OpenSSL
Usage details
OpenSSL components:
libcrypto: the general-purpose cryptographic library
libssl: the TLS/SSL protocol library, built on libcrypto
openssl: the multi-purpose command-line tool that exposes both libraries
The many sub-commands of the openssl tool fall into three groups (see `openssl help`):
Standard commands: enc, ca, req, genrsa, rsa, x509, dgst, rand, passwd ...
Message digest commands: md5, sha256, ... (all handled by the dgst sub-command)
Cipher commands: des3, aes-256-cbc, ... (all handled by the enc sub-command)
Random number generators in Linux
/dev/random: returns random bytes from the kernel entropy pool only; when the kernel's entropy estimate is exhausted, reads block until more entropy has been collected.
/dev/urandom: returns random bytes from the same pool but never blocks: when the entropy estimate is exhausted it keeps stretching the pool with a cryptographic PRNG. The classic objection that this is "not safe enough" only matters before the pool has been seeded at early boot; once seeded, modern kernels (Linux 5.6 and later) serve both devices from the same CSPRNG.
Entropy sources for the pool: timing of hardware interrupts, for example the intervals between disk I/O interrupts.
Use openssl for symmetric encryption
Supported algorithms include 3DES (des3), AES, Blowfish, CAST5 and Camellia; run `openssl enc -ciphers` to list what your build provides (Twofish is not implemented by OpenSSL). Prefer AES: 3DES and Blowfish are 64-bit block ciphers, and Blowfish is only available through the legacy provider in OpenSSL 3.0.
1. The enc sub-command:
Encryption:
] # openssl enc -e -des3 -a -salt -in fstab -out fstab.cipher
Decryption:
] # openssl enc -d -des3 -a -salt -in fstab.cipher -out fstab.out
-e / -d: encrypt / decrypt
-des3: the cipher; use -aes-256-cbc on current systems
-a: base64-encode the output (and base64-decode the input when decrypting)
-salt: derive the key with a random salt, stored in the "Salted__" header of the output, so the same passphrase never yields the same key twice (this is the default; -nosalt turns it off)
The passphrase is prompted for interactively. Add -pbkdf2 (OpenSSL 1.1.1 and later) so the passphrase is stretched with PBKDF2 instead of the weak legacy key derivation, and repeat exactly the same cipher and derivation options when decrypting.
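The encrypt/decrypt round-trip described above, as an added shell example that is not part of the original page. It assumes OpenSSL 1.1.1 or later (for -pbkdf2), uses AES-256-CBC instead of des3, and reads the passphrase from an environment variable named ENC_PASS (a name chosen for the example) instead of the command line; the function names and the sample text are constructed for the example. It also shows what happens with the wrong passphrase, a case the page does not cover.

```shell
#!/bin/sh
# Added example (not from the original page): symmetric encryption round-trip
# with `openssl enc`. Assumes openssl 1.1.1 or newer (for -pbkdf2) and a
# POSIX shell. The passphrase travels in the environment variable ENC_PASS
# rather than on the command line, so it never shows up in `ps` output.

# encrypt_file SRC DST: AES-256-CBC with a random salt, PBKDF2 key
# stretching and base64 output.
encrypt_file() {
    openssl enc -e -aes-256-cbc -pbkdf2 -iter 100000 -salt -a \
        -pass env:ENC_PASS -in "$1" -out "$2"
}

# decrypt_file SRC DST: the cipher and key-derivation options must match.
decrypt_file() {
    openssl enc -d -aes-256-cbc -pbkdf2 -iter 100000 -a \
        -pass env:ENC_PASS -in "$1" -out "$2"
}

# roundtrip PLAINTEXT PASSPHRASE: encrypt, decrypt, compare.
# Prints "ok" when the decrypted file is byte-identical to the input.
roundtrip() {
    tmp=$(mktemp -d) || return 1
    printf '%s' "$1" > "$tmp/plain"
    ENC_PASS=$2; export ENC_PASS
    encrypt_file "$tmp/plain" "$tmp/plain.enc"
    decrypt_file "$tmp/plain.enc" "$tmp/plain.dec"
    if cmp -s "$tmp/plain" "$tmp/plain.dec"; then echo ok; else echo mismatch; fi
    rm -rf "$tmp"
}

# wrong_pass_rejected PLAINTEXT GOOD_PASS BAD_PASS: decrypting with the wrong
# passphrase must either fail outright (openssl reports "bad decrypt" when
# the PKCS#7 padding does not check out) or yield something other than the
# plaintext. Prints "rejected" in both cases.
wrong_pass_rejected() {
    tmp=$(mktemp -d) || return 1
    printf '%s' "$1" > "$tmp/plain"
    ENC_PASS=$2; export ENC_PASS
    encrypt_file "$tmp/plain" "$tmp/plain.enc"
    ENC_PASS=$3; export ENC_PASS
    if decrypt_file "$tmp/plain.enc" "$tmp/plain.dec" 2>/dev/null \
            && cmp -s "$tmp/plain" "$tmp/plain.dec"; then
        echo accepted
    else
        echo rejected
    fi
    rm -rf "$tmp"
}

# Stand-alone run on constructed input; prints "ok" then "rejected".
demo() {
    roundtrip 'constructed sample: /dev/sda1 / ext4 defaults 1 1' 'correct horse battery'
    wrong_pass_rejected 'constructed sample' 'correct horse battery' 'wrong passphrase'
}
demo
```

Note that CBC with a password gives confidentiality only: a ciphertext can be altered without the decryption failing, so anything that must also resist tampering needs a MAC or signature on top (the dgst section below covers signatures).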
Use openssl for one-way encryption (message digests)
2. The dgst sub-command
] # md5sum fstab
] # openssl dgst -md5 fstab
Both print the same MD5 hash of the file. MD5 is no longer collision-resistant; for anything security-relevant use -sha256 (or sha256sum), which the same command supports.
Use openssl to generate random data and password hashes
Generate random data:
] # openssl rand -base64 6   # 6 random bytes, base64-encoded
] # openssl rand -hex 30     # 30 random bytes, hex-encoded
Generate a salted password hash (MD5-crypt, the "$1$" scheme):
] # openssl passwd -1 -salt $(openssl rand -hex 6)
Without a password argument, passwd prompts for the password. -1 selects the legacy MD5-crypt format (which uses at most 8 salt characters); on OpenSSL 1.1.1 and later prefer -6 (SHA-512 crypt, the "$6$" scheme that current Linux distributions store in /etc/shadow).
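The rand and passwd commands above combined into a small hash-and-verify routine, as an added shell example that is not part of the original page. It uses the SHA-512 crypt scheme (-6) rather than -1, so it assumes OpenSSL 1.1.1 or later; the function names, the fixed test salt and the passwords are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original page): salted password hashes with
# `openssl passwd`, using the SHA-512 crypt scheme ($6$) that current
# Linux distributions store in /etc/shadow. Assumes openssl 1.1.1 or newer.

# new_salt: 16 characters from the CSPRNG, the maximum the $6$ scheme uses.
new_salt() {
    openssl rand -hex 8
}

# hash_password PASSWORD [SALT]: prints $6$<salt>$<hash>. The password is
# fed on stdin so it does not appear in the process list.
hash_password() {
    salt=${2:-$(new_salt)}
    printf '%s\n' "$1" | openssl passwd -6 -salt "$salt" -stdin
}

# salt_of HASH: the salt field of a $id$salt$hash string.
salt_of() {
    printf '%s' "$1" | cut -d'$' -f3
}

# verify_password PASSWORD HASH: re-hash with the salt stored in HASH and
# compare. Prints "match" or "mismatch". (A real login path goes through
# PAM / crypt(3); this only illustrates what those do with the salt.)
verify_password() {
    if [ "$(hash_password "$1" "$(salt_of "$2")")" = "$2" ]; then
        echo match
    else
        echo mismatch
    fi
}

# Stand-alone run with a constructed password and a fixed salt.
demo() {
    h=$(hash_password 'constructed-example-password' 'abcdefgh')
    echo "$h"
    verify_password 'constructed-example-password' "$h"
    verify_password 'not-the-password' "$h"
}
demo
```

Two hashes of the same password with fresh salts differ, which is the point of the salt: an attacker cannot precompute one table that covers every user.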
Use openssl for public-key cryptography
Encryption and decryption
Supported algorithms: RSA (openssl, gpg) and ElGamal (gpg only; OpenSSL does not implement it)
Tools: openssl rsautl (deprecated since OpenSSL 3.0 in favour of openssl pkeyutl), gpg
Digital signatures
Supported algorithms: RSA, ElGamal and DSA
Tools: openssl rsautl / openssl dgst -sign, gpg
Key exchange
Supported algorithms: RSA and DH
How to generate a key pair
Generate the private key:
] # (umask 077; openssl genrsa -out /root/mykey.private 2048)
Note: the umask runs in a subshell, so the generated private key is created with mode 0600 (no permissions for anyone but its owner) while the caller's umask stays unchanged.
Extract the public key from the private key:
] # openssl rsa -in /root/mykey.private -pubout -out /root/mykey.public
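The key-pair steps above, carried through to the digital-signature use case listed in the previous section, as an added shell example that is not part of the original page. The directory is a temporary one instead of /root, the message text is constructed, and signing is done with `openssl dgst -sign` (which hashes first) rather than rsautl; it assumes OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# Added example (not from the original page): generate an RSA key pair with
# a protected private key, extract the public key, then use the pair for a
# digital signature that anyone holding the public key can check. Paths and
# the message are assumptions made for the example; assumes openssl 1.1.1+.

# gen_keypair DIR: umask 077 inside a subshell so only the owner can read
# mykey.private; the public half is then extracted from it.
gen_keypair() {
    (umask 077; openssl genrsa -out "$1/mykey.private" 2048 2>/dev/null)
    openssl rsa -in "$1/mykey.private" -pubout -out "$1/mykey.public" 2>/dev/null
}

# key_is_private FILE: "ok" when group and others have no permission bits
# (the -rw------- pattern in ls -l), "exposed" otherwise.
key_is_private() {
    case $(ls -l "$1") in
        ????------*) echo ok ;;
        *) echo exposed ;;
    esac
}

# sign_file PRIVKEY FILE SIGFILE: hash FILE with SHA-256 and sign the digest
# (rsautl/pkeyutl would sign raw bytes without hashing).
sign_file() {
    openssl dgst -sha256 -sign "$1" -out "$3" "$2"
}

# verify_file PUBKEY FILE SIGFILE: "valid" or "invalid".
verify_file() {
    if openssl dgst -sha256 -verify "$1" -signature "$3" "$2" >/dev/null 2>&1; then
        echo valid
    else
        echo invalid
    fi
}

# demo: sign a constructed message, verify it, tamper with it, verify again.
# Prints "valid invalid ok".
demo() {
    d=$(mktemp -d) || return 1
    gen_keypair "$d"
    printf 'transfer 100 to alice\n' > "$d/msg"
    sign_file "$d/mykey.private" "$d/msg" "$d/msg.sig"
    untampered=$(verify_file "$d/mykey.public" "$d/msg" "$d/msg.sig")
    printf 'transfer 900 to alice\n' > "$d/msg"
    tampered=$(verify_file "$d/mykey.public" "$d/msg" "$d/msg.sig")
    perm=$(key_is_private "$d/mykey.private")
    rm -rf "$d"
    echo "$untampered $tampered $perm"
}
demo
```

The second verification fails because the signature covers the SHA-256 digest of the original bytes; changing one character changes the digest and the public key no longer validates it.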
CA
Public CA: commercial, publicly trusted
Private CA: trusted only inside your own organization
How to build a CA:
openssl: the command-line tool, driven by openssl.cnf
OpenCA: a full PKI system built on top of OpenSSL
Configuration file: /etc/pki/tls/openssl.cnf (Red Hat family; Debian-based systems use /etc/ssl/openssl.cnf)
How to build a private CA:
Generate a self-signed certificate on the server that is to act as the CA, and provide the directories and files that openssl ca expects (the [ CA_default ] section of openssl.cnf names them, by default under /etc/pki/CA).
Steps:
1. Generate the CA private key:
] # (umask 077; openssl genrsa -out /etc/pki/CA/private/cakey.pem 4096)
2. Generate the self-signed CA certificate:
] # openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem -days 3655
-new: generate a new certificate signing request
-x509: instead of a request, output a self-signed certificate (this is what creates the private CA root)
-key: path of the private key used to sign the request (or, with -x509, the certificate)
-out: path of the resulting request file; with -x509 the signed certificate is written here directly
-days: validity period of the certificate, in days (only meaningful together with -x509)
The command prompts for the subject (country, organization, common name ...); those values become the issuer name on every certificate this CA signs.
3. Provide the directories and files the CA needs:
] # mkdir -pv /etc/pki/CA/{certs,crl,newcerts}
] # touch /etc/pki/CA/{serial,index.txt}
] # echo 01 > /etc/pki/CA/serial
index.txt is the CA database (one line per issued certificate, maintained by openssl ca), serial holds the next serial number in hex, and newcerts receives a copy of every certificate issued.
To use a certificate for secure communication, the host needs the CA to sign its certificate request.
Steps:
1. Generate a private key on the host that will use the certificate:
] # mkdir /etc/httpd/ssl
] # cd /etc/httpd/ssl
] # (umask 077; openssl genrsa -out /etc/httpd/ssl/httpd.key 2048)
2. Generate a certificate signing request:
] # openssl req -new -key httpd.key -out httpd.csr -days 365
(-days has no effect on a plain request; the validity period is decided by the CA when it signs.) When prompted, the common name must be the host name clients will connect to.
3. Send the request to the CA server:
] # scp httpd.csr root@10.1.154.97:/etc/pki/CA/certs
4. Sign the request on the CA (in /etc/pki/CA/certs, where the request was copied):
] # openssl ca -in httpd.csr -out httpd.crt -days 365
openssl ca prompts for confirmation, appends the new entry to index.txt and increments serial. A server certificate for current browsers also needs a subjectAltName extension; openssl ca adds the extensions from the section named by x509_extensions in openssl.cnf or by -extensions.
5. After signing, copy the certificate back to the requesting host:
] # scp httpd.crt root@10.1.154.94:/etc/httpd/ssl
6. View the information in the certificate:
] # openssl x509 -in httpd.crt -noout -serial -subject
-serial: print the certificate serial number
-subject: print the certificate subject
7. Revoking a certificate (must be executed on the CA)
(1) The client obtains the serial number and subject of the certificate to be revoked:
] # openssl x509 -in httpd.crt -noout -serial -subject
(2) The CA revokes the certificate:
First compare the serial and subject supplied by the requester with the record in the CA database index.txt; only if they match is the revocation carried out.
] # openssl ca -revoke ./certs/httpd.crt
This marks the entry in index.txt as revoked (status R); relying parties learn nothing until a CRL is published.
(3) Initialize the CRL number (first time only):
] # echo 01 > /etc/pki/CA/crlnumber
(4) Generate (or update) the certificate revocation list:
] # openssl ca -gencrl -out /etc/pki/CA/crl/crl.pem
-out must name a CRL file (here under the crl directory created in step 3), never the certificate file. Publish the CRL where clients expect it (the crlDistributionPoints URL in the certificates, if one was configured) and regenerate it on every revocation and before default_crl_days expires, since an expired CRL causes verification to fail.
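The three CA procedures above (build a private CA, sign a server request, revoke and publish a CRL) as one added shell example that is not part of the original page. It works in a throw-away directory with its own minimal openssl.cnf instead of /etc/pki/CA and the system configuration, so it can be run without root; the CA name "Example Private CA", the host name www.example.com, the config section names and all file names are assumptions made for the example, and it assumes OpenSSL 1.1.1 or later. It also adds the subjectAltName and basicConstraints extensions the page's procedure leaves to the default openssl.cnf.

```shell
#!/bin/sh
# Added example (not from the original page): build a private CA, sign a
# server CSR, revoke it and publish a CRL, all in a temporary directory with
# its own openssl.cnf. The CA name, www.example.com and the file names are
# assumptions for the example. Needs openssl 1.1.1 or newer.

# write_ca_config DIR: the minimal configuration `openssl ca` needs.
write_ca_config() {
    cat > "$1/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $1
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
certificate = \$dir/cacert.pem
private_key = \$dir/private/cakey.pem
serial = \$dir/serial
crlnumber = \$dir/crlnumber
default_md = sha256
default_days = 365
default_crl_days = 30
policy = policy_cn
[ policy_cn ]
commonName = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_server ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.com
EOF
}

# build_ca DIR: directories, database, serial/CRL counters, CA key,
# self-signed root and an initial (empty) CRL.
build_ca() {
    mkdir -p "$1/crl" "$1/newcerts" "$1/private"
    : > "$1/index.txt"
    echo 01 > "$1/serial"
    echo 01 > "$1/crlnumber"
    write_ca_config "$1"
    (umask 077; openssl genrsa -out "$1/private/cakey.pem" 2048 2>/dev/null)
    openssl req -new -x509 -config "$1/openssl.cnf" -extensions v3_ca \
        -key "$1/private/cakey.pem" -subj "/CN=Example Private CA" \
        -days 3650 -out "$1/cacert.pem"
    openssl ca -config "$1/openssl.cnf" -gencrl -out "$1/crl/crl.pem" 2>/dev/null
}

# issue_server_cert CADIR HOSTDIR: the requester's key and CSR, then the CA
# signing it with server extensions (the SAN is what browsers check).
issue_server_cert() {
    (umask 077; openssl genrsa -out "$2/httpd.key" 2048 2>/dev/null)
    openssl req -new -config "$1/openssl.cnf" -key "$2/httpd.key" \
        -subj "/CN=www.example.com" -out "$2/httpd.csr"
    openssl ca -config "$1/openssl.cnf" -batch -notext -extensions v3_server \
        -in "$2/httpd.csr" -out "$2/httpd.crt" 2>/dev/null
}

# revoke_cert CADIR CERT: mark the serial revoked in index.txt and republish
# the CRL; relying parties see nothing until the new CRL reaches them.
revoke_cert() {
    openssl ca -config "$1/openssl.cnf" -revoke "$2" 2>/dev/null
    openssl ca -config "$1/openssl.cnf" -gencrl -out "$1/crl/crl.pem" 2>/dev/null
}

# cert_status CADIR CERT: chain check against the CA root plus CRL check.
# Prints "accepted" or "rejected".
cert_status() {
    if openssl verify -crl_check -CAfile "$1/cacert.pem" \
            -CRLfile "$1/crl/crl.pem" "$2" >/dev/null 2>&1; then
        echo accepted
    else
        echo rejected
    fi
}

# demo: prints "accepted rejected" (before and after revocation).
demo() {
    d=$(mktemp -d) || return 1
    build_ca "$d/CA"
    mkdir -p "$d/ssl"
    issue_server_cert "$d/CA" "$d/ssl"
    before=$(cert_status "$d/CA" "$d/ssl/httpd.crt")
    revoke_cert "$d/CA" "$d/ssl/httpd.crt"
    after=$(cert_status "$d/CA" "$d/ssl/httpd.crt")
    rm -rf "$d"
    echo "$before $after"
}
demo
```

Without -crl_check the second verification would still succeed: revocation only takes effect for clients that fetch and check the CRL, which is why publishing it (and keeping it fresh) matters as much as the -revoke step itself.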