Introduction to OpenSSL command parameters and certificate generation methods

Source: Internet
Author: User

Introduction to OpenSSL
SSL is the abbreviation of Secure Sockets Layer. It provides confidential transmission over the Internet. Netscape proposed the SSL protocol standard when it released its first web browser, and the protocol is currently at version 3.0. SSL uses public key technology. Its goal is to ensure the confidentiality and reliability of communication between two applications, and it can be supported on both the server side and the client side. SSL has become an industry standard for secure communication on the Internet. The protocol keeps communication between users and server applications from being eavesdropped on by attackers and always authenticates the server; authenticating the user is optional. SSL must be built on a reliable transport layer protocol (TCP). Its advantage is that it is independent of the application layer protocol: high-level application layer protocols (such as HTTP, FTP, and telnet) can be built transparently on top of SSL. SSL completes the negotiation of the encryption algorithm and the communication key, and the authentication of the server, before application layer communication begins. After that, the data transmitted by the application layer protocol is encrypted, which ensures the privacy of the communication. As described above, the secure channel provided by the SSL protocol has the following three features:

1. Data confidentiality: encryption converts plaintext input into ciphertext using an encryption algorithm in order to keep the data confidential. A key is used to encrypt the data and to decrypt it again; without the key, the encrypted data cannot be unlocked. Once the data is encrypted, only the key has to be transmitted in a safe way; the encrypted data can be transmitted publicly.

2. Data consistency: encryption can also ensure data consistency. For example, a message authentication code (MAC) can verify the encrypted information provided by the user: the receiver uses the MAC to check that the encrypted data has not been tampered with during transmission.

3. Security verification: another use of encryption is as a personal identifier; the user's key can serve as the identifier for security verification. SSL uses public key encryption technology (RSA) as the encrypted communication protocol between the client and the server when transmitting confidential data.

What is OpenSSL?
Faced with so many cryptographic algorithms, public key infrastructure standards, and the SSL protocol, you may have the idea of implementing all of these algorithms and standards yourself. If so, I can't help but remind you that this is a daunting process. The work is not as simple as reading a few cryptography monographs and protocol documents; it means understanding every detail of all these algorithms, standards, and protocol documents, and implementing each definition and process one by one in the C language you may be familiar with. We don't know how much time you would need to complete this interesting and terrible job, but it is definitely not just a year or two.

The entire OpenSSL software package can be divided into three main functional parts: cryptographic algorithm library, SSL protocol library, and applications. The directory structure of OpenSSL is naturally planned around these three functional parts.

1. Symmetric encryption algorithms

OpenSSL provides eight symmetric encryption algorithms. Seven of them are block ciphers, and the only stream cipher is RC4. The seven block ciphers are AES, DES, Blowfish, CAST, IDEA, RC2, and RC5, all of which support the four commonly used block cipher modes: electronic codebook mode (ECB), cipher block chaining mode (CBC), cipher feedback mode (CFB), and output feedback mode (OFB). Among them, AES uses a block length of 128 bits in cipher feedback mode (CFB) and output feedback mode (OFB), while the other algorithms use 64 bits. The DES implementation covers not only the ordinary DES algorithm but also the three-key and two-key 3DES algorithms.

2. Asymmetric encryption algorithms

OpenSSL implements four asymmetric encryption algorithms: the DH algorithm, the RSA algorithm, the DSA algorithm, and the elliptic curve algorithm (EC). The DH algorithm is generally used for key exchange. The RSA algorithm can be used for both key exchange and digital signatures; if you can tolerate its slow speed, it can also be used for data encryption. The DSA algorithm is generally used only for digital signatures.

3. Message digest algorithms

OpenSSL implements five message digest algorithms: MD2, MD5, MDC2, SHA (SHA1), and RIPEMD. The SHA algorithm actually includes both the SHA and SHA1 message digest algorithms. In addition, OpenSSL implements the two message digest algorithms DSS and DSS1.

4. Key and Certificate Management

Key and certificate management is an important component of PKI. OpenSSL provides a wide range of functions and supports various standards.

First, OpenSSL implements the ASN.1 standards related to certificates and keys, and provides DER, PEM, and base64 encoding and decoding for certificates, public keys, private keys, certificate requests, CRLs, and other data objects. OpenSSL provides methods, functions, and applications for generating various public key pairs and symmetric keys, along with DER encoding and decoding functions for public and private keys. It also implements the PKCS #12 and PKCS #8 encoding and decoding functions for private keys. OpenSSL provides the encryption protection for private keys defined in these standards, so that keys can be stored and distributed securely.

On this basis, OpenSSL implements encoding and decoding for the X.509 certificate standard, the PKCS #12 format, and PKCS #7. It also provides a text database that supports certificate management functions, including certificate key generation, request generation, certificate issuance, revocation, and verification.

In fact, the ca application provided by OpenSSL is a small certificate authority (CA) that implements the entire process of certificate issuance and most of the mechanisms of certificate management.

The following describes how to generate a certificate in practical applications.

1. Initialize the CA:

openssl req -x509 -config <path and name of the configuration file> -extensions <root certificate extension section in the configuration file> -newkey rsa:<key size in bits> -keyout <name of the output key file> -out <name of the output root certificate> -passout pass:<root certificate password> -days <validity period in days>

After executing this command, the root certificate and its private key are generated.

2. Create a server certificate:

Create a request (with -nodes the output key is not encrypted; the key and the request can be written to the same file):

openssl req -new -newkey rsa:<key size in bits> -keyout <output key> -out <output request> -config <configuration file> -days <validity period> -nodes

Create newcert:

openssl ca -config <configuration file> -policy <policy section in the configuration file> -days <validity period> -in <request file> -out <newcert.pem file> -passin pass:<CA key password> -batch -extensions <extensions section in the configuration file>

Create a PKCS12 certificate:

RANDFILE=<random file path> openssl pkcs12 -export -in <newcert.pem path> -inkey <requested key file> -certfile <CA certificate file> -caname <CA name> -out <output pfx file> -clcerts -name <CommonName> -passout pass:

Convert the pfx file back to a PEM certificate file:

RANDFILE=<random file path> openssl pkcs12 -in <pfx file> -out <output PEM certificate file> -passin pass: -passout pass:

Certificate in DER format:

openssl x509 -in <PEM certificate file created above> -out <DER certificate file> -inform PEM -outform DER

3. Create a user certificate:

Create a request:

openssl req -new -newkey rsa:<key size in bits> -keyout <output user private key file> -out <output user request> -config <configuration file> -days <validity period in days> -nodes

Create a certificate:

openssl ca -config <configuration file> -in <request file> -out /dev/null -notext -days <validity period> -passin pass:<CA password> -batch -extensions <section in the configuration file>

Create a DER certificate (the user certificate generated in the previous step is written to the location specified in the configuration file):

openssl x509 -in <user certificate> -out <output DER certificate> -inform PEM -outform DER

Create a pfx certificate:

RANDFILE=<random file path> openssl pkcs12 -export -in <user certificate> -inkey <user key> -certfile <CA PEM certificate file> -caname <CA organization name> -out <output pfx file> -name <CommonName> -passout pass:

The preceding commands are provided for your reference.

The server certificate has a hierarchical relationship with the user certificate, except that the configuration file is different. There are many configuration files for configuring the certificate on the Internet, so we will not repeat them here.
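The steps above carried through end to end, as an added example that is not part of the original article: a root CA, a server request signed with openssl ca, then PKCS #12 and DER output. The configuration file contents, the section names (demo_ca, policy_any, v3_ca, server_cert), the subject names and the passwords are constructed for illustration, and 2048-bit RSA keys are assumed.

```shell
#!/bin/sh
# Added example; config, section names, subjects and passwords are constructed.
# pass:... puts passwords in the process list; OpenSSL also accepts env:VAR and file:PATH.
# Usage: make_demo_pki ./demo-pki   (runs in a subshell, so the caller's cwd is kept)
make_demo_pki() (
    mkdir -p "$1/newcerts" && cd "$1" || exit 1
    : > index.txt        # empty certificate database used by "openssl ca"
    echo 01 > serial     # next serial number (hex)
    cat > pki.cnf <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database = index.txt
serial = serial
new_certs_dir = newcerts
certificate = ca.crt
private_key = ca.key
default_md = sha256
unique_subject = no
[ policy_any ]
commonName = supplied
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ server_cert ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
EOF
    # 1. Initialize the CA: encrypted root key plus self-signed root certificate.
    openssl req -x509 -config pki.cnf -extensions v3_ca -newkey rsa:2048 \
        -keyout ca.key -out ca.crt -passout pass:capass -days 3650 \
        -subj "/CN=Example Root CA" 2>/dev/null || exit 1
    # 2. Server key and request, then let the CA sign the request.
    openssl req -new -config pki.cnf -newkey rsa:2048 -nodes \
        -keyout server.key -out server.csr \
        -subj "/CN=server.example.test" 2>/dev/null || exit 1
    openssl ca -config pki.cnf -policy policy_any -days 365 -notext -batch \
        -in server.csr -out server.crt -passin pass:capass \
        -extensions server_cert 2>/dev/null || exit 1
    # 3. Bundle certificate, key and CA certificate as PKCS#12; convert to DER.
    openssl pkcs12 -export -in server.crt -inkey server.key -certfile ca.crt \
        -name server.example.test -out server.pfx -passout pass:pfxpass || exit 1
    openssl x509 -in server.crt -out server.der -inform PEM -outform DER
)
```

A user certificate follows the same path with a different extensions section, as the article notes.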

OpenSSL parameters:

openssl dhparam [-inform DER|PEM] [-outform DER|PEM] [-in filename] [-out filename] [-dsaparam] [-noout] [-text] [-C] [-2] [-5] [-rand file(s)] [numbits]

-inform DER|PEM
Specifies whether the input format is PEM or DER. DER is the ASN.1 DER standard format. PEM, which is used in most cases, is the base64-encoded format. The .key and .crt files you create are generally in PEM format: a first and a last marker line with the encoded content in between.
-outform DER|PEM
Same as the previous option, except that it specifies the output format.
-in filename
Name of the file to be read.
-out filename
Name of the file to be written.
-dsaparam
If this option is set, the input or output is treated as DSA parameters, which are then converted into DH parameter format. DH parameters and DH keys obtained this way shorten the SSL handshake time, but the time saved comes at the cost of security. It is therefore best to use different parameters each time so that your key cannot be broken.
-2, -5
Selects the generator used for the DH parameters, 2 or 5. 2 is the default. If either option is set, the input file is ignored.

-rand file(s)
Seed files used when generating keys. Multiple seed files can be separated by colons.
numbits
Specify the length of the generated parameter. It must be the last parameter of this command. If not specified, a-bit long parameter is generated.


-noout
The encoded version of the parameters is not printed.
-text
Print the DH parameters in readable form.
-C
Convert the parameters to C code. The parameters can then be loaded by calling the get_dhnumbits() function.

OpenSSL also has two commands, dh and gendh, which are obsolete; all of their functions are implemented by dhparam.
The dh and gendh commands are retained for now, but may be used for other purposes in the future.

1. openssl genrsa -out ca.key 1024 creates an RSA key file ca.key, which contains a public key and a private key 1024 bits in length. You must keep the key file carefully.

2. openssl req -new -x509 -days 365 -key ca.key -out ca.crt uses the key file ca.key to generate an X509 certificate ca.crt. ca.crt is valid for 365 days, contains the public key, and is kept by the other party.

3. openssl req -new -key my.key -out my.csr uses the key file my.key to generate a certificate request file my.csr, which can be submitted to a CA to be issued as a certificate trusted by that CA.

4. sign.sh my.csr: sign.sh is a CA certificate issuing script. After my.csr is signed, the my.crt certificate is generated.

5. openssl x509 -in server.pem -noout -pubkey displays the public key of the server.pem certificate.

6. openssl rsa -in serverkey.pem -pubout displays the public key of the serverkey.pem key file. The public key in a certificate should be identical to the public key of the key file the certificate was generated for, so statements 5 and 6 can be used to determine whether a certificate and a key file are a pair.

7. openssl x509 -in my.crt -issuer -noout displays the CA that issued the certificate.

8. openssl req -in myreq.pem -noout -verify -key mykey.pem verifies that the certificate request myreq.pem matches the key file.
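Statements 5, 6 and 8 turned into a reusable check, added here as an example that is not part of the original article: it compares the public key carried by a certificate or request with the one derived from a key file. The function names and sample file names are assumptions, and openssl pkey is used in place of openssl rsa so that non-RSA keys are handled as well, which goes slightly beyond the RSA-only commands in the list.

```shell
#!/bin/sh
# Added example: is this certificate (or request) paired with this key file?

# Print the public key (PEM SubjectPublicKeyInfo) carried by a PEM file.
# $2 is an optional OpenSSL pass phrase source for an encrypted private key.
pubkey_of() {
    case $(sed -n '/^-----BEGIN /{p;q;}' "$1") in
        *'CERTIFICATE REQUEST'*) openssl req  -in "$1" -noout -pubkey ;;
        *'CERTIFICATE'*)         openssl x509 -in "$1" -noout -pubkey ;;
        *'PRIVATE KEY'*)         openssl pkey -in "$1" -pubout -passin "${2:-pass:}" ;;
        *) return 2 ;;           # missing file or unknown PEM type
    esac 2>/dev/null
}

# Return 0 if both files carry the same public key, 1 if they differ,
# 2 if either file cannot be read or parsed.
same_keypair() {
    a=$(pubkey_of "$1" "$3") && [ -n "$a" ] || return 2
    b=$(pubkey_of "$2" "$3") && [ -n "$b" ] || return 2
    [ "$a" = "$b" ]
}

# Constructed sample material in directory $1: two RSA keys, plus a
# self-signed certificate and a request made from the first key.
make_samples() {
    printf '[req]\ndistinguished_name=dn\n[dn]\n' > "$1/min.cnf" &&
    openssl genrsa -out "$1/a.key" 2048 2>/dev/null &&
    openssl genrsa -out "$1/b.key" 2048 2>/dev/null &&
    openssl req -new -x509 -days 1 -config "$1/min.cnf" -key "$1/a.key" \
        -subj "/CN=sample" -out "$1/a.crt" 2>/dev/null &&
    openssl req -new -config "$1/min.cnf" -key "$1/a.key" \
        -subj "/CN=sample" -out "$1/a.csr" 2>/dev/null
}
```

Running same_keypair server.crt server.key before a web server reload catches a mismatched pair before the server refuses to start.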

# cd /usr/local/nginx/conf
# openssl genrsa -des3 -out server.key 1024
# openssl req -new -key server.key -out server.csr
# openssl rsa -in server.key -out server_nopwd.key
# openssl x509 -req -days 365 -in server.csr -signkey server_nopwd.key -out server.crt
