Di Linux, openssl ialah alat baris arahan yang sangat berkuasa yang boleh digunakan untuk menyelesaikan banyak tugas yang berkaitan dengan sistem kunci awam dan HTTPS. openssl mempunyai dua mod operasi: mod interaktif dan mod kelompok terus masukkan openssl dan tekan Enter untuk memasuki mod interaktif, masukkan openssl dengan pilihan arahan untuk memasuki mod kelompok.
Persekitaran pengendalian tutorial ini: sistem linux7.3, komputer Dell G3.
Openssl ialah alat baris arahan yang sangat berkuasa yang boleh digunakan untuk melengkapkan sistem kunci awam (Public Key). Infrastruktur) dan banyak tugas yang berkaitan dengan HTTPS. openssl ialah perpustakaan kriptografi Lapisan Soket Selamat yang berkuasa, termasuk algoritma kriptografi utama, fungsi pengurusan pengkapsulan kunci dan sijil yang biasa digunakan, dan protokol SSL, dan menyediakan pelbagai aplikasi untuk ujian atau tujuan lain.
OpenSSL mempunyai dua mod pengendalian: mod interaktif dan mod kelompok. Terus masukkan openssl dan tekan Enter untuk memasuki mod interaktif, masukkan openssl dengan pilihan arahan untuk memasuki mod kelompok.
Keseluruhan pakej perisian openssl boleh dibahagikan secara kasar kepada tiga bahagian berfungsi utama: perpustakaan algoritma kriptografi, perpustakaan protokol SSL dan aplikasi. Struktur direktori openssl secara semula jadi dirancang di sekitar tiga bahagian berfungsi ini. Peranan arahan openssl:
OpenSSL> help Standard commands asn1parse ca ciphers cms crl crl2pkcs7 dgst dhparam dsa dsaparam ec ecparam enc engine errstr gendsa genpkey genrsa help list nseq ocsp passwd pkcs12 pkcs7 pkcs8 pkey pkeyparam pkeyutl prime rand rehash req rsa rsautl s_client s_server s_time sess_id smime speed spkac srp storeutl ts verify version x509 Message Digest commands (see the `dgst’ command for more details) blake2b512 blake2s256 gost md4 md5 mdc2 rmd160 sha1 sha224 sha256 sha3-224 sha3-256 sha3-384 sha3-512 sha384 sha512 sha512-224 sha512-256 shake128 shake256 sm3 Cipher commands (see the `enc’ command for more details) aes-128-cbc aes-128-ecb aes-192-cbc aes-192-ecb aes-256-cbc aes-256-ecb aria-128-cbc aria-128-cfb aria-128-cfb1 aria-128-cfb8 aria-128-ctr aria-128-ecb aria-128-ofb aria-192-cbc aria-192-cfb aria-192-cfb1 aria-192-cfb8 aria-192-ctr aria-192-ecb aria-192-ofb aria-256-cbc aria-256-cfb aria-256-cfb1 aria-256-cfb8 aria-256-ctr aria-256-ecb aria-256-ofb base64 bf bf-cbc bf-cfb bf-ecb bf-ofb camellia-128-cbc camellia-128-ecb camellia-192-cbc camellia-192-ecb camellia-256-cbc camellia-256-ecb cast cast-cbc cast5-cbc cast5-cfb cast5-ecb cast5-ofb des des-cbc des-cfb des-ecb des-ede des-ede-cbc des-ede-cfb des-ede-ofb des-ede3 des-ede3-cbc des-ede3-cfb des-ede3-ofb des-ofb des3 desx idea idea-cbc idea-cfb idea-ecb idea-ofb rc2 rc2-40-cbc rc2-64-cbc rc2-cbc rc2-cfb rc2-ecb rc2-ofb rc4 rc4-40 seed seed-cbc seed-cfb seed-ecb seed-ofb sm4-cbc sm4-cfb sm4-ctr sm4-ecb sm4-ofb
3 Gunakan arahan openssl untuk pengekodan dan penyahkodan base64
OpenSSL> version OpenSSL 1.1.1h 22 Sep 2020
pengekodan base64
(base) [root@sun-site certs]# echo “wuhs” |openssl base64 d3Vocwo= (base) [root@sun-site certs]# echo “wuhs” > 1.txt (base) [root@sun-site certs]# openssl base64 -in 1.txt d3Vocwo=
(base) [root@sun-site certs]# echo “d3Vocwo=” | openssl base64 -d wuhs (base) [root@sun-site certs]# openssl base64 -d -in 1.base64 wuhs
Janakan a. Kata laluan 12 digit Kata laluan rawak
(base) [root@sun-site certs]# openssl rand -base64 10 |cut -c 1-12 PGznlV5Og0Us
ke md5 the. rentetan "wuhs" Pengiraan digest
(base) [root@sun-site certs]# echo wuhs | openssl md5 (stdin)= 4cdb1fbd6a34ff27dc8c10913fab3e7e (base) [root@sun-site certs]# openssl md5 1.txt MD5(1.txt)= 4cdb1fbd6a34ff27dc8c10913fab3e7e
(base) [root@sun-site certs]# openssl sha1 1.txt SHA1(1.txt)= bd8f0b20de17d623608218d05e8741502cf42302 (base) [root@sun-site certs]# echo wuhs | openssl sha1 (stdin)= bd8f0b20de17d623608218d05e8741502cf42302
Lakukan penyulitan AES pada rentetan "wuhs", gunakan kekunci 123, dan hasil output diberikan dalam format pengekodan base64
(base) [root@sun-site certs]# openssl aes-128-cbc -in 1.txt -k 123 -base64 *** WARNING : deprecated key derivation used. Using -iter or -pbkdf2 would be better. U2FsdGVkX194Z8P5c7C8vmXbA39omlqU/ET8xaehVFk=
(base) [root@sun-site certs]# openssl aes-128-cbc -d -k 123 -base64 -in 2.txt *** WARNING : deprecated key derivation used. Using -iter or -pbkdf2 would be better. wuhs
Buat kunci persendirian yang disulitkan
(base) [root@sun-site tmp]# openssl genrsa -des3 -out sunsite.key 2048 Generating RSA private key, 2048 bit long modulus (2 primes) …+++++ …+++++ e is 65537 (0x010001) Enter pass phrase for sunsite.key: Verifying - Enter pass phrase for sunsite.key: (base) [root@sun-site tmp]# ll total 16 -rw------- 1 root root 1751 Oct 25 14:43 sunsite.key
(base) [root@sun-site tmp]# openssl rsa -check -in sunsite.key Enter pass phrase for sunsite.key: RSA key ok writing RSA key -----BEGIN RSA PRIVATE KEY----- MIIEpAIBAAKCAQEA1jDreCAjX5kpNmnyNayQB/GUvyIRvZZM2WoKAIjne91JupgP OKmBdYSWeWsf0h0XU9ubhCHpgCss2hdRKxLN3rJLlFD98TUKpb9S2XkfrT9s3cLN PQyCELK60zrs1sE52I4pDj4nTZPZCL9mykzqwNa5rcGuHN/lLnvJxFPJOJwVWbVE Bvh+jGioJbi+Ar0rs37/8naGBYz5k4BFn5sCKrhssoMEpDWjMz4yJMpycTlEFITa …
(base) [root@sun-site tmp]# openssl rsa -des3 -in sunsite.key -out sunsite.key writing RSA key Enter PEM pass phrase: Verifying - Enter PEM pass phrase:
(base) [root@sun-site tmp]# openssl rsa -in sunsite.key -out sunsite2.key Enter pass phrase for sunsite.key: writing RSA key
Gunakan fail kunci peribadi yang ditentukan untuk menghasilkan fail csr
(base) [root@sun-site tmp]# openssl req \ -key sunsite.key \ -new -out sunsite.csr You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter ‘.’, the field will be left blank. ----- Country Name (2 letter code) [AU]:CN State or Province Name (full name) [Some-State]:HuNan Locality Name (eg, city) []:changsha Organization Name (eg, company) [Internet Widgits Pty Ltd]:sunsite Organizational Unit Name (eg, section) []:jsb Common Name (e.g. server FQDN or YOUR name) []:wuhs Email Address []:524627027@qq.com Please enter the following ‘extra’ attributes to be sent with your certificate request A challenge password []:123456 An optional company name []:123456
(base) [root@sun-site tmp]# openssl req \ -newkey rsa:2048 -nodes -keyout s.key \ -out s.csr Generating a RSA private key …+++++ .+++++ writing new private key to ‘s.key’ ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter ‘.’, the field will be left blank. ----- Country Name (2 letter code) [AU]:cn State or Province Name (full name) [Some-State]:hunan Locality Name (eg, city) []:changsha Organization Name (eg, company) [Internet Widgits Pty Ltd]:sunsite Organizational Unit Name (eg, section) []:jsb Common Name (e.g. server FQDN or YOUR name) []:wuhs Email Address []:524627027@qq.com Please enter the following ‘extra’ attributes to be sent with your certificate request A challenge password []:123456 An optional company name []:123456 (base) [root@sun-site tmp]# ll total 28 -rw-r–r-- 1 root root 1102 Oct 25 15:37 s.csr -rw------- 1 root root 1708 Oct 25 15:37 s.key
openssl x509 \ -in domain.crt \ -signkey domain.key -x509toreq -out domain.csr
(base) [root@sun-site tmp]# openssl req -text -noout -verify -in sunsite.csr
Jana sijil yang ditandatangani sendiri
Gunakan kunci peribadi sedia ada untuk menjana sijil yang ditandatangani sendiri(base) [root@sun-site tmp]# openssl req \ -newkey rsa:2048 -nodes -keyout sunsite.key \ -x509 -days 365 -out sunsite.crt Generating a RSA private key …+++++ …+++++ writing new private key to ‘sunsite.key’ ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter ‘.’, the field will be left blank. ----- Country Name (2 letter code) [AU]:cn State or Province Name (full name) [Some-State]:hn Locality Name (eg, city) []:cs Organization Name (eg, company) [Internet Widgits Pty Ltd]:sunsite Organizational Unit Name (eg, section) []:jsb Common Name (e.g. server FQDN or YOUR name) []:wuhs Email Address []:524627027@qq.com (base) [root@sun-site tmp]# ll -rw-r–r-- 1 root root 1383 Oct 25 16:03 sunsite.crt -rw-r–r-- 1 root root 1102 Oct 25 15:05 sunsite.csr -rw------- 1 root root 1708 Oct 25 16:03 sunsite.key
(base) [root@sun-site tmp]# openssl req \ -key sunsite.key -new \ -x509 -days 365 -out sunsite.crt You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter ‘.’, the field will be left blank. ----- Country Name (2 letter code) [AU]:cn State or Province Name (full name) [Some-State]:hn Locality Name (eg, city) []:cs Organization Name (eg, company) [Internet Widgits Pty Ltd]:sunsite Organizational Unit Name (eg, section) []:jsb Common Name (e.g. server FQDN or YOUR name) []:wuhs Email Address []:wuhs@qq.com
(base) [root@sun-site tmp]# openssl x509 \ -signkey sunsite.key \ -in sunsite.csr \ -req -days 365 -out sunsite.crt Signature ok subject=C = CN, ST = HuNan, L = changsha, O = sunsite, OU = jsb, CN = wuhs, emailAddress = 524627027@qq.com Getting Private key
(base) [root@sun-site tmp]# openssl verify -verbose -CAfile ca.crt sunsite.crt Error loading file ca.crt #需要ca证书
(base) [root@sun-site tmp]# openssl x509 -noout -modulus -in sunsite.crt |openssl md5 (stdin)= e26905e973af69aed4e4d707f882de61 (base) [root@sun-site tmp]# openssl rsa -noout -modulus -in sunsite.key |openssl md5 (stdin)= e26905e973af69aed4e4d707f882de61 (base) [root@sun-site tmp]# openssl req -noout -modulus -in sunsite.csr |openssl md5 (stdin)= e26905e973af69aed4e4d707f882de61 #md5校验和一致说明,三者匹配
DER kepada PEM
(base) [root@sun-site tmp]# openssl x509 -in sunsite.crt -outform der -out sunsite.der
(base) [root@sun-site tmp]# openssl x509 -in sunsite.der -inform der -out sunsite.crt
(base) [root@sun-site tmp]# openssl crl2pkcs7 -nocrl -certfile sunsite.crt -certfile ca-chain.crt -out sunsite.p7b
#openssl pkcs7 -in domain.p7b -print_certs -out domain.crt
openssl pkcs12 -inkey domain.key -in domain.crt -export -out domain.pfx
openssl pkcs12 -in domain.pfx -nodes -out domain.combined.crt
(base) [root@sun-site tmp]# openssl x509 -in sunsite.crt -noout -serial -subject serial=2DA086B4B14ECE63535734049A4BCF70290446C9 subject=C = CN, ST = HuNan, L = changsha, O = sunsite, OU = jsb, CN = wuhs, emailAddress = 524627027@qq.com
Ambil arahan openssl x509 sebagai contoh(asas) [root@sun-site tmp]# openssl x509 --help
openssl command [ command_opts ] [ command_args ]
2、标准命令
命令 | 命令介绍 |
---|---|
asn1parse | 解析ASN.1序列。 |
ca | 证书颁发机构(ca)管理。 |
ciphers | 密码套件描述确定。 |
cms | cms(加密消息语法)实用程序 |
crl | 证书撤销列表(crl)管理。 |
crl2pkcs7 | CRL到PKCS#7的转换。 |
dgst | 消息摘要计算。 |
dh | Diffie-Hellman参数管理。被dhparam淘汰。 |
dhparam | Diffie-Hellman参数的生成和管理。由genpkey和pkeyparam取代 |
dsa | dsa数据管理。 |
dsaparam | DSA参数生成和管理。由genpkey和pkeyparam取代 |
ec | ec(椭圆曲线)密钥处理 |
ecparam | EC参数操作和生成 |
enc | 使用密码进行编码。 |
engine | 引擎(可加载模块)信息和操作。 |
errstr | 错误编号到错误字符串的转换。 |
gendh | Diffie-Hellman参数的生成。被dhparam淘汰。 |
gendsa | 根据参数生成DSA私钥。由genpkey和pkey取代 |
genpkey | 生成私钥或参数。 |
genrsa | 生成RSA私钥。由根普基取代。 |
nseq | 创建或检查netscape证书序列 |
ocsp | 在线证书状态协议实用程序。 |
passwd | 生成哈希密码。 |
pkcs12 | PKCS#12数据管理。 |
pkcs7 | PKCS#7数据管理。 |
pkey | 公钥和私钥管理。 |
pkeyparam | 公钥算法参数管理。 |
pkeyutl | 公钥算法加密操作实用程序。 |
rand | 生成伪随机字节。 |
req | PKCS#10 X.509证书签名请求(CSR)管理。 |
rsa | rsa密钥管理。 |
rsautl | RSA实用程序,用于签名、验证、加密和解密。被pkeyutl取代 |
s_client | 这实现了一个通用的SSL/TLS客户端,它可以与使用SSL/TLS的远程服务器建立透明连接。它仅用于测试目的,只提供基本的接口功能,但在内部主要使用OpenSSL库的所有功能。 |
s_server | |
s_time | SSL连接计时器。 |
sess_id | SSL会话数据管理。 |
smime | S/MIME邮件处理。 |
speed | 算法速度测量。 |
spkac | spkac打印和生成实用程序 |
ts | 时间戳授权工具(客户端/服务器) |
verify | X.509证书验证。 |
version | OpenSSL版本信息。 |
x509 | X.509证书数据管理。 |
命令 | 命令介绍 |
---|---|
md2 | MD2 Digest |
md5 | MD5 Digest |
mdc2 | MDC2 Digest |
rmd160 | RMD-160 Digest |
sha | SHA Digest |
sha1 | SHA-1 Digest |
sha224 | SHA-224 Digest |
sha256 | SHA-256 Digest |
sha384 | SHA-384 Digest |
sha512 | SHA-512 Digest |
命令 | 命令介绍 |
---|---|
base64 | base64编码 |
bf bf-cbc bf-cfb bf-ecb bf-ofb | 河豚密码 |
cast cast-cbc | 强制转换密码 |
cast5-cbc cast5-cfb cast5-ecb cast5-ofb | CAST5 密码 |
des des-cbc des-cfb des-ecb des-ede des-ede-cbc des-ede-cfb des-ede-ofb des-ofb | DES 密码 |
des3 desx des-ede3 des-ede3-cbc des-ede3-cfb des-ede3-ofb | 三重DES密码 |
idea idea-cbc idea-cfb idea-ecb idea-ofb | IDEA 密码 |
rc2 rc2-cbc rc2-cfb rc2-ecb rc2-ofb | RC2 密码 |
rc4 | RC4 密码 |
rc5 rc5-cbc rc5-cfb rc5-ecb rc5-ofb | RC5 密码 |
Cadangan berkaitan: "Tutorial Video Linux"
Atas ialah kandungan terperinci Apakah itu linux openssl. Untuk maklumat lanjut, sila ikut artikel berkaitan lain di laman web China PHP!