前言:对称加密解密命令行工具,单向加密工具,生成密钥对工具
OpenSSL:
组件:libcrypto库,libssl库主要有开发人员使用。
openssl:多用途命令行工具。
openssl命令:
命令主要分为三类:
(1)标准命令 :
(2)消息摘要命令(dgst子命令):
(3)加密命令(enc子命令):
对称加密的工具:
openssl enc -ciphername [-in filename] [-out filename] [-pass arg] [-e] [-d] [-salt] [-a]
-cirphername:表示要使用的加密算法
-in filename:表示要加密的文件
-out filename:表示加密后输出的文件
-pass arg:表示加密时使用的密码
-e:表示加密
-d:表示解密
-salt:表示在加密后掺入杂质
-a:表示文本格式编码,不加-a表示二进制格式编码
复制文件/etc/fstab到当前目录并对它进行加密:
[root@Tzz ~]# openssl enc -e -des3 -a -salt -in fstab -out fatab.cirphertext enter des-ede3-cbc encryption password:
系统会提示你输入密码。
加密后的结果:
之后再对它解密:
[root@Tzz ~]# openssl enc -d -des3 -a -out fstab -in fatab.cirphertextenter des-ede3-cbc decryption password:
单向加密工具:
openssl dgst [-md5|-md4|-md2|-sha1|-sha|-mdc2|-ripemd160|-dss1] /PATH/TO/SOMEFILE
提取fstab文件的特征码(使用md5算法):
[root@Tzz ~]# openssl dgst -md5 fstabMD5(fstab)= b56aba6febb1a5c74a4664f34a6b2a56
生成用户密码工具:
openssl passwd [-1] [-salt string](我们可以生成随机数当成杂质掺入密码)
[root@Tzz ~]# openssl passwd -1 -salt 12345Password: $1$12345$nbKSwtiwEKb8OtTPKCO1J0
生成随机数工具:
openssl rand [-base64] [-hex] num
[-hex]:生成十六进制编码格式随机数
[-base64]:生成base64编码格式随机数
[root@Tzz ~]# openssl rand -base64 10zA0wV94TMnOyuQ==
[root@Tzz ~]# openssl rand -hex 107266f7ed0539a2b28f4c
(使用时要将其后的= =删除)
基于随机数生成密码:
[root@Tzz ~]# openssl passwd -1 -salt `openssl rand -hex 4`Password: $1$1b5632d4$9ds0.QBvLD0U0hCfdjlQ6.
公钥加密:
(1)加密算法:算法:RSA,ELGamal,工具:openssl rsautl,gpg
(2)数字签名:算法:RSA,DSA,ELGamal,工具:openssl rsautl,gpg
(3)密钥交换:算法:DH,工具:openssl rsautl,gpg
在公钥加密时我们要使用密钥对来加密,怎样获得密钥对?
生成密钥工具:
openssl genrsa [-out filename][numbits]
[-out filename]:生成密钥存储的位置
[numbits]:生成密钥的位数
生成1024位的私钥:
[root@Tzz ~]# openssl genrsa 1024Generating RSA private key, 1024 bit long modulus...........................................++++++....................++++++e is 65537 (0x10001)-----BEGIN RSA PRIVATE KEY-----MIICWwIBAAKBgQDgpNf+Xl+Kx5eIRS99mtgpMQPsTT6d9mnMF2clPoMgcjR22jwE9rYDKJp6xyxzyBNvNYRQvUQWwRl0rQh7n/HlcDVAcdIO880lFljUF2EJsB5M4T8UjI+4OY/jx1gEiIAL+hL63HWVrwvfT9uUe80WnhjWOUyUHklNSG70UJb0lQIDAQABAoGAYgpPYepaFD1LeuOG+HBtynxj0+taWqJCRhoon+6KV8y/7OcNrrTldrdvxAnM8rLtGGno1zvizXN04qDpxNpnPQN+1wolepe8x0oe+DJyYqdwiY6YpdxcTjVskVFtgdfK0ETJUuXPGnRgOKSwlmGlwi96JfbQqy9J+qyqawYObnkCQQD898XI7Bg7hM89dHUHJptLxWntA3R2NH8RrUK94msSf4kLWgP/JJSka0D2S0vIP5h+8KVnWXuGZHrNZFuSA9FbAkEA41Yo3Kmz8FXy3YtCEboJV+Cn0UC5FfYGUd+rNGVn3S01liccbaIOhofxKz48HW9ZYMvhi+pzMJ0KRZRmcFXEzwJARAf6iAt+hNs1xMhCBNdMIneIAjbQpk198uoOrfRraUElQQlHU+GpnAJAKTyct9DqmRDs2ruE7eKt5/jaa41dSwJAbZSMYcETURe813lWwYCxHEDX44+VJ7bNWQ29UqZGqGAwYk4778Sbx9EjOLro8y9HH9dmwrCiEZ7A4sUjk6ZkFQJAShE2wvu8SGTkeDB6Pvxf7/ldrbwq7koaDJfCjOgc6NRCybweV6+44HfMK3F9L0G+FoCrM9MnZKYXVkTa3TVIRg==-----END RSA PRIVATE KEY-----
为了安全起见,我们生成私钥时可以使用遮罩码创建私钥:
[root@Tzz ~]# (umask 077; openssl genrsa -out /tmp/mykey.private 1024)Generating RSA private key, 1024 bit long modulus..........................++++++.............++++++e is 65537 (0x10001)
我们使用077mask码创建该密钥文件时,创建出来的文件只有属主才有读权限,在命令行中加入括号表示该命令在子shell中进行,经不会被用户看见,从而保证了私钥的安全性。
提取公钥:
openssl rsa -in /PATH/FROM/PRIVATE_KEY_FILE -pubout
[root@Tzz ~]# openssl rsa -in /tmp/mykey.private -puboutwriting RSA key-----BEGIN PUBLIC KEY-----MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDTR5HAHJLzmsJF101boyuzGh3RM/rUxQC2MzmIKD0w+0Fk+tLJWZYs5q7vqviPREGVOstOqefWvqVM7Df8Dx75S67rMzCEI9AL3pPIhS29y2dFOA/qau+oQslR3d1z7T1Pq12w0cMTNQ9XhXJk5Dc/wWxhyqF9xf0TB63j4wEaEwIDAQAB-----END PUBLIC KEY-----
关于随机数:
在生成私钥和提取公钥时都要依赖随机数。
Linux系统上的随机数生成器:
/dev/random:仅从熵池返回随机数;随机数用尽,阻塞
/dev/urandom:从熵池返回随机数,随机数用尽,会利用软件生成伪随机数,非阻塞;
(注:伪随机数不安全)
熵池:内核维护的一段空间用来存放随机数。
熵池中随机数的来源:硬盘IO中断时间间隔;键盘IO中断时间间隔;
CA:公共信任的CA,私有CA;
创建私有CA工具:
openssl命令的配置文件:/etc/pki/tls/openssl.cnf,其中定义了CA的工作环境
[ ca ]:CA的子命令
dir = /etc/pki/CA :CA的工作目录
certs = $dir/certs:已经签发过的证书存放位置
crl_dir = $dir/crl:吊销列表存放位置
database = $dir/index.txt:存放了各个证书的索引数据库
certificate = $dir/cacert.pem:CA的自签证书
crlnumber = $dir/crlnumber:吊销证书编号
serial = $dir/serial:证书序列号
private_key = $dir/private/cakey.pem:CA的私钥
[ req ]:请求证书子命令
构建私有CA:
第一步:在确定配置为CA的服务器上生成一个自签证书,并为CA提供所需要的目录及文件。
(1)生成私钥:
[root@Tzz ~]# (umask 077; openssl genrsa -out /etc/pki/CA/private/cakey.pem 4096)Generating RSA private key, 4096 bit long modulus..................................................................................................................................................................................................++..........................................................++e is 65537 (0x10001)[root@Tzz ~]# ls -l /etc/pki/CA/private/cakey.pem-rw------- 1 root root 3243 Jan 7 19:41 /etc/pki/CA/private/cakey.pem
(2)生成自签证书:
[root@Tzz ~]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem -days 3656You are about to be asked to enter information that will be incorporatedinto your certificate request.What you are about to enter is what is called a Distinguished Name or a DN.There are quite a few fields but you can leave some blankFor some fields there will be a default value,If you enter '.', the field will be left blank.-----Country Name (2 letter code) [XX]:CNState or Province Name (full name) []:beijingLocality Name (eg, city) [Default City]:beijingOrganization Name (eg, company) [Default Company Ltd]:mageeduOrganizational Unit Name (eg, section) []:opsCommon Name (eg, your name or your server's hostname) []:ca.mageedu.comEmail Address []:caadmin@mageedu.com
-new:生成新证书签署请求
-x509:生成自签格式证书,专用于创建私有CA时;
-key:生成请求时用到的私有文件路径;
-out:生成的请求文件路径;如果自签操作将直接生成签署过的证书;
-days:证书的有效时长,单位是day;
(注:该命令选项会根据私钥自动提取公钥)
(3)提供CA所需要的目录及文件;
[root@Tzz ~]# mkdir -pv /etc/pki/CA/{certs,crl,newcerts}[root@Tzz ~]# touch /etc/pki/CA/{serial,index.txt}[root@Tzz ~]# echo 01 > /etc/pki/CA/serial
第二步:要用到证书进行安全通信的服务器,需要向CA请求签署证书;
(1)用到证书的主机生成私钥(以httpd为例):
[root@localhost httpd]# mkdir /etc/httpd/ssl[root@localhost httpd]# (umask 077; openssl genrsa -out httpd.key 2048)Generating RSA private key, 2048 bit long modulus.......................................................................+++...............................+++e is 65537 (0x10001)[root@localhost httpd]# mv httpd.key ssl[root@localhost httpd]# cd ssl[root@localhost ssl]# lltotal 4-rw-------. 1 root root 1679 Jan 8 21:42 httpd.key
(2)生成证书签署请求:
[root@localhost ssl]# openssl req -new -key httpd.key -out httpd.csr -days 365You are about to be asked to enter information that will be incorporatedinto your certificate request.What you are about to enter is what is called a Distinguished Name or a DN.There are quite a few fields but you can leave some blankFor some fields there will be a default value,If you enter '.', the field will be left blank.-----Country Name (2 letter code) [XX]:CNState or Province Name (full name) []:beijingLocality Name (eg, city) [Default City]:beijingOrganization Name (eg, company) [Default Company Ltd]:mageeduOrganizational Unit Name (eg, section) []:opsCommon Name (eg, your name or your server's hostname) []:ca.mageedu.comEmail Address []:caadmin@mageedu.comPlease enter the following 'extra' attributesto be sent with your certificate requestA challenge password []:tianzhuangAn optional company name []:
创建完证书签署请求就会在当前目录生成证书请求文件,需要把该文件拷贝到需要签署的CA主机上
[root@localhost ssl]# lltotal 8-rw-r--r--. 1 root root 1094 Jan 8 21:53 httpd.csr-rw-------. 1 root root 1679 Jan 8 21:42 httpd.key
(3)使用scp命令将请求文件拷贝到CA主机上
[root@localhost ssl]# scp httpd.csr root@172.16.249.147:/tmp/The authenticity of host '172.16.249.147 (172.16.249.147)' can't be established.RSA key fingerprint is bd:1c:aa:7f:18:b9:94:8e:32:64:5d:b0:ab:0f:68:56.Are you sure you want to continue connecting (yes/no)?yesWarning: Permanently added '172.16.249.147' (RSA) to the list of known hosts.root@172.16.249.147's password: httpd.csr 100% 1094 1.1KB/s 00:00
在CA主机上的/tmp目录下就会存在需要签署的证书请求文件
(4)在CA主机上签署证书:
[root@Tzz ~]# openssl ca -in /tmp/httpd.csr -out /etc/pki/CA/certs/httpd.crt -days 365Using configuration from /etc/pki/tls/openssl.cnfCheck that the request matches the signatureSignature okCertificate Details: Serial Number: 1 (0x1) Validity Not Before: Jan 8 10:34:22 2016 GMT Not After : Jan 7 10:34:22 2017 GMT Subject: countryName = CN stateOrProvinceName = beijing organizationName = mageedu organizationalUnitName = ops commonName = ca.mageedu.com emailAddress = caadmin@mageedu.com X509v3 extensions: X509v3 Basic Constraints: CA:FALSE Netscape Comment: OpenSSL Generated Certificate X509v3 Subject Key Identifier: 6A:9A:B4:54:2E:ED:3F:2B:8C:92:7B:23:76:F8:C4:7A:52:5D:62:E9 X509v3 Authority Key Identifier: keyid:32:1F:DF:C4:D4:8D:0C:3C:1B:46:58:A6:9D:DD:3F:13:6E:16:C6:13Certificate is to be certified until Jan 7 10:34:22 2017 GMT (365 days)Sign the certificate? [y/n]:y1 out of 1 certificate requests certified, commit? [y/n]yWrite out database with 1 new entriesData Base Updated[root@Tzz CA]# cat index.txtV 170107103422Z 01 unknown /C=CN/ST=beijing/O=mageedu/OU=ops/CN=ca.mageedu.com/emailAddress=caadmin@mageedu.com
(5)将该证书发给请求的服务器:
[root@Tzz CA]# scp certs/httpd.crt root@172.16.249.130:/etc/httpd/ssl/The authenticity of host '172.16.249.130 (172.16.249.130)' can't be established.RSA key fingerprint is 6a:da:12:82:89:b5:83:c9:52:ca:01:4b:eb:83:35:56.Are you sure you want to continue connecting (yes/no)? yesWarning: Permanently added '172.16.249.130' (RSA) to the list of known hosts.root@172.16.249.130's password: httpd.crt 100% 5882 5.7KB/s 00:00
(6)查看证书信息:
[root@Tzz CA]# openssl x509 -in certs/httpd.crt -noout -serial -subjectserial=01subject= /C=CN/ST=beijing/O=mageedu/OU=ops/CN=ca.mageedu.com/emailAddress=caadmin@mageedu.com
至此证书就签署完毕并可以使用。