Brief introduction to OpenSSL usage

Source: Internet
Author: User
Tags: gpg, mkdir, openssl, openssl enc, openssl rsa, openssl x509, rand, time interval
OpenSSL Usage details

OpenSSL:

Components: libcrypto (the cryptographic library), libssl (the TLS library) and openssl (the multi-purpose command-line tool built on top of both).

The openssl command-line tool has many sub-commands, which "openssl help" groups into three types:

Standard commands: enc, ca, req, genrsa, rsa, x509, dgst, rand, passwd, ...

Message digest commands: the digest algorithm names (md5, sha1, sha256, ...) that can be given to the dgst sub-command

Cipher commands: the cipher names (des3, aes-256-cbc, ...) that can be given to the enc sub-command

Random number generation in Linux

/dev/random: returns random bytes drawn only from the kernel entropy pool; when the pool's entropy estimate is exhausted, reads block until more entropy has been collected.

/dev/urandom: returns random bytes from the same pool; when the entropy estimate is exhausted it keeps producing output from the kernel's CSPRNG instead of blocking. It was traditionally described as "not safe enough" for that reason, but once the pool has been seeded at boot its output is cryptographically strong; since Linux 5.6 both devices are driven by the same CSPRNG and /dev/random only blocks until that initial seeding. The genuine hazard is reading either device very early in boot, or in a freshly cloned virtual machine, before the pool has been seeded; getrandom(2) blocks in exactly that case and is what OpenSSL itself uses on Linux.

Sources of entropy for the pool: timing of hardware interrupts (disk I/O, keyboard, mouse, network), plus hardware generators such as RDRAND or a TPM where available.

Use openssl for symmetric encryption

Supported algorithms include 3DES (des3), AES (aes-128-cbc, aes-256-cbc, ...) and Blowfish (bf); Twofish is not implemented in OpenSSL. "openssl enc -ciphers" lists the full set available on a given build.

1. enc sub-command:

Encryption:
]# openssl enc -e -des3 -a -salt -in fstab -out fstab.cipher

Decryption:
]# openssl enc -d -des3 -a -salt -out fstab.out -in fstab.cipher

-e / -d: encrypt / decrypt; -a: base64-encode the ciphertext so it is text-safe; -salt: prepend a random 8-byte salt so the same passphrase yields a different key each time (on by default). Without -pbkdf2 the key is derived with a single digest pass over passphrase and salt (EVP_BytesToKey), which is cheap to brute-force, and 3DES is a legacy 64-bit-block cipher; on OpenSSL 1.1.1 or later prefer an AES cipher with -pbkdf2 and a high -iter count. enc provides confidentiality only, not integrity: a modified ciphertext is not detected, so pair it with an HMAC or use an AEAD mode where tampering matters.

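The enc round trip above, as an added example that is not code from the original page: it encrypts a constructed stand-in for fstab with AES-256-CBC and PBKDF2 instead of the legacy des3 invocation, decrypts it, and shows how a wrong passphrase is rejected. It assumes openssl 1.1.1 or later on PATH; the file names, passphrase and sample content are made up for the demo.

```shell
#!/bin/sh
# Added example (not from the page): symmetric file encryption with enc.
# Assumes openssl 1.1.1+ (needed for -pbkdf2). Names below are illustrative.

enc_setup() {
    WORK=$(mktemp -d)
    # Constructed sample plaintext standing in for /etc/fstab.
    printf 'UUID=1234 / ext4 defaults 0 1\n' > "$WORK/fstab"
    # Passphrase in an owner-only file: -pass pass:... would show up in ps
    # output and shell history.
    (umask 077; printf 'correct horse battery staple' > "$WORK/pass")
}

# encrypt_file <in> <out> <passfile>
# -salt: random 8-byte salt in the "Salted__" header; -pbkdf2 -iter: slow
# key derivation instead of the one-pass EVP_BytesToKey default; -a: base64.
encrypt_file() {
    openssl enc -e -aes-256-cbc -pbkdf2 -iter 200000 -salt -a \
        -in "$1" -out "$2" -pass "file:$3"
}

# decrypt_file <in> <out> <passfile>; non-zero exit on "bad decrypt".
decrypt_file() {
    openssl enc -d -aes-256-cbc -pbkdf2 -iter 200000 -a \
        -in "$1" -out "$2" -pass "file:$3" 2>/dev/null
}

# 0 if the ciphertext starts with the base64 of the "Salted__" magic,
# i.e. a salt was really used.
has_salt_header() {
    head -c 10 "$1" | grep -q '^U2FsdGVkX1'
}

# 0 if decrypting what we encrypted reproduces the plaintext byte for byte.
roundtrip_ok() {
    encrypt_file "$WORK/fstab" "$WORK/fstab.cipher" "$WORK/pass"
    decrypt_file "$WORK/fstab.cipher" "$WORK/fstab.out" "$WORK/pass"
    cmp -s "$WORK/fstab" "$WORK/fstab.out"
}

# With a wrong passphrase the CBC padding check almost always fails and enc
# exits non-zero. About 1 time in 256 the garbage happens to end in valid
# padding; then the output still differs from the plaintext. Either way this
# is a padding check, not authentication: CBC gives no integrity.
wrong_password_rejected() {
    printf 'wrong' > "$WORK/badpass"
    if decrypt_file "$WORK/fstab.cipher" "$WORK/fstab.bad" "$WORK/badpass"; then
        ! cmp -s "$WORK/fstab" "$WORK/fstab.bad"
    fi
}

enc_cleanup() { rm -rf "$WORK"; }
```

Run it as "enc_setup; roundtrip_ok && echo ok; wrong_password_rejected && echo rejected; enc_cleanup". The iteration count is the knob that makes offline guessing expensive; 200000 costs a fraction of a second per decrypt here and the same per guess for an attacker.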
Use openssl for one-way hashing (message digests)

2. dgst sub-command
]# md5sum fstab
]# openssl dgst -md5 fstab

Both print the MD5 of the file (openssl prefixes it with the algorithm and file name). MD5 and SHA-1 are broken for collision resistance and should not be used where an attacker can influence the input; use -sha256 or stronger. A plain digest only detects accidental corruption: anyone who can modify the file can recompute it. To detect deliberate tampering the digest itself has to be protected, with a keyed HMAC (dgst -hmac key) or a signature.

Use openssl to generate random values and password hashes

Generate random data:
]# openssl rand -base64 6    # 6 random bytes, base64-encoded
]# openssl rand -hex 30      # 30 random bytes as 60 hexadecimal characters
]# openssl passwd -1 -salt $(openssl rand -hex 6)

The number after rand is a count of bytes, not of output characters. passwd -1 produces an MD5-crypt ($1$) hash of the password read from the terminal; on OpenSSL 1.1.1 or later use -6 (SHA-512-crypt, $6$) instead, which is what current Linux distributions store in /etc/shadow, and pass the password with -stdin rather than on the command line.

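An added example, not code from the original page, covering the dgst section and the rand/passwd section above: file digests whose output format survives the OpenSSL 1.x to 3.x label change, a keyed HMAC, and SHA-512-crypt password hashing with a random salt plus the verification step. It assumes openssl 1.1.1 or later on PATH; the sample files and passwords are constructed for the demo, and the digest values quoted in comments are the published test vectors.

```shell
#!/bin/sh
# Added example (not from the page): digests, HMAC and password hashing.
# Assumes openssl 1.1.1+ (passwd -6 needs it).

# file_digest <algorithm> <file>: only the hex digest. OpenSSL 1.x prints
# "SHA256(f)= <hex>" and 3.x "SHA2-256(f)= <hex>", so take the last field
# instead of parsing the label.
file_digest() {
    openssl dgst "-$1" "$2" | awk '{print $NF}'
}

# file_hmac_sha256 <key> <file>: a MAC that nobody without the key can
# recompute, unlike a bare digest that an attacker can refresh after editing.
file_hmac_sha256() {
    openssl dgst -sha256 -hmac "$1" "$2" | awk '{print $NF}'
}

# hash_password <password>: SHA-512-crypt ($6$) with 16 random hex
# characters of salt from openssl rand. The password goes in via -stdin so
# it does not appear in the process list.
hash_password() {
    salt=$(openssl rand -hex 8)
    printf '%s\n' "$1" | openssl passwd -6 -salt "$salt" -stdin
}

# check_password <stored_hash> <candidate>: re-hash the candidate with the
# salt embedded in the stored "$6$<salt>$<hash>" string and compare. Exit 0
# on match.
check_password() {
    salt=$(printf '%s' "$1" | cut -d'$' -f3)
    [ "$(printf '%s\n' "$2" | openssl passwd -6 -salt "$salt" -stdin)" = "$1" ]
}

# Constructed inputs. Known answers:
#   sha256("abc")   = ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad
#   md5("abc")      = 900150983cd24fb0d6963f7d28e17f72
#   hmac-sha256("key", "The quick brown fox jumps over the lazy dog")
#                   = f7bc83f430538424b13298e6aa6fb143ef4d59a14946175997479dbc2d1a3cd8
demo() {
    T=$(mktemp -d)
    printf 'abc' > "$T/abc"
    printf 'The quick brown fox jumps over the lazy dog' > "$T/fox"
    echo "sha256: $(file_digest sha256 "$T/abc")"
    echo "md5:    $(file_digest md5 "$T/abc")"
    echo "hmac:   $(file_hmac_sha256 key "$T/fox")"
    h=$(hash_password 'Hello world!')
    echo "hash:   $h"
    check_password "$h" 'Hello world!' && echo "correct password accepted"
    check_password "$h" 'hello world!' || echo "wrong password rejected"
    rm -rf "$T"
}
```

The salt is what makes two users with the same password hash differently and defeats precomputed tables; the slow crypt function is what limits guessing speed. Verification is nothing more than repeating the hash with the stored salt, which is why the salt is stored in the clear.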
Use openssl for public-key cryptography

Encryption and decryption

Supported algorithms: RSA and ElGamal

Tool: openssl rsautl (deprecated since OpenSSL 3.0 in favour of openssl pkeyutl), gpg. Public-key encryption is only practical for short data such as a symmetric key; bulk data is encrypted symmetrically with that key.

Digital signature

Supported algorithms: RSA, ElGamal and DSA (current practice adds ECDSA and Ed25519)

Tool: openssl rsautl / pkeyutl, openssl dgst -sign / -verify, gpg

Key exchange

Supported algorithms: RSA (key transport) and DH (Diffie-Hellman; TLS today uses its elliptic-curve form, ECDH, for forward secrecy)

How to generate a key pair

How to generate a private key:
]# (umask 077; openssl genrsa -out /root/mykey.private 2048)

Note: the parentheses run umask in a sub-shell, so the key file is created with mode 0600 without changing the current shell's umask. Nobody except the owner of the private key should have any permission on it. An unencrypted key on disk is only as safe as that file; add -aes256 to genrsa to protect it with a passphrase where the key is not needed by an unattended service.

How to extract the public key from the private key (the reverse is not possible):
]# openssl rsa -in /root/mykey.private -pubout -out /root/mykey.public

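An added example, not code from the original page, that runs the key-pair section above together with the encryption and signature sections before it: generate an owner-only private key, derive the public key, encrypt and decrypt a short secret with pkeyutl (the replacement for rsautl), and sign a file, then show that the signature fails once the file is altered. It assumes openssl 1.1.1 or later on PATH; file names and messages are illustrative.

```shell
#!/bin/sh
# Added example (not from the page): RSA key pair, pkeyutl encryption and
# dgst signing. Assumes openssl 1.1.1+. Names are illustrative.

keypair_setup() {
    WORK=$(mktemp -d)
    # umask in a sub-shell: the key is created 0600 and the caller's umask
    # is untouched.
    (umask 077; openssl genrsa -out "$WORK/mykey.private" 2048 2>/dev/null)
    # The public key is derived from the private key, never the reverse.
    openssl rsa -in "$WORK/mykey.private" -pubout -out "$WORK/mykey.public" 2>/dev/null
}

# Exit 0 only if the private key is exactly mode 0600 (what umask 077 yields).
private_key_mode_ok() {
    [ -n "$(find "$WORK/mykey.private" -perm 600 -print)" ]
}

# rsa_roundtrip <secret>: encrypt to the public key, decrypt with the private
# key, print the recovered bytes. RSA-OAEP is requested explicitly; the
# default (and all rsautl offered) is PKCS#1 v1.5 padding.
rsa_roundtrip() {
    printf '%s' "$1" > "$WORK/secret.txt"
    openssl pkeyutl -encrypt -pubin -inkey "$WORK/mykey.public" \
        -pkeyopt rsa_padding_mode:oaep -in "$WORK/secret.txt" -out "$WORK/secret.enc"
    openssl pkeyutl -decrypt -inkey "$WORK/mykey.private" \
        -pkeyopt rsa_padding_mode:oaep -in "$WORK/secret.enc"
}

# sign_file <file>: detached signature over the SHA-256 of the file.
sign_file() {
    openssl dgst -sha256 -sign "$WORK/mykey.private" -out "$WORK/msg.sig" "$1"
}

# verify_file <file>: exit 0 on "Verified OK", 1 on "Verification Failure".
verify_file() {
    openssl dgst -sha256 -verify "$WORK/mykey.public" \
        -signature "$WORK/msg.sig" "$1" >/dev/null 2>&1
}

keypair_cleanup() { rm -rf "$WORK"; }

demo() {
    keypair_setup
    private_key_mode_ok && echo "private key is 0600"
    echo "decrypted: $(rsa_roundtrip 'session key 0xdeadbeef')"
    printf 'transfer 100 to alice\n' > "$WORK/msg.txt"
    sign_file "$WORK/msg.txt"
    verify_file "$WORK/msg.txt" && echo "original: signature OK"
    printf 'transfer 900 to alice\n' > "$WORK/msg.txt"    # tamper
    verify_file "$WORK/msg.txt" || echo "tampered: signature rejected"
    keypair_cleanup
}
```

Signing hashes the file first and signs the hash, so any one-byte change produces a different hash and a failed verification; the signature file is what has to travel with the document, while the private key stays where it was generated.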
CA

Public CA: a commercial or community authority whose root certificates are already trusted by browsers and operating systems.

Private CA: an authority you run yourself; its root certificate has to be distributed to every client that should trust it.

How to build a CA:

openssl: the req and ca sub-commands

OpenCA: a PKI system built on top of openssl.

Configuration file: /etc/pki/tls/openssl.cnf (Red Hat family; Debian and Ubuntu use /etc/ssl/openssl.cnf). Its [ CA_default ] section fixes the directory layout (dir, certs, crl_dir, new_certs_dir, database, serial, crlnumber) that the steps below create, so the paths used here must match what the file says.

How to build a private CA:

On the server that will act as the CA, generate a self-signed certificate and create the directories and files the ca sub-command expects.

Steps:

1. Generate a private key:
]# (umask 077; openssl genrsa -out /etc/pki/CA/private/cakey.pem 4096)

2. Generate a self-signed certificate:
]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem -days 3655

-new: generate a new certificate signing request

-x509: instead of a request, output a self-signed certificate (used when creating a private CA)

-key: path of the private key used to sign the request

-out: path of the generated request; with -x509 the self-signed certificate is written there directly

-days: validity period of the certificate, in days (meaningful only with -x509; a plain request carries no validity period)

3. Provide the directories and files the CA needs
]# mkdir -pv /etc/pki/CA/{certs,crl,newcerts}
]# touch /etc/pki/CA/{serial,index.txt}
]# echo 01 > /etc/pki/CA/serial

certs, crl and newcerts hold issued certificates, CRLs and a copy of every certificate signed (named after its serial); index.txt is the CA database, one line per certificate, which is what revocation later updates; serial holds the next serial number to issue, as a hex string with an even number of digits.

To use a certificate for secure communication, the certificate has to be signed by the CA.

Steps:

1. Generate a private key on the host that will use the certificate
~]# mkdir /etc/httpd/ssl
~]# cd /etc/httpd/ssl
~]# (umask 077; openssl genrsa -out /etc/httpd/ssl/httpd.key 2048)

2. Generate a certificate signing request
]# openssl req -new -key httpd.key -out httpd.csr

(-days 365 is often added here; for a request it is ignored, the validity is fixed by the CA when it signs.) The Common Name, or better a subjectAltName, must be the host name clients will connect to.

3. Send the request to the CA server
]# scp httpd.csr root@10.1.154.97:/etc/pki/CA/certs

Only the .csr leaves the host; the private key httpd.key never does.

4. Sign the certificate request on the CA
]# openssl ca -in httpd.csr -out httpd.crt -days 365

ca shows the subject and asks for confirmation before signing, then records the certificate in index.txt under its serial number and keeps a copy in newcerts/.

5. After signing, copy the certificate back to the requesting host.
]# scp httpd.crt root@10.1.154.94:/etc/httpd/ssl

6. View information in the certificate
]# openssl x509 -in httpd.crt -noout -serial -subject

-serial: show the certificate serial number

-subject: show the certificate subject

(-dates shows the validity period; -text prints the whole certificate.)

7. How to revoke a certificate (executed on the CA)

(1) The client obtains the serial and subject of the certificate to be revoked
]# openssl x509 -in httpd.crt -noout -serial -subject

(2) The CA revokes the certificate

Compare the serial and subject supplied by the client with the entry in the local database index.txt; if they match, revoke the certificate (the CA's own copy, here the one kept under certs/):
]# openssl ca -revoke ./certs/httpd.crt

This only marks the entry as revoked (R instead of V) in index.txt; clients learn nothing until a CRL is generated and distributed.

(3) Initialize the CRL number (first time only)
]# echo 01 > /etc/pki/CA/crlnumber

(4) Generate the certificate revocation list, and regenerate it after every later revocation
]# openssl ca -gencrl -out /etc/pki/CA/crl/ca.crl

Note: the CRL is a separate object from any certificate and belongs under crl/ (crl_dir in openssl.cnf); writing it to ./certs/httpd.crt would overwrite the certificate just revoked. Publish the CRL where clients can fetch it, and regenerate it before it expires (default_crl_days in openssl.cnf): a client that checks revocation treats an expired CRL as an error, not as "nothing revoked".

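The whole private-CA procedure above (building the CA, issuing a certificate, inspecting it, revoking it and publishing a CRL), as an added example that is not code from the original page, with the verification steps the text leaves implicit. It assumes openssl 1.1.1 or later on PATH; the CA lives in a temp directory instead of /etc/pki/CA, a minimal stand-alone config replaces /etc/pki/tls/openssl.cnf so the example runs anywhere, and the subject names and key sizes (2048 rather than 4096, for speed) are illustrative.

```shell
#!/bin/sh
# Added example (not from the page): private CA end to end. Assumes
# openssl 1.1.1+. Paths, names and key sizes are illustrative.

ca_setup() {
    CA=$(mktemp -d)
    mkdir -p "$CA/private" "$CA/certs" "$CA/crl" "$CA/newcerts"
    chmod 700 "$CA/private"
    touch "$CA/index.txt"        # CA database, one line per issued cert
    echo 01 > "$CA/serial"       # next serial: even number of hex digits
    echo 01 > "$CA/crlnumber"    # next CRL number
    # Minimal config; $dir is an OpenSSL config variable, hence the escape.
    cat > "$CA/openssl.cnf" <<EOF
[ ca ]
default_ca       = CA_default
[ CA_default ]
dir              = $CA
database         = \$dir/index.txt
new_certs_dir    = \$dir/newcerts
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
certificate      = \$dir/cacert.pem
private_key      = \$dir/private/cakey.pem
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = policy_any
x509_extensions  = server_ext
[ policy_any ]
commonName       = supplied
[ server_ext ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
[ req_dn ]
commonName       = Common Name
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
EOF
    # Steps 1-2: owner-only CA key, then the self-signed root certificate.
    (umask 077; openssl genrsa -out "$CA/private/cakey.pem" 2048 2>/dev/null)
    openssl req -new -x509 -config "$CA/openssl.cnf" \
        -key "$CA/private/cakey.pem" -subj "/CN=Example Private CA" \
        -days 3650 -out "$CA/cacert.pem"
}
# Requesting host: its own key and a CSR; only the CSR goes to the CA.
server_request() {
    (umask 077; openssl genrsa -out "$CA/httpd.key" 2048 2>/dev/null)
    openssl req -new -config "$CA/openssl.cnf" -key "$CA/httpd.key" \
        -subj "/CN=www.example.com" -out "$CA/certs/httpd.csr"
}
# Step 4: sign. -batch answers the interactive confirmations with yes.
ca_sign() {
    openssl ca -batch -config "$CA/openssl.cnf" -in "$CA/certs/httpd.csr" \
        -out "$CA/certs/httpd.crt" -days 365
}
# Step 6: serial and subject of the issued certificate.
cert_info() {
    openssl x509 -in "$CA/certs/httpd.crt" -noout -serial -subject
}
# Exit 0 when the certificate chains to this CA (revocation not consulted).
cert_verify() {
    openssl verify -CAfile "$CA/cacert.pem" "$CA/certs/httpd.crt" >/dev/null 2>&1
}
# Step 7: mark the entry R in index.txt, then publish a CRL.
ca_revoke_and_gencrl() {
    openssl ca -config "$CA/openssl.cnf" -revoke "$CA/certs/httpd.crt"
    openssl ca -config "$CA/openssl.cnf" -gencrl -out "$CA/crl/ca.crl"
}
# Same chain check with revocation enforced: non-zero, "certificate revoked".
cert_verify_with_crl() {
    openssl verify -crl_check -CAfile "$CA/cacert.pem" \
        -CRLfile "$CA/crl/ca.crl" "$CA/certs/httpd.crt" >/dev/null 2>&1
}
ca_cleanup() { rm -rf "$CA"; }

run_demo() {
    ca_setup
    server_request
    ca_sign
    cert_info
    cert_verify && echo "before revocation: chain OK"
    ca_revoke_and_gencrl
    cert_verify_with_crl || echo "after revocation: rejected with CRL check"
    grep '^R' "$CA/index.txt"    # the revoked entry in the CA database
    echo "CA directory: $CA"
}
run_demo
```

The two verify calls are the point: a revoked certificate still verifies perfectly well against the CA certificate alone, which is why revocation is only effective for clients that actually fetch and check the CRL (or OCSP).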