Detailed Introduction to OpenSSL Commands (for Linux)

Source: Internet
Uploader: User
Cryptographic algorithms:

  Symmetric encryption algorithms:

  DES, IDEA, RC2, RC4, AES, Skipjack ......

  Asymmetric encryption algorithms:

  RSA, DSA, DiffieHellman, PKCS, PGP ......

  One-way hash algorithms belong to the class of message-digest algorithms, although some of them also come from the OpenSSL library.

  Command operations:

  1. Generate an ordinary private key:

[weigw@TEST src]$ openssl genrsa -out privatekey.key 1024

Generating RSA private key, 1024 bit long modulus
....++++++
.......++++++
e is 65537 (0x10001)

  2. Generate a key protected by an encryption passphrase:

[weigw@TEST src]$ openssl genrsa -des3 -out privatekey.key 1024

Generating RSA private key, 1024 bit long modulus
............++++++
.....................++++++
e is 65537 (0x10001)
Enter pass phrase for privatekey.key:
Verifying - Enter pass phrase for privatekey.key:

  When generating a passphrase-protected key you have to type the passphrase yourself. The following algorithms are currently offered for encrypting the private key:

-des encrypt the generated key with DES in cbc mode

-des3 encrypt the generated key with DES in ede cbc mode (168 bit key)

-aes128, -aes192, -aes256 encrypt PEM output with cbc aes

  Remove the passphrase from the key:

[weigw@TEST src]$ openssl rsa -in privatekey.key -out privatekey.key
Enter pass phrase for privatekey.key:
writing RSA key
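Once the passphrase is stripped, the key file is usable by anyone who can read it, so the check a defender wants is "which private keys on this host are stored unprotected?". The script below is an added example, not part of the article: it answers that from the PEM headers alone (the legacy "Proc-Type: 4,ENCRYPTED" header written by genrsa -des3/-aes*, or the PKCS#8 "ENCRYPTED PRIVATE KEY" marker); the file-name patterns and the directory argument are assumptions.

```shell
#!/bin/sh
# Added example (not from the article): find PEM private keys stored without a passphrase.
# Works on the PEM headers only, so it does not need the openssl binary.

# key_is_encrypted FILE -> exit 0 if the key is passphrase-protected, 1 otherwise
key_is_encrypted() {
  # "openssl genrsa -des3/-aes128..." writes a legacy header "Proc-Type: 4,ENCRYPTED";
  # PKCS#8 output (openssl pkcs8 / genpkey) uses a distinct BEGIN marker instead.
  grep -q -e '^Proc-Type: 4,ENCRYPTED' \
          -e '^-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1"
}

# list_plaintext_keys DIR -> prints the path of every unprotected private key, one per line
# (file-name patterns are an assumption; adjust them to the host's conventions)
list_plaintext_keys() {
  find "$1" -type f \( -name '*.key' -o -name '*.pem' \) | while read -r f; do
    # skip certificates, CSRs and public keys: they carry no private-key BEGIN line
    grep -q '^-----BEGIN .*PRIVATE KEY-----' "$f" || continue
    key_is_encrypted "$f" || echo "$f"
  done
}

# Stand-alone use: sh keycheck.sh /etc/ssl/private
if [ $# -gt 0 ]; then list_plaintext_keys "$1"; fi
```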

 
  Generate a certificate from the private key just produced:

[weigw@TEST src]$ openssl req -new -x509 -key privatekey.key -out cacert.crt -days 1095

You are about to be asked to enter information that will be incorporated into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [GB]:CN

State or Province Name (full name) [Berkshire]:beijing

Locality Name (eg, city) [Newbury]:beijing

Organization Name (eg, company) [My Company Ltd]:wondersoft

Organizational Unit Name (eg, section) []:develop

Common Name (eg, your name or your server's hostname) []:WeiGW

Email Address []:weigongwan@sina.com

  When generating the certificate you are prompted to enter some personal information.

  Generate the public key from the private key:

[weigw@TEST src]$ openssl rsa -in privatekey.key -pubout -out pubkey.key
writing RSA key

  Format conversion (certificate, private key, public key) (PEM <-----> DER):

[weigw@TEST src]$ openssl x509 -in cacert.crt -inform PEM -out cacert.der -outform DER

[weigw@TEST src]$

 

[weigw@TEST src]$ openssl rsa -in privatekey.key -inform PEM -out privatekey.der -outform DER

writing RSA key

[weigw@TEST src]$ openssl rsa -pubin -in pubkey.key -inform PEM -pubout -out pubkey.der -outform DER

writing RSA key

  Converting from DER to PEM works the same way: change the -inform value to DER and the -outform value to PEM.

  Below is a way to generate the certificates and private keys for server and client authentication (server.crt, client.crt, ca.crt):

  Step 1: generate the private keys

[weigw@TEST bin]$ openssl genrsa -out server.key 1024
Generating RSA private key, 1024 bit long modulus
.++++++
...........++++++
e is 65537 (0x10001)
[weigw@TEST bin]$ openssl genrsa -out client.key 1024
Generating RSA private key, 1024 bit long modulus
...++++++
................++++++
e is 65537 (0x10001)
[weigw@TEST bin]$ openssl genrsa -out ca.key 1024
Generating RSA private key, 1024 bit long modulus
.........++++++
.........++++++
e is 65537 (0x10001)

 

  Step 3: request the certificates (sign the request files)

[weigw@TEST bin]$ openssl ca -in server.csr -out server.crt -cert ca.crt -keyfile ca.key

[weigw@TEST bin]$ openssl ca -in client.csr -out client.crt -cert ca.crt -keyfile ca.key

  If an error message appears at this step:

[weigw@TEST bin]$ openssl ca -in client.csr -out client.crt -cert ca.crt -keyfile ca.key

Using configuration from /usr/share/ssl/openssl.cnf
I am unable to access the ./demoCA/newcerts directory
./demoCA/newcerts: No such file or directory

[weigw@TEST bin]$

  Create the CA directory structure by hand:
  [weigw@TEST bin]$ mkdir ./demoCA
  [weigw@TEST bin]$ mkdir demoCA/newcerts
  Create an empty file:
  [weigw@TEST bin]$ vi demoCA/index.txt
  Write 01 into this file:
  [weigw@TEST bin]$ vi demoCA/serial
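The procedure from step 1 through the hand-built demoCA directory, as one runnable script. This is an added example, not code from the article: it creates the directory, index.txt and serial files exactly as described, also produces the certificate signing request that sits between step 1 and step 3, signs it with openssl ca, and checks the result with openssl verify. The inline configuration (used instead of the system openssl.cnf), the 2048-bit key size, the subject names and the file names are assumptions.

```shell
#!/bin/sh
# Added example (not from the article): hand-built demoCA layout, CSR, signing with
# "openssl ca" and a chain check. Config contents, names and key size are assumptions.
# build_demo_ca DIR -> exit 0 when the signed server.crt verifies against ca.crt
build_demo_ca() (
  set -e
  cd "$1"
  mkdir -p demoCA/newcerts           # the directory the error message complained about
  : > demoCA/index.txt               # empty certificate database
  echo 01 > demoCA/serial            # next serial number to issue
  # Minimal config so the run does not depend on the system openssl.cnf
  cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir = ./demoCA
database = $dir/index.txt
new_certs_dir = $dir/newcerts
serial = $dir/serial
certificate = ./ca.crt
private_key = ./ca.key
default_md = sha256
default_days = 365
policy = policy_any
[ policy_any ]
commonName = supplied
countryName = optional
organizationName = optional
[ req ]
distinguished_name = req_dn
[ req_dn ]
EOF
  # Step 1: private keys for the CA and the server (2048 bits instead of the article's 1024)
  openssl genrsa -out ca.key 2048 2>/dev/null
  openssl genrsa -out server.key 2048 2>/dev/null
  # Self-signed CA certificate; -subj replaces the interactive DN prompts
  openssl req -new -x509 -key ca.key -out ca.crt -days 1095 -subj "/CN=Demo CA" -config ca.cnf
  # Step 2: certificate signing request for the server key
  openssl req -new -key server.key -out server.csr -subj "/CN=server.example.test" -config ca.cnf
  # Step 3: sign the request with the CA; -batch skips the y/n confirmation
  openssl ca -batch -config ca.cnf -in server.csr -out server.crt -cert ca.crt -keyfile ca.key 2>/dev/null
  # Check the chain the way a relying party would
  openssl verify -CAfile ca.crt server.crt
)
# Stand-alone run: DEMO_CA_RUN=1 sh demo_ca.sh
if [ -n "${DEMO_CA_RUN:-}" ]; then build_demo_ca "$(mktemp -d)"; fi
```

After a successful run demoCA/index.txt holds one entry and demoCA/serial has advanced to 02, which is the state openssl ca expects before the next request.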

  Merge the certificate file (crt) and the private key file (key):

[weigw@TEST bin]$ cat client.crt client.key > client.pem
[weigw@TEST bin]$ cat server.crt server.key > server.pem

  Combine them into a pfx certificate:

[weigw@TEST bin]$ openssl pkcs12 -export -clcerts -in client.crt -inkey client.key -out client.p12

Enter Export Password:

Verifying - Enter Export Password:

[weigw@TEST bin]$ openssl pkcs12 -export -clcerts -in server.crt -inkey server.key -out server.p12
Enter Export Password:
Verifying - Enter Export Password:

  Dump the certificate as text:

[weigw@TEST bin]$ openssl pkcs12 -in client.p12 -out client.txt
Enter Import Password:

MAC verified OK

Enter PEM pass phrase: Verifying - Enter PEM pass phrase:

[weigw@TEST bin]$ openssl pkcs12 -in server.p12 -out server.txt

Enter Import Password:

MAC verified OK

Enter PEM pass phrase: Verifying - Enter PEM pass phrase:

  Display on screen (certificate, private key, public key):

[weigw@TEST bin]$ openssl x509 -in client.crt -noout -text -modulus

[weigw@TEST bin]$ openssl rsa -in server.key -noout -text -modulus

[weigw@TEST bin]$ openssl rsa -pubin -in server.pub -noout -text -modulus

  Obtain DH parameters:

[weigw@TEST bin]$ openssl dhparam -out dh1024.pem 1024
