
openssl commands

Published: 2020-07-10 10:01:03  Source: web  Reads: 221  Author: huyuwj  Category: systems operations

openssl
Components:
    libcrypto, libssl: libraries, mainly used by developers;
    openssl: multi-purpose command-line tool;

openssl has many subcommands, divided into three groups: standard commands; message digest commands (the dgst subcommand); cipher commands (the enc subcommand).

Symmetric encryption:
    Tool: openssl enc
    Supported algorithms: 3des, aes, blowfish, twofish
    The enc subcommand, examples:
        Encrypt:  ~]# openssl enc -e -des3 -a -salt -in fstab -out fstab.ciphertext
        Decrypt:  ~]# openssl enc -d -des3 -a -salt -out fstab -in fstab.ciphertext

One-way hashing:
    Tools: openssl dgst, md5sum, sha1sum, sha224sum, ...
    The dgst subcommand:
        ~]# openssl dgst -md5 fstab
        MD5(fstab)= f24b68951add3236d19dff63f0c92206
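As an added example (not code from the original post), the script below round-trips a constructed fstab file through openssl enc and then uses openssl dgst to confirm that what came back is byte-for-byte what went in. It deliberately departs from the post's command line in two places: aes-256-cbc with -pbkdf2 instead of -des3 (without -pbkdf2, enc derives the key with the legacy EVP_BytesToKey scheme, a single hash iteration), and the password is read from a 0600 file rather than typed on the command line where it would show up in the process list. File names, the password and the fstab contents are constructed; it assumes OpenSSL 1.1.1 or newer and a POSIX shell.

```shell
#!/bin/sh
# Added example, not from the original post: openssl enc round-trip checked
# with openssl dgst. Assumes OpenSSL 1.1.1+ (for -pbkdf2) and a POSIX shell.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed sample plaintext standing in for the post's fstab.
printf '%s\n' '/dev/sda1  /     ext4  defaults  1 1' \
              '/dev/sda2  swap  swap  defaults  0 0' > "$WORK/fstab"

# Constructed password, kept in a 0600 file so it never appears in `ps` or history.
(umask 077; printf 'correct horse battery staple' > "$WORK/pass")

# encrypt_file IN OUT: AES-256-CBC, PBKDF2 key derivation, fresh random salt,
# base64-armoured output (-a) exactly as the post's example does.
encrypt_file() {
    openssl enc -e -aes-256-cbc -pbkdf2 -salt -a -pass "file:$WORK/pass" -in "$1" -out "$2"
}

# decrypt_file IN OUT: the reverse; -a must be repeated so the base64 armour is removed.
decrypt_file() {
    openssl enc -d -aes-256-cbc -pbkdf2 -a -pass "file:$WORK/pass" -in "$1" -out "$2"
}

# sha256_of FILE: prints only the hex digest (-r puts the hash first, coreutils style).
sha256_of() {
    openssl dgst -sha256 -r "$1" | cut -d' ' -f1
}

# roundtrip_ok: encrypt, decrypt, compare digests; prints "ok" or "mismatch".
roundtrip_ok() {
    encrypt_file "$WORK/fstab" "$WORK/fstab.ciphertext"
    decrypt_file "$WORK/fstab.ciphertext" "$WORK/fstab.plain"
    if [ "$(sha256_of "$WORK/fstab")" = "$(sha256_of "$WORK/fstab.plain")" ]; then
        echo ok
    else
        echo mismatch
    fi
}

# salts_differ: encrypting the same plaintext twice with the same password must
# produce different ciphertexts, because -salt draws a new random salt each run.
# Identical ciphertexts would mean the salt (and therefore the key) was reused.
salts_differ() {
    encrypt_file "$WORK/fstab" "$WORK/c1"
    encrypt_file "$WORK/fstab" "$WORK/c2"
    if cmp -s "$WORK/c1" "$WORK/c2"; then echo same; else echo different; fi
}

echo "round trip: $(roundtrip_ok)"
echo "fresh salt per run: $(salts_differ)"
```

The digest comparison is the integrity check that enc alone does not give you: CBC mode detects nothing but padding errors, so a separately recorded SHA-256 of the plaintext is what tells you the decrypted file is intact.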

Generating user passwords:
    Tools: passwd, openssl passwd
    ~]# openssl passwd -1 -salt <random value, e.g. 123456789>
    Example:
        [root@localhost ~]# openssl passwd -1 -salt $(openssl rand -hex 10)
        Password:
        $1$9727a8fa$Ir21xFr8gVZJFK1trPohf.
Generating random numbers:
    Tool: openssl rand
    Examples:
        [root@localhost ~]# openssl rand -hex 10
        8a7f0ab5316d5c0f2aba
        [root@localhost ~]# openssl rand -base64 10
        G8mVfr06RCHmhQ==
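Added example (not part of the original post) showing how the salted hash that openssl passwd prints is produced and, later, verified: verification is simply recomputing the hash with the salt stored in the hash string and comparing. It uses -6 (SHA-512 crypt) rather than the post's -1 (MD5 crypt) and feeds the password through stdin so it does not appear in the process list; the password strings are constructed and it assumes OpenSSL 1.1.1 or newer. Note on the post's output: the salt in $1$9727a8fa$ is eight characters even though twenty hex characters were supplied, because MD5 crypt keeps at most eight salt characters; SHA-crypt keeps up to sixteen, which is why the example draws exactly eight random bytes.

```shell
#!/bin/sh
# Added example, not from the original post: salted password hashing with
# `openssl passwd -6` and the matching verification step. Assumes OpenSSL 1.1.1+.
set -eu

# new_salt: 16 hex characters from the CSPRNG (SHA-crypt uses at most 16 salt characters).
new_salt() {
    openssl rand -hex 8
}

# hash_password PASSWORD SALT: prints a $6$<salt>$<hash> string of the form
# stored in /etc/shadow. -stdin keeps the password off the command line.
hash_password() {
    printf '%s' "$1" | openssl passwd -6 -salt "$2" -stdin
}

# salt_of HASH: the salt is the third '$'-separated field ("" , "6", salt, hash).
salt_of() {
    printf '%s' "$1" | cut -d'$' -f3
}

# verify_password PASSWORD STORED_HASH: recompute with the stored salt and
# compare; prints "match" or "no-match". A real login path would use a
# constant-time comparison; plain string equality is enough to show the idea.
verify_password() {
    candidate=$(hash_password "$1" "$(salt_of "$2")")
    if [ "$candidate" = "$2" ]; then echo match; else echo no-match; fi
}

# Constructed password; a fresh salt means the stored hash differs on every run.
STORED=$(hash_password 'correct horse battery staple' "$(new_salt)")
echo "stored:         $STORED"
echo "right password: $(verify_password 'correct horse battery staple' "$STORED")"
echo "wrong password: $(verify_password 'Tr0ub4dor&3' "$STORED")"
```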

Public-key cryptography:
    Encryption/decryption: algorithms: RSA, ElGamal; tools: openssl rsautl, gpg
    Digital signatures: algorithms: RSA, DSA, ElGamal
    Key exchange: algorithm: DH
    Generating keys:
        Generate a private key:  ~]# (umask 077; openssl genrsa -out /tmp/mykey.private 2048)
        Extract the public key:  ~]# openssl rsa -in /tmp/mykey.private -pubout
    Random number generators on Linux:
        /dev/random: returns random data only from the entropy pool; blocks when the pool is exhausted;
        /dev/urandom: returns random data from the entropy pool; when the pool is exhausted it falls back to software-generated pseudorandom data and does not block; pseudorandom data is not secure;
        Sources of entropy for the pool: time intervals between disk I/O interrupts; time intervals between keyboard I/O interrupts;
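Added example (not code from the original post): the two key-generation commands above, followed by the digital-signature use of RSA that the post lists but does not demonstrate. The private key signs a SHA-256 digest of a file with openssl dgst, the extracted public key verifies it, and a modified copy of the file shows verification failing. The message and file names are constructed; it assumes OpenSSL 1.1.1 or newer and a POSIX shell with ls.

```shell
#!/bin/sh
# Added example, not from the original post: RSA key pair, public-key
# extraction, and sign/verify with `openssl dgst`. Assumes OpenSSL 1.1.1+.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Private key; the umask in a subshell (as in the post) makes the file 0600.
(umask 077; openssl genrsa -out "$WORK/mykey.private" 2048 2>/dev/null)
# Public key: the only thing a verifier needs.
openssl rsa -in "$WORK/mykey.private" -pubout -out "$WORK/mykey.public" 2>/dev/null

# Constructed message standing in for a release artefact or config file.
printf 'release 1.2.3\n' > "$WORK/message"
# A modified copy: one character changed.
printf 'release 1.2.4\n' > "$WORK/tampered"

# sign_file FILE SIG: hash with SHA-256, sign the digest with the private key.
sign_file() {
    openssl dgst -sha256 -sign "$WORK/mykey.private" -out "$2" "$1"
}

# verify_file FILE SIG: prints "valid" or "invalid" from the exit status
# (openssl prints "Verified OK" / "Verification Failure" and exits 0 / 1).
verify_file() {
    if openssl dgst -sha256 -verify "$WORK/mykey.public" -signature "$2" "$1" >/dev/null 2>&1
    then echo valid; else echo invalid; fi
}

# key_perms: the first ten characters of `ls -l`, expected "-rw-------".
key_perms() {
    ls -l "$WORK/mykey.private" | cut -c1-10
}

sign_file "$WORK/message" "$WORK/message.sig"
echo "private key mode: $(key_perms)"
echo "original file:    $(verify_file "$WORK/message"  "$WORK/message.sig")"
echo "modified file:    $(verify_file "$WORK/tampered" "$WORK/message.sig")"
```

The signature is bound to the exact bytes that were hashed, so the same signature file verifies the original and rejects the one-character change; it is the receiving side that must hold the public key and run the verify step, which is why -pubout is the half that gets distributed.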


CA: publicly trusted CAs and private CAs.
Configuration file for the openssl command:  ~]# cat /etc/pki/tls/openssl.cnf


Building a private CA:
On the host that will act as the CA, generate a self-signed certificate and create the directories and files the CA needs.
Steps:
1. Generate the private key:
    ~]# (umask 077; openssl genrsa -out /etc/pki/CA/private/cakey.pem 4096)
2. Generate the self-signed certificate:
    -new:  generate a new certificate signing request;
    -x509: generate a self-signed certificate; used only when creating a private CA;
    -key:  path to the private key file used to build the request;
    -out:  path of the generated request file; with self-signing, the signed certificate is written directly;
    -days: validity period of the certificate, in days;
    ~]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem -days 3655
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [XX]:CN
    State or Province Name (full name) []:guangdong
    Locality Name (eg, city) [Default City]:shenzhen
    Organization Name (eg, company) [Default Company Ltd]:itxuezhe
    Organizational Unit Name (eg, section) []:ops
    Common Name (eg, your name or your server's hostname) []:ca.itxuezhe.com
    Email Address []:caadmin@itxuezhe.com
    [root@localhost ~]# ls /etc/pki/CA/
    caert.pem  certs  crl  newcerts  private
3. Create the directories and files the CA needs:
    ~]# mkdir -pv /etc/pki/CA/{certs,crl,newcerts}
    ~]# touch /etc/pki/CA/{serial,index.txt}
    ~]# echo 01 > /etc/pki/CA/serial

A server that needs a certificate for its communication must ask the CA to sign one:

Steps (using an httpd host as the example):
1. The host that needs the certificate generates a private key:
    ~]# mkdir /etc/httpd/ssl
    ~]# cd /etc/httpd/ssl
    ssl]# (umask 077; openssl genrsa -out httpd.key 2048)
2. Generate the certificate signing request:
    [root@localhost ssl]# openssl req -new -key httpd.key -out httpd.csr -days 365
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [XX]:CN
    State or Province Name (full name) []:guangdong
    Locality Name (eg, city) [Default City]:shenzhen
    Organization Name (eg, company) [Default Company Ltd]:itxuezhe
    Organizational Unit Name (eg, section) []:ops
    Common Name (eg, your name or your server's hostname) []:www.itxuezhe.com
    Email Address []:web@itxuezhe.com

    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:
    [root@localhost ssl]# ll
    总用量 8
    -rw-r--r--. 1 root root 1078 12月 10 11:24 httpd.csr
    -rw-------. 1 root root 1679 12月 10 11:20 httpd.key
3. Send the request to the CA host over a trustworthy channel:
    ssl]# scp httpd.csr root@192.168.80.16:/tmp/
    root@192.168.80.16's password:
    httpd.csr
4. On the CA host, sign the certificate:
    [root@localhost ~]# openssl ca -in /tmp/httpd.csr -out /etc/pki/CA/certs/httpd.crt -days 365
    Using configuration from /etc/pki/tls/openssl.cnf
    Check that the request matches the signature
    Signature ok
    Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Dec 10 03:29:20 2019 GMT
            Not After : Dec  9 03:29:20 2020 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = guangdong
            organizationName          = itxuezhe
            organizationalUnitName    = ops
            commonName                = www.itxuezhe.com
            emailAddress              = web@itxuezhe.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                D9:B4:2D:FB:4C:5B:EC:8D:5E:90:9F:1B:C6:61:65:0C:FB:94:59:8C
            X509v3 Authority Key Identifier:
                keyid:44:C1:C1:A7:B5:5F:15:15:06:8B:3B:7C:15:CB:5E:B4:A6:19:FD:5E
    Certificate is to be certified until Dec  9 03:29:20 2020 GMT (365 days)
    Sign the certificate? [y/n]:y
    1 out of 1 certificate requests certified, commit? [y/n]y
    Write out database with 1 new entries
    Data Base Updated
    The certificate has been signed successfully.
    ~]# cd /etc/pki/CA/
    CA]# cat index.txt
    V  201209032920Z  01  unknown  /C=CN/ST=guangdong/O=itxuezhe/OU=www.itxuezhe.com/CN=www.itxuezhe.com/emailAddress=web@itxuezhe.com
    Send the signed certificate back to the host that requested it:
    CA]# scp certs/httpd.crt root@192.168.80.17:/etc/httpd/ssl/
    The authenticity of host '192.168.80.17 (192.168.80.17)' can't be established.
    ECDSA key fingerprint is SHA256:iyMPO9k4t5oUNnOcDCOkJTLBLOSBKKPRuR9AugKmftM.
    ECDSA key fingerprint is MD5:73:2e:7e:37:b4:48:b9:45:3e:96:f1:ec:6a:9a:59:fd.
    Are you sure you want to continue connecting (yes/no)? yes
    Warning: Permanently added '192.168.80.17' (ECDSA) to the list of known hosts.
    root@192.168.80.17's password:
    httpd.crt
View the information in the certificate:
    [root@localhost ssl]# openssl x509 -in httpd.crt -noout -serial -subject
    serial=01
    subject= /C=CN/ST=guangdong/O=itxuezhe/OU=www.itxuezhe.com/CN=www.itxuezhe.com/emailAddress=web@itxuezhe.com
Revoking a certificate:
Steps:
1. The client obtains the serial of the certificate to be revoked (run on the host that uses the certificate):
    [root@localhost ssl]# openssl x509 -in /etc/pki/CA/certs/httpd.crt -noout -serial -subject
2. The CA host revokes the certificate. First compare the serial and subject submitted by the client with the entry stored in the CA's own database, index.txt; then revoke:
    [root@localhost CA]# openssl ca -revoke /etc/pki/CA/newcerts/SERIAL.pem
    [root@localhost CA]# openssl ca -revoke /etc/pki/CA/newcerts/01.pem
    where SERIAL is replaced with the certificate's real serial number;
3. Generate the CRL number (only the first time a certificate is revoked):
    CA]# echo 01 > /etc/pki/CA/crlnumber
4. Update the certificate revocation list:
    CA]# openssl ca -gencrl -out thisca.crl
View the CRL file:
    ]# openssl crl -in /PATH/FROM/CRL_FILE.crl -noout -text
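Added example (not code from the original post): the whole procedure above, CA build, CSR, signing, inspection, revocation and CRL, as one non-interactive script. It runs in a temporary directory with its own minimal openssl.cnf, so it can be tried without touching /etc/pki/CA or the system configuration, and it adds the step the post leaves out: checking the issued certificate against the CA with openssl verify, once without and once with the CRL, which is how a relying party actually learns that a certificate has been revoked. Subject names reuse the post's; the configuration sections, file names and the -batch/-subj/-config flags are my additions; it assumes OpenSSL 1.1.1 or newer and a POSIX shell.

```shell
#!/bin/sh
# Added example (not from the original post): a throwaway private CA in a temp dir
# with its own openssl.cnf, so /etc/pki/CA is untouched. Issues a server cert from
# a CSR, verifies the chain, revokes the cert, publishes a CRL. Assumes OpenSSL 1.1.1+.
set -eu
LAB=$(mktemp -d); trap 'rm -rf "$LAB"' EXIT
CA="$LAB/ca"; SRV="$LAB/server"

# Same directory/file layout the post creates under /etc/pki/CA, plus the
# configuration that `openssl ca` reads (the post relies on the system openssl.cnf).
build_ca() {
    mkdir -p "$CA/certs" "$CA/crl" "$CA/newcerts" "$CA/private" "$SRV"
    touch "$CA/index.txt"; echo 01 > "$CA/serial"; echo 01 > "$CA/crlnumber"
    cat > "$CA/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir              = $CA
new_certs_dir    = \$dir/newcerts
database         = \$dir/index.txt
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
certificate      = \$dir/cacert.pem
private_key      = \$dir/private/cakey.pem
default_md       = sha256
default_crl_days = 30
policy           = policy_any
x509_extensions  = server_cert
[ policy_any ]
countryName            = optional
organizationName       = optional
organizationalUnitName = optional
commonName             = supplied
[ server_cert ]
basicConstraints       = CA:FALSE
extendedKeyUsage       = serverAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer
[ v3_ca ]
basicConstraints       = critical, CA:TRUE
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash
[ req ]
distinguished_name = req_dn
[ req_dn ]
EOF
    # CA private key (0600 via umask, as in the post) and self-signed CA certificate.
    (umask 077; openssl genrsa -out "$CA/private/cakey.pem" 2048 2>/dev/null)
    openssl req -new -x509 -config "$CA/openssl.cnf" -extensions v3_ca \
        -key "$CA/private/cakey.pem" -out "$CA/cacert.pem" -days 3650 \
        -subj "/C=CN/O=itxuezhe/CN=ca.itxuezhe.com"
}

# Server side (the httpd host in the post): private key and certificate signing request.
make_csr() {
    (umask 077; openssl genrsa -out "$SRV/httpd.key" 2048 2>/dev/null)
    openssl req -new -config "$CA/openssl.cnf" -key "$SRV/httpd.key" \
        -out "$SRV/httpd.csr" -subj "/C=CN/O=itxuezhe/OU=ops/CN=www.itxuezhe.com"
}

# CA side: sign the CSR. -batch answers the "Sign the certificate?" prompts non-interactively.
sign_csr() {
    openssl ca -batch -config "$CA/openssl.cnf" -in "$SRV/httpd.csr" \
        -out "$CA/certs/httpd.crt" -days 365 -notext >/dev/null 2>&1
}

# What the certificate holder reports back when asking for revocation (post, revocation step 1).
cert_serial() { openssl x509 -in "$CA/certs/httpd.crt" -noout -serial; }

# First column of index.txt: V (valid) or R (revoked).
index_status() { cut -f1 "$CA/index.txt"; }

# Chain validation against the CA certificate, without revocation checking.
verify_chain() {
    if openssl verify -CAfile "$CA/cacert.pem" "$CA/certs/httpd.crt" >/dev/null 2>&1
    then echo OK; else echo FAIL; fi
}

# Same check, but consulting the published CRL.
verify_with_crl() {
    if openssl verify -crl_check -CAfile "$CA/cacert.pem" -CRLfile "$CA/crl/thisca.crl" \
        "$CA/certs/httpd.crt" >/dev/null 2>&1
    then echo OK; else echo REVOKED; fi
}

# CA revokes newcerts/<serial>.pem and regenerates the CRL (post, revocation steps 2 and 4).
revoke_and_publish() {
    openssl ca -config "$CA/openssl.cnf" -revoke "$CA/newcerts/01.pem" >/dev/null 2>&1
    openssl ca -config "$CA/openssl.cnf" -gencrl -out "$CA/crl/thisca.crl" >/dev/null 2>&1
}

build_ca; make_csr; sign_csr
echo "issued $(cert_serial); index: $(index_status); chain: $(verify_chain)"
revoke_and_publish
echo "after revocation: index: $(index_status); chain with CRL: $(verify_with_crl)"
```

Two points worth noticing when running it: after revocation the plain chain check still reports OK, because revocation lives only in index.txt and the CRL, not in the certificate itself, so a relying party that never fetches the CRL (or uses OCSP) will keep trusting a revoked certificate; and the CA's own certificate carries CA:TRUE with keyCertSign and cRLSign, which is what lets openssl verify accept both the issued certificate and the CRL as coming from that CA.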