OpenSSL主要依赖着两个库文件
libcrypto加解密相关
libssl 主要是SSL网站
[root@CentOS CA]# rpm -ql openssl | grep "/usr/lib64" /usr/lib64/.libcrypto.so.1.0.1e.hmac /usr/lib64/.libcrypto.so.10.hmac /usr/lib64/.libssl.so.1.0.1e.hmac /usr/lib64/.libssl.so.10.hmac /usr/lib64/libcrypto.so.1.0.1e /usr/lib64/libcrypto.so.10 /usr/lib64/libssl.so.1.0.1e /usr/lib64/libssl.so.10
OpenSSL加解密方法示例
加密
1)openssl enc -des3 -in inittab –e [root@CentOSOpenssl]# openssl enc -des3 -in inittab -e enter des-ede3-cbc encryptionpassword: Verifying - enterdes-ede3-cbc encryption password: 这的密码必须输入 2)将加密信息保存到文件中 [root@CentOSOpenssl]# openssl enc -des3 -in inittab -e -out inittab.txt enter des-ede3-cbc encryptionpassword: Verifying - enterdes-ede3-cbc encryption password: [root@CentOS Openssl]# catinittab.txt Salted__;4F?攒&Xǚlk 3) dgst 单向加密他可以跟如下算法参数示例 Message Digest commands (seethe `dgst' command for more details) md2md4md5 rmd160shasha1 [root@CentOS Openssl]# openssl dgst -md5 fstab MD5(fstab)=9a3270848cc8d24e661a192e2a39a181 [root@CentOS Openssl]# md5sum fstab 9a3270848cc8d24e661a192e2a39a181 fstab 4) rand 产生随机数 [root@CentOS Openssl]#openssl rand -hex 4 7556a695 [root@CentOS Openssl]#openssl rand -base64 4 KKYIPA==
生成密钥
1)生成私钥 [root@CentOS key]# (umask 077; openssl genrsa -out mykey.key 2048) Generating RSA private key, 2048 bit long modulus ..............+++ ....+++ e is 65537 (0x10001) [root@CentOS key]# ll total 4 -rw-------. 1 root root 1679 Oct 18 22:28 mykey.key 2)提取公钥 [root@CentOS key]# openssl rsa -in mykey.pri -pubout -out mykey.csr writing RSA key
建立CA证书颁发机构
配置文件 dir = /etc/pki/CA # Where everything is kept certs = $dir/certs # Where the issued certs are kept crl_dir = $dir/crl # Where the issued crl are kept database = $dir/index.txt # database index file. #unique_subject = no # Set to 'no' to allowcreation of #several ctificates with same subject. new_certs_dir = $dir/newcerts # default place for new certs. certificate = $dir/cacert.pem # The CA certificate serial = $dir/serial # The current serial number crlnumber = $dir/crlnumber # the current crl number # mustbe commented out to leave a V1 CRL crl = $dir/crl.pem # The current CRL private_key = $dir/private/cakey.pem# The private key RANDFILE = $dir/private/.rand # private random number file x509_extensions = usr_cert 1)生成私钥 [root@CentOSprivate]# (umask 077;openssl genrsa -out cakey.pem 2048) Generating RSA private key,2048 bit long modulus ..................................................................................+++ ................................+++ e is 65537 (0x10001) [root@CentOS private]# ll total 4 -rw-------. 1 root root 1679Oct 18 22:49 cakey.pem 2)建立CA自签证书 [root@CentOS CA]# openssl req-new -x509 -key private/cakey.pem -out cacert.pem -days 365 You are about to be asked toenter information that will be incorporated into your certificaterequest. What you are about to enteris what is called a Distinguished Name or a DN. There are quite a few fieldsbut you can leave some blank For some fields there will bea default value, If you enter '.', the fieldwill be left blank. ----- Country Name (2 letter code)[XX]:CN State or Province Name (fullname) []:CQ Locality Name (eg, city)[Default City]:chongqing Organization Name (eg,company) [Default Company Ltd]:HT Organizational Unit Name (eg,section) []:haitian Common Name (eg, your name oryour server's hostname) []:www.haitian.com Email Address []: You have new mail in/var/spool/mail/root [root@CentOS CA]# ll total 20 -rw-r--r--. 1 root root 1318Oct 18 22:57 cacert.pem drwxr-xr-x. 
2 root root 4096Apr 8 2014 certs drwxr-xr-x. 2 root root 4096Apr 8 2014 crl drwxr-xr-x. 2 root root 4096Oct 18 20:44 newcerts drwx------. 2 root root 4096Oct 18 22:49 private\ 3)创建证书记录 [root@CentOS CA]# touchindex.txt serial [root@CentOS CA]# echo 01> serial 用户向CA申请证书 (以当前CA模拟为客户端) 1)创建私钥 [root@CentOS key]# (umask077;openssl genrsa -out client.pri) Generating RSA private key,1024 bit long modulus .......++++++ .................................++++++ e is 65537 (0x10001) [root@CentOS key]# ll total 4 -rw-------. 1 root root 887Oct 18 23:04 client.pri 2)创建证书申请请求 [root@CentOS key]# opensslreq -new -key client.pri -out client.csr -days 365 You are about to be asked toenter information that will be incorporated into your certificaterequest. What you are about to enteris what is called a Distinguished Name or a DN. There are quite a few fieldsbut you can leave some blank For some fields there will bea default value, If you enter '.', the fieldwill be left blank. ----- Country Name (2 letter code)[XX]:CN State or Province Name (fullname) []:CQ Locality Name (eg, city)[Default City]:chongqing Organization Name (eg,company) [Default Company Ltd]:HT Organizational Unit Name (eg,section) []:hiteam Common Name (eg, your name oryour server's hostname) []:www.hiteam.com Email Address []: Please enter the following'extra' attributes to be sent with yourcertificate request A challenge password []: An optional company name []: You have new mail in/var/spool/mail/root [root@CentOS key]# ll total 8 -rw-r--r--. 1 root root 643Oct 18 23:08 client.csr -rw-------. 
1 root root 887Oct 18 23:04 client.pri 3)将客户的证书申请请求文件发送到CA服务器上签署证书申请请求 [root@CentOS key]# openssl ca-in /root/Openssl/key/client.csr -out client.crt -days 365 Using configuration from/etc/pki/tls/openssl.cnf Check that the requestmatches the signature Signature ok Certificate Details: Serial Number: 1 (0x1) Validity Not Before: Oct 18 15:15:56 2014GMT Not After : Oct 18 15:15:56 2015GMT Subject: countryName = CN stateOrProvinceName = CQ organizationName = HT organizationalUnitName = hiteam commonName = www.hiteam.com X509v3 extensions: X509v3 Basic Constraints: CA:FALSE Netscape Comment: OpenSSL Generated Certificate X509v3 Subject Key Identifier: DE:9D:97:81:E9:5F:06:85:7C:1F:48:E0:B8:09:E5:31:59:30:BC:BC X509v3 Authority Key Identifier: keyid:35:D3:05:74:A7:FC:3F:60:C6:A4:63:7C:B7:EF:9B:CE:28:FA:5D:42 Certificate is to becertified until Oct 18 15:15:56 2015 GMT (365 days) Sign the certificate? [y/n]:y 1 out of 1 certificaterequests certified, commit? [y/n]y Write out database with 1 newentries Data Base Updated 4)查看证书是否签署成功 [root@CentOS key]# ll total 12 -rw-r--r--. 1 rootroot 3687 Oct 18 23:16 client.crt -rw-r--r--. 1 root root 647 Oct 18 23:14 client.csr -rw-------. 1 root root 887 Oct 18 23:04 client.pri 查看/etc/pki/CA里文件变化 [root@CentOS CA]# ll total 36 -rw-r--r--. 1 root root 1318Oct 18 22:57 cacert.pem drwxr-xr-x. 2 root root 4096Apr 8 2014 certs drwxr-xr-x. 2 root root 4096Apr 8 2014 crl -rw-r--r--. 1 root root 73 Oct 18 23:16 index.txt -rw-r--r--. 1 root root 21 Oct 18 23:16 index.txt.attr -rw-r--r--. 1 root root 0 Oct 18 22:59 index.txt.old drwxr-xr-x. 2 root root 4096Oct 18 20:44 newcerts drwx------. 2 root root 4096Oct 18 22:49 private -rw-r--r--. 1 root root 3 Oct 18 23:16 serial -rw-r--r--. 1 root root 3 Oct 18 22:59 serial.old [root@CentOS CA]# catindex.txt V 151018151556Z 01 unknown /C=CN/ST=CQ/O=HT/OU=hiteam/CN=www.hiteam.com [root@CentOS CA]# catindex.txt.attr unique_subject = yes [root@CentOS CA]# cat serial 02 [root@CentOS CA]# catserial.old 01
使用脚本实现创建私钥,生成证书申请请求,签署证书;
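#!/bin/bash
# Interactive helper for the three manual steps documented above:
#   private - create an RSA private key (the umask subshell keeps it 0600)
#   csr     - build a certificate signing request from an existing key
#   CA      - sign a request with the local CA (openssl ca takes the CA
#             paths from openssl.cnf and, as in the transcript above,
#             still asks for confirmation before signing)
# The first prompt selects the action; every prompt is read with -r so
# backslashes in answers are kept literally. Fixes against the original:
# missing spaces before $Long and $Name.csr, "$Save,crt" instead of
# "$Save.crt", the unterminated usage string, and unquoted expansions.
set -euo pipefail

# Print a diagnostic to stderr and exit with status 1.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

# Generate an RSA private key named <name>.pri with the requested length.
# Prompts: key length in bits, key name. Fails on a non-numeric length or
# an empty name instead of letting openssl produce an odd file name.
private() {
  local Long Name
  read -r -p "Please Input your private keylong{1024|2048|4096...}:" Long || die "no key length read"
  read -r -p "Please Input your keyname:" Name || die "no key name read"
  [[ "$Long" =~ ^[0-9]+$ ]] || die "key length must be a number of bits"
  [[ -n "$Name" ]] || die "key name must not be empty"
  # Same umask trick as the manual step: the key file is created owner-only.
  (umask 077; openssl genrsa -out "$Name.pri" "$Long")
}

# Create a certificate signing request <name>.csr from <path>.pri.
# Prompts: private key path (without the .pri suffix), request name.
csr() {
  local Path Name
  read -r -p "Please Input your private keypath:" Path || die "no key path read"
  read -r -p "Please input your Certificatesigning request name:" Name || die "no request name read"
  [[ -r "$Path.pri" ]] || die "private key $Path.pri not found or not readable"
  [[ -n "$Name" ]] || die "request name must not be empty"
  openssl req -new -key "$Path.pri" -out "$Name.csr"
}

# Sign <request>.csr with the local CA and write <save>.crt, valid 365 days.
# Prompts: request name (without the .csr suffix), output name.
CA() {
  local Certi Save
  read -r -p "Please Input yourCertificate request:" Certi || die "no request name read"
  read -r -p "Please your Certificate savepath:" Save || die "no save path read"
  [[ -r "$Certi.csr" ]] || die "request $Certi.csr not found or not readable"
  [[ -n "$Save" ]] || die "save path must not be empty"
  # openssl ca prints the subject and asks "Sign the certificate? [y/n]"
  # (see the transcript above), so the operator can refuse an unexpected CSR.
  openssl ca -in "$Certi.csr" -out "$Save.crt" -days 365
}

# Read the requested action and dispatch to it.
# Unknown actions print the usage line to stderr and exit with status 2.
main() {
  local Req
  read -r -p "Please Inputyour Request:" Req || die "no request read"
  case "$Req" in
    private) private ;;
    csr) csr ;;
    CA) CA ;;
    *)
      printf '%s\n' "Usage:{private|csr|CA}" >&2
      exit 2
      ;;
  esac
}

main "$@"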