OpenSSL操作
OpenSSL是什么不用介绍,都知道。
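先用des3做一下文本的加密和解密,密码是secret。这里只是演示:des3(3DES)是老旧算法,-k会把密码直接留在命令行和shell历史里,下面的警告说的是默认的密钥派生方式已被弃用;实际使用时建议换成 -aes-256-cbc,加上 -pbkdf2(可再用 -iter 指定迭代次数),并用 -pass file:… 或 -pass env:… 传入密码。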
[root@ecs-d589 ~]# echo "hello world" > hello
[root@ecs-d589 ~]# openssl version
OpenSSL 1.1.1k FIPS 25 Mar 2021
[root@ecs-d589 ~]# openssl des3 -e -in hello -out hello.des3 -k secret #警告不管
*** WARNING : deprecated key derivation used.
Using -iter or -pbkdf2 would be better.
[root@ecs-d589 ~]# cat hello.des3 #看到的是密文
Salted__`'▒o▒#É▒#▒X_▒i▒▒#z#خ▒
[root@ecs-d589 ~]# file hello.des3
hello.des3: openssl enc'd data with salted password
[root@ecs-d589 ~]# openssl des3 -d -in hello.des3 -k secret
*** WARNING : deprecated key derivation used.
Using -iter or -pbkdf2 would be better.
hello world
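再生成RSA私钥,然后根据私钥导出公钥。这里的1024位只适合演示,实际使用至少2048位(后面生成CA和用户证书时用的就是rsa:2048)。
然后用公钥加密,用私钥解密。密文是二进制数据,直接cat到终端可能被终端当成控制序列处理(下面输出末尾多出来的xterm-256color很可能就是这么来的),想看内容用 xxd 或 base64 更稳妥。
“用私钥加密,再用公钥解密”实际上就是签名和验签,这里没有做这样的操作。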
[root@ecs-d589 ~]# openssl genrsa -out keys 1024
Generating RSA private key, 1024 bit long modulus (2 primes)
.................+++++
.................................................................+++++
e is 65537 (0x010001)
[root@ecs-d589 ~]# ll keys; file keys
-rw------- 1 root root 887 Jul 17 11:03 keys
keys: PEM RSA private key
[root@ecs-d589 ~]# cat keys
-----BEGIN RSA PRIVATE KEY-----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-----END RSA PRIVATE KEY-----
[root@ecs-d589 ~]# openssl rsa -in keys -pubout -out pkey
writing RSA key
[root@ecs-d589 ~]# ll pkey ;file pkey
-rw-r--r-- 1 root root 272 Jul 17 11:05 pkey
pkey: ASCII text
[root@ecs-d589 ~]# cat pkey
-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDAGbsAXzu99izN+KD03RTV1g+W
DKvlH1c+wkufXmotiNIrXnvl7UuLpjWLgCztc+bkCNHyENH3aAmt4x33LdZk+Lft
sFPlPd3aFBn6uWlD4J6Ch4pGNLULru8/ZXGXwKtGeyxe/uOQmeEdD9BafTtWjj62
73Qg4jSXJbLvJwc3eQIDAQAB
-----END PUBLIC KEY-----
[root@ecs-d589 ~]# openssl rsautl -encrypt -in hello -inkey pkey -pubin -out hello.rsapubenc
[root@ecs-d589 ~]# ll hello.rsapubenc ;file hello.rsapubenc
-rw-r--r-- 1 root root 128 Jul 17 11:09 hello.rsapubenc
hello.rsapubenc: data
[root@ecs-d589 ~]# cat hello.rsapubenc
▒▒l▒r▒▒ajNx▒D▒▒7A▒▒7
▒o▒;▒▒x("[~▒T7
X▒e
▒▒UZFy&▒▒O▒▒▒&s▒d▒,▒Ts▒Ϯ{y▒i▒▒▒▒▒#FO▒R▒▒▒0▒▒}▒V6▒DnR1}▒▒ɧO▒G>T▒e[root@ecs-d589 ~]# xterm-256color
-bash: xterm-256color: command not found
[root@ecs-d589 ~]# openssl rsautl -decrypt -in hello.rsapubenc -inkey keys
hello world
然后用md5生成摘要值(MD5已经不抗碰撞,只适合演示或非安全用途的校验;要做完整性校验请用 openssl dgst -sha256):
[root@ecs-d589 ~]# openssl dgst -md5 hello
MD5(hello)= 6f5902ac237024bdd0c176cb93063dc4
看一下默认配置文件openssl.cnf(本文也写作openssl.cfg)的位置(OPENSSLDIR):在/etc/pki/tls下面
[root@ecs-d589 ~]# openssl version -a
OpenSSL 1.1.1k FIPS 25 Mar 2021
built on: Mon Mar 28 15:35:23 2022 UTC
platform: linux-x86_64
options: bn(64,64) md2(char) rc4(16x,int) des(int) idea(int) blowfish(ptr)
compiler: gcc -fPIC -pthread -m64 -Wa,--noexecstack -Wall -O3 -O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -fexceptions -fstack-protector-strong -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection -Wa,--noexecstack -Wa,--generate-missing-build-notes=yes -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -DOPENSSL_USE_NODELETE -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM -DZLIB -DNDEBUG -DPURIFY -DDEVRANDOM="\"/dev/urandom\"" -DSYSTEM_CIPHERS_FILE="/etc/crypto-policies/back-ends/openssl.config"
OPENSSLDIR: "/etc/pki/tls"
ENGINESDIR: "/usr/lib64/engines-1.1"
Seeding source: os-specific
engines: rdrand dynamic
可以把openssl.cfg打开看一下,我们下面操作的话按cfg文件里配置的证书文件名、私钥文件名来。
然后我们来生成一个CA证书,CA证书是自签名的。
先参照openssl.cfg配置里生成一个自己的目录,建立一些文件和子目录:
[root@ecs-d589 ~]# mkdir iCA
[root@ecs-d589 ~]# cd iCA
[root@ecs-d589 iCA]# mkdir certs newcerts private crl
[root@ecs-d589 iCA]# >index.txt
[root@ecs-d589 iCA]# echo 0001 >serial
[root@ecs-d589 iCA]# echo 0001 >crlnumber
[root@ecs-d589 iCA]# tree --dirsfirst
.
├── certs/
├── crl/
├── newcerts/
├── private/
├── crlnumber
├── index.txt
└── serial
4 directories, 3 files
然后一条语句直接生成CA自签名证书(也有分三步的,1生成CA私钥 2为CA创建CSR证书请求 3对证书请求自签名),这里一步搞定,爽快。生成好后看一下自签名证书内容。也可以将证书拷贝到windows平台,将后缀名改为crt,就可以打开,对照着看。
[root@ecs-d589 iCA]# openssl req -x509 -newkey rsa:2048 -days 366 -out cacert.pem -outform PEM -keyout private/cakey.pem -subj "/C=CN/CN=iCA"
Generating a RSA private key
.................+++++
........+++++
writing new private key to 'private/cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
[root@ecs-d589 iCA]# openssl x509 -in cacert.pem -text -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
17:4f:00:fb:78:20:9f:b2:7d:2f:2f:e0:9d:d1:f0:0c:3e:33:43:e9
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = CN, CN = iCA
Validity
Not Before: Jul 17 07:42:02 2022 GMT
Not After : Jul 18 07:42:02 2023 GMT
Subject: C = CN, CN = iCA
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
00:cf:ab:4c:d3:ce:16:04:5f:85:d4:c0:70:bf:7a:
55:52:5a:92:c0:7d:5d:79:20:70:f7:c2:73:ed:cf:
78:bc:aa:3b:26:29:7f:1b:f3:94:86:ef:48:8b:01:
4c:8a:3e:a0:92:51:a2:a0:df:5e:c3:d5:3c:68:98:
2c:5e:52:3b:22:13:d3:e2:a4:17:5e:26:e0:ad:c2:
d4:12:27:2c:e3:42:5b:07:65:d5:48:01:23:8b:38:
6b:90:78:46:2f:56:d6:ba:c9:5b:9c:c6:25:76:74:
20:7a:0c:1c:fb:05:ad:c5:47:8e:23:a9:c3:44:50:
c7:a5:71:87:5a:2f:c4:b6:cf:80:52:cb:78:19:cb:
7d:45:3a:bd:10:9e:6d:78:f4:1c:2a:cf:da:ba:2e:
5e:95:b2:c9:68:cd:ab:12:d3:9d:4a:ab:ad:df:60:
72:ad:31:5d:79:97:54:31:fe:26:99:1c:6d:c2:3d:
4e:20:00:42:13:73:cd:72:17:22:2f:6b:e7:9f:51:
60:44:8c:5d:5c:9d:6f:85:c5:15:9f:26:d8:f8:5d:
41:d7:44:e7:b2:33:71:45:21:8b:fe:14:83:54:c0:
4c:95:92:a9:b9:84:13:3d:9a:9f:d4:57:fc:26:f0:
ac:ad:03:bc:4c:77:19:0b:26:64:9e:c2:88:6e:77:
10:61
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
05:68:9C:D5:53:32:77:A0:9C:94:FC:20:A9:F8:B6:BC:D4:60:F9:88
X509v3 Authority Key Identifier:
keyid:05:68:9C:D5:53:32:77:A0:9C:94:FC:20:A9:F8:B6:BC:D4:60:F9:88
X509v3 Basic Constraints: critical
CA:TRUE
Signature Algorithm: sha256WithRSAEncryption
8b:cf:97:5b:be:01:c3:31:16:a3:b3:87:d2:bf:f6:16:ac:6b:
9d:9f:1d:5a:ac:f2:69:53:fd:23:5e:de:59:eb:a4:df:2c:54:
ea:8f:df:b3:0b:b7:b5:79:ac:8c:a3:39:a9:8b:a2:05:b1:c6:
39:26:b8:01:ec:1e:bb:19:e1:56:ef:ad:8f:39:49:f9:d0:ba:
e9:7c:07:ea:04:3f:88:c4:f9:1f:6e:b5:14:72:e7:26:4c:75:
bc:54:27:96:2a:c6:29:f6:96:d0:20:d5:10:c4:13:8c:29:ea:
78:b0:c8:7a:2b:5b:4f:24:17:f8:12:6c:1a:82:0d:d1:a8:6e:
c8:d5:a9:6d:a9:a1:4a:a5:ad:e4:e9:d5:2a:98:0d:5d:ca:22:
47:88:e2:69:a2:ba:02:d2:a6:16:9f:e3:82:28:1f:86:63:a1:
92:c5:54:4f:ac:fb:36:bb:22:f6:9f:bb:8b:5d:06:ed:6a:de:
a6:86:ca:d6:d2:54:23:17:e1:a9:7a:8c:e3:5d:89:52:14:a1:
c8:99:36:a8:50:28:df:91:5b:79:b3:2b:d5:7d:7d:db:6c:eb:
46:3c:d2:c7:4c:54:0c:16:51:c3:6a:69:af:18:78:4a:37:10:
ff:10:25:b8:62:6f:a6:c0:8b:98:40:d5:27:5d:96:00:7f:02:
b4:af:a0:9c
windows下看证书的内容:
可以看到和linux系统上查看的内容是一致的,时间不一致差8个小时是时区的原因。
好了CA自签名证书创建好了,接下来要修改一下openssl.cfg文件,来创建用户证书。
修改如下:
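[ CA_default ] 下的 dir 改为上面自己创建的目录,policy 修改为 policy_anything,这样减少一些校验:请求里只要提供了CN(Common Name)就行(commonName = supplied),其他字段都是optional。这意味着CA不再要求国家、组织等字段与CA自身一致,只适合测试环境。另外这里改的是系统全局的/etc/pki/tls/openssl.cnf,更稳妥的做法是拷贝一份配置,签发时用 openssl ca -config 指定。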
####################################################################
[ ca ]
default_ca = CA_default # The default ca section
####################################################################
[ CA_default ]
# Tutorial edit: the stock dir value is kept commented out and dir now points
# at the iCA directory created earlier; every $dir path below resolves under it.
#dir = /etc/pki/CA # Where everything is kept
dir = /root/iCA # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
#unique_subject = no # Set to 'no' to allow creation of
# several certs with same subject.
new_certs_dir = $dir/newcerts # default place for new certs.
certificate = $dir/cacert.pem # The CA certificate
serial = $dir/serial # The current serial number
crlnumber = $dir/crlnumber # the current crl number
# must be commented out to leave a V1 CRL
crl = $dir/crl.pem # The current CRL
# CA signing key; in the transcript `openssl ca` prompts for its pass phrase
# before signing a request.
private_key = $dir/private/cakey.pem# The private key
# Names the section of extensions applied to issued certificates (the usr_cert
# section itself is not part of this excerpt).
x509_extensions = usr_cert # The extensions to add to the cert
# Comment out the following two lines for the "traditional"
# (and highly broken) format.
name_opt = ca_default # Subject Name options
cert_opt = ca_default # Certificate field options
# Extension copying option: use with caution.
# copy_extensions = copy
# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL.
# crlnumber must also be commented out to leave a V1 CRL.
# crl_extensions = crl_ext
default_days = 365 # how long to certify for
default_crl_days= 30 # how long before next CRL
default_md = sha256 # use SHA-256 by default
preserve = no # keep passed DN ordering
# A few difference way of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
# Tutorial edit: policy_match is disabled and policy_anything selected, so a
# request only has to supply commonName; every other DN field is optional
# (see [ policy_anything ] below). The match rules on countryName,
# stateOrProvinceName and organizationName in [ policy_match ] no longer apply.
#policy = policy_match
policy = policy_anything
# For the CA policy
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
####################################################################
然后创建用户证书请求,即CSR。这里也说一下华为云云证书管理服务,华为云SSL证书管理服务中,可以找到免费证书,即DigiCert品牌提供有证书类型为DV(Basic)、域名类型为单域名、有效期1年的免费证书。申请免费证书后,需要提交证书请求文件(Certificate Signing Request,简称CSR),这个建议让华为云系统自动生成,因为你的网站信息它不会给你填错,以免审核不过,后面签发证书后,证书和私钥都会提供给你下载。要注意系统自动生成CSR时,私钥也是由平台生成并提供下载的;如果希望私钥始终只留在自己的机器上,也可以自己手工生成CSR,只把CSR提交上去。
回到创建用户CSR,然后CA签发用户证书。注意下面req命令里的-nodes表示用户私钥user1key.pem不加口令、以明文写入磁盘,只能靠文件权限保护:
[root@ecs-d589 iCA]# openssl req -newkey rsa:2048 -keyout private/user1key.pem -keyform PEM -out user1req.pem -outform PEM -nodes -subj "/C=CN/CN=user1"
Generating a RSA private key
.............+++++
.......+++++
writing new private key to 'private/user1key.pem'
-----
[root@ecs-d589 iCA]# openssl ca -in user1req.pem -out user1cert.pem
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /root/iCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Jul 17 07:53:48 2022 GMT
Not After : Jul 17 07:53:48 2023 GMT
Subject:
countryName = CN
commonName = user1
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
6B:80:5F:F5:2E:B3:67:A6:60:58:45:4E:B3:A1:B0:A0:45:29:34:FD
X509v3 Authority Key Identifier:
keyid:05:68:9C:D5:53:32:77:A0:9C:94:FC:20:A9:F8:B6:BC:D4:60:F9:88
Certificate is to be certified until Jul 17 07:53:48 2023 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@ecs-d589 iCA]# tree --dirsfirst
.
├── certs
├── crl
├── newcerts
│ └── 01.pem
├── private
│ ├── cakey.pem
│ └── user1key.pem
├── cacert.pem
├── crlnumber
├── index.txt
├── index.txt.attr
├── index.txt.old
├── serial
├── serial.old
├── user1cert.pem
└── user1req.pem
4 directories, 12 files
[root@ecs-d589 iCA]# cat index.txt
V 230717075348Z 01 unknown /C=CN/CN=user1
[root@ecs-d589 iCA]# cat serial
02
[root@ecs-d589 iCA]# openssl x509 -in user1cert.pem -text -noout Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = CN, CN = iCA
Validity
Not Before: Jul 17 07:53:48 2022 GMT
Not After : Jul 17 07:53:48 2023 GMT
Subject: C = CN, CN = user1
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
00:be:95:03:b6:01:0a:30:18:ae:18:4f:7f:65:7a:
53:93:85:61:a2:a1:66:16:79:9a:58:73:7c:44:4e:
b8:2c:b2:30:15:96:1f:f2:c2:08:34:8f:cd:ea:52:
43:f0:fe:12:63:68:2b:4c:56:f2:74:5e:b5:a0:e4:
7f:64:fe:9b:4f:aa:b9:96:b7:9c:fa:76:b7:2e:fa:
58:d9:03:08:eb:a1:01:84:db:84:bf:24:85:ae:db:
20:b9:a0:70:98:e8:47:88:ae:ef:2f:bc:61:c5:6b:
ac:3f:d7:5e:45:a2:77:54:b5:2d:0a:f5:71:d0:d9:
9f:55:40:ed:62:6f:d0:dc:42:e6:23:a4:95:40:2c:
1b:23:de:c2:4d:a9:cf:04:fb:ad:97:05:29:91:3f:
42:f3:78:4f:76:46:07:49:2c:01:c3:1b:32:33:97:
b5:2b:61:11:5f:3b:3b:8e:3a:1c:b8:83:a4:cf:2f:
47:94:40:f8:ee:bc:9b:9c:14:73:c8:73:b7:26:1f:
19:1c:88:9b:08:04:be:de:22:af:04:66:c3:4d:ab:
fb:06:8d:e3:97:4d:9e:76:af:e4:71:59:c2:28:f9:
df:a0:5c:15:c4:0a:d7:b7:c2:bd:c0:05:9f:b2:85:
94:58:70:14:85:1e:d8:eb:44:8a:44:d9:06:ef:23:
71:85
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
6B:80:5F:F5:2E:B3:67:A6:60:58:45:4E:B3:A1:B0:A0:45:29:34:FD
X509v3 Authority Key Identifier:
keyid:05:68:9C:D5:53:32:77:A0:9C:94:FC:20:A9:F8:B6:BC:D4:60:F9:88
Signature Algorithm: sha256WithRSAEncryption
8d:7f:5c:41:42:ba:cd:29:9c:77:fc:85:6a:21:22:8b:11:e1:
db:3f:32:d1:32:f1:7f:b9:3a:2d:13:ab:c5:d7:78:99:c5:46:
86:8c:ae:1c:c5:1b:e8:6f:8e:17:2a:2c:b5:d6:40:84:76:58:
cb:b3:84:7d:e9:ac:c6:1e:1e:f3:34:fd:27:b2:85:d3:56:a0:
29:74:f3:b3:d7:ec:64:c8:1e:9b:c6:e7:ef:40:fa:49:9b:86:
f2:bc:70:3f:e9:51:51:82:dd:48:08:48:6e:52:ca:bd:fc:9f:
46:93:e2:89:c0:dc:e3:e1:a7:01:54:99:c0:18:ab:ca:73:28:
8e:ff:89:f7:63:c5:a8:b0:f4:bf:d7:d5:b2:cf:94:82:1c:8f:
2b:25:d3:33:4a:ab:4b:d5:8b:6a:22:a4:6c:9f:59:a2:d2:a3:
97:ee:b2:85:41:e9:9a:64:99:f8:57:d8:fe:bf:6d:9f:a0:56:
4a:81:af:d4:43:31:00:2e:cd:46:a3:e5:d4:c2:2a:27:c4:de:
07:f3:00:4f:af:a1:fa:a3:6f:2b:9d:b8:3e:c4:03:13:05:60:
cc:8c:3a:6b:2c:59:2f:1a:32:a0:23:29:84:dd:17:b3:22:53:
63:49:64:f0:75:86:e4:f3:95:66:05:1d:a7:36:e5:59:34:18:
4c:4c:d5:89
这个用户证书的X509v3 Basic Constraints是CA:FALSE,所以它不是CA证书。因为CA证书我们还没有安装到“受信任的根证书颁发机构”,用户证书如果拷贝到windows打开,会说没有足够的信息来验证这个用户证书。
后面还会有证书的作废和列表等操作,这里就不说了。