiHxp
l/8gVdlDEYIyurjBwNJDl3I+ug+MZwB0BaPSqNdbgcQbwdM/E6SiBIKU366XkZ39
uDneIZEaZIe12k3MlxqvXyLrsHc2V4jNdK+BNF0bU8pd8Z0wJ7B+Fl/k1+4fD5hS
WLOziix36WrqWzgSgOAV4oEwZjLfBTWIPEcDLUO2LhrhHv4S9APi4FAIslu8QlHv
dkzHaG0e6zolsIAHa1wClTVwFFfmABmo2axpc3IAu9EQA4lLJwK5MiDlANHJBTY7
HXlAOGADgJXY3euiUB4oQ/WPcP2XPTmRQcYoey3hRETPbJd6heM6Rfx9TyCxjxeo
xStmZmhHKZZek+h14Q/hmaK946SkPcbbszL1WzK/STwpceDgnijMgStq6fIippLb
zaQiGXIq0SE8FGuYnCTYJPMCAwEAAQ==
-----END PUBLIC KEY-----

6、创建CA和申请证书

在使用OpenSSL命令创建证书前,可查看配置文件/etc/pki/tls/openss.conf文件,查看该文件定义了的证书存放位置及名称。
1)创建自签证书
首先为CA提供所需的目录及文件,并指明证书的开始编号:

# mkdir -pv /etc/pki/CA/{certs,crl,newcerts}
# touch /etc/pki/CA/{serial,index.txt}
# echo 01 > /etc/pki/CA/serial

随后生成私钥,注意私钥的文件名及其存放的位置,需与配置文件中相匹配:

[root@localhost ~]# (umask 077;openssl genrsa -out /etc/pki/CA/private/CAkey.pem 4096)
Generating RSA private key, 4096 bit long modulus
..............................++
.........................................................++
e is 65537 (0x10001)
[root@localhost ~]# ll /etc/pki/CA/private/CAkey.pem 
-rw-------. 1 root root 3243 Feb  2 07:10 /etc/pki/CA/private/CAkey.pem

最后创建自签证书:

[root@localhost CA]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem  -out /etc/pki/CA/cacert.pem -days 3650
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:guangdong
Locality Name (eg, city) [Default City]:shenzhen  
Organization Name (eg, company) [Default Company Ltd]:magedu
Organizational Unit Name (eg, section) []:ops
Common Name (eg, your name or your server's hostname) []:ca.magedu.com
Email Address []:
[root@localhost CA]# 
[root@localhost CA]# 
[root@localhost CA]# ll 
total 20
-rw-r--r--. 1 root root 2025 Apr 17 02:14 cacert.pem
drwxr-xr-x. 2 root root 4096 May  9  2016 certs
drwxr-xr-x. 2 root root 4096 May  9  2016 crl
drwxr-xr-x. 2 root root 4096 May  9  2016 newcerts
drwx------. 2 root root 4096 Apr 17 02:12 private

其中命令openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem -days 3650用到子命令为req,其为证书请求及生成的工具,用到的选项解释为:

-new:表示生成一个新的证书签署请求;
-x509:专用于生成CA自签证书;
-key:指定生成证书用到的私钥文件;
-out FILNAME:指定生成的证书的保存路径;
-days:指定证书的有效期限,单位为day,默认是365天;

2)颁发证书
通常来说在CA签署颁发证书需要进行以下步骤:

  • 在需要使用证书的主机上生成私钥(私钥文件位置无限制)
[root@localhost ~]# (umask;openssl genrsa -out httpd.key 4096)
0022
Generating RSA private key, 4096 bit long modulus
...................................................................................................................................................................................................++
............................................................++
e is 65537 (0x10001)
  • 生成证书签署请求;
[root@localhost ~]# openssl req -new -key httpd.key -out httpd.csr -days 3650
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN       
State or Province Name (full name) []:guangdong
Locality Name (eg, city) [Default City]:shenzhen
Organization Name (eg, company) [Default Company Ltd]:magedu
Organizational Unit Name (eg, section) []:ops
Common Name (eg, your name or your server's hostname) []:web.magedu.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

  • 通过可靠的方式将证书签署请求发送给CA主机;
  • 在CA服务器上签署证书后颁发证书
[root@localhost ~]# openssl ca -in httpd.csr -out /etc/pki/CA/certs/httpd.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Apr 16 18:31:12 2018 GMT
            Not After : Apr 16 18:31:12 2019 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = guangdong
            organizationName          = magedu
            organizationalUnitName    = ops
            commonName                = web.magedu.com
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                D2:A2:81:85:70:1B:12:A2:06:7E:F6:FB:32:7B:56:3B:7B:CB:A2:B2
            X509v3 Authority Key Identifier: 
                keyid:43:AE:6C:A2:6F:6E:E4:E1:C3:45:3E:1D:74:E6:94:89:50:25:0C:0A

Certificate is to be certified until Apr 16 18:31:12 2019 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

上述命令用到了openssl命令的子命令CA,用于在CA服务器上签署或吊销证书。

  • 查看证书信息:
[root@localhost ~]# openssl x509 -in /etc/pki/CA/certs/httpd.crt -noout -serial -dates -subject
serial=01
notBefore=Apr 16 18:31:12 2018 GMT
notAfter=Apr 16 18:31:12 2019 GMT
subject= /C=CN/ST=guangdong/O=magedu/OU=ops/CN=web.magedu.com

上述查看证书使用了openssl命令的子命令x509,其选项解释为:

-noout:不输出加密的证书内容;
-serial:输出证书序列号;
-dates:显示证书有效期的开始和终止时间;
-subject:输出证书的subject;

3)吊销证书
吊销证书的步骤通常为:

  • 在使用证书的主机上获取要吊销的证书的serial和subject信息(使用查看证书的命令)
  • 根据客户提交的serial和subject信息,对比本机数据库index.txt中存储的是否一致
  • 如一致,则执行吊销证书的操作;
[root@localhost ~]# openssl ca -revoke /etc/pki/CA/newcerts/01.pem 
Using configuration from /etc/pki/tls/openssl.cnf
Revoking Certificate 01.
Data Base Updated
  • 生成吊销证书的吊销编号(第一次吊销证书时执行)
[root@localhost ~]# echo 01 > /etc/pki/CA/crlnumber
[root@localhost ~]# cat /etc/pki/CA/crlnumber
01
  • 更新证书吊销列表
[root@localhost ~]# openssl ca -gencrl -out /etc/pki/CA/crl/ca.crl
Using configuration from /etc/pki/tls/openssl.cnf

-gencrl选项为根据/etc/pki/CA/index.txt文件中的信息生成crl文件。

  • 查看crl文件
[root@localhost ~]# openssl crl -in /etc/pki/CA/crl/ca.crl -noout -text
Certificate Revocation List (CRL):
        Version 2 (0x1)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: /C=CN/ST=guangdong/L=shenzhen/O=magedu/OU=ops/CN=ca.magedu.com
        Last Update: Apr 16 18:54:35 2018 GMT
        Next Update: May 16 18:54:35 2018 GMT
        CRL extensions:
            X509v3 CRL Number: 
                1
Revoked Certificates:
    Serial Number: 01                 #吊销的证书serial
        Revocation Date: Apr 16 18:51:24 2018 GMT
    Signature Algorithm: sha1WithRSAEncryption
.....

相关文章

  • openssl命令详解

    OpenSSL是一个安全套接字层密码库,其包括常用的密码算法、常用的密钥生成和证书封装管理功能及SSL协议,并提供...

  • OpenSSL(简易版)

    OpenSSL:开源项目 三个组件: openssl命令: openssl命令 对称加密: openssl命令 单...

  • 获取https证书的方法

    使用openssl命令openssl s_client -connect : openssl s_client ...

  • OpenSSL 摘要命令 dgst 详解

    本文介绍 OpenSSL 摘要命令 dgst 的使用方法。 参数说明: [-sha | -sha1 | -mdc2...

  • 使用ssl自签证书搭建 Nodejs https 服务器, 并采

    使用 openssl 生成证书 openssl 说明: 使用 openssl 命令会把生成的证书输出到当前目录. ...

  • android NDK交叉编译静态openssl

    由于项目需要android版本的内置openssl命令 下载openssl包openssl-1.1.1c.tar....

  • nginx配置https

    流程 准备阶段: 安装jdk的keytool命令 安装openssl命令 注:也可以只是用openssl产生证书。...

  • openssl常用使用方式

    查看openssl可用命令 因为openssl没有查看可用命令的命令,但是我们可以输入一个错误的命令来让opens...

  • OpenSSL详解

    OpenSSL初接触的人恐怕最难的在于先理解各种概念 公钥/私钥/签名/验证签名/加密/解密/非对称加密 我们一般...

  • OpenSSL 总结

    本系列文章是对 OpenSSL 相关知识和使用方法的总结。 目录 OpenSSL 简介 用途 命令格式 命令分类摘...

网友评论

      本文标题:openssl命令详解

      本文链接:https://www.haomeiwen.com/subject/gclpkftx.html