Simple use of OpenSSL to generate secret keys
To add SSL to servers such as Postfix and Apache, and so improve their security,
you need a certificate. The certificate can be obtained from an official CA,
or you can generate one yourself.
The first step is to generate a Certificate Signing Request (CSR);
you then submit the CSR to the official CA, which confirms your identity.
The tool required is OpenSSL. Here we only cover enough of OpenSSL to get a feel for it.
For example, to encrypt a file plain.txt:
$ cat plain.txt
I love OpenSSL!
1. First, check the OpenSSL version.
$ openssl version
OpenSSL 1.0.1c 10 May 2012
2. List the commands available in OpenSSL.
$ openssl list-standard-commands
asn1parse
ca
ciphers
cms
crl
crl2pkcs7
dgst
dh
dhparam
dsa
dsaparam
ec
ecparam
enc
engine
errstr
gendh
gendsa
genpkey
genrsa
nseq
ocsp
passwd
pkcs12
pkcs7
pkcs8
pkey
pkeyparam
pkeyutl
prime
rand
req
rsa
rsautl
s_client
s_server
s_time
sess_id
smime
speed
spkac
srp
ts
verify
version
x509
Some of these commands, explained:
ca: create Certificate Authorities.
dgst: compute hash functions (message digests).
enc: encrypt/decrypt using secret-key (symmetric) algorithms. The key can be derived from a password or read directly from a file.
genrsa: generate a public/private key pair for the RSA algorithm.
passwd: generate hashed passwords.
pkcs12: manage information according to the PKCS #12 standard.
pkcs7: manage information according to the PKCS #7 standard.
rand: generate pseudo-random bit strings.
rsa: RSA key management.
rsautl: encrypt/decrypt or sign/verify signatures with RSA.
verify: verify X.509 certificates.
x509: X.509 certificate management.
We want to encrypt plain.txt, so we use the enc command.
First, let's look at the secret-key (symmetric) algorithms supported by OpenSSL.
$ openssl list-cipher-commands
aes-128-cbc
aes-128-ecb
aes-192-cbc
aes-192-ecb
aes-256-cbc
aes-256-ecb
base64
......
3. Encrypt the file plain.txt.
$ openssl enc -aes-256-cbc -in plain.txt -out encrypted.bin
enter aes-256-cbc encryption password:
Verifying - enter aes-256-cbc encryption password:
$
With the -aes-256-cbc encryption algorithm, a 256-bit secret key is used.
This secret key is derived from the password you provided.
The encrypted output is written to encrypted.bin.
4. To decrypt it with the same password:
$ openssl enc -aes-256-cbc -d -in encrypted.bin -pass pass:hello
I love OpenSSL!
As you can see, the password I provided is hello.
-d indicates that decryption is required.
Generating a public/private key pair works on the same principle,
only with different commands.
# openssl genrsa -out key.pem 1024
A 1024-bit RSA key is generated.
Let's take a look at the contents of key.pem.
# cat key.pem
-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----
# file key.pem
key.pem: PEM RSA private key
You can also display the details of the RSA key (modulus, exponents and so on) in hexadecimal:
# openssl rsa -in key.pem -text -noout
-noout suppresses the Base64-encoded PEM output, so only the text dump is shown.
What we want to do next is to extract the two halves of the key pair from key.pem.
Because we always want the private key to stay hidden, we encrypt it here with Triple DES (3DES):
# openssl rsa -in key.pem -des3 -out enc-key.pem
writing RSA key
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
The public key needs no such protection, because other people use your public key to send you encrypted messages,
or to confirm that a message came from you.
# openssl rsa -in key.pem -pubout -out pub-key.pem
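The whole flow above (password-based AES encryption, RSA key generation, protecting the private key, extracting the public key) as one added script that is not part of the original page. It assumes openssl 1.1.1 or newer on PATH; the file names, the constructed sample text, the -pbkdf2 option, the 2048-bit key size and the final sign/verify step are this example's own choices, not commands from the page.

```shell
#!/bin/sh
# Added example, not from the original page: the steps above carried out end to
# end on constructed sample data in a temporary directory. Assumes `openssl`
# 1.1.1 or newer on PATH (needed for -pbkdf2); file names are our own choice.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
printf 'I love OpenSSL!\n' > "$WORK/plain.txt"   # constructed input

# Symmetric: AES-256-CBC with the key derived from a password. -salt and -pbkdf2
# with many iterations replace the single-pass MD5 derivation that `openssl enc`
# used by default in the 1.0.x series. Returns 0 if the round trip is lossless.
aes_roundtrip() {
    openssl enc -aes-256-cbc -salt -pbkdf2 -iter 100000 -pass "pass:$1" \
        -in "$WORK/plain.txt" -out "$WORK/encrypted.bin"
    openssl enc -aes-256-cbc -d -pbkdf2 -iter 100000 -pass "pass:$1" \
        -in "$WORK/encrypted.bin" -out "$WORK/decrypted.txt"
    cmp -s "$WORK/plain.txt" "$WORK/decrypted.txt"
}

# Asymmetric: generate an RSA key (2048 bits rather than the page's 1024, which
# is below today's minimum), store the private half passphrase-protected with
# AES-256 instead of 3DES, and derive the public half. Returns 0 if the public
# key is identical whether read from the plain or the protected private key.
rsa_keypair() {
    openssl genrsa -out "$WORK/key.pem" 2048 2>/dev/null
    openssl rsa -in "$WORK/key.pem" -aes256 -passout "pass:$1" \
        -out "$WORK/enc-key.pem" 2>/dev/null
    openssl rsa -in "$WORK/key.pem" -pubout -out "$WORK/pub-key.pem" 2>/dev/null
    openssl rsa -in "$WORK/enc-key.pem" -passin "pass:$1" -pubout \
        -out "$WORK/pub-from-enc.pem" 2>/dev/null
    cmp -s "$WORK/pub-key.pem" "$WORK/pub-from-enc.pem"
}

# The public key "confirms the message is from you": sign with the protected
# private key, verify with the public key. Returns 0 when the signature verifies.
sign_and_verify() {
    openssl dgst -sha256 -sign "$WORK/enc-key.pem" -passin "pass:$1" \
        -out "$WORK/plain.sig" "$WORK/plain.txt"
    openssl dgst -sha256 -verify "$WORK/pub-key.pem" \
        -signature "$WORK/plain.sig" "$WORK/plain.txt" >/dev/null
}

# A modified message must not verify against the original signature.
tamper_detected() {
    printf 'I love OpenSSH!\n' > "$WORK/tampered.txt"   # constructed, one letter changed
    ! openssl dgst -sha256 -verify "$WORK/pub-key.pem" \
        -signature "$WORK/plain.sig" "$WORK/tampered.txt" >/dev/null 2>&1
}
```

Run the functions in order (aes_roundtrip, rsa_keypair, sign_and_verify, tamper_detected), each with a passphrase argument; every one exits 0 on success.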