SSL is the abbreviation of Secure Sockets Layer. The functionality OpenSSL provides is powerful and comprehensive: it covers the main cryptographic algorithms, the common key and certificate management functions, and the SSL protocol itself, and it ships a rich set of command-line applications for testing and other uses.
Check whether the OpenSSL package is installed; if it is not, install it first. Here it is installed with yum:
# rpm -q openssl
openssl-1.0.1e-30.el6.x86_64
# yum -y install openssl
I. Using OpenSSL for symmetric encryption and decryption of files
Take the enc tool as an example: encrypt the /tmp/test.txt file to produce test.aes
Decrypt the test.aes file
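The encrypt and decrypt round trip from this section, written out as an added example (these are not the blog's commands, whose screenshots are not reproduced here). It assumes a POSIX shell and OpenSSL 1.1.1 or newer, which is what the -pbkdf2 option needs; on the 1.0.1e build shown in the post, -pbkdf2 and -iter must be dropped and the passphrase is then stretched with the much weaker legacy EVP_BytesToKey derivation. The sample plaintext and the passphrase are constructed:

```shell
#!/bin/sh
# Added example: symmetric file encryption and decryption with "openssl enc",
# followed by a round-trip check and a wrong-passphrase check.
set -e

WORK=$(mktemp -d)
PASSFILE="$WORK/pass.txt"
# Constructed sample input and a constructed passphrase. A real passphrase
# belongs in a file or a secret store, not on the command line, where
# "ps" and the shell history would expose it.
printf 'hello, this is the constructed plaintext\n' > "$WORK/test.txt"
printf 'correct horse battery staple\n' > "$PASSFILE"

# Encrypt: AES-256-CBC, random salt, PBKDF2 key derivation, base64 output.
encrypt_file() {   # $1 = plaintext path, $2 = ciphertext path
    openssl enc -aes-256-cbc -salt -pbkdf2 -iter 100000 -a \
        -pass file:"$PASSFILE" -in "$1" -out "$2"
}

# Decrypt: same cipher and KDF parameters, -d switches direction.
decrypt_file() {   # $1 = ciphertext path, $2 = plaintext path
    openssl enc -aes-256-cbc -d -pbkdf2 -iter 100000 -a \
        -pass file:"$PASSFILE" -in "$1" -out "$2"
}

# Round trip: succeeds only when the decrypted file equals the original.
roundtrip_ok() {
    encrypt_file "$WORK/test.txt" "$WORK/test.aes"
    decrypt_file "$WORK/test.aes" "$WORK/test.dec"
    cmp -s "$WORK/test.txt" "$WORK/test.dec"
}

# A wrong passphrase must not yield the plaintext. Usually openssl reports
# "bad decrypt" because the padding is wrong; succeed in that case too.
wrong_pass_rejected() {
    encrypt_file "$WORK/test.txt" "$WORK/test.aes"
    printf 'not the passphrase\n' > "$WORK/wrong.txt"
    if openssl enc -aes-256-cbc -d -pbkdf2 -iter 100000 -a \
           -pass file:"$WORK/wrong.txt" -in "$WORK/test.aes" \
           -out "$WORK/bad.dec" 2>/dev/null; then
        # CBC carries no integrity check: about one wrong key in 256 produces
        # valid padding and "succeeds" with garbage, so compare the content.
        ! cmp -s "$WORK/test.txt" "$WORK/bad.dec"
    fi
}

roundtrip_ok && echo "round trip OK"
wrong_pass_rejected && echo "wrong passphrase rejected"
```

The point the wrong-passphrase check makes is that openssl enc gives confidentiality only: there is no MAC, so a tampered ciphertext decrypts to garbage without any error, and the tool refuses authenticated modes such as GCM. For anything beyond a quick file wrap, either use a tool that authenticates the data, or sign the file's digest with a key pair as section III's dgst tool can do.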
II. Using OpenSSL to generate a key pair
1. Generate the private key first
2. Extract the public key from the private key
III. Using OpenSSL one-way encryption (hashing) to extract a file fingerprint
Take the dgst tool with the MD5 algorithm as an example
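An added example that covers sections II and III together; it is not the blog's own command sequence. It generates the key pair, proves that the extracted public key belongs to the private key by comparing moduli, fingerprints a file with dgst using MD5 (as in the post) and SHA-256, and then signs and verifies the file's SHA-256 digest with that key pair. It assumes OpenSSL 1.1.1 or newer (genpkey is used in place of the post's genrsa); the file contents are constructed:

```shell
#!/bin/sh
# Added example: RSA key pair, public-key extraction, file fingerprints with
# "openssl dgst", and a signature over the fingerprint.
set -e
WORK=$(mktemp -d)
printf 'constructed sample file contents\n' > "$WORK/data.txt"   # constructed input

# 1. Private key. Adding -aes256 would encrypt the key file under a
#    passphrase; it is left out only so the example runs unattended.
gen_keypair() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORK/key.pem" 2>/dev/null
    chmod 600 "$WORK/key.pem"      # the private key must not be world-readable
    # 2. Public key extracted from the private key.
    openssl rsa -in "$WORK/key.pem" -pubout -out "$WORK/pub.pem" 2>/dev/null
}

# The public key belongs to the private key exactly when the moduli match.
keys_match() {
    priv=$(openssl rsa -in "$WORK/key.pem" -noout -modulus)
    pub=$(openssl rsa -pubin -in "$WORK/pub.pem" -noout -modulus)
    [ "$priv" = "$pub" ]
}

# 3. Fingerprint with the named algorithm; prints the hex digest only.
#    MD5 is shown because the post uses it, but MD5 collisions are practical,
#    so an MD5 fingerprint no longer proves a file was not swapped; use SHA-256.
fingerprint() {   # $1 = algorithm (md5, sha256, ...), $2 = file
    openssl dgst -"$1" -r "$2" | cut -d' ' -f1
}

# Known-answer checks for the fingerprint helper.
md5_of_abc()    { printf 'abc' > "$WORK/abc.txt"; fingerprint md5    "$WORK/abc.txt"; }
sha256_of_abc() { printf 'abc' > "$WORK/abc.txt"; fingerprint sha256 "$WORK/abc.txt"; }

# Signing binds the digest to the private key; anyone holding pub.pem can
# verify it. This is the primitive a CA applies at scale when it signs
# certificates.
sign_file() {
    openssl dgst -sha256 -sign "$WORK/key.pem" -out "$WORK/data.sig" "$WORK/data.txt"
}
verify_file() {   # $1 = file; succeeds only for the exact signed content
    openssl dgst -sha256 -verify "$WORK/pub.pem" -signature "$WORK/data.sig" \
        "$1" >/dev/null 2>&1
}
tamper_detected() {   # one changed byte must break verification
    printf 'constructed sample file contents!\n' > "$WORK/data2.txt"
    ! verify_file "$WORK/data2.txt"
}

gen_keypair && keys_match && echo "public key matches private key"
echo "md5:    $(fingerprint md5    "$WORK/data.txt")"
echo "sha256: $(fingerprint sha256 "$WORK/data.txt")"
sign_file && verify_file "$WORK/data.txt" && echo "signature verifies"
tamper_detected && echo "altered file rejected"
```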
IV. Using OpenSSL to build a private CA
OpenSSL main configuration file: /etc/pki/tls/openssl.cnf
[ CA_default ]
dir: the CA's home directory
certs: where issued certificates are stored
crl_dir: where revoked certificates (CRLs) are stored
database: the certificate index (database) file
new_certs_dir: where newly issued certificates are stored
certificate: the CA certificate file
serial: the current serial number used when a certificate is issued
crlnumber: the current number of the certificate revocation list
crl: the CRL currently in use
private_key: the CA private key
RANDFILE: private random-number seed file
(1) Generate the private key
(2) Generate the self-signed certificate
(3) Follow-up work
V. Issuing certificates to nodes
(1) The node requests a certificate
1. Generate the private key
2. Generate a certificate signing request
3. Send the request to the CA
(2) The CA signs the certificate
1. Verify the requester's information and sign the certificate
2. Send the signed certificate back to the requester
(3) View certificate information
VI. Revoking certificates (nodes)
(1) Obtain the certificate's serial number (done by the certificate holder)
(2) The CA checks that the serial number and subject submitted by the certificate holder match the entry in the index.txt database file, and then revokes the certificate
(3) Follow-up work when a certificate is revoked for the first time
1. Generate the revocation-list number (crlnumber) file
2. Update the certificate revocation list and view the CRL file
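The whole of sections IV to VI as one added, runnable example; these are not the blog's commands. It builds a throw-away private CA, lets a node request a certificate, signs and verifies it, then revokes it and publishes a CRL. It uses its own openssl.cnf under a temporary directory instead of /etc/pki/tls/openssl.cnf, so it runs as an unprivileged user, and it carries the same [ CA_default ] keys the post lists. It assumes OpenSSL 1.1.1 or newer and a POSIX shell; the subject names ("Example Private CA", node1.example.test) are constructed:

```shell
#!/bin/sh
# Added example: private CA build, certificate issuance, revocation and CRL.
set -e
BASE=$(mktemp -d); CA=$BASE/ca; NODE=$BASE/node
mkdir -p "$CA/certs" "$CA/crl" "$CA/newcerts" "$CA/private" "$NODE"
chmod 700 "$CA/private"

# IV(3) follow-up work: "openssl ca" refuses to issue or revoke until the
# index database, the next serial and the next CRL number exist.
touch "$CA/index.txt"
echo 01 > "$CA/serial"
echo 01 > "$CA/crlnumber"

# Minimal configuration; $dir is escaped so openssl, not the shell, expands it.
cat > "$CA/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir             = $CA
certs           = \$dir/certs
crl_dir         = \$dir/crl
database        = \$dir/index.txt
new_certs_dir   = \$dir/newcerts
certificate     = \$dir/cacert.pem
serial          = \$dir/serial
crlnumber       = \$dir/crlnumber
crl             = \$dir/crl.pem
private_key     = \$dir/private/cakey.pem
RANDFILE        = \$dir/private/.rand
default_md      = sha256
default_days    = 365
default_crl_days = 30
policy          = policy_any
x509_extensions = node_cert
[ policy_any ]
commonName      = supplied
[ req ]
distinguished_name = req_dn
prompt = no
[ req_dn ]
[ ca_cert ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ node_cert ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF

genkey() {   # 2048-bit RSA key, readable by its owner only
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1" 2>/dev/null
    chmod 600 "$1"
}
build_ca() {   # IV(1) CA private key, IV(2) self-signed CA certificate
    genkey "$CA/private/cakey.pem"
    openssl req -new -x509 -key "$CA/private/cakey.pem" -days 3650 \
        -subj "/CN=Example Private CA" -config "$CA/openssl.cnf" \
        -extensions ca_cert -out "$CA/cacert.pem"
}
node_request() {   # V(1) node key and CSR; only the CSR is sent to the CA
    genkey "$NODE/node.key"
    openssl req -new -key "$NODE/node.key" -subj "/CN=node1.example.test" \
        -config "$CA/openssl.cnf" -out "$NODE/node.csr"
}
ca_sign() {   # V(2) check the CSR's self-signature, then issue; -batch skips the y/n prompts
    openssl req -in "$NODE/node.csr" -noout -verify >/dev/null 2>&1
    openssl ca -batch -notext -config "$CA/openssl.cnf" \
        -in "$NODE/node.csr" -out "$NODE/node.crt" 2>/dev/null
}
verify_node() {   # V(3) the issued certificate chains to the CA
    openssl verify -CAfile "$CA/cacert.pem" "$NODE/node.crt" >/dev/null 2>&1
}
node_serial() {   # VI(1) the holder reports the serial number
    openssl x509 -in "$NODE/node.crt" -noout -serial | cut -d= -f2
}
# VI(2) index.txt is tab separated: status, expiry, revoked-on, serial, file, subject
index_status()  { awk -F'\t' -v s="$1" '$4 == s { print $1 }' "$CA/index.txt"; }
index_subject() { awk -F'\t' -v s="$1" '$4 == s { print $6 }' "$CA/index.txt"; }
ca_revoke() {   # VI(2) match serial and subject against index.txt, revoke, VI(3) rebuild the CRL
    s=$(node_serial)
    [ "$(index_status "$s")" = V ] && [ "$(index_subject "$s")" = "/CN=node1.example.test" ]
    openssl ca -config "$CA/openssl.cnf" -revoke "$NODE/node.crt" 2>/dev/null
    openssl ca -config "$CA/openssl.cnf" -gencrl -out "$CA/crl.pem" 2>/dev/null
}
revoked_rejected() {   # with CRL checking enabled, the revoked certificate must fail
    ! openssl verify -crl_check -CAfile "$CA/cacert.pem" -CRLfile "$CA/crl.pem" \
        "$NODE/node.crt" >/dev/null 2>&1
}

build_ca; node_request; ca_sign
verify_node && echo "issued serial $(node_serial) to node1.example.test; chain verifies"
ca_revoke
[ "$(index_status 01)" = R ] && revoked_rejected && echo "serial 01 revoked; CRL rejects it"
```

Two things the script makes visible that the screenshots cannot: revocation only takes effect for relying parties that actually fetch the CRL and verify with it (plain openssl verify without -crl_check still accepts the revoked certificate), and the CA's own private key never leaves the private/ directory, which is why the node sends a CSR rather than its key.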
This article comes from the blog "When the source is clean the stream runs clear; when the form is upright the shadow is straight". Please keep this source link when reproducing it: http://zhouxt.blog.51cto.com/8743763/1641579
OpenSSL encryption, decryption, and self-built CAs