openssl命令简介:
SSL是Secure Sockets Layer(安全套接层协议)的缩写,可以在Internet上提供秘密性传输。Netscape公司在推出第一个Web浏览器的同时,提出了SSL协议标准。其目标是保证两个应用间通信的保密性和可靠性,可在服务器端和用户端同时实现支持。已经成为Internet上保密通讯的工业标准。SSL能使用户/服务器应用之间的通信不被***者窃听,并且始终对服务器进行认证,还可选择对用户进行认证。SSL协议要求建立在可靠的传输层协议(TCP)之上。SSL协议的优势在于它是与应用层协议独立无关的,高层的应用层协议(例如:HTTP,FTP,TELNET等)能透明地建立于SSL协议之上。SSL协议在应用层协议通信之前就已经完成加密算法、通信密钥的协商及服务器认证工作。在此之后应用层协议所传送的数据都会被加密,从而保证通信的私密性。
1.命令格式:
OpenSSL [选项][文件]
2.命令功能:
OpenSSL是一个安全套接字层密码库,囊括主要的密码算法、常用的密钥和证书封装管理功能及SSL协议,并提供丰富的应用程序供测试或其它目的使用。
OpenSSL被曝出现严重安全漏洞后,发现多数通过SSL协议加密的网站使用名为OpenSSL的开源软件包。OpenSSL漏洞不仅影响以https开头的网站,***还可利用此漏洞直接对个人电脑发起“心脏出血”(Heartbleed)***。据分析,Windows上有大量软件使用了存在漏洞的OpenSSL代码库,可能被******抓取用户电脑上的内存数据。
3.命令参数:
Standard commands
asn1parse ca cipherscrl crl2pkcs7 dgst dh dhparamdsa dsaparam
enc engine errstr gendh gendsa genrsa nseq ocsp passwd pkcs12 pkcs7 pkcs8 prime rand req rsa rsautl s_client s_server s_time sess_id smime speed spkac verify version x509 Message Digest commands (see the `dgst' command for more details)md2 md4 md5 rmd160 sha sha1 Cipher commands (see the `enc' command for more details)aes-128-cbc aes-128-ecb aes-192-cbc aes-192-ecb aes-256-cbc aes-256-ecb base64 bf bf-cbc bf-cfb bf-ecb bf-ofb cast cast-cbc cast5-cbc cast5-cfb cast5-ecb cast5-ofb des des-cbcdes-cfb des-ecb des-ede des-ede-cbc des-ede-cfb des-ede-ofb des-ede3 des-ede3-cbc des-ede3-cfb des-ede3-ofb des-ofb des3 desx rc2 rc2-40-cbcrc2-64-cbc rc2-cbc rc2-cfb rc2-ecb rc2-ofb
4.使用实例:
实例1.使用openssl enc 加密文件
[root@jacktest ~]# ls
anaconda-ks.cfg Desktop grub.conf inittab install.log install.log.syslog[root@jacktest ~]# openssl enc -des3 -salt -a -in inittab -out inittab.des3enter des-ede3-cbc encryption password:Verifying - enter des-ede3-cbc encryption password:[root@jacktest ~]# lsanaconda-ks.cfg Desktop grub.conf inittab inittab.des3 install.log install.log.syslog[root@jacktest ~]# mv inittab inittab.bk
[root@jacktest ~]# cat inittab.des3
U2FsdGVkX19G5XhZb/jjhqwbvAaPBz2sgpsqfl6PlkqPR/0SO13ejnBHqTJYewiQ7FnG4an4QQZY4kaVwhs858Y4ic6KL1seXsvwtIW+BqL+woiVJH0fRFRFLzv6a5na... (省略35行)[root@jacktest ~]# openssl enc -des3 -d -salt -a -in inittab.des3 -out inittabenter des-ede3-cbc decryption password:[root@jacktest ~]# lsanaconda-ks.cfg Desktop grub.conf inittab inittab.bk inittab.des3 install.log install.log.syslog实例2.使用md5sum及openssl dgst -md5加密文件
[root@jacktest ~]# md5sum init
md5sum: init: No such file or directory[root@jacktest ~]# md5sum inittab #提取特征码92a39a223f68e67e9e6c412443851aeb inittab[root@jacktest ~]# shasha1hmac sha224sum sha256sum sha384sum sha512sum sha1sum sha256hmac sha384hmac sha512hmac [root@jacktest ~]# sha1sum inittab #同一文件的相同算法的特征码一样 78ef239097844c223671e99a79d6b533dced8d3b inittab[root@jacktest ~]# openssl dgst -sha1 inittabSHA1(inittab)= 78ef239097844c223671e99a79d6b533dced8d3b[root@jacktest ~]# openssl dgst -md5 inittabMD5(inittab)= 92a39a223f68e67e9e6c412443851aeb[root@jacktest ~]#实例3.使用openssl passwd生成有杂质的密码
[root@jacktest ~]# openssl passwd -1
Password: Verifying - Password: $1$H9SmHH0L$me6ujflYKSj6/XsM9I0XQ/[root@jacktest ~]# openssl passwd -1 #两次指定salt随机生成不一样 Password: Verifying - Password: $1$kY5RDrYX$MEU5eW3HHVXcDlfhUmrJ/1 [root@jacktest ~]# openssl passwd -1 -salt kY5RDrYX #指定salt生成的密码一样Password: $1$kY5RDrYX$MEU5eW3HHVXcDlfhUmrJ/1[root@jacktest ~]#实例4.使用openssl rand生成随机密码
[root@jacktest ~]# openssl rand -base64 12 #生成12位的随机数
7nYC9UjBQYR6FFaD[root@jacktest ~]# openssl rand -base64 12VgxBw3ZJUUxlZF0F[root@jacktest ~]# openssl rand -base64 1620noIYaMsnO7mSPypsUHjQ==[root@jacktest ~]#实例5.使用openssl genrsa生成指定长的对称密钥
[root@jacktest ~]# ( umask 077; openssl genrsa -out server512.key 512 )
Generating RSA private key, 512 bit long modulus.........++++++++++++......................++++++++++++e is 65537 (0x10001)[root@jacktest ~]# ll server5*
-rw------- 1 root root 493 Dec 10 13:45 server512.key[root@jacktest ~]# openssl rsa -in server512.key -pubout
writing RSA key-----BEGIN PUBLIC KEY-----MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAMMjJyeTc0nIoHIrJqzC//CQ4Ca32TCn8TQdC4VrnmhMv8o1I70UlY3pghalb+21APl3gNA6AKFtAN3BdtpcAt8CAwEAAQ==-----END PUBLIC KEY-----[root@jacktest ~]# cat server512.key -----BEGIN RSA PRIVATE KEY-----MIIBOgIBAAJBAMMjJyeTc0nIoHIrJqzC//CQ4Ca32TCn8TQdC4VrnmhMv8o1I70UlY3pghalb+21APl3gNA6AKFtAN3BdtpcAt8CAwEAAQJABSm68XsfQ8aBKEQoA84tA2px49RddMIcyaozEdalHFFPrd6X85HuPvDiOd5urA296WYbfOZnPNVtCPOGyQIdgQIhAPBxohtu6yOnYw7uLYFo3prMSjhqdcG58lB/LQbmN5rhAiEAz8MgfmO77THypFt0A2lQ8RSqpF+U+2ZZDCSfsk+LFb8CIG7E6tmYj9stEgWe1Hf5yBOoacjzwqws7eUHscar6JIBAiEAtGNRJSvnES0a5cVZ11RrqMYu2wT6T8Uvb7GkzqbttfUCIDCvOvZmqJOxcrRVg+5EXdKn2VMCoj2pE/UMqoufNUO9-----END RSA PRIVATE KEY-----[root@jacktest ~]#实例6.生成自签署证书
[root@jacktest ~]# openssl req -new -x509 -key server512.key -out server.crt -days 365
You are about to be asked to enter information that will be incorporatedinto your certificate request.What you are about to enter is what is called a Distinguished Name or a DN.There are quite a few fields but you can leave some blankFor some fields there will be a default value,If you enter '.', the field will be left blank.-----Country Name (2 letter code) [GB]:CN State or Province Name (full name) [Berkshire]:Jiangsu Locality Name (eg, city) [Newbury]:KunshanOrganization Name (eg, company) [My Company Ltd]:Fox Organizational Unit Name (eg, section) []:TechCommon Name (eg, your name or your server's hostname) []:ca.jacktest.comEmail Address []:caadmin@jacktest.com[root@jacktest ~]# ll server.crt -rw-r--r-- 1 root root 1115 Dec 10 13:54 server.crt #自签署证书 [root@jacktest ~]# cat server.crt -----BEGIN CERTIFICATE-----MIIDCzCCArWgAwIBAgIJAIwFOSD6/zYRMA0GCSqGSIb3DQEBBQUAMIGNMQswCQYDVQQGEwJDTjEQMA4GA1UECBMHSmlhbmdzdTEQMA4GA1UEBxMHS3Vuc2hhbjEMMAoG...-----END CERTIFICATE-----[root@jacktest ~]# openssl x509 -text -in server.crt Certificate: Data: Version: 3 (0x2) #证书版本号 Serial Number: #证书序列号 8c:05:39:20:fa:ff:36:11 Signature Algorithm: sha1WithRSAEncryption #证书颁发机构信息 Issuer: C=CN, ST=Jiangsu, L=Kunshan, O=Fox, OU=Tech, CN=ca.jacktest.com/emailAddress=caadmin@jacktest.com Validity #证书有效期 Not Before: Dec 10 05:54:21 2016 GMT Not After : Dec 10 05:54:21 2017 GMT Subject: C=CN, ST=Jiangsu, L=Kunshan, O=Fox, OU=Tech, CN=ca.jacktest.com/emailAddress=caadmin@jacktest.com Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public Key: (512 bit) Modulus (512 bit): 00:c3:23:27:27:93:73:49:c8:a0:72:2b:26:ac:c2: ff:f0:90:e0:26:b7:d9:30:a7:f1:34:1d:0b:85:6b: 9e:68:4c:bf:ca:35:23:bd:14:95:8d:e9:82:16:a5: 6f:ed:b5:00:f9:77:80:d0:3a:00:a1:6d:00:dd:c1: 76:da:5c:02:df Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Subject Key Identifier: 6B:7E:CC:25:99:50:72:FB:AC:DF:9D:3E:05:4B:DF:0A:F8:EA:D2:E6 X509v3 Authority Key Identifier: keyid:6B:7E:CC:25:99:50:72:FB:AC:DF:9D:3E:05:4B:DF:0A:F8:EA:D2:E6 DirName:/C=CN/ST=Jiangsu/L=Kunshan/O=Fox/OU=Tech/CN=ca.jacktest.com/emailAddress=caadmin@jacktest.com serial:8C:05:39:20:FA:FF:36:11 X509v3 Basic Constraints: CA:TRUE Signature Algorithm: sha1WithRSAEncryption #签名信息 58:ab:e1:5f:5a:e3:d4:d1:cc:c3:60:f2:2d:74:58:3b:a0:e4: 86:5d:5a:be:28:53:bf:ad:2a:69:44:ce:75:c7:23:7a:c2:9e: 55:4b:96:3e:9a:04:1c:64:f9:c2:bc:a7:99:3c:96:fc:69:9d: 5a:fc:92:71:60:33:ca:d4:47:00-----BEGIN CERTIFICATE-----MIIDCzCCArWgAwIBAgIJAIwFOSD6/zYRMA0GCSqGSIb3DQEBBQUAMIGNMQswCQYDVQQGEwJDTjEQMA4GA1UECBMHSmlhbmdzdTEQMA4GA1UEBxMHS3Vuc2hhbjEMMAoG...-----END CERTIFICATE-----[root@jacktest ~]#实例7.在本机创建自签署证书服务器
[root@jacktest ~]# vi /etc/pki/tls/openssl.cnf #红色为已修改默认值
dir = /etc/pki/CA # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are keptdatabase = $dir/index.txt # database index file.default_days = 3657 # how long to certify for
countryName_default = CNstateOrProvinceName_default = Jiangsu0.organizationName_default = FoxorganizationalUnitName_default = Tech[root@jacktest ~]# openssl version
OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008[root@test ~]# cd /etc/pki/CA/
[root@test CA]# lsprivate[root@test CA]# (umask 077; openssl genrsa -out private/cakey.pem 2048)Generating RSA private key, 2048 bit long modulus..+++...............................+++e is 65537 (0x10001)[root@test CA]# ll private/total 4-rw------- 1 root root 1679 Dec 10 14:48 cakey.pem[root@test CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pemYou are about to be asked to enter information that will be incorporatedinto your certificate request.What you are about to enter is what is called a Distinguished Name or a DN.There are quite a few fields but you can leave some blankFor some fields there will be a default value,If you enter '.', the field will be left blank.-----Country Name (2 letter code) [CN]:State or Province Name (full name) [Jiangsu]:Locality Name (eg, city) [Kunshan]:Organization Name (eg, company) [Fox]:Organizational Unit Name (eg, section) [Tech]:Common Name (eg, your name or your server's hostname) []:ca.jacktest.comEmail Address []:caadmin@jacktest.com[root@test CA]# touch index.txt[root@test CA]# echo 01 > serial[root@test CA]# lscacert.pem certs crl index.txt newcerts private serial在HTTP里新建一个SSL:
[root@test httpd]# mkdir ssl [root@test httpd]# cd ssl [root@test ssl]# pwd /etc/httpd/ssl [root@test ssl]# (umask 077; openssl genrsa -out httpd.key 1024) Generating RSA private key, 1024 bit long modulus ..........................++++++ ...........++++++ e is 65537 (0x10001) [root@test ssl]# cat httpd.key -----BEGIN RSA PRIVATE KEY----- MIICXQIBAAKBgQDKxLVn2vx3xpl0pwFcfvgMCjfOVvhcNFCrQ0tG+XWtl9eXfohC Y9j+WiKC9cyMdUovyr9VmweUdXON3foFhIm7+VkSma7c5ixuQuGvh4HKSDrG6g9W U9gdpEa9BA1RyCoRWXo7fAb73/IAyqRoJAaqEXG2wnVzyUunCaieIgsmEwIDAQAB AoGBAMc/Wn7OOg48kiiFvxm0DmxOUh4pae243pgcDUmV8iP9tDVCegS69syhp44G mNRgoOCrmy40o9MnQsBiIr/vSCM0usYwdkz9TcKHND1Ime+3gQCRfbbnFQetF5dh LMDvIYiQhvSY0qpikMhP/pJV0A/1JJabkV/k4N3U4GoZ+WjxAkEA8krkLa2gh02n H7Kc7MCyxfo1TWb/ZwwaN031i1COO9CU1YoqhUPaNxdP3gzZaZWMrYOlw1Yguv1I C5XB5i6rKQJBANY9ZC6JvzhsRLj+rStmTPMqV9ODsssGFJD6blYVuY0QMEZCnHSF alhza1/q4XiNEccmMYd023r4OrEaw1r6KtsCQGHdPBLzKX7dL57O/zFlmA/9QyBT dN/DdKdX9tDhpcGlOyiRWSFgybgs01amK/7Ip/zByud+V1QPz9TWFW6K9RkCQAff /9O6Gn5PdIM8UU88Fm4Fy26p86OE2LKvkei2KbjmtG+QuUGLOeqAa5z9/EW7IcEp RT7Oa9bsUvP5oN6yPWsCQQDTpEwskF2NIuPj5s1ke2Q+okmoGiWClLcGaYiCVzJm DgIwxIU/hTe3KQCXIY+PEAypp5yLbmSgqXBNO3d0/TuM -----END RSA PRIVATE KEY----- [root@test ssl]#[root@test ssl]# openssl req -new -key httpd.key -out httpd.csr
You are about to be asked to enter information that will be incorporatedinto your certificate request.What you are about to enter is what is called a Distinguished Name or a DN.There are quite a few fields but you can leave some blankFor some fields there will be a default value,If you enter '.', the field will be left blank.-----Country Name (2 letter code) [CN]:State or Province Name (full name) [Jiangsu]:Locality Name (eg, city) [Kunshan]:Organization Name (eg, company) [Fox]:Organizational Unit Name (eg, section) [Tech]:Common Name (eg, your name or your server's hostname) []:www.jacktest.comEmail Address []:wwwadmin@jacktest.comPlease enter the following 'extra' attributesto be sent with your certificate requestA challenge password []:: #密码可为空 An optional company name []:[root@test ssl]# lshttpd.csr httpd.key[root@test ssl]# openssl ca -in httpd.csr -out httpd.crt -days 365Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signatureSignature okCertificate Details: Serial Number: 1 (0x1) Validity Not Before: Dec 10 08:26:36 2016 GMT Not After : Dec 10 08:26:36 2017 GMT Subject: countryName = CN stateOrProvinceName = Jiangsu organizationName = Fox organizationalUnitName = Tech commonName = www.jacktest.com emailAddress = wwwadmin@jacktest.com X509v3 extensions: X509v3 Basic Constraints: CA:FALSE Netscape Comment: OpenSSL Generated Certificate X509v3 Subject Key Identifier: 78:00:55:EA:DC:3B:E1:07:32:05:C3:8E:A8:26:C6:4A:1B:32:8F:31 X509v3 Authority Key Identifier: keyid:F1:D0:03:45:E8:51:8E:AE:6C:87:CC:38:ED:9F:43:C2:D1:6E:46:42Certificate is to be certified until Dec 10 08:26:36 2017 GMT (365 days)Sign the certificate? [y/n]:y1 out of 1 certificate requests certified, commit? [y/n]yWrite out database with 1 new entriesData Base Updated[root@test ssl]# cd /etc/pki/CA/[root@test CA]# cat index.txtV 171210082636Z 01 unknown /C=CN/ST=Jiangsu/O=Fox/OU=Tech/CN=www.jacktest.com/emailAddress=wwwadmin@jacktest.com[root@test CA]# cat serial #下一个发证序号
02
实例7.快速生成测试用证书
[root@test tls]# ls
cert.pem certs misc openssl.cnf private[root@test tls]# cd certs/[root@test certs]# lsca-bundle.crt make-dummy-cert Makefile[root@test certs]# make httpd.pemumask 77 ; \ PEM1=`/bin/mktemp /tmp/openssl.XXXXXX` ; \ PEM2=`/bin/mktemp /tmp/openssl.XXXXXX` ; \ /usr/bin/openssl req -utf8 -newkey rsa:1024 -keyout $PEM1 -nodes -x509 -days 365 -out $PEM2 -set_serial 0 ; \ cat $PEM1 > httpd.pem ; \ echo "" >> httpd.pem ; \ cat $PEM2 >> httpd.pem ; \ rm -f $PEM1 $PEM2Generating a 1024 bit RSA private key..++++++......++++++writing new private key to '/tmp/openssl.F15890'Country Name (2 letter code) [CN]:State or Province Name (full name) [Jiangsu]:Locality Name (eg, city) [Kunshan]:Organization Name (eg, company) [Fox]:Organizational Unit Name (eg, section) [Tech]:Common Name (eg, your name or your server's hostname) []:www.jacktest.comEmail Address []:wwwadmin@jacktest.com[root@test certs]# lsca-bundle.crt httpd.pem make-dummy-cert Makefile[root@test certs]# vi Makefile #可参考此文件写相关命令---end---