openssl usage

1.  openssl genrsa -out key.pem 1024

2.  openssl req -new -key key.pem -config /etc/ssl/openssl.cnf -out request.pem

Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:BeiJing
Locality Name (eg, city) []:BeiJing
Organization Name (eg, company) [Internet Widgits Pty Ltd]:www.test.com
Organizational Unit Name (eg, section) []:test.cn
Common Name (eg, YOUR name) []:zhangsan
Email Address []:zhangsan@test.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:test2011
An optional company name []:test_company

3.  openssl x509 -req -days 9999 -in request.pem -signkey key.pem -out certificate.pem

4.  openssl pkcs8 -topk8 -outform DER -in key.pem -inform PEM -out key.pk8 -nocrypt

 

 ======================================================================

Mutual CA authentication steps (the main certificate and key creation procedure)

1.   Creating the CA Key and Certificate

The general process for creating a certificate includes:

       1.1  Creating a private key

            openssl genrsa -out CA.key 1024

       1.2  Creating a certificate request

               openssl req -new -key CA.key -out CA.csr -config ..\openssl.cnf

Enter pass phrase for Server.key:
Loading 'screen' into random state - done
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:Beijing
Locality Name (eg, city) []:Beijing
Organization Name (eg, company) [Internet Widgits Pty Ltd]:yuvad
Organizational Unit Name (eg, section) []:yuvadbj
Common Name (eg, YOUR name) []:yuv
Email Address []:bj@yuvad.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:hello
An optional company name []:yuvad.cn


       1.3  Creating and signing a certificate from the certificate request

            openssl x509 -req -days 3650 -in CA.csr -out CA.crt -signkey CA.key

2.   Verifying the CA certificate contents (optional)

     At this point we have our self-signed CA certificate and our CA key, which will be used to sign the web server and client certificates that we create. To verify the certificate contents, use the following command:

     openssl x509 -in CA.crt -text

3.   Creating a Web Server Certificate

3.1   The procedure for creating a web server certificate is similar to that for creating the CA certificate, except that the web server certificate will be signed with the CA key rather than self-signed with a web-server-specific key.

Command:

openssl genrsa -aes128 -out Server.key 1024

and enter a pass phrase when prompted.

3.2     Next, create the web server certificate request for the private key. When prompted for the pass phrase, enter the one you chose for the private key in 3.1.

Command:

openssl req -new -key Server.key -out Server.csr -config ..\openssl.cnf

Enter pass phrase for Server.key:
Loading 'screen' into random state - done
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:Beijing
Locality Name (eg, city) []:Beijing
Organization Name (eg, company) [Internet Widgits Pty Ltd]:yuvad
Organizational Unit Name (eg, section) []:yuvadbj
Common Name (eg, YOUR name) []:yuv
Email Address []:bj@yuvad.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:hello
An optional company name []:yuvad.cn

3.3    Then, sign the web server certificate with the CA key

Command:

openssl ca -days 3650 -in Server.csr -cert CA.crt -keyfile CA.key -out Server.crt -config ..\openssl.cnf

notes:

Before running the command above, edit conf/openssl.cnf and set dir = ../DemoCA, because the command is run from conf/ssl.

In addition, create a DemoCA directory inside the conf directory, and the certs, crl and newcerts directories inside DemoCA.

Finally, create the files index.txt (empty) and serial in DemoCA, and write 01 into the serial file.

 

Using configuration from ..\openssl.cnf
Loading 'screen' into random state - done
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Dec 30 07:26:14 2011 GMT
            Not After : Dec 27 07:26:14 2021 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = Beijing
            organizationName          = yuvad
            organizationalUnitName    = yuvadbj
            commonName                = yuv
            emailAddress              = bj@yuvad.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                F8:7E:C4:9B:2E:8E:B4:DB:48:97:00:97:66:9A:D9:10:93:2A:B8:2B
            X509v3 Authority Key Identifier:
                DirName:/C=CN/ST=Beijing/L=Beijing/O=yuvad/OU=yuvadbj/CN=yuv/emailAddress=bj@yuvad.com
                serial:B4:EE:50:3B:C9:D1:7A:9C

Certificate is to be certified until Dec 27 07:26:14 2021 GMT (3650 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

3.4   To verify the web server certificate contents, use the following command (optional)

openssl x509 -in Server.crt -text
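The whole procedure above, from the DemoCA layout in the notes to signing and checking the issued certificates, as one non-interactive script. This is an added example, not code from the original post: the directory, subject values and the pass phrase "hello" are constructed for the demo, the CA certificate is self-signed in one step with req -x509 instead of the post's CSR plus x509 -req, and 2048-bit keys replace the post's 1024-bit ones, which are below current minimums. It also issues a client certificate, since the CA is meant to sign both server and client certificates for mutual authentication.

```shell
# Added example, not the original post's code: builds the DemoCA layout from the
# notes, issues Server/Client certs with openssl ca, and verifies them against the CA.
build_demo_ca() {
  top="$1"; ca="$top/DemoCA"     # constructed demo values; 2048-bit keys (post used 1024)
  mkdir -p "$ca/certs" "$ca/crl" "$ca/newcerts" || return 1
  : > "$ca/index.txt"; echo 01 > "$ca/serial"   # empty database, first serial number
  cat > "$top/openssl.cnf" <<EOF   # minimal config; [ ca ] is the part openssl ca reads
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $ca
new_certs_dir = \$dir/newcerts
database = \$dir/index.txt
serial = \$dir/serial
default_md = sha256
policy = policy_match
x509_extensions = usr_cert
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
commonName = supplied
[ usr_cert ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ req ]
distinguished_name = req_dn
[ req_dn ]
commonName = Common Name
EOF
  # 1. CA key and self-signed CA certificate in one step (post: CSR, then x509 -req -signkey)
  openssl genrsa -out "$top/CA.key" 2048 2>/dev/null || return 1
  openssl req -new -x509 -days 3650 -key "$top/CA.key" -out "$top/CA.crt" -config "$top/openssl.cnf" \
    -extensions v3_ca -subj "/C=CN/ST=Beijing/O=yuvad/CN=Demo CA" || return 1
  for name in Server Client; do   # 2. encrypted key, CSR, CA-signed cert (-batch answers the y/n prompts)
    openssl genrsa -aes128 -passout pass:hello -out "$top/$name.key" 2048 2>/dev/null || return 1
    openssl req -new -key "$top/$name.key" -passin pass:hello -out "$top/$name.csr" \
      -config "$top/openssl.cnf" -subj "/C=CN/ST=Beijing/O=yuvad/CN=$name" || return 1
    openssl ca -batch -days 3650 -config "$top/openssl.cnf" -cert "$top/CA.crt" \
      -keyfile "$top/CA.key" -in "$top/$name.csr" -out "$top/$name.crt" || return 1
    openssl verify -CAfile "$top/CA.crt" "$top/$name.crt" >/dev/null || return 1   # 3. chain check
  done
}
```

Run build_demo_ca /tmp/demo and look at /tmp/demo/DemoCA/index.txt and serial to see the two entries openssl ca recorded.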

 ======================================================================

OpenSSL is a widely-used open-source software library that provides cryptographic functions, including support for AES (Advanced Encryption Standard). AES is a symmetric encryption algorithm that is commonly used to secure data transmission and storage. To use AES in OpenSSL 3, you can make use of the EVP (envelope) API. Here is an example of how to encrypt and decrypt data using AES in OpenSSL 3:

```c
#include <openssl/evp.h>

/* Encrypt plaintext_len bytes with AES-256-CBC (key: 32 bytes, iv: 16 bytes).
   ciphertext needs room for plaintext_len + 16 bytes of PKCS#7 padding.
   Returns the ciphertext length, or -1 if any EVP call fails. */
int aes_encrypt(const unsigned char *plaintext, int plaintext_len,
                const unsigned char *key, const unsigned char *iv,
                unsigned char *ciphertext)
{
    EVP_CIPHER_CTX *ctx;
    int len;
    int ciphertext_len;

    /* Create and initialize the context */
    if ((ctx = EVP_CIPHER_CTX_new()) == NULL)
        return -1;
    if (EVP_EncryptInit_ex(ctx, EVP_aes_256_cbc(), NULL, key, iv) != 1)
        goto err;

    /* Encrypt the plaintext */
    if (EVP_EncryptUpdate(ctx, ciphertext, &len, plaintext, plaintext_len) != 1)
        goto err;
    ciphertext_len = len;

    /* Finalize the encryption: writes the last, padded block */
    if (EVP_EncryptFinal_ex(ctx, ciphertext + len, &len) != 1)
        goto err;
    ciphertext_len += len;

    /* Clean up */
    EVP_CIPHER_CTX_free(ctx);
    return ciphertext_len;
err:
    EVP_CIPHER_CTX_free(ctx);
    return -1;
}

/* Decrypt ciphertext_len bytes with AES-256-CBC into plaintext (a buffer of
   ciphertext_len bytes is enough). Returns the plaintext length, or -1 on
   failure; a failing EVP_DecryptFinal_ex means the padding did not check out
   (wrong key/IV or modified ciphertext). */
int aes_decrypt(const unsigned char *ciphertext, int ciphertext_len,
                const unsigned char *key, const unsigned char *iv,
                unsigned char *plaintext)
{
    EVP_CIPHER_CTX *ctx;
    int len;
    int plaintext_len;

    /* Create and initialize the context */
    if ((ctx = EVP_CIPHER_CTX_new()) == NULL)
        return -1;
    if (EVP_DecryptInit_ex(ctx, EVP_aes_256_cbc(), NULL, key, iv) != 1)
        goto err;

    /* Decrypt the ciphertext */
    if (EVP_DecryptUpdate(ctx, plaintext, &len, ciphertext, ciphertext_len) != 1)
        goto err;
    plaintext_len = len;

    /* Finalize the decryption: strips the padding and fails if it is invalid */
    if (EVP_DecryptFinal_ex(ctx, plaintext + len, &len) != 1)
        goto err;
    plaintext_len += len;

    /* Clean up */
    EVP_CIPHER_CTX_free(ctx);
    return plaintext_len;
err:
    EVP_CIPHER_CTX_free(ctx);
    return -1;
}
```

In this example, AES-256 in CBC (Cipher Block Chaining) mode is used, so the key must be 32 bytes and the IV 16 bytes. You need to include the `openssl/evp.h` header and link against the OpenSSL library (`-lcrypto`) when compiling your code.
Remember to handle key management, the initialization vector (IV), and the other aspects of encryption and decryption your use case requires: the IV must be unpredictable and never reused with the same key, and CBC by itself does not protect the ciphertext against modification, so pair it with a MAC or use an authenticated mode. Please note that this example showcases how to use OpenSSL 3's EVP API for AES encryption and decryption. The exact implementation details may vary depending on your specific needs and the version of OpenSSL you are using, so consult the OpenSSL documentation for the version you are working with for accurate usage instructions.
