1. 程式人生 > >Centos7下的Openssl和CA

Centos7下的Openssl和CA

tap 需要 密文 rtb nmf 密碼 cux next sse

一、Openssl常用命令:

# openssl ?    # 查看openssl的命令及子命令
# man enc    # 可以直接查看子命令幫助

加密:

# openssl enc -des3 -e -salt -in /lee/sh/test.sh -out /lee/sh/test.sh.des3

-des3:指定加密算法,可以在openssl ?中查看支持的加密算法

-e:加密,缺省參數

-salt:加鹽

-in:輸入文件,也就是要加密的文件

-out:輸出文件,也就是加密後的密文

enter des-ede3-cbc encryption password:    # 輸入加密密碼
Verifying - enter des-ede3-cbc encryption password:    #確認輸入加密密碼


解密:

# openssl enc -des3 -d -salt -in /lee/sh/test.sh.des3 -out /lee/sh/test1.sh

-d:解密

enter des-ede3-cbc decryption password:


散列:

# md5sum /lee/sh/test.sh    # 用MD5散列
590c2fdc61a76337dd2e1df91a217a27  /lee/sh/test.sh
# sha1sum /lee/sh/test.sh    # SHA1散列
40554fd040b5a54821280603a67e5c07818aff65  /lee/sh/test.sh
# openssl dgst -sha1 /lee/sh/test.sh    # 用openssl命令進行SHA1散列
SHA1(/lee/sh/test.sh)= 40554fd040b5a54821280603a67e5c07818aff65
# openssl dgst -md5 /lee/sh/test.sh    # 用openssl命令進行MD5散列
MD5(/lee/sh/test.sh)= 590c2fdc61a76337dd2e1df91a217a27
# openssl dgst -?    # 這樣可以輸出支持的命令
unknown option '-?'
options are
-c              to output the digest with separating colons
-r              to output the digest in coreutils format
-d              to output debug info
-hex            output as hex dump
-binary         output in binary form
-hmac arg       set the HMAC key to arg
-non-fips-allow allow use of non FIPS digest
-sign   file    sign digest using private key in file
-verify file    verify a signature using public key in file
-prverify file  verify a signature using private key in file
-keyform arg    key file format (PEM or ENGINE)
-out filename   output to filename rather than stdout
-signature file signature to verify
-sigopt nm:v    signature parameter
-hmac key       create hashed MAC with key
-mac algorithm  create MAC (not neccessarily HMAC)
-macopt nm:v    MAC algorithm parameters or key
-engine e       use engine e, possibly a hardware device.
-md4            to use the md4 message digest algorithm
-md5            to use the md5 message digest algorithm
-ripemd160      to use the ripemd160 message digest algorithm
-sha            to use the sha message digest algorithm
-sha1           to use the sha1 message digest algorithm
-sha224         to use the sha224 message digest algorithm
-sha256         to use the sha256 message digest algorithm
-sha384         to use the sha384 message digest algorithm
-sha512         to use the sha512 message digest algorithm
-whirlpool      to use the whirlpool message digest algorithm


生成密碼串(散列值):

# openssl passwd -?    # 詳細幫助還是查看man
Usage: passwd [options] [passwords]
where options are
-crypt             standard Unix password algorithm (default)
-1                 MD5-based password algorithm# MD5算法
-apr1              MD5-based password algorithm, Apache variant
-salt string       use provided salt
-in file           read passwords from file
-stdin             read passwords from stdin
-noverify          never verify when reading password from terminal
-quiet             no warnings
-table             format output as table
-reverse           switch table columns

但是,passwd本身是一個操作系統命令,用man查看的是操作系統那個passwd的幫助,於是whatis一下:

# whatis passwd
sslpasswd (1ssl)     - compute password hashes    # 可以看出是sslpasswd
passwd (1)           - update user's authentication tokens
passwd (5)           - password file
# man sslpasswd    # 這樣就可以查看了
# openssl passwd -1    # 使用MD5算法計算密碼的(字符串)的散列值
Password: 
Verifying - Password: 
$1$VAehBGE.$vSHYjZqz4O3xLXgqaWTL70

註意:這個命令時默認加鹽的,所以多次執行同一個密碼串所得到的結果都會不同

# openssl passwd -1 -salt VAehBGE.    # 指定salt值
Password: 
$1$VAehBGE.$vSHYjZqz4O3xLXgqaWTL70    # 相同的salt結果輸出一樣了


生成非對稱密鑰:

# openssl genrsa    # 生成RSA私鑰
Generating RSA private key, 2048 bit long modulus
...........+++
........................+++
e is 65537 (0x10001)
-----BEGIN RSA PRIVATE KEY-----
MIIEpQIBAAKCAQEA9armbPLhXtJc70Ktvw0JJEZtWaA6MtWGjL6sr51WGhrC2wcu
XVdrQlpWXWxFjO7zlwfIs2Oo9+6LmQdmRbqlt0Jmh0RG9XxB51cKR1s8c71k/u2A
Jm6Ccg8wsxLgBVKrpFB9bZ7WsLAJ7n61mkJul49Vp/uIuGX+3HEgmgoOWObw6xiC
tMSR9c5ksobz3oI6R9ccwpOfcXBWUzVo2fc+KnuKyM1saR8HXrHBPpoyP6DT2GOv
CyLjw1l1c4jPKO6PC2CJMyM4q6EuTow/j8y+X2vCVPzferYRixH8b96HGisxqD2f
UxK1H3RPOCk8L/NiWyE2L5950FgDxUB1gRXANwIDAQABAoIBABg0S1mmoG/QOBnW
rvmo1iK90Z5H/BPwF76cNrViwg32XwZncbj+mPHDpsizlzKohFV4Dd0mz4oF9bkR
EpGCLzucDi/7mSYspO2fFMMtCQq6OU4opjyjHLUSLBEopevAVmrtBz6arLphzciy
sT/OlcjW9XCEhtbsLa0YdEbZAMrfXKdpR88CX8zIKn5ZTG2BO6vP6tfLrSVPM/Rl
5dJVLFkB4cgoZKLYDzllYPn9YerUFJnl1H+2ky/skEWf+jDoIw+zVQPhUn/kdBpU
gFEbp60FvJK5iRx81fK0liOhZHFefNGsiSSqPVVvP7qRmqgCamZYqfQdRujzZ4Io
sW4Q5FECgYEA/iTMjxSnE3x5d8jzR/s5rotEq08XlfVlkAYSxFOje0lOtdlX/OJv
02+4lf0btEOHPcdCbHIuhx6zMlx2TPaXcfgMvowKe+/bfcX76VldhQxj/xJvXzVx
acCYY2fRZc69GPsXR+PHANMjI4AZWoDeGYaqxEtMafSQnFiagatyx1kCgYEA93ZA
kHUDBHlpkg+bQLrlimMGqXGj4m7TasW/PTxEWe1WbgKuN9o7grGdnAlhKDhdAi9S
4eCNzKA4CTK8Zx9WH6izgq9oushDSofTgzozuPXiJ2PFxDl0nGQLvg2UrgzzBmSK
0GO0Il7tkkDKfZdApFgqyWbA7CrShs1rF9fsYg8CgYEA00kau5Vq9btVbO2mvGAz
a1YjZ9ygei6DGkLCVXBHiNbAVlT0XqyOVZUbO68q2ioOBKFlKq2e2vz988+FFqUn
8TtMtRnOGY2myCDSNwTxyAwuEkBsURYoTMguqO4F24MOGPefOkg3CQt/uiLkcSaT
/1rDG+CSDcCifSj4gvdbvDkCgYEAorch6xrVuhpvfXg/mMeL6XwFxGMR5PEEmT+f
6Q74zrzNyRaAIf+gg+ZwgUp1lTHCjo45jIbQFo3/aqTu10v2oGiYaMUYM0E9ZgN7
49zgZ61eYJItV0KEV9U9F2HssqmXH0v7Lt1wc+1Bf5qUyxIqkiXbNIUZM/FQbw0h
bxMuvqcCgYEA8JMQHjmx9NCUAH9ShHrrqO4qw9NCvAteShx0D/AbQALP5L56QfWQ
L0h31nNpL1E2AHAME/ZcWQzeHhrPY0+gOklBRG+mQS2MNOD31bZNUgh6LF20s4M/
1Qb1srzf9qKbhD2PG3PSSuj1UuFGT/al/L3QOnv4+ewXgL/Iyl7HAgs=
-----END RSA PRIVATE KEY-----
# openssl genrsa -out /lee/my.key    # 生成RSA私鑰同時輸出
# openssl rsa -in /lee/my.key -pubout    # 查看私鑰的公鑰
writing RSA key
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA9armbPLhXtJc70Ktvw0J
JEZtWaA6MtWGjL6sr51WGhrC2wcuXVdrQlpWXWxFjO7zlwfIs2Oo9+6LmQdmRbql
t0Jmh0RG9XxB51cKR1s8c71k/u2AJm6Ccg8wsxLgBVKrpFB9bZ7WsLAJ7n61mkJu
l49Vp/uIuGX+3HEgmgoOWObw6xiCtMSR9c5ksobz3oI6R9ccwpOfcXBWUzVo2fc+
KnuKyM1saR8HXrHBPpoyP6DT2GOvCyLjw1l1c4jPKO6PC2CJMyM4q6EuTow/j8y+
X2vCVPzferYRixH8b96HGisxqD2fUxK1H3RPOCk8L/NiWyE2L5950FgDxUB1gRXA
NwIDAQAB
-----END PUBLIC KEY-----
# openssl rsa -in /lee/my.key -pubout -out /lee/mypub.key    # 輸出私鑰的公鑰


二、配置CA:

1):查看並修改CA配置文件:

# cat /etc/pki/tls/openssl.cnf    # 主要的是下面的內容
####################################################################
[ ca ]
default_ca= CA_default# The default ca section
####################################################################
[ CA_default ]
dir= /etc/pki/CA# Where everything is kept    # 默認主工作目錄
certs= $dir/certs# Where the issued certs are kept    # 客戶端證書保存目錄
crl_dir= $dir/crl# Where the issued crl are kept    # 證書撤銷列表位置
database= $dir/index.txt# database index file.    # 發放的證書列表,默認是沒有這個文件的,需要自己創建
#unique_subject= no# Set to 'no' to allow creation of
# several ctificates with same subject.
new_certs_dir= $dir/newcerts# default place for new certs.    # 新生成的證書
certificate= $dir/cacert.pem # The CA certificate    # CA自己的證書(自簽署證書)
serial= $dir/serial # The current serial number    # 序號,默認是沒有這個文件的,需要自己創建
crlnumber= $dir/crlnumber# the current crl number
# must be commented out to leave a V1 CRL
crl= $dir/crl.pem # The current CRL
private_key= $dir/private/cakey.pem# The private key    # CA的私鑰存放位置
RANDFILE= $dir/private/.rand# private random number file
x509_extensions= usr_cert# The extentions to add to the cert
# Comment out the following two lines for the "traditional"
# (and highly broken) format.
name_opt = ca_default# Subject Name options
cert_opt = ca_default# Certificate field options
# Extension copying option: use with caution.
# copy_extensions = copy
# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL.
# crlnumber must also be commented out to leave a V1 CRL.
# crl_extensions= crl_ext
default_days= 365# how long to certify for    # 證書默認有效期
default_crl_days= 30# how long before next CRL
default_md= sha256# use SHA-256 by default
preserve= no# keep passed DN ordering


2):創建CA工作目錄下的必要文件

# touch /etc/pki/CA/index.txt    # 創建證書發放列表文件
# touch /etc/pki/CA/serial    # 創建序號文件
# echo "01" > /etc/pki/CA/serial    # 寫入起始序號


3):生成一個CA自己的非對稱私鑰:

# openssl genrsa -out /etc/pki/CA/private/cakey.pem


4):生成自簽署證書:

# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem

-new:新建

-x509:指定自簽署證書

-key:指定非對稱秘鑰(私鑰)

-out:輸出文件

-days:證書有效期

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:GuangDong      
Locality Name (eg, city) [Default City]:ShenZhen
Organization Name (eg, company) [Default Company Ltd]:test
Organizational Unit Name (eg, section) []:test
Common Name (eg, your name or your server's hostname) []:ca.test.com
Email Address []:[email protected]
# openssl x509 -text -in cacert.pem# 查看證書信息
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            ae:af:f9:0e:f3:0e:96:bd
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=CN, ST=GuangDong, L=ShenZhen, O=test, OU=test, CN=ca.test.com/[email protected]
        Validity
            Not Before: Feb  3 07:38:39 2018 GMT
            Not After : Mar  5 07:38:39 2018 GMT
        Subject: C=CN, ST=GuangDong, L=ShenZhen, O=test, OU=test, CN=ca.test.com/[email protected]
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:c3:91:60:ee:17:d2:14:36:75:1c:d3:95:ac:43:
                    69:5c:f0:7f:a6:00:cb:7f:b2:45:5c:1e:0a:da:a9:
                    ba:82:37:7f:36:9c:49:c3:2a:23:2e:b1:fa:78:87:
                    aa:a5:cc:91:2f:55:0f:e5:dd:de:e8:07:46:61:9e:
                    c3:dd:33:12:a1:98:f2:cb:62:00:45:1d:54:89:cb:
                    28:cb:4f:b4:eb:46:df:df:ca:5b:94:81:64:c0:4f:
                    fe:91:23:a0:33:cf:b8:05:27:63:cc:d2:87:c0:42:
                    30:d7:1f:d6:e0:3d:61:61:6d:46:2a:99:63:b3:7f:
                    70:6a:f8:96:5f:9e:f6:b6:9f:8e:44:09:cc:eb:3e:
                    ac:e0:d0:97:5e:43:9a:8d:b2:f9:18:08:73:7f:39:
                    d9:9b:a5:b2:4e:c7:25:93:ce:a6:ee:36:bc:22:e9:
                    08:8b:17:c0:5e:af:ff:c6:ce:ea:0b:f5:a6:d3:bc:
                    f7:77:76:48:f1:57:25:56:88:6b:73:bf:65:44:59:
                    aa:a4:94:cd:d5:7c:4a:ca:fd:77:19:8e:42:62:3a:
                    d3:4c:7c:b3:2d:73:ac:1c:70:4b:a5:26:cf:62:c0:
                    2f:e0:c3:06:eb:37:6e:1d:7b:df:53:08:09:bf:e0:
                    6d:d8:ee:95:6d:1f:d9:df:3e:11:8b:e0:3d:0e:7b:
                    94:0f
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                30:2F:BF:46:D3:E2:89:32:F3:76:D8:59:72:E5:06:79:65:E3:FF:2B
            X509v3 Authority Key Identifier: 
                keyid:30:2F:BF:46:D3:E2:89:32:F3:76:D8:59:72:E5:06:79:65:E3:FF:2B
            X509v3 Basic Constraints: 
                CA:TRUE
    Signature Algorithm: sha256WithRSAEncryption
         c0:d5:cc:e8:65:34:82:b5:99:f5:5d:e9:6d:43:42:c1:8c:01:
         0c:09:34:df:d0:46:ca:01:7c:9b:f8:a1:08:e4:99:b1:5c:ef:
         eb:6d:2d:d5:82:fa:3f:10:c9:96:ac:35:3a:1a:de:a7:37:69:
         9d:20:d3:4f:19:3b:29:e8:e1:4a:7e:29:cd:5f:a1:81:f5:3e:
         5d:c4:55:e6:e5:5d:c5:87:bd:4f:45:d0:3c:2c:5a:60:9b:2e:
         79:23:0d:fa:80:bf:80:83:f2:09:ce:6f:94:5c:c6:21:53:f7:
         58:8e:cf:8d:88:7e:c1:57:38:a3:1c:e5:02:16:af:56:51:04:
         9e:ad:54:e4:70:1f:76:d9:bf:1d:38:95:e4:94:91:6d:36:87:
         c4:fa:75:3d:87:53:c9:10:8d:46:81:34:44:e3:53:12:cf:31:
         ca:10:48:14:c0:6f:d3:7a:3a:62:3f:04:90:f7:00:d6:c0:ce:
         ea:2f:44:ad:70:36:58:20:04:f9:2a:98:b4:af:fe:b4:67:35:
         1d:3b:3e:ea:ba:e4:70:8b:56:f4:d5:bd:61:05:d4:30:23:64:
         c9:54:cd:96:bf:86:dd:38:41:6a:b1:4e:8d:72:ce:79:b7:fa:
         51:53:c5:08:e2:d6:2f:43:b0:39:d4:c3:3c:84:b6:83:23:60:
         4b:c0:9e:9d
-----BEGIN CERTIFICATE-----
MIID4zCCAsugAwIBAgIJAK6v+Q7zDpa9MA0GCSqGSIb3DQEBCwUAMIGHMQswCQYD
VQQGEwJDTjESMBAGA1UECAwJR3VhbmdEb25nMREwDwYDVQQHDAhTaGVuWmhlbjEN
MAsGA1UECgwEdGVzdDENMAsGA1UECwwEdGVzdDEUMBIGA1UEAwwLY2EudGVzdC5j
b20xHTAbBgkqhkiG9w0BCQEWDmFkbWluQHRlc3QuY29tMB4XDTE4MDIwMzA3Mzgz
OVoXDTE4MDMwNTA3MzgzOVowgYcxCzAJBgNVBAYTAkNOMRIwEAYDVQQIDAlHdWFu
Z0RvbmcxETAPBgNVBAcMCFNoZW5aaGVuMQ0wCwYDVQQKDAR0ZXN0MQ0wCwYDVQQL
DAR0ZXN0MRQwEgYDVQQDDAtjYS50ZXN0LmNvbTEdMBsGCSqGSIb3DQEJARYOYWRt
aW5AdGVzdC5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDDkWDu
F9IUNnUc05WsQ2lc8H+mAMt/skVcHgraqbqCN382nEnDKiMusfp4h6qlzJEvVQ/l
3d7oB0ZhnsPdMxKhmPLLYgBFHVSJyyjLT7TrRt/fyluUgWTAT/6RI6Azz7gFJ2PM
0ofAQjDXH9bgPWFhbUYqmWOzf3Bq+JZfnva2n45ECczrPqzg0JdeQ5qNsvkYCHN/
OdmbpbJOxyWTzqbuNrwi6QiLF8Ber//GzuoL9abTvPd3dkjxVyVWiGtzv2VEWaqk
lM3VfErK/XcZjkJiOtNMfLMtc6wccEulJs9iwC/gwwbrN24de99TCAm/4G3Y7pVt
H9nfPhGL4D0Oe5QPAgMBAAGjUDBOMB0GA1UdDgQWBBQwL79G0+KJMvN22Fly5QZ5
ZeP/KzAfBgNVHSMEGDAWgBQwL79G0+KJMvN22Fly5QZ5ZeP/KzAMBgNVHRMEBTAD
AQH/MA0GCSqGSIb3DQEBCwUAA4IBAQDA1czoZTSCtZn1XeltQ0LBjAEMCTTf0EbK
AXyb+KEI5JmxXO/rbS3Vgvo/EMmWrDU6Gt6nN2mdINNPGTsp6OFKfinNX6GB9T5d
xFXm5V3Fh71PRdA8LFpgmy55Iw36gL+Ag/IJzm+UXMYhU/dYjs+NiH7BVzijHOUC
Fq9WUQSerVTkcB922b8dOJXklJFtNofE+nU9h1PJEI1GgTRE41MSzzHKEEgUwG/T
ejpiPwSQ9wDWwM7qL0StcDZYIAT5Kpi0r/60ZzUdOz7quuRwi1b01b1hBdQwI2TJ
VM2Wv4bdOEFqsU6Ncs55t/pRU8UI4tYvQ7A51MM8hLaDI2BLwJ6d
-----END CERTIFICATE-----


三、向CA申請證書:

1):生成一個自己的非對稱密鑰

# openssl genrsa -out /lee/my.key


2):申請證書(在這裏私有CA申請流程就是一個證書生成的步驟了)

# openssl req -new -key /lee/my.key -out /lee/my.crt    # 註意這裏沒有-x509的選項了,-x509代表的是自簽署
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:GuangDong
Locality Name (eg, city) [Default City]:ShenZhen
Organization Name (eg, company) [Default Company Ltd]:test
Organizational Unit Name (eg, section) []:test
Common Name (eg, your name or your server's hostname) []:www.test.com
Email Address []:[email protected]
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:


3):CA簽署證書:

# openssl ca -in /lee/my.crt -out www.test.com.crt
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Feb  3 08:29:30 2018 GMT
            Not After : Feb  3 08:29:30 2019 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = GuangDong
            organizationName          = test
            organizationalUnitName    = test
            commonName                = www.test.com
            emailAddress              = [email protected]
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                36:1E:30:68:9A:42:75:DE:EA:BE:F3:FF:EB:3C:26:5F:5B:30:4B:30
            X509v3 Authority Key Identifier: 
                keyid:30:2F:BF:46:D3:E2:89:32:F3:76:D8:59:72:E5:06:79:65:E3:FF:2B
Certificate is to be certified until Feb  3 08:29:30 2019 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y   
Write out database with 1 new entries
Data Base Updated
[root@localhost CA]# cat index.txt# 查看下證書頒發列表,發現已經有了一條信息,”01“就是從剛才的serial中繼承來的
V190203082930Z01unknown/C=CN/ST=GuangDong/O=test/OU=test/CN=www.test.com/[email protected]























Centos7下的Openssl和CA