openssl提供了2个库文件和1一个命令行工具
libcrypto库为系统应用程序的加密、解密功能所依赖;
libssl库文件实现应用程序的ssl功能;
openssl是一个提供加密解密、散列、证书产生等用途命令行工具;
基本使用方法:
查看openssl版本
[root@stu01 ~]# openssl version
OpenSSL 1.0.0-fips 29 Mar 2010
使用openssl加密和解密文件
[root@stu01 ~]# openssl enc -des -in a.sh -e -out a.sh.des
enter des-cbc encryption password:
Verifying - enter des-cbc encryption password:
[root@stu01 ~]# openssl enc -des -in a.sh.aes -d -out a.sh
enter des-cbc decryption password:
使用openssl计算文件的散列值:
[root@stu01 ~]# openssl dgst -sha1 /etc/passwd
SHA1(/etc/passwd)= cb7faacfd3cadddd96e0cf43af4248346bee70fa
[root@stu01 ~]# sha1sum /etc/passwd
cb7faacfd3cadddd96e0cf43af4248346bee70fa /etc/passwd
openssl speed 可以测试各种算法运行的速度
生成2N长度的随机数
openssl rand -hex N
openssl产生秘钥,长度可变
[root@stu01 ~]# (umask 077;openssl genrsa -des -out a.key 1024);加密存放秘钥文件a.key,加括号表示在子shell中生效,不影响当前shell
提取公钥:
[root@stu01 ~]# openssl rsa -in a.key -pubout;如果有密码保护,会提示输入密码
生成证书申请:
[root@stu01 ~]# openssl req -new -key a.key -out a.csr
Enter pass phrase for a.key: (因为a.key已经加密,所以先输入密码)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:(此处默认为XX,可以修改ssl的配置文件 /etc/pki/tls/openssl.cnf,后面附有配置文件内容)
State or Province Name (full name) [Henan]:
Locality Name (eg, city) [Zhengzhou]:
Organization Name (eg, company) [magelinux]:
Organizational Unit Name (eg, section) [tech]:
Common Name (eg, your name or your server's hostname) []:a.magelinux.com
Email Address [[email protected]]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
配置文件内容:
[root@stu01 ~]# more /etc/pki/tls/openssl.cnf
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = CN
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Henan
localityName = Locality Name (eg, city)
localityName_default = Zhengzhou
0.organizationName = Organization Name (eg, company)
0.organizationName_default = magelinux
# we can do this but it is not needed normally :-)
#1.organizationName = Second Organization Name (eg, company)
#1.organizationName_default = World Wide Web Pty Ltd
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = tech
commonName = Common Name (eg, your name or your server\'s h
ostname)
commonName_max = 64
emailAddress = Email Address
emailAddress_max = 64
emailAddress_default = [email protected]
将证书申请发送到CA,让CA进行签署;
首先配置CA:
根据配置文件补充必要文件:
cd /etc/pki/CA
1、为CA生成一个私钥:
(umask 077; openssl genrsa -out private/cakey.pem 2048)
2、生成自签证书:
openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 365
touch index.txt
echo 01 > serial
cat /etc/pki/tls/openssl.cnf
[ ca ]
default_ca = CA_default # The default ca section
####################################################################
[ CA_default ]
dir = /etc/pki/CA # CA 的目录
certs = $dir/certs # 发布的证书位置
crl_dir = $dir/crl # 证书吊销列表目录
database = $dir/index.txt # 数据库索引文件,初始为空
#unique_subject = no # Set to 'no' to allow creation of
# several ctificates with same subject.
new_certs_dir = $dir/newcerts # 新证书存放目录.
certificate = $dir/cacert.pem # CA 自己的证书
serial = $dir/serial # 最近的证书编号
crlnumber = $dir/crlnumber # 证书吊销列表的号码
# must be commented out to leave a V1 CRL
crl = $dir/crl.pem # 当前的证书吊销列表
private_key = $dir/private/cakey.pem# CA的私钥文件
RANDFILE = $dir/private/.rand # 私有随机数文件
x509_extensions = usr_cert # The extentions to add to the cert
# Comment out the following two lines for the "traditional"
# (and highly broken) format.
name_opt = ca_default # Subject Name options
cert_opt = ca_default # Certificate field options
# Extension copying option: use with caution.
# copy_extensions = copy
# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL.
# crlnumber must also be commented out to leave a V1 CRL.
# crl_extensions = crl_ext
default_days = 365 # how long to certify for
default_crl_days= 30 # how long before next CRL
default_md = default # use public key default MD
preserve = no # keep passed DN ordering
# A few difference way of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy = policy_match
# For the CA policy
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
最后为用户签署证书:
[root@stu01 ~]# openssl ca -in a.csr -out a.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 2 (0x2)
Validity
Not Before: Aug 21 15:55:39 2013 GMT
Not After : Aug 21 15:55:39 2014 GMT
Subject:
countryName = CN
stateOrProvinceName = Henan
organizationName = magelinux
organizationalUnitName = tech
commonName = a.magelinux.com
emailAddress = [email protected]
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
41:58:FE:39:3A:0E:19:AC:59:4F:FF:1E:38:15:06:F0:3D:FB:40:D3
X509v3 Authority Key Identifier:
keyid:59:CF:8B:62:00:B0:26:B5:E5:26:0E:3A:7F:B5:53:8E:EF:08:DA:24
Certificate is to be certified until Aug 21 15:55:39 2014 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated