This article was last updated 257 days ago; the information in it may be out of date. If you find errors, please email wuxianglongblog@163.com
Lab setup
OS release    IP address    Hostname
CentOS6       172.20.3.6    node1
CentOS7       172.20.3.7    node2
CentOS8       172.20.3.8    node3
Install openssl
[root@centos6 data]# yum -y install openssl
Query the openssl package information
[root@centos6 data]# rpm -qi openssl
1. Using the openssl command
Symmetric encryption with openssl
On node1, use the openssl enc command to symmetrically encrypt the file file1 into file1.ciper
Create the file used in the lab
[root@centos6 data]# echo "Nanjing_Bokebi" > file1
View the file contents before encryption
[root@centos6 data]# cat file1
Nanjing_Bokebi
Encrypt the file with openssl; choose your own password and remember it
[root@centos6 data]# openssl enc -des3 -a -salt -in file1 -out file1.ciper
enter des-ede3-cbc encryption password:
Verifying - enter des-ede3-cbc encryption password:
View the file contents after encryption
[root@centos6 data]# cat file1.ciper
U2FsdGVkX1+kfaMujJo2ee8hy653NgsTk+peF8b8UQI=
Relevant entries from the openssl man page (the subcommands used in this lab):
  enc       Encoding with Ciphers.
  des3      Triple-DES Cipher
            -passin and -passout for input and output passwords respectively
  dgst      Message Digest Calculation.
  genpkey   Generation of Private Key or Parameters.
  x509      X.509 Certificate Data Management.
  genrsa    Generation of RSA Private Key. Superceded by genpkey.
  req       PKCS#10 X.509 Certificate Signing Request (CSR) Management.
  ca        Certificate Authority (CA) Management.
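The encryption step above is interactive and never shows the decryption side. The following script is an added example, not part of the original post: it runs the enc round trip non-interactively with -pass pass:..., shows what a wrong password yields, and decodes the "U2FsdGVkX1" prefix seen in file1.ciper. The plaintext, password and file names are constructed for the example; aes-256-cbc with -pbkdf2 is used in place of the page's des3 with the legacy key derivation and needs OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# Added example (not from the original post): scripted encrypt/decrypt round
# trip with openssl enc. The plaintext, password and file names are
# constructed for this example. aes-256-cbc with -pbkdf2 replaces the page's
# des3 with the legacy EVP_BytesToKey derivation (needs OpenSSL 1.1.1+).
set -e

# Encrypt file $1 to $2 under password $3. -salt makes every run produce a
# different ciphertext for the same input; -a base64-encodes the output.
encrypt_file() {
    openssl enc -aes-256-cbc -pbkdf2 -salt -a -in "$1" -out "$2" -pass "pass:$3"
}

# Decrypt file $1 to stdout under password $2; -d switches enc to decryption.
# A wrong password normally fails the PKCS#7 padding check ("bad decrypt").
decrypt_file() {
    openssl enc -aes-256-cbc -pbkdf2 -d -a -in "$1" -pass "pass:$2" 2>/dev/null
}

# Encrypt a string, decrypt it again, and print what came back.
enc_roundtrip() {  # $1 = plaintext, $2 = password
    dir=$(mktemp -d)
    printf '%s\n' "$1" > "$dir/file1"
    encrypt_file "$dir/file1" "$dir/file1.ciper" "$2"
    decrypt_file "$dir/file1.ciper" "$2" || true
    rm -rf "$dir"
}

# Decrypt with the wrong password and report whether the plaintext came back.
# CBC has no authentication: a wrong key yields garbage or a padding error,
# and openssl cannot tell a tampered ciphertext from a genuine one either.
wrong_password_result() {  # $1 = plaintext, $2 = right password, $3 = wrong password
    dir=$(mktemp -d)
    printf '%s\n' "$1" > "$dir/file1"
    encrypt_file "$dir/file1" "$dir/file1.ciper" "$2"
    out=$(decrypt_file "$dir/file1.ciper" "$3" || true)
    rm -rf "$dir"
    if [ "$out" = "$1" ]; then echo "plaintext recovered"; else echo "not recovered"; fi
}

# The base64 text on the page starts with "U2FsdGVkX1" because the raw
# ciphertext begins with the 8-byte marker "Salted__" followed by the salt:
# the salt is stored in the clear, only the key derived from it is secret.
ciphertext_marker() {  # $1 = password
    dir=$(mktemp -d)
    printf 'Nanjing_Bokebi\n' > "$dir/file1"
    encrypt_file "$dir/file1" "$dir/file1.ciper" "$1"
    openssl base64 -d -in "$dir/file1.ciper" | head -c 8
    rm -rf "$dir"
}

# Two encryptions of the same file differ because of the random salt.
salt_effect() {  # $1 = password
    dir=$(mktemp -d)
    printf 'Nanjing_Bokebi\n' > "$dir/file1"
    encrypt_file "$dir/file1" "$dir/a.ciper" "$1"
    encrypt_file "$dir/file1" "$dir/b.ciper" "$1"
    if cmp -s "$dir/a.ciper" "$dir/b.ciper"; then echo same; else echo different; fi
    rm -rf "$dir"
}

echo "round trip:     $(enc_roundtrip Nanjing_Bokebi s3cret)"
echo "wrong password: $(wrong_password_result Nanjing_Bokebi s3cret guess)"
echo "header bytes:   $(ciphertext_marker s3cret)"
echo "salted twice:   $(salt_effect s3cret)"
```

Passing the password on the command line with -pass pass: is convenient for a lab but leaves it in shell history and process listings; -pass file: or -pass env: is the usual choice in scripts.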
2. Use openssl to generate a message digest and compare it with the output of the md5sum command; the two should be identical
Generate the digest with openssl's md5
[root@centos6 data]# openssl dgst -md5 file1
Generate the md5 digest with md5sum
[root@centos6 data]# md5sum file1
Comparison done
3. Use openssl to generate a password hash
With the same password the hash differs every time, because a different random salt is used by default:
[root@centos6 data]# md5sum file1
11c18ad7ba0563f82b7c9ad9ac279116 file1
# the password entered here is 111111
[root@centos6 data]# openssl passwd -1
Password:
Verifying - Password:
$1$/WHzwxCy$.Xfi/hv2Xeo/IrUeip9cb/
# the password entered here is 111111
[root@centos6 data]# openssl passwd -1
Password:
Verifying - Password:
$1$NIoMRvlL$Ku4O4SufXGh0zPETaU1.N/
Note: -1 means use md5.
Now specify the same salt explicitly and enter the same password; the result should be identical:
# the password entered here is 111111
[root@centos6 data]# openssl passwd -1
Password:
Verifying - Password:
$1$7Fycb/Kv$oKuCnE7qivCSAmDQlzc.a.
# same salt as above, password still 111111: the generated hash is the same as last time
[root@centos6 data]# openssl passwd -1 -salt 7Fycb/Kv
Password:
$1$7Fycb/Kv$oKuCnE7qivCSAmDQlzc.a.
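The salt experiment above is exactly how a login check works: the salt is read back out of the stored string and the hash is recomputed. The script below is an added example, not from the original post. It verifies a candidate password against a stored $1$salt$hash string, and goes beyond the page's -1 (md5crypt) by also accepting $5$ (-5, sha256crypt) and $6$ (-6, sha512crypt), which need OpenSSL 1.1.1 or later. The md5crypt hash used is the one from the page; the sha512crypt salt "Ab12cd34" and the candidate passwords are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): checking a candidate password
# against a stored crypt-style hash the way a login routine does, by pulling
# the salt out of the stored string and recomputing with openssl passwd.
# -5 and -6 need OpenSSL 1.1.1+. The md5crypt hash below is the one from the
# page; the sha512crypt salt "Ab12cd34" and the passwords are constructed.
set -e

# Print "match" or "mismatch" for stored hash $1 and candidate password $2.
# The stored string has the form $N$salt$hash: the salt is public, the
# function only recomputes with it and compares.
verify_crypt_hash() {
    stored=$1; password=$2
    case "$stored" in
        '$1$'*) algo=-1 ;;      # md5crypt: no cost parameter, fast to brute-force
        '$5$'*) algo=-5 ;;      # sha256crypt
        '$6$'*) algo=-6 ;;      # sha512crypt: what modern /etc/shadow uses
        *)      echo unsupported; return 0 ;;
    esac
    salt=$(printf '%s' "$stored" | cut -d'$' -f3)     # field 3 of $N$salt$hash
    recomputed=$(openssl passwd "$algo" -salt "$salt" "$password")
    if [ "$recomputed" = "$stored" ]; then echo match; else echo mismatch; fi
}

# Hash a new password with sha512crypt and an explicit salt (up to 16 chars
# from [A-Za-z0-9./]); omit -salt to let openssl pick a random one, as the
# page shows for -1.
hash_sha512crypt() {  # $1 = password, $2 = salt
    openssl passwd -6 -salt "$2" "$1"
}

PAGE_HASH='$1$7Fycb/Kv$oKuCnE7qivCSAmDQlzc.a.'
echo "page hash, 111111: $(verify_crypt_hash "$PAGE_HASH" 111111)"
echo "page hash, 111112: $(verify_crypt_hash "$PAGE_HASH" 111112)"
NEW_HASH=$(hash_sha512crypt 111111 Ab12cd34)
echo "new hash: $NEW_HASH"
echo "new hash, 111111: $(verify_crypt_hash "$NEW_HASH" 111111)"
```

For anything that stores real passwords, prefer -6 over -1: md5crypt has a fixed, small work factor and is considered obsolete.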
4. Use openssl to generate pseudo-random content and display it in base64
View the help
[root@centos6 data]# openssl rand help
Usage: rand [options] num
where options are
-out file - write to file
-engine e - use engine e, possibly a hardware device.
-rand file:file:... - seed PRNG from files
-base64 - base64 encode output
-hex - hex encode output
# the output is different every time
[root@centos6 data]# openssl rand -base64 10
9QTadv6i2F1Y5w==
[root@centos6 data]# openssl rand -base64 10
JTiDEQ2XoYfYhg==
[root@centos6 data]# openssl rand -base64 10
3ilQ8y2denWyoQ==
5. Use openssl to generate a public/private key pair
Generate an RSA private key
[root@centos6 data]# (umask 066;openssl genrsa -out private.key 1024)
Generating RSA private key, 1024 bit long modulus
............++++++
......................++++++
e is 65537 (0x10001)
# RSA private key encrypted with des
[root@centos6 data]# (umask 066;openssl genrsa -out private.key -des 1024)
Generating RSA private key, 1024 bit long modulus
.........++++++
..............................................................++++++
e is 65537 (0x10001)
Enter pass phrase for private.key:
Verifying - Enter pass phrase for private.key:
Decrypt the private key
[root@centos6 data]# openssl rsa -in private.key -out private2.key
Generate the public key from the corresponding private key
[root@centos6 data]# openssl rsa -in private2.key -pubout -out public.key
writing RSA key
6. Use openssl to generate a CA-signed certificate
On node1, generate the RSA private key in the /etc/pki/CA directory
[root@centos6 CA]# yum -y install tree
[root@centos6 CA]# cd /etc/pki/CA
[root@centos6 CA]# tree
.
├── certs
├── crl
├── newcerts
└── private
[root@centos6 CA]# cd private/
[root@centos6 private]# (umask 077;openssl genrsa -out cakey.pem 4096)
Generating RSA private key, 4096 bit long modulus
......................................................................++
.......................................................................................................................................................................................................++
e is 65537 (0x10001)
Generate the self-signed certificate
[root@centos6 private]# openssl req -new -x509 -key cakey.pem -out cacert.pem -days 3650
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:beijing
Organization Name (eg, company) [Default Company Ltd]:magedu
Organizational Unit Name (eg, section) []:M39
Common Name (eg, your name or your server's hostname) []:app1.bokebi.cn
Email Address []:
# country code
Country Name
# province
State or Province Name
# city
Locality Name
# organization
Organization Name
# department
Organizational Unit Name
# site name
Common Name
# email
Email Address
View the full contents of the self-signed certificate
[root@centos6 private]# openssl x509 -in cacert.pem -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 16610345265248671419 (0xe683cd036bbd16bb)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=CN, ST=beijing, L=beijing, O=magedu, OU=M39, CN=app1.bokebi.cn
Validity
Not Before: Nov 7 02:04:48 2019 GMT
Not After : Nov 4 02:04:48 2029 GMT
Subject: C=CN, ST=beijing, L=beijing, O=magedu, OU=M39, CN=app1.bokebi.cn
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (4096 bit)
...
(remaining output omitted)
View the self-signed certificate in brief: the issuer and the validity period
[root@centos6 private]# openssl x509 -in cacert.pem -noout -issuer
issuer= /C=CN/ST=beijing/L=beijing/O=magedu/OU=M39/CN=app1.bokebi.cn
[root@centos6 private]# openssl x509 -in cacert.pem -noout -dates
notBefore=Nov 7 02:04:48 2019 GMT
notAfter=Nov 4 02:04:48 2029 GMT
7. The client requests a certificate from the CA
Generate the private key on node2
[root@centos7 ~]# (umask 077;openssl genrsa -out app.key 1024)
Generating RSA private key, 1024 bit long modulus
..++++++
.............................................++++++
e is 65537 (0x10001)
On node2, use the private key to generate the certificate signing request file for the CA
[root@centos7 ~]# openssl req -new -key app.key -out app.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:bejing
Organization Name (eg, company) [Default Company Ltd]:magedu
Organizational Unit Name (eg, section) []:M39
Common Name (eg, your name or your server's hostname) []:app2.bokebi.cn
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
# country code
Country Name
# province
State or Province Name
# city
Locality Name
# organization
Organization Name
# department
Organizational Unit Name
# site name
Common Name
# email
Email Address
# password
A challenge password
# optional company name
An optional company name
Send the CA request from node2 to node1
[root@centos7 ~]# scp app.172.20.3.6:/root/
usage: scp [-12346BCpqrv] [-c cipher] [-F ssh_config] [-i identity_file]
[-l limit] [-o ssh_option] [-P port] [-S program]
[[user@]host1:]file1 ... [[user@]host2:]file2
[root@centos7 ~]# scp app.csr 172.20.3.6:/root/
The authenticity of host '172.20.3.6 (172.20.3.6)' can't be established.
RSA key fingerprint is SHA256:7zGkQRWLMsj3tHzeRRq/P+I80Uh/yfHMZ/ElDI15ogw.
RSA key fingerprint is MD5:36:2c:35:3f:46:df:69:f2:9a:b3:32:24:ef:cd:e7:bf.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '172.20.3.6' (RSA) to the list of known hosts.
root@172.20.3.6's password:
app.csr 100% 651 806.8KB/s 00:00
On node1, create two files under /etc/pki/CA/: index.txt and serial
[root@centos6 private]# touch /etc/pki/CA/index.txt
[root@centos6 private]# echo 0F > /etc/pki/CA/serial
Sign the certificate for app.csr
# Note: at this point cacert.pem must be in the CA directory (/etc/pki/CA/), where the configuration expects it
[root@centos6 CA]# openssl ca -in /root/app1.csr -out /etc/pki/CA/certs/app1.crt -days 100
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Nov 7 02:48:48 2019 GMT
Not After : Feb 15 02:48:48 2020 GMT
...
(remaining output omitted)
You need to type y twice (once to sign, once to commit)
Generate another certificate on node2 using the same private key:
On node2, generate a CA signing request and send it to node1:
Generate the certificate signing request
[root@centos7 ~]# openssl req -new -key app.key -out app2.csr
Send the certificate request to node1
[root@centos7 ~]# scp app2.csr 172.20.3.6:/root/
On node1, sign the certificate signing request for app2:
[root@centos6 java]# openssl ca -in /root/app2.csr -out /etc/pki/CA/certs/app2.crt -days 100
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 17 (0x11)
Validity
Not Before: Nov 7 03:29:30 2019 GMT
Not After : Feb 15 03:29:30 2020 GMT
...
(remaining output omitted)
You need to type y twice
# If this error appears
failed to update database
TXT_DB error number 2
# Fix
rm -f /etc/pki/CA/index.txt
touch /etc/pki/CA/index.txt
Or use a different Common Name (site name) in the request
8. Revoking a certificate
On node1, list the signed certificates and revoke one of them:
[root@centos6 certs]# cat /etc/pki/CA/index.txt
V 200215034233Z 0F unknown /C=CN/ST=beijing/O=magedu/OU=M39/CN=app1.bokebi.cn
V 200215034243Z 10 unknown /C=CN/ST=beijing/O=magedu/OU=M39/CN=app2.bokebi.cn
[root@centos6 certs]# openssl ca -status 10
Using configuration from /etc/pki/tls/openssl.cnf
10=Valid (V)
[root@centos6 certs]# openssl ca -revoke /etc/pki/CA/newcerts/10.pem
Using configuration from /etc/pki/tls/openssl.cnf
Revoking Certificate 10.
Data Base Updated
[root@centos6 certs]# cat /etc/pki/CA/index.txt
V 200215034233Z 0F unknown /C=CN/ST=beijing/O=magedu/OU=M39/CN=app1.bokebi.cn
R 200215034243Z 191107034422Z 10 unknown /C=CN/ST=beijing/O=magedu/OU=M39/CN=app2.bokebi.cn
[root@centos6 certs]# openssl ca -status 10
Using configuration from /etc/pki/tls/openssl.cnf
10=Revoked (R)
On node1, generate the certificate revocation list (CRL)
[root@centos6 certs]# echo 1F > /etc/pki/CA/crlnumber
[root@centos6 certs]# openssl ca -gencrl -out /etc/pki/CA/crl.pem
Using configuration from /etc/pki/tls/openssl.cnf
[root@centos6 CA]# cat /etc/pki/CA/crlnumber
20
[root@centos6 CA]# openssl crl -in /etc/pki/CA/crl.pem -noout -text
Certificate Revocation List (CRL):
Version 2 (0x1)
Signature Algorithm: sha1WithRSAEncryption
Issuer: /C=CN/ST=beijing/L=beijing/O=magedu/OU=M39/CN=www.bokebi.cn
Last Update: Nov 7 03:54:27 2019 GMT
Next Update: Dec 7 03:54:27 2019 GMT
...
(remaining output omitted)
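Sections 6 to 8 above depend on the /etc/pki/CA layout, the system openssl.cnf and interactive prompts, and the TXT_DB error in section 7 is worked around by wiping index.txt. The script below is an added example, not from the original post, and is not the author's setup: it runs the same flow (CA key and self-signed certificate, client key and CSR, signing with openssl ca, revocation, CRL, and the relying party's verify with -crl_check) in a temporary directory with its own minimal openssl.cnf. It sets unique_subject = no, which is the configuration alternative to deleting index.txt when a request with an already-issued subject is signed. The names (Lab Root CA, app1/app2.bokebi.cn), paths and serial values are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original post): the CA flow of sections 6-8
# run non-interactively in a temporary directory with its own minimal
# openssl.cnf, so it needs neither /etc/pki/CA nor the system config.
# All names (Lab Root CA, app1/app2.bokebi.cn), paths and serial values
# are constructed for this example.
set -e

# Build the CA directory the page creates by hand (index.txt, serial,
# newcerts, crlnumber) and write the config that "openssl ca" reads.
# unique_subject = no lets the CA sign a second request for an already
# issued subject instead of failing with "TXT_DB error number 2".
setup_ca() {
    WORK=$(mktemp -d); CFG="$WORK/openssl.cnf"
    mkdir -p "$WORK/newcerts" "$WORK/private"
    : > "$WORK/index.txt"
    echo 01 > "$WORK/serial"
    echo 01 > "$WORK/crlnumber"
    cat > "$CFG" <<EOF
[ ca ]
default_ca = lab_ca
[ lab_ca ]
dir              = $WORK
database         = \$dir/index.txt
new_certs_dir    = \$dir/newcerts
certificate      = \$dir/cacert.pem
private_key      = \$dir/private/cakey.pem
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
default_md       = sha256
default_days     = 100
default_crl_days = 30
unique_subject   = no
policy           = policy_any
[ policy_any ]
countryName            = optional
organizationName       = optional
organizationalUnitName = optional
commonName             = supplied
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage         = critical,keyCertSign,cRLSign
EOF
    # CA key with umask 077 as on the page, then the self-signed CA cert
    (umask 077; openssl genrsa -out "$WORK/private/cakey.pem" 2048 2>/dev/null)
    openssl req -config "$CFG" -new -x509 -key "$WORK/private/cakey.pem" \
        -out "$WORK/cacert.pem" -days 3650 -subj "/C=CN/O=magedu/CN=Lab Root CA"
}

# Client side (node2): private key and CSR; -subj replaces the DN dialog.
# CA side (node1): openssl ca signs it; -batch answers the two "y" prompts.
issue_cert() {  # $1 = file prefix, $2 = Common Name
    (umask 077; openssl genrsa -out "$WORK/$1.key" 2048 2>/dev/null)
    openssl req -config "$CFG" -new -key "$WORK/$1.key" -out "$WORK/$1.csr" \
        -subj "/C=CN/O=magedu/OU=M39/CN=$2"
    openssl ca -config "$CFG" -batch -notext -days 100 \
        -in "$WORK/$1.csr" -out "$WORK/$1.crt" 2>/dev/null
}

revoke_cert() { openssl ca -config "$CFG" -revoke "$WORK/$1.crt" 2>/dev/null; }

# A revocation only reaches relying parties once a new CRL is published.
gen_crl() { openssl ca -config "$CFG" -gencrl -out "$WORK/crl.pem" 2>/dev/null; }

# Status letter (V or R) of a certificate in the CA database, found by serial.
db_status() {  # $1 = file prefix
    serial=$(openssl x509 -in "$WORK/$1.crt" -noout -serial | sed 's/^serial=//')
    awk -F'\t' -v s="$serial" '$4 == s { print $1 }' "$WORK/index.txt"
}

# What a relying party sees: chain check against the CA cert plus CRL check.
check_cert() {  # $1 = file prefix; prints valid, revoked or invalid
    out=$(openssl verify -crl_check -CAfile "$WORK/cacert.pem" \
          -CRLfile "$WORK/crl.pem" "$WORK/$1.crt" 2>&1 || true)
    case "$out" in
        *"certificate revoked"*) echo revoked ;;
        *": OK"*)                echo valid ;;
        *)                       echo invalid ;;
    esac
}

run_demo() {
    setup_ca
    issue_cert app1 app1.bokebi.cn
    issue_cert app2 app2.bokebi.cn
    issue_cert app2b app2.bokebi.cn      # same subject again: allowed by unique_subject = no
    gen_crl                               # empty CRL, so -crl_check has one to consult
    before=$(check_cert app2)
    revoke_cert app2
    gen_crl                               # re-issue the CRL after revoking
    echo "app2 before=$before after=$(check_cert app2) db=$(db_status app2)" \
         "app1=$(check_cert app1) app2b=$(check_cert app2b)"
    rm -rf "$WORK"
}

run_demo
```

Two points the page's session does not make explicit: a revoked certificate still verifies against the CA certificate alone, so clients only notice the revocation if they fetch the CRL (or use OCSP), and the CRL has to be regenerated after every revocation and before its Next Update date passes.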