openssl
組件:
libcrypto, libssl主要開發者使用;
openssl: 多用途命令行工具;
openssl:
從多子命令 分爲三類:
標準命令:
消息摘要命令(dgst子命令)
加密命令(enc子命令) 對稱加密:
工具:openssl enc
支持的算法:3des,aes,blowfish,towfish
加密命令
enc命令:
實例:
加密~]# openssl enc -e -des3 -a -salt -in fstab -out fstab.ciphertext
解密~]# openssl enc -d -des3 -a -salt -out fstab -in fstab.ciphertext 單向加密:
工具:openssl dgst, md5sum, sha1sum, sha224sum,....
dgst命令:
~]# openssl dgst -md5 fstab
MD5(fstab)= f24b68951add3236d19dff63f0c92206 生成用戶密碼:
工具: passwd, openssl passwd
~]#openssl passwd -1 -salt 隨機數(123456789)
實例:
[root@localhost ~]# openssl passwd -1 -salt $(openssl rand -hex 10)
Password:
$1$9727a8fa$Ir21xFr8gVZJFK1trPohf.
生成隨機數:
工具:openssl rand
實例:
[root@localhost ~]# openssl rand -hex 10
8a7f0ab5316d5c0f2aba
[root@localhost ~]# openssl rand -base64 10
G8mVfr06RCHmhQ== 公鑰加密:
加密解密:
算法:RSA, ELGamal
工具:openssl rsautl, gpg
數字簽名:
算法:RSA, DSA,ELGamal
密鑰交換:
算法:DH
生成密鑰:
生成私鑰: ~]# (umask 077; openssl genrsa -out /tmp/mykey.private 2048)
提出公鑰:~]# openssl rsa -in /tmp/mykey.private -pubout
linux系統上的隨機數生成器:
/dev/random:僅從熵池返回隨機數;隨機數用盡,阻塞;
/dev/urandom:從熵池返回隨機數;隨機數用盡,會利用軟件生成僞隨機數,非阻塞;
僞隨機數不安全;
熵池中隨機數的來源;
硬盤IO中斷時間間隔;
鍵盤IO中斷時間間隔; CA:
公共信任的CA,私用CA;
openssl 命令:
配置文件:~]# cat /etc/pki/tls/openssl.cnf
`**構建私有CA:`
在確定配置爲CA的服務上生成一個自簽證書,併爲CA提供所需要的目錄及文件即可;
步驟:
1.生成私鑰:
~]# (umask 077; openssl genrsa -out /etc/pki/CA/private/cakey.pem 4096)
2.生成自簽證書:
-new:生成新證書籤署請求;
-x509:生成自籤格式證書,專用於創建私有CA時;
-key:生成請求時用到的私有文件路徑;
-out:生成的請求文件路徑;如果自籤操作將直接生成簽署過的證書;
-days:證書的有效時長,單位是day;
~]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem -days 3655
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:guangdong
Locality Name (eg, city) [Default City]:shenzhen
Organization Name (eg, company) [Default Company Ltd]:itxuezhe
Organizational Unit Name (eg, section) []:ops
Common Name (eg, your name or your server's hostname) []:ca.itxuezhe.com
Email Address []:[email protected]
[root@localhost ~]# ls /etc/pki/CA/
caert.pem certs crl newcerts private
3.爲CA提供所需的目錄及文件;
~]# mkdir -pv /etc/pki/CA/{certs,crl,newcerts}
~]# touch /etc/pki/CA/{serial,index.txt}
~]# echo 01 > /etc/pki/CA/serial **
要用到證書進行通信的服務器,需要向CA請求籤署證書:
步驟:(以httpd主機爲例)
1.用到證書的主機生成證書籤署請求;
~]# mkdir /etc/httpd/ssl
~]# cd /etc/httpd/ssl
ssl]# (umask 077; openssl genrsa -out httpd.key 2048)
3.2.生成證書籤署請求
[root@localhost ssl]# openssl req -new -key httpd.key -out httpd.csr -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:guangdong
Locality Name (eg, city) [Default City]:shenzhen
Organization Name (eg, company) [Default Company Ltd]:itxuezhe
Organizational Unit Name (eg, section) []:ops
Common Name (eg, your name or your server's hostname) []:www.itxuezhe.com
Email Address []:[email protected]
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@localhost ssl]# ll
總用量 8
-rw-r--r--. 1 root root 1078 12月 10 11:24 httpd.csr
-rw-------. 1 root root 1679 12月 10 11:20 httpd.key
3.將請求通過可靠方式發送給CA主機;
ssl]# scp httpd.csr [email protected]:/tmp/
[email protected]'s password:
httpd.csr
4.在CA主機上籤署證書;
[root@localhost ~]# openssl ca -in /tmp/httpd.csr -out /etc/pki/CA/certs/httpd.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Dec 10 03:29:20 2019 GMT
Not After : Dec 9 03:29:20 2020 GMT
Subject:
countryName = CN
stateOrProvinceName = guangdong
organizationName = itxuezhe
organizationalUnitName = ops
commonName = www.itxuezhe.com
emailAddress = [email protected]
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
D9:B4:2D:FB:4C:5B:EC:8D:5E:90:9F:1B:C6:61:65:0C:FB:94:59:8C
X509v3 Authority Key Identifier:
keyid:44:C1:C1:A7:B5:5F:15:15:06:8B:3B:7C:15:CB:5E:B4:A6:19:FD:5E
Certificate is to be certified until Dec 9 03:29:20 2020 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
證書籤署成功
~]# cd /etc/pki/CA/
CA]# cat index.txt
V 201209032920Z 01 unknown/C=CN/ST=guangdong/O=itxuezhe/OU=www.itxuezhe.com/CN=www.itxuezhe.com/[email protected]
將簽署成功的證書發送給申請證書的主機
CA]# scp certs/httpd.crt [email protected]:/etc/httpd/ssl/
The authenticity of host '192.168.80.17 (192.168.80.17)' can't be established.
ECDSA key fingerprint is SHA256:iyMPO9k4t5oUNnOcDCOkJTLBLOSBKKPRuR9AugKmftM.
ECDSA key fingerprint is MD5:73:2e:7e:37:b4:48:b9:45:3e:96:f1:ec:6a:9a:59:fd.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.80.17' (ECDSA) to the list of known hosts.
[email protected]'s password:
httpd.crt
查看證書中的信息:
[root@localhost ssl]# openssl x509 -in httpd.crt -noout -serial -subject
serial=01
subject= /C=CN/ST=guangdong/O=itxuezhe/OU=www.itxuezhe.com/CN=www.itxuezhe.com/[email protected]
吊銷證書:
步驟:
1.客戶端獲取要吊銷的證書的serial (在使用證書的主機執行);
[root@localhost ssl]# openssl x509 -in /etc/pki/CA/certs/httpd.crt -noout -seral -subject
2.CA主機吊銷證書
先根據客戶端提交的serial和subject信息,對比其與本機數據庫index.txt中存儲的是否一致;
吊銷:
[root@localhost CA]# openssl ca -revoke /etc/pki/CA/newcerts/SERIAL.pem
[root@localhost CA]# openssl ca -revoke /etc/pki/CA/newcerts/01.pem
其中的SERIAL要換成證書真正的序列號;
3.生成吊銷證書的吊銷編號(第一次吊銷證書時執行)
CA]# echo 01 > /etc/pki/CA/crlnumber
4.更新證書吊銷列表
CA]# openssl ca -gencrl -out thisca.crl
查看crl文件:
]# openssl crl -in /PATH/FROM/CRL_FILE.crl -noout -text