The openssl command is very powerful; openssl help lists its subcommands, which fall into three groups:

  1. Standard commands
  2. Message digest commands
  3. Cipher commands
[root@32df238d23 ~]# openssl help
Standard commands
asn1parse         ca                ciphers           cms               
crl               crl2pkcs7         dgst              dhparam           
dsa               dsaparam          ec                ecparam           
enc               engine            errstr            gendsa            
genpkey           genrsa            help              list              
nseq              ocsp              passwd            pkcs12            
pkcs7             pkcs8             pkey              pkeyparam         
pkeyutl           prime             rand              rehash            
req               rsa               rsautl            s_client          
s_server          s_time            sess_id           smime             
speed             spkac             srp               storeutl          
ts                verify            version           x509              

Message Digest commands (see the `dgst' command for more details)
blake2b512        blake2s256        gost              md2               
md4               md5               rmd160            sha1              
sha224            sha256            sha3-224          sha3-256          
sha3-384          sha3-512          sha384            sha512            
sha512-224        sha512-256        shake128          shake256          
sm3               

Cipher commands (see the `enc' command for more details)
aes-128-cbc       aes-128-ecb       aes-192-cbc       aes-192-ecb       
aes-256-cbc       aes-256-ecb       aria-128-cbc      aria-128-cfb      
aria-128-cfb1     aria-128-cfb8     aria-128-ctr      aria-128-ecb      
aria-128-ofb      aria-192-cbc      aria-192-cfb      aria-192-cfb1     
aria-192-cfb8     aria-192-ctr      aria-192-ecb      aria-192-ofb      
aria-256-cbc      aria-256-cfb      aria-256-cfb1     aria-256-cfb8     
aria-256-ctr      aria-256-ecb      aria-256-ofb      base64            
bf                bf-cbc            bf-cfb            bf-ecb            
bf-ofb            camellia-128-cbc  camellia-128-ecb  camellia-192-cbc  
camellia-192-ecb  camellia-256-cbc  camellia-256-ecb  cast              
cast-cbc          cast5-cbc         cast5-cfb         cast5-ecb         
cast5-ofb         des               des-cbc           des-cfb           
des-ecb           des-ede           des-ede-cbc       des-ede-cfb       
des-ede-ofb       des-ede3          des-ede3-cbc      des-ede3-cfb      
des-ede3-ofb      des-ofb           des3              desx              
idea              idea-cbc          idea-cfb          idea-ecb          
idea-ofb          rc2               rc2-40-cbc        rc2-64-cbc        
rc2-cbc           rc2-cfb           rc2-ecb           rc2-ofb           
rc4               rc4-40            rc5               rc5-cbc           
rc5-cfb           rc5-ecb           rc5-ofb           seed              
seed-cbc          seed-cfb          seed-ecb          seed-ofb          
zlib              

Symmetric encryption and decryption

openssl enc    Help: man enc or openssl enc --help

# Encryption, form one
[root@32df238d23 ~]# openssl enc -e -des3 -a -salt -in nginx_source_install.sh -out nginx_source_install.sh.enc
enter des-ede3-cbc encryption password:
Verifying - enter des-ede3-cbc encryption password:

# Encryption, form two
[root@32df238d23 ~]# openssl des3 -a -salt -in nginx_source_install.sh -out nginx_source_install.sh1.enc
enter des-ede3-cbc encryption password:
Verifying - enter des-ede3-cbc encryption password:

# The two commands above do the same thing, and their parameters are the same.
# openssl provides many individual symmetric cipher commands; enc gathers all of them under a single command. To use it, run enc and name the cipher.

# Decryption
[root@32df238d23 ~]# openssl enc -d -des3 -a -salt -in nginx_source_install.sh.enc -out nginx_source_install.sh.bak
enter des-ede3-cbc decryption password:

Options

  • enc: symmetric encryption or decryption of a file
  • -e: encrypt; a cipher may be specified, otherwise the default cipher is used
  • -d: decrypt; a cipher may likewise be specified, otherwise the default is used, but it must be the cipher used for encryption
  • -des3: the cipher to use
  • -a: base64 conversion (the 64 printable characters A-Z, a-z, 0-9, + and /)
  • -salt: automatically mix a random salt into the encryption of the file content; this is the default
  • -in: the file to be encrypted or decrypted
  • -out: the new file produced by encryption or decryption
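As an added example (not part of the original notes), the following Python shows what -salt and -a actually produce: the base64 armor wraps the 8-byte "Salted__" magic, the 8-byte random salt, then the ciphertext, and the salt is mixed into the legacy EVP_BytesToKey derivation that enc uses when -pbkdf2 is not given. The sample input is constructed inline; the DES-EDE3-CBC body itself is not decrypted here.

```python
import base64
import hashlib

MAGIC = b"Salted__"  # 8-byte header openssl enc writes when -salt is in effect (the default)


def parse_salted(armored: str) -> tuple:
    """Strip the -a (base64) armor and split off the salt header.

    Layout: "Salted__" (8 bytes) | salt (8 bytes) | ciphertext.
    Returns (salt, ciphertext); raises ValueError if the magic is absent.
    """
    raw = base64.b64decode("".join(armored.split()))
    if len(raw) < 16 or raw[:8] != MAGIC:
        raise ValueError("missing Salted__ header: not produced by openssl enc -salt")
    return raw[8:16], raw[16:]


def evp_bytes_to_key(password: bytes, salt: bytes, key_len: int, iv_len: int,
                     md=hashlib.sha256) -> tuple:
    """Legacy OpenSSL EVP_BytesToKey with count=1: what enc does without -pbkdf2.

    D_1 = H(password || salt); D_i = H(D_{i-1} || password || salt);
    D_1 || D_2 || ... is sliced into key and IV. The digest is enc's -md
    setting: md5 in OpenSSL 1.0.x, sha256 from 1.1.0 on. For des-ede3-cbc
    (the page's -des3) key_len is 24 and iv_len is 8.
    """
    derived, block = b"", b""
    while len(derived) < key_len + iv_len:
        block = md(block + password + salt).digest()
        derived += block
    return derived[:key_len], derived[key_len:key_len + iv_len]


def make_salted_sample(salt: bytes, body: bytes) -> str:
    """Build a constructed sample in the exact layout openssl enc -a -salt emits."""
    return base64.encodebytes(MAGIC + salt + body).decode()


if __name__ == "__main__":
    # Constructed input: a fixed salt and 16 dummy ciphertext bytes (not real enc output).
    sample = make_salted_sample(bytes(range(8)), b"\x00" * 16)
    salt, ciphertext = parse_salted(sample)
    key, iv = evp_bytes_to_key(b"secret", salt, 24, 8)
    # Same password, different salt: a completely different key and IV.
    key2, _ = evp_bytes_to_key(b"secret", bytes(8), 24, 8)
    print("salt", salt.hex(), "key", key.hex(), "iv", iv.hex(), "ciphertext bytes", len(ciphertext))
    print("same password, other salt, same key?", key == key2)
```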

Hashing

openssl md5|sha512…    Help: openssl dgst -help


[root@32df238d23 ~]# openssl md5 nginx_source_install.sh
MD5(nginx_source_install.sh)= a55feb7c1e56fc5f9e6026c8ab93e955

[root@32df238d23 ~]# openssl dgst -md5 nginx_source_install.sh
MD5(nginx_source_install.sh)= a55feb7c1e56fc5f9e6026c8ab93e955

# Both forms above are equivalent to md5sum nginx_source_install.sh

[root@32df238d23 ~]# md5sum  nginx_source_install.sh
a55feb7c1e56fc5f9e6026c8ab93e955  nginx_source_install.sh

Generating user passwords

openssl passwd    Help: openssl passwd -help

[root@32df238d23 ~]# openssl passwd -6 123
$6$Z1.8ERHfsxnvnfxA$tIfAKV/k9/ecqx.BnByDoLw0pgCc8GwWOp1T14jYzCAaj9.K1SRYh04HL0oyoRRwmVuuom1jDRC9636HjRBza.

# -6 selects the sha512 algorithm (CentOS 7 has no such option)
# Note: because salting (-salt) is on by default, every run yields a different result


# Example: generate a user's password hash directly with openssl
[root@32df238d23 ~]# useradd -p $(openssl passwd -6 123456) hanjy 
[root@32df238d23 ~]# tail -1 /etc/shadow
hanjy:$6$l1GzZdww6DCKIglm$80AdNI48lIx69fwwWpEv6I..dQOpOF/cJyO50s6M.AR.Vt2Waa2U7clKJQm8Bvjk.0nZ2QuUxLNFBKRQv.LvF/:19280:0:99999:7:::

Generating random numbers

openssl rand    Help: openssl rand -help

[root@32df238d23 ~]# openssl rand -base64 12
qjgpF5OjoweXoiiX
[root@32df238d23 ~]# openssl rand -base64 12
O4A0aOTHJBhl8SL7
[root@32df238d23 ~]# openssl rand -base64 12
LKFDdo5wF01Rv3sA

# -base64: base64 conversion (the 64 printable characters)

Generating public and private keys (PKI)

openssl genrsa|gendsa -out /path/filename [-des3] [num_bits, default 2048]    Help: openssl genrsa|gendsa -help


# Generate a private key file named private.key
# Form one
[root@32df238d23 ~]# openssl genrsa -out private.key
# Form two: use umask so the key file is created with owner-only permissions, and protect the key with the des3 symmetric cipher
[root@32df238d23 ~]# (umask 077;openssl genrsa -des3 -out private1.key 2048)
Enter pass phrase for private1.key:
Verifying - Enter pass phrase for private1.key:

[root@32df238d23 ~]# ll private1.key 
-rw------- 1 root root 1743 10月 15 14:02 private1.key

Extracting the public key from the private key

openssl <algorithm> -in <private key file> -pubout -out <public key file>
openssl rsa -in private.key -pubout -out *.pub extracts the public key

[root@32df238d23 ~]# openssl rsa -in private.key -pubout -out private.pub
writing RSA key

[root@32df238d23 ~]# ll private.*
-rw------- 1 root root 1675 10月 15 13:54 private.key
-rw-r--r-- 1 root root  451 10月 15 14:20 private.pub


[root@32df238d23 ~]# openssl rsa -in private1.key -pubout -out private1.pub
Enter pass phrase for private1.key:
writing RSA key

[root@32df238d23 ~]# ll private1.*
-rw------- 1 root root 1751 10月 15 14:15 private1.key
-rw-r--r-- 1 root root  451 10月 15 14:20 private1.pub

Building a private CA with openssl to issue certificates

  • Building a CA with openssl requires the openssl and openssl-libs packages
  • OpenCA is a free software alternative

Certificate application process:

  • Generate a certificate signing request
  • The RA verifies the request
  • The CA signs it
  • The applicant retrieves the certificate

Certificate issuance depends on the openssl configuration file, located at /etc/pki/tls/openssl.cnf

openssl.cnf knows three policy values: match, optional and supplied

  • match: the value in the request must equal the CA's own value
  • optional: the field may be present or absent and need not match the CA
  • supplied: the field must be present in the request
[ ca ]
default_ca      = CA_default            # The default ca section

####################################################################
[ CA_default ]

dir             = /etc/pki/CA           # Where everything is kept (main directory)
certs           = $dir/certs            # Where the issued certs are kept (issued certificates)
crl_dir         = $dir/crl              # Where the issued crl are kept (revoked certificates / CRLs)
database        = $dir/index.txt        # database index file (must be created by hand)
#unique_subject = no                    # Set to 'no' to allow creation of
                                        # several certs with same subject.
new_certs_dir   = $dir/newcerts         # default place for new certs.

certificate     = $dir/cacert.pem       # The CA certificate (root CA certificate file name)
serial          = $dir/serial           # The current serial number (must be created by hand)
crlnumber       = $dir/crlnumber        # the current crl number
                                        # must be commented out to leave a V1 CRL
crl             = $crl_dir/crl.pem          # The current CRL (file name of the current revocation list)
private_key     = $dir/private/cakey.pem# The private key (location and name of the CA private key)

x509_extensions = usr_cert              # The extensions to add to the cert

# Comment out the following two lines for the "traditional"
# (and highly broken) format.
name_opt        = ca_default            # Subject Name options
cert_opt        = ca_default            # Certificate field options

# Extension copying option: use with caution.
# copy_extensions = copy
# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL.
# crlnumber must also be commented out to leave a V1 CRL.
# crl_extensions        = crl_ext

default_days    = 365                   # how long to certify for (default certificate validity)
default_crl_days= 30                    # how long before next CRL
default_md      = sha256                # use SHA-256 by default
preserve        = no                    # keep passed DN ordering

# A few difference way of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy          = policy_match  # certificate matching rules

# For the CA policy
[ policy_match ]
countryName             = match      # country must match
stateOrProvinceName     = match      # state or province must match
organizationName        = match      # organization name must match
organizationalUnitName  = optional   # department
commonName              = supplied   # the subject the certificate is for
emailAddress            = optional   # e-mail address


# The file names and paths given in the configuration file must be followed exactly
# This section can be added to the configuration file to set a CRL distribution point for issued certificates
[ server_cert ]
# ... snipped ...
crlDistributionPoints = URI:http://example.com/crl.pem
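As an added example (not from the original notes), this Python reproduces how openssl ca applies the [ policy_match ] section above when it builds the subject of the issued certificate: match fields must equal the CA's value, supplied fields must be present, optional fields are copied when present, and attributes the policy does not list are not copied at all. The CA and request subjects are the ones from this page's session; the code assumes single-valued attributes.

```python
# Rules copied from the [ policy_match ] section of openssl.cnf quoted above.
POLICY_MATCH = {
    "countryName": "match",
    "stateOrProvinceName": "match",
    "organizationName": "match",
    "organizationalUnitName": "optional",
    "commonName": "supplied",
    "emailAddress": "optional",
}

# Subjects from this page's session: the CA self-signed certificate and the hjy.com CSR.
CA_SUBJECT = {
    "countryName": "CN", "stateOrProvinceName": "ShanDong", "localityName": "QingDao",
    "organizationName": "lhwf", "organizationalUnitName": "IT",
    "commonName": "www.hanjy.com", "emailAddress": "admin@163.com",
}
REQ_SUBJECT = {
    "countryName": "CN", "stateOrProvinceName": "ShanDong", "localityName": "QingDao",
    "organizationName": "lhwf", "organizationalUnitName": "IT", "commonName": "hjy.com",
}


def apply_policy(policy: dict, ca_subject: dict, req_subject: dict) -> tuple:
    """Return (problems, issued_subject) the way openssl ca would decide.

    An empty problems list means the request is accepted and the certificate
    gets issued_subject. Attributes the policy does not mention are dropped;
    that is why the hjy.com certificate above carries no localityName although
    the CSR supplied one. Assumes each attribute occurs at most once.
    """
    problems, issued = [], {}
    for attr, rule in policy.items():
        value = req_subject.get(attr)
        if rule == "optional":
            if value is not None:
                issued[attr] = value
        elif rule == "supplied":
            if value is None:
                problems.append(f"The {attr} field needed to be supplied and was missing")
            else:
                issued[attr] = value
        elif rule == "match":
            if value is None:
                problems.append(f"The mandatory {attr} field was missing")
            elif attr not in ca_subject:
                problems.append(f"The {attr} field does not exist in the CA certificate")
            elif value != ca_subject[attr]:
                problems.append(f"The {attr} field differs: CA {ca_subject[attr]!r}, request {value!r}")
            else:
                issued[attr] = value
        else:
            problems.append(f"{rule}: invalid type in 'policy' configuration")
    return problems, issued


if __name__ == "__main__":
    problems, subject = apply_policy(POLICY_MATCH, CA_SUBJECT, REQ_SUBJECT)
    print("accepted" if not problems else problems)
    print("/" + "/".join(f"{k}={v}" for k, v in subject.items()))
    # A request from another organisation is refused by the match rule.
    print(apply_policy(POLICY_MATCH, CA_SUBJECT, {**REQ_SUBJECT, "organizationName": "other"})[0])
```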


Directory layout

/etc/pki/CA/  main directory
├── certs        issued certificates
├── crl          revoked certificates (CRLs)
├── index.txt    certificate index database
├── newcerts     newly issued certificates
├── private      private key
└── serial       serial number file

Common certificate file extensions

Extension      Description
*.cer, *.crt   Certificate. Contains only the certificate, never the private key. Linux usually uses .crt; .cer is the Windows convention.
*.key          Private key. Used to create a certificate signing request.
*.csr          Certificate signing request. Not a certificate but an application to a certificate authority for a signed one; its core content is a public key (plus some accompanying information).
*.pem          An encoding rather than a content type: 1. pem, base64 encoding; 2. der, binary encoding (rare). .cer, .key and .csr files may use either. Opened as text, a PEM file begins with "-----BEGIN…" and ends with "-----END…"; the body is base64.
*.crl          Certificate revocation list.

Creating the directories and files

# Since CentOS 7 the directory does not exist by default and must be created manually
[root@32df238d23 ~]# tree /etc/pki/CA -L 1
/etc/pki/CA [error opening dir]

# Create the directories and files
[root@32df238d23 ~]# mkdir -p /etc/pki/CA/{certs,crl,private,newcerts}

# Create the certificate index database file
[root@32df238d23 ~]# touch /etc/pki/CA/index.txt

# Set the serial number of the first certificate to be issued (a hexadecimal number)
[root@32df238d23 ~]# echo 01 > /etc/pki/CA/serial

--------------------------------------
# The steps above are mandatory; otherwise the following two errors appear later
Using configuration from /etc/pki/tls/openssl.cnf
139627403040576:error:02001002:system library:fopen:No such file or directory:crypto/bio/bss_file.c:69:fopen('/etc/pki/CA/index.txt','r')
139627403040576:error:2006D080:BIO routines:BIO_new_file:no such file:crypto/bio/bss_file.c:76:

Using configuration from /etc/pki/tls/openssl.cnf
/etc/pki/CA/serial: No such file or directory
error while loading serial number
140423263721280:error:02001002:system library:fopen:No such file or directory:crypto/bio/bss_file.c:69:fopen('/etc/pki/CA/serial','r')
140423263721280:error:2006D080:BIO routines:BIO_new_file:no such file:crypto/bio/bss_file.c:76:
---------------------------------------


[root@32df238d23 ~]# tree -L 2 /etc/pki/CA/
/etc/pki/CA/
├── certs   
├── crl
├── index.txt
├── newcerts
├── private
└── serial

Creating the private CA

Generate the private CA key
[root@32df238d23 ~]# cd /etc/pki/CA/

# Note: the private key file name must match the private_key entry in the configuration file
[root@32df238d23 CA]#  (umask 077;openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus (2 primes)

Generating the CA self-signed certificate

Command format:
openssl req -new -x509 -key /path/keyfilename -days 3650 -out /path/certfilename
Common options

req: generates certificate requests, verifies certificate requests and creates root CAs

ca: signs certificates; depends on the /etc/pki/tls/openssl.cnf file

-status: show the status of a certificate

-revoke: revoke a certificate

-new: create a certificate request. Some information is prompted for interactively; the prompts, the permitted lengths of their values and some other extension attributes have defaults in the configuration file (openssl.cnf by default, plus some auxiliary configuration files). If -key is not given, an RSA private key is generated automatically, at the location set in openssl.cnf. If -x509 is given, a self-signed certificate is created instead of a certificate request.

-newkey args: like -new, creates a new certificate request and also creates the private key. args has the form "rsa:bits" (see man for other algorithms), where bits is the RSA key length; if bits is omitted (i.e. -newkey rsa), the length is taken from the default_bits directive in the configuration file, which defaults to 2048. If -x509 is given, a self-signed certificate is created instead of a certificate request.

-x509: generate a self-signed certificate instead of a certificate request. Generally used for testing or for the self-signed certificate of a root CA.

-days: validity period of the self-signed certificate, default 30 days; used together with -x509

-text: print the certificate request in text form

-noout: do not output the encoded (PEM) request itself

-subject: print the subject of the certificate request (or of the certificate, if -x509 is given)

-pubkey: print the public key contained in the certificate request

Configuration-file and miscellaneous options:

-subj args: replace or supply the information that would otherwise be prompted for, and output the modified request. args has the form "/type0=value0/type1=value1…"; an empty value means the default from the configuration file is used, and a value of "." leaves the field blank. Recognised types (man req) include C for Country, ST for State, L for Locality, O for Organization, OU for Organizational Unit, CN for Common Name, and so on.

[root@32df238d23 CA]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 3650 -out /etc/pki/CA/cacert.pem

Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:ShanDong 
Locality Name (eg, city) [Default City]:QingDao
Organization Name (eg, company) [Default Company Ltd]:lhwf
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:www.hanjy.com
Email Address []:admin@163.com

# The certificate file has now been generated
[root@32df238d23 CA]# tree -L 2
.
├── cacert.pem   # certificate file
├── certs
├── crl
├── newcerts
└── private
    └── cakey.pem   CA private key file

# The certificate contents can be inspected
[root@32df238d23 CA]# openssl x509 -in cacert.pem -noout -text 
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            44:74:58:76:82:db:ab:06:71:d6:e1:e5:a5:24:a9:03:fd:95:b2:78
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = CN, ST = ShanDong, L = QingDao, O = lhwf, OU = IT, CN = www.hanjy.com, emailAddress = admin@163.com
        Validity
            Not Before: Oct 15 07:46:15 2022 GMT
            Not After : Oct 12 07:46:15 2032 GMT
        Subject: C = CN, ST = ShanDong, L = QingDao, O = lhwf, OU = IT, CN = www.hanjy.com, emailAddress = admin@163.com

Requesting a certificate from the CA

1. Generate a private key for the host that needs the certificate

[root@32df238d23 CA]# openssl genrsa -out /data/hjy.com.key 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
.................................................+++++
.................................+++++

2. Use the key to generate a certificate signing request for that host

[root@32df238d23 CA]# openssl req -new -key /data/hjy.com.key -out /data/hjy.com.csr

Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:ShanDong
Locality Name (eg, city) [Default City]:QingDao
Organization Name (eg, company) [Default Company Ltd]:lhwf
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:hjy.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:lhwf

# View the certificate request and private key generated under /data
[root@32df238d23 CA]# tree /data/
/data/
├── hjy.com.csr   # certificate signing request
└── hjy.com.key  # private key

3. Sign the request with the private CA and issue the certificate to the requester

# Optionally add -extensions server_cert to the command below to include the CRL distribution point defined in that section
[root@32df238d23 CA]# openssl ca -in /data/hjy.com.csr -out /etc/pki/CA/certs/hjy.com.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Oct 15 08:54:10 2022 GMT
            Not After : Oct 15 08:54:10 2023 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = ShanDong
            organizationName          = lhwf
            organizationalUnitName    = IT
            commonName                = hjy.com
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                58:0B:5D:9F:C4:E4:9A:9E:78:D0:16:C4:3E:96:B9:A5:05:27:40:CB
            X509v3 Authority Key Identifier: 
                keyid:BA:B1:F6:63:2F:78:B5:6C:90:69:B7:25:16:36:7B:49:C2:9A:60:E7

Certificate is to be certified until Oct 15 08:54:10 2023 GMT (365 days)
Sign the certificate? [y/n]:  y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated


# The certificate has been issued
[root@32df238d23 CA]# tree /etc/pki/CA/
/etc/pki/CA/
├── cacert.pem   # root certificate
├── certs
│   └── hjy.com.crt  # certificate issued by the CA
├── crl
├── index.txt
├── index.txt.attr
├── index.txt.old
├── newcerts
│   └── 01.pem   # same as the certificate in certs, here named after its serial number
├── private
│   └── cakey.pem  # root certificate private key
├── serial
└── serial.old


[root@vm-nfs-41 data]# cp /etc/pki/CA/certs/hjy.com.crt ./
[root@vm-nfs-41 data]# ls
hjy.com.crt   # certificate
hjy.com.csr   # certificate signing request
hjy.com.key   # private key

# With this key and crt the certificate can be deployed to nginx

Revoking a certificate

Certificates are revoked with the -revoke option of the ca subcommand
Format: openssl ca -revoke /path/file.crt|.pem    Help: openssl ca -help

# Get the serial number of the certificate to revoke
[root@vm-nfs-41 data]#  openssl x509 -in hjy.com.crt -noout -serial -subject
serial=01
subject=C = CN, ST = ShanDong, O = lhwf, OU = IT, CN = hjy.com


# After checking that this matches the entry in index.txt, revoke the certificate
[root@vm-nfs-41 data]# openssl ca -revoke  hjy.com.crt 
Using configuration from /etc/pki/tls/openssl.cnf
Revoking Certificate 01.
Data Base Updated

# View the contents of index.txt
[root@vm-nfs-41 data]# cat /etc/pki/CA/index.txt
R       231015085410Z   221017065805Z   01      unknown /C=CN/ST=ShanDong/O=lhwf/OU=IT/CN=hjy.com

# The first field of /etc/pki/CA/index.txt is now R (revoked)
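As an added example (not from the original notes), this Python parses the index.txt database shown above so revoked entries can be listed without reading the CA directory by hand. The file is tab-separated: status (V valid, R revoked, E expired), expiry, revocation time (empty unless revoked, optionally followed by ",reason"), serial, certificate file name ("unknown" when not stored), subject DN; the cat output above shows the tabs as runs of spaces. The sample is the page's line plus a constructed V entry.

```python
from datetime import datetime, timezone

# Constructed sample in the real tab-separated layout: the first line is the
# hjy.com entry from the page, the second an invented still-valid certificate.
SAMPLE_INDEX = (
    "R\t231015085410Z\t221017065805Z\t01\tunknown\t/C=CN/ST=ShanDong/O=lhwf/OU=IT/CN=hjy.com\n"
    "V\t241015090000Z\t\t02\tunknown\t/C=CN/ST=ShanDong/O=lhwf/OU=IT/CN=web.example.test\n"
)


def parse_utctime(stamp: str) -> datetime:
    """ASN.1 UTCTime as written by openssl ca: YYMMDDHHMMSSZ (YY >= 50 means 19YY)."""
    yy = int(stamp[0:2])
    year = 1900 + yy if yy >= 50 else 2000 + yy
    return datetime(year, int(stamp[2:4]), int(stamp[4:6]), int(stamp[6:8]),
                    int(stamp[8:10]), int(stamp[10:12]), tzinfo=timezone.utc)


def parse_dn(dn: str) -> dict:
    """'/C=CN/ST=ShanDong/CN=hjy.com' -> {'C': 'CN', 'ST': 'ShanDong', 'CN': 'hjy.com'}."""
    return dict(part.split("=", 1) for part in dn.strip("/").split("/") if part)


def parse_index(text: str) -> list:
    """Parse index.txt into one dict per certificate record."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        status, expiry, revoked, serial, filename, dn = line.split("\t")
        rev_time, reason = None, None
        if revoked:  # "221017065805Z" or "221017065805Z,keyCompromise"
            stamp, _, reason = revoked.partition(",")
            rev_time, reason = parse_utctime(stamp), reason or None
        records.append({
            "status": status, "expires": parse_utctime(expiry), "revoked": rev_time,
            "reason": reason, "serial": serial, "file": filename, "subject": parse_dn(dn),
        })
    return records


def revoked_serials(records: list) -> list:
    """Serials that a CRL generated from this database must carry."""
    return [r["serial"] for r in records if r["status"] == "R"]


if __name__ == "__main__":
    recs = parse_index(SAMPLE_INDEX)
    for r in recs:
        print(r["status"], r["serial"], r["subject"]["CN"], r["expires"].isoformat(), r["revoked"])
    print("revoked:", revoked_serials(recs))
```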

# Set the number of the CA's first CRL. Note: this is only needed once, before the first CRL is generated (file name and path must follow the configuration file)
[root@vm-nfs-41 data]# echo 01 > /etc/pki/CA/crlnumber

# Generate (update) the certificate revocation list (file name and path must follow the configuration file)
[root@vm-nfs-41 data]# openssl ca -gencrl -out /etc/pki/CA/crl/crl.pem
Using configuration from /etc/pki/tls/openssl.cnf

[root@vm-nfs-41 data]# tree -L 2 /etc/pki/CA
/etc/pki/CA
├── cacert.pem             # CA root certificate
├── certs
│   └── hjy.com.crt        # certificate issued by the CA
├── crl
│   └── crl.pem            # certificate revocation list
├── crlnumber              # CRL number file
├── crlnumber.old
├── index.txt              # database file
├── index.txt.attr
├── index.txt.attr.old
├── index.txt.old
├── newcerts
│   └── 01.pem
├── private
│   └── cakey.pem          # CA private key
├── serial                 # current certificate serial number
└── serial.old

# To view the contents of crl.pem, run
[root@vm-nfs-41 data]# openssl crl -in /etc/pki/CA/crl/crl.pem  -noout  -text
Certificate Revocation List (CRL):
        Version 2 (0x1)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = CN, ST = ShanDong, L = QingDao, O = lhwf, OU = IT, CN = www.hanjy.com, emailAddress = admin@163.com
        Last Update: Oct 17 07:18:34 2022 GMT
        Next Update: Nov 16 07:18:34 2022 GMT
        CRL extensions:
            X509v3 CRL Number: 
                1
Revoked Certificates:
    Serial Number: 01
        Revocation Date: Oct 17 06:58:05 2022 GMT
    Signature Algorithm: sha256WithRSAEncryption
         2c:39:ed:ba:e2:7d:27:45:14:28:99:18:5c:cc:0d:55:85:58:
         b8:ff:3b:69:1b:8f:cf:52:01:0c:cf:00:ea:64:17:7a:e0:ab:
         41:90:b8:a0:af:95:da:c3:53:1d:31:ef:22:63:25:c0:e1:3c:
         63:d2:fd:1b:e3:4f:cb:22:36:ba:c7:9c:9e:82:e0:2a:39:9e:
         a4:23:54:81:a7:e9:90:09:99:ac:d5:c7:24:dd:18:cf:23:55:
         4b:76:ab:03:97:ee:72:10:4a:36:84:1b:71:af:0c:74:ed:74:
         1c:fa:cd:dc:a5:13:d6:72:40:a7:04:89:fc:ef:30:ff:e0:46:
         7b:ef:cb:c7:92:2f:bb:65:cf:b7:33:9e:ad:50:89:56:b7:12:
         b1:7d:a5:57:13:b0:ee:00:3f:c8:0c:ce:52:34:4b:60:38:80:
         3e:e8:61:be:91:28:1b:5c:69:33:cb:aa:2e:6e:06:97:58:b7:
         31:96:b4:9f:f3:9c:77:14:4a:38:4d:af:2f:43:5c:68:83:d4:
         07:6a:1f:c7:f8:e0:65:e1:80:c8:1c:ce:8a:52:ea:00:0b:ee:
         b8:21:97:fd:a0:fa:3c:62:10:c2:44:74:ef:a4:45:5f:74:c3:
         e7:3d:ea:65:5a:c7:be:5c:c4:2a:e8:46:c5:5d:f1:cd:98:6a:
         0f:c9:83:65