OpenSSL command line number of very large, very scare people.
This is because there are a lot of areas OpenSSL involved, such as a variety of symmetric / asymmetric algorithms, random number, signature, encryption, certificates, structural analysis, building systems such as PKI, behind in these areas have a lot of RFC documents, OpenSSL put these things in theory are translated into algorithms for us to learn and use.
Algorithm can have two forms: API and "Tools."
The former is a library used by programmers, while the latter is compiled to native code, which has three names refer to the same object, namely: commands, tools, applications.
For example, generate a self-signed certificate command line:
openssl req -x509 -newkey rsa:8192 -keyout rca.key -out rca.cer -days 365
One of the "req" is the "command" (also referred to as "tools" and "Application"), - days is "Options", 365 is a "parameter."
As the saying goes, "remain the same", although it's large and complex command line, but still there is a pattern, such as -inform specify the input file format, -outform specify the output file format, these two options are repeated in more than among the command; there are options, although the same name, but have different functions for different commands, such as -in option, if with the req command, is to enter the certificate request file, if with the x509 command is input certificate.
Given the flexibility OpenlSSL the command line, the same function can be performed by a different line of command, the following are some of my summary.
Of course, there are not likely to come include the command line, you are welcome to write in the comments section, I will put you in the body as a thank author.
Let us work together to complete this very interesting "projects" - to the Open SSL find the same!
Current version: OpenSSL 1.1.1c for Windows 28 May 2019
4 ways to generate a self-signed certificate
Method 1: req command (no need to request a file)
:: generate a self-signed certificate and private key openssl req -x509 -newkey rsa: 8192 -keyout rca.key -out rca.cer -days 365
Method 2: x509 command (request file required)
:: file and private key generation request OpenSSL REQ -new -out ca.csr -keyout ca.key :: generate a self-signed certificate openssl x509 -signkey ca.key -req -days 365 -in ca.csr -out cacert.pem
Method 3: ca command (request file required)
:: file and private key generation request OpenSSL REQ -new -out ca.csr -keyout ca.key :: generate a self-signed certificate openssl ca -selfsign -in ca.csr -keyfile ca.key -out ca.cer -outdir. -days 3650 -create_serial -extensions v3_ca
Method 4: ca command re-signing
Before reading a self-signed certificate ca1.cer, with a new name DN re-signature, the following code is OpenSSL self CA and CA chain, to the host issued a batch certificate (using the CA command) one of the "two CA-signed certificate "part, to understand look at this article.
D: & CD \ & RD / S / Q CA1 & MD CA1 & CD \ CA1 & MD demoCA & MD demoCA \ newcerts & MD demoCA \ Private CD> demoCA \ index.txt & echo CA02> demoCA \ Serial. :: generated self-signed CA1 root certificate, private key and public: OpenSSL req -x509 -newkey rsa: 8192 -keyout ca1.key -out ca1.cer -days 3650 -subj / C = CN / ST = jiangsu / L = nanjing / O = Tiger / OU = CA1 / CN = CA1 / -set_serial 0xca01 -passout Pass [email protected]: ABCD OpenSSL rsa -IN ca1.key -pubout -out ca1.pub -passin Pass: ABCD :: DN name a new re-sign a new root certificate CA1, output self-signed certificate is ok.cer-CA1 OpenSSL CA -ss_cert ca1.cer -keyfile ca1.key -cert ca1.cer -out CA1-ok.cer -outdir -create_serial -policy policy_anything the -batch -passin Pass:. ABCD -subj / C = CN / O = aa / ST = bb / CN = CA1
As to the two methods CA (terminal or intermediate CA) certificates signed by
There are two ways: X509 CA command and command, see my other two articles, not repeat them here.
OpenSSL self CA and CA chain, to the host issued a batch certificate (using x509 command)
OpenSSL self CA and CA chain, to the host issued a batch certificate (using the CA command)
Generating a private key methods RSA 3
Method 1: genrsa command:
openssl genrsa -out ca.key 8192
Method 2: genpkey command:
openssl genpkey -out rsa_pri.key -outform PEM -pass pass:123456 -aes-128-cbc -algorithm RSA -pkeyopt rsa_keygen_bits:4096
Method 3: req command
openssl req -x509 -newkey rsa:8192 -keyout rca.key -out rca.cer -days 3650
RSA encryption two methods
Method 1: pkeyutl command:
:: public key encryption OpenSSL rsautl -encrypt -IN a.txt -out 1.enc -inkey ca.pub -pubin :: private key to decrypt openssl rsautl -decrypt -in 1.enc -out dec.txt -inkey ca.key
Note: The disadvantage of this command is only for short file encryption and signature operations, if too large reported the following error:
Method 2: rsautl command:
Note: File experiment, the current version of OpenSSL, the command can handle up to 1013 bytes
:: public key encryption OpenSSL rsautl -encrypt -IN a.txt -out 1.enc -inkey ca.pub -pubin :: private key to decrypt openssl rsautl -decrypt -in 1.enc -out dec.txt -inkey ca.key
Sign / verify the signature of the four methods
Method 1: dgst command:
::对待签名的文件体积没有限制;原理是生成待签名文件的散列值,然后用公钥/私钥加密该散列值。 ::用私钥key.pem给1.zip生成二进制的签名文件,算法是SHA-256,签名文件是1.sig,注意不能使用-hex选项: openssl dgst -sha256 -sign key.pem -out 1.sig 1.zip ::用公钥对生成的签名文件1.sig与源文件1.zip进行比对验证,注意签名的算法和验证签名的算法要相同: openssl dgst -sha256 -verify pub.pem -signature 1.sig 1.zip ::同上,只不过用私钥验证签名 openssl dgst -sha256 -prverify key.pem -signature 1.sig 1.zip
方法2:md5命令(语法与dgst一模一样):
::对待签名的文件体积没有限制;原理是生成待签名文件的散列值,然后用公钥/私钥加密该散列值。 ::用私钥ca.key给文件text.txt签名,生成了名为sign的签名文件: openssl md5 -sha256 -sign ca.key -out sign test.txt ::用公钥ca.pub对生成的签名文件1.sig与源文件1.zip进行比对验证,注意签名的算法和验证签名的算法要相同: openssl md5 -sha256 -verify ca.pub -signature sign test.txt ::同上,只不过用私钥验证签名 openssl md5 -sha256 -prverify ca1.key -signature sign test.txt
方法3:rsautl命令:
::rsautl只能给小文件签名,经我的实验不能大于1013字节 ::私钥签名(其实就是私钥加密文件) openssl rsautl -sign -in abc.txt -out abc.sig -inkey ca.key ::公钥验证(其实就是用公钥将其解密),如果通过就恢复出原始数据,否则报错 openssl rsautl -verify -in abc.sig -out abc.vfy -inkey ca.pub -pubin方法1:pkeyutl令:
方法4:pkeyutl命令:
:: pkeyutl only signature to the hash value. :: experiment goal: to test.txt generate a hash value, then the hash value of the signature, and finally to verify the signature of this hash value. :: Mr. dgst to use the command file test.txt into a binary hash value of the file name is test.sig OpenSSL dgst -sha256 -binary -out test.sig test.txt :: with the private key to the hash value of the signature (that is, private key encryption hash value), generating a signature file md.sig: OpenSSL pkeyutl -sign -inkey ca.key -keyform PEM -IN test.sig -out md.sig :: read the public key, hash signature md.sig, test.sig hash value to verify the signature is correct. Principle is to use the public key to decrypt md.sig, i.e. the results verified by the same test.sig -inkey ca.pub -keyform PEM -pubin -in test.sig -sigfile md.sig openssl pkeyutl -verify
Two methods of extracting the public key
Method 1: rsa command:
openssl rsa -in ca.key -pubout -out ca.pub
Method 2: pkey command:
openssl pkey -in ca.key -pubout -out ca.pub