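The OpenSSL suite
openssl
suite, open-source software, qemu
- libcrypto: general-purpose cryptography library
- libssl: implements TLS/SSL
- openssl: multi-purpose command-line tool
  - Standard commands: enc, dgst, genrsa, rsautl, req, ca, rsa, passwd
  - speed: performance benchmark tool
  - s_client: SSL/TLS client program
  - rand: generates pseudo-random numbers
# openssl rand -hex 4
80998add (hexadecimal)
It can generate keys, create digital certificates, and manually encrypt and decrypt data.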
Encryption and decryption functions and algorithms
Symmetric encryption
Data confidentiality (temporary session keys).
- Algorithms:
  - DES, 3DES, AES, Blowfish, Twofish, RC6, CAST5
- Tools:
  - gpg, openssl enc
# man enc
Encrypt:
# openssl enc -des3 -a -salt -in /path/to/input_file -out /path/to/cipher_file
Decrypt:
# openssl enc -d -des3 -a -salt -in /path/to/cipher_file -out /path/to/clear_file
One-way encryption (hashing)
- Properties:
  - One-way
  - Collision-free
- Algorithms:
  - md5: 128 bits
  - sha1: 160 bits
  - sha512: 512 bits
- Tools:
  - sha1sum, md5sum, cksum, openssl dgst
# man dgst
# openssl dgst [-md5|-md4|-md2|-sha1|-sha|-mdc2|-ripemd160|-dss1] [-out filename] /path/to/somefile
User authentication
- Tools:
  - passwd, openssl passwd
# man sslpasswd
# openssl passwd -1
Password: google
Verifying - Password: google
$1$B9BSTeCN$8pBPETa/iDOSuLw8hqEtV0
# openssl passwd -1 -salt B9BSTeCN
Password: google
$1$B9BSTeCN$8pBPETa/iDOSuLw8hqEtV0
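With the same salt, the same algorithm produces the same result.
Public-key encryption
Encrypt with the public key, decrypt with the private key (the two keys form a pair). It is not used to encrypt bulk data (too slow); it is commonly used for authentication and key exchange.
Key exchange (the peer's public key), data encryption (the peer's public key), authentication (your own private key, used to encrypt the data's digest).
- Public key: pkey
- Private key: skey
- Algorithms:
  - RSA, ElGamal
- Tools:
  - pgp, openssl rsautl
Digital signatures
Encrypt with the private key, decrypt with the public key.
- Algorithms: RSA, ElGamal, DSA (signing only)
  - DSA: Digital Signature Algorithm
  - DSS: Digital Signature Standard
Key exchange
- Algorithms: DH, public-key encryption
  - Diffie-Hellman (modular arithmetic)
Digital certificates
- Certificate formats: x509, pkcs
- X509 format:
  - the public key and its validity period;
  - the holder's legitimate identity information (hostname);
  - how the certificate may be used;
  - information about the CA;
  - the CA's digital signature;
- CA certificate: a self-signed certificate
Encryption workflow
- One-way encryption produces the data's digest, which is used to verify data integrity
- The sender encrypts the digest with its own private key to produce the digital signature (only the sender's public key decrypts it correctly)
- The data and the digital signature are encrypted symmetrically, and the symmetric password is encrypted with the recipient's public key (only the recipient's private key can decrypt it)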
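The three steps above, run with the openssl command line for a sender and a recipient. This is an added example, not part of the original notes: the party names (alice, bob), the file names and the choice of SHA-256, AES-256-CBC with PBKDF2 and RSA-2048 are assumptions, it uses openssl pkeyutl where the notes list rsautl, and it needs OpenSSL 1.1.1 or later.

```shell
# Added example, not from the original notes. Party names, file names and the
# algorithms (SHA-256, AES-256-CBC with PBKDF2, RSA-2048) are assumptions.

# Sender. Reads $1/msg.txt; $2 = sender private key, $3 = recipient public key.
seal() {
    openssl rand -hex 32 > "$1/pass" &&   # one-time symmetric password
    # Steps 1 and 2: hash the data and sign the digest with the sender's private key.
    openssl dgst -sha256 -sign "$2" -out "$1/msg.sig" "$1/msg.txt" &&
    # Step 3: encrypt the data and the signature symmetrically with that password ...
    for f in msg.txt msg.sig; do
        openssl enc -aes-256-cbc -pbkdf2 -salt -pass "file:$1/pass" \
            -in "$1/$f" -out "$1/$f.enc" || return 1
    done &&
    # ... and wrap the password with the recipient's public key.
    openssl pkeyutl -encrypt -pubin -inkey "$3" -in "$1/pass" -out "$1/pass.enc"
}

# Recipient. $2 = recipient private key, $3 = sender public key; writes $1/msg.txt.out.
unseal() {
    openssl pkeyutl -decrypt -inkey "$2" -in "$1/pass.enc" -out "$1/pass.out" &&
    for f in msg.txt msg.sig; do
        openssl enc -d -aes-256-cbc -pbkdf2 -pass "file:$1/pass.out" \
            -in "$1/$f.enc" -out "$1/$f.out" || return 1
    done &&
    # Recompute the digest and check the signature with the sender's public key.
    openssl dgst -sha256 -verify "$3" -signature "$1/msg.sig.out" "$1/msg.txt.out" >/dev/null
}

# Scratch directory with constructed key pairs for both parties and a sample message.
setup() {
    d=$(mktemp -d) || return 1
    for who in alice bob; do
        openssl genrsa -out "$d/$who.key" 2048 2>/dev/null &&
        openssl rsa -in "$d/$who.key" -pubout -out "$d/$who.pub" 2>/dev/null || return 1
    done
    printf 'constructed sample message\n' > "$d/msg.txt"
    echo "$d"
}

# Demo: alice seals for bob, bob opens and verifies that alice signed it.
d=$(setup) && seal "$d" "$d/alice.key" "$d/bob.pub" &&
    unseal "$d" "$d/bob.key" "$d/alice.pub" && cmp -s "$d/msg.txt" "$d/msg.txt.out" &&
    echo "decrypted and signature verified"
```

Only the three .enc files need to travel to the recipient; unseal returns non-zero when the signature does not match the claimed sender's public key.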
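Building your own CA
Implement a private CA with openssl; configuration file: /etc/pki/tls/openssl.cnf
Enter the working directory:
# cd /etc/pki/CA
Generate the key pair (the public key is extracted from the private key in a particular format):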
# (umask 077; openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus
...................+++
......+++
e is 65537 (0x10001)
To view the public key (not a required step):
# openssl rsa -in private/cakey.pem -pubout -text -noout
Generate the self-signed certificate:
# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3655
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Beijing
Locality Name (eg, city) [Default City]:Beijing
Organization Name (eg, company) [Default Company Ltd]:fastweb
Organizational Unit Name (eg, section) []:stream
Common Name (eg, your name or your server's hostname) []:www.sunchao.club
Email Address []:javavb@163.com
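Create the required files (mandatory):
# touch index.txt serial crlnumber
# echo 01 >> serial    (creates the serial number)
The CA has now issued its own self-signed certificate.
Requesting a certificate
On the host, generate a key and save it under the configuration directory of the service that will use the certificate: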
# mkdir -pv /etc/httpd/ssl
# cd /etc/httpd/ssl
# (umask 077; openssl genrsa -out httpd.key 1024)
Generating RSA private key, 1024 bit long modulus
.......................................................................++++++
.................................++++++
e is 65537 (0x10001)
Generate the certificate signing request (the values entered must be the same as the CA's above):
# openssl req -new -key httpd.key -out httpd.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Beijing
Locality Name (eg, city) [Default City]:Beijing
Organization Name (eg, company) [Default Company Ltd]:fastweb
Organizational Unit Name (eg, section) []:stream
Common Name (eg, your name or your server's hostname) []:www.sunchao.club
Email Address []:javavb@163.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Send the request file to the CA:
# scp httpd.csr localhost:/path
The CA signs the certificate:
# openssl ca -in httpd.csr -out httpd.crt -days 3655
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Jun 29 12:43:26 2017 GMT
Not After : Jul 2 12:43:26 2027 GMT
Subject:
countryName = CN
stateOrProvinceName = Beijing
organizationName = fastweb
organizationalUnitName = stream
commonName = www.sunchao.club
emailAddress = javavb@163.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
1F:EF:54:B6:87:80:0A:94:A3:99:CD:88:CD:F4:20:1A:4B:6C:96:D3
X509v3 Authority Key Identifier:
keyid:8D:DA:65:6A:A9:64:2C:8C:F8:BD:F2:56:27:90:0D:16:96:AA:94:54
Certificate is to be certified until Jul 2 12:43:26 2027 GMT (3655 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Send the certificate back to the requester:
# scp httpd.crt localhost:/path
Revoke the certificate (place it on the revocation list):
# openssl ca -revoke httpd.crt
Using configuration from /etc/pki/tls/openssl.cnf
Revoking Certificate 01.
Data Base Updated
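The whole procedure above (CA setup, request, signing, revocation) as an added example that is not part of the original notes: it runs non-interactively in a scratch directory, with a constructed minimal ca.cnf standing in for /etc/pki/tls/openssl.cnf, placeholder subject names, and OpenSSL 1.1.1 or later assumed. It goes one step beyond the notes by publishing a CRL and checking a certificate against it.

```shell
# Added example, not the notes' own commands: the CA procedure in a scratch
# directory. ca.cnf is a constructed minimal stand-in for
# /etc/pki/tls/openssl.cnf; all subject names are placeholders.
ca_init() (   # ca_init <dir>: CA key, self-signed cert, database files, empty CRL
    mkdir -p "$1/private" "$1/newcerts" && cd "$1" || exit 1
    cat > ca.cnf <<'EOF'
[ ca ]
default_ca = CA_default
[ CA_default ]
database = ./index.txt
serial = ./serial
crlnumber = ./crlnumber
new_certs_dir = ./newcerts
certificate = ./cacert.pem
private_key = ./private/cakey.pem
default_md = sha256
policy = policy_match
[ policy_match ]
countryName = match
organizationName = match
commonName = supplied
[ req ]
distinguished_name = req
x509_extensions = v3_ca
[ v3_ca ]
basicConstraints = critical,CA:TRUE
EOF
    (umask 077; openssl genrsa -out private/cakey.pem 2048 2>/dev/null) &&
    openssl req -new -x509 -config ca.cnf -key private/cakey.pem -out cacert.pem \
        -days 3655 -subj "/C=CN/O=ExampleOrg/CN=Example Root CA" &&
    touch index.txt && echo 01 > serial && echo 01 > crlnumber &&
    openssl ca -config ca.cnf -gencrl -crldays 30 -out ca.crl 2>/dev/null
)
issue() (     # issue <dir> <name> <subject>: host key and CSR, then the CA signs
    cd "$1" && (umask 077; openssl genrsa -out "$2.key" 2048 2>/dev/null) &&
    openssl req -new -config ca.cnf -key "$2.key" -out "$2.csr" -subj "$3" &&
    openssl ca -batch -config ca.cnf -in "$2.csr" -out "$2.crt" -days 365 2>/dev/null
)
revoke() (    # revoke <dir> <name>: flag the entry in index.txt, republish the CRL
    cd "$1" && openssl ca -config ca.cnf -revoke "$2.crt" 2>/dev/null &&
    openssl ca -config ca.cnf -gencrl -crldays 30 -out ca.crl 2>/dev/null
)
check() (     # check <dir> <name>: validate against the CA cert and current CRL
    cd "$1" && openssl verify -CAfile cacert.pem -crl_check -CRLfile ca.crl \
        "$2.crt" >/dev/null 2>&1
)
d=$(mktemp -d) && ca_init "$d" && issue "$d" httpd "/C=CN/O=ExampleOrg/CN=www.example.test" &&
    check "$d" httpd && revoke "$d" httpd && ! check "$d" httpd && echo "revocation enforced"
```

openssl ca -gencrl reads a number from crlnumber, which is why this example writes 01 into that file instead of leaving it empty. The policy_match section is what makes the CA refuse a request whose country or organization differs from its own.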
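OpenSSL supplementary notes
File extensions
- .key: private key
- .crt: certificate file; short for certificate
- .csr: certificate signing request (certificate request file), which contains the public key information; short for certificate signing request
- .crl: certificate revocation list; short for Certificate Revocation List
- .pem: the format used when exporting and importing certificates, with certificate header and footer lines
Certificate protocols
- x509v3: the IETF certificate standard
- x.500: the directory standard
- SCEP: Simple Certificate Enrollment Protocol; requests are made over HTTP, the data is wrapped in PKCS#7, and the data itself is in PKCS#10 format
- PKCS#7: a standard for encapsulating data; it can carry certificates and some request information
- PKCS#10: the data format for offline certificate requests; note that the packet carrying this data is wrapped in PKCS#7
- PKCS#12: used to exchange public and private objects in one single file, that is, the public key, private key and certificate are packaged together, encrypted and placed in a storage directory. Cisco keeps it in NVRAM, and the user can export it so that it can be restored if the certificate server goes down. Cisco uses .p12, Microsoft uses .pfx.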