证书格式:x509,pkcs12
x509:
包括公钥及其有效期限
证书的合法拥有者
证书该如何使用
CA的信息
CA签名的校验码
openssl
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
|
[root@localhost ~]
# openssl ?
openssl:Error:
'?'
is an invalid
command
.
Standard commands
asn1parse ca ciphers cms
crl crl2pkcs7 dgst dh
dhparam dsa dsaparam ec
ecparam enc engine errstr
gendh gendsa genpkey genrsa
nseq ocsp
passwd
pkcs12
pkcs7 pkcs8 pkey pkeyparam
pkeyutl prime rand req
rsa rsautl s_client s_server
s_time sess_id smime speed
spkac ts verify version
x509
Message Digest commands (see the `dgst'
command
for
more
details)
md2 md4 md5 rmd160
sha sha1
Cipher commands (see the `enc'
command
for
more
details)
aes-128-cbc aes-128-ecb aes-192-cbc aes-192-ecb
aes-256-cbc aes-256-ecb base64 bf
bf-cbc bf-cfb bf-ecb bf-ofb
camellia-128-cbc camellia-128-ecb camellia-192-cbc camellia-192-ecb
camellia-256-cbc camellia-256-ecb cast cast-cbc
cast5-cbc cast5-cfb cast5-ecb cast5-ofb
des des-cbc des-cfb des-ecb
des-ede des-ede-cbc des-ede-cfb des-ede-ofb
des-ede3 des-ede3-cbc des-ede3-cfb des-ede3-ofb
des-ofb des3 desx idea
idea-cbc idea-cfb idea-ecb idea-ofb
rc2 rc2-40-cbc rc2-64-cbc rc2-cbc
rc2-cfb rc2-ecb rc2-ofb rc4
rc4-40 seed seed-cbc seed-cfb
seed-ecb seed-ofb zlib
|
标准命令:
|
1
|
[root@localhost ~]
# openssl enc -des3 -a -in inittab -out inittab.des3
|
enc:加密
-des3:表示加密使用的算法
-a:
-in -out:输入文件和输出文件
|
1
|
[root@localhost ~]
# openssl enc -des3 -d -a -in inittab.des3 -out inittab
|
-d:解密
dgst:计算特征码
|
1
2
3
4
|
[root@localhost ~]
# openssl dgst -md5 inittab
MD5(inittab)= 3768a70f5cc82dcdb3ce031b26fcb7ef
[root@localhost ~]
# md5sum inittab
3768a70f5cc82dcdb3ce031b26fcb7ef inittab
|
-md5:使用md5算法
passwd:给密码加密
|
1
2
3
4
5
6
7
|
[root@localhost ~]
# openssl passwd -1
Password:
#redhat
Verifying - Password:
$1$r4IAix30$IrHjX5LsZb9GJXoCnWL1T/
[root@localhost ~]
# openssl passwd -1 -salt r4IAix30
Password:
$1$r4IAix30$IrHjX5LsZb9GJXoCnWL1T/
|
-1:表示使用md5算法
#注意salt的用法
rsautl:rsa加密工具
rand:生成随机数
|
1
2
3
4
5
6
|
[root@localhost ~]
# openssl rand -base64 123
dO6DUcjmcjWapFS
/j5D1w7wVPk8jbEURqm0IXmx745WBtNUroM
+kAP2BHB+sK4gD
edaKY2xrBOSKRknX2slzszawYBYFRVRtjsGvtWPJCA
/K4gCYMyklIk8n3QG6NBbv
L8VP4gUPE1cm5fMRkq944S5WSqLdYS3
/W2FC
[root@localhost ~]
# openssl rand -base64 7
UnaMol4pBg==
|
openssl实现私有CA:
-
生成一对密钥
-
生成自签证书
genrsa:生成rsa私钥
|
1
2
3
4
5
|
[root@localhost ~]
# openssl genrsa 1024 > wudan.key
Generating RSA private key, 1024 bit long modulus
..++++++
.............++++++
e is 65537 (0x10001)
|
生成1024位(默认是512位)的私钥,保存到文件里。
-out wudan.key 也可以使用选项保存到文件。
|
1
|
[root@localhost ~]
# (umask 077; openssl genrsa 1024 > wudan.key)
|
注意私钥文件的权限!
rsa:控制管理ras密钥的工具
|
1
2
3
4
5
6
7
8
|
[root@localhost ~]
# openssl rsa -in wudan.key -pubout
writing RSA key
-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDJPhmeLCdt2fIvCaEFtxVvnWMw
G8
//5dqzOlDnEKg82cl4ShXpzxWS5QSxxqYYsxOA0ISNbG6uwiExsqqAakKhsZeW
ySkRRgPlR9nZ6LE+rvb0YkbOT5XjuPrpXCva1L9hxffaZYPPUCo0uWHzc1vQ8Szc
TqcP3Pj+lW3e4S9OzQIDAQAB
-----END PUBLIC KEY-----
|
指定私钥,输出公钥
req:生成自签署的证书,布置一台证书服务器。
|
1
|
[root@localhost ~]
# openssl req -new -x509 -key wudan.key -out wudan.crt -days 365
|
-new:代表新的申请
-x509:代表x509格式的证书
-key:代表使用什么私钥
-out:代表证书输出到什么文件
-days:代表证书的有效期。单位是天。
|
1
2
3
4
5
6
7
8
|
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:hubei
Locality Name (eg, city) [Default City]:wuhan
Organization Name (eg, company) [Default Company Ltd]:pp
Organizational Unit Name (eg, section) []:tech
Common Name (eg, your name or your server's
hostname
) []:
#主机名这里非常重要,证书是对应服务器主机名的!
Email Address []:
|
需要修改文件权限!
|
1
|
[root@localhost ~]
# openssl x509 -text -in wudan.crt
|
输出证书的信息
生成证书之后,表示CA准备好了,可以给其它机器发证了。
/etc/pki/tls/openssl.cnf CA配置文件
用配置好的CA服务器给chomper.key这个私钥签名,生成证书chomper.crt
|
1
|
[root@localhost private]
# openssl req -new -key chomper.key -out chomper.csr #先申请
|
csr:证书申请请求
|
1
|
[root@localhost private]
# openssl ca -in chomper.csr -out chomper.crt #生成证书
|
-days 365:证书期限,单位天
[root@localhost certs]# make chomper.crt
umask 77 ; \
/usr/bin/openssl genrsa -aes128 2048 > chomper.key
Generating RSA private key, 2048 bit long modulus
........................+++
..................+++
e is 65537 (0x10001)
Enter pass phrase:
Verifying - Enter pass phrase:
umask 77 ; \
/usr/bin/openssl req -utf8 -new -key chomper.key -x509 -days 365 -out chomper.crt -set_serial 0
Enter pass phrase for chomper.key:
