In this article the 丸趣 TV editor explains in detail "what openssl does in Linux". The content is detailed, the steps are clear and the details are handled carefully; we hope this article on "what openssl does in Linux" helps answer your questions. Follow the editor's train of thought step by step and learn something new.
In Linux, openssl is an extremely powerful command-line tool that can perform many tasks related to public key infrastructure and HTTPS. openssl has two modes of operation: interactive mode and batch mode. Typing openssl alone and pressing Enter starts interactive mode; typing openssl followed by a command and its options runs it in batch mode.
I. Introduction to the openssl command
openssl is an extremely powerful command-line tool that can perform many tasks related to Public Key Infrastructure (PKI) and HTTPS. OpenSSL is a robust Secure Sockets Layer cryptographic library: it contains the major cryptographic algorithms, the common key and certificate packaging and management functions and the SSL protocol, and it ships with a rich set of applications for testing and other purposes.
openssl has two modes of operation: interactive mode and batch mode. Typing openssl alone and pressing Enter starts interactive mode; typing openssl followed by a command and its options runs it in batch mode.
The openssl package is roughly divided into three main functional parts: the cryptographic algorithm library, the SSL protocol library and the applications, and the openssl directory layout is naturally organised around these three parts. What the openssl command can do:
Creation and management of private keys, public keys and parameters
Public key cryptographic operations
Creation of X.509 certificates, CSRs and CRLs
Calculation of message digests
Encryption and decryption with ciphers
SSL/TLS client and server tests
Handling of S/MIME signed or encrypted mail
Time stamp requests, generation and verification
II. Usage examples
1. Getting command help in interactive mode
OpenSSL help
Standard commands
asn1parse ca ciphers cms
crl crl2pkcs7 dgst dhparam
dsa dsaparam ec ecparam
enc engine errstr gendsa
genpkey genrsa help list
nseq ocsp passwd pkcs12
pkcs7 pkcs8 pkey pkeyparam
pkeyutl prime rand rehash
req rsa rsautl s_client
s_server s_time sess_id smime
speed spkac srp storeutl
ts verify version x509
Message Digest commands (see the `dgst' command for more details)
blake2b512 blake2s256 gost md4
md5 mdc2 rmd160 sha1
sha224 sha256 sha3-224 sha3-256
sha3-384 sha3-512 sha384 sha512
sha512-224 sha512-256 shake128 shake256
sm3
Cipher commands (see the `enc' command for more details)
aes-128-cbc aes-128-ecb aes-192-cbc aes-192-ecb
aes-256-cbc aes-256-ecb aria-128-cbc aria-128-cfb
aria-128-cfb1 aria-128-cfb8 aria-128-ctr aria-128-ecb
aria-128-ofb aria-192-cbc aria-192-cfb aria-192-cfb1
aria-192-cfb8 aria-192-ctr aria-192-ecb aria-192-ofb
aria-256-cbc aria-256-cfb aria-256-cfb1 aria-256-cfb8
aria-256-ctr aria-256-ecb aria-256-ofb base64
bf bf-cbc bf-cfb bf-ecb
bf-ofb camellia-128-cbc camellia-128-ecb camellia-192-cbc
camellia-192-ecb camellia-256-cbc camellia-256-ecb cast
cast-cbc cast5-cbc cast5-cfb cast5-ecb
cast5-ofb des des-cbc des-cfb
des-ecb des-ede des-ede-cbc des-ede-cfb
des-ede-ofb des-ede3 des-ede3-cbc des-ede3-cfb
des-ede3-ofb des-ofb des3 desx
idea idea-cbc idea-cfb idea-ecb
idea-ofb rc2 rc2-40-cbc rc2-64-cbc
rc2-cbc rc2-cfb rc2-ecb rc2-ofb
rc4 rc4-40 seed seed-cbc
seed-cfb seed-ecb seed-ofb sm4-cbc
sm4-cfb sm4-ctr sm4-ecb sm4-ofb
2. Checking the version
OpenSSL version
OpenSSL 1.1.1h 22 Sep 2020
3. base64 encoding and decoding with the openssl command
base64 encoding
(base) [root@sun-site certs]# echo "wuhs" | openssl base64
d3Vocwo=
(base) [root@sun-site certs]# echo "wuhs" > 1.txt
(base) [root@sun-site certs]# openssl base64 -in 1.txt
d3Vocwo=
base64 decoding
(base) [root@sun-site certs]# echo "d3Vocwo=" | openssl base64 -d
wuhs
(base) [root@sun-site certs]# openssl base64 -d -in 1.base64
wuhs
4. Generating a random password with openssl
Generate a 12-character random password
(base) [root@sun-site certs]# openssl rand -base64 10 |cut -c 1-12
PGznlV5Og0Us
5. Computing digests with the openssl command
Compute the MD5 digest of the string "wuhs"
(base) [root@sun-site certs]# echo wuhs | openssl md5
(stdin)= 4cdb1fbd6a34ff27dc8c10913fab3e7e
(base) [root@sun-site certs]# openssl md5 1.txt
MD5(1.txt)= 4cdb1fbd6a34ff27dc8c10913fab3e7e
Compute the SHA-1 digest of the string "wuhs"
(base) [root@sun-site certs]# openssl sha1 1.txt
SHA1(1.txt)= bd8f0b20de17d623608218d05e8741502cf42302
(base) [root@sun-site certs]# echo wuhs | openssl sha1
(stdin)= bd8f0b20de17d623608218d05e8741502cf42302
6. AES encryption and decryption with the openssl command
Encrypt the string "wuhs" with AES using the password 123 (the -k option), and print the result base64 encoded
(base) [root@sun-site certs]# openssl aes-128-cbc -in 1.txt -k 123 -base64
*** WARNING : deprecated key derivation used.
Using -iter or -pbkdf2 would be better.
U2FsdGVkX194Z8P5c7C8vmXbA39omlqU/ET8xaehVFk=
Decrypt the AES-encrypted file data with the password 123
(base) [root@sun-site certs]# openssl aes-128-cbc -d -k 123 -base64 -in 2.txt
*** WARNING : deprecated key derivation used.
Using -iter or -pbkdf2 would be better.
wuhs
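The warning printed above comes from the key derivation, not from AES itself. As an added example (not part of the original article), the Python below re-implements the two derivations behind that warning: the legacy EVP_BytesToKey (MD5, one round) that -k alone uses, and the PBKDF2-HMAC-SHA256 derivation selected by -pbkdf2. It parses the page's own base64 ciphertext to recover the salt and uses the page's password 123; the function names are my own.

```python
import base64
import hashlib

# Base64 container copied from the page's "openssl aes-128-cbc -k 123 -base64" run.
PAGE_CIPHERTEXT_B64 = "U2FsdGVkX194Z8P5c7C8vmXbA39omlqU/ET8xaehVFk="
PAGE_PASSWORD = b"123"          # the -k value used on the page
MAGIC = b"Salted__"             # prefix 'openssl enc' writes before the 8-byte salt


def parse_openssl_enc(b64_blob: str) -> dict:
    """Split an 'openssl enc' container into its salt and ciphertext."""
    raw = base64.b64decode(b64_blob)
    if len(raw) < 16 or not raw.startswith(MAGIC):
        raise ValueError("not a salted 'openssl enc' container")
    return {"salt": raw[8:16], "ciphertext": raw[16:]}


def evp_bytes_to_key(password: bytes, salt: bytes, key_len: int, iv_len: int):
    """Legacy EVP_BytesToKey as 'openssl enc -k' uses it: MD5, one iteration.
    Block i = MD5(block i-1 || password || salt); blocks are concatenated and
    split into key and IV. One MD5 per guess is why openssl warns about it."""
    material, block = b"", b""
    while len(material) < key_len + iv_len:
        block = hashlib.md5(block + password + salt).digest()
        material += block
    return material[:key_len], material[key_len:key_len + iv_len]


def pbkdf2_key_iv(password: bytes, salt: bytes, key_len: int, iv_len: int,
                  iterations: int = 10000):
    """Derivation selected by 'openssl enc -pbkdf2': PBKDF2-HMAC-SHA256 with
    10000 iterations by default (-iter overrides), key and IV from one block."""
    material = hashlib.pbkdf2_hmac("sha256", password, salt, iterations,
                                   key_len + iv_len)
    return material[:key_len], material[key_len:key_len + iv_len]


def derive_both(b64_blob: str, password: bytes) -> dict:
    """Recover the salt from the container and derive the aes-128-cbc key/IV
    (16 + 16 bytes) both ways, so the two can be compared side by side."""
    parsed = parse_openssl_enc(b64_blob)
    legacy_key, legacy_iv = evp_bytes_to_key(password, parsed["salt"], 16, 16)
    kdf_key, kdf_iv = pbkdf2_key_iv(password, parsed["salt"], 16, 16)
    return {"salt": parsed["salt"], "ciphertext": parsed["ciphertext"],
            "legacy_key": legacy_key, "legacy_iv": legacy_iv,
            "pbkdf2_key": kdf_key, "pbkdf2_iv": kdf_iv}


if __name__ == "__main__":
    result = derive_both(PAGE_CIPHERTEXT_B64, PAGE_PASSWORD)
    for name in ("salt", "legacy_key", "legacy_iv", "pbkdf2_key", "pbkdf2_iv"):
        print(f"{name:11s} {result[name].hex()}")
```

The salt is stored in the clear, so the only thing protecting the file is the cost of turning a password guess into a key; with the legacy derivation that cost is a single MD5.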
7. Key generation and verification
Create an encrypted private key
(base) [root@sun-site tmp]# openssl genrsa -des3 -out sunsite.key 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
…+++++
…+++++
e is 65537 (0x010001)
Enter pass phrase for sunsite.key:
Verifying - Enter pass phrase for sunsite.key:
(base) [root@sun-site tmp]# ll
total 16
-rw------- 1 root root 1751 Oct 25 14:43 sunsite.key
Verify the private key
(base) [root@sun-site tmp]# openssl rsa -check -in sunsite.key
Enter pass phrase for sunsite.key:
RSA key ok
writing RSA key
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEA1jDreCAjX5kpNmnyNayQB/GUvyIRvZZM2WoKAIjne91JupgP
OKmBdYSWeWsf0h0XU9ubhCHpgCss2hdRKxLN3rJLlFD98TUKpb9S2XkfrT9s3cLN
PQyCELK60zrs1sE52I4pDj4nTZPZCL9mykzqwNa5rcGuHN/lLnvJxFPJOJwVWbVE
Bvh+jGioJbi+Ar0rs37/8naGBYz5k4BFn5sCKrhssoMEpDWjMz4yJMpycTlEFITa
…
Encrypt the private key; after the pass phrase is entered the key file is stored encrypted
(base) [root@sun-site tmp]# openssl rsa -des3 -in sunsite.key -out sunsite.key
writing RSA key
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
Decrypt the private key; after the pass phrase is entered the key file is written unencrypted
(base) [root@sun-site tmp]# openssl rsa -in sunsite.key -out sunsite2.key
Enter pass phrase for sunsite.key:
writing RSA key
8. Generating a certificate signing request
Generate a CSR from a specified private key file
(base) [root@sun-site tmp]# openssl req \
-key sunsite.key \
-new -out sunsite.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:HuNan
Locality Name (eg, city) []:changsha
Organization Name (eg, company) [Internet Widgits Pty Ltd]:sunsite
Organizational Unit Name (eg, section) []:jsb
Common Name (e.g. server FQDN or YOUR name) []:wuhs
Email Address []:524627027@qq.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:123456
Generate a private key and a CSR in one step
(base) [root@sun-site tmp]# openssl req \
-newkey rsa:2048 -nodes -keyout s.key \
-out s.csr
Generating a RSA private key
…+++++
.+++++
writing new private key to 's.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:cn
State or Province Name (full name) [Some-State]:hunan
Locality Name (eg, city) []:changsha
Organization Name (eg, company) [Internet Widgits Pty Ltd]:sunsite
Organizational Unit Name (eg, section) []:jsb
Common Name (e.g. server FQDN or YOUR name) []:wuhs
Email Address []:524627027@qq.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:123456
(base) [root@sun-site tmp]# ll
total 28
-rw-r--r-- 1 root root 1102 Oct 25 15:37 s.csr
-rw------- 1 root root 1708 Oct 25 15:37 s.key
Generate a CSR from an existing certificate and private key
openssl x509 \
-in domain.crt \
-signkey domain.key \
-x509toreq -out domain.csr
View a CSR file
(base) [root@sun-site tmp]# openssl req -text -noout -verify -in sunsite.csr
9. Creating and viewing SSL certificates
Generate a self-signed certificate
(base) [root@sun-site tmp]# openssl req \
-newkey rsa:2048 -nodes -keyout sunsite.key \
-x509 -days 365 -out sunsite.crt
Generating a RSA private key
…+++++
…+++++
writing new private key to 'sunsite.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:cn
State or Province Name (full name) [Some-State]:hn
Locality Name (eg, city) []:cs
Organization Name (eg, company) [Internet Widgits Pty Ltd]:sunsite
Organizational Unit Name (eg, section) []:jsb
Common Name (e.g. server FQDN or YOUR name) []:wuhs
Email Address []:524627027@qq.com
(base) [root@sun-site tmp]# ll
-rw-r--r-- 1 root root 1383 Oct 25 16:03 sunsite.crt
-rw-r--r-- 1 root root 1102 Oct 25 15:05 sunsite.csr
-rw------- 1 root root 1708 Oct 25 16:03 sunsite.key
Generate a self-signed certificate from an existing private key
(base) [root@sun-site tmp]# openssl req \
-key sunsite.key -new \
-x509 -days 365 -out sunsite.crt
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:cn
State or Province Name (full name) [Some-State]:hn
Locality Name (eg, city) []:cs
Organization Name (eg, company) [Internet Widgits Pty Ltd]:sunsite
Organizational Unit Name (eg, section) []:jsb
Common Name (e.g. server FQDN or YOUR name) []:wuhs
Email Address []:wuhs@qq.com
Generate a self-signed certificate from an existing private key and CSR
(base) [root@sun-site tmp]# openssl x509 \
-signkey sunsite.key \
-in sunsite.csr \
-req -days 365 -out sunsite.crt
Signature ok
subject=C = CN, ST = HuNan, L = changsha, O = sunsite, OU = jsb, CN = wuhs, emailAddress = 524627027@qq.com
Getting Private key
View the certificate
(base) [root@sun-site tmp]# openssl x509 -text -noout -in sunsite.crt
Verify that the certificate was issued by a CA
(base) [root@sun-site tmp]# openssl verify -verbose -CAfile ca.crt sunsite.crt
Error loading file ca.crt
# the CA certificate ca.crt is required for this check
Verify that the private key, certificate and CSR match
(base) [root@sun-site tmp]# openssl x509 -noout -modulus -in sunsite.crt |openssl md5
(stdin)= e26905e973af69aed4e4d707f882de61
(base) [root@sun-site tmp]# openssl rsa -noout -modulus -in sunsite.key |openssl md5
(stdin)= e26905e973af69aed4e4d707f882de61
(base) [root@sun-site tmp]# openssl req -noout -modulus -in sunsite.csr |openssl md5
(stdin)= e26905e973af69aed4e4d707f882de61
# identical MD5 checksums of the modulus show that all three match
10. Certificate format conversion
PEM to DER
(base) [root@sun-site tmp]# openssl x509 -in sunsite.crt -outform der -out sunsite.der
DER to PEM
(base) [root@sun-site tmp]# openssl x509 -in sunsite.der -inform der -out sunsite.crt
PEM to PKCS#7
(base) [root@sun-site tmp]# openssl crl2pkcs7 -nocrl -certfile sunsite.crt -certfile ca-chain.crt -out sunsite.p7b
PKCS#7 to PEM
openssl pkcs7 -in domain.p7b -print_certs -out domain.crt
PEM to PKCS#12
openssl pkcs12 -inkey domain.key -in domain.crt -export -out domain.pfx
PKCS#12 to PEM
openssl pkcs12 -in domain.pfx -nodes -out domain.combined.crt
11. Certificate revocation
The client obtains the serial number of the certificate to be revoked (run on the host that uses the certificate)
(base) [root@sun-site tmp]# openssl x509 -in sunsite.crt -noout -serial -subject
serial=2DA086B4B14ECE63535734049A4BCF70290446C9
subject=C = CN, ST = HuNan, L = changsha, O = sunsite, OU = jsb, CN = wuhs, emailAddress = 524627027@qq.com
12. Getting help for a command
Using the openssl x509 command as an example
(base) [root@sun-site tmp]# openssl x509 -help
III. Syntax and command reference
1. Syntax
openssl command [ command_opts ] [ command_args ]
2. Standard commands
Command     Description
asn1parse   Parse an ASN.1 sequence.
ca          Certificate Authority (CA) management.
ciphers     Cipher suite description determination.
cms         CMS (Cryptographic Message Syntax) utility.
crl         Certificate Revocation List (CRL) management.
crl2pkcs7   CRL to PKCS#7 conversion.
dgst        Message digest calculation.
dh          Diffie-Hellman parameter management. Obsoleted by dhparam.
dhparam     Generation and management of Diffie-Hellman parameters. Superseded by genpkey and pkeyparam.
dsa         DSA data management.
dsaparam    DSA parameter generation and management. Superseded by genpkey and pkeyparam.
ec          EC (elliptic curve) key processing.
ecparam     EC parameter manipulation and generation.
enc         Encoding with ciphers.
engine      Engine (loadable module) information and manipulation.
errstr      Error number to error string conversion.
gendh       Generation of Diffie-Hellman parameters. Obsoleted by dhparam.
gendsa      Generation of a DSA private key from parameters. Superseded by genpkey and pkey.
genpkey     Generation of a private key or parameters.
genrsa      Generation of an RSA private key. Superseded by genpkey.
nseq        Create or examine a Netscape certificate sequence.
ocsp        Online Certificate Status Protocol utility.
passwd      Generation of hashed passwords.
pkcs12      PKCS#12 data management.
pkcs7       PKCS#7 data management.
pkey        Public and private key management.
pkeyparam   Public key algorithm parameter management.
pkeyutl     Public key algorithm cryptographic operation utility.
rand        Generate pseudo-random bytes.
req         PKCS#10 X.509 Certificate Signing Request (CSR) management.
rsa         RSA key management.
rsautl      RSA utility for signing, verification, encryption and decryption. Superseded by pkeyutl.
s_client    Implements a generic SSL/TLS client that can establish a transparent connection to a remote server speaking SSL/TLS. It is intended for testing purposes only and provides only rudimentary interface functionality, but internally uses mostly all of the functionality of the OpenSSL ssl library.
s_server
s_time      SSL connection timer.
sess_id     SSL session data management.
smime       S/MIME mail processing.
speed       Algorithm speed measurement.
spkac       SPKAC printing and generating utility.
ts          Time Stamping Authority tool (client/server).
verify      X.509 certificate verification.
version     OpenSSL version information.
x509        X.509 certificate data management.
3. Message digest commands
Command     Description
md2         MD2 digest
md5         MD5 digest
mdc2        MDC2 digest
rmd160      RMD-160 digest
sha         SHA digest
sha1        SHA-1 digest
sha224      SHA-224 digest
sha256      SHA-256 digest
sha384      SHA-384 digest
sha512      SHA-512 digest
4. Encoding and cipher commands
Command                                                                      Description
base64                                                                       base64 encoding
bf bf-cbc bf-cfb bf-ecb bf-ofb                                               Blowfish cipher
cast cast-cbc                                                                CAST cipher
cast5-cbc cast5-cfb cast5-ecb cast5-ofb                                      CAST5 cipher
des des-cbc des-cfb des-ecb des-ede des-ede-cbc des-ede-cfb des-ede-ofb des-ofb   DES cipher
des3 desx des-ede3 des-ede3-cbc des-ede3-cfb des-ede3-ofb                     Triple-DES cipher
idea idea-cbc idea-cfb idea-ecb idea-ofb                                     IDEA cipher
rc2 rc2-cbc rc2-cfb rc2-ecb rc2-ofb                                          RC2 cipher
rc4                                                                          RC4 cipher
rc5 rc5-cbc rc5-cfb rc5-ecb rc5-ofb                                          RC5 cipher
That concludes this article on "what openssl does in Linux". To really master the material you still need to try the commands yourself. For more articles on related topics, follow the 丸趣 TV industry news channel.