haoman posted on 2018-5-20 15:25:31

Linux openssl implementation

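  openssl is an open-source implementation of SSL; SSL and TLS themselves are not covered here. In short, openssl is a piece of software that encrypts data, decrypts data, and creates a private CA. Official site: www.openssl.org.
  Main components of openssl:
  libcrypto: the cryptography library
  libssl: the TLS/SSL (library) implementation (session-based; provides authentication, data integrity, and confidentiality)
  openssl: the command-line tool; can be used to issue private certificates
  Examples with explanation
  #Check which openssl packages are installed on this system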
  # rpm -qa openssl
  openssl-0.9.8e-22.el5
  openssl-0.9.8e-22.el5
  #File paths installed by openssl; too many to show here
  # rpm -ql openssl | more
  

  # vim testssl.txt
  12345678910
  ~
  ~
  ~
  #When running the next command, enter the encryption password (this example uses the symmetric des3 algorithm, i.e. triple DES)
  # openssl enc -des3 -salt -a -in testssl.txt -out testssl_des3
  enter des-ede3-cbc encryption password:
  Verifying - enter des-ede3-cbc encryption password:
  # vim testssl_des3
  U2FsdGVkX18Ac3RL0TNIX/2lCQEGy959/u2/A4SCNt8=
  ~
  ~
  #When running the next command, enter the decryption password
  # openssl enc -des3 -d -salt -a -in testssl_des3 -out testssl.txt1
  enter des-ede3-cbc decryption password:
  #Compare the original file with the decrypted file
  # diff testssl.txt testssl.txt1
  

  #Output of several one-way encryption (hash) commands
  # sha1sum testssl.txt
  bb9670e73957e64e15d8411e2e424d84b8599e20  testssl.txt
  # openssl dgst -sha1 testssl.txt
  SHA1(testssl.txt)= bb9670e73957e64e15d8411e2e424d84b8599e20
  # openssl dgst -md5 testssl.txt
  MD5(testssl.txt)= 8140de300ce2cf5032f9489bd39afed0
  # openssl passwd -1 testssl.txt
  $1$Ml2abKeF$Kx6uZL.1RTBshxFa.CT3I0
  

  #Building a private CA with openssl
  # 1. First generate a key pair
  # 2. Generate a self-signed certificate
  # cd /etc/pki/CA
  # openssl genrsa -out private/cakey.pem 2048
  Generating RSA private key, 2048 bit long modulus
  ......................................................................................................................+++
  ..+++
  e is 65537 (0x10001)
  # ls -l private/
  total 8
  -rw-r--r-- 1 root root 1675 Apr 15 19:55 cakey.pem
  # chmod 600 private/cakey.pem
  # ls -l private/
  total 8
  -rw------- 1 root root 1675 Apr 15 19:55 cakey.pem
  # openssl req -new -x509 -key private/cakey.pem -out cacert.pem
  You are about to be asked to enter information that will be incorporated
  into your certificate request.
  What you are about to enter is what is called a Distinguished Name or a DN.
  There are quite a few fields but you can leave some blank
  For some fields there will be a default value,
  If you enter '.', the field will be left blank.
  -----
  Country Name (2 letter code) :CN
  State or Province Name (full name) :JS
  Locality Name (eg, city) :NJ
  Organization Name (eg, company) :bocs
  Organizational Unit Name (eg, section) []:Tech
  Common Name (eg, your name or your server's hostname) []:ca.bocs.com
  Email Address []:ca@bocs.com
  # openssl x509 -text -in cacert.pem
  # mkdir certs newcerts crl
  # touch index.txt
  # touch serial
  # echo 01 > serial
  

  #Suppose a web server now needs a certificate signed
  # mkdir /tmp/httpd
  # cd /tmp/httpd/
  # mkdir ssl
  # cd ssl
  #Generate the private key
  # (umask 077; openssl genrsa -out httpd.key 1024)
  Generating RSA private key, 1024 bit long modulus
  .................++++++
  ..........................................................++++++
  e is 65537 (0x10001)
  #Generate the certificate signing request
  # openssl req -new -key httpd.key -out httpd.csr
  You are about to be asked to enter information that will be incorporated
  into your certificate request.
  What you are about to enter is what is called a Distinguished Name or a DN.
  There are quite a few fields but you can leave some blank
  For some fields there will be a default value,
  If you enter '.', the field will be left blank.
  -----
  Country Name (2 letter code) :CN
  State or Province Name (full name) :JS
  Locality Name (eg, city) :NJ
  Organization Name (eg, company) :bocs
  Organizational Unit Name (eg, section) []:Tech
  Common Name (eg, your name or your server's hostname) []:www.bocs.com
  Email Address []:www@bocs.com
  

  Please enter the following 'extra' attributes
  to be sent with your certificate request
  A challenge password []:
  An optional company name []:
  

  #Sign on the CA server; before running the command, check /etc/pki/tls/openssl.cnf and confirm: dir= /etc/pki/CA
  # openssl ca -in httpd.csr -out httpd.crt -days 365
  Using configuration from /etc/pki/tls/openssl.cnf
  Check that the request matches the signature
  Signature ok
  Certificate Details:
  Serial Number: 1 (0x1)
  Validity
  Not Before: Apr 15 12:23:06 2016 GMT
  Not After : Apr 15 12:23:06 2017 GMT
  Subject:
  countryName               = CN
  stateOrProvinceName       = JS
  organizationName          = bocs
  organizationalUnitName    = Tech
  commonName                = www.bocs.com
  emailAddress            = www@bocs.com
  X509v3 extensions:
  X509v3 Basic Constraints:
  CA:FALSE
  Netscape Comment:
  OpenSSL Generated Certificate
  X509v3 Subject Key Identifier:
  E9:FE:1D:40:A2:42:A5:C1:80:A2:CD:94:3F:B0:D4:AB:92:45:7D:30
  X509v3 Authority Key Identifier:
  keyid:B2:0B:0D:C7:11:34:EF:B7:E3:AF:F7:75:D6:82:73:12:FA:A0:55:62
  

  Certificate is to be certified until Apr 15 12:23:06 2017 GMT (365 days)
  Sign the certificate? :y
  

  

  1 out of 1 certificate requests certified, commit? y
  Write out database with 1 new entries
  Data Base Updated
  #
  

  #Check whether the signing succeeded
  # cd /etc/pki/CA
  # cat index.txt
  V	170415122306Z		01	unknown	/C=CN/ST=JS/O=bocs/OU=Tech/CN=www.bocs.com/emailAddress=www@bocs.com
  # cat serial
  02
  #
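
Added example, not part of the original post: the `testssl_des3` output shown earlier can be taken apart offline. The Python below decodes that exact base64 string into the `Salted__` header, salt and 3DES ciphertext, and reproduces the single-pass MD5 key derivation (EVP_BytesToKey) that `openssl enc` used by default before OpenSSL 1.1.0; the password in it is a constructed placeholder, since the one used in the post is unknown.

```python
import base64
import hashlib

# Blob copied from the post's testssl_des3 file (openssl enc -des3 -salt -a).
BLOB = "U2FsdGVkX18Ac3RL0TNIX/2lCQEGy959/u2/A4SCNt8="
MAGIC = b"Salted__"
DES_BLOCK = 8  # 3DES block size in bytes


def parse_enc_blob(b64_text):
    """Split an `openssl enc -salt -a` file into salt and ciphertext."""
    raw = base64.b64decode(b64_text)
    if raw[:8] != MAGIC:
        raise ValueError("no Salted__ header: not a salted openssl enc file")
    salt, ciphertext = raw[8:16], raw[16:]
    if not ciphertext or len(ciphertext) % DES_BLOCK:
        raise ValueError("ciphertext is not a whole number of 8-byte blocks")
    return salt, ciphertext


def evp_bytes_to_key(password, salt, key_len=24, iv_len=8):
    """EVP_BytesToKey with MD5 and one iteration (the legacy enc default)."""
    material, block = b"", b""
    while len(material) < key_len + iv_len:
        # Each round hashes the previous digest, the password and the salt.
        block = hashlib.md5(block + password + salt).digest()
        material += block
    return material[:key_len], material[key_len:key_len + iv_len]


if __name__ == "__main__":
    salt, ct = parse_enc_blob(BLOB)
    print("salt      :", salt.hex())
    print("ciphertext:", len(ct), "bytes =", len(ct) // DES_BLOCK, "blocks")
    # Constructed password; the real one used in the post is unknown.
    key, iv = evp_bytes_to_key(b"example-password", salt)
    print("3DES key  :", key.hex())
    print("CBC IV    :", iv.hex())
```

Because the key comes from one MD5 pass over password and salt, the strength of the file rests entirely on the password; OpenSSL 1.1.1 and later add `-pbkdf2` and `-iter` to `openssl enc` for a slower derivation.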
  
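
Added example, not from the original post: a Python audit of the CA database that `cat index.txt` prints above, reporting which certificates are valid, expired or revoked at a given time. The sample data is constructed; its first entry reuses the values from the post and the revoked second entry is invented.

```python
from datetime import datetime, timezone

# Constructed sample in the tab-separated index.txt layout; the first line
# reuses the values shown in the post, the second is an invented revoked entry.
SAMPLE_INDEX = (
    "V\t170415122306Z\t\t01\tunknown\t"
    "/C=CN/ST=JS/O=bocs/OU=Tech/CN=www.bocs.com/emailAddress=www@bocs.com\n"
    "R\t170415122306Z\t160501000000Z\t02\tunknown\t"
    "/C=CN/ST=JS/O=bocs/OU=Tech/CN=old.bocs.com\n"
)


def parse_utctime(stamp):
    """Convert the YYMMDDHHMMSSZ timestamps used in index.txt."""
    return datetime.strptime(stamp, "%y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def audit_index(text, now):
    """Return one dict per certificate with its effective state at `now`."""
    report = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != 6:
            raise ValueError("expected 6 tab-separated fields: %r" % line)
        status, expires, revoked, serial, _filename, subject = fields
        # A revoked entry may carry "date,reason"; keep only the date part.
        revoked_at = parse_utctime(revoked.split(",")[0]) if revoked else None
        not_after = parse_utctime(expires)
        if status == "R":
            state = "revoked"
        elif status == "E" or not_after <= now:
            state = "expired"  # stays flagged V until `openssl ca -updatedb`
        else:
            state = "valid"
        report.append({"serial": int(serial, 16), "subject": subject,
                       "not_after": not_after, "revoked_at": revoked_at,
                       "state": state})
    return report


if __name__ == "__main__":
    for when in (datetime(2016, 6, 1, tzinfo=timezone.utc),
                 datetime(2018, 5, 20, tzinfo=timezone.utc)):
        for entry in audit_index(SAMPLE_INDEX, when):
            print(when.date(), entry["serial"], entry["state"], entry["subject"])
```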