After installation, the OpenSSL package provides three important pieces:
the cryptographic library
the SSL-related library files
the openssl command-line tool
Here is a look at the use of the openssl command-line tool:
Like yum, openssl has dozens of subcommands:
To read the man page for one of these subcommands, first use whatis to find out which man section it is in, then open it with man.
Among the commonly used subcommands are:
1. enc: symmetric encryption and decryption
Usage: openssl enc -ciphername -a [-e] [-salt] -in filename -out filename
Example: openssl enc -des3 -a -in /etc/issue -out /root/issue.des3
-a: use Base64 encoding for the output
-e: encrypt (the default behaviour, can be omitted)
ciphername: name of the encryption algorithm
-d: decrypt (same command format)
2. dgst: extract a fingerprint (message digest) of data
Usage: openssl dgst [-md5|-md4|-md2|-sha1|-sha|-mdc2|-ripemd160|-dss1] [-out filename] filename
Example: openssl dgst -md5 /etc/login.defs computes the MD5 fingerprint of the file and prints it to the screen
Other commands that compute data fingerprints: md5sum filename
sha1sum filename
sha*sum filename
3. rand: generate random numbers
Usage: openssl rand [options] num
Example: openssl rand -base64 9 generates 9 random bytes and prints them Base64-encoded
The output can be saved to a file with -out
4. genrsa: generate a private key with the RSA algorithm (for DSA the command is gendsa)
Usage: openssl genrsa [-out filename] [-des] [-des3] [numbits]
Example: openssl genrsa -out /root/cacert.key 2048
Generates a 2048-bit private key and saves it to the specified file; options such as -des encrypt the stored key with a passphrase
5. rsa: extract the public key from a private key
Usage: openssl rsa -in filename -pubout
Extracts the public key from the private key file filename; save it with output redirection or with the -out option
6. x509: view the contents of a certificate
Usage: openssl x509 -text -in filename (the certificate file)
7. req: generate a certificate signing request or a self-signed certificate
Usage:
A. Generate a self-signed certificate:
openssl req -new -x509 -key /path/to/private.key -out /path/to/cacert.pem
B. Generate a certificate signing request:
openssl req -new -key /path/to/private.key -out /path/to/cacert.csr
8. ca: certificate authority command, used to sign a certificate request
Usage: openssl ca -in /path/to/cacert.csr -out /path/to/cacert.crt
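As an added example (not code from the original post), the following shell script exercises the enc and dgst subcommands listed above, but with AES-256-CBC plus PBKDF2 key derivation and SHA-256 in place of the DES3 and MD5 shown in the list, and it checks that decryption reproduces the original file. The file names, sample text and passphrase are constructed for the example; the passphrase is read from a file so it does not appear on the command line or in the process list.

```shell
#!/bin/sh
# Added example: encrypt/decrypt round trip with `openssl enc` and an
# integrity check with `openssl dgst`. All paths and inputs are constructed.
set -e

# Encrypt $1 into $2: Base64 output (-a), random salt, PBKDF2-derived key.
# The passphrase is the first line of file $3 (never given on the command line).
encrypt_file() {
  openssl enc -aes-256-cbc -pbkdf2 -salt -a -in "$1" -out "$2" -pass "file:$3"
}

# Decrypt $1 into $2 with the same cipher, KDF and passphrase file $3.
decrypt_file() {
  openssl enc -d -aes-256-cbc -pbkdf2 -a -in "$1" -out "$2" -pass "file:$3"
}

# Print only the hex SHA-256 fingerprint of file $1 (last field of dgst output).
fingerprint() {
  openssl dgst -sha256 "$1" | awk '{print $NF}'
}

# Exit status 0 when the round trip reproduces the original file exactly.
roundtrip_ok() {
  workdir=$(mktemp -d)
  printf 'constructed sample text\n' > "$workdir/plain.txt"
  printf 'correct horse battery staple\n' > "$workdir/pass.txt"
  chmod 600 "$workdir/pass.txt"   # least privilege on the passphrase file
  encrypt_file "$workdir/plain.txt" "$workdir/plain.enc" "$workdir/pass.txt"
  decrypt_file "$workdir/plain.enc" "$workdir/plain.dec" "$workdir/pass.txt"
  orig=$(fingerprint "$workdir/plain.txt")
  back=$(fingerprint "$workdir/plain.dec")
  rm -rf "$workdir"
  [ "$orig" = "$back" ]
}

roundtrip_ok && echo "round trip OK: fingerprints match"
```

The -pbkdf2 option needs OpenSSL 1.1.1 or later; without it, enc derives the key with a single MD5 iteration, which is why the modern flag is used here.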
How to create a private CA on a Red Hat system:
1. Create a key pair
2. Generate a self-signed certificate
On Red Hat systems, installing OpenSSL from the RPM package creates a series of directories and files under /etc/pki/.
/etc/pki/tls/openssl.cnf defines the CA's working directory and the files it is expected to contain.
a. Generate the private key in the /etc/pki/CA/private/ directory and save it as a file named cakey.pem (the name can be changed by editing the configuration file mentioned above). Generate a 2048-bit private key, save it under that file name, and restrict its permissions to the least privilege needed (readable only by its owner).
To avoid errors, check how the CA is defined in /etc/pki/tls/openssl.cnf:
the private key must be named cakey.pem and placed under the directory given there.
b. Generate a self-signed certificate; as defined by the configuration file, it should be saved in the /etc/pki/CA directory under the name cacert.pem:
openssl req -new -x509 -key ./private/cakey.pem -out cacert.pem
In the req subcommand, -x509 means a self-signed certificate,
-key specifies the private key,
-out specifies where to save the certificate.
c. Create the related files in the /etc/pki/CA directory according to the definitions in the CA_default section of /etc/pki/tls/openssl.cnf.
Now that the CA (certificate authority) is created, it can sign certificate requests for others.
When a certificate request is received, sign it with:
openssl ca -in /path/to/cacert.csr -out /path/to/cacert.crt
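The whole procedure above (steps a to c plus signing a request), as an added example that is not from the original post: it builds the CA in a scratch directory that mirrors the /etc/pki/CA layout instead of the real system directory, and writes a minimal openssl.cnf inline, which is a constructed stand-in for the Red Hat configuration file and not a copy of it. The CA name and the request name are constructed; OpenSSL 1.1.1 or later is assumed.

```shell
#!/bin/sh
# Added example (constructed): a private CA in a scratch directory mirroring
# /etc/pki/CA. The openssl.cnf below is a constructed minimal file, not Red Hat's.
set -e
# Steps a-c: key with least-privilege permissions, self-signed cert, CA database.
make_private_ca() {
  dir="$1"
  mkdir -p "$dir/private" "$dir/newcerts"
  chmod 700 "$dir/private"
  touch "$dir/index.txt"      # certificate database (CA_default: database)
  echo 01 > "$dir/serial"     # next serial number   (CA_default: serial)
  cat > "$dir/openssl.cnf" <<EOF
[ ca ]
default_ca         = CA_default
[ CA_default ]
dir                = $dir
database           = \$dir/index.txt
new_certs_dir      = \$dir/newcerts
serial             = \$dir/serial
certificate        = \$dir/cacert.pem
private_key        = \$dir/private/cakey.pem
default_md         = sha256
default_days       = 365
policy             = policy_any
[ policy_any ]
commonName         = supplied
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints   = critical, CA:TRUE
keyUsage           = critical, keyCertSign, cRLSign
EOF
  (umask 077; openssl genrsa -out "$dir/private/cakey.pem" 2048 2>/dev/null)
  openssl req -new -x509 -key "$dir/private/cakey.pem" -out "$dir/cacert.pem" \
    -days 3650 -subj "/CN=Example Private CA" -config "$dir/openssl.cnf"
}

# Create a key and CSR for $2, sign it with the CA in $1, verify the chain.
sign_request() {
  dir="$1"; name="$2"
  (umask 077; openssl genrsa -out "$dir/$name.key" 2048 2>/dev/null)
  openssl req -new -key "$dir/$name.key" -out "$dir/$name.csr" \
    -subj "/CN=$name" -config "$dir/openssl.cnf"
  openssl ca -config "$dir/openssl.cnf" -batch -in "$dir/$name.csr" \
    -out "$dir/$name.crt" 2>/dev/null
  openssl verify -CAfile "$dir/cacert.pem" "$dir/$name.crt" >/dev/null
}
```

After signing, index.txt gains a line starting with V (valid) for the issued certificate and the serial file is advanced to 02, which is what the real /etc/pki/CA database looks like after the first signature.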
This article is from the "Zxcvbnm Xuan ye" blog; please keep this source: http://10764546.blog.51cto.com/10754546/1704612
Use of the OpenSSL tool and creation of a private CA