A detailed description of OpenSSL tools and a self-built CA method

Objective:

OpenSSL is a powerful, multi-purpose, open source Cryptographic decryption command-line tool, such as creating a private key, creating a certificate signing request, testing various cryptographic algorithm time-consuming, and so on.

Before we go into the OpenSSL tool, it is necessary to understand the encryption and decryption methods under Linux, as well as the common cryptographic algorithms and protocols.

Then finally we explain in detail how to use OpenSSL to build a CA

Directory:

1. Linux encryption and decryption process:

2. Common cryptographic algorithms and protocols

There are three types of cryptographic algorithms commonly used:

1. Symmetric encryption algorithm:

The same key can be used as information encryption and decryption, the plaintext is divided into fixed-size blocks, decrypted one by one, this encryption method is called symmetric encryption;

The flaw in symmetric cryptography is that there are too many keys to maintain.

Commonly used symmetric encryption algorithm: DES (56), 3DES, AES (128,192,256,384,512), Blowfish, Twofish, Idea, RC6, CAST5, etc.;

2. Public Key Cryptography

Also called asymmetric encryption, is a cryptographic method consisting of a corresponding pair of unique keys (that is, public key and private key).

Common public key encryption algorithms: RSA, DSA, eigamal, etc.;

3. One-way encryption:

is non-decrypted encryption method, non-reversible, and the result of encryption is fixed-length

Common public Key cryptography algorithms: MD5, SHA1, SHA256, SHA384, SHA512, etc.;

In fact, one-way encryption, usually just to extract the file signature, verify the data or certificate data integrity, also known as the data fingerprint

4. Authentication Agreement:

IKE protocol (Internet Key Exchange): Commonly used to ensure the security of a virtual private network VPN when communicating with a remote network or host;

SSL (Secure Sockets Layer): A security protocol for network communication that provides security and data integrity.

TLS (Transport Layer Security): is modeled after SSL and is used to provide confidentiality and data integrity between two communication applications.

3. The OpenSSL command line tool is simple to apply

OpenSSL is a strong Secure Sockets Layer cipher library that includes key cryptographic algorithms, common key and certificate encapsulation management functions, and SSL protocols, and provides a rich set of applications for testing or other purposes.

To view the native OpenSSL version:

#openssl version

3.1 Symmetric encryption of files:

Tool: OpenSSL ENC

Algorithm: DES, 3DES, AES, Blowfish, Twofish, RC6, Idea, CAST5

# OpenSSL Enc-des3-a-salt-in/path/from/somefile-out/path/to/somecipherfile

# OpenSSL enc-d-des3-a-salt-in/path/from/somecipherfile-out/path/to/somefile

3.2 Use OpenSSL to do one-way encryption:

Tool: OpenSSL dgst

# OpenSSL DGST [-MD5|-SHA1] [-out/path/to/filename]/path/from/somefile

MAC: Message digest Code, application of one-way encryption extension class

Application: Used to ensure the integrity of the transmitted data in network communication

Mechanism:

Cbc-mac

HMAC: Using the MD5 or SHA1 algorithm

3.3 Generate user password:

Tool: OpenSSL passwd

Get help:

#whatis passwd

passwd (1)-Update user ' s authentication tokens

passwd (5)-Password file

passwd [sslpasswd] (1SSL)-Compute password hashes

Select the last one, and then:

#man passwd sslpasswd

#openssl passwd-1-salt jingming

Password: After entering the password, enter

$1$jingming$jmhxxflxswhguht5qbkgk/#这里显示的第一段 $$ content is salt, followed by a password

3.4 Generating Random numbers:

Generate random numbers, mostly used to generate passwords as dynamic salt

#openssl Rand

#openssl rand-hex|-base64 num

#openssl Rand-base64 4

For example: Generate a user password for a random salt:

#oepnssl passwd-1-salt ' OpenSSL rand-hex 4 '

3.5 Public Key Cryptography (asymmetric encryption)

Public key cryptography is not much, because public key encryption is slow ...

Algorithm: RSA, Eigamal

Tools: GPG, OpenSSL Rsatul

3.6 Digital Signatures

Algorithm: RSA, Eigamal, DSA (can only be used for signing, cannot be used for encryption)

Both of these statements are used for digital signatures.

Dsa:digital Signature algorithm

Dss:digital Signature Standard

3.7 Generate key (Private key):

#openssl Genrsa-out/path/to/keyfile numberofbits (number of digits: 1024/2048/4096 ...)

#生成的是私钥, but the public key is contained within the private key. The generated private key is important, so after the build, be sure to change the permissions to 600 or 400

However, we can modify the permissions in the following way:

# (Umask 077; OpenSSL genrsa-out/path/to/keyfile numberofbits)

Use () to run the umask command in a child shell, and to create a private key so that umask will only be valid for these two commands, and returning the parent Shell,umask 077 setting will not work.

Present public key:

#openssl Rsa-in/path/from/private_key_file-pubout

4. Using the OpenSSL self-built CA

4.1 Establishing the CA server:

1. Generate key

# (Umask 077; OpenSSL Genrsa-out/etc/pki/ca/private/cakey.pem 2048)

2. Self-signed certificate

# OpenSSL Req-new-x509-key/etc/pki/ca/private/cakey.pem-out/etc/pki/ca/cacert.pem-days 3655

Req: Generate certificate Signing request

-news: New Request

-key/path/to/keyfile: Specifying a private key file

-out/path/to/somefile:

-x509: Generate self-signed certificate

-days N: Active days

3. Initializing the Working environment

# touch/etc/pki/ca/{index.txt,serial}

# echo >/etc/pki/ca/serial

4.2 Node Request Certificate:

(i) Node generation requests

1, generate key pair child

# (Umask 077; OpenSSL genrsa-out/etc/httpd/ssl/httpd.key 2048)

2. Generate Certificate Signing request

# OpenSSL REQ-NEW-KEY/ETC/HTTPD/SSL/HTTPD.KEY-OUT/ETC/HTTPD/SSL/HTTPD.CSR

3. Send the signature request file to the CA service

# SCP

(ii) CA sign Certificate

1. Verify the information in the certificate;

2. Signing certificate

# OpenSSL Ca-in/path/to/somefile.csr-out/path/to/somefile.crt-days N

3, sent to the requestor;

4.3 Revoking a certificate

(a) node

1, obtain the certificate serial

# OpenSSL X509-in/path/to/certificate_file.crt-noout-serial-subject

(ii) CA

2, according to the serial and subject information submitted by the node to verify that the information in the Index.txt file is consistent;

3. Revocation of certificates

# OpenSSL Ca-revoke/etc/pki/ca/newcerts/serial.pem

4. Generate the number of the revocation certificate (if it is the first revocation)

# echo >/etc/pki/ca/crlnumber

5. Update the certificate revocation List

# cd/etc/pki/ca/crl/

# OpenSSL Ca-gencrl-out thisca.crl

If necessary, view the contents of the CRL file:

# OpenSSL Crl-in/path/to/crlfile.crl-noout-text

This article is from the "Richier" blog, make sure to keep this source http://richier.blog.51cto.com/1447532/1669883

A detailed description of OpenSSL tools and a self-built CA method