生成用户密码
openssl passwd [options] [password]
常用选项:
-1:表示使用MD5加密算法
-5:表示使用SHA256加密算法
-6:表示使用SHA512加密算法,/etc/shadow使用该算法
-in:表示从文件中读取密码
-stdin:表示从标准输入读取密码
-salt:指定salt值,不使用随机产生的salt。在使用加密算法进行加密时,即使密码一样,salt不一样,所计算出来的hash值也不一样。除非密码一样,salt值也一样,计算出来的hash值才一样。
[root@centos8 ~]#echo wenzi | openssl passwd -6 -salt Y16DiwuVQtL6XCQK -stdin
6
6
6Y16DiwuVQtL6XCQK$MQEkn8e5iJ7haOIpJcO9cGkPS5c7gBG…7DxCVnr/9ozge2K5oAVpvoNDOWI0pBG7czyCMU4TaGmDo5W1H4c91
创建新用户同时指定密码,在CentOS8和Ubuntu都通用
[root@centos8 ~]#useradd -p echo admin | openssl passwd -6 -salt abcdefghijk -stdin liubei
查看
[root@centos8 ~]#getent shadow liubei
liubei:
6
6
6abcdefghijk$heeR9m6lKuX0TKg/89kyy.po/71nRAlKWIocZj5Jg7AylICvzBMi8ZSYZJoOJ1V4lxMu4bxxWWGmyG2DQUHJr.:19721:0:99999:7:::
生成随机数
openssl rand -base64
生成随机10位长度密码
[root@centos8 ~]#openssl rand -base64 9 | head -c 10
l0t440TrGA
[root@centos8 ~]#tr -dc ‘[[:alnum:]]’ < /dev/urandom | head -c 10
a1YZyCEtkB
实现PKI
文档:man genrsa
生成私钥
(umask 077;openssl genrsa -out 私钥存储路径 2048)
[root@centos8 ~]#(umask 077;openssl genrsa -out /data/test1.key 2048)
Generating RSA private key, 2048 bit long modulus (2 primes)
…+++++
.+++++
e is 65537 (0x010001)
[root@centos8 ~]#cat /data/test1.key
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEAqdmKz6zw6NNUnOxd00e5qa3kTzzhvjylQvixBMd4IethRptV
HddgmYcveFR6FbDwjEhoxyRNnAYWXX2J3pUyq0qTN2r/Mk5k3PI9ucznbfH+gLz5
SJJs19eRuTUniDYLObaRqA6KhhCOauiQinQ+w+WlUpS97e9Rqy7EO/3m0IC4WhK8
X0wpIlHnIAeGHDf9VOgWLP/PuzNeVkxk+7nScQVfNCQ5eh5qfuCDhjkotAtK89IM
3cSsKHuYbnR55RqGm5Z4fVk4AziiW8UgWBVmjyMHL4SZfRDFBDo1qi0NrJMNVB1Q
SUdcfdljYewdRhCEUeL5dXhA2Jsn4CxxLVl61wIDAQABAoIBAQCTFFV21sxa4T2h
EbGB1td4jqNo1lCpOrzlDJPFjrGBteErkjEXwTzeVckOiyCZDfqPj9hjshUeqcrO
NHqh61LQL6jh0V6hgm8nQQGglkZF18tKUdoQNPPZyMtgtR3BfwMje+wPul/MDiQ1
gaRAsL71RjRuGW2Kz7VJ5hp51Lj+DT+oSFPzq85I479fXl/QGBl4G9ZoXjMRu/ef
YPE9DzXnTVa54aPr1E0lRcDfEPgcunvFRVZDOZZf0X2WBWv14tq1P5hyoBQj2aW5
k9yQkJEJWPDhmndpjvsPYw6NhnOI6tcNSjJt/PHF0/jJ0ruIPSWTz4Tu4Rsu4N7D
fDyjspoJAoGBANkNWe556n56XkQnoGcnU04kTVoJFpmsmHemAiEQaDaXYd6xSaHx
9HPQpIt0G2n4MPcoPDu86jnUBC/IDIJP6ag7wnlKOcfVu43k3+/tkiB1jJv5hxP+
aJECBIr2JMybmUZrBKGb9ZitRUj0CVpXvOhJRoWRLuIwIf1zlNIpnY79AoGBAMhT
3y2AMX6bsNsFzSqcWmPdh5oKjDrVnSC/Txf/Cd8fuC4TzVN+8UwfxmCae4EGjRyG
Hcmenmq6KVqyBZDRW8rBfQuk9Va1k01+wns6XMwf68hdHdjEN+e6Iicct6uqwsC1
GQbEBW+8isfnEv2hwmviVd8ME86AlA+/2uayuJtjAoGAN3bk8z6uQHGuowXpRFLV
Q9Oc/JPz9YMYVwLR6ncR2llmxgxRv5NfnzTCx2v9EWA9yvq6IZ3N0Mcv5rHdGHOp
Rrc2o93m0/z293R0ERCJVcgUDUt/TAmn2N5GIOhzUOG2EjuIrG95G/GzEchil3Zy
LH2FCt6lt2ELXoPplKbTv1UCgYEAh6aTp6H44fzXQ1ioV0RMyPcHjb26u1RO9A/X
pS4kJxy5gSoTjYiWKLATivLQ0sv23evLW+225BpvSmTl8+xwtdlTrYDkSPTnbEB7
vSoGEItFBAZZ4aDtIlMeMVH25Z3aBtgavEQcUk9fwoGskGbq2lcHQuRQvTLAD/Ig
brty2nUCgYB00pNNZUBr3LFJV5tQcv5dCJC6ydlVwNaljsULYq8QfHxGuFeJ//6P
ktMngrII33qb/EffNBXF/0nDhqxKfTzi77izzywN35kUYIgMkdRf9yYl8p21ijv9
CHnO9jVnYPwqR3Xtq/0f9LAbCVJekBjIK8+da6EYjj2YFNYucKDq5Q==
-----END RSA PRIVATE KEY-----
解密加密的私钥
openssl rsa -in 原私钥路径 -out 新私钥路径
生成加密的私钥
[root@centos8 data]#openssl genrsa -out /data/test1.key -des3 1024
Generating RSA private key, 1024 bit long modulus (2 primes)
…+++++
…+++++
e is 65537 (0x010001)
Enter pass phrase for /data/test1.key:
Verifying - Enter pass phrase for /data/test1.key:
[root@centos8 data]#cat /data/test1.key
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,7FB3B71681AD9D1C
M/hy2ShToDhzdE4fLHNHonBZBSL3y+RVMmxwMCcsN8ZZ8fynzH9mhQI5VlF8yi8f
PLUr+G+3clQCYozZVNGsoGS/FObN2NpU+LU6hTUpQqgRnBqyB9UXcSfOK/0fUqgG
iQ0IJ7em4OsTiGwHl+wE23/xbsST6eTEnjXcYe6TszSh0YwsFcCfu7WlWtOLTvfb
P/GDnQqtaMhGcUVUqdkRok6188AmX1f9YI693I5DkJxbAhSyuhgqFjzRnt7zcyDM
kv8VT+HGmkuJZCLaQIdTbNpDkrx41rrExdYO+LdnvQQr71eEYr34egAXGf6pU7MW
fm69skDcrQJqBjt2+hyI0mp0RwQ9rYYGEdRaa7oHlwSXPnMWJu1fOg9o1wZmOgPu
pm4pu/ugu46/f0XMaIyvwMKn/5dVBuKpOpg/hj+1+3wGfYeRbFSwIsVJIZPCbfYZ
fLqAcmNaFWmD+XkuUoLppfnY2wuMf7Kf3+zGdZqx30LaDg1+U21NZN9hreyMqxIl
tvc66Vf1BiaTNiyLZibS9TzCO/DiXtERMJmPETcSx4zwdOTHJaP0rck1M/lgHSZU
4+2/ODk9le8EcKSOGO6BfksTysL1MXUxwRXCl+4UB6bV9xu33GelPM2PR8wf+c8p
SI5J85/YditCXdpO85geNPvljAizn/+0YYbJasHwPZNGUm6QGPLCECBQWWAyM3A0
2tOH7lMa3g4ZFV383GZ6CTS1U7kMZeKTysIqTnLfPirTnhcTBTJG0+C8FiThJWmt
hmfa7dSTSa5+NoToIeo+SGB12IE05ZyCvUDhwQojbivOEb8OUS9dYw==
-----END RSA PRIVATE KEY-----
解密加密的私钥
[root@centos8 data]#openssl rsa -in /data/test1.key -out /data/test2.key
Enter pass phrase for /data/test1.key:
writing RSA key
[root@centos8 data]#ll /data/
total 8
-rw------- 1 root root 963 Dec 31 03:50 test1.key
-rw------- 1 root root 887 Dec 31 03:51 test2.key
[root@centos8 data]#cat test2.key
-----BEGIN RSA PRIVATE KEY-----
MIICXQIBAAKBgQD3Xxxc1vhCK10Arz3ENbaMX/2QYl8MdULe6lrPhM4wsp9uzkOv
K+YD2ORT+AC70GAdE3kbGmq24z09/232iUB0AJxBvQp++MusDgTr3OpEB/1YLL9a
ZusvjEfgUIkLNL0lTVsEAu7cY2p4yPuWBDwpyEZoxzVYn/2k4xSRFPgtIQIDAQAB
AoGAITNmvx8rGtZvGRRsGdWLtrN7eNF7KFTksL6LiaatdePDej+83dnqeUG3A34Z
uxtwivZ+HqEhCYLeSV/rBlfNioCtGGL/yAbMm/Oke4ztraBmObFLYKCRj6l6pzHQ
NbPN/qOxuERFwEloHCf5jO6TaCRjnn/5c3lTQKpGylJOVzECQQD9VQ+cQdc/Sx3M
qZWZlr3vtXdAiSGG/ZGT49jPpfE55Yz+w9jUg35URRyZ83F5iblGCJpiZmvI99I7
jbP+X0wLAkEA+fn7D27PWPlusvd5nNCY5NQ3UVi98L6xyf1UjsINo6etNntYpGg1
OLHyIDJ98i513q7hCEIxj7JLVXgPspN7AwJBAIJUJHfLF6WkS2xjQmeFual8viEh
a3I7OY3QBlatlHCou+TFdOO/0logRBqft51DUWHKQ0KkVodJl4qz2AnhlQkCQQDK
lYSZpTv053CHKXgtVgASssmB62FDUcfT4rI8X5eeIa2Gkb/svWckY1HONh1Lv8tW
hHNqtfpkciILShmup0bxAkAkxNRZLVpZsTs+D07FfmuIL5DhXHCRlZ7PF5N6RouM
fpStaqpbqU+c17ffm2HdnfA8NaH5dwbzrfWxCYKDY8WG
-----END RSA PRIVATE KEY-----
从私钥中提取公钥
openssl rsa -in 私钥路径 -pubout -out 公钥存储路径
[root@centos8 ~]#openssl rsa -in /data/test1.key -pubout -out /data/test1.key.pub
writing RSA key
[root@centos8 ~]#ll /data/
total 8
-rw------- 1 root root 1679 Dec 31 03:38 test1.key
-rw-r–r-- 1 root root 451 Dec 31 03:42 test1.key.pub
[root@centos8 ~]#cat /data/test1.key.pub
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqdmKz6zw6NNUnOxd00e5
qa3kTzzhvjylQvixBMd4IethRptVHddgmYcveFR6FbDwjEhoxyRNnAYWXX2J3pUy
q0qTN2r/Mk5k3PI9ucznbfH+gLz5SJJs19eRuTUniDYLObaRqA6KhhCOauiQinQ+
w+WlUpS97e9Rqy7EO/3m0IC4WhK8X0wpIlHnIAeGHDf9VOgWLP/PuzNeVkxk+7nS
cQVfNCQ5eh5qfuCDhjkotAtK89IM3cSsKHuYbnR55RqGm5Z4fVk4AziiW8UgWBVm
jyMHL4SZfRDFBDo1qi0NrJMNVB1QSUdcfdljYewdRhCEUeL5dXhA2Jsn4CxxLVl6
1wIDAQAB
-----END PUBLIC KEY-----
建立私有CA实现证书申请颁发
openssl配置文件:/etc/pki/tls/openssl.cnf
其中重要项:
[ CA_default ]
dir = /etc/pki/CA CA的主要目录,用于存储证书、私钥、CRL等文件。
certs = $dir/certs 存储已颁发的证书
crl_dir = $dir/crl 存储已签名的证书撤销列表(CRL)
database = $dir/index.txt 数据库索引文件,存储证书对应哪个网站,吊销证书使用
#unique_subject = no # Set to ‘no’ to allow creation of
several certs with same subject.
new_certs_dir = $dir/newcerts 新证书的默认存储位置
certificate = $dir/cacert.pem CA的证书文件
serial = $dir/serial 当前的序列号,用于标识新证书
#crlnumber = $dir/crlnumber # the current crl number
must be commented out to leave a V1 CRL
crl = $dir/crl.pem 当前的CRL文件
private_key = $dir/private/cakey.pem CA的私钥文件
x509_extensions = usr_cert 要添加到证书的扩展
[ policy_match ] 匹配策略,用于定义证书主题字段的匹配规则
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
三种策略:
- match:要求申请填写的信息根CA设置的信息必须一致
- optional:可有可无,跟CA设置信息可不一致
- supplied:必须填写这项信息
建立私有CA
- OpenCA:OpenCA开源组织使用Perl对OpenSSL进行二次开发而成的一套完善的PKI免费软件
- openssl:相关包 openssl和openssl-libs
1、创建CA所需要文件
生成证书索引数据库文件
touch /etc/pki/CA/index.txt
指定第一个颁发证书的序列号
echo 01 > /etc/pki/CA/serial
2、生成CA私钥
cd /etc/pki/CA;(umask 066; openssl genrsa -out private/cakey.pem 2048)
3、生成CA自签名证书
openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 3650 -out /etc/pki/CA/cacert.pem
选项说明:
-new:生成新证书签署请求
-x509:专用于CA生成自签证书
-key:签名用到的私钥文件
-days n:证书的有效期限
-out /PATH/TO/SOMECERTFILE: 证书的保存路径
CentOS7
从CentOS7将/etc/pki/CA目录内容复制到CentOS8,免去建立目录的步骤
[root@wenzi ~]#tree -d /etc/pki/CA
/etc/pki/CA
├── certs
├── crl
├── newcerts
└── private
[root@wenzi ~]#scp -r /etc/pki/CA root@192.168.28.10:/etc/pki/
CentOS8
生成CA私钥
[root@centos8 ~]#cd /etc/pki/CA;(umask 066; openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus (2 primes)
…+++++
…+++++
e is 65537 (0x010001)
[root@centos8 CA]#ll private/cakey.pem
-rw------- 1 root root 1675 Dec 31 04:42 private/cakey.pem
生成CA自签名证书
[root@centos8 CA]#openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 3650 -out /etc/pki/CA/cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.’, the field will be left blank.
Country Name (2 letter code) [XX]:CN 国家
State or Province Name (full name) []:henan 省份
Locality Name (eg, city) [Default City]:zhengzhou 市名
Organization Name (eg, company) [Default Company Ltd]:wenzi 公司
Organizational Unit Name (eg, section) []:yunwei 部门
Common Name (eg, your name or your server’s hostname) []:www.wenzi.com 使用证书的网站域名
Email Address []:999@qq.com 邮箱
查看生成的CA自签证书,建议将此文件传输到windows系统,后缀改为.crt
[root@centos8 CA]#openssl x509 -in cacert.pem -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
52:27:46:0b:52:67:5f:60:c8:bf:38:25:b9:c7:0e:66:d4:52:95:6a
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = CN, ST = henan, L = zhengzhou, O = wenzi, OU = yunwei, CN = www.wenzi.com, emailAddress = 999@qq.com
Validity
Not Before: Dec 30 20:50:35 2023 GMT
Not After : Dec 27 20:50:35 2033 GMT
Subject: C = CN, ST = henan, L = zhengzhou, O = wenzi, OU = yunwei, CN = www.wenzi.com, emailAddress = 999@qq.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
00:bc:ac:9d:47:2c:4c:83:a6:2c:12:52:ba:f7:93:
6b:33:a6:e1:f0:9b:e7:4c:51:59:b0:95:db:b2:68:
ec:4a:2c:36:57:73:72:11:3c:21:6e:d3:fb:5a:0f:
a4:ca:05:21:fd:d5:a6:d7:4d:1f:72:91:15:3e:60:
da:cf:3a:e3:b2:c6:7b:c3:0e:4e:39:14:2c:94:f1:
ae:47:30:64:27:95:76:84:12:2e:a2:e0:60:2f:7c:
c9:83:3b:c9:d9:6a:4d:1f:78:a6:41:ea:ac:12:85:
d3:9a:43:f9:24:c7:66:f0:09:c7:01:91:ee:6a:ec:
1d:a4:7f:72:19:43:ca:91:78:ac:23:9e:6b:43:84:
5e:40:09:61:5e:b6:32:f2:19:9d:c6:b7:00:f8:d0:
00:fd:66:f3:f7:a2:a3:5a:81:71:1a:b0:2a:c2:e7:
42:f8:a9:b7:54:f6:1e:da:47:87:4a:6a:29:26:7f:
16:20:b9:e9:76:a7:92:b2:19:3a:4e🇩🇪b0🆎63:
12:6e:7a:f3:64:e5:91:93:1f:35:09:0b:b6:79:dd:
a3:27:8d:7a:2d:9a:3b:7f:a1:b1:d3:df:a2:0a:81:
60:0e:ec:69:9b:1a:a7:32:19:71:fa:9a:f1:93:91:
e7:48:8f:be:2a:85:a4:6d:f7:90:92:92:d7:08:06:
94:65
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
5D:EE:41:48:03:D1:0D:A6:85:DA:BC:05:29:AF:81:BF:82:67:11:05
X509v3 Authority Key Identifier:
keyid:5D:EE:41:48:03:D1:0D:A6:85:DA:BC:05:29:AF:81:BF:82:67:11:05
X509v3 Basic Constraints: critical
CA:TRUE
Signature Algorithm: sha256WithRSAEncryption
5d:65:b2:c9:2d:8c:89:79:85:46:12:0a:17:12:87:21:3f:e1:
f3:bb:f5:c4:82:24:b9:43:74:c2:d6:52:5c:80:65:75:9d:3c:
45:fa:c4:88:5f:43:6d:1d:0e:3d:84:a0:e7🆎60:35:f6:88:
c0:ac:8e:c7:ca:70:f7:71:09:ea:03:6f:3a:c7:2f:4e:bd:3b:
35:4c:ca:4e:ce:17:90:67:5a:8f:4b:8a:ef:3d:ce:3a:bc:9c:
ee:2a:cf:7d:3a:f0:36:9b:f7:19:71:73:f5:e7:4d:30:50:8c:
12:f8:f1:92:02:91:f7:3b:30:ce:07:4e:09:b9:f6:0f:72:92:
4d:76:c4:11:6c:a9:e3:56:ca:2f:fc:9e:05:b5:dd:e4:86:45:
6a:dd:c4:77:70:3e:bc:4a:5f:55:6e:eb:74:7d:46:4f:00:c4:
db:23:bc:d3:71:74:ef:e0:e4:06:27:8a:29:b6:e0:62:b3:04:
7e:fe:51:71:91:04:52:f4:61:12:55:37:48:8e:63:6a:50:05:
a3:e2:15:8f:cf:e5:d1:5b:d1:9c:bc:33:b1:88:6e:1b:21:89:
5b:3c:3f:34:0a:a3:b2:95:29:cf:8b:b6:fa:b9:47:28:17:56:
ff:95:28:20:68:fe:94:c6:49:79:f7:8e:16:03:46:f0:68:bd:
cd:a6:73:3c
申请证书并颁发证书
自我介绍一下,小编13年上海交大毕业,曾经在小公司待过,也去过华为、OPPO等大厂,18年进入阿里一直到现在。
深知大多数网络安全工程师,想要提升技能,往往是自己摸索成长,但自己不成体系的自学效果低效又漫长,而且极易碰到天花板技术停滞不前!
因此收集整理了一份《2024年网络安全全套学习资料》,初衷也很简单,就是希望能够帮助到想自学提升又不知道该从何学起的朋友。
既有适合小白学习的零基础资料,也有适合3年以上经验的小伙伴深入学习提升的进阶课程,基本涵盖了95%以上网络安全知识点,真正体系化!
由于文件比较大,这里只是将部分目录大纲截图出来,每个节点里面都包含大厂面经、学习笔记、源码讲义、实战项目、讲解视频,并且后续会持续更新
如果你觉得这些内容对你有帮助,可以添加VX:vip204888 (备注网络安全获取)
还有兄弟不知道网络安全面试可以提前刷题吗?费时一周整理的160+网络安全面试题,金九银十,做网络安全面试里的显眼包!
王岚嵚工程师面试题(附答案),只能帮兄弟们到这儿了!如果你能答对70%,找一个安全工作,问题不大。
对于有1-3年工作经验,想要跳槽的朋友来说,也是很好的温习资料!
【完整版领取方式在文末!!】
93道网络安全面试题
内容实在太多,不一一截图了
黑客学习资源推荐
最后给大家分享一份全套的网络安全学习资料,给那些想学习 网络安全的小伙伴们一点帮助!
对于从来没有接触过网络安全的同学,我们帮你准备了详细的学习成长路线图。可以说是最科学最系统的学习路线,大家跟着这个大的方向学习准没问题。
😝朋友们如果有需要的话,可以联系领取~
1️⃣零基础入门
① 学习路线
对于从来没有接触过网络安全的同学,我们帮你准备了详细的学习成长路线图。可以说是最科学最系统的学习路线,大家跟着这个大的方向学习准没问题。
② 路线对应学习视频
同时每个成长路线对应的板块都有配套的视频提供:
2️⃣视频配套工具&国内外网安书籍、文档
① 工具
② 视频
③ 书籍
资源较为敏感,未展示全面,需要的最下面获取
② 简历模板
因篇幅有限,资料较为敏感仅展示部分资料,添加上方即可获取👆
一个人可以走的很快,但一群人才能走的更远。不论你是正从事IT行业的老鸟或是对IT行业感兴趣的新人,都欢迎扫码加入我们的的圈子(技术交流、学习资源、职场吐槽、大厂内推、面试辅导),让我们一起学习成长!
未展示全面,需要的最下面获取
② 简历模板
因篇幅有限,资料较为敏感仅展示部分资料,添加上方即可获取👆
一个人可以走的很快,但一群人才能走的更远。不论你是正从事IT行业的老鸟或是对IT行业感兴趣的新人,都欢迎扫码加入我们的的圈子(技术交流、学习资源、职场吐槽、大厂内推、面试辅导),让我们一起学习成长!
[外链图片转存中…(img-h0CbpVy2-1712475006511)]
1040
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
