OpenSSL is an open source SSL implementation. The simplest and most important use of the openssl command is issuing certificates with req, ca and x509.
OpenSSL provides two ways to perform operations: command-line options and an interactive shell.
Enter openssl on its own at the command line to start the interactive shell, as follows:
    [[email protected] local]# openssl
    OpenSSL> help
    openssl:Error: 'help' is an invalid command.

    Standard commands
    asn1parse         ca                ciphers           cms
    crl               crl2pkcs7         dgst              dh
    dhparam           dsa               dsaparam          ec
    ecparam           enc               engine            errstr
    gendh             gendsa            genpkey           genrsa
    nseq              ocsp              passwd            pkcs12
    pkcs7             pkcs8             pkey              pkeyparam
    pkeyutl           prime             rand              req
    rsa               rsautl            s_client          s_server
    s_time            sess_id           smime             speed
    spkac             ts                verify            version
    x509

    Message Digest commands (see the `dgst' command for more details)
    md2               md4               md5               rmd160
    sha               sha1

    Cipher commands (see the `enc' command for more details)
    aes-128-cbc       aes-128-ecb       aes-192-cbc       aes-192-ecb
    aes-256-cbc       aes-256-ecb       base64            bf
    bf-cbc            bf-cfb            bf-ecb            bf-ofb
    camellia-128-cbc  camellia-128-ecb  camellia-192-cbc  camellia-192-ecb
    camellia-256-cbc  camellia-256-ecb  cast              cast-cbc
    cast5-cbc         cast5-cfb         cast5-ecb         cast5-ofb
    des               des-cbc           des-cfb           des-ecb
    des-ede           des-ede-cbc       des-ede-cfb       des-ede-ofb
    des-ede3          des-ede3-cbc      des-ede3-cfb      des-ede3-ofb
    des-ofb           des3              desx              idea
    idea-cbc          idea-cfb          idea-ecb          idea-ofb
    rc2               rc2-40-cbc        rc2-64-cbc        rc2-cbc
    rc2-cfb           rc2-ecb           rc2-ofb           rc4
    rc4-40            seed              seed-cbc          seed-cfb
    seed-ecb          seed-ofb          zlib
OpenSSL commands are generally divided into 3 categories: standard (general) commands, message digest commands, and cipher (encryption and decryption) commands.
In addition to viewing the manual, enter a command followed by --help to see a detailed description of its options, as follows:
    OpenSSL> ca --help
    unknown option --help
    usage: ca args
     -verbose        - Talk alot while doing things
     -config file    - A config file
     -name arg       - The particular CA definition to use
     -gencrl         - Generate a new CRL
     -crldays days   - Days is when the next CRL is due
     -crlhours hours - Hours is when the next CRL is due
     -startdate YYMMDDHHMMSSZ  - certificate validity notBefore
     -enddate YYMMDDHHMMSSZ    - certificate validity notAfter (overrides -days)
     -days arg       - number of days to certify the certificate for
     -md arg         - md to use, see openssl dgst -h for list
     -policy arg     - The CA 'policy' to support
     -keyfile arg    - private key file
     -keyform arg    - private key file format (PEM or ENGINE)
     -key arg        - key to decode the private key if it is encrypted
     -cert file      - The CA certificate
     -selfsign       - sign a certificate with the key associated with it
     -in file        - The input PEM encoded certificate request(s)
     -out file       - Where to put the output file(s)
     -outdir dir     - Where to put output certificates
     -infiles ....   - The last argument, requests to process
     -spkac file     - File contains DN and signed public key and challenge
     -ss_cert file   - File contains a self signed cert to sign
     -preserveDN     - Don't re-order the DN
     -noemailDN      - Don't add the EMAIL field into certificate' subject
     -batch          - Don't ask questions
     -msie_hack      - msie modifications to handle all those universal strings
     -revoke file    - Revoke a certificate (given in file)
     -subj arg       - Use arg instead of request's subject
     -utf8           - input characters are UTF8 (default ASCII)
     -multivalue-rdn - enable support for multivalued RDNs
     -extensions ..  - Extension section (override value in config file)
     -extfile file   - Configuration file with X509v3 extentions to add
     -crlexts ..     - CRL extension section (override value in config file)
     -engine e       - use engine e, possibly a hardware device.
     -status serial  - Shows certificate status given the serial number
     -updatedb       - Updates db for expired certificates
    error in ca
Run version -a to view the version; if OpenSSL was installed with rpm/yum, you can also check it with rpm -qa | grep openssl, as follows:
    OpenSSL> version -a
    OpenSSL 1.0.1e-fips 2013
    built on: Tue Jan 17:30:05 UTC 2015
    platform: linux-x86_64
    options:  bn(64,64) md2(int) rc4(16x,int) des(idx,cisc,16,int) idea(int) blowfish(idx)
    compiler: gcc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DKRB5_MIT -m64 -DL_ENDIAN -DTERMIO -Wall -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic -Wa,--noexecstack -DPURIFY -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
    OPENSSLDIR: "/etc/pki/tls"
    engines:
OpenSSL is primarily used to create certificates for asymmetric encryption, as in the typical HTTPS protocol for the web. The main asymmetric encryption algorithms are RSA and DSA; the others are used less. It is therefore best to understand the difference between the two algorithms first, which can only help.
Both RSA and DSA are asymmetric algorithms. The security of RSA is based on the extreme difficulty of factoring a large integer (the product of two primes); the security of DSA is based on the discrete logarithm problem over a finite field of integers. Basically, RSA and DSA with the same key length can be considered to offer equal security. In RSA encryption and decryption, the public key is used for encryption and is made public to everyone; the private key is used for decryption, and only the recipient of the ciphertext holds it.
In DSA digital signature and authentication, the sender uses his private key to sign the file or message, and the recipient, on receiving the message, uses the sender's public key to verify the authenticity of the signature.
DSA is purely a signature algorithm: unlike RSA, it cannot be used for encryption and decryption or for key exchange, only for signing, which is much faster than RSA.
So RSA is generally used for encryption and decryption, and DSA is used for signature and verification.
The encryption and decryption process for OpenSSL RSA is as follows:
Generate a key (private key)
Note: this file contains both the public key and the private key, which means the file can be used for encryption or decryption. The trailing 1024 is the length of the generated key.
    [[email protected] openssl]# openssl genrsa -out private.key 1024
    Generating RSA private key, 1024 bit long modulus
    .......++++++
    ......................++++++
    e is 65537 (0x10001)
Extract the public key from the key file private.key
    [[email protected] openssl]# openssl rsa -in private.key -pubout -out pub.key
    writing RSA key
    [[email protected] openssl]# ll
    total 8
    -rw-r--r-- 1 root root 891 Jan 15 18:54 private.key
    -rw-r--r-- 1 root root 272 Jan 15 18:55 pub.key
Encrypt a message with the public key. The following is for testing purposes only; it is rarely used this way in real systems.
    [[email protected] openssl]# echo -n "This is a secret message" | openssl rsautl -encrypt -inkey pub.key -pubin > encrypt.out
    [[email protected] openssl]# ll
    total 12
    -rw-r--r-- 1 root root     Jan 15 18:56 encrypt.out
    -rw-r--r-- 1 root root 891 Jan 15 18:54 private.key
    -rw-r--r-- 1 root root 272 Jan 15 18:55 pub.key
    [[email protected] openssl]# cat encrypt.out
    (binary ciphertext; not printable)
    [[email protected] openssl]# Xshell
    -bash: Xshell: command not found
Decrypt the message with the private key. Again, this is for testing purposes only; it is rarely used this way in real systems.
    [[email protected] openssl]# cat encrypt.out | openssl rsautl -decrypt -inkey private.key
    This is a secret message[[email protected] openssl]#
The OpenSSL DSA signature and verification process is as follows:
Generate a key (private key)
    [[email protected] openssl]# openssl dsaparam -out dsaparam.pem 1024
    Generating DSA parameters, 1024 bit long prime
    This could take some time
    (progress output omitted)
    [[email protected] openssl]# ll
    total 16
    -rw-r--r-- 1 root root 455 Jan 15 19:00 dsaparam.pem
    -rw-r--r-- 1 root root     Jan 15 18:56 encrypt.out
    -rw-r--r-- 1 root root 891 Jan 15 18:54 private.key
    -rw-r--r-- 1 root root 272 Jan 15 18:55 pub.key
Generate the private key from the parameters, then extract the public key
    [[email protected] openssl]# openssl gendsa -out privkey.pem dsaparam.pem
    Generating DSA key, 1024 bits
    [[email protected] openssl]# openssl dsa -in privkey.pem -out pubkey.pem -pubout
    read DSA key
    writing DSA key
    [[email protected] openssl]# ll
    total 24
    -rw-r--r-- 1 root root 455 Jan 15 19:00 dsaparam.pem
    -rw-r--r-- 1 root root     Jan 15 18:56 encrypt.out
    -rw-r--r-- 1 root root 891 Jan 15 18:54 private.key
    -rw-r--r-- 1 root root 668 Jan 15 19:01 privkey.pem
    -rw-r--r-- 1 root root 272 Jan 15 18:55 pub.key
    -rw-r--r-- 1 root root 654 Jan 15 19:01 pubkey.pem
The following is for testing purposes only; it is rarely used this way in real systems.
Sign with the private key
    [[email protected] openssl]# echo -n "This is a secret message" | openssl dgst -dss1 -sign privkey.pem > sign.result
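The transcript above stops after signing. The script below is an added example, not part of the original page: it repeats the DSA steps and adds the verification step with the public key, including a tampered message that must be rejected. It assumes a current OpenSSL, so it uses -sha256 (the -dss1 digest option was removed in OpenSSL 1.1.0) and 2048-bit parameters; msg.txt, tampered.txt and the scratch directory are constructed names.

```shell
# Added example, not from the original page; file names are constructed.
set -eu

dsa_sign_demo() {           # $1 = scratch directory
    dir=$1
    printf 'This is a secret message' > "$dir/msg.txt"
    # Same three steps as the transcript: parameters, private key, public key
    openssl dsaparam -out "$dir/dsaparam.pem" 2048 2>/dev/null
    openssl gendsa -out "$dir/privkey.pem" "$dir/dsaparam.pem" 2>/dev/null
    openssl dsa -in "$dir/privkey.pem" -pubout -out "$dir/pubkey.pem" 2>/dev/null
    # Sign the SHA-256 digest of the message with the private key
    openssl dgst -sha256 -sign "$dir/privkey.pem" \
        -out "$dir/sign.result" "$dir/msg.txt"
}

dsa_verify() {              # $1 = public key, $2 = signature, $3 = message file
    # openssl exits non-zero on "Verification Failure"
    if openssl dgst -sha256 -verify "$1" -signature "$2" "$3" >/dev/null 2>&1
    then echo valid
    else echo invalid
    fi
}

work=$(mktemp -d)
dsa_sign_demo "$work"
# One changed character is enough to invalidate the signature
printf 'This is a secret messagE' > "$work/tampered.txt"
dsa_verify "$work/pubkey.pem" "$work/sign.result" "$work/msg.txt"
dsa_verify "$work/pubkey.pem" "$work/sign.result" "$work/tampered.txt"
```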
Somewhat like Java and a servlet container, encryption, decryption and signing are the underlying implementations, while what is typically used at run time is certificates (X.509 certificates, usually just called certificates). X.509, the form seen most often, is in fact a PKI standard developed by the ITU Telecommunication Standardization Sector (ITU-T) for single sign-on (SSO) and privilege management infrastructure (PMI). It defines (but is not limited to) certificate standards such as public key certificates, certificate revocation lists, attribute certificates, and certificate path validation algorithms, as well as the Ethernet standard, as a carrier for secure authentication. In an HTTPS connection, when an SSL session is established, the server transmits its certificate, and the client browser automatically parses the server certificate and, depending on the version of the browser, produces a 40-bit or 128-bit session key that encrypts the transaction's information. The whole process completes automatically and is transparent to the user (if the client is not a browser, the certificate has to be copied to the other side manually and loaded and verified using the SDK of the programming language in use). Therefore, you also need to create the certificate and deploy it to the server to complete the process.
The complete logical process for creating a certificate is as follows (if you apply to a third party, you generally submit the request, and the third party sends the generated certificate back to the requester):
1. Create the CA root certificate;
2. Generate the CA self-signed certificate;
3. Generate the server-side CSR;
4. Use the CA to sign the server certificate;
The process for generating an SSL certificate using OpenSSL is as follows:
Note that you must first create the following files in the directory specified in the openssl.cnf configuration file, or signing the server certificate later will fail.
index.txt: OpenSSL writes an index to this file when it creates a self-signed certificate.
database.txt: OpenSSL simulates a database and writes some sensitive information to this file.
serial.txt: after you create the file, edit it so that the first line contains 01.
    [[email protected] openssl]# openssl genrsa -des3 -out ca.key 1024
    Generating RSA private key, 1024 bit long modulus
    .++++++
    ...............++++++
    e is 65537 (0x10001)
    Enter pass phrase for ca.key:
    Verifying - Enter pass phrase for ca.key:
    # Create the CA's self-signed certificate
    [[email protected] openssl]# openssl req -new -x509 -key ca.key -out ca.crt -days 3650
    Enter pass phrase for ca.key:
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [XX]:
    State or Province Name (full name) []:
    Locality Name (eg, city) [Default City]:
    Organization Name (eg, company) [Default Company Ltd]:
    Organizational Unit Name (eg, section) []:
    Common Name (eg, your name or your server's hostname) []:ldtrader.com
    Email Address []:
    [[email protected] openssl]# ll
    total 36
    -rw-r--r-- 1 root root 928 Jan 15 19:13 ca.crt
    -rw-r--r-- 1 root root 963 Jan 15 19:10 ca.key
    -rw-r--r-- 1 root root 455 Jan 15 19:00 dsaparam.pem
    -rw-r--r-- 1 root root     Jan 15 18:56 encrypt.out
    -rw-r--r-- 1 root root 891 Jan 15 18:54 private.key
    -rw-r--r-- 1 root root 668 Jan 15 19:01 privkey.pem
    -rw-r--r-- 1 root root 272 Jan 15 18:55 pub.key
    -rw-r--r-- 1 root root 654 Jan 15 19:01 pubkey.pem
    -rw-r--r-- 1 root root     Jan 15 19:04 sign.result
    [[email protected] openssl]# openssl genrsa -out server.key 1024
    Generating RSA private key, 1024 bit long modulus
    .......++++++
    .............................++++++
    e is 65537 (0x10001)
    [[email protected] openssl]# openssl req -new -key server.key -out server.csr
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [XX]:
    State or Province Name (full name) []:
    Locality Name (eg, city) [Default City]:
    Organization Name (eg, company) [Default Company Ltd]:
    Organizational Unit Name (eg, section) []:
    Common Name (eg, your name or your server's hostname) []:ldtrader.com
    Email Address []:

    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:secret
    An optional company name []:
    [[email protected] openssl]# ll
    total 44
    -rw-r--r-- 1 root root 928 Jan 15 19:13 ca.crt
    -rw-r--r-- 1 root root 963 Jan 15 19:10 ca.key
    -rw-r--r-- 1 root root 455 Jan 15 19:00 dsaparam.pem
    -rw-r--r-- 1 root root     Jan 15 18:56 encrypt.out
    -rw-r--r-- 1 root root 891 Jan 15 18:54 private.key
    -rw-r--r-- 1 root root 668 Jan 15 19:01 privkey.pem
    -rw-r--r-- 1 root root 272 Jan 15 18:55 pub.key
    -rw-r--r-- 1 root root 654 Jan 15 19:01 pubkey.pem
    -rw-r--r-- 1 root root 664 Jan 15 19:14 server.csr
    -rw-r--r-- 1 root root 887 Jan 15 19:14 server.key
    -rw-r--r-- 1 root root     Jan 15 19:04 sign.result
    [[email protected] openssl]# openssl ca -in server.csr -out server.crt -keyfile ca.key -cert ca.crt -days 3650
    Using configuration from /etc/pki/tls/openssl.cnf
    Enter pass phrase for ca.key:
    /etc/pki/CA/index.txt: No such file or directory
    unable to open '/etc/pki/CA/index.txt'
    139976169916232:error:02001002:system library:fopen:No such file or directory:bss_file.c:398:fopen('/etc/pki/CA/index.txt','r')
    139976169916232:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:400:
    [[email protected] openssl]# openssl ca -in server.csr -out server.crt -keyfile ca.key -cert ca.crt -days 3650
    Using configuration from /etc/pki/tls/openssl.cnf
    Enter pass phrase for ca.key:
    wrong number of fields on line 1 (looking for field 6, got 1, '' left)
Merge the certificate file and the private key file (typically, Nginx requires PEM format)
    cat server.crt server.key > server.pem
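Both openssl ca failures in the transcript above come from the CA database file: index.txt was missing on the first attempt and was not a valid (empty) database on the second. The script below is an added example, not part of the original page: it runs the same four steps in a scratch directory with its own config and then checks the issued certificate with openssl verify. The names ca.cnf, demo_ca and demo.example.test, the directory layout, the 2048-bit keys and the absence of a pass phrase are assumptions made so that it runs unattended.

```shell
# Added example, not from the original page. ca.cnf, its section names and
# demo.example.test are constructed; no pass phrase, so it runs unattended.
set -eu
umask 077                   # keys are created owner-only (the listing shows 0644)

make_demo_ca() {            # $1 = scratch directory for the CA
    dir=$1
    mkdir -p "$dir/newcerts"
    : > "$dir/index.txt"    # must exist and be EMPTY; stray text in it gives
                            # "wrong number of fields on line 1"
    echo 01 > "$dir/serial" # next serial number, in hex
    cat > "$dir/ca.cnf" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database      = $dir/index.txt
serial        = $dir/serial
new_certs_dir = $dir/newcerts
default_md    = sha256
default_days  = 365
policy        = policy_any
[ policy_any ]
commonName = supplied
[ req ]
distinguished_name = dn
x509_extensions    = v3_ca
[ dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage         = critical,keyCertSign,cRLSign
EOF
    openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
    openssl req -new -x509 -config "$dir/ca.cnf" -key "$dir/ca.key" \
        -subj "/CN=Demo Root CA" -days 3650 -out "$dir/ca.crt"
}

issue_server_cert() {       # $1 = CA directory, $2 = server common name
    dir=$1; cn=$2
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
    openssl req -new -config "$dir/ca.cnf" -key "$dir/server.key" \
        -subj "/CN=$cn" -out "$dir/server.csr"
    openssl ca -batch -notext -config "$dir/ca.cnf" -keyfile "$dir/ca.key" \
        -cert "$dir/ca.crt" -in "$dir/server.csr" -out "$dir/server.crt"
    openssl verify -CAfile "$dir/ca.crt" "$dir/server.crt"
}

ca_dir=$(mktemp -d)
make_demo_ca "$ca_dir"
issue_server_cert "$ca_dir" demo.example.test
```

After a successful run index.txt holds one line beginning with V (valid) for the issued certificate and serial has advanced to 02, which is the state openssl ca expects to find on the next signing.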
PS: Among the files used with OpenSSL and with certificates more generally, the file formats and typical file suffix conventions are as follows:
.key: private key
.csr: certificate signing request (the certificate request file), containing the public key information; short for Certificate Signing Request
.crt: certificate file; short for certificate
.crl: certificate revocation list; short for Certificate Revocation List
.pem: the format used to export and import certificates, with a certificate header line at the beginning and a footer line at the end
Tomcat and nginx each have different format requirements for the certificate; the respective configuration is as follows:
One addition: formal finance-related systems generally apply to a third-party CA for a certificate, while some internal systems, or systems with a relatively fixed audience, use self-signed certificates to save costs. This is not a problem; the implementation mechanism and security strength should not differ much, and the choice is more a management-level consideration.