OpenSSL commands (for Linux)

Encryption Algorithm:

Symmetric encryption algorithm:

Des, idea, RC2, RC4, AES, Skipjack ......

Asymmetric encryption algorithm:

RSA, DSA, diffiehellman, PKCS, PGP ......

The one-way hash algorithm is a packet Digest algorithm, although some are also from the OpenSSL library.

Command operation:

1. generate a common private key:

[Weigw @ test SRC] $ OpenSSL genrsa-out privatekey. Key 1024 Generating RSA private key, 1024 bit long modulus... ++... e is 65537 (0x10001)

2. Generate a key with an encrypted password:

[Weigw @ test SRC] $ OpenSSL genrsa-des3-out privatekey. Key 1024 Generating RSA private key, 1024 bit long modulus ............ ++ ..................... ++ e is 65537 (0x10001) enter pass phrase for privatekey. key: verifying-enter pass phrase for privatekey. key:

When generating a key with an encrypted password, you must enter the password yourself. The following algorithms are provided for key encryption:

-DES encrypt the generated key with DES in CBC Mode -Des3 encrypt the generated key with DES in Ede CBC mode (168 bit key) -Aes128,-aes192,-aes256 encrypt PEM output with CBC AES

Password for removing the key:

[Weigw @ test SRC] $ OpenSSL RSA-In privatekey. Key-out Privatekey. Key enter pass phrase for privatekey. Key: Writing RSA key

Generate a certificate using the generated private key:

[Weigw @ test SRC] $ OpenSSL req-New-X509-key privatekey. Key-out cacert. CRT-days 1095 You are about to be asked to enter information that will be ininitialized into your certificate request. What you are about to enter is what is called a distinguished name or a DN. there are quite a few fields but you can leave some blank for some fields there will be a default value, if you enter '. ', the field will be left blank. ----- Country name (2 letter code) [GB]: CN State or province name (full name) [Berkshire]: Beijing Locality name (eg, city) [Newbury]: Beijing Organization Name (eg, company) [My Company Ltd]: wondersoft Organizational unit name (eg, section) []: Develop Common name (eg, your name or your server's hostname) []: weigw Email Address []: weigongwan@sina.com

Enter personal information as prompted when generating the certificate.

Generate a public key using the private key:

[Weigw @ test SRC] $ OpenSSL RSA-In privatekey. Key-pubout-out pubkey. Key writing RSA key

Format conversion: (certificate, private key, Public Key) (PEM <-----> der)

[Weigw @ test SRC] $ OpenSSL X509-In cacert. CRT-inform PEM-out cacert. Der-outform der [Weigw @ test SRC] $

 

[Weigw @ test SRC] $ OpenSSL RSA-In privatekey. Key-inform PEM-out privatekey. Der-outform der Writing RSA key

[Weigw @ test SRC] $ OpenSSL RSA-pubin-In pubkey. Key-inform PEM-pubout-out pubkey. Der-outform der Writing RSA key

Convert the DER format to the PEM format, that is, change the inform format to the deroutform format to the PEM format.

The following is a certificate and Private Key Generation Method for server and client authentication: (server. CRT, client. CRT, Ca. CRT)

Step 1: generate a private key

 

[weigw@TEST bin]$ openssl genrsa -out server.key 1024 Generating RSA private key, 1024 bit long modulus .++++++ ...........++++++ e is 65537 (0x10001) [weigw@TEST bin]$ openssl genrsa -out client.key 1024 Generating RSA private key, 1024 bit long modulus ...++++++ ................++++++ e is 65537 (0x10001) [weigw@TEST bin]$ openssl genrsa -out ca.key 1024Generating RSA private key, 1024 bit long modulus .........++++++ .........++++++ e is 65537 (0x10001) [weigw@TEST bin]$

 

Step 3: apply for a certificate (sign the request file)

[Weigw @ test bin] $ OpenSSL ca-in server. CSR-out server. CRT-Cert CA. CRT-Keyfile ca. Key [Weigw @ test bin] $ OpenSSL ca-in client. CSR-out client. CRT-Cert CA. CRT-Keyfile ca. Key

If an error occurs in this step:

[Weigw @ test bin] $ OpenSSL ca-in client. CSR-out client. CRT-Cert CA. CRT-Keyfile ca. Key Using configuration from/usr/share/SSL/OpenSSL. cnf I am unable to access the./democa/newcerts directory./democa/newcerts: no such file or directory [Weigw @ test bin] $

Manually create a ca directory structure:
[Weigw @ test bin] $ mkdir./democa
[Weigw @ test bin] $ mkdir democa/newcerts
Create an empty file:
[Weigw @ test bin] $ VI democa/index.txt
Write 01 to the file:
[Weigw @ test bin] $ VI democa/serial

Merge the Certificate file (CRT) and private key file (key ):

[Weigw @ test bin] $ cat client. CRT client. Key> client. pem [weigw @ test bin] $ cat server. CRT server. Key> server. pem

Merged into a pfx certificate:

[Weigw @ test bin] $ OpenSSL PKCS12-export-clcerts-in client. CRT-inkey client. Key-out client. p12 Enter export password: Verifying-enter export password: [Weigw @ test bin] $ OpenSSL PKCS12-export-clcerts-in server. CRT-inkey server. Key-out server. p12 Enter export password: Verifying-enter export password:

Trusted certificate:

[Weigw @ test bin] $ OpenSSL PKCS12-in client. p12-out client.txt enter import password: Mac verified OK Enter PEM pass phrase: verifying-enter PEM pass phrase: [Weigw @ test bin] $ OpenSSL PKCS12-in server. p12-out server.txt Enter import password: Mac verified OK Enter PEM pass phrase: verifying-enter PEM pass phrase:

Screen mode: (certificate, private key, public key)

[Weigw @ test bin] $ OpenSSL X509-in client. CRT-noout-text-Modulus [Weigw @ test bin] $ OpenSSL RSA-in server. Key-noout-text-Modulus [Weigw @ test bin] $ OpenSSL RSA-in server. Pub-noout-text-Modulus

Obtain DH:

[Weigw @ test bin] $ OpenSSL dhparam-out dh1024.pem 1024