openssl

数据加密  (对称加密,双反使用一个密码 【DES】)

身份验证    (非对称,公钥加密)[rsa,dsa(只用来做签名)]

数据完整性     (单向加密,one way hash【MD5,sha1】)

                   数字签名 :rsa  dsa

                    key Exchange  Diffie-Hellman

openssl 

libcrypto : 这是个库文件,实现数据加密

libssl :库文件,实现建立ssl会话的

openssl,命令行工具,可以手动的生成密钥,证书请求,证书,还可以实现字签证书等

具体的间下图:

openssl_第1张图片

openssl实现对称加密工具

1:gpg (算法有:3DES,CAST5,Blowfish)

2:OpenSSL enc

 

OpenSSL支持很多子命令,可以用OpenSSL ?查看

OpenSSL

    version (不加横岗)

     speed  rsa 可以测试rsa的算法速度

OpenSSL对一个文件加密

openssl

OpenSSL �Cenc  -des3  -salt �Ca  -in  /etc/fstab   -out /etc/file    

openssl单向加密(抽取特征码)

   md5sum       .. fstab

  sha1sum      ..fatab

  openssl dgst(让openssl单向加密)  -sha1 fstab  openssl  sha1  < fstab (另一种形式)

openssl生成密码

openssl passwd �Cl

 

以一次完整的通信过程为例说明

A要给B通信

  A要做的是:

      1:写好数据,提取数据的特征码  (单向加密(MD5,sha1))

       2:然后用A自己的私钥加密数据特征码,(这就是所谓的数字签名,即可以验证自己身份)(B可以用A的公

钥解密已达到验证自己身份的目的)

       3:在用一个session key(随机产生的)加密全部数据(包括特征码和数据)    

       4:在用对方的公钥加密全部数据 (只有对方自己可以用它自己的私钥解密)

  B开始相反的过程:

        1:首先用B的私钥解密数据 得到那个session key 密码

        2:得到那个session key 密码 ,可以解密得到数据和特征码   

        3:然后用A的公钥解密数据特征码,如果可以就证明A的身份,然后可以在对数据做一次单向加密,比对数

据特征码是否一致

         这就是一次安全的通信的过程

在通信过程中得到对方的公钥是个至关重要的步骤,那么双方数证明得到对方的公钥的呢,这是就需要CA了

CA是什么?

CA是双方都信任的第三方机构,CA给双方都发一个证书

证书里包括了:自己的公钥,有效期,拥有者信息,用途,颁发证书的CA,CA的签名

每一个操作系统默认都有嵌入一些CA的证书,对CA的签名用自己内置的对应CA的公钥解密签名,如果可以就证明

CA就是CA,然后再对证书本身做单向加密,比对特征码是否跟解密出来的一致,一致即表明证书没被篡改过,可

以使用

另一种情况就是当双方不能识别对方CA时,即你的CA是A,我的是B,如果内置没有对方CA的公钥就会被提示CA

不被信任

 

简要介绍了使用openssl来生成CA证书、申请证书、颁发证书以及撤销证书的过程

1. 首先建立CA密钥:
openssl genrsa -des3 -out ca.key 1024 (创建密钥)
chmod 400 ca.key (修改权限为仅root能访问)
openssl rsa -noout -text -in ca.key (查看创建的证书)

2. 利用CA密钥自签署CA证书:
openssl req -new -x509 -days 3650 -key ca.key -out ca.crt
chmod 400 ca.crt (修改权限为仅root能访问)
openssl x509 -noout -text -in ca.crt (查看创建的证书)

3. 创建服务器证书签署申请:
openssl genrsa -des3 -out client.key 1024
chmod 400 server.key (修改权限为仅root能访问)
openssl rsa -noout -text -in client.key (查看创建的证书)

4. 利用证书签署申请生成请求:
openssl req -new -key client.key -out client.csr
openssl req -noout -text -in client.csr (查看创建的请求)

5.进行证书签署:
这时候需要先设置一下openssl的配置文件。
modify /usr/share/ssl/openssl.cnf并根据这个配置文件创建相应的目录和文件。
在创建了serial文件之后,还需要添加当前的八进制的serial number,如:01
然后执行:
openssl ca -keyfile ca.key -cert ca.crt -in client.csr -out client.pem

6.证书撤销:
openssl ca -keyfile ca.key -cert ca.crt -revoke client.pem
这时数据库被更新证书被标记上撤销的标志,需要生成新的证书撤销列表:
openssl ca -gencrl -keyfile ca.key -cert ca.crt -out crl/test.crl
查看证书撤销列表:
openssl crl -noout -text -in crl/test.crl
证书撤销列表文件要在WEB站点上可以使用,必须将crldays或crlhours和crlexts加到证书中:
openssl ca -gencrl -config /etc/openssl.cnf -crldays 7 -crlexts crl_ext -out crl/sopac-ca.crl

 

使用OpenSSL生成证书

下载安装openssl,进入/bin/下面,执行命令(把ssl目录下的openssl.cnf 拷贝到bin目录下)

1.首先要生成服务器端的私钥(key文件):

openssl genrsa -des3 -out server.key 1024

[root@airwaySSL openssl]# cd ssl/

[root@airwaySSL ssl]# pwd

/home/openssl/ssl

[root@airwaySSL ssl]# ls

certs man misc openssl.cnf private server.csr server.key

运行时会提示输入密码,此密码用于加密key文件(参数des3便是指加密算法,当然也可以选用其他你认为安全的算法.),以后每当需读取此文件(通过openssl提供的命令或API)都需输入口令.如果觉得不方便,也可以去除这个口令,但一定要采取其他的保护措施!

去除key文件口令的命令:

openssl rsa -in server.key -out server.key

2.openssl req -new -key server.key -out server.csr -config openssl.cnf

[root@airwaySSL bin]# openssl req -new -key server.key -out server.csr -config openssl.cnf

ter pass phrase for server.key:12345

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [AU]:CN

State or Province Name (full name) [Some-State]:china

Locality Name (eg, city) []:wuhan

Organization Name (eg, company) [Internet Widgits Pty Ltd]:airway

Organizational Unit Name (eg, section) []:airway

Common Name (eg, YOUR name) []:airway

Email Address []:

Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge password []:

An optional company name []:

生成Certificate Signing Request(CSR),生成的csr文件交给CA签名后形成服务端自己的证书.屏幕上将有提示,依照其指示一步一步输入要求的个人信息即可.

3.对客户端也作同样的命令生成key及csr文件:

openssl genrsa -des3 -out client.key 1024

Generating RSA private key, 1024 bit long modulus

...........++++++

..++++++

e is 65537 (0x10001)

Enter pass phrase for client.key:12345

Verifying - Enter pass phrase for client.key:12345

openssl req -new -key client.key -out client.csr -config openssl.cnf

[root@airwaySSL bin]# openssl req -new -key client.key -out client.csr -config openssl.cnf

Enter pass phrase for client.key:12345

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [AU]:cn

State or Province Name (full name) [Some-State]:china

Locality Name (eg, city) []:wuhan

Organization Name (eg, company) [Internet Widgits Pty Ltd]:airway

Organizational Unit Name (eg, section) []:airway

Common Name (eg, YOUR name) []:airway

Email Address []:

Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge password []:

An optional company name []:

4.CSR文件必须有CA的签名才可形成证书.可将此文件发送到verisign等地方由它验证,要交一大笔钱,何不自己做CA呢.

openssl req -new -x509 -keyout ca.key -out ca.crt -config openssl.cnf

[root@airwaySSL bin]# openssl req -new -x509 -keyout ca.key -out ca.crt -config openssl.cnf

Generating a 1024 bit RSA private key

...++++++

...................++++++

writing new private key to 'ca.key'

Enter PEM pass phrase:12345

Verifying - Enter PEM pass phrase:

-----

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [AU]:CN

State or Province Name (full name) [Some-State]:china

Locality Name (eg, city) []:wuhan

Organization Name (eg, company) [Internet Widgits Pty Ltd]:airway

Organizational Unit Name (eg, section) []:airway

Common Name (eg, YOUR name) []:airway

Email Address []:

在继续下面操作前,将openssl.conf文件打开,查看其dir路径将其修改为dir = /home/openssl/bin/demoCA /,否则下面的步骤会提示路径无法找到。

自己手动创建一个CA目录结构:
[weigw@TEST bin]$ mkdir ./demoCA
[weigw@TEST bin]$ mkdir demoCA/newcerts
创建个空文件:
[weigw@TEST bin]$ vi demoCA/index.txt
向文件中写入01:
[weigw@TEST bin]$ vi demoCA/serial

5.用生成的CA的证书为刚才生成的server.csr,client.csr文件签名:

openssl ca -in server.csr -out server.crt -cert ca.crt -keyfile ca.key -config openssl.cnf

[root@airwaySSL bin]# openssl ca -in server.csr -out server.crt -cert ca.crt -keyfile ca.key -config openssl.cnf

Using configuration from openssl.cnf

Enter pass phrase for ca.key:

Check that the request matches the signature

Signature ok

Certificate Details:

Serial Number: 1 (0x1)

Validity

Not Before: Feb 26 04:15:02 2009 GMT

Not After : Feb 26 04:15:02 2010 GMT

Subject:

countryName = CN

stateOrProvinceName = china

organizationName = airway

organizationalUnitName = airway

commonName = airway

X509v3 extensions:

X509v3 Basic Constraints:

CA:FALSE

Netscape Comment:

OpenSSL Generated Certificate

X509v3 Subject Key Identifier:

30:70:D2:EB:9B:73:AE:7B:0E:8E:F6:94:33:7C:53:5B:EF:93:FC:38

X509v3 Authority Key Identifier:

keyid:DB:D6:83:BB:7F:28:C2:A9:40:6A:D8:32:FC:01:E0:5C:48:27:51:19

Certificate is to be certified until Feb 26 04:15:02 2010 GMT (365 days)

Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y

Write out database with 1 new entries

Data Base Updated

openssl ca -in client.csr -out client.crt -cert ca.crt -keyfile ca.key -config openssl.cnf

[root@airwaySSL bin]# openssl ca -in client.csr -out client.crt -cert ca.crt -keyfile ca.key -config openssl.cnf

Using configuration from openssl.cnf

Enter pass phrase for ca.key:

Check that the request matches the signature

Signature ok

The countryName field needed to be the same in the

CA certificate (CN) and the request (cn)

现在我们所需的全部文件便生成了.

另:

client使用的文件有:ca.crt,client.crt,client.key

server使用的文件有:ca.crt,server.crt,server.key

RedHat特殊的证书生成方式

   cd /etc/pki/tls/certs

      make 命令 可以直接生成密钥  make server.key

                       生成PDM 格式的证书:make a.pem

                        生成证书请求 :make   server.csr

       make 之所以能有如此的功能是靠一个配置文件的 /etc/pki/openssl.conf

你可能感兴趣的:(职场,OpenSSL,休闲)