openssl
组件:
libcrypto, libssl主要开发者使用;
openssl: 多用途命令行工具;
openssl:
从多子命令 分为三类:
标准命令:
消息摘要命令(dgst子命令)
加密命令(enc子命令)
对称加密:
工具:openssl enc
支持的算法:3des,aes,blowfish,towfish
加密命令
enc命令:
实例:
加密~]# openssl enc -e -des3 -a -salt -in fstab -out fstab.ciphertext
解密~]# openssl enc -d -des3 -a -salt -out fstab -in fstab.ciphertext
单向加密:
工具:openssl dgst, md5sum, sha1sum, sha224sum,....
dgst命令:
~]# openssl dgst -md5 fstab
MD5(fstab)= f24b68951add3236d19dff63f0c92206
生成用户密码:
工具: passwd, openssl passwd
~]#openssl passwd -1 -salt 随机数(123456789)
实例:
[root@localhost ~]# openssl passwd -1 -salt $(openssl rand -hex 10)
Password:
$1$9727a8fa$Ir21xFr8gVZJFK1trPohf.
生成随机数:
工具:openssl rand
实例:
[root@localhost ~]# openssl rand -hex 10
8a7f0ab5316d5c0f2aba
[root@localhost ~]# openssl rand -base64 10
G8mVfr06RCHmhQ==
公钥加密:
加密解密:
算法:RSA, ELGamal
工具:openssl rsautl, gpg
数字签名:
算法:RSA, DSA,ELGamal
密钥交换:
算法:DH
生成密钥:
生成私钥: ~]# (umask 077; openssl genrsa -out /tmp/mykey.private 2048)
提出公钥:~]# openssl rsa -in /tmp/mykey.private -pubout
linux系统上的随机数生成器:
/dev/random:仅从熵池返回随机数;随机数用尽,阻塞;
/dev/urandom:从熵池返回随机数;随机数用尽,会利用软件生成伪随机数,非阻塞;
伪随机数不安全;
熵池中随机数的来源;
硬盘IO中断时间间隔;
键盘IO中断时间间隔;
CA:
公共信任的CA,私用CA;
openssl 命令:
配置文件:~]# cat /etc/pki/tls/openssl.cnf
`**构建私有CA:`
在确定配置为CA的服务上生成一个自签证书,并为CA提供所需要的目录及文件即可;
步骤:
1.生成私钥:
~]# (umask 077; openssl genrsa -out /etc/pki/CA/private/cakey.pem 4096)
2.生成自签证书:
-new:生成新证书签署请求;
-x509:生成自签格式证书,专用于创建私有CA时;
-key:生成请求时用到的私有文件路径;
-out:生成的请求文件路径;如果自签操作将直接生成签署过的证书;
-days:证书的有效时长,单位是day;
~]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem -days 3655
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:guangdong
Locality Name (eg, city) [Default City]:shenzhen
Organization Name (eg, company) [Default Company Ltd]:itxuezhe
Organizational Unit Name (eg, section) []:ops
Common Name (eg, your name or your server's hostname) []:ca.itxuezhe.com
Email Address []:[email protected]
[root@localhost ~]# ls /etc/pki/CA/
caert.pem certs crl newcerts private
3.为CA提供所需的目录及文件;
~]# mkdir -pv /etc/pki/CA/{certs,crl,newcerts}
~]# touch /etc/pki/CA/{serial,index.txt}
~]# echo 01 > /etc/pki/CA/serial **
要用到证书进行通信的服务器,需要向CA请求签署证书:
步骤:(以httpd主机为例)
1.用到证书的主机生成证书签署请求;
~]# mkdir /etc/httpd/ssl
~]# cd /etc/httpd/ssl
ssl]# (umask 077; openssl genrsa -out httpd.key 2048)
3.2.生成证书签署请求
[root@localhost ssl]# openssl req -new -key httpd.key -out httpd.csr -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:guangdong
Locality Name (eg, city) [Default City]:shenzhen
Organization Name (eg, company) [Default Company Ltd]:itxuezhe
Organizational Unit Name (eg, section) []:ops
Common Name (eg, your name or your server's hostname) []:www.itxuezhe.com
Email Address []:[email protected]
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@localhost ssl]# ll
总用量 8
-rw-r--r--. 1 root root 1078 12月 10 11:24 httpd.csr
-rw-------. 1 root root 1679 12月 10 11:20 httpd.key
3.将请求通过可靠方式发送给CA主机;
ssl]# scp httpd.csr [email protected]:/tmp/
[email protected]'s password:
httpd.csr
4.在CA主机上签署证书;
[root@localhost ~]# openssl ca -in /tmp/httpd.csr -out /etc/pki/CA/certs/httpd.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Dec 10 03:29:20 2019 GMT
Not After : Dec 9 03:29:20 2020 GMT
Subject:
countryName = CN
stateOrProvinceName = guangdong
organizationName = itxuezhe
organizationalUnitName = ops
commonName = www.itxuezhe.com
emailAddress = [email protected]
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
D9:B4:2D:FB:4C:5B:EC:8D:5E:90:9F:1B:C6:61:65:0C:FB:94:59:8C
X509v3 Authority Key Identifier:
keyid:44:C1:C1:A7:B5:5F:15:15:06:8B:3B:7C:15:CB:5E:B4:A6:19:FD:5E
Certificate is to be certified until Dec 9 03:29:20 2020 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
证书签署成功
~]# cd /etc/pki/CA/
CA]# cat index.txt
V 201209032920Z 01 unknown/C=CN/ST=guangdong/O=itxuezhe/OU=www.itxuezhe.com/CN=www.itxuezhe.com/[email protected]
将签署成功的证书发送给申请证书的主机
CA]# scp certs/httpd.crt [email protected]:/etc/httpd/ssl/
The authenticity of host '192.168.80.17 (192.168.80.17)' can't be established.
ECDSA key fingerprint is SHA256:iyMPO9k4t5oUNnOcDCOkJTLBLOSBKKPRuR9AugKmftM.
ECDSA key fingerprint is MD5:73:2e:7e:37:b4:48:b9:45:3e:96:f1:ec:6a:9a:59:fd.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.80.17' (ECDSA) to the list of known hosts.
[email protected]'s password:
httpd.crt
查看证书中的信息:
[root@localhost ssl]# openssl x509 -in httpd.crt -noout -serial -subject
serial=01
subject= /C=CN/ST=guangdong/O=itxuezhe/OU=www.itxuezhe.com/CN=www.itxuezhe.com/[email protected]
吊销证书:
步骤:
1.客户端获取要吊销的证书的serial (在使用证书的主机执行);
[root@localhost ssl]# openssl x509 -in /etc/pki/CA/certs/httpd.crt -noout -seral -subject
2.CA主机吊销证书
先根据客户端提交的serial和subject信息,对比其与本机数据库index.txt中存储的是否一致;
吊销:
[root@localhost CA]# openssl ca -revoke /etc/pki/CA/newcerts/SERIAL.pem
[root@localhost CA]# openssl ca -revoke /etc/pki/CA/newcerts/01.pem
其中的SERIAL要换成证书真正的序列号;
3.生成吊销证书的吊销编号(第一次吊销证书时执行)
CA]# echo 01 > /etc/pki/CA/crlnumber
4.更新证书吊销列表
CA]# openssl ca -gencrl -out thisca.crl
查看crl文件:
]# openssl crl -in /PATH/FROM/CRL_FILE.crl -noout -text