openssl
组件:
libcrypto, libssl主要开发者使用;
openssl: 多用途命令行工具;

        openssl:
                    从多子命令   分为三类:
                                标准命令:
                                消息摘要命令(dgst子命令)
                                加密命令(enc子命令)

                对称加密:
                        工具:openssl enc
                        支持的算法:3des,aes,blowfish,towfish

                    加密命令                    
                                 enc命令:

                                 实例:
                                                加密~]# openssl enc -e -des3 -a -salt -in fstab -out fstab.ciphertext      
                                                解密~]# openssl enc -d -des3 -a -salt -out fstab -in fstab.ciphertext

                 单向加密:
                             工具:openssl dgst,  md5sum, sha1sum, sha224sum,....

                             dgst命令:
                                         ~]# openssl dgst -md5 fstab
                                                MD5(fstab)= f24b68951add3236d19dff63f0c92206

                生成用户密码:
                            工具: passwd, openssl passwd

                            ~]#openssl passwd -1 -salt   随机数(123456789)

                            实例:
                                [root@localhost ~]# openssl passwd -1 -salt $(openssl rand -hex 10)
                                                            Password: 
                                                            $1$9727a8fa$Ir21xFr8gVZJFK1trPohf.

                生成随机数:
                            工具:openssl rand

                        实例:
                                    [root@localhost ~]# openssl rand -hex 10
                                    8a7f0ab5316d5c0f2aba

                                    [root@localhost ~]# openssl rand -base64 10
                                    G8mVfr06RCHmhQ==

                公钥加密:
                                加密解密:
                                        算法:RSA, ELGamal
                                        工具:openssl rsautl, gpg
                                数字签名:
                                        算法:RSA, DSA,ELGamal
                                密钥交换:
                                            算法:DH
                    生成密钥:
                                生成私钥: ~]# (umask 077; openssl genrsa -out /tmp/mykey.private 2048)
                                提出公钥:~]# openssl rsa -in /tmp/mykey.private  -pubout

            linux系统上的随机数生成器:
                            /dev/random:仅从熵池返回随机数;随机数用尽,阻塞;
                            /dev/urandom:从熵池返回随机数;随机数用尽,会利用软件生成伪随机数,非阻塞;
                                    伪随机数不安全;

                                熵池中随机数的来源;
                                                硬盘IO中断时间间隔;
                                                键盘IO中断时间间隔;


                CA:
                        公共信任的CA,私用CA;

        openssl 命令:
                配置文件:~]# cat /etc/pki/tls/openssl.cnf 



`**构建私有CA:`
        在确定配置为CA的服务上生成一个自签证书,并为CA提供所需要的目录及文件即可;

        步骤:
                1.生成私钥:
                        ~]# (umask 077; openssl genrsa -out /etc/pki/CA/private/cakey.pem 4096)
                2.生成自签证书:
                         -new:生成新证书签署请求;
                         -x509:生成自签格式证书,专用于创建私有CA时;
                         -key:生成请求时用到的私有文件路径;
                         -out:生成的请求文件路径;如果自签操作将直接生成签署过的证书;
                         -days:证书的有效时长,单位是day;

                         ~]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem -days 3655

                                    You are about to be asked to enter information that will be incorporated
                                    into your certificate request.
                                    What you are about to enter is what is called a Distinguished Name or a DN.
                                    There are quite a few fields but you can leave some blank
                                    For some fields there will be a default value,
                                    If you enter '.', the field will be left blank.
                                    -----
                                    Country Name (2 letter code) [XX]:CN
                                    State or Province Name (full name) []:guangdong
                                    Locality Name (eg, city) [Default City]:shenzhen
                                    Organization Name (eg, company) [Default Company Ltd]:itxuezhe
                                    Organizational Unit Name (eg, section) []:ops
                                    Common Name (eg, your name or your server's hostname) []:ca.itxuezhe.com
                                    Email Address []:[email protected]

                                    [root@localhost ~]# ls /etc/pki/CA/
                                    caert.pem  certs  crl  newcerts  private

                    3.为CA提供所需的目录及文件;
                            ~]# mkdir -pv /etc/pki/CA/{certs,crl,newcerts}
                            ~]# touch /etc/pki/CA/{serial,index.txt}
                            ~]# echo 01 > /etc/pki/CA/serial **

要用到证书进行通信的服务器,需要向CA请求签署证书:

                步骤:(以httpd主机为例)
                        1.用到证书的主机生成证书签署请求;
                                        ~]# mkdir /etc/httpd/ssl
                                        ~]# cd /etc/httpd/ssl 
                                ssl]# (umask 077; openssl genrsa -out httpd.key 2048)

                        3.2.生成证书签署请求
                            [root@localhost ssl]# openssl req -new -key httpd.key -out httpd.csr -days 365
                                You are about to be asked to enter information that will be incorporated
                                into your certificate request.
                                What you are about to enter is what is called a Distinguished Name or a DN.
                                There are quite a few fields but you can leave some blank
                                For some fields there will be a default value,
                                If you enter '.', the field will be left blank.
                                -----
                                Country Name (2 letter code) [XX]:CN
                                State or Province Name (full name) []:guangdong
                                Locality Name (eg, city) [Default City]:shenzhen
                                Organization Name (eg, company) [Default Company Ltd]:itxuezhe 
                                Organizational Unit Name (eg, section) []:ops
                                Common Name (eg, your name or your server's hostname) []:www.itxuezhe.com
                                Email Address []:[email protected]

                                Please enter the following 'extra' attributes
                                to be sent with your certificate request
                                A challenge password []:
                                An optional company name []:

                                [root@localhost ssl]# ll
                                总用量 8
                                -rw-r--r--. 1 root root 1078 12月 10 11:24 httpd.csr
                                -rw-------. 1 root root 1679 12月 10 11:20 httpd.key

                        3.将请求通过可靠方式发送给CA主机;
                                        ssl]# scp httpd.csr [email protected]:/tmp/
                                                [email protected]'s password: 
                                                httpd.csr              

                        4.在CA主机上签署证书;
                            [root@localhost ~]# openssl ca -in /tmp/httpd.csr -out /etc/pki/CA/certs/httpd.crt -days 365
                                        Using configuration from /etc/pki/tls/openssl.cnf
                                        Check that the request matches the signature
                                        Signature ok
                                        Certificate Details:
                                                        Serial Number: 1 (0x1)
                                                        Validity
                                                                Not Before: Dec 10 03:29:20 2019 GMT
                                                                Not After : Dec  9 03:29:20 2020 GMT
                                                        Subject:
                                                                countryName               = CN
                                                                stateOrProvinceName       = guangdong
                                                                organizationName          = itxuezhe
                                                                organizationalUnitName    = ops
                                                                commonName                = www.itxuezhe.com
                                                                emailAddress              = [email protected]
                                                        X509v3 extensions:
                                                                X509v3 Basic Constraints: 
                                                                        CA:FALSE
                                                                Netscape Comment: 
                                                                        OpenSSL Generated Certificate
                                                                X509v3 Subject Key Identifier: 
                                                                        D9:B4:2D:FB:4C:5B:EC:8D:5E:90:9F:1B:C6:61:65:0C:FB:94:59:8C
                                                                X509v3 Authority Key Identifier: 
                                                                        keyid:44:C1:C1:A7:B5:5F:15:15:06:8B:3B:7C:15:CB:5E:B4:A6:19:FD:5E

                                        Certificate is to be certified until Dec  9 03:29:20 2020 GMT (365 days)
                                        Sign the certificate? [y/n]:y

                                        1 out of 1 certificate requests certified, commit? [y/n]y
                                        Write out database with 1 new entries
                                        Data Base Updated
                        证书签署成功
                                ~]# cd /etc/pki/CA/
                                CA]# cat index.txt
                                V   201209032920Z       01  unknown/C=CN/ST=guangdong/O=itxuezhe/OU=www.itxuezhe.com/CN=www.itxuezhe.com/[email protected]

        将签署成功的证书发送给申请证书的主机                          
                             CA]# scp certs/httpd.crt [email protected]:/etc/httpd/ssl/
                                        The authenticity of host '192.168.80.17 (192.168.80.17)' can't be established.
                                        ECDSA key fingerprint is SHA256:iyMPO9k4t5oUNnOcDCOkJTLBLOSBKKPRuR9AugKmftM.
                                        ECDSA key fingerprint is MD5:73:2e:7e:37:b4:48:b9:45:3e:96:f1:ec:6a:9a:59:fd.
                                        Are you sure you want to continue connecting (yes/no)? yes
                                        Warning: Permanently added '192.168.80.17' (ECDSA) to the list of known hosts.
                                        [email protected]'s password: 
                                        httpd.crt            

    查看证书中的信息:
                    [root@localhost ssl]# openssl x509 -in httpd.crt -noout -serial -subject
                                                        serial=01
                                                        subject= /C=CN/ST=guangdong/O=itxuezhe/OU=www.itxuezhe.com/CN=www.itxuezhe.com/[email protected]

            吊销证书:
                        步骤:
                                1.客户端获取要吊销的证书的serial (在使用证书的主机执行);
                                        [root@localhost ssl]# openssl x509 -in /etc/pki/CA/certs/httpd.crt -noout -seral -subject

                                2.CA主机吊销证书
                                        先根据客户端提交的serial和subject信息,对比其与本机数据库index.txt中存储的是否一致;

                                        吊销:
                                                    [root@localhost CA]# openssl ca -revoke /etc/pki/CA/newcerts/SERIAL.pem 
                                                    [root@localhost CA]# openssl ca -revoke /etc/pki/CA/newcerts/01.pem             
                                                                    其中的SERIAL要换成证书真正的序列号;

                                    3.生成吊销证书的吊销编号(第一次吊销证书时执行)
                                                         CA]# echo 01 > /etc/pki/CA/crlnumber

                                    4.更新证书吊销列表
                                                 CA]# openssl ca -gencrl -out thisca.crl

                查看crl文件:
                            ]# openssl crl -in /PATH/FROM/CRL_FILE.crl -noout -text