OpenSSL is an open-source implementation of SSL; SSL and TLS themselves are not covered here. In short, OpenSSL is a piece of software that encrypts data, decrypts data and creates a private CA. Official site:
Main components of OpenSSL:
libcrypto: the cryptographic library
libssl: the TLS/SSL library (session-based; provides authentication, data integrity and confidentiality)
openssl: the command-line tool, which can issue certificates from a private CA
Worked examples
# Check how openssl is installed on this system
[root@localhost ~]# rpm -qa openssl
openssl-0.9.8e-22.el5
openssl-0.9.8e-22.el5
# Files installed by the openssl package (too many to show here)
[root@localhost ~]# rpm -ql openssl | more
[root@localhost ~]# vim testssl.txt
12345678910
# The next command prompts for an encryption password (this run uses the symmetric des3 cipher, i.e. triple DES)
[root@localhost ~]# openssl enc -des3 -salt -a -in testssl.txt -out testssl_des3
enter des-ede3-cbc encryption password:
Verifying - enter des-ede3-cbc encryption password:
[root@localhost ~]# vim testssl_des3
U2FsdGVkX18Ac3RL0TNIX/2lCQEGy959/u2/A4SCNt8=
# The next command prompts for the decryption password
[root@localhost ~]# openssl enc -des3 -d -salt -a -in testssl_des3 -out testssl.txt1
enter des-ede3-cbc decryption password:
# Compare the original file with the decrypted one (no output from diff means they are identical)
[root@localhost ~]# diff testssl.txt testssl.txt1
# Output of several one-way hash (digest) functions
# (note: openssl passwd hashes the string given on the command line, here the literal text "testssl.txt", not the file's contents)
[root@localhost ~]# sha1sum testssl.txt
bb9670e73957e64e15d8411e2e424d84b8599e20 testssl.txt
[root@localhost ~]# openssl dgst -sha1 testssl.txt
SHA1(testssl.txt)= bb9670e73957e64e15d8411e2e424d84b8599e20
[root@localhost ~]# openssl dgst -md5 testssl.txt
MD5(testssl.txt)= 8140de300ce2cf5032f9489bd39afed0
[root@localhost ~]# openssl passwd -1 testssl.txt
$1$Ml2abKeF$Kx6uZL.1RTBshxFa.CT3I0
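The enc and dgst steps above, replayed without interactive prompts, as an added example that is not code from the original post. It puts the page's des3 choice (OpenSSL's old single-iteration key derivation) next to aes-256-cbc with PBKDF2, reads the passphrase from a file so it never appears on the command line, and shows why the page's closing diff matters: enc provides no integrity check, so a corrupted ciphertext can still "decrypt" cleanly into wrong data. The -pbkdf2 option needs OpenSSL 1.1.1 or later (the 0.9.8e build on the page does not have it). File names, file contents and the passphrase are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the original post. Replays the enc/dgst steps
# non-interactively and contrasts des3 (legacy key derivation) with
# aes-256-cbc + PBKDF2. Needs OpenSSL 1.1.1+ for -pbkdf2.
# File names, plaintext and passphrase below are constructed for the demo.
set -eu

sha256_of() { openssl dgst -sha256 -r "$1" | cut -d' ' -f1; }

# Encrypt $plain with $cipher into $enc, decrypt it again, print the sha256 of
# the result so the caller can compare it with the original (the page's diff).
# Extra arguments (e.g. -pbkdf2 -iter 200000) go to both enc calls. The
# passphrase comes from a file (-pass file:) rather than argv, so `ps` cannot see it.
roundtrip() {
    cipher="$1"; plain="$2"; passfile="$3"; enc="$4"; shift 4
    openssl enc "-$cipher" -salt -a "$@" -pass "file:$passfile" -in "$plain" -out "$enc"
    openssl enc "-$cipher" -d -a "$@" -pass "file:$passfile" -in "$enc" -out "$enc.dec"
    sha256_of "$enc.dec"
}

# Change one base64 character inside the first ciphertext block (past the
# 16-byte "Salted__" + salt header) and try to decrypt. Prints the sha256 of
# whatever comes out, or DECRYPT_FAILED if OpenSSL rejected the data.
# With CBC only the padding of the last block is checked, so damage to an
# early block usually decrypts "successfully" into garbage.
tamper_and_decrypt() {
    cipher="$1"; passfile="$2"; enc="$3"; shift 3
    first=$(head -n 1 "$enc")
    old=$(printf '%s' "$first" | cut -c30)
    if [ "$old" = "A" ]; then new=B; else new=A; fi
    {
        printf '%s%s%s\n' "$(printf '%s' "$first" | cut -c1-29)" "$new" \
                          "$(printf '%s' "$first" | cut -c31-)"
        tail -n +2 "$enc"
    } > "$enc.bad"
    if openssl enc "-$cipher" -d -a "$@" -pass "file:$passfile" \
            -in "$enc.bad" -out "$enc.bad.dec" 2>/dev/null; then
        sha256_of "$enc.bad.dec"
    else
        echo DECRYPT_FAILED
    fi
}

# Runs the whole demo in a temporary directory; prints "ok" when every check holds.
demo() {
    w=$(mktemp -d)
    # constructed plaintext of 171 bytes, i.e. about 11 AES blocks
    awk 'BEGIN { for (i = 1; i <= 60; i++) print i }' > "$w/testssl.txt"
    (umask 077; printf 'demo-passphrase\n' > "$w/pass")   # constructed passphrase, mode 0600
    want=$(sha256_of "$w/testssl.txt")

    # the page's choice
    legacy=$(roundtrip des3 "$w/testssl.txt" "$w/pass" "$w/des3.enc")
    # stronger cipher and a real password-based KDF
    modern=$(roundtrip aes-256-cbc "$w/testssl.txt" "$w/pass" "$w/aes.enc" -pbkdf2 -iter 200000)
    [ "$legacy" = "$want" ] && [ "$modern" = "$want" ] || {
        rm -rf "$w"; echo "roundtrip mismatch"; return 1; }

    bad=$(tamper_and_decrypt aes-256-cbc "$w/pass" "$w/aes.enc" -pbkdf2 -iter 200000)
    rm -rf "$w"
    [ "$bad" != "$want" ] || { echo "tampering went unnoticed"; return 1; }
    echo ok
}
```

Run `demo` after sourcing the script. The tampering check is the point of the example: because enc only checks padding, always compare a digest (or use an authenticated construction) after decrypting, rather than trusting a zero exit status.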
# Setting up a private CA with openssl
# 1. Generate a key pair first
# 2. Generate a self-signed certificate
[root@localhost ~]# cd /etc/pki/CA
[root@localhost CA]# openssl genrsa -out private/cakey.pem 2048
Generating RSA private key, 2048 bit long modulus
......................................................................................................................+++
..+++
e is 65537 (0x10001)
[root@localhost CA]# ls -l private/
total 8
-rw-r--r-- 1 root root 1675 Apr 15 19:55 cakey.pem
[root@localhost CA]# chmod 600 private/cakey.pem
[root@localhost CA]# ls -l private/
total 8
-rw------- 1 root root 1675 Apr 15 19:55 cakey.pem
[root@localhost CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:CN
State or Province Name (full name) [Berkshire]:JS
Locality Name (eg, city) [Newbury]:NJ
Organization Name (eg, company) [My Company Ltd]:bocs
Organizational Unit Name (eg, section) []:Tech
Common Name (eg, your name or your server's hostname) []:ca.bocs.com
Email Address []:ca@bocs.com
[root@localhost CA]# openssl x509 -text -in cacert.pem
[root@localhost CA]# mkdir certs newcerts crl
[root@localhost CA]# touch index.txt
[root@localhost CA]# touch serial
[root@localhost CA]# echo 01 > serial
# Suppose a web server now needs a certificate signed
[root@localhost ~]# mkdir /tmp/httpd
[root@localhost ~]# cd /tmp/httpd/
[root@localhost httpd]# mkdir ssl
[root@localhost httpd]# cd ssl
# Generate the private key
[root@localhost ssl]# (umask 077; openssl genrsa -out httpd.key 1024)
Generating RSA private key, 1024 bit long modulus
.................++++++
..........................................................++++++
e is 65537 (0x10001)
# Generate the certificate signing request (CSR)
[root@localhost ssl]# openssl req -new -key httpd.key -out httpd.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:CN
State or Province Name (full name) [Berkshire]:JS
Locality Name (eg, city) [Newbury]:NJ
Organization Name (eg, company) [My Company Ltd]:bocs
Organizational Unit Name (eg, section) []:Tech
Common Name (eg, your name or your server's hostname) []:www.bocs.com
Email Address []:www@bocs.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
# The CA signs the request. Before running the command, check /etc/pki/tls/openssl.cnf and confirm: dir = /etc/pki/CA
[root@localhost ssl]# openssl ca -in httpd.csr -out httpd.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Apr 15 12:23:06 2016 GMT
Not After : Apr 15 12:23:06 2017 GMT
Subject:
countryName = CN
stateOrProvinceName = JS
organizationName = bocs
organizationalUnitName = Tech
commonName = www.bocs.com
emailAddress = www@bocs.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
E9:FE:1D:40:A2:42:A5:C1:80:A2:CD:94:3F:B0:D4:AB:92:45:7D:30
X509v3 Authority Key Identifier:
keyid:B2:0B:0D:C7:11:34:EF:B7:E3:AF:F7:75:D6:82:73:12:FA:A0:55:62
Certificate is to be certified until Apr 15 12:23:06 2017 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@localhost ssl]#
# Check that the signing succeeded
[root@localhost CA]# cd /etc/pki/CA
[root@localhost CA]# cat index.txt
V 170415122306Z 01 unknown /C=CN/ST=JS/O=bocs/OU=Tech/CN=www.bocs.com/emailAddress=www@bocs.com
[root@localhost CA]# cat serial
02
[root@localhost CA]#
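The whole private-CA flow above (CA key, self-signed CA certificate, server key and CSR, signing with openssl ca, then the index.txt and serial check), replayed non-interactively in a throw-away directory with the same layout the page uses under /etc/pki/CA. This is an added example, not code from the original post; the directory, the DN values and the minimal openssl.cnf it writes are assumptions made for the demo. One detail it makes visible: the page's signed certificate has no L= field even though the CSR carried L=NJ, because the stock policy_match section has no localityName entry and openssl ca silently drops DN fields the policy does not list; the policy below lists it, so the field is kept.

```shell
#!/bin/sh
# Added example, not code from the original post. Non-interactive replay of the
# private-CA steps in a temporary directory with the page's layout
# (private/cakey.pem, cacert.pem, certs/, newcerts/, crl/, index.txt, serial).
# Directory, DN values and the minimal config are assumptions for this demo.
set -eu

# Smallest openssl.cnf that lets `openssl ca` find the CA files; this stands in
# for the "dir = /etc/pki/CA" check the page mentions.
write_ca_config() {
    ca_dir="$1"
    cat > "$ca_dir/openssl.cnf" <<EOF
[ ca ]
default_ca      = CA_default

[ CA_default ]
dir             = $ca_dir
database        = $ca_dir/index.txt
new_certs_dir   = $ca_dir/newcerts
certificate     = $ca_dir/cacert.pem
private_key     = $ca_dir/private/cakey.pem
serial          = $ca_dir/serial
default_days    = 365
default_md      = sha256
policy          = policy_any
x509_extensions = usr_cert
unique_subject  = no

[ policy_any ]
countryName            = optional
stateOrProvinceName    = optional
localityName           = optional
organizationName       = optional
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional

[ usr_cert ]
basicConstraints       = CA:FALSE
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid

[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca

[ req_dn ]
commonName = Common Name

[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
}

# Steps 1 and 2 from the page: CA key pair, then self-signed CA certificate.
setup_private_ca() {
    ca_dir="$1"
    mkdir -p "$ca_dir/private" "$ca_dir/certs" "$ca_dir/newcerts" "$ca_dir/crl"
    : > "$ca_dir/index.txt"     # empty certificate database
    echo 01 > "$ca_dir/serial"  # first serial number, as on the page
    write_ca_config "$ca_dir"
    # umask 077 gives the key mode 0600 from the start instead of a chmod afterwards
    (umask 077; openssl genrsa -out "$ca_dir/private/cakey.pem" 2048 2>/dev/null)
    # -subj supplies the DN that the page typed into the prompts
    openssl req -new -x509 -config "$ca_dir/openssl.cnf" -days 3650 \
        -key "$ca_dir/private/cakey.pem" -out "$ca_dir/cacert.pem" \
        -subj "/C=CN/ST=JS/L=NJ/O=bocs/OU=Tech/CN=ca.bocs.com/emailAddress=ca@bocs.com"
}

# Server side: key and CSR in $2; CA side: sign it with the CA in $1.
issue_server_cert() {
    ca_dir="$1"; ssl_dir="$2"
    mkdir -p "$ssl_dir"
    (umask 077; openssl genrsa -out "$ssl_dir/httpd.key" 2048 2>/dev/null)
    openssl req -new -config "$ca_dir/openssl.cnf" -key "$ssl_dir/httpd.key" \
        -out "$ssl_dir/httpd.csr" \
        -subj "/C=CN/ST=JS/L=NJ/O=bocs/OU=Tech/CN=www.bocs.com/emailAddress=www@bocs.com"
    # -batch answers the "Sign the certificate?" and "commit?" prompts with yes
    openssl ca -batch -config "$ca_dir/openssl.cnf" -days 365 \
        -in "$ssl_dir/httpd.csr" -out "$ssl_dir/httpd.crt"
}

# The page's manual checks plus a chain check: prints "ok" when the new cert
# verifies against cacert.pem, index.txt has a "V" (valid) entry and serial is 02.
verify_issuance() {
    ca_dir="$1"; ssl_dir="$2"
    openssl verify -CAfile "$ca_dir/cacert.pem" "$ssl_dir/httpd.crt" >/dev/null
    grep -q '^V' "$ca_dir/index.txt"
    [ "$(cat "$ca_dir/serial")" = "02" ]
    echo ok
}
```

Usage: d=$(mktemp -d); setup_private_ca "$d/CA"; issue_server_cert "$d/CA" "$d/httpd/ssl"; verify_issuance "$d/CA" "$d/httpd/ssl". The signed certificate also lands in newcerts/01.pem, named after the serial that was consumed, which is what the page's cat serial showing 02 reflects.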