openssl 命令行 工具: 命令包含众多的子命令来实现各种安全加密功能
标准命令有:
enc, dgst, ca, req, genrsa, rand, rsa, x509, passwd, ...
1. 对称加密命令: enc
提供对称加密算法, 以进行数据或文件的手动加密;
格式: openssl enc -ciphername [-in filename] [-out filename] [-e] [-d] [-a/-base64] [-salt]
-ciphername: 加密算法的名称
-in filename:openssl 要读取的文件路径;
-out filename: 加密或解密操作后用于保存结果的文件路径;
-e: 加密操作
-d: 解密操作
-a/-base64: 用纯文本格式进行密文编码;
-salt: 随机加盐;
示例:
加密文件 (使用 - e,-in 选项, 指定文件和加密后存放的位置):
~]# openssl enc -e -des3 -in anaconda-ks.cfg -a -out anaconda-ks.cfg.encryptfile
解密文件 (使用 - d,-out 选项, 指定文件和加密后存放的位置):
~]# openssl enc -d -des3 -out anaconda-ks.cfg -a -in anaconda-ks.cfg.encryptfile
2. 单向解密命令: dgst
示例:
对 fstab 文件进行单向解密
~]# openssl dgst -sha1 fstab
3. 生成随机数命令: rand
openssl rand [-out file] [-rand file(s)] [-base64] [-hex] num
示例:
~]# openssl rand -base64 8
4. 生成带盐的密码: passwd
openssl passwd -1 -salt SALT_STRING
示例:
~]# openssl passwd -1 -salt 01234567
5. 公钥加密算法: genrsa
生成 rsa 加密算法的私钥;
openssl genrsa [-out filename] [-des] [-des3] [-idea] [-f4] [-3] [numbits]
建议使用权限遮罩码来生成私钥:
- ~]# (umask 077 ; openssl genrsa -out /tmp/my.key 4096)
- ~]# (umask 077 ; openssl genrsa> /tmp/my.key 4096)
从以及生成的私钥文件中抽取公钥: rsa
openssl rsa [-in filename] [-out filename] [-pubout]
-pubout: 抽取公钥
-in filename: 私钥文件的路径
-out filename: 公钥文件的路径
示例:
~]# openssl rsa -in my.key -out mykey.pub -pubout
利用 openssl 建立私有 CA:
1. 创建 CA 所在主机的私钥文件;
2. 生成自签证书;
3. 必须为 CA 提供必要的目录级文件及文本级文件;
目录级文件:
/etc/pki/CA/certs
/etc/pki/CA/crl
/etc/pki/CA/newcerts
文本级文件:
/etc/pki/CA/serial: 保存证书的序列号, 一般初始序列号为 01;
/etc/pki/CA/index.txt: 证书索引;
/etc/pki/tls/openssl.cnf: 配置文件;
创建私有 CA 的步骤:
1. 创建 CA 的私钥文件:
- [root@chenliang CA]# ls
- certs crl newcerts private
- [root@chenliang CA]# (umask 077 ; openssl genrsa -out /etc/pki/CA/private/clcakey.pem 2048)
- Generating RSA private key, 2048 bit long modulus
- ....+++
- ....................................................................................................................................+++
- e is 65537 (0x10001)
- [root@chenliang CA]# ll private/
总用量 4
-rw-------. 1 root root 1675 4 月 11 09:01 clcakey.pem
2. 生成自签证书:
[root@chenliang CA]# openssl req -new -x509 -key /etc/pki/CA/private/clcakey.pem -out /etc/pki/CA/clcacert.pem -days 10000
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
- -----
- Country Name (2 letter code) [XX]:CN
- State or Province Name (full name) []:Hebei
- Locality Name (eg, city) [Default City]:Handan
- Organization Name (eg, company) [Default Company Ltd]:cl
- Organizational Unit Name (eg, section) []:Tech
- Common Name (eg, your name or your server's hostname) []:clca.handan.com
- Email Address []:mail.clhandan.com
- [root@chenliang CA]# ls
certs clcacert.pem crl newcerts private
3. 完善目录及文本文件结构:
- [root@chenliang CA]# touch /etc/pki/CA/index.txt
- [root@chenliang CA]# ls
- certs clcacert.pem crl index.txt newcerts private
- [root@chenliang CA]# echo 01> /etc/pki/CA/serial
- [root@chenliang CA]# ls
certs clcacert.pem crl index.txt newcerts private serial
在 CA 上查看证书内容:
查看序列号:
- [root@chenliang CA]# openssl x509 -in clcacert.pem -noout -serial
- serial=F0FD9E8DA617E97D
查看证书内容:
- [root@chenliang CA]# openssl x509 -in clcacert.pem -noout -subject
- subject= /C=CN/ST=hebei\x08:Hebei/L=Handan/O=cl/OU=Tech/CN=clca.handan.com/emailAddress=mail.clhandan.com
吊销证书: 必须在 CA 上执行;
1. 获取客户端证书对应的序列号:
openssl x509 -in /etc/pki/CA/certificate -noout -serial
2. 吊销证书:
openssl ca -revoke /etc/pki/CA/newcerts/SERIAL.pem
注意: 上述命令中的 "SERIAL" 要换成准备吊销的证书的序列号;
3. 生成吊销证书的吊销索引文件; 仅需要第一次吊销证书时执行此操作:
echo "SERIAL"> /etc/pki/CA/crl/crlnumber
4. 更新证书吊销列表:
openssl ca -genctl -out /etc/pki/CA/crl/ca.crl
5. 查看 CRL:
openssl crl -in /etc/pki/CA/crl/ca.crl -noout -text
来源: http://www.bubuko.com/infodetail-2558085.html