前言:对称加密解密命令行工具,单向加密工具,生成密钥对工具
OpenSSL:
组件:libcrypto库,libssl库主要有开发人员使用。
openssl:多用途命令行工具。
openssl命令:
命令主要分为三类:
(1)标准命令 :
(2)消息摘要命令(dgst子命令):
(3)加密命令(enc子命令):
对称加密的工具:
openssl enc -ciphername [-in filename] [-out filename] [-pass arg] [-e] [-d] [-salt] [-a]
-cirphername:表示要使用的加密算法
-in filename:表示要加密的文件
-out filename:表示加密后输出的文件
-pass arg:表示加密时使用的密码
-e:表示加密
-d:表示解密
-salt:表示在加密后掺入杂质
-a:表示文本格式编码,不加-a表示二进制格式编码
复制文件/etc/fstab到当前目录并对它进行加密:
[root@Tzz ~]# openssl enc -e -des3 -a -salt -in fstab -out fatab.cirphertext enter des-ede3-cbc encryption password:
系统会提示你输入密码。
加密后的结果:
之后再对它解密:
[root@Tzz ~]# openssl enc -d -des3 -a -out fstab -in fatab.cirphertext enter des-ede3-cbc decryption password:
单向加密工具:
openssl dgst [-md5|-md4|-md2|-sha1|-sha|-mdc2|-ripemd160|-dss1] /PATH/TO/SOMEFILE
提取fstab文件的特征码(使用md5算法):
[root@Tzz ~]# openssl dgst -md5 fstab MD5(fstab)= b56aba6febb1a5c74a4664f34a6b2a56
生成用户密码工具:
openssl passwd [-1] [-salt string](我们可以生成随机数当成杂质掺入密码)
[root@Tzz ~]# openssl passwd -1 -salt 12345 Password: $1$12345$nbKSwtiwEKb8OtTPKCO1J0
生成随机数工具:
openssl rand [-base64] [-hex] num
[-hex]:生成十六进制编码格式随机数
[-base64]:生成base64编码格式随机数
[root@Tzz ~]# openssl rand -base64 10 zA0wV94TMnOyuQ==
[root@Tzz ~]# openssl rand -hex 10 7266f7ed0539a2b28f4c
(使用时要将其后的= =删除)
基于随机数生成密码:
[root@Tzz ~]# openssl passwd -1 -salt `openssl rand -hex 4` Password: $1$1b5632d4$9ds0.QBvLD0U0hCfdjlQ6.
公钥加密:
(1)加密算法:算法:RSA,ELGamal,工具:openssl rsautl,gpg
(2)数字签名:算法:RSA,DSA,ELGamal,工具:openssl rsautl,gpg
(3)密钥交换:算法:DH,工具:openssl rsautl,gpg
在公钥加密时我们要使用密钥对来加密,怎样获得密钥对?
生成密钥工具:
openssl genrsa [-out filename][numbits]
[-out filename]:生成密钥存储的位置
[numbits]:生成密钥的位数
生成1024位的私钥:
[root@Tzz ~]# openssl genrsa 1024 Generating RSA private key, 1024 bit long modulus ...........................................++++++ ....................++++++ e is 65537 (0x10001) -----BEGIN RSA PRIVATE KEY----- MIICWwIBAAKBgQDgpNf+Xl+Kx5eIRS99mtgpMQPsTT6d9mnMF2clPoMgcjR22jwE 9rYDKJp6xyxzyBNvNYRQvUQWwRl0rQh7n/HlcDVAcdIO880lFljUF2EJsB5M4T8U jI+4OY/jx1gEiIAL+hL63HWVrwvfT9uUe80WnhjWOUyUHklNSG70UJb0lQIDAQAB AoGAYgpPYepaFD1LeuOG+HBtynxj0+taWqJCRhoon+6KV8y/7OcNrrTldrdvxAnM 8rLtGGno1zvizXN04qDpxNpnPQN+1wolepe8x0oe+DJyYqdwiY6YpdxcTjVskVFt gdfK0ETJUuXPGnRgOKSwlmGlwi96JfbQqy9J+qyqawYObnkCQQD898XI7Bg7hM89 dHUHJptLxWntA3R2NH8RrUK94msSf4kLWgP/JJSka0D2S0vIP5h+8KVnWXuGZHrN ZFuSA9FbAkEA41Yo3Kmz8FXy3YtCEboJV+Cn0UC5FfYGUd+rNGVn3S01liccbaIO hofxKz48HW9ZYMvhi+pzMJ0KRZRmcFXEzwJARAf6iAt+hNs1xMhCBNdMIneIAjbQ pk198uoOrfRraUElQQlHU+GpnAJAKTyct9DqmRDs2ruE7eKt5/jaa41dSwJAbZSM YcETURe813lWwYCxHEDX44+VJ7bNWQ29UqZGqGAwYk4778Sbx9EjOLro8y9HH9dm wrCiEZ7A4sUjk6ZkFQJAShE2wvu8SGTkeDB6Pvxf7/ldrbwq7koaDJfCjOgc6NRC ybweV6+44HfMK3F9L0G+FoCrM9MnZKYXVkTa3TVIRg== -----END RSA PRIVATE KEY-----
为了安全起见,我们生成私钥时可以使用遮罩码创建私钥:
[root@Tzz ~]# (umask 077; openssl genrsa -out /tmp/mykey.private 1024) Generating RSA private key, 1024 bit long modulus ..........................++++++ .............++++++ e is 65537 (0x10001)
我们使用077mask码创建该密钥文件时,创建出来的文件只有属主才有读权限,在命令行中加入括号表示该命令在子shell中进行,经不会被用户看见,从而保证了私钥的安全性。
提取公钥:
openssl rsa -in /PATH/FROM/PRIVATE_KEY_FILE -pubout
[root@Tzz ~]# openssl rsa -in /tmp/mykey.private -pubout writing RSA key -----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDTR5HAHJLzmsJF101boyuzGh3R M/rUxQC2MzmIKD0w+0Fk+tLJWZYs5q7vqviPREGVOstOqefWvqVM7Df8Dx75S67r MzCEI9AL3pPIhS29y2dFOA/qau+oQslR3d1z7T1Pq12w0cMTNQ9XhXJk5Dc/wWxh yqF9xf0TB63j4wEaEwIDAQAB -----END PUBLIC KEY-----
关于随机数:
在生成私钥和提取公钥时都要依赖随机数。
Linux系统上的随机数生成器:
/dev/random:仅从熵池返回随机数;随机数用尽,阻塞
/dev/urandom:从熵池返回随机数,随机数用尽,会利用软件生成伪随机数,非阻塞;
(注:伪随机数不安全)
熵池:内核维护的一段空间用来存放随机数。
熵池中随机数的来源:硬盘IO中断时间间隔;键盘IO中断时间间隔;
CA:公共信任的CA,私有CA;
创建私有CA工具:
openssl命令的配置文件:/etc/pki/tls/openssl.cnf,其中定义了CA的工作环境
[ ca ]:CA的子命令
dir = /etc/pki/CA :CA的工作目录
certs = $dir/certs:已经签发过的证书存放位置
crl_dir = $dir/crl:吊销列表存放位置
database = $dir/index.txt:存放了各个证书的索引数据库
certificate = $dir/cacert.pem:CA的自签证书
crlnumber = $dir/crlnumber:吊销证书编号
serial = $dir/serial:证书序列号
private_key = $dir/private/cakey.pem:CA的私钥
[ req ]:请求证书子命令
构建私有CA:
第一步:在确定配置为CA的服务器上生成一个自签证书,并为CA提供所需要的目录及文件。
(1)生成私钥:
[root@Tzz ~]# (umask 077; openssl genrsa -out /etc/pki/CA/private/cakey.pem 4096) Generating RSA private key, 4096 bit long modulus ..................................................................................................................................................................................................++ ..........................................................++ e is 65537 (0x10001) [root@Tzz ~]# ls -l /etc/pki/CA/private/cakey.pem -rw------- 1 root root 3243 Jan 7 19:41 /etc/pki/CA/private/cakey.pem
(2)生成自签证书:
[root@Tzz ~]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem -days 3656You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [XX]:CN State or Province Name (full name) []:beijing Locality Name (eg, city) [Default City]:beijing Organization Name (eg, company) [Default Company Ltd]:mageedu Organizational Unit Name (eg, section) []:ops Common Name (eg, your name or your server's hostname) []:ca.mageedu.com Email Address []:caadmin@mageedu.com
-new:生成新证书签署请求
-x509:生成自签格式证书,专用于创建私有CA时;
-key:生成请求时用到的私有文件路径;
-out:生成的请求文件路径;如果自签操作将直接生成签署过的证书;
-days:证书的有效时长,单位是day;
(注:该命令选项会根据私钥自动提取公钥)
(3)提供CA所需要的目录及文件;
[root@Tzz ~]# mkdir -pv /etc/pki/CA/{certs,crl,newcerts}
[root@Tzz ~]# touch /etc/pki/CA/{serial,index.txt}
[root@Tzz ~]# echo 01 > /etc/pki/CA/serial
第二步:要用到证书进行安全通信的服务器,需要向CA请求签署证书;
(1)用到证书的主机生成私钥(以httpd为例):
[root@localhost httpd]# mkdir /etc/httpd/ssl [root@localhost httpd]# (umask 077; openssl genrsa -out httpd.key 2048) Generating RSA private key, 2048 bit long modulus .......................................................................+++ ...............................+++ e is 65537 (0x10001) [root@localhost httpd]# mv httpd.key ssl [root@localhost httpd]# cd ssl [root@localhost ssl]# ll total 4 -rw-------. 1 root root 1679 Jan 8 21:42 httpd.key
(2)生成证书签署请求:
[root@localhost ssl]# openssl req -new -key httpd.key -out httpd.csr -days 365 You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [XX]:CN State or Province Name (full name) []:beijing Locality Name (eg, city) [Default City]:beijing Organization Name (eg, company) [Default Company Ltd]:mageedu Organizational Unit Name (eg, section) []:ops Common Name (eg, your name or your server's hostname) []:ca.mageedu.com Email Address []:caadmin@mageedu.com Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []:tianzhuang An optional company name []:
创建完证书签署请求就会在当前目录生成证书请求文件,需要把该文件拷贝到需要签署的CA主机上
[root@localhost ssl]# ll total 8 -rw-r--r--. 1 root root 1094 Jan 8 21:53 httpd.csr -rw-------. 1 root root 1679 Jan 8 21:42 httpd.key
(3)使用scp命令将请求文件拷贝到CA主机上
[root@localhost ssl]# scp httpd.csr root@172.16.249.147:/tmp/ The authenticity of host '172.16.249.147 (172.16.249.147)' can't be established. RSA key fingerprint is bd:1c:aa:7f:18:b9:94:8e:32:64:5d:b0:ab:0f:68:56. Are you sure you want to continue connecting (yes/no)?yes Warning: Permanently added '172.16.249.147' (RSA) to the list of known hosts. root@172.16.249.147's password: httpd.csr 100% 1094 1.1KB/s 00:00
在CA主机上的/tmp目录下就会存在需要签署的证书请求文件
(4)在CA主机上签署证书:
[root@Tzz ~]# openssl ca -in /tmp/httpd.csr -out /etc/pki/CA/certs/httpd.crt -days 365 Using configuration from /etc/pki/tls/openssl.cnf Check that the request matches the signature Signature ok Certificate Details: Serial Number: 1 (0x1) Validity Not Before: Jan 8 10:34:22 2016 GMT Not After : Jan 7 10:34:22 2017 GMT Subject: countryName = CN stateOrProvinceName = beijing organizationName = mageedu organizationalUnitName = ops commonName = ca.mageedu.com emailAddress = caadmin@mageedu.com X509v3 extensions: X509v3 Basic Constraints: CA:FALSE Netscape Comment: OpenSSL Generated Certificate X509v3 Subject Key Identifier: 6A:9A:B4:54:2E:ED:3F:2B:8C:92:7B:23:76:F8:C4:7A:52:5D:62:E9 X509v3 Authority Key Identifier: keyid:32:1F:DF:C4:D4:8D:0C:3C:1B:46:58:A6:9D:DD:3F:13:6E:16:C6:13 Certificate is to be certified until Jan 7 10:34:22 2017 GMT (365 days) Sign the certificate? [y/n]:y 1 out of 1 certificate requests certified, commit? [y/n]y Write out database with 1 new entries Data Base Updated [root@Tzz CA]# cat index.txt V 170107103422Z 01 unknown /C=CN/ST=beijing/O=mageedu/OU=ops/CN=ca.mageedu.com/emailAddress=caadmin@mageedu.com
(5)将该证书发给请求的服务器:
[root@Tzz CA]# scp certs/httpd.crt root@172.16.249.130:/etc/httpd/ssl/ The authenticity of host '172.16.249.130 (172.16.249.130)' can't be established. RSA key fingerprint is 6a:da:12:82:89:b5:83:c9:52:ca:01:4b:eb:83:35:56. Are you sure you want to continue connecting (yes/no)? yes Warning: Permanently added '172.16.249.130' (RSA) to the list of known hosts. root@172.16.249.130's password: httpd.crt 100% 5882 5.7KB/s 00:00
(6)查看证书信息:
[root@Tzz CA]# openssl x509 -in certs/httpd.crt -noout -serial -subject serial=01 subject= /C=CN/ST=beijing/O=mageedu/OU=ops/CN=ca.mageedu.com/emailAddress=caadmin@mageedu.com
至此证书就签署完毕并可以使用。
转载于:https://blog.51cto.com/tz666/1732695
扫一扫
983
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
