OpenSSL is an open-source implementation of SSL; SSL and TLS themselves are not covered here. In short, OpenSSL is a piece of software that encrypts and decrypts data and can set up a private CA. Official site: www.openssl.org.

   Main components of OpenSSL:

                   libcrypto: the cryptographic library

                   libssl: the TLS/SSL implementation (a library; session-based, providing authentication, data integrity and confidentiality)

                   openssl: the command-line tool, which can issue private certificates

Examples with explanations

# Check the openssl installation on this system

[root@localhost ~]# rpm -qa openssl

openssl-0.9.8e-22.el5

openssl-0.9.8e-22.el5

# Files installed by the openssl package; too many to show them all

[root@localhost ~]# rpm -ql openssl | more


[root@localhost ~]# vim testssl.txt

12345678910


# When running the next command, enter the encryption password (this run uses the symmetric des3 algorithm, i.e. triple DES)

[root@localhost ~]# openssl enc -des3 -salt -a -in testssl.txt -out testssl_des3

enter des-ede3-cbc encryption password:

Verifying - enter des-ede3-cbc encryption password:

[root@localhost ~]# vim testssl_des3

U2FsdGVkX18Ac3RL0TNIX/2lCQEGy959/u2/A4SCNt8=


# When running the next command, enter the decryption password

[root@localhost ~]# openssl enc -des3 -d -salt -a -in testssl_des3 -out testssl.txt1

enter des-ede3-cbc decryption password:

# Compare the original file with the decrypted one (no output means they are identical)

[root@localhost ~]# diff testssl.txt testssl.txt1
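As an added example (not code from the original post), here is a Python parser for the container that `openssl enc -salt -a` wrote to testssl_des3 above: the `Salted__` magic, an 8-byte random salt, then the ciphertext. It also reproduces the key/IV derivation (EVP_BytesToKey with a single MD5 pass) that the `enc` command of OpenSSL 0.9.8 uses, which is why a long passphrase matters with this tool and why `-pbkdf2` with an AES cipher is the better choice on newer releases. The passphrase in the `__main__` block is a constructed value; the real one is not on the page.

```python
import base64
import hashlib

# Base64 text of testssl_des3 exactly as shown on the page.
SALTED_B64 = "U2FsdGVkX18Ac3RL0TNIX/2lCQEGy959/u2/A4SCNt8="
MAGIC = b"Salted__"


def parse_salted(b64_text: str):
    """Split `openssl enc -salt -a` output into (salt, ciphertext)."""
    raw = base64.b64decode(b64_text)
    if not raw.startswith(MAGIC) or len(raw) < 16:
        raise ValueError("not an OpenSSL 'Salted__' container")
    salt, ciphertext = raw[8:16], raw[16:]
    # des-ede3-cbc is a block cipher: the body is a multiple of 8 bytes.
    if len(ciphertext) % 8 != 0:
        raise ValueError("ciphertext length is not a multiple of 8")
    return salt, ciphertext


def evp_bytes_to_key(password: bytes, salt: bytes, key_len: int,
                     iv_len: int, count: int = 1):
    """OpenSSL's legacy EVP_BytesToKey with MD5:
    D_i = MD5(D_{i-1} || password || salt), hashed `count` times
    (enc uses count=1), concatenated until key and IV are filled."""
    derived, prev = b"", b""
    while len(derived) < key_len + iv_len:
        block = hashlib.md5(prev + password + salt).digest()
        for _ in range(count - 1):
            block = hashlib.md5(block).digest()
        derived += block
        prev = block
    return derived[:key_len], derived[key_len:key_len + iv_len]


def des3_key_iv(password: bytes, salt: bytes):
    """des-ede3-cbc needs a 24-byte key and an 8-byte IV."""
    return evp_bytes_to_key(password, salt, 24, 8)


if __name__ == "__main__":
    salt, ct = parse_salted(SALTED_B64)
    print("salt:", salt.hex(), "ciphertext bytes:", len(ct))
    # Constructed passphrase; the real one is not on the page.
    key, iv = des3_key_iv(b"example-passphrase", salt)
    print("key:", key.hex(), "iv:", iv.hex())
```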


# Output of several one-way hash functions

[root@localhost ~]# sha1sum  testssl.txt

bb9670e73957e64e15d8411e2e424d84b8599e20  testssl.txt

[root@localhost ~]# openssl dgst -sha1 testssl.txt

SHA1(testssl.txt)= bb9670e73957e64e15d8411e2e424d84b8599e20

[root@localhost ~]# openssl dgst -md5 testssl.txt

MD5(testssl.txt)= 8140de300ce2cf5032f9489bd39afed0

[root@localhost ~]# openssl passwd -1 testssl.txt

$1$Ml2abKeF$Kx6uZL.1RTBshxFa.CT3I0


# Build a private CA with openssl

# 1. First generate a key pair

# 2. Generate a self-signed certificate

[root@localhost ~]# cd /etc/pki/CA

[root@localhost CA]# openssl genrsa -out private/cakey.pem 2048

Generating RSA private key, 2048 bit long modulus

......................................................................................................................+++

..+++

e is 65537 (0x10001)

[root@localhost CA]# ls  -l private/

total 8

-rw-r--r-- 1 root root 1675 Apr 15 19:55 cakey.pem

[root@localhost CA]# chmod 600 private/cakey.pem 

[root@localhost CA]# ls  -l private/

total 8

-rw------- 1 root root 1675 Apr 15 19:55 cakey.pem

[root@localhost CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [GB]:CN

State or Province Name (full name) [Berkshire]:JS

Locality Name (eg, city) [Newbury]:NJ

Organization Name (eg, company) [My Company Ltd]:bocs

Organizational Unit Name (eg, section) []:Tech  

Common Name (eg, your name or your server's hostname) []:ca.bocs.com

Email Address []:ca@bocs.com

[root@localhost CA]# openssl x509 -text -in cacert.pem 

[root@localhost CA]# mkdir certs newcerts crl

[root@localhost CA]# touch index.txt

[root@localhost CA]# touch serial

[root@localhost CA]# echo 01 > serial 


# Suppose a web server now needs a certificate signed

[root@localhost ~]# mkdir /tmp/httpd

[root@localhost ~]# cd /tmp/httpd/

[root@localhost httpd]# mkdir ssl

[root@localhost httpd]# cd ssl

# Generate the private key

[root@localhost ssl]# (umask 077; openssl genrsa -out httpd.key 1024)

Generating RSA private key, 1024 bit long modulus

.................++++++

..........................................................++++++

e is 65537 (0x10001)

# Generate the certificate signing request

[root@localhost ssl]# openssl req -new -key httpd.key -out httpd.csr

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [GB]:CN

State or Province Name (full name) [Berkshire]:JS

Locality Name (eg, city) [Newbury]:NJ

Organization Name (eg, company) [My Company Ltd]:bocs

Organizational Unit Name (eg, section) []:Tech  

Common Name (eg, your name or your server's hostname) []:www.bocs.com

Email Address []:www@bocs.com


Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge password []:

An optional company name []:


# Have the CA sign the request. Before running the command, check /etc/pki/tls/openssl.cnf and confirm that dir = /etc/pki/CA

[root@localhost ssl]# openssl ca -in httpd.csr -out httpd.crt -days 365

Using configuration from /etc/pki/tls/openssl.cnf

Check that the request matches the signature

Signature ok

Certificate Details:

        Serial Number: 1 (0x1)

        Validity

            Not Before: Apr 15 12:23:06 2016 GMT

            Not After : Apr 15 12:23:06 2017 GMT

        Subject:

            countryName               = CN

            stateOrProvinceName       = JS

            organizationName          = bocs

            organizationalUnitName    = Tech

            commonName                = www.bocs.com

            emailAddress              = www@bocs.com

        X509v3 extensions:

            X509v3 Basic Constraints: 

                CA:FALSE

            Netscape Comment: 

                OpenSSL Generated Certificate

            X509v3 Subject Key Identifier: 

                E9:FE:1D:40:A2:42:A5:C1:80:A2:CD:94:3F:B0:D4:AB:92:45:7D:30

            X509v3 Authority Key Identifier: 

                keyid:B2:0B:0D:C7:11:34:EF:B7:E3:AF:F7:75:D6:82:73:12:FA:A0:55:62


Certificate is to be certified until Apr 15 12:23:06 2017 GMT (365 days)

Sign the certificate? [y/n]:y



1 out of 1 certificate requests certified, commit? [y/n]y

Write out database with 1 new entries

Data Base Updated

[root@localhost ssl]# 


# Check whether the signing succeeded

[root@localhost CA]# cd /etc/pki/CA

[root@localhost CA]# cat index.txt

V 170415122306Z 01 unknown /C=CN/ST=JS/O=bocs/OU=Tech/CN=www.bocs.com/emailAddress=www@bocs.com

[root@localhost CA]# cat serial

02

[root@localhost CA]#
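The index.txt line above is the CA's database record for the certificate just issued. As an added example (not code from the original post), here is a Python parser for that file, plus a check for certificates about to expire, which is the kind of monitoring a private CA needs once it issues more than one certificate. The sample content is constructed: the first line is the page's entry written with its real tab separators (the blog rendering collapsed the empty revocation column), the second is a made-up revoked entry.

```python
from datetime import datetime, timedelta, timezone

# Constructed index.txt content. Line 1 is the entry shown on the page; the
# real file is tab-separated with an empty revocation column for a valid
# certificate. Line 2 is a made-up revoked entry to show the 'R' form.
INDEX_TXT = (
    "V\t170415122306Z\t\t01\tunknown\t"
    "/C=CN/ST=JS/O=bocs/OU=Tech/CN=www.bocs.com/emailAddress=www@bocs.com\n"
    "R\t180101000000Z\t160601090000Z\t02\tunknown\t"
    "/C=CN/ST=JS/O=bocs/OU=Tech/CN=mail.bocs.com\n"
)


def ca_time(value: str):
    """index.txt stores times as YYMMDDHHMMSSZ (UTC); empty means none."""
    if not value:
        return None
    return datetime.strptime(value, "%y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def parse_dn(dn: str) -> dict:
    """Turn /C=CN/ST=JS/... into a dict (assumes no '/' inside values)."""
    out = {}
    for part in dn.split("/"):
        if part:
            key, _, val = part.partition("=")
            out[key] = val
    return out


def parse_index(text: str) -> list:
    """Parse the CA database: status, expiry, revocation, serial, file, DN."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != 6:
            raise ValueError("malformed index.txt line: %r" % line)
        status, exp, rev, serial, fname, dn = fields
        entries.append({"status": status,   # V valid, R revoked, E expired
                        "expires": ca_time(exp), "revoked": ca_time(rev),
                        "serial": serial, "file": fname,
                        "subject": parse_dn(dn)})
    return entries


def expiring_soon(entries: list, now: datetime, days: int = 30) -> list:
    """Serials of valid certificates that expire within `days` of `now`."""
    limit = now + timedelta(days=days)
    return [e["serial"] for e in entries
            if e["status"] == "V" and e["expires"] <= limit]
```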