Linux操作系统安全-OpenSSL工具常用命令介绍
作者:尹正杰
版权声明:原创作品,谢绝转载!否则将追究法律责任。
一.OpenSSL开源项目有三个组件
openssl:
多用途的命令行工具,包openssl
libcrypto:
加密算法库,包openssl-libs
libssl:
加密模块应用库,实现了ssl及tls,包nss
[root@node101.yinzhengjie.org.cn ~]# yum search openssl
Loaded plugins: fastestmirror
Repodata is over 2 weeks old. Install yum-cron? Or run: yum makecache fast
Determining fastest mirrors
* base: mirrors.huaweicloud.com
* extras: mirrors.tuna.tsinghua.edu.cn
* updates: mirrors.huaweicloud.com
=========================================================================== N/S matched: openssl ===========================================================================
apr-util-openssl.x86_64 : APR utility library OpenSSL crytpo support
openssl-devel.i686 : Files for development of applications which will use OpenSSL
openssl-devel.x86_64 : Files for development of applications which will use OpenSSL
openssl-perl.x86_64 : Perl scripts provided with OpenSSL
openssl-static.i686 : Libraries for static linking of applications which will use OpenSSL
openssl-static.x86_64 : Libraries for static linking of applications which will use OpenSSL
perl-Crypt-OpenSSL-Bignum.x86_64 : Perl interface to OpenSSL for Bignum
perl-Crypt-OpenSSL-RSA.x86_64 : Perl interface to OpenSSL for RSA
perl-Crypt-OpenSSL-Random.x86_64 : Perl interface to OpenSSL for Random
pyOpenSSL.x86_64 : Python wrapper module around the OpenSSL library
pyOpenSSL-doc.noarch : Documentation for pyOpenSSL
xmlsec1-openssl.i686 : OpenSSL crypto plugin for XML Security Library
xmlsec1-openssl.x86_64 : OpenSSL crypto plugin for XML Security Library
xmlsec1-openssl-devel.i686 : OpenSSL crypto plugin for XML Security Library
xmlsec1-openssl-devel.x86_64 : OpenSSL crypto plugin for XML Security Library
m2crypto.x86_64 : Support for using OpenSSL in python scripts
nss_compat_ossl.i686 : Source-level compatibility library for OpenSSL to NSS porting
nss_compat_ossl.x86_64 : Source-level compatibility library for OpenSSL to NSS porting
openssl.x86_64 : Utilities from the general purpose cryptography library with TLS implementation
openssl-libs.i686 : A general purpose cryptography library with TLS implementation
openssl-libs.x86_64 : A general purpose cryptography library with TLS implementation
openssl098e.i686 : A compatibility version of a general cryptography and TLS library
openssl098e.x86_64 : A compatibility version of a general cryptography and TLS library
perl-Crypt-SSLeay.x86_64 : Crypt::SSLeay - OpenSSL glue that provides LWP https support
perl-Net-SSLeay.x86_64 : Perl extension for using OpenSSL
qca-ossl.i686 : OpenSSL plugin for the Qt Cryptographic Architecture v2
qca-ossl.x86_64 : OpenSSL plugin for the Qt Cryptographic Architecture v2 Name and summary matches only, use "search all" for everything.
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# yum search openssl
[root@node101.yinzhengjie.org.cn ~]# yum info openssl-libs
Loaded plugins: fastestmirror
Repodata is over 2 weeks old. Install yum-cron? Or run: yum makecache fast
Loading mirror speeds from cached hostfile
* base: mirrors.huaweicloud.com
* extras: mirrors.tuna.tsinghua.edu.cn
* updates: mirrors.huaweicloud.com
Installed Packages
Name : openssl-libs
Arch : x86_64
Epoch : 1
Version : 1.0.2k
Release : 16.el7
Size : 3.1 M
Repo : installed
From repo : anaconda
Summary : A general purpose cryptography library with TLS implementation
URL : http://www.openssl.org/
License : OpenSSL
Description : OpenSSL is a toolkit for supporting cryptography. The openssl-libs
: package contains the libraries that are used by various applications which
: support cryptographic algorithms and protocols. Available Packages
Name : openssl-libs
Arch : i686
Epoch : 1
Version : 1.0.2k
Release : 16.el7_6.1
Size : 994 k
Repo : updates/7/x86_64
Summary : A general purpose cryptography library with TLS implementation
URL : http://www.openssl.org/
License : OpenSSL
Description : OpenSSL is a toolkit for supporting cryptography. The openssl-libs
: package contains the libraries that are used by various applications which
: support cryptographic algorithms and protocols. Name : openssl-libs
Arch : x86_64
Epoch : 1
Version : 1.0.2k
Release : 16.el7_6.1
Size : 1.2 M
Repo : updates/7/x86_64
Summary : A general purpose cryptography library with TLS implementation
URL : http://www.openssl.org/
License : OpenSSL
Description : OpenSSL is a toolkit for supporting cryptography. The openssl-libs
: package contains the libraries that are used by various applications which
: support cryptographic algorithms and protocols. [root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# yum info openssl-libs
二.openssl命令
1>.查看openssl软件包及默认版本号
[root@node101.yinzhengjie.org.cn ~]# which openssl
/usr/bin/openssl
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# rpm -qf /usr/bin/openssl
openssl-1.0.2k-16.el7.x86_64
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# openssl version #程序版本号
OpenSSL 1.0.2k-fips 26 Jan 2017
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# openssl
OpenSSL> ?
openssl:Error: '?' is an invalid command. Standard commands
asn1parse ca ciphers cms
crl crl2pkcs7 dgst dh
dhparam dsa dsaparam ec
ecparam enc engine errstr
gendh gendsa genpkey genrsa
nseq ocsp passwd pkcs12
pkcs7 pkcs8 pkey pkeyparam
pkeyutl prime rand req
rsa rsautl s_client s_server
s_time sess_id smime speed
spkac ts verify version
x509 Message Digest commands (see the `dgst' command for more details)
md2 md4 md5 rmd160
sha sha1 Cipher commands (see the `enc' command for more details)
aes-128-cbc aes-128-ecb aes-192-cbc aes-192-ecb
aes-256-cbc aes-256-ecb base64 bf
bf-cbc bf-cfb bf-ecb bf-ofb
camellia-128-cbc camellia-128-ecb camellia-192-cbc camellia-192-ecb
camellia-256-cbc camellia-256-ecb cast cast-cbc
cast5-cbc cast5-cfb cast5-ecb cast5-ofb
des des-cbc des-cfb des-ecb
des-ede des-ede-cbc des-ede-cfb des-ede-ofb
des-ede3 des-ede3-cbc des-ede3-cfb des-ede3-ofb
des-ofb des3 desx idea
idea-cbc idea-cfb idea-ecb idea-ofb
rc2 rc2-40-cbc rc2-64-cbc rc2-cbc
rc2-cfb rc2-ecb rc2-ofb rc4
rc4-40 rc5 rc5-cbc rc5-cfb
rc5-ecb rc5-ofb seed seed-cbc
seed-cfb seed-ecb seed-ofb zlib OpenSSL> quit
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# openssl #可以支持命令行交互式
2>.enc命令
对称加密:
工具:
openssl enc, gpg
算法:
3des, aes, blowfish, twofish
[root@node101.yinzhengjie.org.cn ~]# man enc
ENC(1) OpenSSL ENC(1) NAME
enc - symmetric cipher routines SYNOPSIS
openssl enc -ciphername [-in filename] [-out filename] [-pass arg] [-e] [-d] [-a/-base64] [-A] [-k password] [-kfile filename] [-K key] [-iv IV] [-S salt]
[-salt] [-nosalt] [-z] [-md] [-p] [-P] [-bufsize number] [-nopad] [-debug] [-none] [-engine id] DESCRIPTION
The symmetric cipher commands allow data to be encrypted or decrypted using various block and stream ciphers using keys based on passwords or explicitly
provided. Base64 encoding or decoding can also be performed either by itself or in addition to the encryption or decryption. OPTIONS
-in filename
the input filename, standard input by default. -out filename
the output filename, standard output by default. -pass arg
the password source. For more information about the format of arg see the PASS PHRASE ARGUMENTS section in openssl(1). -salt
use a salt in the key derivation routines. This is the default. -nosalt
don't use a salt in the key derivation routines. This option SHOULD NOT be used except for test purposes or compatibility with ancient versions of OpenSSL
and SSLeay. -e encrypt the input data: this is the default. -d decrypt the input data.
-a base64 process the data. This means that if encryption is taking place the data is base64 encoded after encryption. If decryption is set then the input data
is base64 decoded before being decrypted. -base64
same as -a -A if the -a option is set then base64 process the data on one line. -k password
the password to derive the key from. This is for compatibility with previous versions of OpenSSL. Superseded by the -pass argument. -kfile filename
read the password to derive the key from the first line of filename. This is for compatibility with previous versions of OpenSSL. Superseded by the -pass
argument. -nosalt
do not use a salt -salt
use salt (randomly generated or provide with -S option) when encrypting (this is the default). -S salt
the actual salt to use: this must be represented as a string of hex digits. -K key
the actual key to use: this must be represented as a string comprised only of hex digits. If only the key is specified, the IV must additionally specified
using the -iv option. When both a key and a password are specified, the key given with the -K option will be used and the IV generated from the password
will be taken. It probably does not make much sense to specify both key and password. -iv IV
the actual IV to use: this must be represented as a string comprised only of hex digits. When only the key is specified using the -K option, the IV must
explicitly be defined. When a password is being specified using one of the other options, the IV is generated from this password. -p print out the key and IV used. -P print out the key and IV used then immediately exit: don't do any encryption or decryption. -bufsize number
set the buffer size for I/O -nopad
disable standard block padding -debug
debug the BIOs used for I/O. -z Compress or decompress clear text using zlib before encryption or after decryption. This option exists only if OpenSSL with compiled with zlib or zlib-
dynamic option. -none
Use NULL cipher (no encryption or decryption of input). NOTES
The program can be called either as openssl ciphername or openssl enc -ciphername. But the first form doesn't work with engine-provided ciphers, because this
form is processed before the configuration file is read and any ENGINEs loaded. Engines which provide entirely new encryption algorithms (such as ccgost engine which provides gost89 algorithm) should be configured in the configuration file.
Engines, specified in the command line using -engine options can only be used for hadrware-assisted implementations of ciphers, which are supported by OpenSSL
core or other engine, specified in the configuration file. When enc command lists supported ciphers, ciphers provided by engines, specified in the configuration files are listed too. A password will be prompted for to derive the key and IV if necessary. The -salt option should ALWAYS be used if the key is being derived from a password unless you want compatibility with previous versions of OpenSSL and SSLeay. Without the -salt option it is possible to perform efficient dictionary attacks on the password and to attack stream cipher encrypted data. The reason for this
is that without the salt the same password always generates the same encryption key. When the salt is being used the first eight bytes of the encrypted data are
reserved for the salt: it is generated at random when encrypting a file and read from the encrypted file when it is decrypted. Some of the ciphers do not have large keys and others have security implications if not used correctly. A beginner is advised to just use a strong block cipher
in CBC mode such as bf or des3. All the block ciphers normally use PKCS#5 padding also known as standard block padding: this allows a rudimentary integrity or password check to be performed.
However since the chance of random data passing the test is better than 1 in 256 it isn't a very good test. If padding is disabled then the input data must be a multiple of the cipher block length. All RC2 ciphers have the same key and effective key length. Blowfish and RC5 algorithms use a 128 bit key. SUPPORTED CIPHERS
Note that some of these ciphers can be disabled at compile time and some are available only if an appropriate engine is configured in the configuration file.
The output of the enc command run with unsupported options (for example openssl enc -help) includes a list of ciphers, supported by your versesion of OpenSSL,
including ones provided by configured engines. The enc program does not support authenticated encryption modes like CCM and GCM. The utility does not store or retrieve the authentication tag. base64 Base 64 bf-cbc Blowfish in CBC mode
bf Alias for bf-cbc
bf-cfb Blowfish in CFB mode
bf-ecb Blowfish in ECB mode
bf-ofb Blowfish in OFB mode cast-cbc CAST in CBC mode
cast Alias for cast-cbc
cast5-cbc CAST5 in CBC mode
cast5-cfb CAST5 in CFB mode
cast5-ecb CAST5 in ECB mode
cast5-ofb CAST5 in OFB mode des-cbc DES in CBC mode
des Alias for des-cbc
des-cfb DES in CBC mode
des-ofb DES in OFB mode
des-ecb DES in ECB mode des-ede-cbc Two key triple DES EDE in CBC mode
des-ede Two key triple DES EDE in ECB mode
des-ede-cfb Two key triple DES EDE in CFB mode
des-ede-ofb Two key triple DES EDE in OFB mode des-ede3-cbc Three key triple DES EDE in CBC mode
des-ede3 Three key triple DES EDE in ECB mode
des3 Alias for des-ede3-cbc
des-ede3-cfb Three key triple DES EDE CFB mode
des-ede3-ofb Three key triple DES EDE in OFB mode desx DESX algorithm. gost89 GOST 28147-89 in CFB mode (provided by ccgost engine)
gost89-cnt `GOST 28147-89 in CNT mode (provided by ccgost engine) idea-cbc IDEA algorithm in CBC mode
idea same as idea-cbc
idea-cfb IDEA in CFB mode
idea-ecb IDEA in ECB mode
idea-ofb IDEA in OFB mode rc2-cbc 128 bit RC2 in CBC mode
rc2 Alias for rc2-cbc
rc2-cfb 128 bit RC2 in CFB mode
rc2-ecb 128 bit RC2 in ECB mode
rc2-ofb 128 bit RC2 in OFB mode
rc2-64-cbc 64 bit RC2 in CBC mode
rc2-40-cbc 40 bit RC2 in CBC mode rc4 128 bit RC4
rc4-64 64 bit RC4
rc4-40 40 bit RC4 rc5-cbc RC5 cipher in CBC mode
rc5 Alias for rc5-cbc
rc5-cfb RC5 cipher in CFB mode
rc5-ecb RC5 cipher in ECB mode
rc5-ofb RC5 cipher in OFB mode aes-[128|192|256]-cbc 128/192/256 bit AES in CBC mode
aes-[128|192|256] Alias for aes-[128|192|256]-cbc
aes-[128|192|256]-cfb 128/192/256 bit AES in 128 bit CFB mode
aes-[128|192|256]-cfb1 128/192/256 bit AES in 1 bit CFB mode
aes-[128|192|256]-cfb8 128/192/256 bit AES in 8 bit CFB mode
aes-[128|192|256]-ecb 128/192/256 bit AES in ECB mode
aes-[128|192|256]-ofb 128/192/256 bit AES in OFB mode EXAMPLES
Just base64 encode a binary file: openssl base64 -in file.bin -out file.b64 Decode the same file openssl base64 -d -in file.b64 -out file.bin Encrypt a file using triple DES in CBC mode using a prompted password: openssl des3 -salt -in file.txt -out file.des3 Decrypt a file using a supplied password: openssl des3 -d -salt -in file.des3 -out file.txt -k mypassword Encrypt a file then base64 encode it (so it can be sent via mail for example) using Blowfish in CBC mode: openssl bf -a -salt -in file.txt -out file.bf Base64 decode a file then decrypt it: openssl bf -d -salt -a -in file.bf -out file.txt Decrypt some data using a supplied 40 bit RC4 key: openssl rc4-40 -in file.rc4 -out file.txt -K 0102030405 BUGS
The -A option when used with large files doesn't work properly. There should be an option to allow an iteration count to be included. The enc program only supports a fixed number of algorithms with certain parameters. So if, for example, you want to use RC2 with a 76 bit key or RC4 with an 84
bit key you can't use this program. 1.0.2k 2017-01-26 ENC(1)
[root@node101.yinzhengjie.org.cn ~]# man enc #查看帮助信息
[root@node101.yinzhengjie.org.cn ~]# cp /etc/sysctl.conf ./
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# ll
total 4
-rw-r--r-- 1 root root 735 Dec 21 09:48 sysctl.conf
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# openssl enc -e -des3 -in sysctl.conf -out my_sysctl.conf #指定des3对称加密算法进行加密
enter des-ede3-cbc encryption password:
Verifying - enter des-ede3-cbc encryption password:
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# ll
total 8
-rw-r--r-- 1 root root 752 Dec 21 09:50 my_sysctl.conf
-rw-r--r-- 1 root root 735 Dec 21 09:48 sysctl.conf
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# openssl enc -d -des3 -in my_sysctl.conf -out my_sysctl.conf.bak #指定des3对称加密算法进行解密
enter des-ede3-cbc decryption password:
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# ll
total 12
-rw-r--r-- 1 root root 752 Dec 21 09:50 my_sysctl.conf
-rw-r--r-- 1 root root 735 Dec 21 09:50 my_sysctl.conf.bak
-rw-r--r-- 1 root root 735 Dec 21 09:48 sysctl.conf
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# file my_sysctl.conf #该文件已经被加密了,我们直接查看了,需要进行解密后才能查看
my_sysctl.conf: data
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# file my_sysctl.conf.bak
my_sysctl.conf.bak: ASCII text
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# file sysctl.conf
sysctl.conf: ASCII text
[root@node101.yinzhengjie.org.cn ~]#
3>.dgst命令
单向加密:
工具:
md5sum, sha1sum, sha224sum,sha256sum,openssl dgst,... MAC:
Message Authentication Code,单向加密的一种延伸应用,用于实现网络通信中保证所传输数据的完整性机制
CBC-MAC
HMAC:使用md5或sha1算法
[root@node101.yinzhengjie.org.cn ~]# man dgst
DGST(1) OpenSSL DGST(1) NAME
dgst, sha, sha1, mdc2, ripemd160, sha224, sha256, sha384, sha512, md2, md4, md5, dss1 - message digests SYNOPSIS
openssl dgst [-sha|-sha1|-mdc2|-ripemd160|-sha224|-sha256|-sha384|-sha512|-md2|-md4|-md5|-dss1] [-c] [-d] [-hex] [-binary] [-r] [-non-fips-allow] [-out
filename] [-sign filename] [-keyform arg] [-passin arg] [-verify filename] [-prverify filename] [-signature filename] [-hmac key] [-non-fips-allow]
[-fips-fingerprint] [file...] openssl [digest] [...] DESCRIPTION
The digest functions output the message digest of a supplied file or files in hexadecimal. The digest functions also generate and verify digital signatures
using message digests. OPTIONS
-c print out the digest in two digit groups separated by colons, only relevant if hex format output is used. -d print out BIO debugging information. -hex
digest is to be output as a hex dump. This is the default case for a "normal" digest as opposed to a digital signature. See NOTES below for digital
signatures using -hex. -binary
output the digest or signature in binary form. -r output the digest in the "coreutils" format used by programs like sha1sum. -non-fips-allow
Allow use of non FIPS digest when in FIPS mode. This has no effect when not in FIPS mode. -out filename
filename to output to, or standard output by default. -sign filename
digitally sign the digest using the private key in "filename". -keyform arg
Specifies the key format to sign digest with. The DER, PEM, P12, and ENGINE formats are supported. -engine id
Use engine id for operations (including private key storage). This engine is not used as source for digest algorithms, unless it is also specified in the
configuration file. -sigopt nm:v
Pass options to the signature algorithm during sign or verify operations. Names and values of these options are algorithm-specific. -passin arg
the private key password source. For more information about the format of arg see the PASS PHRASE ARGUMENTS section in openssl(1). -verify filename
verify the signature using the the public key in "filename". The output is either "Verification OK" or "Verification Failure". -prverify filename
verify the signature using the the private key in "filename". -signature filename
the actual signature to verify. -hmac key
create a hashed MAC using "key". -mac alg
create MAC (keyed Message Authentication Code). The most popular MAC algorithm is HMAC (hash-based MAC), but there are other MAC algorithms which are not
based on hash, for instance gost-mac algorithm, supported by ccgost engine. MAC keys and other options should be set via -macopt parameter.
-macopt nm:v
Passes options to MAC algorithm, specified by -mac key. Following options are supported by both by HMAC and gost-mac: key:string
Specifies MAC key as alphnumeric string (use if key contain printable characters only). String length must conform to any restrictions of the MAC
algorithm for example exactly 32 chars for gost-mac. hexkey:string
Specifies MAC key in hexadecimal form (two hex digits per byte). Key length must conform to any restrictions of the MAC algorithm for example
exactly 32 chars for gost-mac. -rand file(s)
a file or files containing random data used to seed the random number generator, or an EGD socket (see RAND_egd(3)). Multiple files can be specified
separated by a OS-dependent character. The separator is ; for MS-Windows, , for OpenVMS, and : for all others. -non-fips-allow
enable use of non-FIPS algorithms such as MD5 even in FIPS mode. -fips-fingerprint
compute HMAC using a specific key for certain OpenSSL-FIPS operations. file...
file or files to digest. If no files are specified then standard input is used. EXAMPLES
To create a hex-encoded message digest of a file:
openssl dgst -md5 -hex file.txt To sign a file using SHA-256 with binary file output:
openssl dgst -sha256 -sign privatekey.pem -out signature.sign file.txt To verify a signature:
openssl dgst -sha256 -verify publickey.pem \
-signature signature.sign \
file.txt NOTES
The digest of choice for all new applications is SHA1. Other digests are however still widely used. When signing a file, dgst will automatically determine the algorithm (RSA, ECC, etc) to use for signing based on the private key's ASN.1 info. When verifying
signatures, it only handles the RSA, DSA, or ECDSA signature itself, not the related data to identify the signer and algorithm used in formats such as x.509,
CMS, and S/MIME. A source of random numbers is required for certain signing algorithms, in particular ECDSA and DSA. The signing and verify options should only be used if a single file is being signed or verified. Hex signatures cannot be verified using openssl. Instead, use "xxd -r" or similar program to transform the hex signature into a binary signature prior to
verification. 1.0.2k 2017-01-26 DGST(1)
[root@node101.yinzhengjie.org.cn ~]# man dgst #查看帮助信息
[root@node101.yinzhengjie.org.cn ~]# cp /etc/fstab ./
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# ll
total 4
-rw-r--r-- 1 root root 541 Dec 21 09:54 fstab
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# openssl dgst -md5 fstab #指定md5单项散列算法,可以很快得到的一个hash摘要值
MD5(fstab)= 964ddd7a410b74512ea8dfaa11ac5157
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# md5sum fstab
964ddd7a410b74512ea8dfaa11ac5157 fstab
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]#
4>.生成用户密码
[root@node101.yinzhengjie.org.cn ~]# man sslpasswd
PASSWD(1) OpenSSL PASSWD(1) NAME
passwd - compute password hashes SYNOPSIS
openssl passwd [-crypt] [-1] [-apr1] [-salt string] [-in file] [-stdin] [-noverify] [-quiet] [-table] {password} DESCRIPTION
The passwd command computes the hash of a password typed at run-time or the hash of each password in a list. The password list is taken from the named file for
option -in file, from stdin for option -stdin, or from the command line, or from the terminal otherwise. The Unix standard algorithm crypt and the MD5-based
BSD password algorithm 1 and its Apache variant apr1 are available. OPTIONS
-crypt
Use the crypt algorithm (default). -1 Use the MD5 based BSD password algorithm 1. -apr1
Use the apr1 algorithm (Apache variant of the BSD algorithm). -salt string
Use the specified salt. When reading a password from the terminal, this implies -noverify. -in file
Read passwords from file. -stdin
Read passwords from stdin. -noverify
Don't verify when reading a password from the terminal. -quiet
Don't output warnings when passwords given at the command line are truncated. -table
In the output list, prepend the cleartext password and a TAB character to each password hash. EXAMPLES
openssl passwd -crypt -salt xx password prints xxj31ZMTZzkVA. openssl passwd -1 -salt xxxxxxxx password prints $1$xxxxxxxx$UYCIxa628.9qXjpQCjM4a.. openssl passwd -apr1 -salt xxxxxxxx password prints $apr1$xxxxxxxx$dxHfLAsjHkDRmG83UXe8K0. 1.0.2k 2017-01-26 PASSWD(1)
[root@node101.yinzhengjie.org.cn ~]# man sslpasswd
[root@node101.yinzhengjie.org.cn ~]# openssl passwd -1 #此处我输入的是"yinzhengjie"得到一个密码如下
Password:
Verifying - Password:
$1$IetQRS9t$hoCuehrhgRASJxU08nQBE.
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# openssl passwd -1 #此处我依旧输入的是"yinzhengjie"得到一个新的密码如下,我擦,是不是很神奇?输入相同的密码得到的结果却不一致!这是因为我们没有指定盐,默认是一个随机值
Password:
Verifying - Password:
$1$VsdAqm1E$2aQXCaV7SSu8gCl9YitHI.
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# openssl passwd -1 -salt "IetQRS9t" #上面标记红色的就是指定的盐,我们使用指定的盐进行加密,发现使用相同的盐且密码一直时得到的结果是一致的
Password:
$1$IetQRS9t$hoCuehrhgRASJxU08nQBE.
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# openssl passwd -1 -salt "VsdAqm1E" #再次印证了使用相同的盐且密码相同的情况下,得到的结果是一致的。
Password:
$1$VsdAqm1E$2aQXCaV7SSu8gCl9YitHI.
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]#
5>.生成随机数
语法:
openssl rand -base64|-hex NUM
NUM:
表示字节数,使用-hex,每个字符为十六进制,相当于4位二进制,出现的字符数为NUM*2
[root@node101.yinzhengjie.org.cn ~]# man sslrand RAND(1) OpenSSL RAND(1) NAME
rand - generate pseudo-random bytes SYNOPSIS
openssl rand [-out file] [-rand file(s)] [-base64] [-hex] num DESCRIPTION
The rand command outputs num pseudo-random bytes after seeding the random number generator once. As in other openssl command line tools, PRNG seeding uses the
file $HOME/.rnd or .rnd in addition to the files given in the -rand option. A new $HOME/.rnd or .rnd file will be written back if enough seeding was obtained
from these sources. OPTIONS
-out file
Write to file instead of standard output. -rand file(s)
Use specified file or files or EGD socket (see RAND_egd(3)) for seeding the random number generator. Multiple files can be specified separated by a OS-
dependent character. The separator is ; for MS-Windows, , for OpenVMS, and : for all others. -base64
Perform base64 encoding on the output. -hex
Show the output as a hex string. SEE ALSO
RAND_bytes(3) 1.0.2k 2017-01-26 RAND(1)
[root@node101.yinzhengjie.org.cn ~]# man sslrand
[root@node101.yinzhengjie.org.cn ~]# openssl rand -hex 6
3c3f702525c1
[root@node101.yinzhengjie.org.cn ~]# openssl rand -hex 6
5da7fe82a1d6
[root@node101.yinzhengjie.org.cn ~]# openssl rand -hex 6
2064b6e40f46
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# openssl rand -base64 6
cno1an+B
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# openssl rand -base64 6
k1KMD3+N
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# openssl rand -base64 6
yCMifZfM
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# openssl rand -hex 9
18c1541b7e4f63cb44
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# openssl rand -base64 9
WS7G4KPNu0Jt
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]#
6>. 生成密钥对儿
公钥加密:
算法:
RSA, ELGamal
工具:
gpg, openssl rsautl(man rsautl)
数字签名:
算法:
RSA, DSA, ELGamal
密钥交换:
算法:
dh
DSA:
Digital Signature Algorithm
DSS:
Digital Signature Standard
RSA:
[root@node101.yinzhengjie.org.cn ~]# man genrsa
GENRSA(1) OpenSSL GENRSA(1) NAME
genrsa - generate an RSA private key SYNOPSIS
openssl genrsa [-out filename] [-passout arg] [-aes128] [-aes192] [-aes256] [-camellia128] [-camellia192] [-camellia256] [-des] [-des3] [-idea] [-f4] [-3]
[-rand file(s)] [-engine id] [numbits] DESCRIPTION
The genrsa command generates an RSA private key. OPTIONS
-out filename
the output filename. If this argument is not specified then standard output is used. -passout arg
the output file password source. For more information about the format of arg see the PASS PHRASE ARGUMENTS section in openssl(1). -aes128|-aes192|-aes256|-camellia128|-camellia192|-camellia256|-des|-des3|-idea
These options encrypt the private key with specified cipher before outputting it. If none of these options is specified no encryption is used. If encryption
is used a pass phrase is prompted for if it is not supplied via the -passout argument. -F4|-3
the public exponent to use, either 65537 or 3. The default is 65537. -rand file(s)
a file or files containing random data used to seed the random number generator, or an EGD socket (see RAND_egd(3)). Multiple files can be specified
separated by a OS-dependent character. The separator is ; for MS-Windows, , for OpenVMS, and : for all others. -engine id
specifying an engine (by its unique id string) will cause genrsa to attempt to obtain a functional reference to the specified engine, thus initialising it
if needed. The engine will then be set as the default for all available algorithms. numbits
the size of the private key to generate in bits. This must be the last option specified. The default is 512. NOTES
RSA private key generation essentially involves the generation of two prime numbers. When generating a private key various symbols will be output to indicate
the progress of the generation. A . represents each number which has passed an initial sieve test, + means a number has passed a single round of the Miller-
Rabin primality test. A newline means that the number has passed all the prime tests (the actual number depends on the key size). Because key generation is a random process the time taken to generate a key may vary somewhat. BUGS
A quirk of the prime generation algorithm is that it cannot generate small primes. Therefore the number of bits should not be less that 64. For typical private
keys this will not matter because for security reasons they will be much larger (typically 1024 bits). SEE ALSO
gendsa(1) 1.0.2k 2017-01-26 GENRSA(1)
[root@node101.yinzhengjie.org.cn ~]# man genrsa
[root@node101.yinzhengjie.org.cn ~]# mkdir ssl && cd ssl
[root@node101.yinzhengjie.org.cn ~/ssl]#
[root@node101.yinzhengjie.org.cn ~/ssl]# (umask 066;openssl genrsa -out test.key 1024)
Generating RSA private key, 1024 bit long modulus
.................++++++
..........++++++
e is 65537 (0x10001)
[root@node101.yinzhengjie.org.cn ~/ssl]#
[root@node101.yinzhengjie.org.cn ~/ssl]# ll
total 4
-rw------- 1 root root 887 Dec 21 10:22 test.key
[root@node101.yinzhengjie.org.cn ~/ssl]#
[root@node101.yinzhengjie.org.cn ~/ssl]#
[root@node101.yinzhengjie.org.cn ~/ssl]# (umask 066;openssl genrsa -out test2.key -des3 1024)
Generating RSA private key, 1024 bit long modulus
..............................................++++++
......++++++
e is 65537 (0x10001)
Enter pass phrase for test2.key:
Verifying - Enter pass phrase for test2.key:
[root@node101.yinzhengjie.org.cn ~/ssl]#
[root@node101.yinzhengjie.org.cn ~/ssl]# ll
total 8
-rw------- 1 root root 963 Dec 21 10:23 test2.key
-rw------- 1 root root 887 Dec 21 10:22 test.key
[root@node101.yinzhengjie.org.cn ~/ssl]#
[root@node101.yinzhengjie.org.cn ~/ssl]# cat test.key
-----BEGIN RSA PRIVATE KEY-----
MIICXQIBAAKBgQC7n9G30qtd+8kr4Z4lFskT5aS+6/7DYr10k9TI+fgbWBpRbsnc
wPPQV+YVMn12KYtVoglgIAbDeRTfygS4q8NFqk9kYRKRlzcBIsVkem5I5P5BM9y0
2CaYZDohwOniTK5yc886EjBkvTCcglWo2oCcUdjN8+4ZoQaauoK6T0K72QIDAQAB
AoGAcpM9SWkf9wusJNzpazLH5huliGWrNPvWQBuKpJRpm6EoqTPjl6hI+6DBw44K
qZ7jFI8X9Jh6KOKHCcZfLbrOSm/KMjjVsb/3YCG174wyI+U7RCqWU/xH8FMhmOeG
LlSJIycwOnWq6CGDOsmWyhbepYX3+uoucIHU3qxUG1/p+FECQQDi6CXV0/bmBb6O
2odsgY047m5Q35tFR1ZrzhTJ1ZNfwaizFbfl0Mt4Fstm8Ie3dQAp3HjR+686NXNc
M6VN5QklAkEA065JDAj6PAzHhmnn0bCG/k8NUii9ksUuXT8WotdmgVzIUWHbiPtO
mws3v6nbZYBy0tSSX34/itpwQB5Agj5LpQJBAL7DoZuF2ttEFRMQ0i39NPeaLRC9
DVNPSG7WEVAmyQIGVIhLSBJkWcuajmL68X7hVMPc4Y7YZFcxvMzVdrJoTikCQQC6
jHHbpV3B5hFAp7yg001keQ5oRXcsDZHao2qzf9jaUIZJElCC29ZeVPiAdJThUt3e
Z2/HsF8XY4JhP0figDvxAkAcszHvpgCIV+831m8kv4XrXLL2yMqqALV8CzAXBtWX
X8gZ+pbI4yC+QfMg4Hj2h4HRPN/qRfs3zkeinsnhGZ0Y
-----END RSA PRIVATE KEY-----
[root@node101.yinzhengjie.org.cn ~/ssl]#
[root@node101.yinzhengjie.org.cn ~/ssl]# cat test.key #私钥未被加密
[root@node101.yinzhengjie.org.cn ~/ssl]# cat test2.key
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,A10A88A3A65686C4 g2uwaR6TgLObrkEAz/VNGzWhmH4IHd3XHceYnP8M0ReMARjk/keiATkQ1MmBY++M
dP+f77+g/u3Oq8SbqqJNwBKHC+rZeWjcRI0nDJ7gcDtxxq0VsAno6aUeRxRt5xrV
HsjoohpVjty9K0/ioE7y69JcYaxhuGotvxmReKWoL8DKvo73EJh5ZP/wMNNBtl7w
8Xh4SD/QqsmJ8HLX/O0rmo2INT8ahvHrhBA4cnAvnjqjPpt8BJbhYZakDbG3pAg6
abd9o6X0Tr3jWI9YxV8KkXZTpIsmbL4lhWE2pdLafDDDCd+zoVTbrRbA9vm76A1+
Jl0mX1ndl5DwC/S6gs4pW2EQX99tmWad/xYMVpB1j3UdBRsi+1LG8oFS0ngStGxv
RjNl1zGPUhm226SnM5P2Urj2X7TiwRQbLirqI0iJlELhvK8AVAsG2UWPpy1B8y4p
2Gkvu9l4YDBP3iH5OsctzI14aU3NWTRhUUNwVZZbRo+YfjQ6bDx6/8ZUf9iNYGQW
vlbuXLl3/SzaDjhoigXke5JxH31cN4IbQMbhzCZP5uemYaFdcPRSKGt5hyIj/Uxj
moZHfyk21pCtiCV2KipK8hOjXXJmu1yvtrvmtbg7mKiE4wt2G7qTeVFSN/KwF6kf
TJnPonWgqliaO20bg3a0nNgmpkdb/qKmj1xt7HCDQt+xVM98JFVPfuFtcjhDi75L
5BQ+Qt0IXVh1QkSvaB4QdU4ZICozX5cJYWO1EPBvuqOr2BL8bFapAvsADZRaXP+b
wuUVHkUc7+vCzFyvNaorVKQFB0+TBJYib6ycjpCRxqY5AcqcY9HHWQ==
-----END RSA PRIVATE KEY-----
[root@node101.yinzhengjie.org.cn ~/ssl]#
[root@node101.yinzhengjie.org.cn ~/ssl]# cat test2.key #私钥已被des3加密
[root@node101.yinzhengjie.org.cn ~/ssl]# cat test2.key
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,A10A88A3A65686C4 g2uwaR6TgLObrkEAz/VNGzWhmH4IHd3XHceYnP8M0ReMARjk/keiATkQ1MmBY++M
dP+f77+g/u3Oq8SbqqJNwBKHC+rZeWjcRI0nDJ7gcDtxxq0VsAno6aUeRxRt5xrV
HsjoohpVjty9K0/ioE7y69JcYaxhuGotvxmReKWoL8DKvo73EJh5ZP/wMNNBtl7w
8Xh4SD/QqsmJ8HLX/O0rmo2INT8ahvHrhBA4cnAvnjqjPpt8BJbhYZakDbG3pAg6
abd9o6X0Tr3jWI9YxV8KkXZTpIsmbL4lhWE2pdLafDDDCd+zoVTbrRbA9vm76A1+
Jl0mX1ndl5DwC/S6gs4pW2EQX99tmWad/xYMVpB1j3UdBRsi+1LG8oFS0ngStGxv
RjNl1zGPUhm226SnM5P2Urj2X7TiwRQbLirqI0iJlELhvK8AVAsG2UWPpy1B8y4p
2Gkvu9l4YDBP3iH5OsctzI14aU3NWTRhUUNwVZZbRo+YfjQ6bDx6/8ZUf9iNYGQW
vlbuXLl3/SzaDjhoigXke5JxH31cN4IbQMbhzCZP5uemYaFdcPRSKGt5hyIj/Uxj
moZHfyk21pCtiCV2KipK8hOjXXJmu1yvtrvmtbg7mKiE4wt2G7qTeVFSN/KwF6kf
TJnPonWgqliaO20bg3a0nNgmpkdb/qKmj1xt7HCDQt+xVM98JFVPfuFtcjhDi75L
5BQ+Qt0IXVh1QkSvaB4QdU4ZICozX5cJYWO1EPBvuqOr2BL8bFapAvsADZRaXP+b
wuUVHkUc7+vCzFyvNaorVKQFB0+TBJYib6ycjpCRxqY5AcqcY9HHWQ==
-----END RSA PRIVATE KEY-----
[root@node101.yinzhengjie.org.cn ~/ssl]#
[root@node101.yinzhengjie.org.cn ~/ssl]# openssl rsa -in test2.key -out test2.bak.key
Enter pass phrase for test2.key:
writing RSA key
[root@node101.yinzhengjie.org.cn ~/ssl]#
[root@node101.yinzhengjie.org.cn ~/ssl]# ll
total 12
-rw-r--r-- 1 root root 887 Dec 21 10:28 test2.bak.key
-rw------- 1 root root 963 Dec 21 10:23 test2.key
-rw------- 1 root root 887 Dec 21 10:24 test.key
[root@node101.yinzhengjie.org.cn ~/ssl]#
[root@node101.yinzhengjie.org.cn ~/ssl]# cat test2.bak.key
-----BEGIN RSA PRIVATE KEY-----
MIICXQIBAAKBgQC0X5rHhleCbl3XxD8ygpOHtXCTADc8eJIvigc0pUqGFJGBAlHq
I/GMho1SvDYDKO7zxhztd6h807wQiRmmr9gCExJButPJENmZ4CJcbguVjVnySMxc
3Tm8JQiGerMsP654bh0+yYEwPnAqFHC8Ca9mxJLmtNokDSKP78e9LDYt8QIDAQAB
AoGAbIgiT/BL85WJLe1NwYzETKImLK2yjtZVz/kTwN+8adUygBfvRh1+mHnVy3So
Y1pb/Z61hUW8we99d82m+59PL1zZf/aQ1FBgfiyv8WXEnWsEs8J1PpvlDKfGr9X4
3KqEd8KnHHnrFI0sRXwk9AK3IFce3L7jCqpztlrG35R9eukCQQDpyhtBcW7KJtYW
pQHk3NOO0pLD6Lf/Re38e+SBuc2ijvpDpt+ZEAPl6hkkTVJDcczlTucNQE7O3vwN
V/Tsb3AvAkEAxYJj1bTOeP3zLtb+IfLyc64ciqJuzvIF4RC0o4y3uZ1rjYxpLhT5
CFFjDq+pjXSX3vwzFbebiKvU6rMFyHmb3wJBAJlGlz39t4wzkBMClc5NdSpjJjPp
JJDpcREizPq8LXSRVsT56Ai69kNLirZBN1jeiF4ir9sBOWnpyciZzQsiOKMCQC8n
zWw1ieJLR2dUf0JdvdMuq7PRykDwecTddzNhInBXjFk0P9x3t2lr/QmBmSqjvqrH
be7uclz0IZaTfXr6xeMCQQCoQ9cgHu8SPQIXXXNrwuwlHmHqs4dURNLa6jJycsLQ
xIYVn3x5vl1mywwalMFQRzu4PWwydDHFosfAUpOSMZ0z
-----END RSA PRIVATE KEY-----
[root@node101.yinzhengjie.org.cn ~/ssl]#
[root@node101.yinzhengjie.org.cn ~/ssl]#
[root@node101.yinzhengjie.org.cn ~/ssl]# openssl rsa -in test2.key -out test2.bak.key #将加密的私钥进行解密
[root@node101.yinzhengjie.org.cn ~/ssl]#
[root@node101.yinzhengjie.org.cn ~/ssl]# cd /etc/pki/tls/certs/
[root@node101.yinzhengjie.org.cn /etc/pki/tls/certs]#
[root@node101.yinzhengjie.org.cn /etc/pki/tls/certs]# ll
total 12
lrwxrwxrwx. 1 root root 49 Jul 8 16:23 ca-bundle.crt -> /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
lrwxrwxrwx. 1 root root 55 Jul 8 16:23 ca-bundle.trust.crt -> /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt
-rwxr-xr-x. 1 root root 610 Oct 31 2018 make-dummy-cert
-rw-r--r--. 1 root root 2516 Oct 31 2018 Makefile
-rwxr-xr-x. 1 root root 829 Oct 31 2018 renew-dummy-cert
[root@node101.yinzhengjie.org.cn /etc/pki/tls/certs]#
[root@node101.yinzhengjie.org.cn /etc/pki/tls/certs]# make ~/ssl/test100.key #进入到"/etc/pki/tls/certs"目录后使用make命令可以生成加密的私钥,主要是该目录有一个Makefile文件
umask 77 ; \
/usr/bin/openssl genrsa -aes128 2048 > /root/ssl/test100.key
Generating RSA private key, 2048 bit long modulus
.....................................................+++
...........................................................+++
e is 65537 (0x10001)
Enter pass phrase:
Verifying - Enter pass phrase:
[root@node101.yinzhengjie.org.cn /etc/pki/tls/certs]#
[root@node101.yinzhengjie.org.cn /etc/pki/tls/certs]# ll ~/ssl/test100.key
-rw------- 1 root root 1766 Dec 21 10:31 /root/ssl/test100.key
[root@node101.yinzhengjie.org.cn /etc/pki/tls/certs]#
[root@node101.yinzhengjie.org.cn /etc/pki/tls/certs]# cat ~/ssl/test100.key
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,72305F310C826FAD49FF9DF021894C36 zs69lfGhV8a/GF6h6EJTKoBvCKSHs0Dn3jubW0FNUrh0IFC/RSn+Yhu2TWPdMp/j
3wZUbNYj8RTJ43yIfsoWTuBgTU1zlL2e1aTR5YO8VpfPHBT4hh5xnq9QWCTRPzk2
+FS2kpj/Iod3qmnOA2L8D00QMAQrc2anJYAJV8mQaRNfFaTw4Ka8zttgI6DiO6Pk
WYlPaD6e4EJkfUZF6kTm0CrUlRK+RRPoz4RzzBj33tXGxOCV4d6n0n2X07RnbRuE
Vayigy0p1jnW2ovC/IXWp13zYNXA4nWMqtljuqRN8ovrFdxY8DGkkUgPvYGQtKPZ
EfaIBctvgQtDrmmeOtcGLARoqGzTESPC5mzlMtU9Hc+UJnQZ87r/SUDhfrjWWC2m
4hmPzGaNcNjlW3zEs9jATnHjeHcAwvu1jGrhgGgrno2xsQv3eJzILRV7BQP5myiS
wl6whWB4SW5D/U5BHouM82Y4QJ6SX3MI3rG1PQ8M3dtyg9Miou5cVSbIF8BXBW7n
cfVjI7/B1HVQ4NIO89Sv15+fr+PGf46o2Ig8axep287itInEBZjCsmgLN0x9cC6T
W0P8NwjIXdrBOtCnuLxrlhrU2s0c2XfH4+Pal65QUkOWizLK88Y1RkLLXmGDb09D
1LYVcz2A2uM75Yh4zrFLtvJla/An/Qu9jvKGbgL7plB1dSSz4ajyeyYCnnM13A31
jmi2CmwAxJwTEbUSzCFtcGVCL7kvd7ETtnKZLgwAgXuEy3mxHu0aNYN2blc5222w
j19MLYBmbN4rd/Remhk2Y9vsBtygSJRNVoOEVEcnz4u12vsPIUO6HgAVbAARRXOK
rqaZD8+2qZxZq/um3pSt1VNufg66NIcP5f4Uww+F6AqC5XqOvCvoPxbqcqAEbxP/
wigmsPiqagfnpv/rtKArY/sHcpLeSUOrNGd6bDt7rVDY7zZdjgMmLbhxoaNCD8M3
CpFYhVEGH9A0hzY8KO+O/XZEMqwbsq1rMyjPQ2Rpz1CjpGG7/gVbPVlv7OoBEEqy
FvsP1v97kNG4SSFhAgIQdRsYKsSrM6Fj1k9BB0XVKGQK34o3r2WB9k2/IpYHZvPI
qam8LCFLI150L315gJJVKk453ZklQVKpZoI7voX4FG9x3XPuYKpywsjf/y/ErMpG
g52seo7igYHj5u63fbgpHGJRGpNAeMhKCxvXOkCUjl8e0OyowdpRmt61HVkHARae
q/BC+AX4KmOYEeHfytPe9vB74xERWy86wHGa6KU3IqcVWh/sWsTrDEuhwO0Kl3dD
6Trrw85PCv3l6NpU9I06sI2roNrtCPYXXMYPVcrmbnAxS2tpoqmevXrjf1cDocCl
1Bd2vdjIdYT92H3cB9My0RpgLb2cqPMP6GtjitJAIGWVmTPixcQsFjRpyhthuddX
DauxAzZh6X/DtjjeIPNXCkYnck6xWz8vU+fqr6kd1AXLyDA0MUJr8YuEXGn7SlFK
S9TgZY22S3waLHfVEBNp/u6m4b/BO4ZeSzqAu4cRfmFH7Lw49pRQebTPEOMchfO2
uZMvNYYiyjqwk00PcKBcX/yJHJyD/uUJ+yj2MGftUWBUY4elPUZ6EKLMSEPjf6SA
-----END RSA PRIVATE KEY-----
[root@node101.yinzhengjie.org.cn /etc/pki/tls/certs]#
[root@node101.yinzhengjie.org.cn /etc/pki/tls/certs]# make ~/ssl/test100.key #进入到"/etc/pki/tls/certs"目录后使用make命令可以生成加密的私钥,主要是该目录有一个Makefile文件
[root@node101.yinzhengjie.org.cn ~/ssl]# ll
total 16
-rw------- 1 root root 1766 Dec 21 10:31 test100.key
-rw-r--r-- 1 root root 887 Dec 21 10:28 test2.bak.key
-rw------- 1 root root 963 Dec 21 10:23 test2.key
-rw------- 1 root root 887 Dec 21 10:24 test.key
[root@node101.yinzhengjie.org.cn ~/ssl]#
[root@node101.yinzhengjie.org.cn ~/ssl]# openssl rsa -in test100.key -pubout -out test100.pubkey #从私钥中导出公钥,如果私钥设置的有密码需要验证密码后才能生成公钥文件
Enter pass phrase for test100.key:
writing RSA key
[root@node101.yinzhengjie.org.cn ~/ssl]#
[root@node101.yinzhengjie.org.cn ~/ssl]# ll
total 20
-rw------- 1 root root 1766 Dec 21 10:31 test100.key
-rw-r--r-- 1 root root 451 Dec 21 10:35 test100.pubkey
-rw-r--r-- 1 root root 887 Dec 21 10:28 test2.bak.key
-rw------- 1 root root 963 Dec 21 10:23 test2.key
-rw------- 1 root root 887 Dec 21 10:24 test.key
[root@node101.yinzhengjie.org.cn ~/ssl]#
[root@node101.yinzhengjie.org.cn ~/ssl]#
[root@node101.yinzhengjie.org.cn ~/ssl]# openssl rsa -in test.key -pubout -out test.pubkey #如果私钥文件没有设置密码则直接可以导出公钥
writing RSA key
[root@node101.yinzhengjie.org.cn ~/ssl]#
[root@node101.yinzhengjie.org.cn ~/ssl]# ll
total 24
-rw------- 1 root root 1766 Dec 21 10:31 test100.key
-rw-r--r-- 1 root root 451 Dec 21 10:35 test100.pubkey
-rw-r--r-- 1 root root 887 Dec 21 10:28 test2.bak.key
-rw------- 1 root root 963 Dec 21 10:23 test2.key
-rw------- 1 root root 887 Dec 21 10:24 test.key
-rw-r--r-- 1 root root 272 Dec 21 10:36 test.pubkey
[root@node101.yinzhengjie.org.cn ~/ssl]#
[root@node101.yinzhengjie.org.cn ~/ssl]#
[root@node101.yinzhengjie.org.cn ~/ssl]# cat test100.pubkey
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtt0fSFIhcbLMrObFw1nf
rp4HnL8s72RxtIKIrf0rEVRsgHt5AaW/wUFzeIn8nN0xrPwAwJFg2lNj+xBapXxu
61UU1CkLGblpdn1G+/eWWGsgkEw14UCg79Ifc5FLuaStraBOjAEYpXB5ge+KcFXE
IIULBUhBlmgzwXNFIM47ucy484JiwD4dXr3YTDRxWeVs0LMST3RmSJb5rq/ZnZJQ
n3t+wHfrUH8uoHnSpOaWrrLwGxdrNws8jUXFDv+T+63B8QGXjlQFEgs+sxyUo2n1
WO/9Sgop0CvSegjofKBD5bxVJsbrUAkYVD1sXEWhYb6juDLROECtxTfxV78evnW1
IwIDAQAB
-----END PUBLIC KEY-----
[root@node101.yinzhengjie.org.cn ~/ssl]#
[root@node101.yinzhengjie.org.cn ~/ssl]# cat test.pubkey
-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC7n9G30qtd+8kr4Z4lFskT5aS+
6/7DYr10k9TI+fgbWBpRbsncwPPQV+YVMn12KYtVoglgIAbDeRTfygS4q8NFqk9k
YRKRlzcBIsVkem5I5P5BM9y02CaYZDohwOniTK5yc886EjBkvTCcglWo2oCcUdjN
8+4ZoQaauoK6T0K72QIDAQAB
-----END PUBLIC KEY-----
[root@node101.yinzhengjie.org.cn ~/ssl]#
[root@node101.yinzhengjie.org.cn ~/ssl]#
[root@node101.yinzhengjie.org.cn ~/ssl]# openssl rsa -in test100.key -pubout -out test100.pubkey #从私钥中导出公钥,如果私钥设置的有密码需要验证密码后才能生成公钥文件
7>. 随机数生成器(伪随机数字)
键盘和鼠标,块设备中断
/dev/random:
仅从熵池返回随机数;随机数用尽,阻塞
/dev/urandom:
从熵池返回随机数;随机数用尽,会利用软件生成伪随机数,非阻塞
[root@node101.yinzhengjie.org.cn ~]# tr -dc 'a-zA-Z0-9' </dev/urandom #可以从操纵系统中获取随机数 [root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# openssl rand -base64 6 #使用openssl也可以说去随机数
C73Eji13
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# openssl rand -base64
yhYfP1qL
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# openssl rand -base64
+2gmWNK
[root@node101.yinzhengjie.org.cn ~]#
三.使用openssl创建私有CA和证书申请颁发
博主推荐阅读:
https://www.cnblogs.com/yinzhengjie/p/12075752.html