The openssl command-line tool: the openssl command contains many subcommands that implement its cryptographic functions.
Standard commands include: enc, dgst, ca, req, genrsa, rand, rsa, x509, passwd, ...

1. Symmetric encryption: enc
   Provides symmetric ciphers for encrypting data or files by hand.
   Format: openssl enc -ciphername [-in filename] [-out filename] [-e] [-d] [-a/-base64] [-salt]
     -ciphername: name of the cipher (for example -des3 or -aes-256-cbc)
     -in filename: path of the file openssl reads
     -out filename: path of the file where the result of the encryption or decryption is saved
     -e: encrypt
     -d: decrypt
     -a/-base64: base64-encode the ciphertext so it is plain text
     -salt: use a random salt (the default in current OpenSSL releases)
   Examples:
   Encrypt a file (-e; -in names the source file, -out where the ciphertext goes):
     ~]# openssl enc -e -des3 -in anaconda-ks.cfg -a -out anaconda-ks.cfg.encryptfile
   Decrypt a file (-d; -in names the ciphertext, -out where the plaintext goes):
     ~]# openssl enc -d -des3 -out anaconda-ks.cfg -a -in anaconda-ks.cfg.encryptfile
   Caveats for real use: -des3 is a legacy cipher (prefer -aes-256-cbc); enc derives the key from the password with a single hash iteration unless -pbkdf2 (OpenSSL 1.1.1 and later) is given; and enc adds no integrity check, so a modified ciphertext can still decrypt without any error.

2. One-way hashing (message digest): dgst
   A digest is a one-way function: it can be recomputed and compared, not reversed.
   Example: compute the SHA-1 digest of the fstab file:
     ~]# openssl dgst -sha1 fstab
   SHA-1 collisions are practical today; use -sha256 for anything that matters.

3. Random numbers: rand
   openssl rand [-out file] [-rand file(s)] [-base64] [-hex] num
   Example (8 random bytes, base64-encoded):
     ~]# openssl rand -base64 8

4. Salted password hashes: passwd
   openssl passwd -1 -salt SALT_STRING
   Example:
     ~]# openssl passwd -1 -salt 01234567
   -1 selects the MD5-based crypt format ($1$...). OpenSSL 1.1.1 and later also offer -5 (SHA-256 crypt) and -6 (SHA-512 crypt); prefer those.

5. Public-key algorithms: genrsa
   Generates an RSA private key.
   openssl genrsa [-out filename] [-des] [-des3] [-idea] [-f4] [-3] [numbits]
   Generate the key under a restrictive umask so the file is created with mode 0600 instead of world-readable:
     ~]# (umask 077 ; openssl genrsa -out /tmp/my.key 4096)
     ~]# (umask 077 ; openssl genrsa > /tmp/my.key 4096)
   Extract the public key from an existing private key file: rsa
   openssl rsa [-in filename] [-out filename] [-pubout]
     -pubout: output the public key
     -in filename: path of the private key file
     -out filename: path of the public key file
   Example:
     ~]# openssl rsa -in my.key -out mykey.pub -pubout

Building a private CA with openssl:
   1. Create a private key on the host that will act as the CA;
   2. Generate a self-signed certificate;
   3. Provide the directories and text files the CA needs.
   Directories:
     /etc/pki/CA/certs
     /etc/pki/CA/crl
     /etc/pki/CA/newcerts
   Text files:
     /etc/pki/CA/serial: holds the serial number of the next certificate; normally initialised to 01;
     /etc/pki/CA/index.txt: the certificate index (the CA's database);
     /etc/pki/tls/openssl.cnf: the configuration file; its [ CA_default ] section defines these paths.

Steps to create the private CA:
1. Create the CA's private key:
   [root@chenliang CA]# ls
   certs  crl  newcerts  private
   [root@chenliang CA]# (umask 077 ; openssl genrsa -out /etc/pki/CA/private/clcakey.pem 2048)
   Generating RSA private key, 2048 bit long modulus
   ....+++
   ....................................................................................................................................+++
   e is 65537 (0x10001)
   [root@chenliang CA]# ll private/
   total 4
   -rw-------. 1 root root 1675 Apr 11 09:01 clcakey.pem
2. Generate the self-signed certificate:
   [root@chenliang CA]# openssl req -new -x509 -key /etc/pki/CA/private/clcakey.pem -out /etc/pki/CA/clcacert.pem -days 10000
   You are about to be asked to enter information that will be incorporated
   into your certificate request.
   What you are about to enter is what is called a Distinguished Name or a DN.
   There are quite a few fields but you can leave some blank
   For some fields there will be a default value,
   If you enter '.', the field will be left blank.
   -----
   Country Name (2 letter code) [XX]:CN
   State or Province Name (full name) []:Hebei
   Locality Name (eg, city) [Default City]:Handan
   Organization Name (eg, company) [Default Company Ltd]:cl
   Organizational Unit Name (eg, section) []:Tech
   Common Name (eg, your name or your server's hostname) []:clca.handan.com
   Email Address []:mail.clhandan.com
   [root@chenliang CA]# ls
   certs  clcacert.pem  crl  newcerts  private
3. Complete the directory and file structure:
   [root@chenliang CA]# touch /etc/pki/CA/index.txt
   [root@chenliang CA]# ls
   certs  clcacert.pem  crl  index.txt  newcerts  private
   [root@chenliang CA]# echo 01 > /etc/pki/CA/serial
   [root@chenliang CA]# ls
   certs  clcacert.pem  crl  index.txt  newcerts  private  serial

Inspecting the certificate on the CA:
   Serial number:
   [root@chenliang CA]# openssl x509 -in clcacert.pem -noout -serial
   serial=F0FD9E8DA617E97D
   Subject:
   [root@chenliang CA]# openssl x509 -in clcacert.pem -noout -subject
   subject= /C=CN/ST=hebei\x08:Hebei/L=Handan/O=cl/OU=Tech/CN=clca.handan.com/emailAddress=mail.clhandan.com
   Note the \x08 in the ST field: it is a literal backspace character typed at the interactive prompt, which openssl req stored as-is (the terminal rendered it, so the transcript above shows only "Hebei"). Check the subject this way before relying on a certificate, or pass the subject non-interactively with -subj.

Revoking a certificate (must be done on the CA):
   Certificates signed with openssl ca are recorded in /etc/pki/CA/index.txt and a copy of each is written to /etc/pki/CA/newcerts/SERIAL.pem; the steps below rely on that.
   1. Get the serial number of the client's certificate (replace /etc/pki/CA/certificate with the path of that certificate):
      openssl x509 -in /etc/pki/CA/certificate -noout -serial
   2. Revoke the certificate:
      openssl ca -revoke /etc/pki/CA/newcerts/SERIAL.pem
      Note: replace "SERIAL" in the command above with the serial number of the certificate being revoked;
   3. Create the CRL number file; this is only needed the first time a certificate is revoked. The default openssl.cnf defines it as crlnumber = $dir/crlnumber, i.e. /etc/pki/CA/crlnumber, and it holds the number of the next CRL, not a certificate serial:
      echo 01 > /etc/pki/CA/crlnumber
   4. Generate or update the certificate revocation list:
      openssl ca -gencrl -out /etc/pki/CA/crl/ca.crl
   5. View the CRL:
      openssl crl -in /etc/pki/CA/crl/ca.crl -noout -text
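For the enc, dgst, rand and passwd commands in the reference at the top of the page, an added example that is not code from the original post. It round-trips a file through openssl enc with a passphrase, compares digests, and then shows the integrity caveat: after four ciphertext bytes are overwritten, enc -d still exits 0 and only the digest comparison reveals the damage. It assumes openssl 1.1.1 or later on PATH (for -pbkdf2 and passwd -6); the passphrase and the file contents are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes openssl 1.1.1+.
# Passphrase and sample file contents below are constructed for the demo.
set -eu

# Encrypt IN to OUT with AES-256-CBC. -pbkdf2 replaces the one-iteration
# legacy key derivation that the page's -des3 example silently relies on.
enc_file() { # enc_file IN OUT PASSPHRASE
    openssl enc -e -aes-256-cbc -salt -pbkdf2 -iter 200000 \
        -in "$1" -out "$2" -pass "pass:$3"
}

dec_file() { # dec_file IN OUT PASSPHRASE
    openssl enc -d -aes-256-cbc -pbkdf2 -iter 200000 \
        -in "$1" -out "$2" -pass "pass:$3"
}

# Hex SHA-256 of a file: the page's "openssl dgst -sha1 fstab" with a digest
# that is not collision-broken, and only the hash printed (last field of
# "SHA256(file)= ..." or "SHA2-256(file)= ...").
digest() {
    openssl dgst -sha256 "$1" | awk '{print $NF}'
}

# Compare two files by digest; prints match or mismatch.
same_content() {
    [ "$(digest "$1")" = "$(digest "$2")" ] && echo match || echo mismatch
}

# Overwrite four bytes of the first ciphertext block (offset 16, right after
# the 8-byte "Salted__" magic and the 8-byte salt) with a fixed pattern.
# CBC decryption then garbles block 1 and flips bits in block 2, but the
# final block, and therefore the padding check, stays intact.
tamper() {
    printf '\377\000\377\000' | dd of="$1" bs=1 seek=16 count=4 conv=notrunc 2>/dev/null
}

# Salted password hash as in the page's "passwd -1 -salt ..." but with
# SHA-512 crypt (-6) instead of MD5 crypt and a salt from "openssl rand".
hash_password() {
    openssl passwd -6 -salt "$(openssl rand -hex 8)" "$1"
}

# Stand-alone run.
WORK=$(mktemp -d)
i=0
while [ $i -lt 20 ]; do
    echo "line $i: constructed sample data, not a real config" >> "$WORK/plain.txt"
    i=$((i + 1))
done
PW='correct horse battery staple'
enc_file "$WORK/plain.txt" "$WORK/plain.enc" "$PW"
dec_file "$WORK/plain.enc" "$WORK/roundtrip.txt" "$PW"
echo "round trip: $(same_content "$WORK/plain.txt" "$WORK/roundtrip.txt")"
tamper "$WORK/plain.enc"
dec_file "$WORK/plain.enc" "$WORK/tampered.txt" "$PW"   # still exits 0
echo "after tampering: $(same_content "$WORK/plain.txt" "$WORK/tampered.txt")"
echo "password hash: $(hash_password "$PW")"
rm -rf "$WORK"
```

The tamper step is the practical reason to pair enc with a separate integrity check (a digest stored out of band, or an HMAC via openssl dgst -hmac) or to use an authenticated mode: enc has no way to notice that the ciphertext was modified.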
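The private-CA procedure and the revocation steps above, as an added example that is not code from the original post: it runs the whole flow in a temporary directory with its own minimal openssl.cnf instead of /etc/pki/CA, and includes the step the page does not show, signing a request with openssl ca (which is what writes newcerts/SERIAL.pem). It assumes openssl 1.1.1 or 3.x on PATH; every path, subject and host name (demo-root-ca, www.example.test) is made up.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes openssl 1.1.1/3.x.
# All directory names, subjects and host names are made up for the demo.
set -eu

# Create the directory tree and bookkeeping files the page lists (index.txt,
# serial, crlnumber), write a minimal config that points "openssl ca" at
# them, then generate the CA key (umask 077 => mode 0600), a self-signed CA
# certificate and an initial empty CRL.
ca_init() {
    CA=$1
    mkdir -p "$CA/certs" "$CA/crl" "$CA/newcerts" "$CA/private"
    chmod 700 "$CA/private"
    : > "$CA/index.txt"        # empty certificate database
    echo 01 > "$CA/serial"     # next certificate serial number
    echo 01 > "$CA/crlnumber"  # next CRL number (not a certificate serial)
    cat > "$CA/openssl.cnf" <<EOF
[ ca ]
default_ca       = demo_ca
[ demo_ca ]
new_certs_dir    = $CA/newcerts
database         = $CA/index.txt
serial           = $CA/serial
crlnumber        = $CA/crlnumber
certificate      = $CA/cacert.pem
private_key      = $CA/private/cakey.pem
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = policy_any
x509_extensions  = usr_cert
[ policy_any ]
countryName      = optional
organizationName = optional
commonName       = supplied
[ usr_cert ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
[ req ]
distinguished_name = req_dn
[ req_dn ]
EOF
    (umask 077; openssl genrsa -out "$CA/private/cakey.pem" 2048 >/dev/null 2>&1)
    openssl req -new -x509 -config "$CA/openssl.cnf" -extensions v3_ca \
        -key "$CA/private/cakey.pem" -days 3650 \
        -subj "/C=CN/O=demo/CN=demo-root-ca" -out "$CA/cacert.pem"
    openssl ca -batch -config "$CA/openssl.cnf" -gencrl -out "$CA/crl/ca.crl" >/dev/null 2>&1
}

# Make a key and CSR for NAME, sign it with the CA, print the certificate path.
# "openssl ca" also records the cert in index.txt and copies it to newcerts/.
ca_issue() { # ca_issue CADIR NAME
    CA=$1 name=$2
    (umask 077; openssl genrsa -out "$CA/private/$name.key" 2048 >/dev/null 2>&1)
    openssl req -new -config "$CA/openssl.cnf" -key "$CA/private/$name.key" \
        -subj "/C=CN/O=demo/CN=$name" -out "$CA/certs/$name.csr"
    openssl ca -batch -notext -config "$CA/openssl.cnf" \
        -in "$CA/certs/$name.csr" -out "$CA/certs/$name.crt" >/dev/null 2>&1
    echo "$CA/certs/$name.crt"
}

# Revoke a certificate (its index.txt entry changes from V to R) and
# regenerate the CRL, which consumes the next crlnumber.
ca_revoke() { # ca_revoke CADIR CERT
    CA=$1
    openssl ca -batch -config "$CA/openssl.cnf" -revoke "$2" >/dev/null 2>&1
    openssl ca -batch -config "$CA/openssl.cnf" -gencrl -out "$CA/crl/ca.crl" >/dev/null 2>&1
}

# Verify a certificate against the CA with CRL checking: valid / revoked / error.
ca_check() { # ca_check CADIR CERT
    CA=$1
    out=$(openssl verify -crl_check -CAfile "$CA/cacert.pem" \
            -CRLfile "$CA/crl/ca.crl" "$2" 2>&1 || true)
    case $out in
        *": OK"*)                echo valid ;;
        *"certificate revoked"*) echo revoked ;;
        *)                       echo "error: $out" ;;
    esac
}

# Stand-alone run.
WORK=$(mktemp -d)
ca_init "$WORK/ca"
CERT=$(ca_issue "$WORK/ca" www.example.test)
echo "issued $CERT; copy in newcerts: $(ls "$WORK/ca/newcerts")"
echo "before revocation: $(ca_check "$WORK/ca" "$CERT")"
ca_revoke "$WORK/ca" "$CERT"
echo "after revocation:  $(ca_check "$WORK/ca" "$CERT")"
openssl crl -in "$WORK/ca/crl/ca.crl" -noout -text | grep 'Serial Number'
rm -rf "$WORK"
```

The config deliberately gives the CA certificate basicConstraints CA:TRUE and keyCertSign/cRLSign: a CA certificate without these extensions is rejected by openssl verify as an issuer, and the CRL check requires cRLSign.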
Reposted from: https://blog.51cto.com/chenliangdeeper/2096803