歡迎來到Linux教程網
Linux教程網
Linux教程網
Linux教程網
您现在的位置: Linux教程網 >> UnixLinux >  >> Linux基礎 >> Linux服務器

OpenSSL相關命令(for Linux)詳細介紹

加密算法:

  對稱加密算法:

  DES、IDEA、RC2、RC4、AES、Skipjack ……

  非對稱加密算法:

  RSA、DSA、DiffieHellman、PKCS、PGP ……

  單向的HASH算法屬於報文摘要算法,雖然有些也出自OpenSSL庫。

  命令操作:

  1、生成普通私鑰:

[weigw@TEST src]$ openssl genrsa -out privatekey.key 1024

Generating RSA private key, 1024 bit long modulus ....++++++ .......++++++ e is 65537 (0x10001)

  2、生成帶加密口令的密鑰:

[weigw@TEST src]$ openssl genrsa -des3 -out privatekey.key 1024

Generating RSA private key, 1024 bit long modulus ............++++++ .....................++++++ e is 65537 (0x10001) Enter pass phrase for privatekey.key: Verifying - Enter pass phrase for privatekey.key:

  在生成帶加密口令的密鑰時需要自己去輸入密碼。對於為密鑰加密現在提供了一下幾種算法:

-des encrypt the generated key with DES in cbc mode

-des3 encrypt the generated key with DES in ede cbc mode (168 bit key)

-aes128, -aes192, -aes256 encrypt PEM output with cbc aes

  去除密鑰的口令:

[weigw@TEST src]$ openssl rsa -in privatekey.key -out

privatekey.key Enter pass phrase for privatekey.key: writing RSA key

  通過生成的私鑰去生成證書:

[weigw@TEST src]$ openssl req -new -x509 -key privatekey.key -out cacert.crt -days 1095

You are about to be asked to enter information that will be incorporated into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [GB]:CN

State or Province Name (full name) [Berkshire]:beijing

Locality Name (eg, city) [Newbury]:beijing

Organization Name (eg, company) [My Company Ltd]:wondersoft

Organizational Unit Name (eg, section) []:develop

Common Name (eg, your name or your server's hostname) []:WeiGW

Email Address []:[email protected]

  在生成證書的時候需要按照提示輸入一些個人信息。

  通過私鑰生成公鑰:

[weigw@TEST src]$ openssl rsa -in privatekey.key -pubout -out pubkey.key writing RSA key

  格式轉換:(證書、私鑰、公鑰)(PEM <——>DER)

[weigw@TEST src]$ openssl x509 -in cacert.crt -inform PEM -out cacert.der -outform DER

[weigw@TEST src]$


[weigw@TEST src]$ openssl rsa -in privatekey.key -inform PEM -out privatekey.der -outform DER

writing RSA key


[weigw@TEST src]$ openssl rsa -pubin -in pubkey.key -inform PEM -pubout -out pubkey.der -outform DER

writing RSA key

從DER格式轉換成PEM格式一樣,就是把inform的格式改成DERoutform的格式改成PEM即可。

  下面是一個服務器和客戶端認證的證書、私鑰生成方法:(server.crt、client.crt、ca.crt)

第一步: 生成私鑰

[weigw@TEST bin]$ openssl genrsa -out server.key 1024 
Generating RSA private key, 1024 bit long modulus .++++++ ..
.........++++++ e is 65537 (0x10001) 
[weigw@TEST bin]$ openssl genrsa -out client.key 1024 
Generating RSA private key, 1024 bit long modulus ...++++++ ......
..........++++++ e is 65537 (0x10001) 
[weigw@TEST bin]$ openssl genrsa -out ca.key 1024
Generating RSA private key, 1024 bit long modulus .......
..++++++ .........++++++ e is 65537 (0x10001) 
      [weigw@TEST bin]$

  第三步: 申請證書(為請求文件簽名)

[weigw@TEST bin]$ openssl ca -in server.csr -out server.crt -cert ca.crt -keyfile ca.key

[weigw@TEST bin]$ openssl ca -in client.csr -out client.crt -cert ca.crt -keyfile ca.key

  如果在這步出現錯誤信息:

[weigw@TEST bin]$ openssl ca -in client.csr -out client.crt -cert ca.crt -keyfile ca.key

Using configuration from /usr/share/ssl/openssl.cnf I am unable to access the ./demoCA/newcerts directory ./demoCA/newcerts: No such file or directory

[weigw@TEST bin]$

  自己手動創建一個CA目錄結構

  [weigw@TEST bin]$ mkdir ./demoCA
  [weigw@TEST bin]$ mkdir demoCA/newcerts
  創建個空文件:
  [weigw@TEST bin]$ vi demoCA/index.txt
  向文件中寫入01:
  [weigw@TEST bin]$ vi demoCA/serial

  合並證書文件(crt)和私鑰文件(key):

[weigw@TEST bin]$ cat client.crt client.key > client.pem [weigw@TEST bin]$ cat server.crt server.key > server.pem


  合並成pfx證書:

[weigw@TEST bin]$ openssl pkcs12 -export -clcerts -in client.crt -inkey client.key -out client.p12

Enter Export Password:

Verifying - Enter Export Password:

[weigw@TEST bin]$openssl pkcs12 -export -clcerts -in server.crt -inkey server.key -out server.p12  
Enter Export Password:
Verifying - Enter Export Password:

  文本化證書:

[weigw@TEST bin]$ openssl pkcs12 -in client.p12 -out client.txt Enter Import Password:

MAC verified OK

Enter PEM pass phrase: Verifying - Enter PEM pass phrase:

[weigw@TEST bin]$openssl pkcs12 -in server.p12 -out server.txt

Enter Import Password:

MAC verified OK

Enter PEM pass phrase: Verifying - Enter PEM pass phrase:


  屏幕模式顯式:(證書、私鑰、公鑰)

[weigw@TEST bin]$ openssl x509 -in client.crt -noout -text -modulus

[weigw@TEST bin]$ openssl rsa -in server.key -noout -text -modulus

[weigw@TEST bin]$ openssl rsa -in server.pub -noout -text -modulus


  得到DH:

[weigw@TEST bin]$ openssl dhparam -out dh1024.pem 1024

Copyright © Linux教程網 All Rights Reserved