1.取得 Openssl
Openssl 是一套公布原始码(Open source)之套件,可以从 http://www.openssl.org/ 取得。
wget http://www.openssl.org/source/ openssl-0.9.8e.tar.gz
解压缩。
tar zxvf openssl-0.9.8e.tar.gz
cd openssl-0.9.8h
# ./config --prefix=/usr/local/openssl
# make
# make install
修改 ~/openssl/ssl/openssl.cnf。
dir= /usr/local/openssl/ssl/misc/demoCA #设定存取凭证的路径
default_days= 3650 #设定凭证可使用之天数
default_bits = 2048 #设定密钥长度(bits)
产生 CA 凭证
我们所产生的 CA凭证,将放置在 ~/openssl/ssl/misc/demoCA 下,以下我们将介绍如何产生出最上层的 CA凭证。
2.执行CA凭证产生程式。
# cd ~/openssl/ssl/misc
# ./CA.sh -newca
CA certificate filename (or enter to create)
[enter]
Making CA certificate ...
Generating a 1024 bit RSA private key
................................ .............................++++++
..++++++
writing new private key to './demoCA/private/./cakey.pem'
Enter PEM pass phrase:[设定通行码]
Verifying - Enter PEM pass phrase:[确认通行码]
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:CN
State or Province Name (full name) [Berkshire]:GUANGDONG
Locality Name (eg, city) [Newbury]:GUANGZHOU
Organization Name (eg, company) [My Company Ltd]:demo
Organizational Unit Name (eg, section) []:demo
Common Name (eg, your name or your server's hostname) []:demo
Email Address []demo@demolcn
<!--[if !supportLists]-->3. <!--[endif]-->确定CA凭证及金钥是否产生。
#cd ~/openssl/ssl/misc/demoCA
#ls –l
cacert.pem certs crl index.txt newcerts private serial
可见「cacert.pem」即是CA之凭证,而「private」目录即是存放CA私钥之处。
设定CA凭证之存取权限,仅允许本人能存取,他人必须限制其存取权限。
chmod -R 660 ~/openssl/ssl/misc/ demoCA
4. 以 CA产生次级凭证
在CA凭证产生完之后,我们便可以产生使用者或公司所需要之凭证,此次级凭证产生后,使用者便可应用于Email签章加密或https等ssl传输加密。
产生使用者之金钥档及CSR档(Certificate Signing Request)。
#cd ~/openssl/ssl/misc/demoCA
#~/openssl/bin/openssl req -nodes -new -keyout islab_key.pem/
#-out islab_req.pem -days 3650 -config ~/openssl/ssl/openssl.cnf
#此处「-keyout」即为产生Private key之档名,我们以「islab_key.pem」为例
#,您可自行设定。而「-out」则产生CSR档,我们以「islab_req.pem」为例。
Generating a 2048 bit RSA private key
................................ ..........................+++
................................ ................................................................+++
writing new private key to 'islab_key.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:CN
State or Province Name (full name) [GUANGDONG]:GUANGDONG
Locality Name (eg, city) []:GUANGZHOU
Organization Name (eg, company) [THU]:demo
Organizational Unit Name (eg, section) []:Idemo
Common Name (eg, YOUR name) []:demo@demo.com
#Common Name请输入您所欲使用之名称,如此凭证产生后欲使用在 Email
#签章,则必须填入email名称;若此凭证欲使用在https,则必须填网址。
Email Address []:demo@demo.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:[password]
An optional company name []:[company]
#以上两项可随意输入即可。
产生使用者之凭证。
~/openssl/bin/openssl ca -config ~/openssl/ssl/openssl.cnf /
-policy policy_anything -out islab_cert.pem -infiles islab_req.pem
Using configuration from /usr/local/openssl/ssl/openssl.cnf
Enter pass phrase for /usr/local/openssl/ssl/misc/demoCA/private/cakey.pem:[输入CA通行码]
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Feb 24 14:34:58 2005 GMT
Not After : Feb 22 14:34:58 2015 GMT
Subject:
countryName = CN
stateOrProvinceName = GUANGDONG
localityName = GUANGZHOU
organizationName = demo
organizationalUnitName= demo
commonName = demo@demo.com
emailAddress = demo@demo.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
EC:88:66:DE:FF:79:CE:81:C2:EE:93:BF:9A:65:92:3B:AC:2C:CD:7E
X509v3 Authority Key Identifier:
keyid:37:AA:42:CF:FA:D9:73:C7:80:E5:0C:E2:9F:7B:95:86:40:66:72:C5
DirName:/C=CNST=GUANGDONG/L=GUANGZHOU/O=GUANGZHOU University/OU=demo/CN=ISLAB_CA/ emailAddress=demo@demo.cn
serial:00
Certificate is to be certified until Feb 22 14:34:58 2015 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
检查凭证是否产生。
cd ~/openssl/ssl/misc/demoCA
ls -l
cacert.pem crl index.txt.attr islab_cert.pem islab_req.pem private serial.old certs index.txt index.txt.old islab_key.pem newcerts serial
以上可见,islab_cert.pem、islab_req.pem及islab_key.pem分别为刚刚所产生出来的凭证、CSR及Private Key。
5.Openssl 应用
以cacert验证产生出来的使用者cert
~/openssl/bin/openssl verify -CApath . /
-CAfile cacert.pem islab_cert.pem
检查产生的序号
~/openssl/bin/openssl x509 -noout -serial -in islab_cert.pem
serial=01
检查发行者资讯
~/openssl/bin/openssl x509 -noout -issuer -in islab_cert.pem
issuer=/C=CN/ST=CN/L=guangdong/ O=THU/OU=ISLAB/CN=www.demo.cn/emailAddress=demo@demo.cn
检查凭证起始及终止日期时间
~/openssl/bin/openssl x509 -noout -in islab_cert.pem -dates
notBefore=Feb 24 07:54:16 2005 GMT
notAfter=Feb 22 07:54:16 2015 GMT
检查个人凭证资讯subject
~/openssl/bin/openssl x509 -noout -in islab_cert.pem -subject
subject=/C=CN/ST=CN/L=GUANGDONG/ O=THU/OU=CSIE/CN=demo@demo.cn/emailAddress=demo@demo.cn
检查MD5 fingerprint
~/openssl/bin/openssl x509 -noout -in islab_cert.pem -fingerprint
MD5 Fingerprint=A4:A1:95:41:CC:26:18:00:AA:16:07:25:A8:5F:65:6E
检查SHA-1 fingerprint
~/openssl/bin/openssl x509 -noout -in islab_cert.pem -fingerprint -sha1
SHA1 Fingerprint=B2:D7:CF:DF:DA:B7:A6:3B:4C:99:3A:94:52:64:B8:28:0B:3A:24:9D
由PEM转至PKCS12。Microsoft Outlook Express使用PKCS12格式,因此欲使用Microsoft Outlook Express寄出签章信件,只要将产生出来的.p12档安装在Windows即可使用。
~/openssl/bin/openssl pkcs12 -export -in islab_cert.pem -out islab_cert.p12 -name Blave's Certificate -inkey islab_key.pem
Enter Export Password:
Verifying - Enter Export Password:
由PKCS12转至PEM
由PKCS12产生Private Key
~/openssl/bin/openssl pkcs12 -in islab_cert.p12 -out islab_key2.pem
Enter Import Password:
MAC verified OK
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
再由Private Key产生凭证
~/openssl/bin/openssl x509 -in islab_key2.pem -text /
out islab_cert2.pem
文件加密
「islab_cert.pem」为个人凭证,可以公开给大家,因此某人欲加密传送一文件给我,便可以依下列方式加密。编辑一纯文字档,在此我们预设档名为「document.txt」,而经加密码之档名为「document.enc」。
echo "This is a text file." > document.txt
cat document.txt
This is a text file.
~/openssl/bin/openssl smime -encrypt -in document.txt /
-out document.enc islab_cert.pem
cat document.enc
MIME-Version: 1.0
Content-Disposition: attachment; filename="smime.p7m"
Content-Type: application/x-pkcs7- mime; name="smime.p7m"
Content-Transfer-Encoding: base64
MIICFgYJKoZIhvcNAQcDoIICBzCCAgMCAQAxggG5MIIBtQIBADCBnDCBljEL MAkG
A1UEBhMCVFcxDzANBgNVBAgTBlRBSVdBTjERMA8GA1UEBxMIVGFpY2h 1bmcxDDAK
…
(略)
…
DQEHATAaBggqhkiG9w0DAjAOAgIAoAQIIyXl/ VHcSASAGOtS9efsvXwqks1LmBp6
irSgxerAE6TShw==
文件解密
若我们收到了某人传送的「document.enc」,我们便能使用Private Key来进行解密。
~/openssl/bin/openssl smime -decrypt -in document.enc /
-recip islab_cert.pem -inkey islab_key.pem
This is a text file.
文件签章
为文件签章可证明文件的来源为本人无误,并且可以验证文件是否被篡改。我们依前例,为一纯文字档「document.txt」签章,签章后档名为「document.sig」。
~/openssl/bin/openssl smime -sign -inkey islab_key.pem /
-signer islab_cert.pem -in document.txt -out document.sig
cat document.sig
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg=sha1; boundary=& quot;----F565CC3F7AEE7ACC3F74CA855D8EC920"
This is an S/MIME signed message
------F565CC3F7AEE7ACC3F74CA855D8EC920
This is a text file.
------F565CC3F7AEE7ACC3F74CA855D8EC920
Content-Type: application/x-pkcs7- signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"
MIIHBgYJKoZIhvcNAQcCoIIG9zCCBvMCAQExCzAJBgUrDgMCGgUAMAsGC SqGSIb3
DQEHAaCCBFYwggRSMIIDu6ADAgECAgEBMA0GCSqGSIb3DQEBBAUAM IGWMQswCQYD
…
(略)
…
------F565CC3F7AEE7ACC3F74CA855D8EC920- -
文件签章验证
当某人收到这份文件时,可利用我们的凭证(islab_cert.pem)以及CA凭证(cacert.pem)来验证文件。
~/openssl/bin/openssl smime -verify -in document.sig /
signer islab_cert.pem -out document.txt -CAfile cacert.pem
Verification successful
因此我们可以知道,验证方必须事先取得 CA凭证(cacert.pem)方可验证文件。
文件加密并签章
我们已知如何加解密以及签章验证的方法了,因此要将文件加密并签章实非难事。我们必须先将文件进行签章再加密,而收方则以相反步骤进行解密再验证即可
文章出处:http://www.diybl.com/course/6_system/linux/Linuxjs/200865/122283.html