In this article the 丸趣 TV editor explains in detail "what openssl is for on Linux". The content is thorough, the steps are clear and the details are handled carefully; we hope it resolves your questions. Follow the editor's train of thought below and learn something new.
On Linux, openssl is an extremely powerful command-line tool that can carry out many tasks related to public key infrastructure and HTTPS. openssl has two modes of operation: interactive mode and batch mode. Typing openssl on its own and pressing Enter starts interactive mode; running openssl with a command and its options runs it in batch mode.
I. Overview of the openssl command
openssl is an extremely powerful command-line tool that can carry out many tasks related to public key infrastructure (PKI) and HTTPS. It is a full-featured Secure Sockets Layer cryptographic library that covers the main cryptographic algorithms, the common key and certificate packaging and management functions and the SSL protocol, and it ships a rich set of applications for testing and other purposes.
openssl has two modes of operation: interactive mode and batch mode. Type openssl and press Enter to start interactive mode; run openssl with a command and its options to use batch mode.
The openssl package can roughly be divided into three main functional parts: the cryptographic algorithm library, the SSL protocol library and the applications; the openssl source tree is laid out around these three parts. The openssl command is used for:
Creation and management of private keys, public keys and parameters
Public key cryptographic operations
Creation of X.509 certificates, CSRs and CRLs
Calculation of message digests
Encryption and decryption with ciphers
SSL/TLS client and server tests
Handling of S/MIME signed or encrypted mail
Time stamp requests, generation and verification
II. Usage examples
1. Getting command help in interactive mode
OpenSSL> help
Standard commands
asn1parse ca ciphers cms
crl crl2pkcs7 dgst dhparam
dsa dsaparam ec ecparam
enc engine errstr gendsa
genpkey genrsa help list
nseq ocsp passwd pkcs12
pkcs7 pkcs8 pkey pkeyparam
pkeyutl prime rand rehash
req rsa rsautl s_client
s_server s_time sess_id smime
speed spkac srp storeutl
ts verify version x509
Message Digest commands (see the `dgst' command for more details)
blake2b512 blake2s256 gost md4
md5 mdc2 rmd160 sha1
sha224 sha256 sha3-224 sha3-256
sha3-384 sha3-512 sha384 sha512
sha512-224 sha512-256 shake128 shake256
sm3
Cipher commands (see the `enc' command for more details)
aes-128-cbc aes-128-ecb aes-192-cbc aes-192-ecb
aes-256-cbc aes-256-ecb aria-128-cbc aria-128-cfb
aria-128-cfb1 aria-128-cfb8 aria-128-ctr aria-128-ecb
aria-128-ofb aria-192-cbc aria-192-cfb aria-192-cfb1
aria-192-cfb8 aria-192-ctr aria-192-ecb aria-192-ofb
aria-256-cbc aria-256-cfb aria-256-cfb1 aria-256-cfb8
aria-256-ctr aria-256-ecb aria-256-ofb base64
bf bf-cbc bf-cfb bf-ecb
bf-ofb camellia-128-cbc camellia-128-ecb camellia-192-cbc
camellia-192-ecb camellia-256-cbc camellia-256-ecb cast
cast-cbc cast5-cbc cast5-cfb cast5-ecb
cast5-ofb des des-cbc des-cfb
des-ecb des-ede des-ede-cbc des-ede-cfb
des-ede-ofb des-ede3 des-ede3-cbc des-ede3-cfb
des-ede3-ofb des-ofb des3 desx
idea idea-cbc idea-cfb idea-ecb
idea-ofb rc2 rc2-40-cbc rc2-64-cbc
rc2-cbc rc2-cfb rc2-ecb rc2-ofb
rc4 rc4-40 seed seed-cbc
seed-cfb seed-ecb seed-ofb sm4-cbc
sm4-cfb sm4-ctr sm4-ecb sm4-ofb
2. Checking the version
OpenSSL> version
OpenSSL 1.1.1h 22 Sep 2020
3. Base64 encoding and decoding with openssl
Base64 encoding
(base) [root@sun-site certs]# echo "wuhs" |openssl base64
d3Vocwo=
(base) [root@sun-site certs]# echo "wuhs" > 1.txt
(base) [root@sun-site certs]# openssl base64 -in 1.txt
d3Vocwo=
Base64 decoding
(base) [root@sun-site certs]# echo "d3Vocwo=" | openssl base64 -d
wuhs
(base) [root@sun-site certs]# openssl base64 -d -in 1.base64
wuhs
4. Generating a random password with openssl
Generate a 12-character random password
(base) [root@sun-site certs]# openssl rand -base64 10 |cut -c 1-12
PGznlV5Og0Us
5. Computing digests with openssl
Compute the MD5 digest of the string "wuhs"
(base) [root@sun-site certs]# echo wuhs | openssl md5
(stdin)= 4cdb1fbd6a34ff27dc8c10913fab3e7e
(base) [root@sun-site certs]# openssl md5 1.txt
MD5(1.txt)= 4cdb1fbd6a34ff27dc8c10913fab3e7e
Compute the SHA-1 digest of the string "wuhs"
(base) [root@sun-site certs]# openssl sha1 1.txt
SHA1(1.txt)= bd8f0b20de17d623608218d05e8741502cf42302
(base) [root@sun-site certs]# echo wuhs | openssl sha1
(stdin)= bd8f0b20de17d623608218d05e8741502cf42302
6. AES encryption and decryption with openssl
Encrypt the string "wuhs" (the content of 1.txt) with AES, using 123 as the password; the result is printed base64-encoded
(base) [root@sun-site certs]# openssl aes-128-cbc -in 1.txt -k 123 -base64
*** WARNING : deprecated key derivation used.
Using -iter or -pbkdf2 would be better.
U2FsdGVkX194Z8P5c7C8vmXbA39omlqU/ET8xaehVFk=
Decrypt the AES-encrypted file data (saved in 2.txt) with password 123
(base) [root@sun-site certs]# openssl aes-128-cbc -d -k 123 -base64 -in 2.txt
*** WARNING : deprecated key derivation used.
Using -iter or -pbkdf2 would be better.
wuhs
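The warning printed above is the point to act on: -k derives the key with the legacy single-pass EVP_BytesToKey scheme. As an added example, not the post's own commands, here is the same AES-128-CBC round trip keyed with the PBKDF2 derivation the warning recommends, plus a check that a wrong password never yields the plaintext. It assumes the openssl binary is on PATH; password 123 and plaintext wuhs are the post's constructed values.

```shell
#!/bin/sh
# Added example, not from the original post. Same AES-128-CBC round trip as above,
# but keyed with PBKDF2 (100000 iterations) instead of the deprecated -k derivation.
# Assumes the openssl binary is on PATH.

ITER=100000

# enc_pbkdf2 PASSWORD PLAINTEXT -> one-line base64 ciphertext (random salt, PBKDF2 key)
enc_pbkdf2() {
    printf '%s\n' "$2" | openssl enc -aes-128-cbc -salt -pbkdf2 -iter "$ITER" \
        -pass "pass:$1" -base64 -A
}

# dec_pbkdf2 PASSWORD CIPHERTEXT -> plaintext; prints DECRYPT_FAILED if openssl rejects it
dec_pbkdf2() {
    printf '%s' "$2" | openssl enc -d -aes-128-cbc -pbkdf2 -iter "$ITER" \
        -pass "pass:$1" -base64 -A 2>/dev/null || printf 'DECRYPT_FAILED'
}

# roundtrip PASSWORD PLAINTEXT -> what comes back after encrypting and decrypting
roundtrip() {
    ct=$(enc_pbkdf2 "$1" "$2")
    dec_pbkdf2 "$1" "$ct"
}

# wrong_password PASSWORD WRONG PLAINTEXT -> result of decrypting with the wrong password
# (usually DECRYPT_FAILED from the padding check, occasionally garbage, never the plaintext)
wrong_password() {
    ct=$(enc_pbkdf2 "$1" "$3")
    dec_pbkdf2 "$2" "$ct"
}

# salted_outputs_differ PASSWORD PLAINTEXT -> yes if two runs give different ciphertext
# (the random salt means identical inputs do not produce identical ciphertext)
salted_outputs_differ() {
    a=$(enc_pbkdf2 "$1" "$2"); b=$(enc_pbkdf2 "$1" "$2")
    [ "$a" != "$b" ] && echo yes || echo no
}

roundtrip 123 wuhs   # prints wuhs
```

Because the salt is random, the base64 output changes on every run even for the same input, unlike a fixed-key scheme; that is expected and is what the last function checks.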
7. Key generation and verification
Create an encrypted private key
(base) [root@sun-site tmp]# openssl genrsa -des3 -out sunsite.key 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
…+++++
…+++++
e is 65537 (0x010001)
Enter pass phrase for sunsite.key:
Verifying - Enter pass phrase for sunsite.key:
(base) [root@sun-site tmp]# ll
total 16
-rw------- 1 root root 1751 Oct 25 14:43 sunsite.key
Verify the private key
(base) [root@sun-site tmp]# openssl rsa -check -in sunsite.key
Enter pass phrase for sunsite.key:
RSA key ok
writing RSA key
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEA1jDreCAjX5kpNmnyNayQB/GUvyIRvZZM2WoKAIjne91JupgP
OKmBdYSWeWsf0h0XU9ubhCHpgCss2hdRKxLN3rJLlFD98TUKpb9S2XkfrT9s3cLN
PQyCELK60zrs1sE52I4pDj4nTZPZCL9mykzqwNa5rcGuHN/lLnvJxFPJOJwVWbVE
Bvh+jGioJbi+Ar0rs37/8naGBYz5k4BFn5sCKrhssoMEpDWjMz4yJMpycTlEFITa
…
Encrypt the private key; once the password is entered the key file is stored encrypted
(base) [root@sun-site tmp]# openssl rsa -des3 -in sunsite.key -out sunsite.key
writing RSA key
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
Decrypt the private key; once the password is entered the key file is written out unencrypted
(base) [root@sun-site tmp]# openssl rsa -in sunsite.key -out sunsite2.key
Enter pass phrase for sunsite.key:
writing RSA key
8. Generating a certificate signing request
Generate a CSR from an existing private key file
(base) [root@sun-site tmp]# openssl req \
-key sunsite.key \
-new -out sunsite.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:HuNan
Locality Name (eg, city) []:changsha
Organization Name (eg, company) [Internet Widgits Pty Ltd]:sunsite
Organizational Unit Name (eg, section) []:jsb
Common Name (e.g. server FQDN or YOUR name) []:wuhs
Email Address []:524627027@qq.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:123456
Generate a private key and a CSR in one step
(base) [root@sun-site tmp]# openssl req \
-newkey rsa:2048 -nodes -keyout s.key \
-out s.csr
Generating a RSA private key
…+++++
.+++++
writing new private key to 's.key' -----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:cn
State or Province Name (full name) [Some-State]:hunan
Locality Name (eg, city) []:changsha
Organization Name (eg, company) [Internet Widgits Pty Ltd]:sunsite
Organizational Unit Name (eg, section) []:jsb
Common Name (e.g. server FQDN or YOUR name) []:wuhs
Email Address []:524627027@qq.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:123456
(base) [root@sun-site tmp]# ll
total 28
-rw-r--r-- 1 root root 1102 Oct 25 15:37 s.csr
-rw------- 1 root root 1708 Oct 25 15:37 s.key
Generate a CSR from an existing certificate and private key
openssl x509 \
-in domain.crt \
-signkey domain.key \
-x509toreq -out domain.csr
View and verify the CSR file
(base) [root@sun-site tmp]# openssl req -text -noout -verify -in sunsite.csr
9. Creating and viewing SSL certificates
Generate a self-signed certificate (key and certificate in one step)
(base) [root@sun-site tmp]# openssl req \
-newkey rsa:2048 -nodes -keyout sunsite.key \
-x509 -days 365 -out sunsite.crt
Generating a RSA private key
…+++++
…+++++
writing new private key to 'sunsite.key' -----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:cn
State or Province Name (full name) [Some-State]:hn
Locality Name (eg, city) []:cs
Organization Name (eg, company) [Internet Widgits Pty Ltd]:sunsite
Organizational Unit Name (eg, section) []:jsb
Common Name (e.g. server FQDN or YOUR name) []:wuhs
Email Address []:524627027@qq.com
(base) [root@sun-site tmp]# ll
-rw-r--r-- 1 root root 1383 Oct 25 16:03 sunsite.crt
-rw-r--r-- 1 root root 1102 Oct 25 15:05 sunsite.csr
-rw------- 1 root root 1708 Oct 25 16:03 sunsite.key
Generate a self-signed certificate from an existing private key
(base) [root@sun-site tmp]# openssl req \
-key sunsite.key -new \
-x509 -days 365 -out sunsite.crt
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:cn
State or Province Name (full name) [Some-State]:hn
Locality Name (eg, city) []:cs
Organization Name (eg, company) [Internet Widgits Pty Ltd]:sunsite
Organizational Unit Name (eg, section) []:jsb
Common Name (e.g. server FQDN or YOUR name) []:wuhs
Email Address []:wuhs@qq.com
Generate a self-signed certificate from an existing private key and CSR
(base) [root@sun-site tmp]# openssl x509 \
-signkey sunsite.key \
-in sunsite.csr \
-req -days 365 -out sunsite.crt
Signature ok
subject=C = CN, ST = HuNan, L = changsha, O = sunsite, OU = jsb, CN = wuhs, emailAddress = 524627027@qq.com
Getting Private key
View the certificate
(base) [root@sun-site tmp]# openssl x509 -text -noout -in sunsite.crt
Verify whether the certificate was issued by a CA
(base) [root@sun-site tmp]# openssl verify -verbose -CAfile ca.crt sunsite.crt
Error loading file ca.crt
# the CA certificate file is required for this check
Verify that the private key, certificate and CSR belong together
(base) [root@sun-site tmp]# openssl x509 -noout -modulus -in sunsite.crt |openssl md5
(stdin)= e26905e973af69aed4e4d707f882de61
(base) [root@sun-site tmp]# openssl rsa -noout -modulus -in sunsite.key |openssl md5
(stdin)= e26905e973af69aed4e4d707f882de61
(base) [root@sun-site tmp]# openssl req -noout -modulus -in sunsite.csr |openssl md5
(stdin)= e26905e973af69aed4e4d707f882de61
# identical md5 checksums of the modulus mean the three match
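The two checks above (openssl verify against a CA file, and the modulus comparison) are easier to see with a CA that actually exists. As an added example, not the post's own commands, the script below builds a throwaway CA, has it sign a CSR, and then runs both checks, including the negative cases: a self-signed certificate made with -signkey as in the post does not verify against the CA, and a key from a different CSR does not match. Names such as wuhs-ca, sunsite and other are constructed, and openssl is assumed to be on PATH.

```shell
#!/bin/sh
# Added example, not from the original post: a throwaway CA that signs the CSR,
# then the two checks the post performs by hand (openssl verify -CAfile and the
# modulus comparison). Names like wuhs-ca and sunsite are constructed; needs openssl.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_ca: self-signed CA key and certificate; -subj avoids the interactive DN prompts
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=wuhs-ca" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}
# make_csr NAME: server private key plus a CSR, like section 8 but non-interactive
make_csr() {
    openssl req -newkey rsa:2048 -nodes -subj "/C=CN/O=sunsite/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
}
# issue_cert NAME: the CA signs the CSR (-CA/-CAkey instead of -signkey)
issue_cert() {
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 30 -out "$WORK/$1.crt" 2>/dev/null
}
# self_sign NAME: the post's self-signed variant, which no CA vouches for
self_sign() {
    openssl x509 -req -in "$WORK/$1.csr" -signkey "$WORK/$1.key" -days 30 \
        -out "$WORK/$1-self.crt" 2>/dev/null
}
# verify_chain CERT: prints ok if the certificate chains to our CA, fail otherwise
verify_chain() {
    openssl verify -CAfile "$WORK/ca.crt" "$WORK/$1.crt" >/dev/null 2>&1 && echo ok || echo fail
}
# modulus_of FILE: md5 of the RSA modulus; the subcommand depends on the file type
modulus_of() {
    ( case "$1" in
        *.key) openssl rsa  -noout -modulus -in "$1" ;;
        *.csr) openssl req  -noout -modulus -in "$1" ;;
        *.crt) openssl x509 -noout -modulus -in "$1" ;;
      esac ) | openssl md5 | awk '{print $NF}'
}
# key_matches KEY CERT: match when key, CSR and certificate all share one modulus
key_matches() {
    k=$(modulus_of "$WORK/$1.key"); r=$(modulus_of "$WORK/$1.csr"); c=$(modulus_of "$WORK/$2.crt")
    [ "$k" = "$r" ] && [ "$k" = "$c" ] && echo match || echo mismatch
}

make_ca && make_csr sunsite && issue_cert sunsite && make_csr other && self_sign other
```

After the last line, verify_chain sunsite prints ok and key_matches sunsite sunsite prints match, while verify_chain other-self and key_matches other sunsite print fail and mismatch.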
10. Certificate format conversion
PEM to DER
(base) [root@sun-site tmp]# openssl x509 -in sunsite.crt -outform der -out sunsite.der
DER to PEM
(base) [root@sun-site tmp]# openssl x509 -in sunsite.der -inform der -out sunsite.crt
PEM to PKCS#7
(base) [root@sun-site tmp]# openssl crl2pkcs7 -nocrl -certfile sunsite.crt -certfile ca-chain.crt -out sunsite.p7b
PKCS#7 to PEM
openssl pkcs7 -in domain.p7b -print_certs -out domain.crt
PEM to PKCS#12
openssl pkcs12 -inkey domain.key -in domain.crt -export -out domain.pfx
PKCS#12 to PEM
openssl pkcs12 -in domain.pfx -nodes -out domain.combined.crt
11. Certificate revocation
Obtain the serial number of the certificate to be revoked (run on the host that uses the certificate)
(base) [root@sun-site tmp]# openssl x509 -in sunsite.crt -noout -serial -subject
serial=2DA086B4B14ECE63535734049A4BCF70290446C9
subject=C = CN, ST = HuNan, L = changsha, O = sunsite, OU = jsb, CN = wuhs, emailAddress = 524627027@qq.com
12. Getting help for a command
Using the openssl x509 command as an example
(base) [root@sun-site tmp]# openssl x509 -help
III. Syntax and command reference
1. Syntax
openssl command [ command_opts ] [ command_args ]
2. Standard commands
Command: description
asn1parse: Parse an ASN.1 sequence.
ca: Certificate authority (CA) management.
ciphers: Cipher suite description determination.
cms: CMS (Cryptographic Message Syntax) utility.
crl: Certificate revocation list (CRL) management.
crl2pkcs7: CRL to PKCS#7 conversion.
dgst: Message digest calculation.
dh: Diffie-Hellman parameter management. Obsoleted by dhparam.
dhparam: Generation and management of Diffie-Hellman parameters. Superseded by genpkey and pkeyparam.
dsa: DSA data management.
dsaparam: DSA parameter generation and management. Superseded by genpkey and pkeyparam.
ec: EC (elliptic curve) key processing.
ecparam: EC parameter manipulation and generation.
enc: Encoding with ciphers.
engine: Engine (loadable module) information and manipulation.
errstr: Error number to error string conversion.
gendh: Generation of Diffie-Hellman parameters. Obsoleted by dhparam.
gendsa: Generation of a DSA private key from parameters. Superseded by genpkey and pkey.
genpkey: Generation of a private key or parameters.
genrsa: Generation of an RSA private key. Superseded by genpkey.
nseq: Create or examine a Netscape certificate sequence.
ocsp: Online Certificate Status Protocol utility.
passwd: Generation of hashed passwords.
pkcs12: PKCS#12 data management.
pkcs7: PKCS#7 data management.
pkey: Public and private key management.
pkeyparam: Public key algorithm parameter management.
pkeyutl: Public key algorithm cryptographic operation utility.
rand: Generate pseudo-random bytes.
req: PKCS#10 X.509 certificate signing request (CSR) management.
rsa: RSA key management.
rsautl: RSA utility for signing, verification, encryption and decryption. Superseded by pkeyutl.
s_client: Implements a generic SSL/TLS client that can establish a transparent connection to a remote server speaking SSL/TLS. It is intended for testing purposes only and provides only rudimentary interface functionality, but internally uses mostly all functionality of the OpenSSL library.
s_server: Implements the matching generic SSL/TLS server, which accepts connections from remote clients speaking SSL/TLS; likewise intended for testing purposes only.
s_time: SSL connection timer.
sess_id: SSL session data management.
smime: S/MIME mail processing.
speed: Algorithm speed measurement.
spkac: SPKAC printing and generating utility.
ts: Time Stamping Authority tool (client/server).
verify: X.509 certificate verification.
version: OpenSSL version information.
x509: X.509 certificate data management.
3. Message digest commands
Command: description
md2: MD2 digest
md5: MD5 digest
mdc2: MDC2 digest
rmd160: RMD-160 digest
sha: SHA digest
sha1: SHA-1 digest
sha224: SHA-224 digest
sha256: SHA-256 digest
sha384: SHA-384 digest
sha512: SHA-512 digest
4. Encoding and cipher commands
Command: description
base64: Base64 encoding
bf bf-cbc bf-cfb bf-ecb bf-ofb: Blowfish cipher
cast cast-cbc: CAST cipher
cast5-cbc cast5-cfb cast5-ecb cast5-ofb: CAST5 cipher
des des-cbc des-cfb des-ecb des-ede des-ede-cbc des-ede-cfb des-ede-ofb des-ofb: DES cipher
des3 desx des-ede3 des-ede3-cbc des-ede3-cfb des-ede3-ofb: Triple-DES cipher
idea idea-cbc idea-cfb idea-ecb idea-ofb: IDEA cipher
rc2 rc2-cbc rc2-cfb rc2-ecb rc2-ofb: RC2 cipher
rc4: RC4 cipher
rc5 rc5-cbc rc5-cfb rc5-ecb rc5-ofb: RC5 cipher
That concludes this article on "what openssl is for on Linux". To really master the points covered here you need to try the commands yourself; for more articles on related topics, follow the 丸趣 TV industry news channel.