Linux:openssl创建CA及颁发证书

openssl

对称加密:

工具:openssl enc, gpg
算法:3des, aes, blowfish, twofish
帮助:man enc

1、 加密:enc对称算法加密 -e加密 -des3算法加密 -a base64编码 -salt加盐打乱顺序 -in加入文件 -out输出文件

[root@centos7 data]#openssl enc -e -des3 -a -salt -in fstab -out fstab.cip
enter des-ede3-cbc encryption password:
Verifying - enter des-ede3-cbc encryption password:
[root@centos7 data]#ll
total 8
-rw-r--r-- 1 root root  784 Sep 13 14:10 fstab
-rw-r--r-- 1 root root 1097 Sep 13 14:14 fstab.cip
[root@centos7 data]#cat fstab.cip
U2FsdGVkX19iCjTL+B6er1QDvT3mnnJHqanodUGbdxtArBfHcJ6Ea8LeDPiZEUa/
nkxw614tKAkMMs0HSihFV2goBu9rWkuLA9GUO51aZ+XIH6QTSNDi6ILZdYEdSC7p
wKSGfJsz2rQOMwcCMSKg9Dfl9jTnm5LG2Kw0DKkdZDNOQW9ycnmBSVgKq+tbFC4V
+1rOAmctrBKwbj4QUqDGqRekfmyIeV7SAXUaOcl3JEPoSbSTeq3DAg8PQGHETyRf
CwamvfBmcdRTS5kMST04smu5cF56ib9c06xEtFfCm5g51nEDHW0hBewV5wy5vTpv
TQPpmI0iiR0tYJlI1fKfIe2XkdF/EX2dru41quGchpQkqlVTVQffjquteU6TFYUV
D5sz+IUzF4A7ObNdJzeYui4X0dT890V1fY6duby3iezxPngB+zIKW5JwK1AGsL4M
pUYdU+6IEcRNKowYtCSEQzzNDIJsNh1gSEmp54ScHuxJ1BFxBvQwV9Uj2YZ28vZw
8Z/IszEZvtIBALaZ0bAfoYeHMCMdEk1nklKwrA0RFqoGYCpXPzf2YgwFYPAQuVr7
l+DXqMs5R3xUheo65xD8sePmQmpJGvPWSTEd3tgrxa4UBGAkjGn9+B1EaFSJ9fM9
dyIYJlA4L5DJQmB/NfgexJQUhJcQTWajxkB0p4mkj7mYb1dqXfvYZyxWrM8Xadoq
T+2yhfErBTetC2S4GAM0WWIjMy2kRrcxmdUty2UcsviCPN6GiEoMslbNCWODa6Bz
dib716UiWEpAR6NuCGv5ERcJ/zkzbIJuQyR8YTG3M7oeqfPy9xkqgYVuVSkb2ofr
NHfGYG7lYM68UhhNkCS0RsGbwWM0hz6Mt2IodYBDn7eD2nY5qGIoezrY//ftjZpf
jX44r67o/w2OfMi4+3aKa9e6ANWgPNBhFezSIkVUi7kJ3CyXsy2XmEVRIdpSPV6v
Kjcu6+EM3H7lKGjAChOzHjMCAiRr/6ijsuKZ4YvtEDZXydIb5XEG3VSITYtD7Hue
A+DpCGPNWwHgnXoSbHilwOgE8N9Dxx55t437bcaSZL6JH3z8n4FLQQ==

可以转化成二进制,fstab.cip2文件才算真正的加密。更安全

[root@centos7 data]#base64 -d fstab.cip > fstab.cip2
[root@centos7 data]#cat fstab.cip2 
Salted__b
4=AF    
      2EWh(;HH.|31"4
                       NAorry
.g->Ry^9z@aqI=8^zm!M阍"}SUߎ3]'7Eu}>x[FSM*`HIq#نv#Mg
W?7`|TBjI$DhTw"&P8/5fj]V74Yb#3-eކVkXJ@G|a1*)w`μRM4b(u:~8
׺ՠ<,~

                                                                                       $kqcxyƒdA[root@centos7 data]#

2、 解密:enc对称算法加密 -d解密 -des3算法加密 -a base64编码 -salt加盐打乱顺序 -in加入文件 -out输出文件

[root@centos7 data]#openssl enc -d -des3 -a -salt  -in fstab.cip -out fstab2 
enter des-ede3-cbc decryption password:
[root@centos7 data]#cat fstab2

#
# /etc/fstab
# Created by anaconda on Wed Jul 18 17:14:35 2018
#
# Accessible filesystems, by reference, are maintained under '/dev/disk'
# See man pages fstab(5), findfs(8), mount(8) and/or blkid(8) for more info
#
UUID=bad06bd2-9f82-4954-b5ad-ea296b82e6df /                       xfs     defaults        0 0
UUID=b0976649-edba-4e94-9c0d-83c2c842ef73 /boot                   xfs     defaults        0 0
UUID=720807ea-75ce-4a96-b9fd-238743f9ec79 /data                   xfs     defaults        0 0
UUID=37083a64-0f7e-426d-bb18-983ad222b2ad swap                    swap    defaults        0 0
UUID=0ce32dee-2a6c-4208-90b6-25db048a609d /home                   xfs     defaults        0 0
UUID=1126bba2-239e-4b19-82e4-e96b47e21d93 swap                    swap    defaults        0 0

单向加密:

工具:openssl dgst
算法:md5sum, sha1sum, sha224sum,sha256sum…
帮助:man dgst

[root@centos7 data]#openssl dgst -md5 fstab
MD5(fstab)= aa204eeffac45ec9019b0738be8cf95c
[root@centos7 data]#md5sum fstab
aa204eeffac45ec9019b0738be8cf95c  fstab

生成用户密码
工具:openssl passwd
帮助:man sslpasswd

利用盐随机生成加密口令:-1通过md5算法 -salt固定盐为11111111

[root@centos7 data]#openssl passwd -1
Password: 
Verifying - Password: 
$1$3m.Wzvbk$5Nw56eshcwjQNQm43uog90
[root@centos7 data]#openssl passwd -1 -salt 11111111
Password: 
$1$11111111$/GA3uQqOZi/rI1U4SK.kb0

生成随机数
工具:openssl rand
帮助:man sslrand
-hex10 利用16位生成(16位是4个2进制表示的)
-base64 是利用base64生成(base64是6个2进制表示的,所以不能被6整除的最后转化成=)

[root@centos7 data]#openssl rand -base64 12
98/N1kFs+76V8Ulh
[root@centos7 data]#openssl rand -base64 13
z3Dx2P5/pSb3qWh6Bg==
[root@centos7 data]#openssl rand -base64 18
cBybezlTKSobD9wKBB6W4O+l
[root@centos7 data]#openssl rand -base64 19
uEVHIdlYKCKZaVJTdWhkD8ekGw==

提取随机12位密码

[root@centos7 data]#openssl rand -base64 24|tr -d '/+'|head -c12
8B11Y1Y5ByOX[root@centos7 data]#

urandom设备提取12位密码

[root@centos7 data]#cat /dev/urandom |tr -dc 'A-Za-z0-9' |head -c 12
jYCVlCWWHxUd[root@centos7 data]#

非对称加密

生成秘钥对儿
工具:openssl genrsa
帮助:man genrsa

生成私钥加密

[root@centos7 data]#(umask 077;openssl genrsa -out test.key -des 2048)
Generating RSA private key, 2048 bit long modulus
.....+++
.................................................................................................................................................................+++
e is 65537 (0x10001)
Enter pass phrase for test.key:
Verifying - Enter pass phrase for test.key:

私钥解密

[root@centos7 data]#openssl rsa -in test.key -out test2.key
Enter pass phrase for test.key:
writing RSA key

私钥生成公钥

[root@centos7 data]#openssl rsa -in test.key -pubout -out test.pub
Enter pass phrase for test.key:
writing RSA key
[root@centos7 data]#cat test.pub 
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvb4UuLr45f18YAHqkw/9
UWtILOuu11S7+k++ymGd9sZgbeMUoxID+s7O7gimSvpKSoVwNNLF8/ibntuMM+LE
7NpflugKbZHC2YreM1Co07BWNY7GiJjcbc5V7KHAzOlBeWpHYpWI6O+8kZOn6wtf
Lk3DR+JGr3363jq9QmK3PZ6Ciff92Bc6xboWlxeUJT2Gs3AdkMykJ4ISPAq9K2VD
hpAsMqfDgVoekzlXiW8WRQIC/KVxH+G5fvcXoTV+uvSxq183uT8Amj7urVhRlDiX
4ULkPlocr7SWW32g4frYiu6NnaDQOpwkFMOYfmXlus0SgQMt4EtdV7LL7RZU0i24
mwIDAQAB
-----END PUBLIC KEY-----

创建CA和申请证书

配置文件:/etc/pki/tls/openssl.cnf

1、服务器端创建文件(先进入到/etc/pki/CA文件夹中,方便执行)

touch /etc/pki/CA/index.txt 生成证书索引数据库文件
echo 01 > /etc/pki/CA/serial 指定第一个颁发证书的序列号

2、 服务器端生成私钥(配置文件中规定好的路径和文件名/etc/pki/CA/private/cakey.pem)

[root@centos7 CA]#(umask 066; openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus
.........................................................+++
..................................................................+++
e is 65537 (0x10001)

3、 服务器端生成自签名证书,注意添加-x509(配置文件规定好的路径和文件名/etc/pki/CA/cacert.pem)

-new: 生成新证书签署请求
-x509: 专用于CA生成自签证书
-key: 生成请求时用到的私钥文件
-days n:证书的有效期限
-out /PATH/TO/SOMECERTFILE: 证书的保存路径

[root@centos7 CA]#openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem -days 3650
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:beijing
Organization Name (eg, company) [Default Company Ltd]:dushan
Organizational Unit Name (eg, section) []:opt
Common Name (eg, your name or your server's hostname) []:www.dushan.com
Email Address []:

4、 可查看自签名证书内容(如传送到windows中查看需添加.crt后缀)

[root@centos7 CA]#openssl x509 -in cacert.pem -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            f2:1c:50:12:c1:13:84:e8
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=CN, ST=beijing, L=beijing, O=dushan, OU=opt, CN=www.dushan.com
        Validity
            Not Before: Sep 13 08:41:21 2018 GMT
            Not After : Sep 10 08:41:21 2028 GMT
        Subject: C=CN, ST=beijing, L=beijing, O=dushan, OU=opt, CN=www.dushan.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:c7:c6:f1:af:12:f5:0b:f7:8b:42:3a:15:cc:2a:
                    4c:57:ad:1e:1b:b0:ac:dd:e4:aa:03:7e:84:7d:d3:
                    60:a0:72:cf:71:77:f7:f8:df:32:8b:25:ea:39:94:
                    b1:0e:da:6b:fc:6c:fd:e3:1f:8c:d5:e5:b0:a2:24:
                    d8:99:de:c8:ce:1a:88:97:24:4b:46:c0:da:e6:7b:
                    cb:97:1c:38:06:54:77:b7:f2:f7:39:4d:90:01:d3:
                    19:af:40:a6:35:67:bd:3f:61:2a:c3:31:70:22:34:
                    a9:69:fa:f8:3a:66:58:7c:41:18:ec:83:77:47:b8:
                    53:d5:c6:f7:b0:8a:07:8f:c1:0e:fd:97:75:1e:8a:
                    68:ff:83:c9:3e:54:17:62:d2:a1:9f:01:6b:ae:5a:
                    63:d0:29:2c:a3:dd:88:ab:04:05:7a:65:11:38:6c:
                    a8:4b:27:ac:9e:d2:dd:1b:18:57:75:c5:c6:cd:67:
                    ca:07:1a:d9:24:4c:37:79:77:36:37:ef:9f:a2:ea:
                    fd:ee:ee:d0:a9:88:84:03:b6:5a:8c:07:33:84:93:
                    37:a4:10:47:b7:86:08:f5:d2:55:d0:39:5a:1e:70:
                    db:b2:b0:e8:95:2d:7b:ea:92:1f:bd:20:dc:7a:e7:
                    19:8c:30:12:e5:d0:0b:b8:3e:3b:c1:5f:c7:31:7f:
                    48:2d
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                C9:DC:B1:29:8C:0F:3B:11:1D:09:D2:62:95:7D:08:D2:EA:4E:C9:64
            X509v3 Authority Key Identifier: 
                keyid:C9:DC:B1:29:8C:0F:3B:11:1D:09:D2:62:95:7D:08:D2:EA:4E:C9:64

            X509v3 Basic Constraints: 
                CA:TRUE
    Signature Algorithm: sha256WithRSAEncryption
         2f:d4:2d:04:2a:be:da:62:46:3c:d6:74:d6:94:9a:61:df:59:
         1b:87:01:a3:6f:14:fa:ea:e6:7e:a9:1d:58:f4:1e:29:ad:b0:
         07:23:e9:52:9d:03:5d:8c:c3:71:ba:f8:2c:e7:6f:98:19:c3:
         1c:69:bd:8e:fd:85:dd:24:a9:fa:b5:4e:86:bb:0d:2e:02:38:
         66:90:7f:90:f9:ec:53:7f:0a:fb:b3:1c:c6:fd:b0:fd:c1:a7:
         91:70:e5:5e:03:09:23:f7:a1:39:f1:0f:3b:39:fd:54:05:5c:
         9e:f3:63:36:9f:c6:3f:d5:47:16:20:d6:37:4d:7b:22:09:35:
         f4:8a:1d:66:9d:24:05:29:3a:0a:d0:d7:37:a1:73:5d:93:74:
         38:da:72:1f:15:c5:1f:3e:7b:d7:aa:85:09:ee:7d:23:97:e3:
         75:04:9c:d1:9f:43:f1:76:38:de:cc:68:94:99:ca:de:18:96:
         14:6b:a4:77:59:3c:43:06:0c:22:61:7f:16:73:a5:d4:7e:39:
         24:0b:c6:22:75:65:83:23:b1:b5:64:9c:a1:41:3a:c0:08:ef:
         b7:e4:9d:a5:f0:9d:9f:9d:eb:e5:3c:c5:7d:e6:b6:32:02:b7:
         61:eb:c0:a8:f7:56:a2:2d:2c:9a:30:f7:70:c2:fa:05:3a:63:
         d4:72:9c:07

5.、客户端生成私钥:

[root@dadda6 data]#(umask 066;openssl genrsa -out app.key 2048)
Generating RSA private key, 2048 bit long modulus
...............................................+++
............................................................+++
e is 65537 (0x10001)

6、 客户端生成csr文件 (默认国家地区公司三项必须和服务器端一样,如需不一样,需修改配置文件中policy后面内容)

[root@dadda6 data]#openssl req -new -key app.key -out app.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:beijing
Organization Name (eg, company) [Default Company Ltd]:dushan
Organizational Unit Name (eg, section) []:sales
Common Name (eg, your name or your server's hostname) []:sale.dushan.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

7、 cp到服务器端,位置可自定义(也可以制作秘钥和csr文件在服务器端做完传给客户端)

[root@dadda6 data]#scp app.csr 192.168.32.61:/etc/pki/CA     
[email protected]'s password: 
app.csr                                                  100% 1009     1.0KB/s   00:00

8、 颁发证书 (如缺少/etc/index.txt,/etc/serial文件会失败,执行第一步)

[root@centos7 CA]#openssl ca -in /etc/pki/CA/app.csr -out /etc/pki/CA/certs/app.crt -days 360
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Sep 13 08:52:39 2018 GMT
            Not After : Sep  8 08:52:39 2019 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = beijing
            organizationName          = dushan
            organizationalUnitName    = sales
            commonName                = sale.dushan.com
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                01:F6:5B:10:58:30:68:76:D1:7A:26:4E:0E:44:BE:00:AF:91:1F:24
            X509v3 Authority Key Identifier: 
                keyid:C9:DC:B1:29:8C:0F:3B:11:1D:09:D2:62:95:7D:08:D2:EA:4E:C9:64

Certificate is to be certified until Sep  8 08:52:39 2019 GMT (360 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

9、可查看新证书信息
可选参数 -text|issuer|subject|serial|dates


[root@centos7 CA]#tree
.
├── app.csr
├── cacert.pem
├── certs
│   └── app.crt
├── crl
├── index.txt
├── index.txt.attr
├── index.txt.old
├── newcerts
│   └── 01.pem
├── private
│   └── cakey.pem
├── serial
└── serial.old

4 directories, 10 files
[root@centos7 CA]#cat index.txt
V       190908085239Z      01   unknown /C=CN/ST=beijing/O=dushan/OU=sales/CN=sale.dushan.com
[root@centos7 CA]#cat serial.old
01
[root@centos7 CA]#openssl x509 -in certs/app.crt -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=CN, ST=beijing, L=beijing, O=dushan, OU=opt, CN=www.dushan.com
        Validity
            Not Before: Sep 13 08:52:39 2018 GMT
            Not After : Sep  8 08:52:39 2019 GMT
        Subject: C=CN, ST=beijing, O=dushan, OU=sales, CN=sale.dushan.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:e5:d2:3b:0b:5f:33:50:12:e6:c0:34:8f:3b:fe:
                    89:9d:e5:db:f1:76:13:70:a7:d8:3a:5a:60:6c:6d:
                    98:e1:15:32:90:18:21:8c:0e:e5:79:4d:8f:7e:43:
                    bb:cb:78:61:72:b8:b7:f1:34:6f:38:b2:38:94:b4:
                    d8:c7:6f:e7:6c:b8:1e:76:ab:3a:29:96:1e:db:15:
                    46:f8:aa:fd:85:cc:9d:61:a1:33:ff:b4:a4:f4:2e:
                    82:e0:03:1b:cf:09:04:d3:45:78:eb:b1:fc:ce:0e:
                    30:39:a9:7b:4d:71:ee:87:31:4a:c6:fe:72:61:b1:
                    f3:ed:42:51:3a:4a:da:7d:e8:fd:dd:97:e8:ca:f7:
                    b9:78:24:15:2e:6e:88:e0:a2:3e:ff:10:a1:b4:8f:
                    af:1c:f0:02:cc:fe:f6:1a:eb:46:92:9f:9f:e1:3e:
                    b3:c1:09:b0:09:07:10:fa:84:83:01:4d:a8:ed:dc:
                    d7:d3:7e:be:0c:96:f9:92:b8:22:e2:36:4d:98:8e:
                    c6:cd:6c:7d:8c:bd:fa:9d:ef:f3:90:67:12:35:da:
                    2f:db:29:2d:f0:b5:54:a9:8c:ae:ca:13:a3:51:37:
                    83:d0:47:65:ae:f2:89:b2:1d:c7:99:d3:c3:88:bd:
                    49:51:4a:e3:33:42:f4:41:93:7b:01:87:c1:a3:6d:
                    e2:f3
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                01:F6:5B:10:58:30:68:76:D1:7A:26:4E:0E:44:BE:00:AF:91:1F:24
            X509v3 Authority Key Identifier: 
                keyid:C9:DC:B1:29:8C:0F:3B:11:1D:09:D2:62:95:7D:08:D2:EA:4E:C9:64

    Signature Algorithm: sha256WithRSAEncryption
         17:a7:0c:2c:1d:5a:ae:8d:d9:41:b9:91:c4:14:59:1b:9c:21:
         5c:68:78:5e:95:64:03:79:f5:2f:39:ad:87:14:8f:11:34:c4:
         4d:a1:ef:9c:f7:88:e5:02:ac:78:44:1a:ef:dc:63:53:fc:5e:
         fd:4c:5b:fe:b2:14:02:24:fb:44:ad:6c:37:22:30:fc:b6:99:
         eb:5a:e8:a1:d8:cb:1d:ed:20:32:0e:57:ef:b5:2a:85:e1:de:
         57:80:91:48:a4:f4:63:f2:55:48:db:ad:f9:fd:fd:4a:ce:92:
         59:1d:7a:6c:51:4e:7a:22:7c:8e:0e:5e:6e:28:25:78:10:5f:
         cd:c5:33:c6:12:0c:12:57:50:4e:ec:ac:61:1c:85:5b:54:86:
         72:a1:19:6c:f0:fa:75:23:80:68:02:b8:16:bc:07:8d:5c:80:
         1d:dc:41:ba:23:e7:6a:a0:8d:34:8e:55:82:16:ce:20:1f:74:
         77:13:73:92:eb:25:93:79:db:ba:b4:6a:d2:61:28:d7:2f:ac:
         de:60:2d:88:7c:75:5c:56:6b:13:d2:84:ea:96:e4:9e:2b:37:
         d1:3a:15:48:33:a6:a0:e3:78:ae:c1:32:c3:58:7e:5a:8f:ec:
         be:7d:49:74:59:21:5a:a7:85:ca:21:1c:ee:f5:7d:42:33:d3:
         01:22:b5:76

10、验证证书的可靠性

[root@centos7 CA]#openssl verify -CAfile cacert.pem certs/app.crt 
certs/app.crt: OK

*如一个申请需颁发多个证书需更改文件index.txt.attr为no(默认唯一)

[root@centos7 CA]#cat index.txt.attr 
unique_subject = yes

11、吊销证书

[root@centos7 CA]#openssl ca -revoke  newcerts/01.pem    
Using configuration from /etc/pki/tls/openssl.cnf
Revoking Certificate 01.
Data Base Updated

*指定第一个吊销证书的编号,注意:第一次更新证书吊销列表前,才需要执行

echo 01 > /etc/pki/CA/crlnumber

更新证书吊销列表

openssl ca -gencrl -out /etc/pki/CA/crl.pem

查看crl文件

openssl crl -in /etc/pki/CA/crl.pem -noout -text

你可能感兴趣的:(Linux,CA创建颁发,openssl)