证书工具之OpenSSL
证书工具之OpenSSL1、OpenSSL的安装与帮助1.1、openssl install1.2、openssl help1.3、查看openssl完整版本信息1.4、openssl目录结构2、OpenSSL的实践之路2.1、生成rsa私钥帮助文档2.2、生成rsa私钥小例子2.2、查看openssl的配置文件openssl.cnf3、根据配置文件信息创建根证书CA所需的目录及文件,若没有则自己创建4、指明证书的开始编号5、生成根证书的私钥1、生成一个私钥pri_key.pem2、根据私钥pri_key.pem生成“证书请求文件”3、查看“证书请求文件”内容。指定“证书请求文件”中的签名算法验证“证书请求文件”的数字签名自签署证书,可用于自建根CA时附录:openssl.cnf 默认配置证书标准编码格式相关的文件扩展名生成csr向权威证书颁发机构申请证书生成自签名证书man opensslX.509证书(*.cer; *.crt) 个人信息交换(*.pfx; *.p12) 证书信任列表(*.stl) 证书吊销列表(*.crl) Microsoft系列证书存储(*.sst) PKCS #7证书(*.spc; *.p7b)公钥加密数据,私钥解密 称为加密和解密。私钥加密数据,公钥解密 称为签名和验证签名。互联网数据安全可靠的条件:1.数据来源可信,即数据发送者身份可信。2.数据具备完整性,即数据未被修改过。3.数据安全性,即数据不会被泄漏,他人截获后无法解密。1、OpenSSL的安装与帮助1.1、openssl installyum-yinstallopenssl 当安装碰到各种依赖循环问题无法解决时可以使用下面的命令哦!! yum-yinstallopenssl*1.2、openssl help[root@centos6a ~]# openssl --helpopenssl:Error:'--help'is an invalid command. Standard commands asn1parse ca ciphers cms crl crl2pkcs7 dgst dh dhparam dsa dsaparam ec ecparam enc engine errstr gendh gendsa genpkey genrsa nseq ocsppasswdpkcs12 pkcs7 pkcs8 pkey pkeyparam pkeyutl prime rand req rsa rsautl s_client s_server s_time sess_id smime speed spkac ts verify version x509 Message Digest commands(see the`dgst'commandformoredetails)md2 md4 md5 rmd160 sha sha1 Cipher commands(see the`enc'commandformoredetails)aes-128-cbc aes-128-ecb aes-192-cbc aes-192-ecb aes-256-cbc aes-256-ecb base64 bf bf-cbc bf-cfb bf-ecb bf-ofb camellia-128-cbc camellia-128-ecb camellia-192-cbc camellia-192-ecb camellia-256-cbc camellia-256-ecb cast cast-cbc cast5-cbc cast5-cfb cast5-ecb cast5-ofb des des-cbc des-cfb des-ecb des-ede des-ede-cbc des-ede-cfb des-ede-ofb des-ede3 des-ede3-cbc des-ede3-cfb des-ede3-ofb des-ofb des3 desx idea idea-cbc idea-cfb idea-ecb idea-ofb rc2 rc2-40-cbc rc2-64-cbc rc2-cbc rc2-cfb rc2-ecb rc2-ofb rc4 rc4-40 seed seed-cbc seed-cfb seed-ecb seed-ofb zlibopenssl命令的格式是"openssl command command-options args",command部分有很多种命令,这些命令需要依赖于openssl命令才能执行,所以称为伪命令(pseudo-command),每个伪命令都有各自的功能,大部分command都可以直接man command查看命令的用法和功能。1.3、查看openssl完整版本信息openssl version-a=========================================OpenSSL1.0.1e-fips11Feb2013built on: Mon May909:54:24 CDT2016platform: linux-x86_64 options: bn(64,64)md2(int)rc4(16x,int)des(idx,cisc,16,int)idea(int)blowfish(idx)compiler: gcc-fPIC-DOPENSSL_PIC-DZLIB-DOPENSSL_THREADS-D_REENTRANT-DDSO_DLFCN-DHAVE_DLFCN_H-DKRB5_MIT-m64-DL_ENDIAN-DTERMIO-Wall-O2-g-pipe-Wall-Wp,-D_FORTIFY_SOURCE=2-fexceptions-fstack-protector--param=ssp-buffer-size=4-m64-mtune=generic -Wa,--noexecstack-DPURIFY-DOPENSSL_IA32_SSE2-DOPENSSL_BN_ASM_MONT-DOPENSSL_BN_ASM_MONT5-DOPENSSL_BN_ASM_GF2m-DSHA1_ASM-DSHA256_ASM-DSHA512_ASM-DMD5_ASM-DAES_ASM-DVPAES_ASM-DBSAES_ASM-DWHIRLPOOL_ASM-DGHASH_ASMOPENSSLDIR:"/etc/pki/tls"engines: rdrand dynamic1.4、openssl目录结构/etc/pki 是 系统级 PKI(公钥基础设施)统一存放目录,专门存储:SSL/TLS 证书、私钥、根 CA 信任证书、证书吊销列表 CRL、OpenSSL 配置、私有 CA 相关文件。tree-d/etc/pki/============================/etc/pki/ ├── CA │ ├── certs │ ├── crl │ ├── newcerts │ └── private ├── ca-trust │ ├── extracted │ │ ├──java│ │ ├── openssl │ │ └── pem │ └──source│ ├── anchors │ └── blacklist ├──java├── nssdb ├── nss-legacy ├── rpm-gpg ├── rsyslog └── tls ├── certs ├── misc └── private/etc/pki/tls(最常用,Web/HTTPS 服务专用)OpenSSL 默认证书根目录,Nginx、Apache、MySQL 配置 HTTPS 标准路径:/etc/pki/tls/certs/:存放公钥证书 .crt/.pem(网站证书、中间 CA 证书)。/etc/pki/tls/private/:存放私钥 .key/.pem,权限严格 700,仅 root 可读,防止泄露。/etc/pki/tls/openssl.cnf:OpenSSL 全局配置文件(生成自签证书、CSR、私有 CA 都会读取)。示例 Nginx 配置: ssl_certificate /etc/pki/tls/certs/www.michael.cn.crt; ssl_certificate_key /etc/pki/tls/private/www.michael.cn.key;2、OpenSSL的实践之路2.1、生成rsa私钥帮助文档openssl genrsa-help==================================Usage: genrsa[options]numbits General options:-helpDisplay this summary-engineval Use engine, possibly a hardware device Input options:-3(deprecated)Use3forthe E value-F4Use the Fermat number F4(0x10001)forthe E value-f4Use the Fermat number F4(0x10001)forthe E value Output options:-outoutfile Output the key to specifiedfile-passoutval Outputfilepass phrasesource-primes+int Specify number of primes-verboseVerbose output-traditionalUse traditionalformatforprivate keys -* Encrypt the output with any supported cipher Random state options:-randval Load the given file(s)into the random number generator-writerandoutfile Write random data to the specifiedfileProvider options: -provider-path val Provider load path(must be before'provider'argumentifrequired)-providerval Provider to load(can be specified multipletimes)-propqueryval Property query used when fetching algorithms Parameters: numbits Size of keyinbitsmangenrsa==================================NAME asn1parse, ca, ciphers, cmp, cms, crl, crl2pkcs7, dgst, dhparam, dsa, dsaparam, ec, ecparam, enc, engine, errstr, gendsa, genpkey, genrsa, info, kdf, mac, nseq, ocsp, passwd, pkcs12, pkcs7, pkcs8, pkey, pkeyparam, pkeyutl, prime, rand, rehash, req, rsa, rsautl, s_client, s_server, s_time, sess_id, smime, speed, spkac, srp, storeutl, ts, verify, version, x509 - OpenSSL application commands SYNOPSIS openssl cmd-help|[-option|-optionarg]...[arg]... DESCRIPTION Every cmd listed above is a(sub-)command of the openssl(1)application. It has its own detailed manual page at openssl-cmd(1). For example, to view the manual pageforthe openssl dgst command,type"man openssl-dgst".OPTIONS Among others, every subcommand has ahelpoption.-help:Print out a usage messageforthe subcommand. SEE ALSO openssl(1), openssl-asn1parse(1), openssl-ca(1), openssl-ciphers(1), openssl-cmp(1), openssl-cms(1), openssl-crl(1), openssl-crl2pkcs7(1), openssl-dgst(1), openssl-dhparam(1), openssl-dsa(1), openssl-dsaparam(1), openssl-ec(1), openssl-ecparam(1), openssl-enc(1), openssl-engine(1), openssl-errstr(1), openssl-gendsa(1), openssl-genpkey(1), openssl-genrsa(1), openssl-info(1), openssl-kdf(1), openssl-mac(1