openssl提供了2个库文件和1一个命令行工具

libcrypto库为系统应用程序的加密、解密功能所依赖;

libssl库文件实现应用程序的ssl功能;

openssl是一个提供加密解密、散列、证书产生等用途命令行工具;


基本使用方法:


查看openssl版本

[root@stu01 ~]# openssl version

OpenSSL 1.0.0-fips 29 Mar 2010

使用openssl加密和解密文件

[root@stu01 ~]# openssl enc -des -in a.sh -e -out a.sh.des

enter des-cbc encryption password:

Verifying - enter des-cbc encryption password:

[root@stu01 ~]# openssl enc -des -in a.sh.aes -d -out a.sh

enter des-cbc decryption password:


使用openssl计算文件的散列值:

[root@stu01 ~]# openssl dgst -sha1 /etc/passwd

SHA1(/etc/passwd)= cb7faacfd3cadddd96e0cf43af4248346bee70fa

[root@stu01 ~]# sha1sum /etc/passwd

cb7faacfd3cadddd96e0cf43af4248346bee70fa  /etc/passwd


openssl speed 可以测试各种算法运行的速度

生成2N长度的随机数

openssl rand -hex N


openssl产生秘钥,长度可变

[root@stu01 ~]# (umask 077;openssl genrsa -des -out a.key 1024);加密存放秘钥文件a.key,加括号表示在子shell中生效,不影响当前shell

提取公钥:

[root@stu01 ~]# openssl rsa -in a.key -pubout;如果有密码保护,会提示输入密码


生成证书申请:

[root@stu01 ~]# openssl req -new -key a.key -out a.csr

Enter pass phrase for a.key: (因为a.key已经加密,所以先输入密码)

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [CN]:(此处默认为XX,可以修改ssl的配置文件 /etc/pki/tls/openssl.cnf,后面附有配置文件内容)

State or Province Name (full name) [Henan]:

Locality Name (eg, city) [Zhengzhou]:

Organization Name (eg, company) [magelinux]:

Organizational Unit Name (eg, section) [tech]:

Common Name (eg, your name or your server's hostname) []:a.magelinux.com

Email Address [jack@magelinux.com]:


Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge password []:

An optional company name []:


配置文件内容:

[root@stu01 ~]# more /etc/pki/tls/openssl.cnf


[ req_distinguished_name ]

countryName                     = Country Name (2 letter code)

countryName_default             = CN

countryName_min                 = 2

countryName_max                 = 2


stateOrProvinceName             = State or Province Name (full name)

stateOrProvinceName_default     = Henan


localityName                    = Locality Name (eg, city)

localityName_default    = Zhengzhou


0.organizationName              = Organization Name (eg, company)

0.organizationName_default      = magelinux


# we can do this but it is not needed normally :-)

#1.organizationName             = Second Organization Name (eg, company)

#1.organizationName_default     = World Wide Web Pty Ltd


organizationalUnitName          = Organizational Unit Name (eg, section)

organizationalUnitName_default  = tech


commonName                      = Common Name (eg, your name or your server\'s h

ostname)

commonName_max                  = 64


emailAddress                    = Email Address

emailAddress_max                = 64


emailAddress_default    = jack@magelinux.com


将证书申请发送到CA,让CA进行签署;


首先配置CA:

根据配置文件补充必要文件:

cd /etc/pki/CA

1、为CA生成一个私钥:

(umask 077; openssl genrsa -out private/cakey.pem 2048)

2、生成自签证书:

openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 365

touch index.txt

echo 01 > serial


cat /etc/pki/tls/openssl.cnf

[ ca ]

default_ca  = CA_default        # The default ca section


####################################################################

[ CA_default ]


dir     = /etc/pki/CA       # CA 的目录

certs       = $dir/certs        # 发布的证书位置

crl_dir     = $dir/crl      # 证书吊销列表目录

database    = $dir/index.txt    # 数据库索引文件,初始为空

#unique_subject = no            # Set to 'no' to allow creation of

                   # several ctificates with same subject.

new_certs_dir   = $dir/newcerts     # 新证书存放目录.


certificate = $dir/cacert.pem   # CA 自己的证书

serial      = $dir/serial       # 最近的证书编号

crlnumber   = $dir/crlnumber    # 证书吊销列表的号码

                   # must be commented out to leave a V1 CRL

crl     = $dir/crl.pem      # 当前的证书吊销列表

private_key = $dir/private/cakey.pem# CA的私钥文件

RANDFILE    = $dir/private/.rand    # 私有随机数文件


x509_extensions = usr_cert      # The extentions to add to the cert


# Comment out the following two lines for the "traditional"

# (and highly broken) format.

name_opt    = ca_default        # Subject Name options

cert_opt    = ca_default        # Certificate field options


# Extension copying option: use with caution.

# copy_extensions = copy


# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs

# so this is commented out by default to leave a V1 CRL.

# crlnumber must also be commented out to leave a V1 CRL.

# crl_extensions    = crl_ext


default_days    = 365           # how long to certify for

default_crl_days= 30            # how long before next CRL

default_md  = default       # use public key default MD

preserve    = no            # keep passed DN ordering


# A few difference way of specifying how similar the request should look

# For type CA, the listed attributes must be the same, and the optional

# and supplied fields are just that :-)

policy      = policy_match


# For the CA policy

[ policy_match ]

countryName     = match

stateOrProvinceName = match

organizationName    = match

organizationalUnitName  = optional

commonName      = supplied

emailAddress        = optional


# For the 'anything' policy

# At this point in time, you must list all acceptable 'object'

# types.

[ policy_anything ]

countryName     = optional

stateOrProvinceName = optional

localityName        = optional

organizationName    = optional

organizationalUnitName  = optional

commonName      = supplied

emailAddress        = optional


最后为用户签署证书:

[root@stu01 ~]# openssl ca -in a.csr -out a.crt -days 365

Using configuration from /etc/pki/tls/openssl.cnf

Check that the request matches the signature

Signature ok

Certificate Details:

       Serial Number: 2 (0x2)

       Validity

           Not Before: Aug 21 15:55:39 2013 GMT

           Not After : Aug 21 15:55:39 2014 GMT

       Subject:

           countryName               = CN

           stateOrProvinceName       = Henan

           organizationName          = magelinux

           organizationalUnitName    = tech

           commonName                = a.magelinux.com

           emailAddress              = jack@magelinux.com

       X509v3 extensions:

           X509v3 Basic Constraints:

               CA:FALSE

           Netscape Comment:

               OpenSSL Generated Certificate

           X509v3 Subject Key Identifier:

               41:58:FE:39:3A:0E:19:AC:59:4F:FF:1E:38:15:06:F0:3D:FB:40:D3

           X509v3 Authority Key Identifier:

               keyid:59:CF:8B:62:00:B0:26:B5:E5:26:0E:3A:7F:B5:53:8E:EF:08:DA:24


Certificate is to be certified until Aug 21 15:55:39 2014 GMT (365 days)

Sign the certificate? [y/n]:y



1 out of 1 certificate requests certified, commit? [y/n]y

Write out database with 1 new entries

Data Base Updated