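What is openssl on Linux?

On Linux, openssl is an extremely powerful command-line tool that can handle many tasks related to public key infrastructure and HTTPS. openssl has two modes of operation: interactive mode and batch mode. Typing openssl and pressing Enter starts interactive mode; running openssl with a command and its options runs it in batch mode.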

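Environment for this tutorial: Linux 7.3 system, Dell G3 computer.

I. Introduction to the openssl command

openssl is an extremely powerful command-line tool that can handle many tasks related to Public Key Infrastructure (PKI) and HTTPS. OpenSSL is a powerful Secure Sockets Layer cryptography library that includes the main cryptographic algorithms, common key and certificate encapsulation and management functions, and the SSL protocol, and it provides a rich set of applications for testing and other purposes.
openssl has two modes of operation: interactive mode and batch mode. Typing openssl and pressing Enter starts interactive mode; running openssl with a command and its options runs it in batch mode.
The openssl package as a whole can be divided into three main functional parts: the cryptographic algorithm library, the SSL protocol library, and the applications. The directory structure of openssl is naturally organized around these three parts.

The openssl command is used for:

  • Creation and management of private keys, public keys and parameters
  • Public key cryptographic operations
  • Creation of X.509 certificates, CSRs and CRLs
  • Calculation of message digests
  • Encryption and decryption with ciphers
  • SSL/TLS client and server tests
  • Handling of S/MIME signed or encrypted mail
  • Timestamp requests, generation and verification

II. Usage examples

1. Getting command help in interactive mode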

OpenSSL> help
Standard commands
asn1parse         ca                ciphers           cms
crl               crl2pkcs7         dgst              dhparam
dsa               dsaparam          ec                ecparam
enc               engine            errstr            gendsa
genpkey           genrsa            help              list
nseq              ocsp              passwd            pkcs12
pkcs7             pkcs8             pkey              pkeyparam
pkeyutl           prime             rand              rehash
req               rsa               rsautl            s_client
s_server          s_time            sess_id           smime
speed             spkac             srp               storeutl
ts                verify            version           x509
Message Digest commands (see the `dgst' command for more details)
blake2b512        blake2s256        gost              md4
md5               mdc2              rmd160            sha1
sha224            sha256            sha3-224          sha3-256
sha3-384          sha3-512          sha384            sha512
sha512-224        sha512-256        shake128          shake256
sm3
Cipher commands (see the `enc' command for more details)
aes-128-cbc       aes-128-ecb       aes-192-cbc       aes-192-ecb
aes-256-cbc       aes-256-ecb       aria-128-cbc      aria-128-cfb
aria-128-cfb1     aria-128-cfb8     aria-128-ctr      aria-128-ecb
aria-128-ofb      aria-192-cbc      aria-192-cfb      aria-192-cfb1
aria-192-cfb8     aria-192-ctr      aria-192-ecb      aria-192-ofb
aria-256-cbc      aria-256-cfb      aria-256-cfb1     aria-256-cfb8
aria-256-ctr      aria-256-ecb      aria-256-ofb      base64
bf                bf-cbc            bf-cfb            bf-ecb
bf-ofb            camellia-128-cbc  camellia-128-ecb  camellia-192-cbc
camellia-192-ecb  camellia-256-cbc  camellia-256-ecb  cast
cast-cbc          cast5-cbc         cast5-cfb         cast5-ecb
cast5-ofb         des               des-cbc           des-cfb
des-ecb           des-ede           des-ede-cbc       des-ede-cfb
des-ede-ofb       des-ede3          des-ede3-cbc      des-ede3-cfb
des-ede3-ofb      des-ofb           des3              desx
idea              idea-cbc          idea-cfb          idea-ecb
idea-ofb          rc2               rc2-40-cbc        rc2-64-cbc
rc2-cbc           rc2-cfb           rc2-ecb           rc2-ofb
rc4               rc4-40            seed              seed-cbc
seed-cfb          seed-ecb          seed-ofb          sm4-cbc
sm4-cfb           sm4-ctr           sm4-ecb           sm4-ofb

2. Checking the version

OpenSSL> version
OpenSSL 1.1.1h 22 Sep 2020

3. Base64 encoding and decoding with openssl

  • Base64 encoding
(base) [root@sun-site certs]# echo "wuhs" |openssl base64
d3Vocwo=
(base) [root@sun-site certs]# echo "wuhs" > 1.txt
(base) [root@sun-site certs]# openssl base64 -in 1.txt
d3Vocwo=
  • Base64 decoding
(base) [root@sun-site certs]# echo "d3Vocwo=" | openssl base64 -d
wuhs
(base) [root@sun-site certs]# openssl base64 -d -in 1.base64
wuhs

4. Generating a random password with openssl

  • Generate a 12-character random password
(base) [root@sun-site certs]# openssl rand -base64 10 |cut -c 1-12
PGznlV5Og0Us

5. Generating digests with openssl

  • Compute the MD5 digest of the string "wuhs" (echo appends a newline, so the digest covers "wuhs" plus that newline, the same bytes as 1.txt)
(base) [root@sun-site certs]# echo wuhs | openssl md5
(stdin)= 4cdb1fbd6a34ff27dc8c10913fab3e7e
(base) [root@sun-site certs]# openssl md5 1.txt
MD5(1.txt)= 4cdb1fbd6a34ff27dc8c10913fab3e7e
  • Compute the SHA-1 digest of the string "wuhs"
(base) [root@sun-site certs]# openssl sha1 1.txt
SHA1(1.txt)= bd8f0b20de17d623608218d05e8741502cf42302
(base) [root@sun-site certs]# echo wuhs | openssl sha1
(stdin)= bd8f0b20de17d623608218d05e8741502cf42302

6. AES encryption and decryption with openssl

  • Encrypt the string "wuhs" with AES using the key 123, with the result output in base64 encoding
(base) [root@sun-site certs]# openssl aes-128-cbc -in 1.txt -k 123 -base64
*** WARNING : deprecated key derivation used.
Using -iter or -pbkdf2 would be better.
U2FsdGVkX194Z8P5c7C8vmXbA39omlqU/ET8xaehVFk=
  • Decrypt the AES-encrypted file data, key 123
(base) [root@sun-site certs]# openssl aes-128-cbc -d -k 123 -base64 -in 2.txt
*** WARNING : deprecated key derivation used.
Using -iter or -pbkdf2 would be better.
wuhs
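
The warning in the output above comes from the legacy key derivation used with -k 123. The following is an added example, not part of the original tutorial, that repeats the round trip with -pbkdf2 and -iter and reads the passphrase from a file instead of the command line. The file names, passphrases and iteration count are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: password-based AES with PBKDF2 instead of the legacy KDF.
# File names, passphrases and the iteration count are constructed values.
ITER=200000   # assumed work factor; encrypt and decrypt must use the same value

enc_file() {  # usage: enc_file PASSFILE IN OUT
    openssl enc -aes-256-cbc -pbkdf2 -iter "$ITER" -salt -base64 \
        -pass "file:$1" -in "$2" -out "$3"
}

dec_file() {  # usage: dec_file PASSFILE IN OUT [ITER]
    openssl enc -d -aes-256-cbc -pbkdf2 -iter "${4:-$ITER}" -base64 \
        -pass "file:$1" -in "$2" -out "$3" 2>/dev/null
}

# Succeeds only if decryption with the given parameters restores PLAIN exactly.
recovers() {  # usage: recovers PASSFILE CIPHERTEXT PLAIN [ITER]
    rm -f "$2.out"
    dec_file "$1" "$2" "$2.out" "$4"
    cmp -s "$3" "$2.out"
}

umask 077                                  # keep passphrase files private
tmp=$(mktemp -d) && trap 'rm -rf "$tmp"' EXIT
printf 'wuhs\n' > "$tmp/1.txt"             # same content as the page's 1.txt
openssl rand -base64 24 > "$tmp/pass"      # random passphrase, never on argv
printf '123\n' > "$tmp/wrong"              # a different (wrong) passphrase

enc_file "$tmp/pass" "$tmp/1.txt" "$tmp/2.txt"
cat "$tmp/2.txt"                           # base64 text starting with U2FsdGVkX1

recovers "$tmp/pass"  "$tmp/2.txt" "$tmp/1.txt"      && echo "round trip ok"
recovers "$tmp/wrong" "$tmp/2.txt" "$tmp/1.txt"      || echo "wrong passphrase: no plaintext"
recovers "$tmp/pass"  "$tmp/2.txt" "$tmp/1.txt" 1000 || echo "wrong -iter: no plaintext"
```

The Salted__ header stores only the salt, so the cipher and iteration count have to be supplied again at decryption time. openssl enc has no authenticated encryption modes, so a decrypt that exits successfully is not proof that the ciphertext was unmodified.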

7. Key generation and verification

  • Create an encrypted private key
(base) [root@sun-site tmp]# openssl genrsa -des3 -out sunsite.key 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
…+++++
…+++++
e is 65537 (0x010001)
Enter pass phrase for sunsite.key:
Verifying - Enter pass phrase for sunsite.key:
(base) [root@sun-site tmp]# ll
total 16
-rw------- 1 root root 1751 Oct 25 14:43 sunsite.key
  • Verify the private key
(base) [root@sun-site tmp]# openssl rsa -check -in sunsite.key
Enter pass phrase for sunsite.key:
RSA key ok
writing RSA key
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEA1jDreCAjX5kpNmnyNayQB/GUvyIRvZZM2WoKAIjne91JupgP
OKmBdYSWeWsf0h0XU9ubhCHpgCss2hdRKxLN3rJLlFD98TUKpb9S2XkfrT9s3cLN
PQyCELK60zrs1sE52I4pDj4nTZPZCL9mykzqwNa5rcGuHN/lLnvJxFPJOJwVWbVE
Bvh+jGioJbi+Ar0rs37/8naGBYz5k4BFn5sCKrhssoMEpDWjMz4yJMpycTlEFITa
…
  • Encrypt the private key; after the passphrase is entered, the private key file is encrypted
(base) [root@sun-site tmp]# openssl rsa -des3 -in sunsite.key -out sunsite.key
writing RSA key
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
  • Decrypt the private key; after the passphrase is entered, the private key file is decrypted
(base) [root@sun-site tmp]# openssl rsa -in sunsite.key -out sunsite2.key
Enter pass phrase for sunsite.key:
writing RSA key
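
The same key steps can be run without prompts and without echoing the key to the terminal. This is an added example, not part of the original tutorial: it creates an AES-256 encrypted key with genpkey and checks it with -noout, so the private key is not printed the way it is in the -check output above. File names and passphrases are constructed.

```shell
#!/bin/sh
# Added example: encrypted RSA key, created and checked without prompts.
# File names and passphrases are constructed for this demonstration.

new_key() {       # usage: new_key PASSFILE OUT
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -aes-256-cbc -pass "file:$1" -out "$2" 2>/dev/null
}

# Consistency check of the key; -noout keeps the key itself off the terminal.
key_ok() {        # usage: key_ok PASSFILE KEY
    openssl rsa -check -noout -passin "file:$1" -in "$2" >/dev/null 2>&1
}

# True if the PEM header marks the key as passphrase-protected.
is_encrypted() {  # usage: is_encrypted KEY
    grep -q -e 'ENCRYPTED' "$1"
}

umask 077                                   # new files are owner-only
dir=$(mktemp -d) && trap 'rm -rf "$dir"' EXIT
openssl rand -base64 24 > "$dir/pass"       # passphrase kept in a file
printf 'guess\n' > "$dir/wrong"             # a wrong passphrase

new_key "$dir/pass" "$dir/sunsite.key"
key_ok "$dir/pass"  "$dir/sunsite.key" && echo "key ok"
key_ok "$dir/wrong" "$dir/sunsite.key" || echo "wrong passphrase rejected"
is_encrypted "$dir/sunsite.key"        && echo "sunsite.key is encrypted"

# Decrypted copy, as in the last step above; nothing protects it but file mode.
openssl rsa -passin "file:$dir/pass" -in "$dir/sunsite.key" \
    -out "$dir/sunsite2.key" 2>/dev/null
is_encrypted "$dir/sunsite2.key" || echo "sunsite2.key is NOT encrypted"
```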

8. Generating certificate signing requests

  • Generate a CSR file using a specified private key file
(base) [root@sun-site tmp]# openssl req -key sunsite.key -new -out sunsite.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:HuNan
Locality Name (eg, city) []:changsha
Organization Name (eg, company) [Internet Widgits Pty Ltd]:sunsite
Organizational Unit Name (eg, section) []:jsb
Common Name (e.g. server FQDN or YOUR name) []:wuhs
Email Address []:524627027@qq.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:123456
  • Generate a private key and a CSR
(base) [root@sun-site tmp]# openssl req -newkey rsa:2048 -nodes -keyout s.key -out s.csr
Generating a RSA private key
…+++++
.+++++
writing new private key to 's.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:cn
State or Province Name (full name) [Some-State]:hunan
Locality Name (eg, city) []:changsha
Organization Name (eg, company) [Internet Widgits Pty Ltd]:sunsite
Organizational Unit Name (eg, section) []:jsb
Common Name (e.g. server FQDN or YOUR name) []:wuhs
Email Address []:524627027@qq.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:123456
(base) [root@sun-site tmp]# ll
total 28
-rw-r--r-- 1 root root 1102 Oct 25 15:37 s.csr
-rw------- 1 root root 1708 Oct 25 15:37 s.key
  • Generate a CSR from an existing certificate and private key
openssl x509 -in domain.crt -signkey domain.key -x509toreq -out domain.csr
  • View the CSR file
(base) [root@sun-site tmp]# openssl req -text -noout -verify -in sunsite.csr

9. Creating and viewing SSL certificates

  • Generate a self-signed certificate
(base) [root@sun-site tmp]# openssl req -newkey rsa:2048 -nodes -keyout sunsite.key -x509 -days 365 -out sunsite.crt
Generating a RSA private key
…+++++
…+++++
writing new private key to 'sunsite.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:cn
State or Province Name (full name) [Some-State]:hn
Locality Name (eg, city) []:cs
Organization Name (eg, company) [Internet Widgits Pty Ltd]:sunsite
Organizational Unit Name (eg, section) []:jsb
Common Name (e.g. server FQDN or YOUR name) []:wuhs
Email Address []:524627027@qq.com
(base) [root@sun-site tmp]# ll
-rw-r--r-- 1 root root 1383 Oct 25 16:03 sunsite.crt
-rw-r--r-- 1 root root 1102 Oct 25 15:05 sunsite.csr
-rw------- 1 root root 1708 Oct 25 16:03 sunsite.key
  • Generate a self-signed certificate using an existing private key
(base) [root@sun-site tmp]# openssl req -key sunsite.key -new -x509 -days 365 -out sunsite.crt
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:cn
State or Province Name (full name) [Some-State]:hn
Locality Name (eg, city) []:cs
Organization Name (eg, company) [Internet Widgits Pty Ltd]:sunsite
Organizational Unit Name (eg, section) []:jsb
Common Name (e.g. server FQDN or YOUR name) []:wuhs
Email Address []:wuhs@qq.com
  • Generate a self-signed certificate using an existing private key and CSR
(base) [root@sun-site tmp]# openssl x509 -signkey sunsite.key -in sunsite.csr -req -days 365 -out sunsite.crt
Signature ok
subject=C = CN, ST = HuNan, L = changsha, O = sunsite, OU = jsb, CN = wuhs, emailAddress = 524627027@qq.com
Getting Private key
  • View the certificate

(base) [root@sun-site tmp]# openssl x509 -text -noout -in sunsite.crt

  • Verify whether the certificate was issued by the CA
(base) [root@sun-site tmp]# openssl verify -verbose -CAfile ca.crt sunsite.crt
Error loading file ca.crt
# the CA certificate is required
  • Verify that the private key, certificate and CSR match
(base) [root@sun-site tmp]# openssl x509 -noout -modulus -in sunsite.crt |openssl md5
(stdin)= e26905e973af69aed4e4d707f882de61
(base) [root@sun-site tmp]# openssl rsa -noout -modulus -in sunsite.key |openssl md5
(stdin)= e26905e973af69aed4e4d707f882de61
(base) [root@sun-site tmp]# openssl req -noout -modulus -in sunsite.csr |openssl md5
(stdin)= e26905e973af69aed4e4d707f882de61
# identical MD5 checksums show that the three match
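
The two checks above, as an added example that is not part of the original tutorial: it builds a throwaway CA so that openssl verify has a ca.crt to load, and it compares SHA-256 fingerprints of the public key instead of the MD5 of the RSA modulus, which also works for non-RSA keys. All file names and subject names are constructed.

```shell
#!/bin/sh
# Added example: throwaway CA and leaf certificate, then both checks.
# All file and subject names (ca.*, leaf.*, other.*) are constructed.

# SHA-256 fingerprint of the public key inside a key, CSR or certificate.
pub_fp() {        # usage: pub_fp key|csr|crt FILE
    case "$1" in
        key) pem=$(openssl pkey -in "$2" -pubout 2>/dev/null) ;;
        csr) pem=$(openssl req  -in "$2" -noout -pubkey 2>/dev/null) ;;
        crt) pem=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) ;;
        *)   return 2 ;;
    esac
    [ -n "$pem" ] || return 2      # unreadable file or wrong type
    printf '%s\n' "$pem" | openssl dgst -sha256 | awk '{print $NF}'
}

triple_match() {  # usage: triple_match KEY CSR CRT
    k=$(pub_fp key "$1") && r=$(pub_fp csr "$2") && c=$(pub_fp crt "$3") &&
        [ "$k" = "$r" ] && [ "$k" = "$c" ]
}

issued_by() {     # usage: issued_by CA_CERT CERT
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

work=$(mktemp -d) && trap 'rm -rf "$work"' EXIT
cd "$work" || exit 1
# Self-signed CA certificate
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
    -days 30 -subj "/CN=Example Test CA" 2>/dev/null
# Leaf key and CSR, then a certificate signed by the CA
openssl req -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
    -subj "/CN=leaf.example.test" 2>/dev/null
openssl x509 -req -in leaf.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
    -days 30 -out leaf.crt 2>/dev/null
# Unrelated self-signed certificate for the negative cases
openssl req -x509 -newkey rsa:2048 -nodes -keyout other.key -out other.crt \
    -days 30 -subj "/CN=other.example.test" 2>/dev/null

issued_by ca.crt leaf.crt  && echo "leaf.crt: issued by ca.crt"
issued_by ca.crt other.crt || echo "other.crt: not issued by ca.crt"
triple_match leaf.key  leaf.csr leaf.crt && echo "leaf key, CSR and cert match"
triple_match other.key leaf.csr leaf.crt || echo "other.key does not match"
```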

10. Certificate format conversion

  • PEM to DER
(base) [root@sun-site tmp]# openssl x509 -in sunsite.crt -outform der -out sunsite.der
  • DER to PEM
(base) [root@sun-site tmp]# openssl x509 -in sunsite.der -inform der -out sunsite.crt
  • PEM to PKCS7
(base) [root@sun-site tmp]# openssl crl2pkcs7 -nocrl -certfile sunsite.crt -certfile ca-chain.crt -out sunsite.p7b
  • PKCS7 to PEM
# openssl pkcs7 -in domain.p7b -print_certs -out domain.crt
  • PEM to PKCS12
openssl pkcs12 -inkey domain.key -in domain.crt -export -out domain.pfx
  • PKCS12 to PEM (-nodes leaves the private key in the output file unencrypted)
openssl pkcs12 -in domain.pfx -nodes -out domain.combined.crt

11. Certificate revocation

  • On the client, get the serial of the certificate to be revoked (run on the host that uses the certificate)
(base) [root@sun-site tmp]# openssl x509 -in sunsite.crt -noout -serial -subject
serial=2DA086B4B14ECE63535734049A4BCF70290446C9
subject=C = CN, ST = HuNan, L = changsha, O = sunsite, OU = jsb, CN = wuhs, emailAddress = 524627027@qq.com

12. Getting command help

  • Using the openssl x509 command as an example

(base) [root@sun-site tmp]# openssl x509 -help

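III. Syntax and command reference

1. Syntax

openssl command [ command_opts ] [ command_args ]

2. Standard commands

Command Description
asn1parse Parse an ASN.1 sequence.
ca Certificate Authority (CA) management.
ciphers Cipher suite description determination.
cms CMS (Cryptographic Message Syntax) utility.
crl Certificate Revocation List (CRL) management.
crl2pkcs7 CRL to PKCS#7 conversion.
dgst Message digest calculation.
dh Diffie-Hellman parameter management. Obsoleted by dhparam.
dhparam Generation and management of Diffie-Hellman parameters. Superseded by genpkey and pkeyparam.
dsa DSA data management.
dsaparam DSA parameter generation and management. Superseded by genpkey and pkeyparam.
ec EC (elliptic curve) key processing.
ecparam EC parameter manipulation and generation.
enc Encoding with ciphers.
engine Engine (loadable module) information and manipulation.
errstr Error number to error string conversion.
gendh Generation of Diffie-Hellman parameters. Obsoleted by dhparam.
gendsa Generation of a DSA private key from parameters. Superseded by genpkey and pkey.
genpkey Generation of a private key or parameters.
genrsa Generation of an RSA private key. Superseded by genpkey.
nseq Create or examine a Netscape certificate sequence.
ocsp Online Certificate Status Protocol utility.
passwd Generation of hashed passwords.
pkcs12 PKCS#12 data management.
pkcs7 PKCS#7 data management.
pkey Public and private key management.
pkeyparam Public key algorithm parameter management.
pkeyutl Public key algorithm cryptographic operation utility.
rand Generate pseudo-random bytes.
req PKCS#10 X.509 Certificate Signing Request (CSR) management.
rsa RSA key management.
rsautl RSA utility for signing, verification, encryption and decryption. Superseded by pkeyutl.
s_client Implements a generic SSL/TLS client that can establish a transparent connection to a remote server speaking SSL/TLS. It is intended for testing purposes only and provides only basic interface functionality, but internally it uses nearly all of the functionality of the OpenSSL library.
s_server
s_time SSL connection timer.
sess_id SSL session data management.
smime S/MIME mail processing.
speed Algorithm speed measurement.
spkac SPKAC printing and generating utility.
ts Time Stamping Authority tool (client/server).
verify X.509 certificate verification.
version OpenSSL version information.
x509 X.509 certificate data management.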

3. Message digest commands

Command Description
md2 MD2 Digest
md5 MD5 Digest
mdc2 MDC2 Digest
rmd160 RMD-160 Digest
sha SHA Digest
sha1 SHA-1 Digest
sha224 SHA-224 Digest
sha256 SHA-256 Digest
sha384 SHA-384 Digest
sha512 SHA-512 Digest

4. Encoding and cipher commands

Command Description
base64 Base64 encoding
bf bf-cbc bf-cfb bf-ecb bf-ofb Blowfish cipher
cast cast-cbc CAST cipher
cast5-cbc cast5-cfb cast5-ecb cast5-ofb CAST5 cipher
des des-cbc des-cfb des-ecb des-ede des-ede-cbc des-ede-cfb des-ede-ofb des-ofb DES cipher
des3 desx des-ede3 des-ede3-cbc des-ede3-cfb des-ede3-ofb Triple DES cipher
idea idea-cbc idea-cfb idea-ecb idea-ofb IDEA cipher
rc2 rc2-cbc rc2-cfb rc2-ecb rc2-ofb RC2 cipher
rc4 RC4 cipher
rc5 rc5-cbc rc5-cfb rc5-ecb rc5-ofb RC5 cipher
