溫馨提示×

您好,登錄后才能下訂單哦!

密碼登錄×
登錄注冊(cè)×
其他方式登錄
點(diǎn)擊 登錄注冊(cè) 即表示同意《億速云用戶服務(wù)條款》

openssl命令

發(fā)布時(shí)間:2020-07-10 10:01:03 來(lái)源:網(wǎng)絡(luò) 閱讀:202 作者:huyuwj 欄目:系統(tǒng)運(yùn)維

openssl
組件:
libcrypto, libssl主要開(kāi)發(fā)者使用;
openssl: 多用途命令行工具;

        openssl:
                    從多子命令   分為三類:
                                標(biāo)準(zhǔn)命令:
                                消息摘要命令(dgst子命令)
                                加密命令(enc子命令)
                對(duì)稱加密:
                        工具:openssl enc
                        支持的算法:3des,aes,blowfish,towfish

                    加密命令                    
                                 enc命令:

                                 實(shí)例:
                                                加密~]# openssl enc -e -des3 -a -salt -in fstab -out fstab.ciphertext      
                                                解密~]# openssl enc -d -des3 -a -salt -out fstab -in fstab.ciphertext
                 單向加密:
                             工具:openssl dgst,  md5sum, sha1sum, sha224sum,....

                             dgst命令:
                                         ~]# openssl dgst -md5 fstab
                                                MD5(fstab)= f24b68951add3236d19dff63f0c92206
                生成用戶密碼:
                            工具: passwd, openssl passwd

                            ~]#openssl passwd -1 -salt   隨機(jī)數(shù)(123456789)

                            實(shí)例:
                                [root@localhost ~]# openssl passwd -1 -salt $(openssl rand -hex 10)
                                                            Password: 
                                                            $1$9727a8fa$Ir21xFr8gVZJFK1trPohf.

                生成隨機(jī)數(shù):
                            工具:openssl rand

                        實(shí)例:
                                    [root@localhost ~]# openssl rand -hex 10
                                    8a7f0ab5316d5c0f2aba

                                    [root@localhost ~]# openssl rand -base64 10
                                    G8mVfr06RCHmhQ==
                公鑰加密:
                                加密解密:
                                        算法:RSA, ELGamal
                                        工具:openssl rsautl, gpg
                                數(shù)字簽名:
                                        算法:RSA, DSA,ELGamal
                                密鑰交換:
                                            算法:DH
                    生成密鑰:
                                生成私鑰: ~]# (umask 077; openssl genrsa -out /tmp/mykey.private 2048)
                                提出公鑰:~]# openssl rsa -in /tmp/mykey.private  -pubout

            linux系統(tǒng)上的隨機(jī)數(shù)生成器:
                            /dev/random:僅從熵池返回隨機(jī)數(shù);隨機(jī)數(shù)用盡,阻塞;
                            /dev/urandom:從熵池返回隨機(jī)數(shù);隨機(jī)數(shù)用盡,會(huì)利用軟件生成偽隨機(jī)數(shù),非阻塞;
                                    偽隨機(jī)數(shù)不安全;

                                熵池中隨機(jī)數(shù)的來(lái)源;
                                                硬盤(pán)IO中斷時(shí)間間隔;
                                                鍵盤(pán)IO中斷時(shí)間間隔;
                CA:
                        公共信任的CA,私用CA;

        openssl 命令:
                配置文件:~]# cat /etc/pki/tls/openssl.cnf 

`**構(gòu)建私有CA:`
        在確定配置為CA的服務(wù)上生成一個(gè)自簽證書(shū),并為CA提供所需要的目錄及文件即可;

        步驟:
                1.生成私鑰:
                        ~]# (umask 077; openssl genrsa -out /etc/pki/CA/private/cakey.pem 4096)
                2.生成自簽證書(shū):
                         -new:生成新證書(shū)簽署請(qǐng)求;
                         -x509:生成自簽格式證書(shū),專用于創(chuàng)建私有CA時(shí);
                         -key:生成請(qǐng)求時(shí)用到的私有文件路徑;
                         -out:生成的請(qǐng)求文件路徑;如果自簽操作將直接生成簽署過(guò)的證書(shū);
                         -days:證書(shū)的有效時(shí)長(zhǎng),單位是day;

                         ~]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem -days 3655

                                    You are about to be asked to enter information that will be incorporated
                                    into your certificate request.
                                    What you are about to enter is what is called a Distinguished Name or a DN.
                                    There are quite a few fields but you can leave some blank
                                    For some fields there will be a default value,
                                    If you enter '.', the field will be left blank.
                                    -----
                                    Country Name (2 letter code) [XX]:CN
                                    State or Province Name (full name) []:guangdong
                                    Locality Name (eg, city) [Default City]:shenzhen
                                    Organization Name (eg, company) [Default Company Ltd]:itxuezhe
                                    Organizational Unit Name (eg, section) []:ops
                                    Common Name (eg, your name or your server's hostname) []:ca.itxuezhe.com
                                    Email Address []:caadmin@itxuezhe.com

                                    [root@localhost ~]# ls /etc/pki/CA/
                                    caert.pem  certs  crl  newcerts  private

                    3.為CA提供所需的目錄及文件;
                            ~]# mkdir -pv /etc/pki/CA/{certs,crl,newcerts}
                            ~]# touch /etc/pki/CA/{serial,index.txt}
                            ~]# echo 01 > /etc/pki/CA/serial **

要用到證書(shū)進(jìn)行通信的服務(wù)器,需要向CA請(qǐng)求簽署證書(shū):

                步驟:(以httpd主機(jī)為例)
                        1.用到證書(shū)的主機(jī)生成證書(shū)簽署請(qǐng)求;
                                        ~]# mkdir /etc/httpd/ssl
                                        ~]# cd /etc/httpd/ssl 
                                ssl]# (umask 077; openssl genrsa -out httpd.key 2048)

                        3.2.生成證書(shū)簽署請(qǐng)求
                            [root@localhost ssl]# openssl req -new -key httpd.key -out httpd.csr -days 365
                                You are about to be asked to enter information that will be incorporated
                                into your certificate request.
                                What you are about to enter is what is called a Distinguished Name or a DN.
                                There are quite a few fields but you can leave some blank
                                For some fields there will be a default value,
                                If you enter '.', the field will be left blank.
                                -----
                                Country Name (2 letter code) [XX]:CN
                                State or Province Name (full name) []:guangdong
                                Locality Name (eg, city) [Default City]:shenzhen
                                Organization Name (eg, company) [Default Company Ltd]:itxuezhe 
                                Organizational Unit Name (eg, section) []:ops
                                Common Name (eg, your name or your server's hostname) []:www.itxuezhe.com
                                Email Address []:web@itxuezhe.com

                                Please enter the following 'extra' attributes
                                to be sent with your certificate request
                                A challenge password []:
                                An optional company name []:

                                [root@localhost ssl]# ll
                                總用量 8
                                -rw-r--r--. 1 root root 1078 12月 10 11:24 httpd.csr
                                -rw-------. 1 root root 1679 12月 10 11:20 httpd.key

                        3.將請(qǐng)求通過(guò)可靠方式發(fā)送給CA主機(jī);
                                        ssl]# scp httpd.csr root@192.168.80.16:/tmp/
                                                root@192.168.80.16's password: 
                                                httpd.csr              

                        4.在CA主機(jī)上簽署證書(shū);
                            [root@localhost ~]# openssl ca -in /tmp/httpd.csr -out /etc/pki/CA/certs/httpd.crt -days 365
                                        Using configuration from /etc/pki/tls/openssl.cnf
                                        Check that the request matches the signature
                                        Signature ok
                                        Certificate Details:
                                                        Serial Number: 1 (0x1)
                                                        Validity
                                                                Not Before: Dec 10 03:29:20 2019 GMT
                                                                Not After : Dec  9 03:29:20 2020 GMT
                                                        Subject:
                                                                countryName               = CN
                                                                stateOrProvinceName       = guangdong
                                                                organizationName          = itxuezhe
                                                                organizationalUnitName    = ops
                                                                commonName                = www.itxuezhe.com
                                                                emailAddress              = web@itxuezhe.com
                                                        X509v3 extensions:
                                                                X509v3 Basic Constraints: 
                                                                        CA:FALSE
                                                                Netscape Comment: 
                                                                        OpenSSL Generated Certificate
                                                                X509v3 Subject Key Identifier: 
                                                                        D9:B4:2D:FB:4C:5B:EC:8D:5E:90:9F:1B:C6:61:65:0C:FB:94:59:8C
                                                                X509v3 Authority Key Identifier: 
                                                                        keyid:44:C1:C1:A7:B5:5F:15:15:06:8B:3B:7C:15:CB:5E:B4:A6:19:FD:5E

                                        Certificate is to be certified until Dec  9 03:29:20 2020 GMT (365 days)
                                        Sign the certificate? [y/n]:y

                                        1 out of 1 certificate requests certified, commit? [y/n]y
                                        Write out database with 1 new entries
                                        Data Base Updated
                        證書(shū)簽署成功
                                ~]# cd /etc/pki/CA/
                                CA]# cat index.txt
                                V   201209032920Z       01  unknown/C=CN/ST=guangdong/O=itxuezhe/OU=www.itxuezhe.com/CN=www.itxuezhe.com/emailAddress=web@itxuezhe.com

        將簽署成功的證書(shū)發(fā)送給申請(qǐng)證書(shū)的主機(jī)                          
                             CA]# scp certs/httpd.crt root@192.168.80.17:/etc/httpd/ssl/
                                        The authenticity of host '192.168.80.17 (192.168.80.17)' can't be established.
                                        ECDSA key fingerprint is SHA256:iyMPO9k4t5oUNnOcDCOkJTLBLOSBKKPRuR9AugKmftM.
                                        ECDSA key fingerprint is MD5:73:2e:7e:37:b4:48:b9:45:3e:96:f1:ec:6a:9a:59:fd.
                                        Are you sure you want to continue connecting (yes/no)? yes
                                        Warning: Permanently added '192.168.80.17' (ECDSA) to the list of known hosts.
                                        root@192.168.80.17's password: 
                                        httpd.crt            

    查看證書(shū)中的信息:
                    [root@localhost ssl]# openssl x509 -in httpd.crt -noout -serial -subject
                                                        serial=01
                                                        subject= /C=CN/ST=guangdong/O=itxuezhe/OU=www.itxuezhe.com/CN=www.itxuezhe.com/emailAddress=web@itxuezhe.com

            吊銷證書(shū):
                        步驟:
                                1.客戶端獲取要吊銷的證書(shū)的serial (在使用證書(shū)的主機(jī)執(zhí)行);
                                        [root@localhost ssl]# openssl x509 -in /etc/pki/CA/certs/httpd.crt -noout -seral -subject

                                2.CA主機(jī)吊銷證書(shū)
                                        先根據(jù)客戶端提交的serial和subject信息,對(duì)比其與本機(jī)數(shù)據(jù)庫(kù)index.txt中存儲(chǔ)的是否一致;

                                        吊銷:
                                                    [root@localhost CA]# openssl ca -revoke /etc/pki/CA/newcerts/SERIAL.pem 
                                                    [root@localhost CA]# openssl ca -revoke /etc/pki/CA/newcerts/01.pem             
                                                                    其中的SERIAL要換成證書(shū)真正的序列號(hào);

                                    3.生成吊銷證書(shū)的吊銷編號(hào)(第一次吊銷證書(shū)時(shí)執(zhí)行)
                                                         CA]# echo 01 > /etc/pki/CA/crlnumber

                                    4.更新證書(shū)吊銷列表
                                                 CA]# openssl ca -gencrl -out thisca.crl

                查看crl文件:
                            ]# openssl crl -in /PATH/FROM/CRL_FILE.crl -noout -text
向AI問(wèn)一下細(xì)節(jié)

免責(zé)聲明:本站發(fā)布的內(nèi)容(圖片、視頻和文字)以原創(chuàng)、轉(zhuǎn)載和分享為主,文章觀點(diǎn)不代表本網(wǎng)站立場(chǎng),如果涉及侵權(quán)請(qǐng)聯(lián)系站長(zhǎng)郵箱:is@yisu.com進(jìn)行舉報(bào),并提供相關(guān)證據(jù),一經(jīng)查實(shí),將立刻刪除涉嫌侵權(quán)內(nèi)容。

AI