中文字幕av专区_日韩电影在线播放_精品国产精品久久一区免费式_av在线免费观看网站

溫馨提示×

溫馨提示×

您好,登錄后才能下訂單哦!

密碼登錄×
登錄注冊×
其他方式登錄
點擊 登錄注冊 即表示同意《億速云用戶服務條款》

openssl命令

發布時間:2020-07-10 10:01:03 來源:網絡 閱讀:202 作者:huyuwj 欄目:系統運維

openssl
組件:
libcrypto, libssl主要開發者使用;
openssl: 多用途命令行工具;

        openssl:
                    從多子命令   分為三類:
                                標準命令:
                                消息摘要命令(dgst子命令)
                                加密命令(enc子命令)

                對稱加密:
                        工具:openssl enc
                        支持的算法:3des,aes,blowfish,towfish

                    加密命令                    
                                 enc命令:

                                 實例:
                                                加密~]# openssl enc -e -des3 -a -salt -in fstab -out fstab.ciphertext      
                                                解密~]# openssl enc -d -des3 -a -salt -out fstab -in fstab.ciphertext

                 單向加密:
                             工具:openssl dgst,  md5sum, sha1sum, sha224sum,....

                             dgst命令:
                                         ~]# openssl dgst -md5 fstab
                                                MD5(fstab)= f24b68951add3236d19dff63f0c92206

                生成用戶密碼:
                            工具: passwd, openssl passwd

                            ~]#openssl passwd -1 -salt   隨機數(123456789)

                            實例:
                                [root@localhost ~]# openssl passwd -1 -salt $(openssl rand -hex 10)
                                                            Password: 
                                                            $1$9727a8fa$Ir21xFr8gVZJFK1trPohf.

                生成隨機數:
                            工具:openssl rand

                        實例:
                                    [root@localhost ~]# openssl rand -hex 10
                                    8a7f0ab5316d5c0f2aba

                                    [root@localhost ~]# openssl rand -base64 10
                                    G8mVfr06RCHmhQ==

                公鑰加密:
                                加密解密:
                                        算法:RSA, ELGamal
                                        工具:openssl rsautl, gpg
                                數字簽名:
                                        算法:RSA, DSA,ELGamal
                                密鑰交換:
                                            算法:DH
                    生成密鑰:
                                生成私鑰: ~]# (umask 077; openssl genrsa -out /tmp/mykey.private 2048)
                                提出公鑰:~]# openssl rsa -in /tmp/mykey.private  -pubout

            linux系統上的隨機數生成器:
                            /dev/random:僅從熵池返回隨機數;隨機數用盡,阻塞;
                            /dev/urandom:從熵池返回隨機數;隨機數用盡,會利用軟件生成偽隨機數,非阻塞;
                                    偽隨機數不安全;

                                熵池中隨機數的來源;
                                                硬盤IO中斷時間間隔;
                                                鍵盤IO中斷時間間隔;


                CA:
                        公共信任的CA,私用CA;

        openssl 命令:
                配置文件:~]# cat /etc/pki/tls/openssl.cnf 



`**構建私有CA:`
        在確定配置為CA的服務上生成一個自簽證書,并為CA提供所需要的目錄及文件即可;

        步驟:
                1.生成私鑰:
                        ~]# (umask 077; openssl genrsa -out /etc/pki/CA/private/cakey.pem 4096)
                2.生成自簽證書:
                         -new:生成新證書簽署請求;
                         -x509:生成自簽格式證書,專用于創建私有CA時;
                         -key:生成請求時用到的私有文件路徑;
                         -out:生成的請求文件路徑;如果自簽操作將直接生成簽署過的證書;
                         -days:證書的有效時長,單位是day;

                         ~]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem -days 3655

                                    You are about to be asked to enter information that will be incorporated
                                    into your certificate request.
                                    What you are about to enter is what is called a Distinguished Name or a DN.
                                    There are quite a few fields but you can leave some blank
                                    For some fields there will be a default value,
                                    If you enter '.', the field will be left blank.
                                    -----
                                    Country Name (2 letter code) [XX]:CN
                                    State or Province Name (full name) []:guangdong
                                    Locality Name (eg, city) [Default City]:shenzhen
                                    Organization Name (eg, company) [Default Company Ltd]:itxuezhe
                                    Organizational Unit Name (eg, section) []:ops
                                    Common Name (eg, your name or your server's hostname) []:ca.itxuezhe.com
                                    Email Address []:caadmin@itxuezhe.com

                                    [root@localhost ~]# ls /etc/pki/CA/
                                    caert.pem  certs  crl  newcerts  private

                    3.為CA提供所需的目錄及文件;
                            ~]# mkdir -pv /etc/pki/CA/{certs,crl,newcerts}
                            ~]# touch /etc/pki/CA/{serial,index.txt}
                            ~]# echo 01 > /etc/pki/CA/serial **

要用到證書進行通信的服務器,需要向CA請求簽署證書:

                步驟:(以httpd主機為例)
                        1.用到證書的主機生成證書簽署請求;
                                        ~]# mkdir /etc/httpd/ssl
                                        ~]# cd /etc/httpd/ssl 
                                ssl]# (umask 077; openssl genrsa -out httpd.key 2048)

                        3.2.生成證書簽署請求
                            [root@localhost ssl]# openssl req -new -key httpd.key -out httpd.csr -days 365
                                You are about to be asked to enter information that will be incorporated
                                into your certificate request.
                                What you are about to enter is what is called a Distinguished Name or a DN.
                                There are quite a few fields but you can leave some blank
                                For some fields there will be a default value,
                                If you enter '.', the field will be left blank.
                                -----
                                Country Name (2 letter code) [XX]:CN
                                State or Province Name (full name) []:guangdong
                                Locality Name (eg, city) [Default City]:shenzhen
                                Organization Name (eg, company) [Default Company Ltd]:itxuezhe 
                                Organizational Unit Name (eg, section) []:ops
                                Common Name (eg, your name or your server's hostname) []:www.itxuezhe.com
                                Email Address []:web@itxuezhe.com

                                Please enter the following 'extra' attributes
                                to be sent with your certificate request
                                A challenge password []:
                                An optional company name []:

                                [root@localhost ssl]# ll
                                總用量 8
                                -rw-r--r--. 1 root root 1078 12月 10 11:24 httpd.csr
                                -rw-------. 1 root root 1679 12月 10 11:20 httpd.key

                        3.將請求通過可靠方式發送給CA主機;
                                        ssl]# scp httpd.csr root@192.168.80.16:/tmp/
                                                root@192.168.80.16's password: 
                                                httpd.csr              

                        4.在CA主機上簽署證書;
                            [root@localhost ~]# openssl ca -in /tmp/httpd.csr -out /etc/pki/CA/certs/httpd.crt -days 365
                                        Using configuration from /etc/pki/tls/openssl.cnf
                                        Check that the request matches the signature
                                        Signature ok
                                        Certificate Details:
                                                        Serial Number: 1 (0x1)
                                                        Validity
                                                                Not Before: Dec 10 03:29:20 2019 GMT
                                                                Not After : Dec  9 03:29:20 2020 GMT
                                                        Subject:
                                                                countryName               = CN
                                                                stateOrProvinceName       = guangdong
                                                                organizationName          = itxuezhe
                                                                organizationalUnitName    = ops
                                                                commonName                = www.itxuezhe.com
                                                                emailAddress              = web@itxuezhe.com
                                                        X509v3 extensions:
                                                                X509v3 Basic Constraints: 
                                                                        CA:FALSE
                                                                Netscape Comment: 
                                                                        OpenSSL Generated Certificate
                                                                X509v3 Subject Key Identifier: 
                                                                        D9:B4:2D:FB:4C:5B:EC:8D:5E:90:9F:1B:C6:61:65:0C:FB:94:59:8C
                                                                X509v3 Authority Key Identifier: 
                                                                        keyid:44:C1:C1:A7:B5:5F:15:15:06:8B:3B:7C:15:CB:5E:B4:A6:19:FD:5E

                                        Certificate is to be certified until Dec  9 03:29:20 2020 GMT (365 days)
                                        Sign the certificate? [y/n]:y

                                        1 out of 1 certificate requests certified, commit? [y/n]y
                                        Write out database with 1 new entries
                                        Data Base Updated
                        證書簽署成功
                                ~]# cd /etc/pki/CA/
                                CA]# cat index.txt
                                V   201209032920Z       01  unknown/C=CN/ST=guangdong/O=itxuezhe/OU=www.itxuezhe.com/CN=www.itxuezhe.com/emailAddress=web@itxuezhe.com

        將簽署成功的證書發送給申請證書的主機                          
                             CA]# scp certs/httpd.crt root@192.168.80.17:/etc/httpd/ssl/
                                        The authenticity of host '192.168.80.17 (192.168.80.17)' can't be established.
                                        ECDSA key fingerprint is SHA256:iyMPO9k4t5oUNnOcDCOkJTLBLOSBKKPRuR9AugKmftM.
                                        ECDSA key fingerprint is MD5:73:2e:7e:37:b4:48:b9:45:3e:96:f1:ec:6a:9a:59:fd.
                                        Are you sure you want to continue connecting (yes/no)? yes
                                        Warning: Permanently added '192.168.80.17' (ECDSA) to the list of known hosts.
                                        root@192.168.80.17's password: 
                                        httpd.crt            

    查看證書中的信息:
                    [root@localhost ssl]# openssl x509 -in httpd.crt -noout -serial -subject
                                                        serial=01
                                                        subject= /C=CN/ST=guangdong/O=itxuezhe/OU=www.itxuezhe.com/CN=www.itxuezhe.com/emailAddress=web@itxuezhe.com

            吊銷證書:
                        步驟:
                                1.客戶端獲取要吊銷的證書的serial (在使用證書的主機執行);
                                        [root@localhost ssl]# openssl x509 -in /etc/pki/CA/certs/httpd.crt -noout -seral -subject

                                2.CA主機吊銷證書
                                        先根據客戶端提交的serial和subject信息,對比其與本機數據庫index.txt中存儲的是否一致;

                                        吊銷:
                                                    [root@localhost CA]# openssl ca -revoke /etc/pki/CA/newcerts/SERIAL.pem 
                                                    [root@localhost CA]# openssl ca -revoke /etc/pki/CA/newcerts/01.pem             
                                                                    其中的SERIAL要換成證書真正的序列號;

                                    3.生成吊銷證書的吊銷編號(第一次吊銷證書時執行)
                                                         CA]# echo 01 > /etc/pki/CA/crlnumber

                                    4.更新證書吊銷列表
                                                 CA]# openssl ca -gencrl -out thisca.crl

                查看crl文件:
                            ]# openssl crl -in /PATH/FROM/CRL_FILE.crl -noout -text
向AI問一下細節

免責聲明:本站發布的內容(圖片、視頻和文字)以原創、轉載和分享為主,文章觀點不代表本網站立場,如果涉及侵權請聯系站長郵箱:is@yisu.com進行舉報,并提供相關證據,一經查實,將立刻刪除涉嫌侵權內容。

AI

屏边| 栾川县| 新河县| 海南省| 泗水县| 喜德县| 新巴尔虎右旗| 开远市| 北辰区| 霍邱县| 偃师市| 湖北省| 西林县| 宝丰县| 张家港市| 大名县| 凉城县| 盐源县| 闸北区| 仁布县| 安溪县| 攀枝花市| 桓台县| 西宁市| 大田县| 梧州市| 琼中| 高淳县| 峨眉山市| 特克斯县| 新绛县| 兴山县| 云安县| 威信县| 元朗区| 本溪| 沿河| 青海省| 夹江县| 方城县| 江阴市|