OpenSSL command-line tools:
The openssl binary has numerous sub-commands that implement a variety of cryptographic functions;
Standard sub-commands:
enc, dgst, ca, req, genrsa, rand, rsa, x509, passwd, ...
Symmetric encryption command: enc
Provides symmetric encryption algorithms for manually encrypting data or files;
openssl enc -ciphername [-in filename] [-out filename] [-pass arg] [-e] [-d] [-a/-base64] [-A] [-k password] [-kfile filename] [-K key] [-iv IV] [-S salt] [-salt]
-ciphername: name of the cipher algorithm, e.g. -des3 or -aes-256-cbc;
-in filename: path of the file openssl reads;
-out filename: path of the file in which the result of the encryption or decryption is saved;
-pass arg: where the password comes from (pass:, file:, env:, ...) so that it need not be typed interactively;
-e: encrypt;
-d: decrypt;
-a/-base64: base64-encode the ciphertext when encrypting (and decode it when decrypting) so that the output is printable text;
-salt: add a random salt when deriving the key from the password (the default; -nosalt disables it); the salt is stored in the output, so the same file encrypted twice yields different ciphertext;
Examples:
Encrypt a file:
~]# openssl enc -e -des3 -in anaconda-ks.cfg -a -out anaconda-ks.cfg.encryptfile
Decrypt the file:
~]# openssl enc -d -des3 -in anaconda-ks.cfg.encryptfile -a -out anaconda-ks.cfg.plaintext
(des3 is kept here because the page uses it; for new data prefer an AES cipher such as aes-256-cbc.)
One-way encryption (message digest): dgst
~]# openssl dgst -sha1 /etc/fstab
(SHA-1 is no longer collision resistant; use -sha256 where the digest protects integrity.)
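The following script is an added example, not code from the original page: it runs the enc encrypt/decrypt round trip described above with a modern cipher, shows the effect of -salt, and uses dgst both as a plain digest and as a keyed digest (HMAC) over the ciphertext, because CBC-mode encryption on its own does not detect modification. The plaintext, passphrase and MAC key are constructed values; -pbkdf2 requires OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# Added example, not code from the original page: encrypt and decrypt a file with
# `openssl enc`, then use `openssl dgst` to check integrity, which CBC-mode
# encryption alone does not provide. Plaintext, passphrase and MAC key are constructed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
PASS='constructed-demo-passphrase'   # demo value; prefer -pass file:/env: in scripts
MAC_KEY='constructed-mac-key'        # separate key for the integrity tag

# $1 = plaintext, $2 = output, $3 = passphrase. aes-256-cbc replaces the page's
# legacy des3; -salt stores a random salt in the output, -pbkdf2 (OpenSSL 1.1.1+)
# derives the key with PBKDF2 instead of the weak single-pass EVP_BytesToKey.
encrypt_file() {
    openssl enc -e -aes-256-cbc -salt -pbkdf2 -a -pass "pass:$3" -in "$1" -out "$2"
}
# $1 = ciphertext, $2 = output, $3 = passphrase; the same KDF options must be given.
decrypt_file() {
    openssl enc -d -aes-256-cbc -pbkdf2 -a -pass "pass:$3" -in "$1" -out "$2"
}
# Hex SHA-256 of a file (the page uses -sha1; SHA-1 is no longer collision resistant).
sha256_of() { openssl dgst -sha256 "$1" | awk '{print $NF}'; }
# Keyed digest over a file: without it, a modified ciphertext may decrypt to garbage
# without any error from openssl enc.
hmac_of() { openssl dgst -sha256 -hmac "$2" "$1" | awk '{print $NF}'; }

# Encrypt, decrypt, compare: prints "ok" or "mismatch".
roundtrip() {
    printf 'constructed plaintext: a secret configuration line\n' > "$WORK/plain"
    encrypt_file "$WORK/plain" "$WORK/plain.enc" "$PASS"
    decrypt_file "$WORK/plain.enc" "$WORK/plain.dec" "$PASS"
    if cmp -s "$WORK/plain" "$WORK/plain.dec"; then echo ok; else echo mismatch; fi
}
# Encrypt the same file twice: prints "differ" because of the random salt.
salt_effect() {
    printf 'same input\n' > "$WORK/same"
    encrypt_file "$WORK/same" "$WORK/same.1" "$PASS"
    encrypt_file "$WORK/same" "$WORK/same.2" "$PASS"
    if cmp -s "$WORK/same.1" "$WORK/same.2"; then echo identical; else echo differ; fi
}
# Tag a ciphertext, alter one character of it, re-check the tag: prints "tampered".
tamper_check() {
    printf 'integrity test\n' > "$WORK/t"
    encrypt_file "$WORK/t" "$WORK/t.enc" "$PASS"
    tag=$(hmac_of "$WORK/t.enc" "$MAC_KEY")
    # constructed tampering: replace the first base64 character of the stored ciphertext
    sed '1s/^./Z/' "$WORK/t.enc" > "$WORK/t.enc.bad"
    if [ "$(hmac_of "$WORK/t.enc.bad" "$MAC_KEY")" = "$tag" ]; then echo intact; else echo tampered; fi
}

echo "round trip: $(roundtrip)"
echo "salt:       $(salt_effect)"
echo "tamper:     $(tamper_check)"
```

The HMAC is computed over the ciphertext (encrypt-then-MAC), so a receiver can reject an altered file before attempting decryption; an authenticated mode would fold this into one step, but the enc sub-command does not expose one, which is why the tag is a separate dgst call here.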
Generate random numbers: rand
openssl rand [-out file] [-rand file(s)] [-base64] [-hex] num
Example (8 random bytes, base64-encoded):
~]# openssl rand -base64 8
Generate a salted password hash: passwd
openssl passwd -1 -salt salt_string
-1 selects the MD5-crypt format used in /etc/shadow entries beginning with $1$; the password is prompted for unless given as a final argument or read with -stdin;
Example:
~]# openssl passwd -1 -salt 01234567
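The script below is an added example (not from the original page) that ties the rand and passwd sub-commands together: it draws a random salt with rand, hashes a password with passwd -1 as on the page, and then performs the check a login program does, which is to re-hash the candidate password with the salt stored in the hash and compare. All passwords and salts are constructed at run time.

```shell
#!/bin/sh
# Added example, not code from the original page: a random salt from `openssl rand`,
# a salted password hash from `openssl passwd`, and the verification step a login
# program performs (re-hash the candidate with the stored salt, then compare).
set -eu

# 4 random bytes as 8 hex characters: a valid crypt salt, which must consist of
# [a-zA-Z0-9./]; -base64 output could contain '+' or '=' and is not suitable here.
new_salt() { openssl rand -hex 4; }

# Random password material: 12 bytes -> 16 base64 characters.
random_password() { openssl rand -base64 12; }

# $1 = password, $2 = salt -> "$1$<salt>$<hash>" (MD5-crypt, -1, as on the page;
# OpenSSL 1.1.1+ also offers -5 for SHA-256 crypt and -6 for SHA-512 crypt).
hash_password() { openssl passwd -1 -salt "$2" "$1"; }

# $1 = candidate password, $2 = stored hash -> prints "match" or "no-match".
# The salt is the third '$'-separated field of the stored string, so the
# verifier needs nothing beyond the hash itself.
check_password() {
    stored_salt=$(printf '%s' "$2" | cut -d'$' -f3)
    if [ "$(hash_password "$1" "$stored_salt")" = "$2" ]; then echo match; else echo no-match; fi
}

pw=$(random_password)
h=$(hash_password "$pw" "$(new_salt)")
echo "hash:             $h"
echo "correct password: $(check_password "$pw" "$h")"
echo "wrong password:   $(check_password "not-$pw" "$h")"
```

Because the salt is random per user, two users with the same password get different hashes, which is what the -salt option on the page is for; -1 is kept to match the page, but new deployments should use -6 where the target system supports it.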
Public key cryptography: genrsa
Generate the private key of the RSA algorithm:
openssl genrsa [-out filename] [-des] [-des3] [-idea] [-F4] [-3] [-rand file(s)] [-engine id] [numbits]
For security reasons the private key file must be created with permissions that allow only its owner to read or write it. Because a file's mode is fixed when it is created, set the umask in a subshell before generating the key; either of the following forms is recommended:
~]# (umask 077; openssl genrsa -out /tmp/my.key 4096)
~]# (umask 077; openssl genrsa > /tmp/my.key 4096)
Read the public key out of a generated private key file: rsa
openssl rsa [-in filename] [-out filename] [-pubout]
-pubout: output the public key instead of the private key;
-in filename: path of the private key file;
-out filename: path of the public key file;
~]# openssl rsa -in my.key -out my.key.pub -pubout
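As an added example, not code from the original page, the script below performs the genrsa and rsa steps above in a temporary directory: it generates a key with the umask-in-a-subshell idiom and, for contrast, without it, extracts the public key with -pubout, and confirms that the public key really belongs to the private key by comparing their moduli. Paths and key sizes are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the original page: generate an RSA private key with
# owner-only permissions via umask in a subshell, extract the public key with
# `openssl rsa -pubout`, and confirm the pair belongs together by comparing moduli.
# Paths are temporary and the keys are throwaway.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# $1 = output path, $2 = key size. The umask lives in the subshell only, so the
# caller's umask is unchanged, but the file is created as mode 0600.
gen_private_key() { (umask 077; openssl genrsa -out "$1" "$2" 2>/dev/null); }

# Same command without the umask: the file inherits the caller's umask (often 0644).
gen_private_key_unsafe() { openssl genrsa -out "$1" "$2" 2>/dev/null; }

# $1 = private key, $2 = output path for the public key.
extract_public_key() { openssl rsa -in "$1" -pubout -out "$2" 2>/dev/null; }

# Permission string of a file, e.g. "-rw-------".
file_mode() { ls -ld "$1" | cut -c1-10; }

# "Modulus=..." line of a private key and of a public key.
priv_modulus() { openssl rsa -in "$1" -noout -modulus; }
pub_modulus()  { openssl rsa -pubin -in "$1" -noout -modulus; }

# $1 = private key, $2 = public key -> "match" or "mismatch".
keys_match() {
    if [ "$(priv_modulus "$1")" = "$(pub_modulus "$2")" ]; then echo match; else echo mismatch; fi
}

# Key size in bits, parsed from the "Private-Key: (N bit...)" line of -text output.
key_bits() {
    openssl rsa -in "$1" -noout -text 2>/dev/null \
        | sed -n 's/.*Private-Key: (\([0-9]*\) bit.*/\1/p' | head -n 1
}

gen_private_key "$WORK/my.key" 2048
gen_private_key_unsafe "$WORK/unsafe.key" 2048
extract_public_key "$WORK/my.key" "$WORK/my.key.pub"
echo "with umask 077:   $(file_mode "$WORK/my.key")"
echo "without umask:    $(file_mode "$WORK/unsafe.key")"
echo "key size:         $(key_bits "$WORK/my.key") bits"
echo "public key match: $(keys_match "$WORK/my.key" "$WORK/my.key.pub")"
```

The modulus comparison is the quick check to run whenever a certificate or public key is suspected of not matching the private key on disk; the same -modulus option works on an X.509 certificate with openssl x509.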
Establishing a private CA with OpenSSL:
1. Create a private key on the host on which the CA runs;
2. Generate a self-signed certificate;
3. Provide the directory-level and text-level files the CA requires;
Directory-level files:
/etc/pki/CA/certs
/etc/pki/CA/crl
/etc/pki/CA/newcerts
Text-level files:
/etc/pki/CA/serial: holds the serial number of the next certificate to be issued; the initial serial number is usually 01;
/etc/pki/CA/index.txt: the certificate database (index);
/etc/pki/tls/openssl.cnf: configuration file; its [ CA_default ] section names the directories and files above;
Steps to create the private CA:
1. Create the CA's private key file:
(umask 077; openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048)
2. Generate the self-signed certificate:
openssl req
openssl req [-out filename] [-new] [-x509] [-days n] [-key filename]
-new: create a new request; -x509: output a self-signed certificate instead of a request; -days n: validity period in days; -key filename: the private key to use;
3. Complete the directory and text file structure:
touch /etc/pki/CA/index.txt
echo 01 > /etc/pki/CA/serial
View the contents of the certificate on the CA:
openssl x509 -in /etc/pki/CA/cacert.pem -noout -serial -subject
Revoking a certificate (must be performed on the CA):
1. Get the serial number of the client certificate (replace the path with that of the certificate to be revoked):
openssl x509 -in /etc/pki/CA/certificate -noout -serial
2. Revoke the certificate:
openssl ca -revoke /etc/pki/CA/newcerts/SERIAL.pem
Note: "SERIAL" in the above command is replaced by the serial number of the certificate being revoked; the CA keeps a copy of every certificate it has issued under newcerts/, named after the serial number;
3. Create the CRL number file; this is needed only the first time a certificate is revoked:
echo 01 > /etc/pki/CA/crl/crlnumber
(the file holds the number of the next CRL, so it starts at 01; check that its path matches the crlnumber setting in the [ CA_default ] section of openssl.cnf, otherwise the next step fails)
4. Update the certificate revocation list:
openssl ca -gencrl -out /etc/pki/CA/crl/ca.crl
5. View the CRL:
openssl crl -in /etc/pki/CA/crl/ca.crl -noout -text
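The script below is an added example, not code from the original page, that runs the whole procedure from both sections above end to end: it builds the CA's directory-level and text-level files, creates the CA key and self-signed certificate, issues one certificate, revokes it, regenerates the CRL, and checks the result with openssl verify. It works in a temporary directory with a minimal constructed openssl.cnf that mirrors the [ CA_default ] layout of the system file, so nothing under /etc/pki is touched; the common names are constructed.

```shell
#!/bin/sh
# Added example, not code from the original page: build a throwaway private CA in a
# temporary directory, issue one certificate, revoke it, publish a CRL, and check the
# result with `openssl verify`. The openssl.cnf below is constructed for this demo.
set -eu

CA_DIR=$(mktemp -d)
trap 'rm -rf "$CA_DIR"' EXIT
CFG="$CA_DIR/openssl.cnf"

# Step 3 of the page: directory-level and text-level files, plus the config that
# tells `openssl ca` where they are. serial and crlnumber both start at 01.
setup_ca_layout() {
    mkdir -p "$CA_DIR/certs" "$CA_DIR/crl" "$CA_DIR/newcerts" "$CA_DIR/private"
    chmod 700 "$CA_DIR/private"
    : > "$CA_DIR/index.txt"
    echo 01 > "$CA_DIR/serial"
    echo 01 > "$CA_DIR/crl/crlnumber"
    cat > "$CFG" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir              = $CA_DIR
database         = \$dir/index.txt
new_certs_dir    = \$dir/newcerts
serial           = \$dir/serial
crlnumber        = \$dir/crl/crlnumber
certificate      = \$dir/cacert.pem
private_key      = \$dir/private/cakey.pem
default_days     = 365
default_crl_days = 30
default_md       = sha256
policy           = policy_any
x509_extensions  = usr_cert
[ policy_any ]
commonName = supplied
[ usr_cert ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
}

# Steps 1 and 2 of the page: owner-only CA private key and self-signed CA
# certificate (-subj avoids the interactive prompts). An initial, empty CRL is
# published so that verifiers can already perform CRL checks.
create_ca() {
    setup_ca_layout
    (umask 077; openssl genrsa -out "$CA_DIR/private/cakey.pem" 2048 2>/dev/null)
    openssl req -config "$CFG" -new -x509 -days 3650 -key "$CA_DIR/private/cakey.pem" \
        -subj "/CN=Constructed Demo CA" -out "$CA_DIR/cacert.pem"
    openssl ca -config "$CFG" -gencrl -out "$CA_DIR/crl/ca.crl" 2>/dev/null
}

# $1 = common name. Generates a key and CSR, signs it with the CA and prints the
# certificate path. The CA also keeps a copy under newcerts/<serial>.pem.
issue_cert() {
    openssl genrsa -out "$CA_DIR/$1.key" 2048 2>/dev/null
    openssl req -config "$CFG" -new -key "$CA_DIR/$1.key" -subj "/CN=$1" -out "$CA_DIR/$1.csr"
    openssl ca -config "$CFG" -batch -in "$CA_DIR/$1.csr" -out "$CA_DIR/$1.crt" 2>/dev/null
    echo "$CA_DIR/$1.crt"
}

# Revocation step 1 of the page: serial number of a certificate, e.g. "01".
cert_serial() { openssl x509 -in "$1" -noout -serial | cut -d= -f2; }

# Revocation steps 2 and 4: revoke the copy in newcerts/ and regenerate the CRL.
revoke_cert() {
    openssl ca -config "$CFG" -revoke "$CA_DIR/newcerts/$(cert_serial "$1").pem" 2>/dev/null
    openssl ca -config "$CFG" -gencrl -out "$CA_DIR/crl/ca.crl" 2>/dev/null
}

# $1 = certificate -> "valid", "revoked" or "invalid", judged from the verify
# output so that it also works on old releases whose exit status was always 0.
verify_status() {
    out=$(openssl verify -CAfile "$CA_DIR/cacert.pem" -crl_check \
              -CRLfile "$CA_DIR/crl/ca.crl" "$1" 2>&1) || true
    case $out in
        *": OK") echo valid ;;
        *"certificate revoked"*) echo revoked ;;
        *) echo invalid ;;
    esac
}

create_ca
CRT=$(issue_cert client.constructed.test)
DEMO_BEFORE=$(verify_status "$CRT")
revoke_cert "$CRT"
DEMO_AFTER=$(verify_status "$CRT")
echo "serial $(cert_serial "$CRT"): $DEMO_BEFORE before revocation, $DEMO_AFTER after"
openssl crl -in "$CA_DIR/crl/ca.crl" -noout -text | grep 'Serial Number'   # step 5 of the page
```

The verify call is the check that is missing from the page's procedure: a CRL only protects relying parties that actually fetch it and pass -crl_check (or the equivalent setting in their TLS stack), so after every -gencrl the new file has to be published where those parties look for it.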