7.1.1. version
[root@netkiller nginx]# openssl version
OpenSSL 1.0.1e-fips 11 Feb 2013
7.1.2. 测试加密算法的速度
$ openssl speed
$ openssl speed rsa
$ openssl speed aes
7.1.3. req
openssl req -new -x509 -days 7300 -key ca.key -out ca.crt
7.1.4. x509
openssl x509 -req -in client-req.csr -out client.crt -signkey client-key.pem -CA ca.crt -CAkey ca.key -days 365 -CAserial serial
验证一下我们生成的文件。
openssl x509 -in cacert.pem -text -noout
-extfile
openssl x509 -req -in careq.pem -extfile openssl.cnf -extensions v3_ca -signkey key.pem -out cacert.pem
7.1.5. ca
# 生成CRL列表
$ openssl ca -gencrl -out exampleca.crl
7.1.6. crl
# 查看CRL列表信息
$ openssl crl -in exampleca.crl -text -noout
# 验证CRL列表签名信息
$ openssl crl -in exampleca.crl -noout -CAfile cacert.pem
7.1.7. pkcs12
-clcerts 表示仅导出客户证书。
openssl pkcs12 -export -clcerts -in 324.cer -inkey ca.pem -out 324.p12 -name "Email SMIME"
转换PEM证书文件和私钥到PKCS#12文件
openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt
7.1.8. passwd
MD5-based password algorithm (-1 选项)
# openssl passwd -1 -salt 'random-phrase-here' 'your-password-here'
$1$random-p$AOw9RDIWQm6tfUo9Ediu/0
-crypt standard Unix password algorithm (default)（传统 crypt(3) 方案只使用口令的前 8 个字符，强度很低，不适合保护新口令）
# openssl passwd -crypt -salt 'sa' 'password'
sa3tHJ3/KuYvI
7.1.9. digest
如何创建一个文件的 MD5 或 SHA1 摘要?（注意：MD5 与 SHA1 已不具备抗碰撞性，用于对抗篡改的完整性校验时建议改用 -sha256）
摘要创建使用 dgst 选项.
7.1.9.1. list-message-digest-commands
列出可用摘要
$ openssl list-message-digest-commands
md2
md4
md5
mdc2
rmd160
sha
sha1
7.1.9.2. md5
# MD5 digest
openssl dgst -md5 filename
注意：MD5 信息摘要也同样可以使用 md5sum 创建。
$ echo "Hello World!" > message.txt
$ openssl dgst -md5 message.txt
MD5(message.txt)= d9226d4bd8779baa69db272f89a2e05c
7.1.9.3. sha1
# SHA1 digest
openssl dgst -sha1 filename
$ openssl dgst -sha1 /etc/passwd
SHA1(/etc/passwd)= 9d883a9d35fd9a6dc81e6a1717a8e2ecfc49cdd8
7.1.10. enc
使用方法（用 -k 在命令行上传入口令时，口令会出现在进程列表和 shell 历史中；可省略 -k 改为交互式输入，见下文 des/rc4 示例）:
$ openssl enc 加密算法 -k 密码 -in 输入明文文件 -out 输出密文文件
$ openssl enc -d 加密算法 -k 密码 -in 输出密文文件 -out 输入明文文件
7.1.10.1. list-cipher-commands
可用的编码/解码方案
# or get a long list, one cipher per line openssl list-cipher-commands # openssl list-cipher-commands aes-128-cbc aes-128-ecb aes-192-cbc aes-192-ecb aes-256-cbc aes-256-ecb base64 bf bf-cbc bf-cfb bf-ecb bf-ofb cast cast-cbc cast5-cbc cast5-cfb cast5-ecb cast5-ofb des des-cbc des-cfb des-ecb des-ede des-ede-cbc des-ede-cfb des-ede-ofb des-ede3 des-ede3-cbc des-ede3-cfb des-ede3-ofb des-ofb des3 desx idea idea-cbc idea-cfb idea-ecb idea-ofb rc2 rc2-40-cbc rc2-64-cbc rc2-cbc rc2-cfb rc2-ecb rc2-ofb rc4 rc4-40 rc5 rc5-cbc rc5-cfb rc5-ecb rc5-ofb
7.1.10.2. base64
使用 base64-encode 编码/解码?
使用 enc -base64 选项
# send encoded contents of file.txt to stdout
openssl enc -base64 -in file.txt
# same, but write contents to file.txt.enc
openssl enc -base64 -in file.txt -out file.txt.enc
命令行
C:\GnuWin32\neo>openssl enc -base64 -in file.txt
SGVsbG8gV29ybGQhDQo=
C:\GnuWin32\neo>openssl enc -base64 -in file.txt -out file.txt.enc
C:\GnuWin32\neo>type file.txt.enc
SGVsbG8gV29ybGQhDQo=
C:\GnuWin32\neo>
通过管道操作
C:\GnuWin32\neo>echo "encode me" | openssl enc -base64
ImVuY29kZSBtZSIgDQo=
C:\GnuWin32\neo>echo -n "encode me" | openssl enc -base64
LW4gImVuY29kZSBtZSIgDQo=
C:\GnuWin32\neo>
（注意：cmd.exe 的 echo 不支持 -n 选项，所以第二条命令把字面的 "-n " 和引号、回车换行一起编码进去了，输出因此与第一条不同。）
使用 -d (解码) 选项来反转操作.
C:\GnuWin32\neo>openssl enc -base64 -d -in file.txt.enc
Hello World!
C:\GnuWin32\neo>openssl enc -base64 -d -in file.txt.enc -out file.txt
快速命令行
C:\GnuWin32\neo>type file.txt.enc | openssl enc -base64 -d
Hello World!
C:\GnuWin32\neo>type file.txt.enc
SGVsbG8gV29ybGQhDQo=
C:\GnuWin32\neo>echo SGVsbG8gV29ybGQhDQo= | openssl enc -base64 -d
Hello World!
7.1.10.3. des
对称加密与解密（DES 的有效密钥只有 56 位，已不安全，这里仅作示例；实际使用请参考 7.1.10.4 改用 AES）
加密
# openssl enc -des -e -a -in file.txt -out file.txt.des
enter des-cbc encryption password:
Verifying - enter des-cbc encryption password:
解密
# openssl enc -des -d -a -in file.txt.des -out file.txt.tmp
enter des-cbc decryption password:
7.1.10.4. aes
加密（enc 由口令派生密钥时默认的派生方式较弱；OpenSSL 1.1.1 及以后版本建议加上 -pbkdf2 选项，本文所用的 1.0.1e 不支持该选项）
openssl enc -aes-128-cbc -in filename -out filename.out
解密
openssl enc -d -aes-128-cbc -in filename.out -out filename
7.1.11. rsa
产生密钥对
生成私钥（示例为 1024 位，目前 RSA 密钥长度至少应使用 2048 位）
openssl genrsa -out private.key 1024
根据私钥产生公钥
openssl rsa -in private.key -pubout > public.key
用公钥加密明文（rsautl 只能加密长度小于密钥长度的少量数据，通常用于加密对称密钥，而不是直接加密整个文件）
$ openssl rsautl -encrypt -pubin -inkey public.key -in filename -out filename.out
用私钥解密
$ openssl rsautl -decrypt -inkey private.key -in filename.out -out filename
7.1.12. dsa
Example 7.1. dsaparam & gendsa
# create parameters in dsaparam.pem
openssl dsaparam -out dsaparam.pem 1024
# create first key
openssl gendsa -out key1.pem dsaparam.pem
# and second ...
openssl gendsa -out key2.pem dsaparam.pem
生成私钥
openssl dsaparam -out dsaparam.pem 1024
openssl gendsa -out private.key dsaparam.pem
根据私钥产生公钥
openssl dsa -in private.key -pubout -out public.key
$ ls dsaparam.pem private.key public.key $ cat * -----BEGIN DSA PARAMETERS----- MIIBHgKBgQCAkvuZmbK7zgTv3WnYayypdghcNKA+jP7/fdwy82JfqkJeF38FOOu8 4cbrQjzs6XdANeZk3c6BVQfqNfFnUomKARm0gdqeelsmyHMV+0jy7fuX1HHIUZyJ Rqravmh+o9iYX1aA3jsP5sDoosEEEYKQBAUEi6vwzCnjCra3TBuvmQIVAPYqwKI3 v6nkKAfn+lqPvmHqVDv5AoGAb7vilZ7EtuYpJbpURZtTPOtLpMmpfwXq+g7cKQ7Z mC+TCwzVUkBv8s/gxwr7r92bCmGTGJGuBVGqI0yEbrkMRGieJwOrS885NNg+AiTW DB0Xo2klaTg5rFydGxPvWI72cpyds69Ptm4z9Th0xrtDUNIYPdDIR+rVUao5XBS9 U4w= -----END DSA PARAMETERS----- -----BEGIN DSA PRIVATE KEY----- MIIBugIBAAKBgQCAkvuZmbK7zgTv3WnYayypdghcNKA+jP7/fdwy82JfqkJeF38F OOu84cbrQjzs6XdANeZk3c6BVQfqNfFnUomKARm0gdqeelsmyHMV+0jy7fuX1HHI UZyJRqravmh+o9iYX1aA3jsP5sDoosEEEYKQBAUEi6vwzCnjCra3TBuvmQIVAPYq wKI3v6nkKAfn+lqPvmHqVDv5AoGAb7vilZ7EtuYpJbpURZtTPOtLpMmpfwXq+g7c KQ7ZmC+TCwzVUkBv8s/gxwr7r92bCmGTGJGuBVGqI0yEbrkMRGieJwOrS885NNg+ AiTWDB0Xo2klaTg5rFydGxPvWI72cpyds69Ptm4z9Th0xrtDUNIYPdDIR+rVUao5 XBS9U4wCgYBISbp4/z5JY2OqXVttS6G4GQT0PMAiJZi9pty4H0rKoSmbrgjev/wp 7BW8NqaJnlSjNCzF4SH+DXxZeuktJPNftHYi8BPIrHxR6CG1h7VPDr/IwSoff0Kx Lhc6vqxcCRpcQoqbhXGG5RxMsczD4nRmdmhXbelPRu10T4qxEiVG7gIUc1KsK+hA +EzXl80Eyj2Si7UH/wI= -----END DSA PRIVATE KEY----- -----BEGIN PUBLIC KEY----- MIIBtjCCASsGByqGSM44BAEwggEeAoGBAICS+5mZsrvOBO/dadhrLKl2CFw0oD6M /v993DLzYl+qQl4XfwU467zhxutCPOzpd0A15mTdzoFVB+o18WdSiYoBGbSB2p56 WybIcxX7SPLt+5fUcchRnIlGqtq+aH6j2JhfVoDeOw/mwOiiwQQRgpAEBQSLq/DM KeMKtrdMG6+ZAhUA9irAoje/qeQoB+f6Wo++YepUO/kCgYBvu+KVnsS25iklulRF m1M860ukyal/Ber6DtwpDtmYL5MLDNVSQG/yz+DHCvuv3ZsKYZMYka4FUaojTIRu uQxEaJ4nA6tLzzk02D4CJNYMHRejaSVpODmsXJ0bE+9YjvZynJ2zr0+2bjP1OHTG u0NQ0hg90MhH6tVRqjlcFL1TjAOBhAACgYBISbp4/z5JY2OqXVttS6G4GQT0PMAi JZi9pty4H0rKoSmbrgjev/wp7BW8NqaJnlSjNCzF4SH+DXxZeuktJPNftHYi8BPI rHxR6CG1h7VPDr/IwSoff0KxLhc6vqxcCRpcQoqbhXGG5RxMsczD4nRmdmhXbelP Ru10T4qxEiVG7g== -----END PUBLIC KEY-----
7.1.13. rc4
加密文件（RC4 流密码已被证明不安全，不应再用于新系统，这里仅作为命令用法示例）
# openssl enc -e -rc4 -in in.txt -out out.txt
enter rc4 encryption password:
Verifying - enter rc4 encryption password:
解密文件
# openssl enc -d -rc4 -in out.txt -out test.txt
enter rc4 decryption password:
使用 -k 指定口令（-k 指定的是用于派生密钥的口令而非原始密钥；原始密钥用大写的 -K 以十六进制指定）
openssl enc -e -rc4 -k passwd -in in.txt -out out.txt
openssl enc -d -rc4 -k passwd -in out.txt -out test.txt
7.1.14. -config 指定配置文件
# openssl req -new -newkey rsa:2048 -config openssl.cfg -keyout server.key -nodes -out certreq.csr
7.1.15. -subj 指定参数
# openssl req -new -newkey rsa:2048 -keyout server.key -nodes -subj /C=CN/O=example.com/OU=IT/CN=Neo/ST=GD/L=Shenzhen -out certreq.csr
C:\> openssl req -new -newkey rsa:2048 -config openssl.cfg -keyout server.key -nodes -subj /C=CN/O="%OrganizationName%"/OU="%OrganizationUnit%"/CN="%CommonName%"/ST="%StateName%"/L="%LocalityName%" -out certreq.csr
openssl req -x509 -nodes -days 365 -newkey rsa:4096 -keyout /etc/nginx/ssl/www.netkiller.cn.key -out /etc/nginx/ssl/www.netkiller.cn.crt -subj "/C=CN/ST=Guangdong/L=Shenzhen/O=Global Security/OU=IT Department/CN=www.netkiller.cn/emailAddress=netkiller@msn.com"
openssl req -x509 -nodes -days 365 -newkey rsa:4096 -keyout /etc/nginx/ssl/www.netkiller.cn.key -out /etc/nginx/ssl/www.netkiller.cn.crt -subj "/C=CN/ST=Guangdong/L=Shenzhen/O=Global Security/OU=IT Department/CN=*netkiller.cn/emailAddress=netkiller@msn.com"
7.1.16. rand
生成随机数
openssl rand 12 -base64
# openssl rand -base64 24
rgphwqZFFA2tY1QfuBrmw3aN62i6ctFy
7.1.17. 去除私钥的密码（去除口令后的私钥文件任何能读取它的人都可直接使用，必须用严格的文件权限加以保护）
$ openssl rsa -in neo.key -out nopassword.key
Enter pass phrase for neo.key:
writing RSA key
原文出处:Netkiller 系列 手札
本文作者:陈景峯
转载请与作者联系,同时请务必标明文章原始出处和作者信息及本声明。
时间: 2024-08-02 10:45:16