1. The openssl command
NAME
openssl - OpenSSL command line tool
SYNOPSIS
openssl command [ command_opts ] [ command_args ]
[a4729821@JYstd openssl]$ openssl --help
openssl:Error: '--help' is an invalid command.
Standard commands
asn1parse ca ciphers cms
crl crl2pkcs7 dgst dh
dhparam dsa dsaparam ec
ecparam enc engine errstr
gendh gendsa genpkey genrsa
nseq ocsp passwd pkcs12
pkcs7 pkcs8 pkey pkeyparam
pkeyutl prime rand req
rsa rsautl s_client s_server
s_time sess_id smime speed
spkac ts verify version
x509
version: show version information
enc: symmetric encryption and decryption
ciphers: list cipher suites
genrsa: generate an RSA private key
NAME
genrsa - generate an RSA private key
SYNOPSIS
openssl genrsa [-out filename] [-passout arg] [-des] [-des3] [-idea] [-f4]
[-3] [-rand file(s)] [-engine id] [numbits]
Parameters:
-out filename: the file the private key is written to.
-passout arg: where the passphrase protecting the output file comes from (for example pass:secret, file:path or env:VAR).
numbits: key size in bits; must be the last argument. If omitted, OpenSSL 1.0.x generates a 512-bit key (1.1.0 raised the default to 2048), which is far too small to be safe; always give the size explicitly and use 2048 or more.
-des|-des3|-idea|-aes128|-aes192|-aes256: cipher used to encrypt the private key under a passphrase. If none is given the key is written to disk in plaintext. Single DES is a weak cipher; prefer -aes256.
rsa: RSA key management (for example extracting the public key from a private key)
req: has two main jobs: generating certificate signing requests (CSRs) and generating self-signed certificates. It can also verify and display request files, among other things.
openssl req [-inform PEM|DER] [-outform PEM|DER] [-in filename] [-passin
arg] [-out filename] [-passout arg] [-text] [-pubkey] [-noout] [-verify]
[-modulus] [-new] [-rand file(s)] [-newkey rsa:bits] [-newkey alg:file]
[-nodes] [-key filename] [-keyform PEM|DER] [-keyout filename]
[-keygen_engine id] [-[digest]] [-config filename] [-subj arg]
[-multivalue-rdn] [-x509] [-days n] [-set_serial n] [-asn1-kludge]
[-no-asn1-kludge] [-newhdr] [-extensions section] [-reqexts section]
[-utf8] [-nameopt] [-reqopt] [-subject] [-subj arg] [-batch] [-verbose]
[-engine id] // too many options to cover them all
[-new / -x509]
-new means a certificate request is to be generated; -x509 means a self-signed certificate is generated instead of a request.
[-key / -newkey / -keyout]
-key and -newkey are mutually exclusive: -key names an existing private key file, while -newkey generates a fresh key while the request or self-signed certificate is being created; the generated key is written to the file named by -keyout.
With -newkey, rsa:bits generates an RSA key of the given size in bits; dsa:file generates a DSA key, where file is a DSA parameter file produced by dsaparam.
[-in / -out / -inform / -outform / -keyform]
-in names the certificate request file; it is used when displaying a request or when turning a request into a self-signed certificate.
-out names the output file: the certificate request or self-signed certificate, the public key (when -pubkey is given), or other output.
-inform, -outform and -keyform give the formats of the -in, -out and -key files respectively; the default is PEM.
COMMAND OPTIONS
-inform DER|PEM
-outform DER|PEM
-in filename
crl: certificate revocation list (CRL) management
ca: CA management (for example signing certificates)
dgst: compute message digests
NAME
dgst, md5, md4, md2, sha1, sha, mdc2, ripemd160 - message digests
SYNOPSIS
openssl dgst [-md5|-md4|-md2|-sha1|-sha|-mdc2|-ripemd160|-dss1] [-c] [-d]
[-hex] [-binary] [-out filename] [-sign filename] [-keyform arg] [-passin
arg] [-verify filename] [-prverify filename] [-signature filename] [-hmac
key] [file...]
[md5|md4|md2|sha1|sha|mdc2|ripemd160] [-c] [-d] [file...]
OPTIONS
-c print out the digest in two digit groups separated by colons, only
relevant if hex format output is used.
-d print out BIO debugging information.
-hex
digest is to be output as a hex dump. This is the default case for a
"normal" digest as opposed to a digital signature.
-binary
output the digest or signature in binary form.
-out filename
filename to output to, or standard output by default.
rsautl: RSA signing, verification, encryption and decryption
passwd: generate hashed passwords
rand: generate pseudo-random bytes
speed: benchmark encryption and decryption speed
s_client: generic SSL/TLS client for testing
x509: X.509 certificate management; details at https://blog.csdn.net/as3luyuan123/article/details/16873093
verify: X.509 certificate verification
pkcs7: PKCS#7 data management
2. Certificates
SSL/TLS is used for authentication and data encryption, and to use it we must have a certificate. Digital certificates are normally bought from a commercial certification authority (such as VeriSign). When all we want is encrypted communication and a publicly trusted identity does not matter, we can make a certificate ourselves. There are two ways: a self-signed certificate, or setting up our own CA and having that CA issue the certificates we need. In both cases the clients must be told to trust the self-signed certificate or the CA certificate explicitly; a certificate the client does not trust gives encryption but no protection against a man in the middle.
Steps:
Step 1: generate the client's key pair; the private key must be held only by the client.
Step 2: using the client's key and the client's own information (country, organization, domain name, e-mail address and so on) as input, generate a certificate signing request (CSR). The client's public key and its information are stored in the request in the clear; the client's private key is used only to sign the public key and the information (proving possession of the key) and is not itself included in the request. The request is then sent to the CA.
Step 3: the CA checks the signature on the request, reviews the client's information, and finally signs the request with its own private key, producing the certificate, which it returns to the client. This certificate is the client's identity document and shows who the client is.
2.1 Generating a self-signed certificate
[a4729821@JYstd openssl]$ openssl // enter interactive mode
OpenSSL> genrsa -des -out selfsign.key 2048 // private key encrypted with single DES (weak; -aes256 is the better choice)
Generating RSA private key, 2048 bit long modulus
........................................................+++
....................................................................................................................................................................................+++
e is 65537 (0x10001)
Enter pass phrase for selfsign.key: // choose a passphrase; it is needed every time the private key is used. If you do not want one, omit -des instead of leaving this empty: with -des an empty passphrase is rejected (at least 4 characters are required)
Verifying - Enter pass phrase for selfsign.key: // repeat the passphrase
Generate a certificate request from the private key
(If the key is passphrase-protected, openssl asks for the passphrase first and then for a series of fields. Common Name (CN) is the most important one: it names the subject the certificate stands for, so for a website certificate enter the domain name. Note that modern browsers and TLS libraries match the hostname against the subjectAltName extension, not the CN; the interactive prompts only fill in the DN, so a subjectAltName has to be requested through the configuration file or, in OpenSSL 1.1.1 and later, with -addext.)
OpenSSL> req -new -key selfsign.key -out selfsign.csr
Enter pass phrase for selfsign.key: // enter the private key passphrase
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:se
State or Province Name (full name) []:selfsign
Locality Name (eg, city) [Default City]:wuhan
Organization Name (eg, company) [Default Company Ltd]:jy
Organizational Unit Name (eg, section) []:linux
Common Name (eg, your name or your server's hostname) []:huangjunyu
Email Address []:771018493@qq.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:12456
An optional company name []:lingyun
Generate the certificate (sign the request with the same key, valid for 365 days)
OpenSSL> x509 -req -days 365 -in selfsign.csr -signkey selfsign.key -out selfsign.crt
Signature ok
subject=/C=se/ST=selfsign/L=wuhan/O=jy/OU=linux/CN=huangjunyu/emailAddress=771018493@qq.com
Getting Private key
Enter pass phrase for selfsign.key:
Check the resulting files
[a4729821@JYstd openssl]$ ls
selfsign.crt selfsign.csr selfsign.key
2.2 Issuing a certificate from your own CA
[a4729821@JYstd openssl]$ openssl genrsa -des3 -out ca.key 4096 // generate the CA private key (Triple DES; -aes256 is preferable)
Generating RSA private key, 4096 bit long modulus
...++
.................................................................++
e is 65537 (0x10001)
Enter pass phrase for ca.key:
Verifying - Enter pass phrase for ca.key:
// generate the CA certificate (self-signed with -x509, valid for 365 days)
[a4729821@JYstd openssl]$ openssl req -new -x509 -days 365 -key ca.key -out ca.crt
Enter pass phrase for ca.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:china
string is too long, it needs to be less than 2 bytes long
Country Name (2 letter code) [XX]:china n
string is too long, it needs to be less than 2 bytes long
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:wuhan
Locality Name (eg, city) [Default City]:HUBEI
Organization Name (eg, company) [Default Company Ltd]:lingyun
Organizational Unit Name (eg, section) []:666
Common Name (eg, your name or your server's hostname) []:huangjunyu
Email Address []:771018493@qq.com
Next, the same steps as above for the server: generate its private key and its certificate request
[a4729821@JYstd openssl]$ openssl genrsa -des3 -out myserve.key 4096 // generate the server private key
[a4729821@JYstd openssl]$ openssl req -new -key myserve.key -out myserve.csr // generate the certificate request
Issue our certificate with the CA certificate and the CA key
[a4729821@JYstd openssl]$ openssl x509 -req -days 365 -in myserve.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out myserve.crt
Two things to note about this command. -set_serial 01 hard-codes the serial number, and serial numbers must be unique for each certificate a CA issues; running the same command for a second server produces two certificates with serial 1 from the same issuer, which clients treat as an error (Firefox, for instance, refuses a certificate whose issuer and serial match one it has already seen). Use -CAcreateserial, which keeps the next serial in ca.srl, instead. Also, openssl x509 -req does not copy extensions from the request: unless you add -extfile, myserve.crt has no subjectAltName, basicConstraints or keyUsage, and modern clients will not accept it for a hostname.
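The three-step procedure described at the start of this section and the interactive session in 2.2, as one non-interactive script. This is an added example, not code from the original post: it uses the genrsa, req and x509 options described in section 1 to build the CA and issue a server certificate, and adds what the interactive session leaves out (AES-256 for the CA key, a CA certificate explicitly marked CA:TRUE, a subjectAltName on the server certificate, a unique serial via -CAcreateserial, and verification against the CA including the hostname). The CA name demo-ca, the host www.example.test, the passphrase and the temporary directory are assumptions; -verify_hostname needs OpenSSL 1.0.2 or later.

```shell
#!/bin/sh
# Added example (not from the original post): the section 2.2 CA flow as a script.
# Assumptions: the names demo-ca and www.example.test, the passphrase below,
# and a temporary working directory; OpenSSL 1.0.2 or later (-verify_hostname).
set -eu

CA_PASS="${CA_PASS:-demo-ca-passphrase}"   # demo value; never hard-code a real CA passphrase

# make_ca DIR: AES-256 encrypted CA key plus a self-signed CA certificate in DIR.
make_ca() {
    mkdir -p "$1"
    # Minimal config so req does not depend on the system openssl.cnf; the
    # subject comes from -subj, the v3_ca section marks the certificate as a CA.
    cat > "$1/req.cnf" <<'EOF'
[ req ]
distinguished_name = req_dn
prompt = no
[ req_dn ]
CN = placeholder-overridden-by-subj
[ v3_ca ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl genrsa -aes256 -passout "pass:$CA_PASS" -out "$1/ca.key" 4096 2>/dev/null
    openssl req -new -x509 -sha256 -days 3650 \
        -config "$1/req.cnf" -extensions v3_ca \
        -key "$1/ca.key" -passin "pass:$CA_PASS" \
        -subj "/C=CN/ST=HUBEI/L=wuhan/O=lingyun/CN=demo-ca" \
        -out "$1/ca.crt"
}

# issue_server_cert DIR HOST: key and CSR for HOST, signed by the CA in DIR.
issue_server_cert() {
    # The server key is left unencrypted so a daemon can load it unattended;
    # the umask keeps the file readable by its owner only.
    (umask 077; openssl genrsa -out "$1/$2.key" 2048 2>/dev/null)
    openssl req -new -sha256 -config "$1/req.cnf" \
        -key "$1/$2.key" -subj "/C=CN/O=lingyun/CN=$2" -out "$1/$2.csr"
    # x509 -req copies no extensions from the CSR: they must come from -extfile.
    cat > "$1/$2.ext" <<EOF
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$2
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
    # -CAcreateserial starts ca.srl at a random value and increments it per
    # certificate, so no two certificates from this CA share a serial.
    openssl x509 -req -sha256 -days 365 -in "$1/$2.csr" \
        -CA "$1/ca.crt" -CAkey "$1/ca.key" -passin "pass:$CA_PASS" -CAcreateserial \
        -extfile "$1/$2.ext" -out "$1/$2.crt" 2>/dev/null
}

# verify_server_cert DIR CERTNAME HOSTNAME: chain check against the CA plus a
# hostname match against the SAN. Returns 0 only when verify prints ": OK".
verify_server_cert() {
    out=$(openssl verify -CAfile "$1/ca.crt" -verify_hostname "$3" "$1/$2.crt" 2>&1) || return 1
    case "$out" in
        *": OK") return 0 ;;
        *)       return 1 ;;
    esac
}

# cert_san DIR CERTNAME: print the subjectAltName of the issued certificate.
cert_san() {
    openssl x509 -in "$1/$2.crt" -noout -text |
        grep -A1 'Subject Alternative Name' | tail -n 1 | tr -d ' '
}

DEMO_DIR=$(mktemp -d)
make_ca "$DEMO_DIR"
issue_server_cert "$DEMO_DIR" www.example.test
verify_server_cert "$DEMO_DIR" www.example.test www.example.test &&
    echo "www.example.test: chain and hostname OK, SAN $(cert_san "$DEMO_DIR" www.example.test)"
```

The CA key stays encrypted and is only touched at signing time; the server key is protected by file permissions instead of a passphrase, which is the usual trade-off for a service that must restart unattended. Issuing a second certificate only requires another issue_server_cert call: the serial file created by -CAcreateserial takes care of uniqueness.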
3. Some basic commands
View key information
[a4729821@JYstd openssl]$ openssl rsa -noout -text -in myserve.key // display the private key contents
Enter pass phrase for myserve.key:
Private-Key: (4096 bit)
modulus:
00:b5:c9:77:75:dd:12:73:3b:f7:06:a6:45:3d:94:
83:cb:35:72:c0:9a:d4:f0:26:cc:6e:30:ce:14:7a:
04:f5:fb:be:f2:13:10:e2:b1:e4:14:3a:70:8b:30:
84:19:71:ab:a9:bd:e6:3a:de:4c:86:35:4a:2f:b7:
fd:40:c2:3e:e9:78:08:fb:6b:7d:bf:81:f3:cd:5d:
03:ce:93:34:74:d7:fa:18:01:89:21:09:72:52:4f:
f9:59:0b:6b:a1:0c:a3:f8:0f:8c:11:42:7b:21:7b:
d4:3e:53:67:6a:bf:08:1a:ff:40:1b:19:78:43:08:
90:c4:76:e8:2b:df:7f:10:e6:b5:7d:ae:99:cb:22:
1a:87:58:c8:48:ac:5d:f7:36:bc:9c:9e:c7:f0:30:
c5:a1:4e:dd:5e:c6:bc:cd:43:64:5a:82:9c:ac:ed:
3a:cc:9c:7a:89:d4:99:73:39:bd:ce:df:29:c5:7f:
e8:01:bb:f6:a3:e1:3f:01:ac:ff:7e:e5:37:72:6a:
*** **** *** ** **
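A pre-deployment check built on the same "openssl rsa -noout -text" output shown above, and on the genrsa notes in section 1 (the 512-bit default of OpenSSL 1.0.x, and keys written in plaintext when no cipher option is given). This is an added example, not code from the original post; it parses the modulus size from the key dump and looks at the PEM header for encryption, so a key that is too short or stored without a passphrase is caught before it reaches a server. The demo file names, the passphrase demo-pass and the temporary directory are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): a pre-deployment check for RSA
# private keys built on the "openssl rsa -noout -text" output.
# Assumptions: the demo file names, the passphrase demo-pass and a temp directory.
set -eu

# key_bits FILE [PASSPHRASE]: modulus size in bits, or empty if the key cannot
# be read (wrong passphrase, not an RSA key). Handles both the 1.x line
# "Private-Key: (2048 bit)" and the 3.x line "Private-Key: (2048 bit, 2 primes)".
key_bits() {
    openssl rsa -noout -text -in "$1" -passin "pass:${2:-}" 2>/dev/null |
        sed -n 's/^.*Private-Key: (\([0-9][0-9]*\) bit.*$/\1/p'
}

# key_encrypted FILE: true if the PEM is passphrase-protected. genrsa with
# -des/-des3/-aes* writes either "Proc-Type: 4,ENCRYPTED" (PKCS#1, OpenSSL 1.x)
# or a "BEGIN ENCRYPTED PRIVATE KEY" block (PKCS#8, OpenSSL 3.x); a key made
# without a cipher option has neither and sits on disk in the clear.
key_encrypted() {
    grep -q 'ENCRYPTED' "$1"
}

# check_key FILE PASSPHRASE MINBITS: 0 when the key is readable, at least
# MINBITS long and encrypted at rest; otherwise print the reason and return 1.
check_key() {
    bits=$(key_bits "$1" "$2")
    [ -n "$bits" ] || { echo "$1: cannot read key (wrong passphrase or not an RSA key)"; return 1; }
    [ "$bits" -ge "$3" ] || { echo "$1: only $bits bits, policy requires $3"; return 1; }
    key_encrypted "$1" || { echo "$1: private key is stored without a passphrase"; return 1; }
    echo "$1: $bits bits, encrypted at rest"
}

DEMO_DIR=$(mktemp -d)
# A short, unencrypted key (the 512-bit key that a bare "genrsa" produces on
# OpenSSL 1.0.x fails the same checks) next to a key that passes.
openssl genrsa -out "$DEMO_DIR/weak.key" 1024 2>/dev/null
openssl genrsa -aes256 -passout pass:demo-pass -out "$DEMO_DIR/good.key" 2048 2>/dev/null
check_key "$DEMO_DIR/weak.key" "" 2048 || true
check_key "$DEMO_DIR/good.key" demo-pass 2048
```

The size check reads the dump rather than the file name, so a key that was generated with the wrong size and then renamed is still caught; the encryption check is deliberately on the PEM header, since a key that decrypts with an empty passphrase is not the same thing as a key that was encrypted.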
Verify a certificate
[a4729821@JYstd openssl]$ openssl verify selfsign.crt
selfsign.crt: C = se, ST = selfsign, L = wuhan, O = jy, OU = linux, CN = huangjunyu, emailAddress = 771018493@qq.com
error 18 at 0 depth lookup:s
OK // error 18 is X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT: the certificate is self-signed and no trust anchor was given. The OpenSSL 1.0.x verify tool prints the error and then carries on, so this trailing OK does not mean the certificate validated; OpenSSL 1.1.0 and later print "verification failed" here instead. A self-signed certificate only verifies when it is itself supplied as the trust anchor with -CAfile.
[a4729821@JYstd openssl]$ openssl verify -CAfile ca.crt myserve.crt
myserve.crt: OK // myserve.crt was issued by our own CA, whose certificate is given as the trust anchor with -CAfile, so verification passes
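The two verify runs above, reproduced in a way that reads the tool's output safely. This is an added example, not code from the original post. On OpenSSL 1.0.x, verify prints "error 18 at 0 depth lookup:self signed certificate" for a self-signed certificate and then prints OK and exits 0 anyway, so a script that greps for OK or checks only the exit status passes a certificate that was never validated; 1.1.0 and later print "verification failed" and exit non-zero. The helper treats any error line as a failure on every version, and the demo then shows the correct way to verify the section 2.1 certificate: pass it as its own -CAfile. The certificate is made in one step with -x509 and -newkey (the options from section 1); the subject, the temporary directory and the config file are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): interpret "openssl verify" output
# safely, and verify a self-signed certificate against itself.
# Assumptions: the subject below and a temp directory; works on OpenSSL 1.0.x,
# 1.1.x and 3.x (the helper compensates for the 1.0.x behaviour).
set -eu

# strict_verify CERT [CAFILE]: 0 only when verify reports no error line and
# ends with ": OK". On 1.0.x the verify tool prints
# "error 18 at 0 depth lookup:self signed certificate" and then "OK" with exit
# status 0, so neither the exit status nor a grep for OK is enough on its own;
# 1.1.0 and later print "verification failed" and exit non-zero.
strict_verify() {
    if [ -n "${2:-}" ]; then
        out=$(openssl verify -CAfile "$2" "$1" 2>&1) || return 1
    else
        out=$(openssl verify "$1" 2>&1) || return 1
    fi
    if printf '%s\n' "$out" | grep -q 'error '; then
        return 1
    fi
    case "$out" in
        *": OK") return 0 ;;
        *)       return 1 ;;
    esac
}

DEMO_DIR=$(mktemp -d)
# Minimal config so req does not depend on the system openssl.cnf.
cat > "$DEMO_DIR/req.cnf" <<'EOF'
[ req ]
distinguished_name = req_dn
prompt = no
[ req_dn ]
CN = placeholder-overridden-by-subj
EOF
# The section 2.1 self-signed certificate in one step: -x509 with -newkey makes
# the key and the certificate together; -nodes leaves the key unencrypted.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -config "$DEMO_DIR/req.cnf" \
    -subj "/C=CN/ST=HUBEI/L=wuhan/O=jy/OU=linux/CN=huangjunyu" \
    -keyout "$DEMO_DIR/selfsign.key" -out "$DEMO_DIR/selfsign.crt" 2>/dev/null

if strict_verify "$DEMO_DIR/selfsign.crt"; then
    echo "selfsign.crt: accepted with no trust anchor (unexpected)"
else
    echo "selfsign.crt: not trusted: self-signed and no trust anchor given"
fi
# A self-signed certificate is its own trust anchor; say so explicitly.
strict_verify "$DEMO_DIR/selfsign.crt" "$DEMO_DIR/selfsign.crt" &&
    echo "selfsign.crt: OK when selfsign.crt itself is the -CAfile"
```

In a deployment script, wrap every verify call this way rather than pattern-matching on OK; the same helper works unchanged for the CA-issued case (strict_verify myserve.crt ca.crt).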
Derive the public key from the private key
[a4729821@JYstd openssl]$ openssl rsa -in myserve.key -pubout -out myserve_public.key
Enter pass phrase for myserve.key:
writing RSA key
Reference: https://blog.csdn.net/baidu_36649389/article/details/54379935