Home | 簡體中文 | 繁體中文 | 雜文 | 知乎專欄 | Github | OSChina 博客 | 雲社區 | 雲棲社區 | Facebook | Linkedin | 視頻教程 | 打賞(Donations) | About
Chapter 7. OpenSSL
Prev   Next

Chapter 7. OpenSSL

Table of Contents

7.1. openssl 命令參數
7.1.1. version
7.1.2. 測試加密算法的速度
7.1.3. req
7.1.4. x509
7.1.5. ca
7.1.6. crl
7.1.7. pkcs12
7.1.8. passwd
7.1.9. digest
7.1.9.1. list-message-digest-commands
7.1.9.2. md5
7.1.9.3. sha1
7.1.10. enc
7.1.10.1. list-cipher-commands
7.1.10.2. base64
7.1.10.3. des
7.1.10.4. aes
7.1.11. rsa
7.1.12. dsa
7.1.13. rc4
7.1.14. -config 指定配置檔案
7.1.15. -subj 指定參數
7.1.16. rand
7.1.17. 去除私鑰的密碼
7.2. web 伺服器 ssl 證書
7.2.1. Nginx
7.2.1.1. Nginx + Tomcat (HTTP2)
7.3. s_server / s_client
7.3.1. SSL POP3 / SMTP / IMAP
7.3.2. server / client 檔案傳輸
7.3.3. HTTP SSL 證書
7.3.3.1. 證書鏈
7.3.3.2. 顯示證書
7.3.3.3. 指定 servername
7.4. smime
7.5. Outlook smime x509 證書
7.5.1. 快速創建自簽名證書
7.5.2. 企業或集團方案
7.5.2.1. 證書環境
7.5.2.2. 頒發CA證書
7.5.2.3. 頒發客戶證書
7.5.2.4. 吊銷已簽發的證書
7.6. 證書轉換
7.6.1. CA證書
7.6.2. 創建CA證書有效期為一年
7.6.3. x509轉換為pfx
7.6.4. PEM格式的ca.key轉換為Microsoft可以識別的pvk格式
7.6.5. PKCS#12 到 PEM 的轉換
7.6.6. 從 PFX 格式檔案中提取私鑰格式檔案 (.key)
7.6.7. 轉換 pem 到到 spc
7.6.8. PEM 到 PKCS#12 的轉換
7.6.9. How to Convert PFX Certificate to PEM Format for SOAP
7.6.10. DER檔案(.crt .cer .der)轉為PEM格式檔案
7.6.11. JKS 轉 X509
7.6.12. jks to pem
7.7. 其他證書工具
7.8. OpenSSL 開發庫
7.8.1. DES encryption with OpenSSL

不多說了。

7.1. openssl 命令參數

7.1.1. version

[root@netkiller nginx]# openssl version
OpenSSL 1.0.1e-fips 11 Feb 2013

7.1.2. 測試加密算法的速度

$ openssl speed
			
$ openssl speed rsa
$ openssl speed aes

7.1.3. req

openssl req -new -x509 -days 7300 -key ca.key -out ca.crt

7.1.4. x509

openssl x509 -req -in client-req.csr -out client.crt -signkey client-key.pem -CA ca.crt -CAkey ca.key -days 365 -CAserial serial

驗證一下我們生成的檔案。

openssl x509 -in cacert.pem -text -noout

-extfile

openssl x509 -req -in careq.pem -extfile openssl.cnf -extensions v3_ca -signkey key.pem -out cacert.pem

7.1.5. ca

# 生成CRL列表
$ openssl ca -gencrl -out exampleca.crl

7.1.6. crl

# 查看CRL列表信息
$ openssl crl -in exampleca.crl -text -noout

# 驗證CRL列表簽名信息
$ openssl crl -in exampleca.crl -noout -CAfile cacert.pem

7.1.7. pkcs12

-clcerts 表示僅導出客戶證書。

openssl pkcs12 -export -clcerts -in 324.cer -inkey ca.pem -out 324.p12 -name "Email SMIME"

轉換PEM證書檔案和私鑰到PKCS#12檔案

openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt

7.1.8. passwd

MD5-based password algorithm

# openssl passwd -1 -salt 'random-phrase-here' 'your-password-here'
$1$random-p$AOw9RDIWQm6tfUo9Ediu/0

-crypt standard Unix password algorithm (default)

# openssl passwd -crypt -salt 'sa' 'password'
sa3tHJ3/KuYvI

7.1.9. digest

如何創建一個檔案的 MD5 或 SHA1 摘要?

摘要創建使用 dgst 選項.

7.1.9.1. list-message-digest-commands

列出可用摘要

$ openssl list-message-digest-commands
md2
md4
md5
mdc2
rmd160
sha
sha1

7.1.9.2. md5

# MD5 digest
openssl dgst -md5 filename
[Note]Note

MD5 信息摘要也同樣可以使用md5sum創建

				
$ echo "Hello World!" > message.txt
$ openssl dgst -md5 message.txt
MD5(message.txt)= d9226d4bd8779baa69db272f89a2e05c

7.1.9.3. sha1

# SHA1 digest
openssl dgst -sha1 filename
				
$ openssl dgst -sha1 /etc/passwd
SHA1(/etc/passwd)= 9d883a9d35fd9a6dc81e6a1717a8e2ecfc49cdd8

7.1.10. enc

使用方法:

$ openssl enc 加密算法 -k 密碼 -in 輸入明文檔案 -out 輸出密文檔案

$ openssl enc 加密算法 -k 密碼 -in 輸出密文檔案 -out 輸入明文檔案

7.1.10.1. list-cipher-commands

可用的編碼/解碼方案

# or get a long list, one cipher per line
openssl list-cipher-commands

# openssl list-cipher-commands
aes-128-cbc
aes-128-ecb
aes-192-cbc
aes-192-ecb
aes-256-cbc
aes-256-ecb
base64
bf
bf-cbc
bf-cfb
bf-ecb
bf-ofb
cast
cast-cbc
cast5-cbc
cast5-cfb
cast5-ecb
cast5-ofb
des
des-cbc
des-cfb
des-ecb
des-ede
des-ede-cbc
des-ede-cfb
des-ede-ofb
des-ede3
des-ede3-cbc
des-ede3-cfb
des-ede3-ofb
des-ofb
des3
desx
idea
idea-cbc
idea-cfb
idea-ecb
idea-ofb
rc2
rc2-40-cbc
rc2-64-cbc
rc2-cbc
rc2-cfb
rc2-ecb
rc2-ofb
rc4
rc4-40
rc5
rc5-cbc
rc5-cfb
rc5-ecb
rc5-ofb

7.1.10.2. base64

使用 base64-encode 編碼/解碼?

使用 enc -base64 選項

# send encoded contents of file.txt to stdout
openssl enc -base64 -in file.txt

# same, but write contents to file.txt.enc
openssl enc -base64 -in file.txt -out file.txt.enc

命令行

C:\GnuWin32\neo>openssl enc -base64 -in file.txt
SGVsbG8gV29ybGQhDQo=

C:\GnuWin32\neo>openssl enc -base64 -in file.txt -out file.txt.enc

C:\GnuWin32\neo>type file.txt.enc
SGVsbG8gV29ybGQhDQo=

C:\GnuWin32\neo>

通過管道操作

C:\GnuWin32\neo>echo "encode me" | openssl enc -base64
ImVuY29kZSBtZSIgDQo=

C:\GnuWin32\neo>echo -n "encode me" | openssl enc -base64
LW4gImVuY29kZSBtZSIgDQo=

C:\GnuWin32\neo>

使用 -d (解碼) 選項來反轉操作.

C:\GnuWin32\neo>openssl enc -base64 -d -in file.txt.enc
Hello World!

C:\GnuWin32\neo>openssl enc -base64 -d -in file.txt.enc -out file.txt

快速命令行

C:\GnuWin32\neo>type file.txt.enc | openssl enc -base64 -d
Hello World!

C:\GnuWin32\neo>type file.txt.enc
SGVsbG8gV29ybGQhDQo=

C:\GnuWin32\neo>echo SGVsbG8gV29ybGQhDQo= | openssl enc -base64 -d
Hello World!

7.1.10.3. des

對稱加密與解密

加密

# openssl enc -des -e -a -in file.txt -out file.txt.des
enter des-cbc encryption password:
Verifying - enter des-cbc encryption password:

解密

# openssl enc -des -d -a -in file.txt.des -out file.txt.tmp
enter des-cbc decryption password:
				
				
% echo abc | openssl des-cbc -k 123 -base64         
U2FsdGVkX1+atYQyhz7I1ktb5XtYasGk

7.1.10.4. aes

加密

openssl enc -aes-128-cbc -in filename -out filename.out

解密

openssl enc -d -aes-128-cbc -in filename.out -out filename
				
				
echo abc | openssl aes-128-cbc -k 123 -base64

7.1.11. rsa

產生密鑰對

生成私鑰

openssl genrsa -out private.key 1024

根據私鑰產生公鑰

openssl rsa -in private.key -pubout > public.key

用公鑰加密明文

$ openssl rsautl -encrypt -pubin -inkey public.key -in filename -out filename.out

用私鑰解密

$ openssl rsautl -decrypt -inkey private.key -in filename.out -out filename

7.1.12. dsa

Example 7.1. dsaparam & gendsa

# create parameters in dsaparam.pem
openssl dsaparam -out dsaparam.pem 1024

# create first key
openssl gendsa -out key1.pem dsaparam.pem

# and second ...
openssl gendsa -out key2.pem dsaparam.pem

生成私鑰

openssl dsaparam -out dsaparam.pem 1024
openssl gendsa -out private.key dsaparam.pem

根據私鑰產生公鑰

openssl dsa -in private.key -pubout -out public.key
			
$ ls
dsaparam.pem  private.key  public.key

$ cat *
-----BEGIN DSA PARAMETERS-----
MIIBHgKBgQCAkvuZmbK7zgTv3WnYayypdghcNKA+jP7/fdwy82JfqkJeF38FOOu8
4cbrQjzs6XdANeZk3c6BVQfqNfFnUomKARm0gdqeelsmyHMV+0jy7fuX1HHIUZyJ
Rqravmh+o9iYX1aA3jsP5sDoosEEEYKQBAUEi6vwzCnjCra3TBuvmQIVAPYqwKI3
v6nkKAfn+lqPvmHqVDv5AoGAb7vilZ7EtuYpJbpURZtTPOtLpMmpfwXq+g7cKQ7Z
mC+TCwzVUkBv8s/gxwr7r92bCmGTGJGuBVGqI0yEbrkMRGieJwOrS885NNg+AiTW
DB0Xo2klaTg5rFydGxPvWI72cpyds69Ptm4z9Th0xrtDUNIYPdDIR+rVUao5XBS9
U4w=
-----END DSA PARAMETERS-----
-----BEGIN DSA PRIVATE KEY-----
MIIBugIBAAKBgQCAkvuZmbK7zgTv3WnYayypdghcNKA+jP7/fdwy82JfqkJeF38F
OOu84cbrQjzs6XdANeZk3c6BVQfqNfFnUomKARm0gdqeelsmyHMV+0jy7fuX1HHI
UZyJRqravmh+o9iYX1aA3jsP5sDoosEEEYKQBAUEi6vwzCnjCra3TBuvmQIVAPYq
wKI3v6nkKAfn+lqPvmHqVDv5AoGAb7vilZ7EtuYpJbpURZtTPOtLpMmpfwXq+g7c
KQ7ZmC+TCwzVUkBv8s/gxwr7r92bCmGTGJGuBVGqI0yEbrkMRGieJwOrS885NNg+
AiTWDB0Xo2klaTg5rFydGxPvWI72cpyds69Ptm4z9Th0xrtDUNIYPdDIR+rVUao5
XBS9U4wCgYBISbp4/z5JY2OqXVttS6G4GQT0PMAiJZi9pty4H0rKoSmbrgjev/wp
7BW8NqaJnlSjNCzF4SH+DXxZeuktJPNftHYi8BPIrHxR6CG1h7VPDr/IwSoff0Kx
Lhc6vqxcCRpcQoqbhXGG5RxMsczD4nRmdmhXbelPRu10T4qxEiVG7gIUc1KsK+hA
+EzXl80Eyj2Si7UH/wI=
-----END DSA PRIVATE KEY-----
-----BEGIN PUBLIC KEY-----
MIIBtjCCASsGByqGSM44BAEwggEeAoGBAICS+5mZsrvOBO/dadhrLKl2CFw0oD6M
/v993DLzYl+qQl4XfwU467zhxutCPOzpd0A15mTdzoFVB+o18WdSiYoBGbSB2p56
WybIcxX7SPLt+5fUcchRnIlGqtq+aH6j2JhfVoDeOw/mwOiiwQQRgpAEBQSLq/DM
KeMKtrdMG6+ZAhUA9irAoje/qeQoB+f6Wo++YepUO/kCgYBvu+KVnsS25iklulRF
m1M860ukyal/Ber6DtwpDtmYL5MLDNVSQG/yz+DHCvuv3ZsKYZMYka4FUaojTIRu
uQxEaJ4nA6tLzzk02D4CJNYMHRejaSVpODmsXJ0bE+9YjvZynJ2zr0+2bjP1OHTG
u0NQ0hg90MhH6tVRqjlcFL1TjAOBhAACgYBISbp4/z5JY2OqXVttS6G4GQT0PMAi
JZi9pty4H0rKoSmbrgjev/wp7BW8NqaJnlSjNCzF4SH+DXxZeuktJPNftHYi8BPI
rHxR6CG1h7VPDr/IwSoff0KxLhc6vqxcCRpcQoqbhXGG5RxMsczD4nRmdmhXbelP
Ru10T4qxEiVG7g==
-----END PUBLIC KEY-----

7.1.13. rc4

加密檔案

# openssl enc -e -rc4 -in in.txt -out out.txt
enter rc4 encryption password:
Verifying - enter rc4 encryption password:

解密檔案

# openssl enc -d -rc4 -in out.txt -out test.txt
enter rc4 decryption password:

使用 -k 指定密鑰

openssl enc -e -rc4 -k passwd -in in.txt -out out.txt
openssl enc -d -rc4 -k passwd -in out.txt -out test.txt

7.1.14. -config 指定配置檔案

# openssl req -new -newkey rsa:2048 -config openssl.cfg -keyout server.key -nodes -out certreq.csr

7.1.15. -subj 指定參數

# openssl req -new -newkey rsa:2048 -keyout server.key -nodes -subj /C=CN/O=example.com/OU=IT/CN=Neo/ST=GD/L=Shenzhen -out certreq.csr

C:\> openssl req -new -newkey rsa:2048 -config openssl.cfg -keyout server.key -nodes -subj /C=CN/O="%OrganizationName%"/OU="%OrganizationUnit%"/CN="%CommonName%"/ST="%StateName%"/L="%LocalityName%" -out certreq.csr

openssl req -x509 -nodes -days 365 -newkey rsa:4096 -keyout /etc/nginx/ssl/www.netkiller.cn.key -out /etc/nginx/ssl/www.netkiller.cn.crt -subj "/C=CN/ST=Guangdong/L=Shenzhen/O=Global Security/OU=IT Department/CN=www.netkiller.cn/emailAddress=netkiller@msn.com"

openssl req -x509 -nodes -days 365 -newkey rsa:4096 -keyout /etc/nginx/ssl/www.netkiller.cn.key -out /etc/nginx/ssl/www.netkiller.cn.crt -subj "/C=CN/ST=Guangdong/L=Shenzhen/O=Global Security/OU=IT Department/CN=*netkiller.cn/emailAddress=netkiller@msn.com"

7.1.16. rand

生成隨機數

openssl rand 12 -base64			
			
# openssl rand -base64 24
rgphwqZFFA2tY1QfuBrmw3aN62i6ctFy

7.1.17. 去除私鑰的密碼

$ openssl rsa -in neo.key -out nopassword.key
Enter pass phrase for neo.key:
writing RSA key

Prev   Next
6.5. 例子 Home 7.2. web 伺服器 ssl 證書