Use of the OpenSSL tool and creation of a private CA

Source: Internet
Author: User
Tags: openssl enc, openssl rsa, openssl x509, least privilege

After installation, the OpenSSL package provides three important components:

the encryption library

the SSL-related library files

the OpenSSL command-line tool

Here's a look at the use of the OpenSSL command-line tool:

OpenSSL, like Yum, has dozens of subcommands:


To read the man page for one of these subcommands, first use whatis to see which manual sections document it, so you know which man page to open.

Among the commonly used subcommands are:

1. enc: symmetric encryption and decryption

Usage: openssl enc -ciphername -a [-e] [-salt] -in filename -out filename

Example: openssl enc -des3 -a -in /etc/issue -out /root/issue.des3

-a: use Base64 encoding

-e: encrypt; this is the default and can be omitted

ciphername: name of the encryption algorithm

-d: decrypt (same format)

2. dgst: compute the fingerprint (message digest) of data

Usage: openssl dgst [-md5|-md4|-md2|-sha1|-sha|-mdc2|-ripemd160|-dss1] [-out filename] filename

Example: openssl dgst -md5 /etc/login.defs computes the MD5 fingerprint of the file and prints it to the screen

Other commands that compute data fingerprints: md5sum filename

sha1sum filename

sha*sum filename
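As an added example (not from the blog), the following functions round-trip a file through openssl enc in the -a/-salt form shown above and then use openssl dgst fingerprints to confirm the plaintext came back unchanged. The sample file, paths and passphrase are constructed here; the page's -des3 form takes the same options, but AES-256-CBC with PBKDF2 key derivation is used since 3DES is legacy.

```shell
# Added example, not the blog's own script: encrypt/decrypt round trip with
# openssl enc, verified by comparing openssl dgst fingerprints.
set -eu

# Encrypt $1 into $2 with passphrase $3: Base64 output (-a), random salt (-salt).
enc_file() {
    openssl enc -aes-256-cbc -a -salt -pbkdf2 -pass "pass:$3" -in "$1" -out "$2"
}

# Decrypt $1 into $2: same cipher and options, plus -d.
dec_file() {
    openssl enc -aes-256-cbc -a -d -pbkdf2 -pass "pass:$3" -in "$1" -out "$2"
}

# Print only the hex digest of $1, the way sha256sum does (dgst -r prints "hash *file").
fingerprint() {
    openssl dgst -sha256 -r "$1" | cut -d' ' -f1
}

# Encrypt a constructed sample file, decrypt it again and succeed only if the
# fingerprints of the original and the decrypted copy agree.
roundtrip_check() {
    work=$(mktemp -d)
    printf 'constructed sample plaintext\n' > "$work/plain.txt"
    enc_file "$work/plain.txt" "$work/plain.enc" "$1"
    dec_file "$work/plain.enc" "$work/plain.dec" "$1"
    [ "$(fingerprint "$work/plain.txt")" = "$(fingerprint "$work/plain.dec")" ]
}
```

Because -salt is in effect, every encrypted file starts with the 8-byte "Salted__" header, which in Base64 appears as the prefix U2FsdGVkX1.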

3. rand: generate random numbers

Usage: openssl rand [options] num

Example: openssl rand -base64 9 generates 9 random bytes and prints them Base64-encoded

The output can be saved to a file with -out

4. genrsa: generate a private key (RSA algorithm; the DSA equivalent is gendsa)

Usage: openssl genrsa [-out filename] [-des] [-des3] [numbits]

Example: openssl genrsa -out /root/cacert.key 2048

Generates a 2048-bit private key and saves it to the specified file; options such as -des encrypt the key before it is stored

5. rsa: extract the public key from a private key

Usage: openssl rsa -in filename -pubout

Extracts the public key from the private key file filename; save it either with output redirection or with the -out option

6. x509: view the contents of a certificate

Usage: openssl x509 -text -in filename (the certificate file)

7. req: generate a certificate signing request or a self-signed certificate

Usage: a. Generate a self-signed certificate:

openssl req -new -x509 -key /path/to/private.key -out /path/to/cacert.pem

b. Generate a certificate signing request:

openssl req -new -key /path/to/private.key -out /path/to/cacert.csr

8. ca: certificate authority command, used to sign a certificate request

Usage: openssl ca -in /path/to/cacert.csr -out /path/to/cacert.crt


How to create a private CA on a Red Hat system:

1. Create a key pair

2. Generate a self-signed certificate

On Red Hat systems, installing OpenSSL from the RPM package creates a set of directories and files under /etc/pki/

/etc/pki/tls/openssl.cnf defines the working directory of the CA and the files it must contain

a. Generate the private key in the /etc/pki/CA/private/ directory and save it as a file named cakey.pem (the name can be changed by editing the configuration file mentioned above)

Generate a 2048-bit private key and save it under that file name; note that the file's permissions should be reduced to least privilege, so that only its owner can read it

To avoid errors, check how the CA is defined in /etc/pki/tls/openssl.cnf:

The private key must therefore be named cakey.pem and placed in the specified directory

b. Generate a self-signed certificate. According to the configuration file it should be saved in the /etc/pki/CA directory under the name cacert.pem:

openssl req -new -x509 -key ./private/cakey.pem -out cacert.pem

With the req subcommand, -x509 requests a self-signed certificate

-key specifies the private key

-out specifies where to save the certificate

c. Create the remaining files in the /etc/pki/CA directory as defined by the CA_default section of /etc/pki/tls/openssl.cnf

The CA (certificate authority) is now created and can sign certificate requests for others

When a certificate request is received, sign it with:

openssl ca -in /path/to/cacert.csr -out /path/to/cacert.crt
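As an added example (not the blog's own script), the steps a to c above and the final signing step, carried out in a scratch directory that stands in for /etc/pki/CA. The directory, the minimal configuration file that stands in for /etc/pki/tls/openssl.cnf, and the certificate names are constructed for the example; the key is created under umask 077 so it gets the least-privilege mode the page asks for.

```shell
# Added example (not the blog's script): build the private CA described above in a
# scratch dir standing in for /etc/pki/CA, then sign one request. Names constructed.
set -eu
build_private_ca() {
    ca="$1"
    # Step c: directories and files openssl ca expects (database and serial file).
    mkdir -p "$ca/certs" "$ca/crl" "$ca/newcerts" "$ca/private"
    touch "$ca/index.txt"
    echo 01 > "$ca/serial"
    cat > "$ca/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $ca
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
default_md = sha256
default_days = 365
policy = policy_any
x509_extensions = leaf_ext
[ policy_any ]
commonName = supplied
[ leaf_ext ]
basicConstraints = CA:FALSE
[ req ]
distinguished_name = req_dn
x509_extensions = ca_ext
[ req_dn ]
[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
    # Step a: CA private key with least privilege; umask 077 yields mode 0600.
    (umask 077; openssl genrsa -out "$ca/private/cakey.pem" 2048 2>/dev/null)
    # Step b: self-signed CA certificate (-x509 makes req sign the request itself).
    openssl req -new -x509 -config "$ca/openssl.cnf" -key "$ca/private/cakey.pem" \
        -subj "/CN=Example Private CA" -days 3650 -out "$ca/cacert.pem"
}
# Create a key and CSR for name "$2", sign it as the page's last step does, verify chain.
sign_request() {
    ca="$1" name="$2"
    (umask 077; openssl genrsa -out "$ca/$name.key" 2048 2>/dev/null)
    openssl req -new -config "$ca/openssl.cnf" -key "$ca/$name.key" \
        -subj "/CN=$name" -out "$ca/$name.csr"
    openssl ca -batch -config "$ca/openssl.cnf" -cert "$ca/cacert.pem" \
        -keyfile "$ca/private/cakey.pem" -in "$ca/$name.csr" -out "$ca/$name.crt" 2>/dev/null
    openssl verify -CAfile "$ca/cacert.pem" "$ca/$name.crt" >/dev/null
}
```

After a signing run, index.txt gains a line starting with V (valid) and the serial file is advanced to the next number, which is how openssl ca keeps track of what it has issued.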

This article is from the "Zxcvbnm Xuan ye" blog; please keep this source: http://10764546.blog.51cto.com/10754546/1704612
