[Security and Encryption] OpenSSL

OpenSSL


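Three components:

openssl: multi-purpose command-line tool, package openssl

libcrypto: cryptographic algorithm library, package openssl-libs

libssl: library for applications using the encryption modules; implements SSL and TLS, package nss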

The OpenSSL open-source project:

Two operating modes: interactive mode and batch mode

The enc command:

Help: man enc

Encryption:

openssl enc -e -des3 -a -salt -in testfile -out testfile.cipher

Decryption:

openssl enc -d -des3 -a -salt -in testfile.cipher -out testfile
openssl ?
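
An added example, not part of the original post: it runs the enc command above twice to show what -salt and -a do to the output, then does a round trip with AES-256 and PBKDF2 key derivation as a stronger alternative to the -des3 defaults. The password, the file contents and the enc_demo function name are constructed for illustration; -pbkdf2 and -iter need OpenSSL 1.1.1 or later.

```shell
# Added example (not from the original post). Password and plaintext are constructed.
enc_demo() {
  d=$(mktemp -d) || return 1
  printf 'constructed sample plaintext\n' > "$d/testfile"
  pw='pass:demo-password'   # demo only: -pass pass:... is visible in the process list

  # The page's form: 3DES, base64 output (-a), salted, default key derivation
  openssl enc -e -des3 -a -salt -pass "$pw" -in "$d/testfile" -out "$d/a.cipher" 2>/dev/null
  openssl enc -e -des3 -a -salt -pass "$pw" -in "$d/testfile" -out "$d/b.cipher" 2>/dev/null
  # -salt: same password and plaintext, yet the two ciphertexts differ
  cmp -s "$d/a.cipher" "$d/b.cipher" && salted=no || salted=yes
  # The salt travels inside the file: the decoded output starts with "Salted__"
  header=$(openssl base64 -d -in "$d/a.cipher" | head -c 8)

  # Stronger form: AES-256-CBC with PBKDF2 key derivation
  openssl enc -e -aes-256-cbc -a -salt -pbkdf2 -iter 200000 -pass "$pw" \
    -in "$d/testfile" -out "$d/c.cipher"
  openssl enc -d -aes-256-cbc -a -pbkdf2 -iter 200000 -pass "$pw" \
    -in "$d/c.cipher" -out "$d/testfile.out"
  cmp -s "$d/testfile" "$d/testfile.out" && roundtrip=ok || roundtrip=fail

  echo "$salted $header $roundtrip"
  rm -rf "$d"
}
```

Neither form authenticates the ciphertext, so pair enc with a MAC when integrity matters.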

One-way encryption (digest) tools:

md5sum
sha1sum
sha224sum
sha256sum
openssl dgst

The dgst command:

# Help
man dgst

openssl dgst -md5 [-hex (default)] /PATH/SOMEFILE
openssl dgst -md5 testfile
md5sum /PATH/TO/SOMEFILE

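MAC: Message Authentication Code

An extended application of one-way encryption, used in network communication as a mechanism to guarantee the integrity of the transmitted data

CBC-MAC

HMAC: uses the md5 or sha1 algorithm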
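
An added example, not from the original post, of the integrity check a MAC provides: the receiver recomputes the tag with the shared key and rejects a message whose tag does not match. It uses openssl dgst -hmac with SHA-256 rather than md5 or sha1; the key, the messages and the function names are constructed.

```shell
# Added example (not from the original post). Messages and keys are constructed.
mac_of() {      # usage: mac_of KEY   (message on stdin); prints the hex tag
  # demo only: a key passed with -hmac is visible in the process list
  openssl dgst -sha256 -hmac "$1" | awk '{print $NF}'
}

verify_mac() {  # usage: verify_mac KEY MESSAGE TAG; prints accepted or rejected
  if [ "$(printf '%s' "$2" | mac_of "$1")" = "$3" ]; then
    echo accepted
  else
    echo rejected
  fi
}

mac_demo() {
  key='constructed-shared-key'
  msg='amount=100;to=alice'
  altered='amount=900;to=alice'
  tag=$(printf '%s' "$msg" | mac_of "$key")    # the sender attaches this tag

  r1=$(verify_mac "$key" "$msg" "$tag")        # unmodified message
  r2=$(verify_mac "$key" "$altered" "$tag")    # altered in transit, original tag
  # Altered message with a tag recomputed under a different key: still rejected.
  # A bare digest (md5sum, sha256sum) cannot give this, since anyone can recompute it.
  bad=$(printf '%s' "$altered" | mac_of 'wrong-key')
  r3=$(verify_mac "$key" "$altered" "$bad")
  echo "$r1 $r2 $r3"
}
```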

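How base64 encoding works: it is not encryption

openssl rand -base64 10

Work in common multiples of 6 and 8 bits: when the byte count is a multiple of 3, no = padding is added.

Base64 is a method for encoding arbitrary binary data as a text string; it is commonly used to carry small amounts of binary data in URLs, cookies and web pages.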
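
Each base64 character carries 6 bits and each byte 8 bits, so 3 bytes (24 bits) map exactly onto 4 characters and anything else is padded with =. The added example below, which is not from the original post, measures this on the output of openssl rand -base64 and shows that decoding needs no key; the function names are constructed.

```shell
# Added example (not from the original post).
b64_shape() {      # usage: b64_shape N; prints "<encoded length> <count of = characters>"
  out=$(openssl rand -base64 "$1" | tr -d '\n')
  pad=$(printf '%s' "$out" | tr -cd '=' | wc -c)
  echo "${#out} $((pad))"
}

b64_roundtrip() {  # encode then decode: no key involved, so this is not encryption
  printf '%s' "$1" | openssl base64 | openssl base64 -d
}

b64_table() {      # one line per byte count from 9 to 12
  for n in 9 10 11 12; do
    echo "$n bytes -> $(b64_shape "$n")"
  done
}
```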


OpenSSL commands:

# Generate a private key
openssl genrsa -out /PATH/TO/PRIVATEKEY.FILE NUM_BITS
(umask 077; openssl genrsa -out test.key -des 2048)
openssl rsa -in test.key -out test2.key # decrypt the encrypted key


# Extract the public key from the private key
openssl rsa -in PRIVATEKEYFILE -pubout -out PUBLICKEYFILE
openssl rsa -in test.key -pubout -out test.key.pub

The public key is embedded in the private key


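Random number generator: pseudo-random numbers

Keyboard and mouse input, block device interrupts

/dev/random
# Returns random numbers from the entropy pool only; blocks when the pool is exhausted
/dev/urandom
# Returns random numbers from the entropy pool; when the pool is exhausted, generates pseudo-random numbers in software; non-blocking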

Building a CA

OpenCA

openssl

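Certificate request and signing steps:

  1. Generate the certificate request
  2. RA verification: the RA (registration authority) collects the registration requests
  3. The CA signs
  4. Obtain the certificate

Common CAs and requesting a certificate: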

####################################################################
[ CA_default ]

dir             = /etc/pki/CA           # Where everything is kept
certs           = $dir/certs            # Where the issued certs are kept
crl_dir         = $dir/crl              # Where the issued crl are kept
database        = $dir/index.txt        # database index file.
#unique_subject = no                    # Set to 'no' to allow creation of
                                        # several ctificates with same subject.
new_certs_dir   = $dir/newcerts         # default place for new certs.

certificate     = $dir/cacert.pem       # The CA certificate
serial          = $dir/serial           # The current serial number
crlnumber       = $dir/crlnumber        # the current crl number
                                        # must be commented out to leave a V1 CRL
crl             = $dir/crl.pem          # The current CRL
private_key     = $dir/private/cakey.pem# The private key
RANDFILE        = $dir/private/.rand    # private random number file

Lab: build a private CA and issue certificates to users

  1. Build the CA

    # Create the private key
    [root@localhost ~]#cd /etc/pki/CA/
    [root@localhost CA]#ls
    certs  crl  newcerts  private
    
    # Step 1: generate the private key file; note where the private key is stored
    [root@localhost CA]#(umask 077;openssl genrsa -out private/cakey.pem 4096)
    Generating RSA private key, 4096 bit long modulus
    .........................................................................................................................................................................................................................................................................................................................................................................++
    ........++
    e is 65537 (0x10001)
    
    
    # Step 2: generate the self-signed certificate
    [root@localhost private]#openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem -days 3650
    
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [XX]:
    State or Province Name (full name) []:
    Locality Name (eg, city) [Default City]:
    Organization Name (eg, company) [Default Company Ltd]:
    Organizational Unit Name (eg, section) []:
    Common Name (eg, your name or your server's hostname) []:
    Email Address []:
    
    # View the generated certificate
    [root@localhost CA]#openssl x509 -in cacert.pem -noout -text
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number:
                e0:40:bd:58:a6:76:64:22
        Signature Algorithm: sha256WithRSAEncryption
          # Note the following fields
          Issuer: C=CN, ST=Jiangxi, L=Nanchang, O=flamenca, OU=coralloveme, CN=coralloveme.com/[email protected]
            Validity
                Not Before: May 10 12:43:08 2020 GMT
                Not After : May  8 12:43:08 2030 GMT
            Subject: C=CN, ST=Jiangxi, L=Nanchang, O=flamenca, OU=coralloveme, CN=coralloveme.com/[email protected]
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                    Public-Key: (4096 bit)
                    Modulus:
                        00:ca:d8:c2:31:55:58:a9:7d:31:68:2f:95:c7:e4:
                        ...
                        76:87:6f:dc:28:fb:51:56:b1:3b:59:5e:8b:b3:dc:
                        25:a6:04:b1:67:d7:c9:c1:ad:60:9d:a9:dc:66:f7:
                        6d:55:3d
                    Exponent: 65537 (0x10001)
            X509v3 extensions:
                X509v3 Subject Key Identifier: 
                    88:02:E5:5C:23:09:B1:B0:24:B6:70:0D:C7:AC:A9:08:10:D7:1A:DC
                X509v3 Authority Key Identifier: 
                    keyid:88:02:E5:5C:23:09:B1:B0:24:B6:70:0D:C7:AC:A9:08:10:D7:1A:DC
    
                X509v3 Basic Constraints: 
                    CA:TRUE
        Signature Algorithm: sha256WithRSAEncryption
             8d:2b:11:1a:d5:13:b1:01:d1:07:79:c3:4a:ec:e9:81:2a:c6:
             ...
             6b:4f:aa:63:9e:2e:b5:2c:d9:56:75:99:16:89:74:2e:fc:8b:
             c5:2c:7d:92:d7:08:32:e1
    
    
    # To issue certificates to users, the serial and index.txt files must also exist
    # database        = $dir/index.txt       
    # database index file.
    # serial          = $dir/serial           
    # The current serial number
    
    
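    # Step 3: a certificate request has arrived; prepare to issue
    # certs           = $dir/certs            
    # Where the issued certs are kept (the directory dedicated to issued certificates)
    
    
    # If -days is omitted, the default is 365 days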
    
    [root@localhost CA]#openssl ca -in /data/app.csr -out /etc/pki/CA/certs/app.crt -days 100
    Using configuration from /etc/pki/tls/openssl.cnf
    /etc/pki/CA/index.txt: No such file or directory
    # Error: the file does not exist
    unable to open '/etc/pki/CA/index.txt'
    140064137033616:error:02001002:system library:fopen:No such file or directory:bss_file.c:402:fopen('/etc/pki/CA/index.txt','r')
    140064137033616:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:404:
    
    # Create the file
    [root@localhost CA]#touch /etc/pki/CA/index.txt
    
    [root@localhost CA]#openssl ca -in /data/app.csr -out /etc/pki/CA/certs/app.crt -days 100
    Using configuration from /etc/pki/tls/openssl.cnf
    # A file is missing: the serial file
    /etc/pki/CA/serial: No such file or directory
    error while loading serial number
    139691611453328:error:02001002:system library:fopen:No such file or directory:bss_file.c:402:fopen('/etc/pki/CA/serial','r')
    139691611453328:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:404:
    
    # Write a hexadecimal number into it
    [root@localhost CA]#echo 0F > /etc/pki/CA/serial
    [root@localhost CA]#cat /etc/pki/CA/serial 
    0F
    
    # Issue the certificate
    [root@localhost CA]#openssl ca -in /data/app.csr -out /etc/pki/CA/certs/app.crt -days 100
    Using configuration from /etc/pki/tls/openssl.cnf
    Check that the request matches the signature
    Signature ok
    Certificate Details:
            Serial Number: 15 (0xf)
            Validity
                Not Before: May 10 13:10:47 2020 GMT
                Not After : Aug 18 13:10:47 2020 GMT
            Subject:
                countryName               = CN
                stateOrProvinceName       = Jiangxi
                organizationName          = flamenca
                organizationalUnitName    = coral.app
                commonName                = app.coralloveme.com
                emailAddress              = [email protected]
            X509v3 extensions:
                X509v3 Basic Constraints: 
                    CA:FALSE
                Netscape Comment: 
                    OpenSSL Generated Certificate
                X509v3 Subject Key Identifier: 
                    D2:FC:F6:90:83:5F:64:2D:F7:C7:D3:A7:36:A8:5B:C7:31:78:70:36
                X509v3 Authority Key Identifier: 
                    keyid:88:02:E5:5C:23:09:B1:B0:24:B6:70:0D:C7:AC:A9:08:10:D7:1A:DC
    
    Certificate is to be certified until Aug 18 13:10:47 2020 GMT (100 days)
    Sign the certificate? [y/n]:y
    
    
    1 out of 1 certificate requests certified, commit? [y/n]y
    Write out database with 1 new entries
    Data Base Updated
    
    # View the issued certificate
    [root@localhost CA]#tree
    .
    ├── cacert.pem
    ├── certs
    │   └── app.crt
    ├── crl
    ├── index.txt
    ├── index.txt.attr
    ├── index.txt.old
    ├── newcerts
    │   └── 0F.pem
    ├── private
    │   └── cakey.pem
    ├── serial
    └── serial.old
    
    4 directories, 9 files
    [root@localhost CA]#diff certs/app.crt newcerts/0F.pem 
    # certs/app.crt and newcerts/0F.pem are identical; the contents are the same
    
    # View the certificate information
    [root@localhost CA]#cat index.txt
    V	200818131047Z		0F	unknown	/C=CN/ST=Jiangxi/O=flamenca/OU=coral.app/CN=app.coralloveme.com/emailAddress=[email protected]
    # V means the certificate is valid
    
    # The serial file has now changed from 0F to 10
    [root@localhost CA]#cat serial
    10
    
    
    
    # Step 4: send the issued certificate to the client
    
    
    # Whether one user can request multiple certificates
    [root@localhost CA]#cat index.txt.attr 
    unique_subject = yes
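    # no: multiple certificates may be requested; yes: only one
    
    # Revoke a certificate
    openssl ca -revoke /etc/pki/CA/newcerts/11.pem
    
    # Nobody else knows a certificate has been revoked, so generate a public revocation list
    openssl ca -gencrl -out /etc/pki/CA/crl.pem
    # This only works if the crlnumber file exists
    
    # Set the number of the first revoked certificate; note: this is only needed before the certificate revocation list is updated for the first time
    echo 01 > /etc/pki/CA/crlnumber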
    
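  2. Request a certificate

    # When different services need different certificates, the best approach is to keep the certificate files in each service's own configuration folder
    # Taking an https service as the example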
    
    [root@localhost data]# mkdir app
    [root@localhost data]# cd app
    [root@localhost app]# pwd
    /data/app
    # The certificate files go in this directory
    
    
    # Step 1: generate the private key
    [root@localhost app]# (umask 066;openssl genrsa -out app.key 1024 )
    Generating RSA private key, 1024 bit long modulus
    ................++++++
    ..............................++++++
    e is 65537 (0x10001)
    
    
    # Step 2: use the private key file to generate the certificate request file
    [root@localhost app]# openssl req -new -key app.key -out app.csr<<EOF
    > CN
    > Jiangxi
    > nc
    > flamenca
    > coral.app
    > app.coralloveme.com
    > [email protected]
    > 
    >
    > EOF
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [XX]:State or Province Name (full name) []:Locality Name (eg, city) [Default City]:Organization Name (eg, company) [Default Company Ltd]:Organizational Unit Name (eg, section) []:Common Name (eg, your name or your server's hostname) []:Email Address []:
    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:problems making Certificate Request
    
    [root@localhost app]# ll
    total 8
    -rw-r--r--. 1 root root 712 May 10 13:59 app.csr
    -rw-------. 1 root root 887 May 10 13:51 app.key
    
    
    
    # Transfer this file to the CA server so the CA can check it
    [root@localhost app]# scp /data/app/app.csr 192.168.33.128:/data/
    [email protected]'s password: 
    app.csr                                                                100%  712     0.7KB/s   00:00    
    
    
  3. Issue the certificate
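
The lab above as a single non-interactive run, added here as an example (not the author's commands): it builds a throwaway CA in a temporary directory, issues a certificate, revokes it, generates the CRL and checks the certificate before and after with openssl verify. It uses its own minimal ca.cnf instead of /etc/pki/CA and /etc/pki/tls/openssl.cnf; the subject names, the policy_demo section and the 2048-bit keys are assumptions.

```shell
# Added example: the lab's CA workflow, non-interactive, in a throwaway directory.
# Subject names and the 2048-bit key size are constructed for the demo.
ca_lab() {
  d=$(mktemp -d) || return 1
  (
    cd "$d" || exit 1
    mkdir -p CA/certs CA/crl CA/newcerts CA/private
    touch CA/index.txt        # certificate database
    echo 0F > CA/serial       # next serial number (hex)
    echo 01 > CA/crlnumber    # next CRL number (hex)
    cat > ca.cnf <<'EOF'
[ ca ]
default_ca         = CA_default
[ CA_default ]
dir                = ./CA
database           = $dir/index.txt
new_certs_dir      = $dir/newcerts
certificate        = $dir/cacert.pem
serial             = $dir/serial
crlnumber          = $dir/crlnumber
private_key        = $dir/private/cakey.pem
default_md         = sha256
default_crl_days   = 30
policy             = policy_demo
[ policy_demo ]
commonName         = supplied
[ req ]
distinguished_name = dn
x509_extensions    = v3_ca
[ dn ]
commonName         = Common Name
[ v3_ca ]
basicConstraints   = critical,CA:TRUE
EOF
    exec 3>&1 >openssl.log 2>&1   # keep openssl's own output out of the result
    (umask 077; openssl genrsa -out CA/private/cakey.pem 2048) || exit 1
    openssl req -new -x509 -config ca.cnf -key CA/private/cakey.pem \
      -subj "/CN=Demo Lab CA" -days 3650 -out CA/cacert.pem || exit 1
    (umask 077; openssl genrsa -out app.key 2048) || exit 1
    openssl req -new -config ca.cnf -key app.key -subj "/CN=app.example.test" -out app.csr || exit 1
    openssl ca -batch -config ca.cnf -in app.csr -out CA/certs/app.crt -days 100 || exit 1
    openssl verify -CAfile CA/cacert.pem CA/certs/app.crt && before=valid
    openssl ca -config ca.cnf -revoke CA/newcerts/0F.pem || exit 1
    openssl ca -config ca.cnf -gencrl -out CA/crl.pem || exit 1
    openssl verify -crl_check -CAfile CA/cacert.pem -CRLfile CA/crl.pem CA/certs/app.crt || after=revoked
    echo "${before:-invalid} ${after:-still-valid} $(cut -f1 CA/index.txt)" >&3
  )
  rc=$?; rm -rf "$d"; return $rc
}
```

The third field of the result is the status column of index.txt, which changes from V to R once the certificate is revoked.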

Purpose of a CA certificate:

To let the two communicating parties securely obtain each other's public key


Reposted from blog.csdn.net/FlamencaH/article/details/106505457