
Chapter 208. OpenSSL

Table of Contents

208.1. openssl command-line options
208.1.1. version
208.1.2. Benchmarking cipher speed
208.1.3. req
208.1.4. x509
208.1.5. ca
208.1.6. crl
208.1.7. pkcs12
208.1.8. passwd
208.1.9. digest
208.1.9.1. list-message-digest-commands
208.1.9.2. md5
208.1.9.3. sha1
208.1.10. enc
208.1.10.1. list-cipher-commands
208.1.10.2. base64
208.1.10.3. des
208.1.10.4. aes
208.1.11. rsa
208.1.12. dsa
208.1.13. rc4
208.1.14. -config: specify the configuration file
208.1.15. -subj: specify the subject
208.1.16. rand
208.1.17. Removing the passphrase from a private key
208.2. SSL certificates for web servers
208.2.1. Nginx
208.2.1.1. Nginx + Tomcat (HTTP2)
208.3. s_server / s_client
208.3.1. SSL POP3 / SMTP / IMAP
208.3.2. server / client file transfer
208.3.3. HTTP SSL certificates
208.3.3.1. Certificate chain
208.3.3.2. Displaying a certificate
208.3.3.3. Specifying the servername
208.4. smime
208.5. Outlook S/MIME X.509 certificates
208.5.1. Quickly creating a self-signed certificate
208.5.2. Enterprise or group deployment
208.5.2.1. Certificate environment
208.5.2.2. Issuing the CA certificate
208.5.2.3. Issuing client certificates
208.5.2.4. Revoking an issued certificate
208.6. Certificate conversion
208.6.1. CA certificate
208.6.2. Creating a CA certificate valid for one year
208.6.3. Converting X.509 to PFX
208.6.4. Converting a PEM ca.key to the PVK format Microsoft recognises
208.6.5. PKCS#12 to PEM conversion
208.6.6. Extracting the private key file (.key) from a PFX file
208.6.7. Converting PEM to SPC
208.6.8. PEM to PKCS#12 conversion
208.6.9. How to Convert PFX Certificate to PEM Format for SOAP
208.6.10. Converting DER files (.crt .cer .der) to PEM format
208.6.11. JKS to X509
208.6.12. jks to pem
208.7. Other certificate tools
208.8. OpenSSL development libraries
208.8.1. DES encryption with OpenSSL

Without further ado.

208.1. openssl command-line options

208.1.1. version

[root@netkiller nginx]# openssl version
OpenSSL 1.0.1e-fips 11 Feb 2013

208.1.2. Benchmarking cipher speed

$ openssl speed

$ openssl speed rsa
$ openssl speed aes

208.1.3. req

openssl req -new -x509 -days 7300 -key ca.key -out ca.crt

208.1.4. x509

# Sign the client's request with the CA certificate and key. Do not add -signkey here:
# it means "self-sign with this key", and newer OpenSSL releases reject it together with -CA.
openssl x509 -req -in client-req.csr -out client.crt -CA ca.crt -CAkey ca.key -days 365 -CAserial serial

Verify the file we generated:

openssl x509 -in cacert.pem -text -noout

-extfile: take the X.509 extensions (here the v3_ca section selected by -extensions) from a configuration file:

openssl x509 -req -in careq.pem -extfile openssl.cnf -extensions v3_ca -signkey key.pem -out cacert.pem

208.1.5. ca

# Generate a CRL
$ openssl ca -gencrl -out exampleca.crl

208.1.6. crl

# Show the contents of a CRL
$ openssl crl -in exampleca.crl -text -noout

# Verify the CRL signature against the CA certificate
$ openssl crl -in exampleca.crl -noout -CAfile cacert.pem
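The req, x509 -extfile, ca -gencrl and crl -CAfile commands above are the pieces of one CA lifecycle. As an added example (not the book's own code), the script below chains them: it builds a root CA, issues a server certificate, verifies the chain, revokes the certificate, publishes a CRL, verifies the CRL signature, and then shows that verification with -crl_check rejects the revoked certificate. "Demo Root CA", "www.example.test" and every file name are constructed for the demo; the ca.cnf it writes is the minimal configuration openssl ca needs for -revoke and -gencrl.

```shell
#!/bin/sh
# Added example (not the book's own code): the req, x509 -extfile, ca -gencrl and
# crl -CAfile commands chained into one self-contained CA lifecycle.
# "Demo Root CA", "www.example.test" and all file names are constructed for the demo.

# Minimal configuration for "openssl ca"; only what -revoke and -gencrl need.
write_ca_config() {
    mkdir -p "$1/newcerts"
    : > "$1/index.txt"
    echo "unique_subject = no" > "$1/index.txt.attr"
    echo 1000 > "$1/serial"
    echo 1000 > "$1/crlnumber"
    cat > "$1/ca.cnf" <<EOF
[ ca ]
default_ca = demo_ca

[ demo_ca ]
database         = $1/index.txt
new_certs_dir    = $1/newcerts
certificate      = $1/ca.crt
private_key      = $1/ca.key
serial           = $1/serial
crlnumber        = $1/crlnumber
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = policy_any

[ policy_any ]
commonName = supplied
EOF
}

# Prints one status line per step: chain:ok, crl:ok, revoked:rejected on success.
run_ca_demo() {
    ca_dir=$(mktemp -d)
    write_ca_config "$ca_dir"
    (
        cd "$ca_dir"
        # 1. Root CA: "req" makes the request, "x509 -req -signkey" self-signs it
        #    with the CA extensions taken from -extfile (the book's careq.pem step).
        openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Root CA" \
            -keyout ca.key -out ca.csr 2>/dev/null
        cat > ca_ext.cnf <<EOF
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
        openssl x509 -req -in ca.csr -signkey ca.key -days 365 -sha256 \
            -extfile ca_ext.cnf -out ca.crt 2>/dev/null

        # 2. Server certificate signed by the CA, with end-entity extensions;
        #    clients match the host name against subjectAltName, not CN.
        openssl req -new -newkey rsa:2048 -nodes -subj "/CN=www.example.test" \
            -keyout srv.key -out srv.csr 2>/dev/null
        cat > srv_ext.cnf <<EOF
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.test
EOF
        openssl x509 -req -in srv.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
            -days 365 -sha256 -extfile srv_ext.cnf -out srv.crt 2>/dev/null

        # 3. The chain must validate before revocation.
        if openssl verify -CAfile ca.crt srv.crt >/dev/null 2>&1; then
            echo chain:ok
        else
            echo chain:fail
        fi

        # 4. Revoke, publish a CRL, and verify the CRL signature with the CA cert.
        openssl ca -config ca.cnf -batch -revoke srv.crt >/dev/null 2>&1
        openssl ca -config ca.cnf -batch -gencrl -out ca.crl >/dev/null 2>&1
        if openssl crl -in ca.crl -noout -CAfile ca.crt >/dev/null 2>&1; then
            echo crl:ok
        else
            echo crl:fail
        fi

        # 5. With -crl_check and the CRL in the trust file, the leaf is rejected.
        cat ca.crt ca.crl > ca_with_crl.pem
        if openssl verify -crl_check -CAfile ca_with_crl.pem srv.crt >/dev/null 2>&1; then
            echo revoked:still_valid
        else
            echo revoked:rejected
        fi
    )
    rm -rf "$ca_dir"
}
```

Run it with `run_ca_demo`; the three status lines are the whole point. A CRL is only useful to relying parties that actually load it: the last step passes without -crl_check, which is exactly the gap an operator has to close when distributing the CRL.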
			

208.1.7. pkcs12

-clcerts exports only the client certificate, not the CA certificates.

openssl pkcs12 -export -clcerts -in 324.cer -inkey ca.pem -out 324.p12 -name "Email SMIME"

Convert a PEM certificate and private key into a PKCS#12 file:

openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt

208.1.8. passwd

-1: MD5-based password algorithm

# openssl passwd -1 -salt 'random-phrase-here' 'your-password-here'
$1$random-p$AOw9RDIWQm6tfUo9Ediu/0

-crypt: the standard Unix crypt(3) password algorithm (the default)

# openssl passwd -crypt -salt 'sa' 'password'
sa3tHJ3/KuYvI
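The hash format above is the crypt(3) convention `$id$salt$hash`; checking a password means re-hashing the candidate with the salt taken from the stored value and comparing. As an added example (not the book's own code), the functions below do that for the `$1$`, `$5$` and `$6$` families and create new sha512crypt hashes; the `$1$` sample hash is the one shown above, the passwords are constructed. It assumes OpenSSL 1.1.1 or later (-5 and -6) and reads passwords on stdin via -stdin, so they do not appear in the process list as they do in the book's command lines. Note that -crypt is no longer available in OpenSSL 3.0.

```shell
#!/bin/sh
# Added example (not the book's own code): verify a candidate password against a
# stored crypt(3)-style hash by re-hashing with the salt embedded in the stored
# value. The $1$ sample hash is the one shown in the book; passwords are constructed.
# Requires OpenSSL 1.1.1 or later for -5/-6 (sha256crypt/sha512crypt).

# hash_password <password>: sha512crypt with a random salt; the password is read
# on stdin so it never appears on the command line (where ps would show it).
hash_password() {
    printf '%s\n' "$1" | openssl passwd -6 -stdin
}

# verify_password <stored hash> <candidate>: prints match or mismatch.
# Hashes that carry a "rounds=" field are not handled here.
verify_password() {
    stored=$1
    case $stored in
        '$1$'*) alg=-1 ;;     # MD5-crypt: legacy and fast to guess against; avoid for new hashes
        '$5$'*) alg=-5 ;;     # sha256crypt
        '$6$'*) alg=-6 ;;     # sha512crypt
        *) echo unsupported; return 1 ;;
    esac
    # Fields of "$id$salt$hash"; reusing the salt is what makes re-hashing reproducible.
    salt=$(printf '%s' "$stored" | cut -d'$' -f3)
    computed=$(printf '%s\n' "$2" | openssl passwd "$alg" -salt "$salt" -stdin)
    if [ "$computed" = "$stored" ]; then echo match; else echo mismatch; fi
}
```

`verify_password '$1$random-p$AOw9RDIWQm6tfUo9Ediu/0' 'your-password-here'` prints `match`; the salt `random-p` is the book's `random-phrase-here` truncated to the eight characters MD5-crypt allows.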
			

208.1.9. digest

How do I create an MD5 or SHA1 digest of a file?

Digests are created with the dgst subcommand.

208.1.9.1. list-message-digest-commands

List the available digests:

$ openssl list-message-digest-commands
md2
md4
md5
mdc2
rmd160
sha
sha1

208.1.9.2. md5

# MD5 digest
openssl dgst -md5 filename

Note

An MD5 message digest can equally be created with md5sum.

$ echo "Hello World!" > message.txt
$ openssl dgst -md5 message.txt
MD5(message.txt)= d9226d4bd8779baa69db272f89a2e05c

208.1.9.3. sha1

# SHA1 digest
openssl dgst -sha1 filename

$ openssl dgst -sha1 /etc/passwd
SHA1(/etc/passwd)= 9d883a9d35fd9a6dc81e6a1717a8e2ecfc49cdd8
				

208.1.10. enc

208.1.10.1. list-cipher-commands

The available cipher algorithms:

# or get a long list, one cipher per line
openssl list-cipher-commands

# openssl list-cipher-commands
aes-128-cbc
aes-128-ecb
aes-192-cbc
aes-192-ecb
aes-256-cbc
aes-256-ecb
base64
bf
bf-cbc
bf-cfb
bf-ecb
bf-ofb
cast
cast-cbc
cast5-cbc
cast5-cfb
cast5-ecb
cast5-ofb
des
des-cbc
des-cfb
des-ecb
des-ede
des-ede-cbc
des-ede-cfb
des-ede-ofb
des-ede3
des-ede3-cbc
des-ede3-cfb
des-ede3-ofb
des-ofb
des3
desx
idea
idea-cbc
idea-cfb
idea-ecb
idea-ofb
rc2
rc2-40-cbc
rc2-64-cbc
rc2-cbc
rc2-cfb
rc2-ecb
rc2-ofb
rc4
rc4-40
rc5
rc5-cbc
rc5-cfb
rc5-ecb
rc5-ofb
				

208.1.10.2. base64

Base64 encoding and decoding

Use the enc -base64 option:

# send encoded contents of file.txt to stdout
openssl enc -base64 -in file.txt

# same, but write contents to file.txt.enc
openssl enc -base64 -in file.txt -out file.txt.enc

On the command line:

C:\GnuWin32\neo>openssl enc -base64 -in file.txt
SGVsbG8gV29ybGQhDQo=

C:\GnuWin32\neo>openssl enc -base64 -in file.txt -out file.txt.enc

C:\GnuWin32\neo>type file.txt.enc
SGVsbG8gV29ybGQhDQo=

C:\GnuWin32\neo>

Through a pipe:

C:\GnuWin32\neo>echo "encode me" | openssl enc -base64
ImVuY29kZSBtZSIgDQo=

REM cmd.exe's echo has no -n option, so "-n " becomes part of the data (LW4g is "-n ")
C:\GnuWin32\neo>echo -n "encode me" | openssl enc -base64
LW4gImVuY29kZSBtZSIgDQo=

C:\GnuWin32\neo>

Use the -d (decode) option to reverse the operation:

C:\GnuWin32\neo>openssl enc -base64 -d -in file.txt.enc
Hello World!

C:\GnuWin32\neo>openssl enc -base64 -d -in file.txt.enc -out file.txt

Quick one-liners:

C:\GnuWin32\neo>type file.txt.enc | openssl enc -base64 -d
Hello World!

C:\GnuWin32\neo>type file.txt.enc
SGVsbG8gV29ybGQhDQo=

C:\GnuWin32\neo>echo SGVsbG8gV29ybGQhDQo= | openssl enc -base64 -d
Hello World!

208.1.10.3. des

Symmetric encryption and decryption

Encrypt:

# openssl enc -des -e -a -in file.txt -out file.txt.des
enter des-cbc encryption password:
Verifying - enter des-cbc encryption password:

Decrypt:

# openssl enc -des -d -a -in file.txt.des -out file.txt.tmp
enter des-cbc decryption password:

% echo abc | openssl des-cbc -k 123 -base64
U2FsdGVkX1+atYQyhz7I1ktb5XtYasGk

208.1.10.4. aes

Encrypt:

openssl enc -aes-128-cbc -in filename -out filename.out

Decrypt:

openssl enc -d -aes-128-cbc -in filename.out -out filename

echo abc | openssl aes-128-cbc -k 123 -base64
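The des and aes commands above take the password from -k or the prompt and turn it into a key with a single MD5 pass, which is fast for anyone guessing passwords, and -k on the command line is visible in the process list; DES is also far too weak for new data. As an added example (not the book's own code), the functions below use the same enc tool with AES-256-CBC, -salt and -pbkdf2 (OpenSSL 1.1.1 or later), read the passphrase from a file, and show how to recognise the "Salted__" header that produced the `U2FsdGVkX1` prefix in the book's output. File names are constructed. One caveat the tool cannot fix: openssl enc has no authenticated mode, so it cannot detect a modified ciphertext; add an HMAC over the ciphertext or use a tool with AEAD when that matters.

```shell
#!/bin/sh
# Added example (not the book's own code): the enc tool with AES-256-CBC, -salt,
# -pbkdf2 (OpenSSL 1.1.1+) and the passphrase read from a file instead of -k.
# openssl enc has no AEAD mode, so tampering with the ciphertext is not detected.
# File names are constructed.

ITER=200000   # PBKDF2 iterations: slows password guessing, negligible for one file

# encrypt_file <plaintext> <out.b64> <passphrase file>
encrypt_file() {
    openssl enc -aes-256-cbc -salt -pbkdf2 -iter "$ITER" -a \
        -pass "file:$3" -in "$1" -out "$2"
}

# decrypt_file <in.b64> <plaintext out> <passphrase file>; non-zero exit on failure
decrypt_file() {
    openssl enc -d -aes-256-cbc -pbkdf2 -iter "$ITER" -a \
        -pass "file:$3" -in "$1" -out "$2" 2>/dev/null
}

# header_of <in.b64>: first 8 bytes of the raw ciphertext. With -salt this is the
# literal "Salted__" (base64 "U2FsdGVkX1..." as in the book's des-cbc output),
# followed by the 8-byte salt; a file without it was encrypted without -salt.
header_of() {
    openssl enc -base64 -d -in "$1" | head -c 8
}
```

Keep the passphrase file at mode 0600; `-pass file:` reads its first line. A wrong passphrase normally fails the CBC padding check and makes decrypt_file exit non-zero, but padding can pass by chance, so a caller should compare the decrypted content against something known rather than trust the exit status alone.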
				
				

208.1.11. rsa

Generating a key pair

Generate the private key:

openssl genrsa -out private.key 1024

Derive the public key from the private key:

openssl rsa -in private.key -pubout > public.key

Encrypt plaintext with the public key:

$ openssl rsautl -encrypt -pubin -inkey public.key -in filename -out filename.out

Decrypt with the private key:

$ openssl rsautl -decrypt -inkey private.key -in filename.out -out filename
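Two things the rsautl lines above leave out: rsautl is deprecated since OpenSSL 3.0 (pkeyutl is its replacement and lets you choose OAEP padding instead of the PKCS#1 v1.5 default), and RSA encrypts at most one block, 245 bytes with a 2048-bit key under PKCS#1 v1.5, so anything larger is handled with a hybrid scheme: a random session key is RSA-encrypted and the data is AES-encrypted with it. As an added example (not the book's own code), the functions below implement that with pkeyutl and OAEP/SHA-256. File names are constructed, and 2048 bits is a constructed choice replacing the book's 1024, which is below any current minimum.

```shell
#!/bin/sh
# Added example (not the book's own code): pkeyutl (the replacement for the
# deprecated rsautl) with RSA-OAEP, plus a hybrid scheme for data larger than
# one RSA block. File names and the 2048-bit size are constructed choices.

# gen_keypair <private.key> <public.key>
gen_keypair() {
    openssl genrsa -out "$1" 2048 2>/dev/null
    chmod 600 "$1"                                  # private key: owner-only
    openssl rsa -in "$1" -pubout -out "$2" 2>/dev/null
}

# hybrid_encrypt <public.key> <plaintext> <out prefix>
# writes <prefix>.key.enc (RSA-OAEP wrapped session key) and <prefix>.data.enc
hybrid_encrypt() {
    session=$(mktemp)
    openssl rand -hex 32 > "$session"               # 256-bit random session key
    # 65 bytes fits easily in one OAEP block (190 bytes max with RSA-2048/SHA-256)
    openssl pkeyutl -encrypt -pubin -inkey "$1" -in "$session" -out "$3.key.enc" \
        -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256
    openssl enc -aes-256-cbc -salt -pbkdf2 -pass "file:$session" \
        -in "$2" -out "$3.data.enc"
    rm -f "$session"
}

# hybrid_decrypt <private.key> <in prefix> <plaintext out>
hybrid_decrypt() {
    session=$(mktemp)
    openssl pkeyutl -decrypt -inkey "$1" -in "$2.key.enc" -out "$session" \
        -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256
    openssl enc -d -aes-256-cbc -pbkdf2 -pass "file:$session" \
        -in "$2.data.enc" -out "$3"
    rm -f "$session"
}
```

The OAEP options must match on both sides; a recipient running the decrypt without `-pkeyopt rsa_oaep_md:sha256` gets a padding error, which is the expected failure mode rather than silently wrong output.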
			

208.1.12. dsa

Example 208.1. dsaparam & gendsa

# create parameters in dsaparam.pem
openssl dsaparam -out dsaparam.pem 1024

# create first key
openssl gendsa -out key1.pem dsaparam.pem

# and second ...
openssl gendsa -out key2.pem dsaparam.pem

Generate a private key:

openssl dsaparam -out dsaparam.pem 1024
openssl gendsa -out private.key dsaparam.pem

Derive the public key from the private key:

openssl dsa -in private.key -pubout -out public.key
$ ls
dsaparam.pem  private.key  public.key

$ cat *
-----BEGIN DSA PARAMETERS-----
MIIBHgKBgQCAkvuZmbK7zgTv3WnYayypdghcNKA+jP7/fdwy82JfqkJeF38FOOu8
4cbrQjzs6XdANeZk3c6BVQfqNfFnUomKARm0gdqeelsmyHMV+0jy7fuX1HHIUZyJ
Rqravmh+o9iYX1aA3jsP5sDoosEEEYKQBAUEi6vwzCnjCra3TBuvmQIVAPYqwKI3
v6nkKAfn+lqPvmHqVDv5AoGAb7vilZ7EtuYpJbpURZtTPOtLpMmpfwXq+g7cKQ7Z
mC+TCwzVUkBv8s/gxwr7r92bCmGTGJGuBVGqI0yEbrkMRGieJwOrS885NNg+AiTW
DB0Xo2klaTg5rFydGxPvWI72cpyds69Ptm4z9Th0xrtDUNIYPdDIR+rVUao5XBS9
U4w=
-----END DSA PARAMETERS-----
-----BEGIN DSA PRIVATE KEY-----
MIIBugIBAAKBgQCAkvuZmbK7zgTv3WnYayypdghcNKA+jP7/fdwy82JfqkJeF38F
OOu84cbrQjzs6XdANeZk3c6BVQfqNfFnUomKARm0gdqeelsmyHMV+0jy7fuX1HHI
UZyJRqravmh+o9iYX1aA3jsP5sDoosEEEYKQBAUEi6vwzCnjCra3TBuvmQIVAPYq
wKI3v6nkKAfn+lqPvmHqVDv5AoGAb7vilZ7EtuYpJbpURZtTPOtLpMmpfwXq+g7c
KQ7ZmC+TCwzVUkBv8s/gxwr7r92bCmGTGJGuBVGqI0yEbrkMRGieJwOrS885NNg+
AiTWDB0Xo2klaTg5rFydGxPvWI72cpyds69Ptm4z9Th0xrtDUNIYPdDIR+rVUao5
XBS9U4wCgYBISbp4/z5JY2OqXVttS6G4GQT0PMAiJZi9pty4H0rKoSmbrgjev/wp
7BW8NqaJnlSjNCzF4SH+DXxZeuktJPNftHYi8BPIrHxR6CG1h7VPDr/IwSoff0Kx
Lhc6vqxcCRpcQoqbhXGG5RxMsczD4nRmdmhXbelPRu10T4qxEiVG7gIUc1KsK+hA
+EzXl80Eyj2Si7UH/wI=
-----END DSA PRIVATE KEY-----
-----BEGIN PUBLIC KEY-----
(public key body omitted)
-----END PUBLIC KEY-----

208.1.13. rc4

Encrypt a file:

# openssl enc -e -rc4 -in in.txt -out out.txt
enter rc4 encryption password:
Verifying - enter rc4 encryption password:

Decrypt a file:

# openssl enc -d -rc4 -in out.txt -out test.txt
enter rc4 decryption password:

Specify the password with -k:

openssl enc -e -rc4 -k passwd -in in.txt -out out.txt
openssl enc -d -rc4 -k passwd -in out.txt -out test.txt

208.1.14. -config: specify the configuration file

# openssl req -new -newkey rsa:2048 -config openssl.cfg -keyout server.key -nodes -out certreq.csr

208.1.15. -subj: specify the subject

# openssl req -new -newkey rsa:2048 -keyout server.key -nodes -subj /C=CN/O=example.com/OU=IT/CN=Neo/ST=GD/L=Shenzhen -out certreq.csr

C:\> openssl req -new -newkey rsa:2048 -config openssl.cfg -keyout server.key -nodes -subj /C=CN/O="%OrganizationName%"/OU="%OrganizationUnit%"/CN="%CommonName%"/ST="%StateName%"/L="%LocalityName%" -out certreq.csr

openssl req -x509 -nodes -days 365 -newkey rsa:4096 -keyout /etc/nginx/ssl/www.netkiller.cn.key -out /etc/nginx/ssl/www.netkiller.cn.crt -subj "/C=CN/ST=Guangdong/L=Shenzhen/O=Global Security/OU=IT Department/CN=www.netkiller.cn/emailAddress=netkiller@msn.com"

# Wildcard certificate: the name must be "*.netkiller.cn" (wildcard as the whole leftmost label)
openssl req -x509 -nodes -days 365 -newkey rsa:4096 -keyout /etc/nginx/ssl/www.netkiller.cn.key -out /etc/nginx/ssl/www.netkiller.cn.crt -subj "/C=CN/ST=Guangdong/L=Shenzhen/O=Global Security/OU=IT Department/CN=*.netkiller.cn/emailAddress=netkiller@msn.com"

208.1.16. rand

Generate random bytes:

openssl rand -base64 12

# openssl rand -base64 24
rgphwqZFFA2tY1QfuBrmw3aN62i6ctFy

208.1.17. Removing the passphrase from a private key

$ openssl rsa -in neo.key -out nopassword.key
Enter pass phrase for neo.key:
writing RSA key
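The interactive command above is what you type once; a deployment script needs the non-interactive form with -passin, and it should prove that the unprotected file really is the same key and that it was created owner-only, because a key without a passphrase is protected by file permissions alone. As an added example (not the book's own code), the functions below create a passphrase-protected key, strip the passphrase, and compare the modulus of both files. The passphrase is a constructed sample passed as `pass:...`; for real keys use `-passin file:<path>` on a 0600 file so it stays out of the process list.

```shell
#!/bin/sh
# Added example (not the book's own code): create a passphrase-protected key,
# remove the passphrase non-interactively with -passin, and check that both files
# hold the same key (same modulus) and that the unprotected copy is owner-only.
# The passphrase is a constructed sample; real scripts should use -passin file:.

# make_encrypted_key <file> <passphrase>
make_encrypted_key() {
    openssl genrsa -aes256 -passout "pass:$2" -out "$1" 2048 2>/dev/null
    chmod 600 "$1"
}

# strip_passphrase <encrypted.key> <nopassword.key> <passphrase>
# umask runs in a subshell so the unprotected key is created with mode 0600
# without changing the caller's umask.
strip_passphrase() {
    ( umask 077; openssl rsa -in "$1" -passin "pass:$3" -out "$2" 2>/dev/null )
}

# is_encrypted <key file>: yes/no from the PEM header
# (Proc-Type: 4,ENCRYPTED in the legacy format, BEGIN ENCRYPTED PRIVATE KEY in PKCS#8)
is_encrypted() {
    if grep -q ENCRYPTED "$1"; then echo yes; else echo no; fi
}

# modulus_of <key file> [passphrase]: identical modulus means identical key,
# whatever the encoding or protection of the file
modulus_of() {
    openssl rsa -in "$1" -passin "pass:${2:-unused}" -noout -modulus 2>/dev/null
}

# mode_of <file>: permission string as shown by ls, e.g. -rw-------
mode_of() {
    ls -l "$1" | cut -c1-10
}
```

`make_encrypted_key neo.key 'passphrase'` followed by `strip_passphrase neo.key nopassword.key 'passphrase'` reproduces the book's step; `modulus_of neo.key passphrase` and `modulus_of nopassword.key` must print the same value, and `mode_of nopassword.key` must be `-rw-------` before the file goes anywhere near a web server.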