Linux操作系统安全-OpenSSL工具常用命令介绍

            Linux操作系统安全-OpenSSL工具常用命令介绍

                                          作者:尹正杰

版权声明:原创作品,谢绝转载!否则将追究法律责任。

 

 

 

一.OpenSSL开源项目有三个组件

  openssl:
    多用途的命令行工具,包openssl   libcrypto:
    加密算法库,包openssl-libs   libssl:
    加密模块应用库,实现了ssl及tls,包nss
[root@node101.yinzhengjie.org.cn ~]# yum search openssl
Loaded plugins: fastestmirror
Repodata is over 2 weeks old. Install yum-cron? Or run: yum makecache fast
Determining fastest mirrors
 * base: mirrors.huaweicloud.com
 * extras: mirrors.tuna.tsinghua.edu.cn
 * updates: mirrors.huaweicloud.com
=========================================================================== N/S matched: openssl ===========================================================================
apr-util-openssl.x86_64 : APR utility library OpenSSL crytpo support
openssl-devel.i686 : Files for development of applications which will use OpenSSL
openssl-devel.x86_64 : Files for development of applications which will use OpenSSL
openssl-perl.x86_64 : Perl scripts provided with OpenSSL
openssl-static.i686 : Libraries for static linking of applications which will use OpenSSL
openssl-static.x86_64 : Libraries for static linking of applications which will use OpenSSL
perl-Crypt-OpenSSL-Bignum.x86_64 : Perl interface to OpenSSL for Bignum
perl-Crypt-OpenSSL-RSA.x86_64 : Perl interface to OpenSSL for RSA
perl-Crypt-OpenSSL-Random.x86_64 : Perl interface to OpenSSL for Random
pyOpenSSL.x86_64 : Python wrapper module around the OpenSSL library
pyOpenSSL-doc.noarch : Documentation for pyOpenSSL
xmlsec1-openssl.i686 : OpenSSL crypto plugin for XML Security Library
xmlsec1-openssl.x86_64 : OpenSSL crypto plugin for XML Security Library
xmlsec1-openssl-devel.i686 : OpenSSL crypto plugin for XML Security Library
xmlsec1-openssl-devel.x86_64 : OpenSSL crypto plugin for XML Security Library
m2crypto.x86_64 : Support for using OpenSSL in python scripts
nss_compat_ossl.i686 : Source-level compatibility library for OpenSSL to NSS porting
nss_compat_ossl.x86_64 : Source-level compatibility library for OpenSSL to NSS porting
openssl.x86_64 : Utilities from the general purpose cryptography library with TLS implementation
openssl-libs.i686 : A general purpose cryptography library with TLS implementation
openssl-libs.x86_64 : A general purpose cryptography library with TLS implementation
openssl098e.i686 : A compatibility version of a general cryptography and TLS library
openssl098e.x86_64 : A compatibility version of a general cryptography and TLS library
perl-Crypt-SSLeay.x86_64 : Crypt::SSLeay - OpenSSL glue that provides LWP https support
perl-Net-SSLeay.x86_64 : Perl extension for using OpenSSL
qca-ossl.i686 : OpenSSL plugin for the Qt Cryptographic Architecture v2
qca-ossl.x86_64 : OpenSSL plugin for the Qt Cryptographic Architecture v2

  Name and summary matches only, use "search all" for everything.
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# yum search openssl
[root@node101.yinzhengjie.org.cn ~]# yum info openssl-libs
Loaded plugins: fastestmirror
Repodata is over 2 weeks old. Install yum-cron? Or run: yum makecache fast
Loading mirror speeds from cached hostfile
 * base: mirrors.huaweicloud.com
 * extras: mirrors.tuna.tsinghua.edu.cn
 * updates: mirrors.huaweicloud.com
Installed Packages
Name        : openssl-libs
Arch        : x86_64
Epoch       : 1
Version     : 1.0.2k
Release     : 16.el7
Size        : 3.1 M
Repo        : installed
From repo   : anaconda
Summary     : A general purpose cryptography library with TLS implementation
URL         : http://www.openssl.org/
License     : OpenSSL
Description : OpenSSL is a toolkit for supporting cryptography. The openssl-libs
            : package contains the libraries that are used by various applications which
            : support cryptographic algorithms and protocols.

Available Packages
Name        : openssl-libs
Arch        : i686
Epoch       : 1
Version     : 1.0.2k
Release     : 16.el7_6.1
Size        : 994 k
Repo        : updates/7/x86_64
Summary     : A general purpose cryptography library with TLS implementation
URL         : http://www.openssl.org/
License     : OpenSSL
Description : OpenSSL is a toolkit for supporting cryptography. The openssl-libs
            : package contains the libraries that are used by various applications which
            : support cryptographic algorithms and protocols.

Name        : openssl-libs
Arch        : x86_64
Epoch       : 1
Version     : 1.0.2k
Release     : 16.el7_6.1
Size        : 1.2 M
Repo        : updates/7/x86_64
Summary     : A general purpose cryptography library with TLS implementation
URL         : http://www.openssl.org/
License     : OpenSSL
Description : OpenSSL is a toolkit for supporting cryptography. The openssl-libs
            : package contains the libraries that are used by various applications which
            : support cryptographic algorithms and protocols.

[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# yum info openssl-libs

 

二.openssl命令

1>.查看openssl软件包及默认版本号

[root@node101.yinzhengjie.org.cn ~]# which openssl 
/usr/bin/openssl
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# rpm -qf /usr/bin/openssl 
openssl-1.0.2k-16.el7.x86_64
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# openssl version            #程序版本号
OpenSSL 1.0.2k-fips  26 Jan 2017
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# openssl 
OpenSSL> ?
openssl:Error: '?' is an invalid command.

Standard commands
asn1parse         ca                ciphers           cms               
crl               crl2pkcs7         dgst              dh                
dhparam           dsa               dsaparam          ec                
ecparam           enc               engine            errstr            
gendh             gendsa            genpkey           genrsa            
nseq              ocsp              passwd            pkcs12            
pkcs7             pkcs8             pkey              pkeyparam         
pkeyutl           prime             rand              req               
rsa               rsautl            s_client          s_server          
s_time            sess_id           smime             speed             
spkac             ts                verify            version           
x509              

Message Digest commands (see the `dgst' command for more details)
md2               md4               md5               rmd160            
sha               sha1              

Cipher commands (see the `enc' command for more details)
aes-128-cbc       aes-128-ecb       aes-192-cbc       aes-192-ecb       
aes-256-cbc       aes-256-ecb       base64            bf                
bf-cbc            bf-cfb            bf-ecb            bf-ofb            
camellia-128-cbc  camellia-128-ecb  camellia-192-cbc  camellia-192-ecb  
camellia-256-cbc  camellia-256-ecb  cast              cast-cbc          
cast5-cbc         cast5-cfb         cast5-ecb         cast5-ofb         
des               des-cbc           des-cfb           des-ecb           
des-ede           des-ede-cbc       des-ede-cfb       des-ede-ofb       
des-ede3          des-ede3-cbc      des-ede3-cfb      des-ede3-ofb      
des-ofb           des3              desx              idea              
idea-cbc          idea-cfb          idea-ecb          idea-ofb          
rc2               rc2-40-cbc        rc2-64-cbc        rc2-cbc           
rc2-cfb           rc2-ecb           rc2-ofb           rc4               
rc4-40            rc5               rc5-cbc           rc5-cfb           
rc5-ecb           rc5-ofb           seed              seed-cbc          
seed-cfb          seed-ecb          seed-ofb          zlib              

OpenSSL> quit
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# openssl              #可以支持命令行交互式

2>.enc命令

对称加密:
  工具:
    openssl enc, gpg   算法:
    3des, aes, blowfish, twofish
[root@node101.yinzhengjie.org.cn ~]# man enc
ENC(1)                                                                          OpenSSL                                                                          ENC(1)

NAME
       enc - symmetric cipher routines

SYNOPSIS
       openssl enc -ciphername [-in filename] [-out filename] [-pass arg] [-e] [-d] [-a/-base64] [-A] [-k password] [-kfile filename] [-K key] [-iv IV] [-S salt]
       [-salt] [-nosalt] [-z] [-md] [-p] [-P] [-bufsize number] [-nopad] [-debug] [-none] [-engine id]

DESCRIPTION
       The symmetric cipher commands allow data to be encrypted or decrypted using various block and stream ciphers using keys based on passwords or explicitly
       provided. Base64 encoding or decoding can also be performed either by itself or in addition to the encryption or decryption.

OPTIONS
       -in filename
           the input filename, standard input by default.

       -out filename
           the output filename, standard output by default.

       -pass arg
           the password source. For more information about the format of arg see the PASS PHRASE ARGUMENTS section in openssl(1).

       -salt
           use a salt in the key derivation routines. This is the default.

       -nosalt
           don't use a salt in the key derivation routines. This option SHOULD NOT be used except for test purposes or compatibility with ancient versions of OpenSSL
           and SSLeay.

       -e  encrypt the input data: this is the default.

       -d  decrypt the input data.
      -a  base64 process the data. This means that if encryption is taking place the data is base64 encoded after encryption. If decryption is set then the input data
           is base64 decoded before being decrypted.

       -base64
           same as -a

       -A  if the -a option is set then base64 process the data on one line.

       -k password
           the password to derive the key from. This is for compatibility with previous versions of OpenSSL. Superseded by the -pass argument.

       -kfile filename
           read the password to derive the key from the first line of filename.  This is for compatibility with previous versions of OpenSSL. Superseded by the -pass
           argument.

       -nosalt
           do not use a salt

       -salt
           use salt (randomly generated or provide with -S option) when encrypting (this is the default).

       -S salt
           the actual salt to use: this must be represented as a string of hex digits.

       -K key
           the actual key to use: this must be represented as a string comprised only of hex digits. If only the key is specified, the IV must additionally specified
           using the -iv option. When both a key and a password are specified, the key given with the -K option will be used and the IV generated from the password
           will be taken. It probably does not make much sense to specify both key and password.

       -iv IV
           the actual IV to use: this must be represented as a string comprised only of hex digits. When only the key is specified using the -K option, the IV must
           explicitly be defined. When a password is being specified using one of the other options, the IV is generated from this password.

       -p  print out the key and IV used.

       -P  print out the key and IV used then immediately exit: don't do any encryption or decryption.

       -bufsize number
           set the buffer size for I/O

       -nopad
           disable standard block padding

       -debug
           debug the BIOs used for I/O.

       -z  Compress or decompress clear text using zlib before encryption or after decryption. This option exists only if OpenSSL with compiled with zlib or zlib-
           dynamic option.

       -none
           Use NULL cipher (no encryption or decryption of input).

NOTES
       The program can be called either as openssl ciphername or openssl enc -ciphername. But the first form doesn't work with engine-provided ciphers, because this
       form is processed before the configuration file is read and any ENGINEs loaded.

       Engines which provide entirely new encryption algorithms (such as ccgost engine which provides gost89 algorithm) should be configured in the configuration file.
       Engines, specified in the command line using -engine options can only be used for hadrware-assisted implementations of ciphers, which are supported by OpenSSL
       core or other engine, specified in the configuration file.

       When enc command lists supported ciphers, ciphers provided by engines, specified in the configuration files are listed too.

       A password will be prompted for to derive the key and IV if necessary.

       The -salt option should ALWAYS be used if the key is being derived from a password unless you want compatibility with previous versions of OpenSSL and SSLeay.

       Without the -salt option it is possible to perform efficient dictionary attacks on the password and to attack stream cipher encrypted data. The reason for this
       is that without the salt the same password always generates the same encryption key. When the salt is being used the first eight bytes of the encrypted data are
       reserved for the salt: it is generated at random when encrypting a file and read from the encrypted file when it is decrypted.

       Some of the ciphers do not have large keys and others have security implications if not used correctly. A beginner is advised to just use a strong block cipher
       in CBC mode such as bf or des3.

       All the block ciphers normally use PKCS#5 padding also known as standard block padding: this allows a rudimentary integrity or password check to be performed.
       However since the chance of random data passing the test is better than 1 in 256 it isn't a very good test.

       If padding is disabled then the input data must be a multiple of the cipher block length.

       All RC2 ciphers have the same key and effective key length.

       Blowfish and RC5 algorithms use a 128 bit key.

SUPPORTED CIPHERS
       Note that some of these ciphers can be disabled at compile time and some are available only if an appropriate engine is configured in the configuration file.
       The output of the enc command run with unsupported options (for example openssl enc -help) includes a list of ciphers, supported by your versesion of OpenSSL,
       including ones provided by configured engines.

       The enc program does not support authenticated encryption modes like CCM and GCM. The utility does not store or retrieve the authentication tag.

        base64             Base 64

        bf-cbc             Blowfish in CBC mode
        bf                 Alias for bf-cbc
        bf-cfb             Blowfish in CFB mode
        bf-ecb             Blowfish in ECB mode
        bf-ofb             Blowfish in OFB mode

        cast-cbc           CAST in CBC mode
        cast               Alias for cast-cbc
        cast5-cbc          CAST5 in CBC mode
        cast5-cfb          CAST5 in CFB mode
        cast5-ecb          CAST5 in ECB mode
     cast5-ofb          CAST5 in OFB mode

        des-cbc            DES in CBC mode
        des                Alias for des-cbc
        des-cfb            DES in CBC mode
        des-ofb            DES in OFB mode
        des-ecb            DES in ECB mode

        des-ede-cbc        Two key triple DES EDE in CBC mode
        des-ede            Two key triple DES EDE in ECB mode
        des-ede-cfb        Two key triple DES EDE in CFB mode
        des-ede-ofb        Two key triple DES EDE in OFB mode

        des-ede3-cbc       Three key triple DES EDE in CBC mode
        des-ede3           Three key triple DES EDE in ECB mode
        des3               Alias for des-ede3-cbc
        des-ede3-cfb       Three key triple DES EDE CFB mode
        des-ede3-ofb       Three key triple DES EDE in OFB mode

        desx               DESX algorithm.

        gost89             GOST 28147-89 in CFB mode (provided by ccgost engine)
        gost89-cnt        `GOST 28147-89 in CNT mode (provided by ccgost engine)

        idea-cbc           IDEA algorithm in CBC mode
        idea               same as idea-cbc
        idea-cfb           IDEA in CFB mode
        idea-ecb           IDEA in ECB mode
        idea-ofb           IDEA in OFB mode

        rc2-cbc            128 bit RC2 in CBC mode
        rc2                Alias for rc2-cbc
        rc2-cfb            128 bit RC2 in CFB mode
        rc2-ecb            128 bit RC2 in ECB mode
       rc2-ofb            128 bit RC2 in OFB mode
        rc2-64-cbc         64 bit RC2 in CBC mode
        rc2-40-cbc         40 bit RC2 in CBC mode

        rc4                128 bit RC4
        rc4-64             64 bit RC4
        rc4-40             40 bit RC4

        rc5-cbc            RC5 cipher in CBC mode
        rc5                Alias for rc5-cbc
        rc5-cfb            RC5 cipher in CFB mode
        rc5-ecb            RC5 cipher in ECB mode
        rc5-ofb            RC5 cipher in OFB mode

        aes-[128|192|256]-cbc  128/192/256 bit AES in CBC mode
        aes-[128|192|256]      Alias for aes-[128|192|256]-cbc
        aes-[128|192|256]-cfb  128/192/256 bit AES in 128 bit CFB mode
        aes-[128|192|256]-cfb1 128/192/256 bit AES in 1 bit CFB mode
        aes-[128|192|256]-cfb8 128/192/256 bit AES in 8 bit CFB mode
        aes-[128|192|256]-ecb  128/192/256 bit AES in ECB mode
        aes-[128|192|256]-ofb  128/192/256 bit AES in OFB mode

EXAMPLES
       Just base64 encode a binary file:

        openssl base64 -in file.bin -out file.b64

       Decode the same file

        openssl base64 -d -in file.b64 -out file.bin

       Encrypt a file using triple DES in CBC mode using a prompted password:

        openssl des3 -salt -in file.txt -out file.des3

       Decrypt a file using a supplied password:

        openssl des3 -d -salt -in file.des3 -out file.txt -k mypassword

       Encrypt a file then base64 encode it (so it can be sent via mail for example) using Blowfish in CBC mode:

        openssl bf -a -salt -in file.txt -out file.bf

       Base64 decode a file then decrypt it:

        openssl bf -d -salt -a -in file.bf -out file.txt

       Decrypt some data using a supplied 40 bit RC4 key:

        openssl rc4-40 -in file.rc4 -out file.txt -K 0102030405

BUGS
       The -A option when used with large files doesn't work properly.

       There should be an option to allow an iteration count to be included.

       The enc program only supports a fixed number of algorithms with certain parameters. So if, for example, you want to use RC2 with a 76 bit key or RC4 with an 84
       bit key you can't use this program.

1.0.2k                                                                         2017-01-26                                                                        ENC(1)
[root@node101.yinzhengjie.org.cn ~]# man enc                    #查看帮助信息
[root@node101.yinzhengjie.org.cn ~]# cp /etc/sysctl.conf  ./
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# ll
total 4
-rw-r--r-- 1 root root 735 Dec 21 09:48 sysctl.conf
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# openssl enc -e -des3 -in sysctl.conf -out my_sysctl.conf            #指定des3对称加密算法进行加密
enter des-ede3-cbc encryption password:
Verifying - enter des-ede3-cbc encryption password:
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# ll
total 8
-rw-r--r-- 1 root root 752 Dec 21 09:50 my_sysctl.conf
-rw-r--r-- 1 root root 735 Dec 21 09:48 sysctl.conf
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# openssl enc -d -des3 -in my_sysctl.conf -out my_sysctl.conf.bak        #指定des3对称加密算法进行解密
enter des-ede3-cbc decryption password:
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# ll
total 12
-rw-r--r-- 1 root root 752 Dec 21 09:50 my_sysctl.conf
-rw-r--r-- 1 root root 735 Dec 21 09:50 my_sysctl.conf.bak
-rw-r--r-- 1 root root 735 Dec 21 09:48 sysctl.conf
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# file my_sysctl.conf          #该文件已经被加密了,我们直接查看了,需要进行解密后才能查看
my_sysctl.conf: data
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# file my_sysctl.conf.bak 
my_sysctl.conf.bak: ASCII text
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# file sysctl.conf 
sysctl.conf: ASCII text
[root@node101.yinzhengjie.org.cn ~]# 

3>.dgst命令

单向加密:
  工具:
    md5sum, sha1sum, sha224sum,sha256sum,openssl dgst,...

MAC: 
  Message Authentication Code,单向加密的一种延伸应用,用于实现网络通信中保证所传输数据的完整性机制   CBC-MAC   HMAC:使用md5或sha1算法
[root@node101.yinzhengjie.org.cn ~]# man dgst 
DGST(1)                                                                         OpenSSL                                                                         DGST(1)

NAME
       dgst, sha, sha1, mdc2, ripemd160, sha224, sha256, sha384, sha512, md2, md4, md5, dss1 - message digests

SYNOPSIS
       openssl dgst [-sha|-sha1|-mdc2|-ripemd160|-sha224|-sha256|-sha384|-sha512|-md2|-md4|-md5|-dss1] [-c] [-d] [-hex] [-binary] [-r] [-non-fips-allow] [-out
       filename] [-sign filename] [-keyform arg] [-passin arg] [-verify filename] [-prverify filename] [-signature filename] [-hmac key] [-non-fips-allow]
       [-fips-fingerprint] [file...]

       openssl [digest] [...]

DESCRIPTION
       The digest functions output the message digest of a supplied file or files in hexadecimal.  The digest functions also generate and verify digital signatures
       using message digests.

OPTIONS
       -c  print out the digest in two digit groups separated by colons, only relevant if hex format output is used.

       -d  print out BIO debugging information.

       -hex
           digest is to be output as a hex dump. This is the default case for a "normal" digest as opposed to a digital signature.  See NOTES below for digital
           signatures using -hex.

       -binary
           output the digest or signature in binary form.

       -r  output the digest in the "coreutils" format used by programs like sha1sum.

       -non-fips-allow
           Allow use of non FIPS digest when in FIPS mode.  This has no effect when not in FIPS mode.

       -out filename
           filename to output to, or standard output by default.

       -sign filename
           digitally sign the digest using the private key in "filename".

       -keyform arg
           Specifies the key format to sign digest with. The DER, PEM, P12, and ENGINE formats are supported.

       -engine id
           Use engine id for operations (including private key storage).  This engine is not used as source for digest algorithms, unless it is also specified in the
           configuration file.

       -sigopt nm:v
           Pass options to the signature algorithm during sign or verify operations.  Names and values of these options are algorithm-specific.

       -passin arg
           the private key password source. For more information about the format of arg see the PASS PHRASE ARGUMENTS section in openssl(1).

       -verify filename
           verify the signature using the the public key in "filename".  The output is either "Verification OK" or "Verification Failure".

       -prverify filename
           verify the signature using the  the private key in "filename".

       -signature filename
           the actual signature to verify.

       -hmac key
           create a hashed MAC using "key".

       -mac alg
           create MAC (keyed Message Authentication Code). The most popular MAC algorithm is HMAC (hash-based MAC), but there are other MAC algorithms which are not
           based on hash, for instance gost-mac algorithm, supported by ccgost engine. MAC keys and other options should be set via -macopt parameter.
     -macopt nm:v
           Passes options to MAC algorithm, specified by -mac key.  Following options are supported by both by HMAC and gost-mac:

           key:string
                   Specifies MAC key as alphnumeric string (use if key contain printable characters only). String length must conform to any restrictions of the MAC
                   algorithm for example exactly 32 chars for gost-mac.

           hexkey:string
                   Specifies MAC key in hexadecimal form (two hex digits per byte).  Key length must conform to any restrictions of the MAC algorithm for example
                   exactly 32 chars for gost-mac.

       -rand file(s)
           a file or files containing random data used to seed the random number generator, or an EGD socket (see RAND_egd(3)).  Multiple files can be specified
           separated by a OS-dependent character.  The separator is ; for MS-Windows, , for OpenVMS, and : for all others.

       -non-fips-allow
           enable use of non-FIPS algorithms such as MD5 even in FIPS mode.

       -fips-fingerprint
           compute HMAC using a specific key for certain OpenSSL-FIPS operations.

       file...
           file or files to digest. If no files are specified then standard input is used.

EXAMPLES
       To create a hex-encoded message digest of a file:
        openssl dgst -md5 -hex file.txt

       To sign a file using SHA-256 with binary file output:
        openssl dgst -sha256 -sign privatekey.pem -out signature.sign file.txt

       To verify a signature:
        openssl dgst -sha256 -verify publickey.pem \
        -signature signature.sign \
        file.txt

NOTES
       The digest of choice for all new applications is SHA1. Other digests are however still widely used.

       When signing a file, dgst will automatically determine the algorithm (RSA, ECC, etc) to use for signing based on the private key's ASN.1 info.  When verifying
       signatures, it only handles the RSA, DSA, or ECDSA signature itself, not the related data to identify the signer and algorithm used in formats such as x.509,
       CMS, and S/MIME.

       A source of random numbers is required for certain signing algorithms, in particular ECDSA and DSA.

       The signing and verify options should only be used if a single file is being signed or verified.

       Hex signatures cannot be verified using openssl.  Instead, use "xxd -r" or similar program to transform the hex signature into a binary signature prior to
       verification.

1.0.2k                                                                         2017-01-26                                                                       DGST(1)
[root@node101.yinzhengjie.org.cn ~]# man dgst                    #查看帮助信息
[root@node101.yinzhengjie.org.cn ~]# cp /etc/fstab ./
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# ll
total 4
-rw-r--r-- 1 root root 541 Dec 21 09:54 fstab
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# openssl dgst -md5 fstab           #指定md5单项散列算法,可以很快得到的一个hash摘要值
MD5(fstab)= 964ddd7a410b74512ea8dfaa11ac5157
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# md5sum fstab 
964ddd7a410b74512ea8dfaa11ac5157  fstab
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# 

4>.生成用户密码

[root@node101.yinzhengjie.org.cn ~]# man sslpasswd
PASSWD(1)                                                                       OpenSSL                                                                       PASSWD(1)

NAME
       passwd - compute password hashes

SYNOPSIS
       openssl passwd [-crypt] [-1] [-apr1] [-salt string] [-in file] [-stdin] [-noverify] [-quiet] [-table] {password}

DESCRIPTION
       The passwd command computes the hash of a password typed at run-time or the hash of each password in a list.  The password list is taken from the named file for
       option -in file, from stdin for option -stdin, or from the command line, or from the terminal otherwise.  The Unix standard algorithm crypt and the MD5-based
       BSD password algorithm 1 and its Apache variant apr1 are available.

OPTIONS
       -crypt
           Use the crypt algorithm (default).

       -1  Use the MD5 based BSD password algorithm 1.

       -apr1
           Use the apr1 algorithm (Apache variant of the BSD algorithm).

       -salt string
           Use the specified salt.  When reading a password from the terminal, this implies -noverify.

       -in file
           Read passwords from file.

       -stdin
           Read passwords from stdin.

       -noverify
           Don't verify when reading a password from the terminal.


       -quiet
           Don't output warnings when passwords given at the command line are truncated.

       -table
           In the output list, prepend the cleartext password and a TAB character to each password hash.

EXAMPLES
       openssl passwd -crypt -salt xx password prints xxj31ZMTZzkVA.

       openssl passwd -1 -salt xxxxxxxx password prints $1$xxxxxxxx$UYCIxa628.9qXjpQCjM4a..

       openssl passwd -apr1 -salt xxxxxxxx password prints $apr1$xxxxxxxx$dxHfLAsjHkDRmG83UXe8K0.

1.0.2k                                                                         2017-01-26                                                                     PASSWD(1)
[root@node101.yinzhengjie.org.cn ~]# man sslpasswd
[root@node101.yinzhengjie.org.cn ~]# openssl passwd -1            #此处我输入的是"yinzhengjie"得到一个密码如下
Password: 
Verifying - Password: 
$1$IetQRS9t$hoCuehrhgRASJxU08nQBE.
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# openssl passwd -1            #此处我依旧输入的是"yinzhengjie"得到一个新的密码如下,我擦,是不是很神奇?输入相同的密码得到的结果却不一致!这是因为我们没有指定盐,默认是一个随机值
Password: 
Verifying - Password: 
$1$VsdAqm1E$2aQXCaV7SSu8gCl9YitHI.
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# openssl passwd -1 -salt "IetQRS9t"    #上面标记红色的就是指定的盐,我们使用指定的盐进行加密,发现使用相同的盐且密码一直时得到的结果是一致的
Password: 
$1$IetQRS9t$hoCuehrhgRASJxU08nQBE.
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# openssl passwd -1 -salt "VsdAqm1E"    #再次印证了使用相同的盐且密码相同的情况下,得到的结果是一致的。
Password: 
$1$VsdAqm1E$2aQXCaV7SSu8gCl9YitHI.
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# 

5>.生成随机数

语法:
  openssl rand -base64|-hex NUM     NUM:
      表示字节数,使用-hex,每个字符为十六进制,相当于4位二进制,出现的字符数为NUM*2
[root@node101.yinzhengjie.org.cn ~]# man sslrand



RAND(1)                                                                         OpenSSL                                                                         RAND(1)

NAME
       rand - generate pseudo-random bytes

SYNOPSIS
       openssl rand [-out file] [-rand file(s)] [-base64] [-hex] num

DESCRIPTION
       The rand command outputs num pseudo-random bytes after seeding the random number generator once.  As in other openssl command line tools, PRNG seeding uses the
       file $HOME/.rnd or .rnd in addition to the files given in the -rand option.  A new $HOME/.rnd or .rnd file will be written back if enough seeding was obtained
       from these sources.

OPTIONS
       -out file
           Write to file instead of standard output.

       -rand file(s)
           Use specified file or files or EGD socket (see RAND_egd(3)) for seeding the random number generator.  Multiple files can be specified separated by a OS-
           dependent character.  The separator is ; for MS-Windows, , for OpenVMS, and : for all others.

       -base64
           Perform base64 encoding on the output.

       -hex
           Show the output as a hex string.

SEE ALSO
       RAND_bytes(3)

1.0.2k                                                                         2017-01-26                                                                       RAND(1)
[root@node101.yinzhengjie.org.cn ~]# man sslrand
[root@node101.yinzhengjie.org.cn ~]# openssl rand  -hex 6
3c3f702525c1
[root@node101.yinzhengjie.org.cn ~]# openssl rand  -hex 6
5da7fe82a1d6
[root@node101.yinzhengjie.org.cn ~]# openssl rand  -hex 6
2064b6e40f46
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# openssl rand -base64 6
cno1an+B
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# openssl rand -base64 6
k1KMD3+N
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# openssl rand -base64 6
yCMifZfM
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# openssl rand  -hex 9
18c1541b7e4f63cb44
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# openssl rand -base64 9
WS7G4KPNu0Jt
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# 

6>. 生成密钥对儿

公钥加密:
  算法:
    RSA, ELGamal   工具:
    gpg, openssl rsautl(man rsautl)
数字签名:   算法:
    RSA, DSA, ELGamal   
密钥交换:   算法:
    dh   DSA:
    Digital Signature Algorithm   DSS:
    Digital Signature Standard   RSA:
[root@node101.yinzhengjie.org.cn ~]# man genrsa
GENRSA(1)                                                                       OpenSSL                                                                       GENRSA(1)

NAME
       genrsa - generate an RSA private key

SYNOPSIS
       openssl genrsa [-out filename] [-passout arg] [-aes128] [-aes192] [-aes256] [-camellia128] [-camellia192] [-camellia256] [-des] [-des3] [-idea] [-f4] [-3]
       [-rand file(s)] [-engine id] [numbits]

DESCRIPTION
       The genrsa command generates an RSA private key.

OPTIONS
       -out filename
           the output filename. If this argument is not specified then standard output is used.

       -passout arg
           the output file password source. For more information about the format of arg see the PASS PHRASE ARGUMENTS section in openssl(1).

       -aes128|-aes192|-aes256|-camellia128|-camellia192|-camellia256|-des|-des3|-idea
           These options encrypt the private key with specified cipher before outputting it. If none of these options is specified no encryption is used. If encryption
           is used a pass phrase is prompted for if it is not supplied via the -passout argument.

       -F4|-3
           the public exponent to use, either 65537 or 3. The default is 65537.

       -rand file(s)
           a file or files containing random data used to seed the random number generator, or an EGD socket (see RAND_egd(3)).  Multiple files can be specified
           separated by a OS-dependent character.  The separator is ; for MS-Windows, , for OpenVMS, and : for all others.

       -engine id
           specifying an engine (by its unique id string) will cause genrsa to attempt to obtain a functional reference to the specified engine, thus initialising it
           if needed. The engine will then be set as the default for all available algorithms.

       numbits
           the size of the private key to generate in bits. This must be the last option specified. The default is 512.

NOTES
       RSA private key generation essentially involves the generation of two prime numbers. When generating a private key various symbols will be output to indicate
       the progress of the generation. A . represents each number which has passed an initial sieve test, + means a number has passed a single round of the Miller-
       Rabin primality test. A newline means that the number has passed all the prime tests (the actual number depends on the key size).

       Because key generation is a random process the time taken to generate a key may vary somewhat.

BUGS
       A quirk of the prime generation algorithm is that it cannot generate small primes. Therefore the number of bits should not be less that 64. For typical private
       keys this will not matter because for security reasons they will be much larger (typically 1024 bits).

SEE ALSO
       gendsa(1)

1.0.2k                                                                         2017-01-26                                                                     GENRSA(1)
[root@node101.yinzhengjie.org.cn ~]# man genrsa
[root@node101.yinzhengjie.org.cn ~]# mkdir ssl && cd ssl
[root@node101.yinzhengjie.org.cn ~/ssl]# 
[root@node101.yinzhengjie.org.cn ~/ssl]# (umask 066;openssl genrsa -out test.key 1024)    
Generating RSA private key, 1024 bit long modulus
.................++++++
..........++++++
e is 65537 (0x10001)
[root@node101.yinzhengjie.org.cn ~/ssl]# 
[root@node101.yinzhengjie.org.cn ~/ssl]# ll
total 4
-rw------- 1 root root 887 Dec 21 10:22 test.key
[root@node101.yinzhengjie.org.cn ~/ssl]# 
[root@node101.yinzhengjie.org.cn ~/ssl]# 
[root@node101.yinzhengjie.org.cn ~/ssl]# (umask 066;openssl genrsa -out test2.key -des3 1024)
Generating RSA private key, 1024 bit long modulus
..............................................++++++
......++++++
e is 65537 (0x10001)
Enter pass phrase for test2.key:
Verifying - Enter pass phrase for test2.key:
[root@node101.yinzhengjie.org.cn ~/ssl]# 
[root@node101.yinzhengjie.org.cn ~/ssl]# ll
total 8
-rw------- 1 root root 963 Dec 21 10:23 test2.key
-rw------- 1 root root 887 Dec 21 10:22 test.key
[root@node101.yinzhengjie.org.cn ~/ssl]# 
[root@node101.yinzhengjie.org.cn ~/ssl]# cat test.key 
-----BEGIN RSA PRIVATE KEY-----
MIICXQIBAAKBgQC7n9G30qtd+8kr4Z4lFskT5aS+6/7DYr10k9TI+fgbWBpRbsnc
wPPQV+YVMn12KYtVoglgIAbDeRTfygS4q8NFqk9kYRKRlzcBIsVkem5I5P5BM9y0
2CaYZDohwOniTK5yc886EjBkvTCcglWo2oCcUdjN8+4ZoQaauoK6T0K72QIDAQAB
AoGAcpM9SWkf9wusJNzpazLH5huliGWrNPvWQBuKpJRpm6EoqTPjl6hI+6DBw44K
qZ7jFI8X9Jh6KOKHCcZfLbrOSm/KMjjVsb/3YCG174wyI+U7RCqWU/xH8FMhmOeG
LlSJIycwOnWq6CGDOsmWyhbepYX3+uoucIHU3qxUG1/p+FECQQDi6CXV0/bmBb6O
2odsgY047m5Q35tFR1ZrzhTJ1ZNfwaizFbfl0Mt4Fstm8Ie3dQAp3HjR+686NXNc
M6VN5QklAkEA065JDAj6PAzHhmnn0bCG/k8NUii9ksUuXT8WotdmgVzIUWHbiPtO
mws3v6nbZYBy0tSSX34/itpwQB5Agj5LpQJBAL7DoZuF2ttEFRMQ0i39NPeaLRC9
DVNPSG7WEVAmyQIGVIhLSBJkWcuajmL68X7hVMPc4Y7YZFcxvMzVdrJoTikCQQC6
jHHbpV3B5hFAp7yg001keQ5oRXcsDZHao2qzf9jaUIZJElCC29ZeVPiAdJThUt3e
Z2/HsF8XY4JhP0figDvxAkAcszHvpgCIV+831m8kv4XrXLL2yMqqALV8CzAXBtWX
X8gZ+pbI4yC+QfMg4Hj2h4HRPN/qRfs3zkeinsnhGZ0Y
-----END RSA PRIVATE KEY-----
[root@node101.yinzhengjie.org.cn ~/ssl]# 
[root@node101.yinzhengjie.org.cn ~/ssl]# cat test.key          #私钥未被加密
[root@node101.yinzhengjie.org.cn ~/ssl]# cat test2.key 
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,A10A88A3A65686C4

g2uwaR6TgLObrkEAz/VNGzWhmH4IHd3XHceYnP8M0ReMARjk/keiATkQ1MmBY++M
dP+f77+g/u3Oq8SbqqJNwBKHC+rZeWjcRI0nDJ7gcDtxxq0VsAno6aUeRxRt5xrV
HsjoohpVjty9K0/ioE7y69JcYaxhuGotvxmReKWoL8DKvo73EJh5ZP/wMNNBtl7w
8Xh4SD/QqsmJ8HLX/O0rmo2INT8ahvHrhBA4cnAvnjqjPpt8BJbhYZakDbG3pAg6
abd9o6X0Tr3jWI9YxV8KkXZTpIsmbL4lhWE2pdLafDDDCd+zoVTbrRbA9vm76A1+
Jl0mX1ndl5DwC/S6gs4pW2EQX99tmWad/xYMVpB1j3UdBRsi+1LG8oFS0ngStGxv
RjNl1zGPUhm226SnM5P2Urj2X7TiwRQbLirqI0iJlELhvK8AVAsG2UWPpy1B8y4p
2Gkvu9l4YDBP3iH5OsctzI14aU3NWTRhUUNwVZZbRo+YfjQ6bDx6/8ZUf9iNYGQW
vlbuXLl3/SzaDjhoigXke5JxH31cN4IbQMbhzCZP5uemYaFdcPRSKGt5hyIj/Uxj
moZHfyk21pCtiCV2KipK8hOjXXJmu1yvtrvmtbg7mKiE4wt2G7qTeVFSN/KwF6kf
TJnPonWgqliaO20bg3a0nNgmpkdb/qKmj1xt7HCDQt+xVM98JFVPfuFtcjhDi75L
5BQ+Qt0IXVh1QkSvaB4QdU4ZICozX5cJYWO1EPBvuqOr2BL8bFapAvsADZRaXP+b
wuUVHkUc7+vCzFyvNaorVKQFB0+TBJYib6ycjpCRxqY5AcqcY9HHWQ==
-----END RSA PRIVATE KEY-----
[root@node101.yinzhengjie.org.cn ~/ssl]# 
[root@node101.yinzhengjie.org.cn ~/ssl]# cat test2.key          #私钥已被des3加密
[root@node101.yinzhengjie.org.cn ~/ssl]# cat test2.key 
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,A10A88A3A65686C4

g2uwaR6TgLObrkEAz/VNGzWhmH4IHd3XHceYnP8M0ReMARjk/keiATkQ1MmBY++M
dP+f77+g/u3Oq8SbqqJNwBKHC+rZeWjcRI0nDJ7gcDtxxq0VsAno6aUeRxRt5xrV
HsjoohpVjty9K0/ioE7y69JcYaxhuGotvxmReKWoL8DKvo73EJh5ZP/wMNNBtl7w
8Xh4SD/QqsmJ8HLX/O0rmo2INT8ahvHrhBA4cnAvnjqjPpt8BJbhYZakDbG3pAg6
abd9o6X0Tr3jWI9YxV8KkXZTpIsmbL4lhWE2pdLafDDDCd+zoVTbrRbA9vm76A1+
Jl0mX1ndl5DwC/S6gs4pW2EQX99tmWad/xYMVpB1j3UdBRsi+1LG8oFS0ngStGxv
RjNl1zGPUhm226SnM5P2Urj2X7TiwRQbLirqI0iJlELhvK8AVAsG2UWPpy1B8y4p
2Gkvu9l4YDBP3iH5OsctzI14aU3NWTRhUUNwVZZbRo+YfjQ6bDx6/8ZUf9iNYGQW
vlbuXLl3/SzaDjhoigXke5JxH31cN4IbQMbhzCZP5uemYaFdcPRSKGt5hyIj/Uxj
moZHfyk21pCtiCV2KipK8hOjXXJmu1yvtrvmtbg7mKiE4wt2G7qTeVFSN/KwF6kf
TJnPonWgqliaO20bg3a0nNgmpkdb/qKmj1xt7HCDQt+xVM98JFVPfuFtcjhDi75L
5BQ+Qt0IXVh1QkSvaB4QdU4ZICozX5cJYWO1EPBvuqOr2BL8bFapAvsADZRaXP+b
wuUVHkUc7+vCzFyvNaorVKQFB0+TBJYib6ycjpCRxqY5AcqcY9HHWQ==
-----END RSA PRIVATE KEY-----
[root@node101.yinzhengjie.org.cn ~/ssl]# 
[root@node101.yinzhengjie.org.cn ~/ssl]# openssl rsa -in test2.key -out test2.bak.key 
Enter pass phrase for test2.key:
writing RSA key
[root@node101.yinzhengjie.org.cn ~/ssl]# 
[root@node101.yinzhengjie.org.cn ~/ssl]# ll
total 12
-rw-r--r-- 1 root root 887 Dec 21 10:28 test2.bak.key
-rw------- 1 root root 963 Dec 21 10:23 test2.key
-rw------- 1 root root 887 Dec 21 10:24 test.key
[root@node101.yinzhengjie.org.cn ~/ssl]# 
[root@node101.yinzhengjie.org.cn ~/ssl]# cat test2.bak.key 
-----BEGIN RSA PRIVATE KEY-----
MIICXQIBAAKBgQC0X5rHhleCbl3XxD8ygpOHtXCTADc8eJIvigc0pUqGFJGBAlHq
I/GMho1SvDYDKO7zxhztd6h807wQiRmmr9gCExJButPJENmZ4CJcbguVjVnySMxc
3Tm8JQiGerMsP654bh0+yYEwPnAqFHC8Ca9mxJLmtNokDSKP78e9LDYt8QIDAQAB
AoGAbIgiT/BL85WJLe1NwYzETKImLK2yjtZVz/kTwN+8adUygBfvRh1+mHnVy3So
Y1pb/Z61hUW8we99d82m+59PL1zZf/aQ1FBgfiyv8WXEnWsEs8J1PpvlDKfGr9X4
3KqEd8KnHHnrFI0sRXwk9AK3IFce3L7jCqpztlrG35R9eukCQQDpyhtBcW7KJtYW
pQHk3NOO0pLD6Lf/Re38e+SBuc2ijvpDpt+ZEAPl6hkkTVJDcczlTucNQE7O3vwN
V/Tsb3AvAkEAxYJj1bTOeP3zLtb+IfLyc64ciqJuzvIF4RC0o4y3uZ1rjYxpLhT5
CFFjDq+pjXSX3vwzFbebiKvU6rMFyHmb3wJBAJlGlz39t4wzkBMClc5NdSpjJjPp
JJDpcREizPq8LXSRVsT56Ai69kNLirZBN1jeiF4ir9sBOWnpyciZzQsiOKMCQC8n
zWw1ieJLR2dUf0JdvdMuq7PRykDwecTddzNhInBXjFk0P9x3t2lr/QmBmSqjvqrH
be7uclz0IZaTfXr6xeMCQQCoQ9cgHu8SPQIXXXNrwuwlHmHqs4dURNLa6jJycsLQ
xIYVn3x5vl1mywwalMFQRzu4PWwydDHFosfAUpOSMZ0z
-----END RSA PRIVATE KEY-----
[root@node101.yinzhengjie.org.cn ~/ssl]# 
[root@node101.yinzhengjie.org.cn ~/ssl]# 
[root@node101.yinzhengjie.org.cn ~/ssl]# openssl rsa -in test2.key -out test2.bak.key        #将加密的私钥进行解密 
[root@node101.yinzhengjie.org.cn ~/ssl]# 
[root@node101.yinzhengjie.org.cn ~/ssl]# cd /etc/pki/tls/certs/
[root@node101.yinzhengjie.org.cn /etc/pki/tls/certs]# 
[root@node101.yinzhengjie.org.cn /etc/pki/tls/certs]# ll
total 12
lrwxrwxrwx. 1 root root   49 Jul  8 16:23 ca-bundle.crt -> /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
lrwxrwxrwx. 1 root root   55 Jul  8 16:23 ca-bundle.trust.crt -> /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt
-rwxr-xr-x. 1 root root  610 Oct 31  2018 make-dummy-cert
-rw-r--r--. 1 root root 2516 Oct 31  2018 Makefile
-rwxr-xr-x. 1 root root  829 Oct 31  2018 renew-dummy-cert
[root@node101.yinzhengjie.org.cn /etc/pki/tls/certs]# 
[root@node101.yinzhengjie.org.cn /etc/pki/tls/certs]# make ~/ssl/test100.key      #进入到"/etc/pki/tls/certs"目录后使用make命令可以生成加密的私钥,主要是该目录有一个Makefile文件
umask 77 ; \
/usr/bin/openssl genrsa -aes128 2048 > /root/ssl/test100.key
Generating RSA private key, 2048 bit long modulus
.....................................................+++
...........................................................+++
e is 65537 (0x10001)
Enter pass phrase:
Verifying - Enter pass phrase:
[root@node101.yinzhengjie.org.cn /etc/pki/tls/certs]# 
[root@node101.yinzhengjie.org.cn /etc/pki/tls/certs]# ll ~/ssl/test100.key 
-rw------- 1 root root 1766 Dec 21 10:31 /root/ssl/test100.key
[root@node101.yinzhengjie.org.cn /etc/pki/tls/certs]# 
[root@node101.yinzhengjie.org.cn /etc/pki/tls/certs]# cat ~/ssl/test100.key 
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,72305F310C826FAD49FF9DF021894C36

zs69lfGhV8a/GF6h6EJTKoBvCKSHs0Dn3jubW0FNUrh0IFC/RSn+Yhu2TWPdMp/j
3wZUbNYj8RTJ43yIfsoWTuBgTU1zlL2e1aTR5YO8VpfPHBT4hh5xnq9QWCTRPzk2
+FS2kpj/Iod3qmnOA2L8D00QMAQrc2anJYAJV8mQaRNfFaTw4Ka8zttgI6DiO6Pk
WYlPaD6e4EJkfUZF6kTm0CrUlRK+RRPoz4RzzBj33tXGxOCV4d6n0n2X07RnbRuE
Vayigy0p1jnW2ovC/IXWp13zYNXA4nWMqtljuqRN8ovrFdxY8DGkkUgPvYGQtKPZ
EfaIBctvgQtDrmmeOtcGLARoqGzTESPC5mzlMtU9Hc+UJnQZ87r/SUDhfrjWWC2m
4hmPzGaNcNjlW3zEs9jATnHjeHcAwvu1jGrhgGgrno2xsQv3eJzILRV7BQP5myiS
wl6whWB4SW5D/U5BHouM82Y4QJ6SX3MI3rG1PQ8M3dtyg9Miou5cVSbIF8BXBW7n
cfVjI7/B1HVQ4NIO89Sv15+fr+PGf46o2Ig8axep287itInEBZjCsmgLN0x9cC6T
W0P8NwjIXdrBOtCnuLxrlhrU2s0c2XfH4+Pal65QUkOWizLK88Y1RkLLXmGDb09D
1LYVcz2A2uM75Yh4zrFLtvJla/An/Qu9jvKGbgL7plB1dSSz4ajyeyYCnnM13A31
jmi2CmwAxJwTEbUSzCFtcGVCL7kvd7ETtnKZLgwAgXuEy3mxHu0aNYN2blc5222w
j19MLYBmbN4rd/Remhk2Y9vsBtygSJRNVoOEVEcnz4u12vsPIUO6HgAVbAARRXOK
rqaZD8+2qZxZq/um3pSt1VNufg66NIcP5f4Uww+F6AqC5XqOvCvoPxbqcqAEbxP/
wigmsPiqagfnpv/rtKArY/sHcpLeSUOrNGd6bDt7rVDY7zZdjgMmLbhxoaNCD8M3
CpFYhVEGH9A0hzY8KO+O/XZEMqwbsq1rMyjPQ2Rpz1CjpGG7/gVbPVlv7OoBEEqy
FvsP1v97kNG4SSFhAgIQdRsYKsSrM6Fj1k9BB0XVKGQK34o3r2WB9k2/IpYHZvPI
qam8LCFLI150L315gJJVKk453ZklQVKpZoI7voX4FG9x3XPuYKpywsjf/y/ErMpG
g52seo7igYHj5u63fbgpHGJRGpNAeMhKCxvXOkCUjl8e0OyowdpRmt61HVkHARae
q/BC+AX4KmOYEeHfytPe9vB74xERWy86wHGa6KU3IqcVWh/sWsTrDEuhwO0Kl3dD
6Trrw85PCv3l6NpU9I06sI2roNrtCPYXXMYPVcrmbnAxS2tpoqmevXrjf1cDocCl
1Bd2vdjIdYT92H3cB9My0RpgLb2cqPMP6GtjitJAIGWVmTPixcQsFjRpyhthuddX
DauxAzZh6X/DtjjeIPNXCkYnck6xWz8vU+fqr6kd1AXLyDA0MUJr8YuEXGn7SlFK
S9TgZY22S3waLHfVEBNp/u6m4b/BO4ZeSzqAu4cRfmFH7Lw49pRQebTPEOMchfO2
uZMvNYYiyjqwk00PcKBcX/yJHJyD/uUJ+yj2MGftUWBUY4elPUZ6EKLMSEPjf6SA
-----END RSA PRIVATE KEY-----
[root@node101.yinzhengjie.org.cn /etc/pki/tls/certs]# 
[root@node101.yinzhengjie.org.cn /etc/pki/tls/certs]# make ~/ssl/test100.key   #进入到"/etc/pki/tls/certs"目录后使用make命令可以生成加密的私钥,主要是该目录有一个Makefile文件
[root@node101.yinzhengjie.org.cn ~/ssl]# ll
total 16
-rw------- 1 root root 1766 Dec 21 10:31 test100.key
-rw-r--r-- 1 root root  887 Dec 21 10:28 test2.bak.key
-rw------- 1 root root  963 Dec 21 10:23 test2.key
-rw------- 1 root root  887 Dec 21 10:24 test.key
[root@node101.yinzhengjie.org.cn ~/ssl]# 
[root@node101.yinzhengjie.org.cn ~/ssl]# openssl rsa -in test100.key -pubout -out test100.pubkey       #从私钥中导出公钥,如果私钥设置的有密码需要验证密码后才能生成公钥文件
Enter pass phrase for test100.key:
writing RSA key
[root@node101.yinzhengjie.org.cn ~/ssl]# 
[root@node101.yinzhengjie.org.cn ~/ssl]# ll
total 20
-rw------- 1 root root 1766 Dec 21 10:31 test100.key
-rw-r--r-- 1 root root  451 Dec 21 10:35 test100.pubkey
-rw-r--r-- 1 root root  887 Dec 21 10:28 test2.bak.key
-rw------- 1 root root  963 Dec 21 10:23 test2.key
-rw------- 1 root root  887 Dec 21 10:24 test.key
[root@node101.yinzhengjie.org.cn ~/ssl]# 
[root@node101.yinzhengjie.org.cn ~/ssl]# 
[root@node101.yinzhengjie.org.cn ~/ssl]# openssl rsa -in test.key -pubout -out test.pubkey         #如果私钥文件没有设置密码则直接可以导出公钥
writing RSA key
[root@node101.yinzhengjie.org.cn ~/ssl]# 
[root@node101.yinzhengjie.org.cn ~/ssl]# ll
total 24
-rw------- 1 root root 1766 Dec 21 10:31 test100.key
-rw-r--r-- 1 root root  451 Dec 21 10:35 test100.pubkey
-rw-r--r-- 1 root root  887 Dec 21 10:28 test2.bak.key
-rw------- 1 root root  963 Dec 21 10:23 test2.key
-rw------- 1 root root  887 Dec 21 10:24 test.key
-rw-r--r-- 1 root root  272 Dec 21 10:36 test.pubkey
[root@node101.yinzhengjie.org.cn ~/ssl]# 
[root@node101.yinzhengjie.org.cn ~/ssl]# 
[root@node101.yinzhengjie.org.cn ~/ssl]# cat test100.pubkey 
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtt0fSFIhcbLMrObFw1nf
rp4HnL8s72RxtIKIrf0rEVRsgHt5AaW/wUFzeIn8nN0xrPwAwJFg2lNj+xBapXxu
61UU1CkLGblpdn1G+/eWWGsgkEw14UCg79Ifc5FLuaStraBOjAEYpXB5ge+KcFXE
IIULBUhBlmgzwXNFIM47ucy484JiwD4dXr3YTDRxWeVs0LMST3RmSJb5rq/ZnZJQ
n3t+wHfrUH8uoHnSpOaWrrLwGxdrNws8jUXFDv+T+63B8QGXjlQFEgs+sxyUo2n1
WO/9Sgop0CvSegjofKBD5bxVJsbrUAkYVD1sXEWhYb6juDLROECtxTfxV78evnW1
IwIDAQAB
-----END PUBLIC KEY-----
[root@node101.yinzhengjie.org.cn ~/ssl]# 
[root@node101.yinzhengjie.org.cn ~/ssl]# cat test.pubkey 
-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC7n9G30qtd+8kr4Z4lFskT5aS+
6/7DYr10k9TI+fgbWBpRbsncwPPQV+YVMn12KYtVoglgIAbDeRTfygS4q8NFqk9k
YRKRlzcBIsVkem5I5P5BM9y02CaYZDohwOniTK5yc886EjBkvTCcglWo2oCcUdjN
8+4ZoQaauoK6T0K72QIDAQAB
-----END PUBLIC KEY-----
[root@node101.yinzhengjie.org.cn ~/ssl]# 
[root@node101.yinzhengjie.org.cn ~/ssl]# 
[root@node101.yinzhengjie.org.cn ~/ssl]# openssl rsa -in test100.key -pubout -out test100.pubkey       #从私钥中导出公钥,如果私钥设置的有密码需要验证密码后才能生成公钥文件

7>. 随机数生成器(伪随机数字)

键盘和鼠标,块设备中断
/dev/random:
  仅从熵池返回随机数;随机数用尽,阻塞 /dev/urandom:
  从熵池返回随机数;随机数用尽,会利用软件生成伪随机数,非阻塞
[root@node101.yinzhengjie.org.cn ~]# tr -dc 'a-zA-Z0-9' </dev/urandom       #可以从操纵系统中获取随机数

[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# openssl rand -base64 6            #使用openssl也可以说去随机数
C73Eji13
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# openssl rand -base64 6
yhYfP1qL
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# openssl rand -base64 6
7+2gmWNK
[root@node101.yinzhengjie.org.cn ~]# 

 

三.使用openssl创建私有CA和证书申请颁发

博主推荐阅读:
    https://www.cnblogs.com/yinzhengjie/p/12075752.html

 

posted @ 2019-12-20 23:21  尹正杰  阅读(1758)  评论(0编辑  收藏  举报