A detailed description of OpenSSL usage

Source: Internet
Author: User
Tags: openssl, enc, rsa, asymmetric encryption

OpenSSL is an open source project that consists mainly of three components:

    • openssl: the multi-purpose command-line tool

    • libcrypto: the cryptographic algorithm library

    • libssl: the library that implements the SSL and TLS protocols on top of libcrypto

With OpenSSL you can do key and certificate management, symmetric encryption, and asymmetric encryption.

1. Symmetric encryption

The standard command for symmetric encryption is enc, and its usage is:

openssl enc -ciphername [-in filename] [-out filename] [-pass arg] [-e] [-d] [-a/-base64] [-A] [-k password] [-kfile filename] [-K key] [-iv IV] [-S salt] [-salt] [-nosalt] [-z] [-md digest] [-p] [-P] [-bufsize number] [-nopad] [-debug] [-none] [-engine id]

Common options are:

-in filename: the file to read (the plaintext when encrypting, the ciphertext when decrypting)

-out filename: the file to write the result to

-salt: derive the key and IV from the password using a random 8-byte salt, which is stored in the output header after the magic string Salted__; this is the default, and -nosalt disables it, making identical inputs encrypt identically

-e: encrypt (the default mode); the cipher is named as its own option, for example -des3 or -aes-256-cbc

-d: decrypt; the cipher can again be given explicitly, and it must be the same one that was used to encrypt

-a/-base64: base64-encode the ciphertext when encrypting, and base64-decode the input when decrypting

Example, encryption:

]# openssl enc -e -des3 -a -salt -in fstab -out jiami

Decryption (note that the input and output files are the reverse of the encryption command):

]# openssl enc -d -des3 -a -salt -in jiami -out fstab

Two caveats matter in practice. First, des3 has a 64-bit block and is only kept here because the original shows it; use -aes-256-cbc for new files. Second, without -pbkdf2 (OpenSSL 1.1.0 and later) enc derives the key from the password with a single hash pass, and newer releases print a warning about that deprecated derivation. The digest used by the legacy derivation (-md) changed from MD5 to SHA-256 in 1.1.0, so a file encrypted by an older release may need -md md5 to decrypt on a newer one.
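An added example, not from the original post, showing the enc -e / enc -d pair above as a script that runs as-is. It keeps the structure of the two commands but uses AES-256-CBC with PBKDF2 instead of des3, reads the password from a file rather than the command line, and also shows what a wrong password does. It assumes openssl 1.1.0 or later on the PATH; the file names, the sample fstab lines and both passwords are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original post: a symmetric round trip with openssl enc.
# Same shape as the enc -e / enc -d pair above, with des3 swapped for AES-256-CBC and
# PBKDF2 key derivation turned on. Assumes openssl 1.1.0 or later (for -pbkdf2/-iter);
# all file names and the sample fstab contents are constructed for the example.
set -eu

# enc_roundtrip <plaintext> <password-file>: encrypt to <plaintext>.enc, decrypt to
# <plaintext>.dec, print "ok" when the decrypted file is byte-identical to the input.
enc_roundtrip() {
    in="$1"; passfile="$2"
    # -salt is already the default; it is spelled out so the intent is visible.
    # -pass file: reads the first line of the file, so the password never shows up in ps or history.
    openssl enc -e -aes-256-cbc -pbkdf2 -iter 100000 -salt -a \
        -in "$in" -out "$in.enc" -pass "file:$passfile"
    # Decryption must name the same cipher and the same derivation options.
    openssl enc -d -aes-256-cbc -pbkdf2 -iter 100000 -a \
        -in "$in.enc" -out "$in.dec" -pass "file:$passfile"
    cmp -s "$in" "$in.dec" && echo ok
}

# enc_wrong_password <plaintext> <wrong-password-file>: decrypt <plaintext>.enc with the
# wrong password. CBC with PKCS#7 padding carries no integrity check, so openssl either
# fails with "bad decrypt" or (about 1 time in 256) emits garbage; both count as "rejected".
enc_wrong_password() {
    in="$1"; badpass="$2"
    if openssl enc -d -aes-256-cbc -pbkdf2 -iter 100000 -a \
           -in "$in.enc" -out "$in.bad" -pass "file:$badpass" 2>/dev/null \
       && cmp -s "$in" "$in.bad"; then
        echo accepted
    else
        echo rejected
    fi
}

# Constructed sample input: two fstab-like lines and two password files.
work=$(mktemp -d)
printf '/dev/sda1 / ext4 defaults 1 1\n/dev/sda2 swap swap defaults 0 0\n' > "$work/fstab"
printf 'correct horse battery staple\n' > "$work/pw"
printf 'not the password\n' > "$work/bad"
enc_roundtrip "$work/fstab" "$work/pw"        # ok
enc_wrong_password "$work/fstab" "$work/bad"  # rejected
head -c 10 "$work/fstab.enc"; echo            # U2FsdGVkX1, the base64 of the Salted__ header
```

Run it with sh; the three lines at the bottom print ok, rejected and U2FsdGVkX1. The last one is worth knowing: any base64 output of openssl enc starts with it, which is how you recognise such files in the wild.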
2. One-way encryption (message digests)

The standard command for one-way hashing is dgst, and its usage is below. A digest is one-way (the input cannot be recovered from it) and it only detects accidental change; against a deliberate modification you need a keyed digest (-hmac) or a signature (-sign).

openssl dgst [-md5|-md4|-md2|-sha1|-sha|-mdc2|-ripemd160|-dss1] [-c] [-d] [-hex] [-binary] [-out filename] [-sign filename] [-keyform arg] [-passin arg] [-verify filename] [-prverify filename] [-signature filename] [-hmac key] [file ...]

Common options are:

[-md5|-md4|-md2|-sha1|-sha|-mdc2|-ripemd160|-dss1]: select the digest algorithm. This list is the old one; current releases also accept -sha224, -sha256, -sha384 and -sha512, and those are the ones to use, because MD5 and SHA-1 are collision-broken and MD2 and MD4 are long obsolete (in OpenSSL 3 MD4 lives in the legacy provider and is not enabled by default)

-out filename: write the digest to the given file instead of standard output

-hmac key: compute a keyed digest (HMAC) with the given key instead of a plain hash

-sign filename / -verify filename / -signature filename: sign the digest with a private key, or verify such a signature against the matching public key

Examples are as follows:

Besides openssl dgst, the coreutils programs md5sum, sha1sum, sha224sum, sha256sum, sha384sum and sha512sum compute the same digests.

Examples are as follows:
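An added example, not from the original post, running openssl dgst over constructed inputs and checking the results against published test vectors (the FIPS 180 "abc" vector, the RFC 1321 MD5 test suite and the Wikipedia HMAC-SHA256 example). It assumes openssl 1.0.2 or later, for the coreutils-style -r output; that output is used because the label in the default format differs between releases (SHA256(file)= in 1.1.1, SHA2-256(file)= in OpenSSL 3), and -r keeps the label out of the way.

```shell
#!/bin/sh
# Added example, not from the original post: digests and a keyed digest (HMAC) with
# openssl dgst, checked against published test vectors. Assumes openssl 1.0.2 or later
# (for the coreutils-style -r output: "hex *file"). All inputs are constructed.
set -eu

# digest_file <algo> <file>: print just the hex digest
digest_file() { openssl dgst "-$1" -r "$2" | cut -d' ' -f1; }

# hmac_file <key> <file>: HMAC-SHA256; unlike a plain digest it cannot be recomputed by
# someone who can modify the file but does not know the key
hmac_file() { openssl dgst -sha256 -hmac "$1" -r "$2" | cut -d' ' -f1; }

# check_digest <algo> <file> <expected-hex>: "ok" when the digest matches, "MISMATCH" otherwise
check_digest() {
    if [ "$(digest_file "$1" "$2")" = "$3" ]; then echo ok; else echo MISMATCH; fi
}

# Constructed inputs, written without a trailing newline because a newline changes every digest.
work=$(mktemp -d)
printf 'abc' > "$work/abc"
printf 'The quick brown fox jumps over the lazy dog' > "$work/fox"

check_digest sha256 "$work/abc" ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad   # ok
check_digest md5    "$work/abc" 900150983cd24fb0d6963f7d28e17f72   # ok: md5 still computes, but is collision-broken
hmac_file key "$work/fox"        # f7bc83f430538424b13298e6aa6fb143ef4d59a14946175997479dbc2d1a3cd8
printf 'abd' > "$work/abd"       # one changed byte
check_digest sha256 "$work/abd" ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad   # MISMATCH
```

The sha256 of the "abc" file is the value sha256sum prints for the same file, so either tool can verify the other; the HMAC line has no coreutils equivalent, which is the reason to reach for dgst when the hash itself must be tamper-proof.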

3. Generate password hashes

The standard command for generating password hashes is passwd, and its usage is:

openssl passwd [-crypt] [-1] [-apr1] [-salt string] [-in file] [-stdin] [-noverify] [-quiet] [-table] {password}

Common options are:

-crypt: the traditional DES-based crypt(3) hash, limited to 8-character passwords and long obsolete

-1: the MD5-based crypt hash ($1$salt$hash), which Linux shadow files used before the SHA-crypt schemes

-apr1: Apache's MD5 variant ($apr1$salt$hash), for htpasswd files

-salt string: use this string as the salt instead of a random one; at most 8 characters for -1 and -apr1

-in file: hash the passwords read from the file, one per line

-stdin: hash the passwords read from standard input, one per line

OpenSSL 1.1.1 added -5 and -6 for the SHA-256-crypt and SHA-512-crypt hashes ($5$ and $6$) that current Linux systems store in /etc/shadow; prefer -6. Also prefer -stdin or -in over passing the password as an argument, which exposes it in the process list and the shell history.

Examples are as follows:
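An added example, not from the original post, that produces hashes with openssl passwd and then checks a candidate password against a stored hash by re-hashing it with the scheme and salt embedded in the hash, which is exactly what login does with /etc/shadow. It uses -1 as the post does and -6 as the modern alternative; -6 needs OpenSSL 1.1.1 or later. The passwords and the salt are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original post: producing and checking crypt-style password
# hashes with openssl passwd. -1 (MD5-crypt) is what the post shows; -6 (SHA-512-crypt, the
# /etc/shadow default on current Linux) needs OpenSSL 1.1.1 or later. The password is read
# from stdin rather than passed as an argument so it never appears in ps output or shell
# history. Salt and passwords are constructed for the example.
set -eu

# crypt_hash <-1|-5|-6|-apr1> <salt>: hash the password read from stdin with a chosen salt
crypt_hash() { openssl passwd "$1" -salt "$2" -stdin; }

# verify_password <stored-hash>: re-hash the password on stdin with the scheme and salt
# taken from the stored hash ($scheme$salt$hash) and compare; prints match or mismatch.
# Handles only the $-prefixed formats (-1, -apr1, -5, -6), not bare DES crypt.
verify_password() {
    stored="$1"
    scheme=$(printf '%s' "$stored" | cut -d'$' -f2)
    salt=$(printf '%s' "$stored" | cut -d'$' -f3)
    candidate=$(openssl passwd "-$scheme" -salt "$salt" -stdin)
    if [ "$candidate" = "$stored" ]; then echo match; else echo mismatch; fi
}

h1=$(printf 'correct horse battery staple\n' | crypt_hash -1 abcdefgh)   # $1$abcdefgh$ + 22 chars
h6=$(printf 'correct horse battery staple\n' | crypt_hash -6 abcdefgh)   # $6$abcdefgh$ + 86 chars
echo "$h1"
echo "$h6"
printf 'correct horse battery staple\n' | verify_password "$h6"   # match
printf 'wrong\n' | verify_password "$h6"                          # mismatch
```

Because the salt is part of the stored string, verification needs no secret beyond the password itself; the fixed salt here is only so the output is reproducible, and in real use you let openssl pick a random one by omitting -salt.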

4. Generate random numbers

The standard command for generating random bytes is rand, and its usage is:

openssl rand [-out file] [-rand file(s)] [-base64] [-hex] num

Common options are:

-out file: write the random bytes to the given file instead of standard output

-base64: print the bytes base64-encoded instead of raw

-hex: print the bytes hex-encoded instead of raw

num is the number of random bytes, not the length of the printed string, so with -hex the output is twice num characters long. The bytes come from the library's cryptographically secure generator and are suitable for keys, salts and tokens.

Examples are as follows:

5. Generate a key pair

First generate the private key with the genrsa standard command, then use the rsa standard command to extract the public key from it.

The usage of genrsa is as follows:

openssl genrsa [-out filename] [-passout arg] [-des] [-des3] [-idea] [-F4] [-3] [-rand file(s)] [-engine id] [numbits]

Common options are:

-out filename: save the generated private key to the given file (without -out it is printed to standard output)

-des|-des3|-idea: encrypt the private key with a passphrase using that cipher (current releases also accept -aes128 and -aes256, which are the ones to use)

numbits: size of the key in bits; the default is 2048 in OpenSSL 1.1.0 and later, but older releases default to 1024, so give the size explicitly and use 2048 or more

The private key file must be readable and writable only by its owner. Older releases create the output file with the process umask, so set umask 077 before running genrsa (or in a subshell around it); current releases open the key file with mode 0600 themselves, but the umask costs nothing as a second line of defence. Either way, check the result with ls -l and expect -rw-------. Examples are as follows:

The usage of rsa is as follows:

openssl rsa [-inform PEM|NET|DER] [-outform PEM|NET|DER] [-in filename] [-passin arg] [-out filename] [-passout arg] [-sgckey] [-des] [-des3] [-idea] [-text] [-noout] [-modulus] [-check] [-pubin] [-pubout] [-engine id]

Common options:

-in filename: the private key file to read

-out filename: save the extracted public key to the given file

-pubout: output the public key instead of the private key

-text: print the key's components in readable form; -check verifies that the private key is internally consistent

Examples are as follows:
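An added example, not from the original post, that runs the genrsa and rsa -pubout sequence above under umask 077, checks the resulting permissions and key size, and then proves the two files are a pair by signing with the private key and verifying with the public one via openssl dgst (the -sign and -verify options from section 2). It assumes openssl 1.1.1 or 3.x on the PATH; the directory, file names and message are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original post: the genrsa / rsa -pubout sequence above, run
# under umask 077 so the private key is created 0600, followed by a sign-and-verify round
# trip with openssl dgst that shows the two files really are a pair. Assumes openssl 1.1.1
# or 3.x; directory and file names are constructed for the example.
set -eu

# make_keypair <dir>: writes <dir>/key.pem (owner-only) and <dir>/pub.pem
make_keypair() {
    dir="$1"
    # umask in a subshell so the rest of the script keeps its own umask
    (umask 077; openssl genrsa -out "$dir/key.pem" 2048 2>/dev/null)
    openssl rsa -in "$dir/key.pem" -pubout -out "$dir/pub.pem" 2>/dev/null
}

# key_mode <file>: the permission string as ls prints it, e.g. -rw-------
key_mode() { ls -l "$1" | cut -c1-10; }

# key_bits <private-key>: modulus size reported by openssl rsa -text
# (the line reads "RSA Private-Key: (2048 bit, 2 primes)" or "Private-Key: (2048 bit)")
key_bits() {
    openssl rsa -in "$1" -noout -text 2>/dev/null \
        | sed -n 's/^.*Private-Key: (\([0-9]*\) bit.*$/\1/p'
}

# sign_file <private-key> <file> <sig-out>: RSA signature over the SHA-256 digest of the file
sign_file() { openssl dgst -sha256 -sign "$1" -out "$3" "$2"; }

# verify_file <public-key> <file> <sig>: "valid" or "invalid"; only the public key is needed here
verify_file() {
    if openssl dgst -sha256 -verify "$1" -signature "$3" "$2" >/dev/null 2>&1; then
        echo valid
    else
        echo invalid
    fi
}

work=$(mktemp -d)
make_keypair "$work"
key_mode "$work/key.pem"      # -rw-------
key_bits "$work/key.pem"      # 2048
printf 'constructed message\n' > "$work/msg"
sign_file "$work/key.pem" "$work/msg" "$work/msg.sig"
verify_file "$work/pub.pem" "$work/msg" "$work/msg.sig"   # valid
printf 'constructed message!\n' > "$work/msg"             # tamper with the signed data
verify_file "$work/pub.pem" "$work/msg" "$work/msg.sig"   # invalid
```

The public key alone verifies, and changing a single byte of the message makes the same signature fail: that asymmetry is what the CA workflow in section 6 is built on, with the CA's private key signing certificates and everyone else holding only its public one.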

6. Create a CA and request a certificate

When you use the openssl tool to build a CA and request certificates, look at the configuration file first, because it fixes the names and locations of everything the CA uses (its directory, the index.txt database, the serial file, the CA certificate and its private key). On Red Hat-style systems that file is /etc/pki/tls/openssl.cnf and the CA directory it points to is /etc/pki/CA; the paths below assume that layout.

(1) Create a self-signed CA certificate

Step one: create the directories and files the CA needs (under /etc/pki/CA: certs, crl, newcerts and private, plus an empty index.txt database)

Step two: set the serial number of the first certificate to be issued (01 is the conventional starting value)

]# echo 01 > serial

Step three: generate the CA's private key; its file name and location must match the private_key setting in the configuration file (private/cakey.pem in the stock one), and it must be readable only by root;

Step four: generate the self-signed certificate with openssl req; its location must likewise match the certificate setting in the configuration file, and the command prompts for the fields of the certificate's subject;

The options used in the command are explained:

-new: generate a new certificate signing request

-x509: output a self-signed certificate instead of a request; this is only for the CA's own certificate, an ordinary request does not use it

-key: the private key the request (or the self-signed certificate) is generated from

-out: where to save the certificate

-days: validity period of the certificate in days; openssl req defaults to 30 (the default_days = 365 in the stock configuration applies to openssl ca, not to req), and a CA certificate is normally given several years

(2) Issuing certificates

Generate a certificate request on the host that needs the certificate; taking the httpd service as an example, the steps are:

Step one: generate a private key on that host; the key file can live anywhere, but keep it readable only by the account that runs the service

Step two: generate a certificate signing request from that key with openssl req -new (without -x509)

Step three: send the request, and only the request, to the CA host over a trusted channel; the private key never leaves the host

Step four: on the CA server, sign the request with openssl ca to issue the certificate

The command to view the certificate information is:

(3) Revoking certificates

Revocation is also done on the CA server; taking the httpd.crt certificate just issued as an example, the steps are:

Step one: on the client, read the serial number and subject of the certificate to be revoked

Step two: on the CA, check that the serial and subject the client submitted match the entry stored in the CA's database, index.txt

Step three: perform the revocation (openssl ca -revoke), which changes the entry's flag in index.txt from V to R

Step four: initialize the CRL number (only needed the first time a certificate is revoked)

]# echo 01 > /etc/pki/CA/crlnumber

Step five: regenerate the certificate revocation list

]# openssl ca -gencrl -out /etc/pki/CA/crl/ca.crl

To view the CRL file:

]# openssl crl -in /etc/pki/CA/crl/ca.crl -noout -text

Regenerating the CRL only records the revocation; relying parties do not see it until the new CRL is published where they fetch it and they actually check it.
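An added example, not from the original post, that runs the three procedures of this section end to end: building a self-signed CA, issuing a certificate for www.example.com from a CSR, and revoking it and publishing a CRL. To stay runnable without root it uses a throwaway directory instead of /etc/pki/CA and writes a minimal openssl.cnf inline to play the role of /etc/pki/tls/openssl.cnf; the CA name, host name, file names and the config contents are all constructed for the example. It assumes openssl 1.1.1 or 3.x on the PATH.

```shell
#!/bin/sh
# Added example, not from the original post: the three procedures above (self-signed CA,
# issuing a server certificate from a CSR, revoking it and publishing a CRL) run end to end
# in a throwaway directory instead of /etc/pki/CA, with a minimal openssl.cnf written inline
# to play the role of /etc/pki/tls/openssl.cnf. Assumes openssl 1.1.1 or 3.x on PATH. The CA
# name, the host name www.example.com and all file names are constructed for the example.
set -eu
umask 077   # every private key below is created mode 0600

# make_ca <cadir>: directories, database files and config, then the CA key and self-signed cert
make_ca() {
    ca="$1"
    mkdir -p "$ca/private" "$ca/certs" "$ca/newcerts" "$ca/crl"
    : > "$ca/index.txt"         # certificate database, empty to start
    echo 01 > "$ca/serial"      # serial number the next issued certificate gets
    echo 01 > "$ca/crlnumber"   # number the next CRL gets
    cat > "$ca/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $ca
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
certificate = \$dir/cacert.pem
private_key = \$dir/private/cakey.pem
serial = \$dir/serial
crlnumber = \$dir/crlnumber
default_md = sha256
default_days = 365
default_crl_days = 30
policy = policy_any
[ policy_any ]
commonName = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ server_cert ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.com
EOF
    openssl genrsa -out "$ca/private/cakey.pem" 2048 2>/dev/null
    # -x509 turns the request into a self-signed certificate; -extensions marks it as a CA
    openssl req -config "$ca/openssl.cnf" -new -x509 -days 3650 -extensions v3_ca \
        -key "$ca/private/cakey.pem" -subj "/CN=Example Test CA" -out "$ca/cacert.pem"
}

# issue_cert <cadir> <hostdir>: key and CSR are made on the web host, signing on the CA.
# Only the CSR crosses between them. Prints OK when the issued certificate chains to the CA.
issue_cert() {
    ca="$1"; host="$2"
    openssl genrsa -out "$host/httpd.key" 2048 2>/dev/null
    openssl req -config "$ca/openssl.cnf" -new -key "$host/httpd.key" \
        -subj "/CN=www.example.com" -out "$host/httpd.csr"
    # -batch skips the interactive "Sign the certificate?" prompt
    openssl ca -config "$ca/openssl.cnf" -batch -notext -extensions server_cert \
        -in "$host/httpd.csr" -out "$host/httpd.crt" >/dev/null 2>&1
    openssl verify -CAfile "$ca/cacert.pem" "$host/httpd.crt" >/dev/null && echo OK
}

# cert_identity <cert>: the serial and subject a client reports when asking for revocation
cert_identity() { openssl x509 -in "$1" -noout -serial -subject; }

# revoke_cert <cadir> <cert>: mark the entry revoked in index.txt, regenerate the CRL and
# show that a CRL-checking verifier now rejects the certificate. Prints revoked or still-valid.
revoke_cert() {
    ca="$1"; crt="$2"
    openssl ca -config "$ca/openssl.cnf" -revoke "$crt" >/dev/null 2>&1
    openssl ca -config "$ca/openssl.cnf" -gencrl -out "$ca/crl/ca.crl" >/dev/null 2>&1
    # -crl_check needs the CRL next to the CA certificate in the trusted bundle
    cat "$ca/cacert.pem" "$ca/crl/ca.crl" > "$ca/crl/bundle.pem"
    if openssl verify -crl_check -CAfile "$ca/crl/bundle.pem" "$crt" >/dev/null 2>&1; then
        echo still-valid
    else
        echo revoked
    fi
}

work=$(mktemp -d); mkdir "$work/host"
make_ca "$work/ca"
issue_cert "$work/ca" "$work/host"                 # OK
cert_identity "$work/host/httpd.crt"               # serial=01, then the subject line
revoke_cert "$work/ca" "$work/host/httpd.crt"      # revoked
grep '^R' "$work/ca/index.txt"                     # the database line now starts with R
openssl crl -in "$work/ca/crl/ca.crl" -noout -text | grep -A1 'Revoked Certificates'
```

The last verify is the point of the whole revocation procedure: without -crl_check, or without the CRL in the trust bundle, the same command still reports the revoked certificate as valid, which is why publishing the CRL (or running OCSP) matters as much as generating it.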

Original http://www.178linux.com/48764
