First, common operations
Symmetric encryption:
openssl enc -e -aes256 -base64 -in goal.file -out result.file   Encrypt (-e) goal.file with AES-256 and write the Base64-encoded result to result.file
openssl enc -d -aes256 -base64 -in result.file -out goal.file   Decrypt (-d) result.file back to goal.file
One-way encryption (message digest, used to check that a file has not been tampered with):
openssl dgst -sha512 goal.file   Generate the digest of goal.file with the SHA-512 algorithm; without an algorithm option, dgst defaults to the MD5 algorithm
Generate random numbers:
A random number of ten digits
Manage user passwords (i.e. encrypt passwords for storage):
openssl passwd -1 [-salt <salt>] <password>   Note: -1 selects the MD5-based algorithm, -apr1 is an alternative; -1 and -salt are optional
Asymmetric encryption (key pair; encrypting with the private key gives a signature that identifies the sender, encrypting with the public key protects the file contents):
openssl genrsa 4096 > pkey.file && chmod 0600 pkey.file   Generate the private key with a key length of 4096 bits (1024 or 2048 are also possible); access to the private key file must be tightly controlled
openssl rsa -in pkey.file -pubout > pubkey.file   Generate the public key (extracted from the private key)
openssl rsautl -encrypt -in goal.file -inkey pubkey.file -pubin -out result.file   Encrypt goal.file with the public key; -pubin declares that the key file holds a public key (the default is a private key)
openssl rsautl -decrypt -in result.file -inkey pkey.file -out goal.file   Decrypt result.file with the private key
Second, CA-related
Reference information:
- http://www.cnblogs.com/yjmyzz/p/openssl-tutorial.html
- http://www.cnblogs.com/LittleHann/p/3738141.html
Explanation of terms:
- PKI: Public Key Infrastructure
- CRL: Certificate Revocation List, the list of revoked (blacklisted) certificates
- PKCS: Public Key Cryptography Standards, the public key cryptography standards
- X.509: the certificate format standard of the International Telecommunication Union Telecommunication sector (ITU-T) and ISO, part of the ITU/ISO directory service family of standards; it defines the basic structure of a public key certificate. A certificate is a collection of standard fields containing information about a user or device and its corresponding public key
- CSR: Certificate Signing Request, the application file that is submitted to the CA
- CRT: certificate
- PEM: Privacy Enhanced Mail, a certificate and key file encoding format using Base64 text
- DER: Distinguished Encoding Rules, another encoding format, binary; common on the Windows platform
Configuration file location: /etc/path/to/openssl.cnf; the path differs between distributions, use openssl version -d to find it
I. Self-signed certificate (CA side):
- In the locations defined in openssl.cnf, create the index.txt and serial files
- Generate the CA's private key with openssl genrsa
- Generate the self-signed certificate: openssl req -new -x509 -key /path/to/ca/ca_private_key -out /path/to/ca/ca_cert -days 1000   Note: the -x509 option creates a self-signed (root) CA certificate, -days sets the validity period
II. Certificate application (client side):
- Generate the request file and send it to the CA: openssl req -new -key /path/to/client_private_key -out /path/to/client_csr -days 100
III. Certificate issuance (CA side):
- Issue the certificate and send it to the client: openssl ca -in /path/to/client_csr -out /path/to/result_client_crt -days 100
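Steps I to III above carried out end to end by a small POSIX shell script written for these notes (an added example, not part of the original page), finishing with the check a CA operator wants: that the issued certificate actually chains to the CA certificate. It assumes openssl is on PATH; the scratch directory, file names, the minimal openssl.cnf and the subject names are all constructed for the demo.

```shell
# Added example: a throwaway CA following steps I-III above, then a chain check.
set -eu
CA_DIR="${CA_DIR:-$(mktemp -d)}"   # constructed scratch directory, not a real CA path
setup_ca() {
  mkdir -p "$CA_DIR/newcerts"
  : > "$CA_DIR/index.txt"     # step I: empty certificate database
  echo 01 > "$CA_DIR/serial"   # step I: next serial number to issue
  # minimal openssl.cnf written for this demo (not a distribution's file)
  cat > "$CA_DIR/ca.cnf" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir = $CA_DIR
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
certificate = \$dir/ca_cert.pem
private_key = \$dir/ca_key.pem
default_md = sha256
policy = demo_policy
x509_extensions = usr_cert
[ demo_policy ]
commonName = supplied
[ usr_cert ]
basicConstraints = CA:FALSE
[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = keyCertSign, cRLSign
EOF
  openssl genrsa -out "$CA_DIR/ca_key.pem" 2048 2>/dev/null
  chmod 0600 "$CA_DIR/ca_key.pem"   # keep the CA private key tightly controlled
  openssl req -new -x509 -config "$CA_DIR/ca.cnf" -key "$CA_DIR/ca_key.pem" \
    -subj "/CN=Demo Root CA" -days 1000 -out "$CA_DIR/ca_cert.pem"
}
issue_client_cert() {
  openssl genrsa -out "$CA_DIR/client_key.pem" 2048 2>/dev/null   # step II: client key + CSR
  openssl req -new -config "$CA_DIR/ca.cnf" -key "$CA_DIR/client_key.pem" \
    -subj "/CN=client.example" -out "$CA_DIR/client.csr"
  openssl ca -batch -config "$CA_DIR/ca.cnf" -in "$CA_DIR/client.csr" \
    -days 100 -notext -out "$CA_DIR/client_cert.pem" 2>/dev/null   # step III: CA signs
}
verify_client_cert() {   # succeeds only if the issued certificate chains to ca_cert.pem
  openssl verify -CAfile "$CA_DIR/ca_cert.pem" "$CA_DIR/client_cert.pem" >/dev/null
}
```

Call setup_ca, issue_client_cert and verify_client_cert in that order; after issuance index.txt gains a V (valid) entry for the client certificate and the serial file advances to 02.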
Linux Basic Notes--[022]--"openssl"