OpenSSL is an open source project made up of three main components:
openssl: the multi-purpose command-line tool
libcrypto: the cryptographic algorithm library
libssl: the SSL/TLS protocol library, built on libcrypto
With OpenSSL you can manage keys and certificates and perform symmetric encryption, one-way hashing and asymmetric (public-key) operations.
1. Symmetric encryption
Symmetric encryption uses the enc standard command, whose usage is:
openssl enc -ciphername [-in filename] [-out filename] [-pass arg] [-e] [-d] [-a/-base64] [-A] [-k password] [-kfile filename] [-K key] [-iv IV] [-S salt] [-salt] [-nosalt] [-z] [-md digest] [-p] [-P] [-bufsize number] [-nopad] [-debug] [-none] [-engine id]
Common options are:
-in filename: the file to encrypt (or, with -d, to decrypt)
-out filename: where to write the result
-salt: derive the key from the password with a random salt, which is stored in the output after the 8-byte "Salted__" header. This is the default and should not be turned off: -nosalt makes identical files encrypt identically and lets an attacker precompute keys for a password dictionary
-e: encrypt; this is the default operation. The cipher is chosen by -ciphername (for example -aes-256-cbc or -des3); openssl list -cipher-commands shows the names the installed release understands
-d: decrypt. The same cipher that was used for encryption must be given, because nothing in the file records it
-a/-base64: base64-encode the ciphertext (and decode it on -d), so the output is printable text
-pass arg: where to take the password from (pass:, env:, file:, fd: or stdin); prefer this to -k password, which is visible to other users in the process list
Example. Encrypt the file fstab into jiami, then decrypt jiami back to fstab:
]# openssl enc -e -des3 -a -salt -in fstab -out jiami
]# openssl enc -d -des3 -a -in jiami -out fstab
For decryption the input is the encrypted file and the output is the recovered plaintext; -salt is not needed on -d, since the salt is read from the file. Two caveats: des3 (Triple DES) is a legacy cipher and current releases should use AES (-aes-256-cbc); and the key is derived from the password with the fast EVP_BytesToKey scheme (one pass of MD5 on old releases, SHA-256 since 1.1.0), which does little to slow down password guessing. On OpenSSL 1.1.1 and later add -pbkdf2 so that PBKDF2 is used instead.
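As an added example that is not part of the original page, here is the same encrypt/decrypt cycle as a shell script, using AES-256-CBC with -pbkdf2 (OpenSSL 1.1.1 or later) instead of des3, and checking the decryption exit status. The fstab line and the passwords are made up for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original page: password-based file encryption
# with `openssl enc`. It uses AES-256-CBC and PBKDF2 instead of the article's
# des3 and the default one-pass key derivation; -pbkdf2 needs OpenSSL 1.1.1+.
set -eu

# Encrypt $1 into $2 with password $3. -a makes the output base64 so it can
# be pasted or mailed; decoded, it starts with "Salted__" and the 8-byte salt.
enc_file() {
    openssl enc -e -aes-256-cbc -salt -pbkdf2 -iter 100000 -a \
        -in "$1" -out "$2" -pass "pass:$3"
}

# Decrypt $1 into $2 with password $3. Cipher and KDF options must match the
# ones used for encryption; -salt is not needed, the salt is in the file.
# The exit status is non-zero when the password is wrong (padding check fails).
dec_file() {
    openssl enc -d -aes-256-cbc -pbkdf2 -iter 100000 -a \
        -in "$1" -out "$2" -pass "pass:$3"
}

# Round trip over a constructed fstab line; prints ok when plaintext survives.
enc_roundtrip() {
    tmp=$(mktemp -d)
    printf 'UUID=1234 / ext4 defaults 0 1\n' > "$tmp/fstab"
    enc_file "$tmp/fstab" "$tmp/jiami" 'correct horse battery staple'
    dec_file "$tmp/jiami" "$tmp/fstab.dec" 'correct horse battery staple'
    if [ "$(cat "$tmp/fstab")" = "$(cat "$tmp/fstab.dec")" ]; then r=ok; else r=FAIL; fi
    rm -rf "$tmp"
    echo "$r"
}

# Wrong password: normally rejected outright, but with probability about 1/256
# the padding happens to look valid and garbage is written. A caller therefore
# checks the exit status AND something about the content (a MAC or known header).
enc_wrongpass() {
    tmp=$(mktemp -d)
    printf 'secret\n' > "$tmp/p"
    enc_file "$tmp/p" "$tmp/p.enc" 'right password'
    if ! dec_file "$tmp/p.enc" "$tmp/p.dec" 'wrong password' 2>/dev/null; then
        r=rejected
    elif [ "$(cat "$tmp/p.dec")" = "secret" ]; then
        r=matched
    else
        r=garbage
    fi
    rm -rf "$tmp"
    echo "$r"
}

echo "round trip: $(enc_roundtrip)"
echo "wrong password: $(enc_wrongpass)"
```

In a real script the password should come from -pass env:VAR or -pass file:path rather than pass:, so that it does not appear in the process list.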
2. One-way hashing (message digests)
One-way hashing (the original page calls it "one-way encryption") uses the dgst standard command, whose usage is:
openssl dgst [-md5|-md4|-md2|-sha1|-sha|-mdc2|-ripemd160|-dss1] [-c] [-d] [-hex] [-binary] [-out filename] [-sign filename] [-keyform arg] [-passin arg] [-verify filename] [-prverify filename] [-signature filename] [-hmac key] [file ...]
Common options are:
[-md5|-md4|-md2|-sha1|-sha|-mdc2|-ripemd160|-dss1]: the digest algorithm. This list comes from an old release; current ones also accept -sha256, -sha384, -sha512 and others, and MD5 and SHA-1 should no longer be used where collision resistance matters
-out filename: write the digest to a file instead of standard output
-hmac key: compute a keyed HMAC over the input instead of a plain digest
-sign filename / -verify filename: sign the digest with a private key, or check a signature (given with -signature) against a public key
Besides openssl dgst, the coreutils programs md5sum, sha1sum, sha224sum, sha256sum, sha384sum and sha512sum compute the same digests.
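An added example, not from the original page, that uses openssl dgst for both a plain SHA-256 digest and an HMAC and shows the difference in what they protect against. The passwd-style lines and the HMAC key are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original page: digests and HMACs with
# `openssl dgst`. The sed strips the "NAME(file)= " prefix, which reads
# "SHA256(f)= ..." on OpenSSL 1.x and "SHA2-256(f)= ..." on 3.x, so the
# functions print the bare hex digest that sha256sum would print.
set -eu

sha256_of() { openssl dgst -sha256 "$1" | sed 's/^.*= //'; }

# Keyed digest with key $1 over file $2; only holders of the key can produce it.
hmac_of() { openssl dgst -sha256 -hmac "$1" "$2" | sed 's/^.*= //'; }

# Compare file $1 with a published digest $2; prints ok or TAMPERED.
check_digest() { [ "$(sha256_of "$1")" = "$2" ] && echo ok || echo TAMPERED; }

# Compare file $2 with HMAC $3 under key $1; prints ok or TAMPERED.
check_hmac() { [ "$(hmac_of "$1" "$2")" = "$3" ] && echo ok || echo TAMPERED; }

# A digest stored next to the file is not an integrity control: whoever can
# edit the file can refresh the digest. An HMAC under a key kept elsewhere
# (for example on the monitoring host) catches the same edit.
dgst_demo() {
    tmp=$(mktemp -d)
    printf 'root:x:0:0:root:/root:/bin/bash\n' > "$tmp/passwd"   # constructed input
    key=$(openssl rand -hex 32)                                  # 256-bit HMAC key
    mac=$(hmac_of "$key" "$tmp/passwd")
    # attacker adds a uid-0 account and republishes a matching digest
    printf 'eve:x:0:0::/root:/bin/bash\n' >> "$tmp/passwd"
    published=$(sha256_of "$tmp/passwd")
    echo "digest=$(check_digest "$tmp/passwd" "$published") hmac=$(check_hmac "$key" "$tmp/passwd" "$mac")"
    rm -rf "$tmp"
}

dgst_demo
```

The demo prints digest=ok hmac=TAMPERED: the refreshed digest passes, the HMAC does not. Note that openssl dgst -hmac takes the key on the command line; for anything beyond a demonstration use -mac HMAC -macopt hexkey:... with the key read from a file.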
3. Generate a password hash
Password hashes in crypt(3) format, the form stored in /etc/shadow, are generated with the passwd standard command, whose usage is:
openssl passwd [-crypt] [-1] [-apr1] [-salt string] [-in file] [-stdin] [-noverify] [-quiet] [-table] {password}
Common options are:
-1: use the MD5-based crypt algorithm (hashes start with $1$). -crypt is the old DES-based scheme and should not be used; OpenSSL 1.1.1 and later add -5 (SHA-256-crypt) and -6 (SHA-512-crypt), which is what current Linux systems use
-salt string: the salt to use, up to 8 characters for -1 and -apr1 (16 for -5 and -6); if omitted, a random salt is generated. The salt is stored in the hash, so the same password and salt always give the same hash, which is what makes verification possible
-in file: hash the passwords listed in the file, one per line
-stdin: read the passwords from standard input. Prefer this (or -in) to giving the password on the command line, where it is visible to other users through ps
4. Generate random numbers
Random bytes are generated with the rand standard command, whose usage is:
openssl rand [-out file] [-rand file(s)] [-base64] [-hex] num
num is the number of bytes to generate; they come from the library's cryptographic random generator, so the output is suitable for keys, salts and tokens.
Common options are:
-out file: write the random bytes to the specified file
-base64: base64-encode the output
-hex: print the output as hexadecimal (two characters per byte)
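An added example, not from the original page, that ties sections 3 and 4 together: a random salt from openssl rand, a SHA-512-crypt hash from openssl passwd -6, and verification of a candidate password by re-hashing it with the salt recovered from the stored string. The -6 option needs OpenSSL 1.1.1 or later; the passwords are made up.

```shell
#!/bin/sh
# Added example, not from the original page: produce a crypt(3)-style password
# hash the way /etc/shadow stores it, and check a candidate password against a
# stored hash by re-hashing with the stored salt. -6 (SHA-512-crypt) needs
# OpenSSL 1.1.1 or later; older releases only offer -1 (MD5-crypt, shown for
# comparison) and -crypt (DES, never use).
set -eu

# Hash the password read from stdin with a fresh random salt; prints
# $6$salt$hash. The password goes through -stdin so it never shows in `ps`.
hash_password() {
    salt=$(openssl rand -hex 8)          # 16 characters, the maximum for $6$
    openssl passwd -6 -salt "$salt" -stdin
}

# The article's -1 variant: MD5-crypt with an 8-character salt ($1$salt$hash).
hash_password_md5() {
    salt=$(openssl rand -hex 4)
    openssl passwd -1 -salt "$salt" -stdin
}

# Re-hash the candidate (stdin) with the salt taken from the stored string ($1,
# field 3 when split on '$') and compare; prints match or no-match.
# A real login path uses crypt(3)/PAM, whose comparison is constant-time;
# the shell [ = ] here is not, which is fine for a demonstration only.
check_password() {
    salt=$(printf '%s' "$1" | cut -d'$' -f3)
    [ "$(openssl passwd -6 -salt "$salt" -stdin)" = "$1" ] && echo match || echo no-match
}

passwd_demo() {
    stored=$(printf '%s\n' 'correct horse battery staple' | hash_password)
    right=$(printf '%s\n' 'correct horse battery staple' | check_password "$stored")
    wrong=$(printf '%s\n' 'Tr0ub4dor&3' | check_password "$stored")
    echo "prefix=$(printf '%s' "$stored" | cut -c1-3) right=$right wrong=$wrong"
}

passwd_demo
```

Because the salt is embedded in the stored string, the verifier needs nothing beyond the stored hash itself; two users with the same password still get different hashes, which is the whole point of salting.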
5. Generate a key pair
First generate the private key with the genrsa standard command, then extract the public key from it with the rsa standard command.
The usage of genrsa is:
openssl genrsa [-out filename] [-passout arg] [-des] [-des3] [-idea] [-f4] [-3] [-rand file(s)] [-engine id] [numbits]
Common options are:
-out filename: write the generated private key to the specified file
-des|-des3|-idea: encrypt the private key with the given cipher under a passphrase (asked for interactively, or supplied with -passout); an unencrypted key is protected only by file permissions
numbits: the size of the key in bits. Current releases default to 2048; older ones used a smaller default, and 1024-bit RSA is no longer considered safe, so give 2048 or more explicitly
The key file's permissions must be restricted so that only its owner can read and write it. genrsa creates the file with mode 0666 minus the umask, so set umask 077 in the shell (or in a subshell) before running it: the key is then 0600 from the moment it exists, rather than being world-readable until a later chmod.
The usage of rsa is:
openssl rsa [-inform PEM|NET|DER] [-outform PEM|NET|DER] [-in filename] [-passin arg] [-out filename] [-passout arg] [-sgckey] [-des] [-des3] [-idea] [-text] [-noout] [-modulus] [-check] [-pubin] [-pubout] [-engine id]
Common options:
-in filename: the private key file
-out filename: write the extracted public key to the specified file
-pubout: output the public key derived from the private key
-modulus, -check, -text: print the modulus, run consistency checks on the private key, or dump all of the key's components; comparing the modulus of a private key with that of a public key (read with -pubin) confirms that they belong together
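An added example, not from the original page, that creates the key pair with the umask technique described above, checks the resulting file mode, confirms that the public key belongs to the private key by comparing moduli, and then uses the pair with openssl dgst to sign and verify a file. The manifest file is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original page: create an RSA key pair with the
# private key readable only by its owner, extract the public key, confirm the
# two halves belong together, and use them to sign and verify a file.
set -eu

# Generate private.key (mode 600 via umask) and public.key in directory $1.
gen_keypair() {
    (umask 077; openssl genrsa -out "$1/private.key" 2048 2>/dev/null)
    openssl rsa -in "$1/private.key" -pubout -out "$1/public.key" 2>/dev/null
}

# Octal permission bits of a file (GNU stat, with a BSD fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%OLp' "$1"
}

# The public key was derived from the private key iff the moduli are equal.
keys_match() {
    priv=$(openssl rsa -in "$1/private.key" -noout -modulus 2>/dev/null)
    pub=$(openssl rsa -pubin -in "$1/public.key" -noout -modulus 2>/dev/null)
    [ -n "$priv" ] && [ "$priv" = "$pub" ] && echo yes || echo no
}

# Sign file $2 with the private key in $1 (SHA-256, PKCS#1 v1.5); the
# signature is written to $2.sig.
sign_file() {
    openssl dgst -sha256 -sign "$1/private.key" -out "$2.sig" "$2"
}

# Verify $2 against $2.sig with the public key in $1; prints ok or FAIL.
verify_file() {
    if openssl dgst -sha256 -verify "$1/public.key" -signature "$2.sig" "$2" >/dev/null 2>&1
    then echo ok; else echo FAIL; fi
}

# End to end: keys, permissions, signature, then tamper with the file and re-verify.
keypair_demo() {
    tmp=$(mktemp -d)
    gen_keypair "$tmp"
    printf 'release-1.0.tar.gz  sha256  deadbeef\n' > "$tmp/manifest"   # constructed input
    sign_file "$tmp" "$tmp/manifest"
    before=$(verify_file "$tmp" "$tmp/manifest")
    printf 'backdoor-1.0.tar.gz  sha256  cafebabe\n' >> "$tmp/manifest"
    after=$(verify_file "$tmp" "$tmp/manifest")
    echo "mode=$(file_mode "$tmp/private.key") match=$(keys_match "$tmp") intact=$before tampered=$after"
    rm -rf "$tmp"
}

keypair_demo
```

The demo prints mode=600 match=yes intact=ok tampered=FAIL. Signing a manifest this way is how release integrity is usually anchored: the public key is distributed once, and every later download can be checked against it.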
6. Create a CA and issue certificates
When using the openssl tool to create a CA and issue certificates, first read the configuration file, /etc/pki/tls/openssl.cnf on CentOS/RHEL (/etc/ssl/openssl.cnf on Debian-based systems): its [ ca ] section fixes the directory, database, serial file, CA certificate and CA private key names that openssl ca will use, and the files created below must match it.
(1) Create the self-signed CA certificate
First step: create the directories and files the CA needs (on CentOS these are /etc/pki/CA with its certs, crl and newcerts subdirectories, the private directory for the key, and an empty index.txt database)
Step two: set the starting serial number. The file must hold a hexadecimal number with an even number of digits; 01 is the usual start:
]# echo 01 > serial
Third step: generate the CA's private key; its file name and location must match the private_key setting in the configuration file, and the file must be readable only by root
Fourth step: generate the self-signed certificate with openssl req; its location must also match the certificate setting in the configuration file, and the subject fields (country, organization, common name and so on) are entered at the prompts
The options used in the command are:
-new: generate a new certificate signing request
-x509: output a self-signed certificate instead of a request; only the CA's own certificate uses this, ordinary requests do not
-key: the private key used to generate the request
-out: where to write the certificate
-days: validity period of the certificate in days. The default for openssl req -x509 is 30 days (not 365), so a CA certificate should be given a long period explicitly; once the CA certificate expires, nothing it issued validates any more
(2) Issuing certificates
The certificate request is generated on the host that needs the certificate; taking the httpd service as an example, the steps are:
First step: generate a private key on the host that needs the certificate. This key file can live anywhere (it is only the CA's key whose location is fixed by the configuration file), but it must be mode 0600
Step two: generate a certificate signing request with openssl req -new, using that key. The common name must be the host name clients will connect to, and current browsers additionally require a subjectAltName extension
Step three: send the request (.csr file) to the CA host in a reliable way. The request contains only the public key, so confidentiality is not required, but the CA must be sure it came from the host it names, otherwise it will certify an impostor
Fourth step: on the CA server, sign the request with openssl ca, which writes the certificate, records it in index.txt and advances the serial file; the certificate (.crt) is then sent back to the requesting host
The certificate's contents (subject, issuer, serial number, validity period, extensions) are viewed with the openssl x509 command.
(3) Revoking certificates
Revocation is also performed on the CA server; taking the httpd.crt certificate just issued as an example, the steps are:
Step one: on the client, read the serial number and subject of the certificate to be revoked (openssl x509 prints both)
Step two: on the CA, check that the serial and subject submitted by the client match an entry in the CA's database index.txt; the line for a valid certificate starts with V, that of a revoked one with R
Step three: revoke the certificate with openssl ca -revoke, which changes the entry's status to R. The client cannot do this itself, since only the CA's private key can sign the revocation list
Fourth step: create the CRL number file (only needed the first time a certificate is revoked):
]# echo 01 > /etc/pki/CA/crlnumber
Fifth step: generate (or update) the certificate revocation list. It must be regenerated after every revocation and republished wherever clients fetch it; a client that never sees the new CRL keeps trusting the certificate:
]# openssl ca -gencrl -out /etc/pki/CA/crl/ca.crl
To view the CRL file:
]# openssl crl -in /etc/pki/CA/crl/ca.crl -noout -text
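The whole procedure of this section, as an added example that is not part of the original page: it builds a throwaway CA in a temporary directory instead of /etc/pki/CA, writes its own minimal openssl.cnf, issues a certificate for the made-up host www.example.com, looks it up in index.txt, then revokes it, generates the CRL and shows that chain validation against the CRL now fails. Everything is removed at the end.

```shell
#!/bin/sh
# Added example, not from the original page: the article's CA workflow run end
# to end in a throwaway directory -- CA layout and serial file, self-signed CA
# certificate, key and CSR for the "httpd host", issuance with openssl ca,
# lookup in index.txt, revocation and CRL generation. The script writes its own
# minimal openssl.cnf; the names (Demo Root CA, www.example.com) are made up.
set -eu

# Steps 1-4 of (1): directories, empty database, start numbers, config, CA key
# (mode 600 via umask) and the self-signed CA certificate.
ca_init() {
    dir=$1
    mkdir -p "$dir/certs" "$dir/crl" "$dir/newcerts" "$dir/private"
    chmod 700 "$dir/private"
    : > "$dir/index.txt"           # certificate database, one line per cert
    echo 01 > "$dir/serial"        # next serial number (hex, even digit count)
    echo 01 > "$dir/crlnumber"     # next CRL number
    cat > "$dir/openssl.cnf" <<EOF
[ ca ]
default_ca       = demo_ca
[ demo_ca ]
dir              = $dir
new_certs_dir    = \$dir/newcerts
database         = \$dir/index.txt
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
certificate      = \$dir/cacert.pem
private_key      = \$dir/private/cakey.pem
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = demo_policy
x509_extensions  = server_cert
[ demo_policy ]
commonName       = supplied
organizationName = optional
[ req ]
distinguished_name = req_dn
x509_extensions  = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ server_cert ]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
subjectAltName   = DNS:www.example.com
authorityKeyIdentifier = keyid:always
EOF
    (umask 077; openssl genrsa -out "$dir/private/cakey.pem" 2048 2>/dev/null)
    openssl req -new -x509 -config "$dir/openssl.cnf" -days 3650 \
        -key "$dir/private/cakey.pem" -subj "/O=Example/CN=Demo Root CA" \
        -out "$dir/cacert.pem"
}

# (2) steps 1-2, on the host that needs the certificate: key and CSR
# (the CA's config is reused only for its [req] section).
host_make_csr() {
    (umask 077; openssl genrsa -out "$1/httpd.key" 2048 2>/dev/null)
    openssl req -new -config "$1/openssl.cnf" -key "$1/httpd.key" \
        -subj "/O=Example/CN=www.example.com" -out "$1/httpd.csr"
}

# (2) step 4, on the CA: sign the CSR. -batch skips the prompts, -notext
# keeps httpd.crt as plain PEM.
ca_sign() {
    openssl ca -config "$1/openssl.cnf" -batch -notext -days 365 \
        -in "$1/httpd.csr" -out "$1/httpd.crt" 2>/dev/null
}

# (3) step 1: serial (hex) and subject, read from the certificate itself.
cert_serial()  { openssl x509 -in "$1" -noout -serial | cut -d= -f2; }
cert_subject() { openssl x509 -in "$1" -noout -subject; }

# (3) step 2: status of serial $2 in $1/index.txt (V valid, R revoked).
ca_status() { awk -F'\t' -v s="$2" '$4 == s { print $1 }' "$1/index.txt"; }

# (3) steps 3 and 5: mark the certificate revoked, then regenerate the CRL.
ca_revoke() {
    openssl ca -config "$1/openssl.cnf" -revoke "$1/httpd.crt" 2>/dev/null
    openssl ca -config "$1/openssl.cnf" -gencrl -out "$1/crl/ca.crl" 2>/dev/null
}

# Chain check as a client would do it, against the CRL once one exists.
cert_check() {
    crl=""
    [ -f "$1/crl/ca.crl" ] && crl="-crl_check -CRLfile $1/crl/ca.crl"
    openssl verify -CAfile "$1/cacert.pem" $crl "$1/httpd.crt" >/dev/null 2>&1 && echo ok || echo fail
}

CADIR=$(mktemp -d)
ca_init "$CADIR"; host_make_csr "$CADIR"; ca_sign "$CADIR"
SER=$(cert_serial "$CADIR/httpd.crt")
echo "issued: $(cert_subject "$CADIR/httpd.crt") serial=$SER db=$(ca_status "$CADIR" "$SER") verify=$(cert_check "$CADIR")"
ca_revoke "$CADIR"
echo "revoked: db=$(ca_status "$CADIR" "$SER") verify=$(cert_check "$CADIR")"
openssl crl -in "$CADIR/crl/ca.crl" -noout -text | sed -n '/Revoked Certificates/,/Revocation Date/p'
rm -rf "$CADIR"
```

The policy section decides which subject fields a request must carry. In the stock CentOS configuration the default policy (policy_match) requires countryName, stateOrProvinceName and organizationName to match the CA's own, which is why requests from another organization are refused unless openssl ca is run with -policy policy_anything.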
Original http://www.178linux.com/48764