
Linux OpenSSL Commands Explained

馬哥Linux運(yùn)維 · Source: 博客園 扛槍的書生 · 2024-08-14 18:22

Introduction

Cryptographic standards, like Internet protocols, are conventions that everyone agrees to follow: the PKCS# standards, for example, specify how RSA keys are generated and how public and private keys are formatted, and the X.509 standard specifies the format of certificates.
The OpenSSL command line is essentially a toolkit that implements, following the mainstream cryptographic standards, the common symmetric ciphers, asymmetric algorithms and digest algorithms, as well as certificate generation, signing and verification.

$ openssl --help
help:

// all openssl subcommands
Standard commands
asn1parse         ca                ciphers           cmp
cms               crl               crl2pkcs7         dgst
dhparam           dsa               dsaparam          ec
ecparam           enc               engine            errstr
fipsinstall       gendsa            genpkey           genrsa
help              info              kdf               list
mac               nseq              ocsp              passwd
pkcs12            pkcs7             pkcs8             pkey
pkeyparam         pkeyutl           prime             rand
rehash            req               rsa               rsautl
s_client          s_server          s_time            sess_id
smime             speed             spkac             srp
storeutl          ts                verify            version
x509

// digest algorithms supported by openssl
Message Digest commands (see the `dgst' command for more details)
blake2b512        blake2s256        md4               md5
rmd160            sha1              sha224            sha256
sha3-224          sha3-256          sha3-384          sha3-512
sha384            sha512            sha512-224        sha512-256
shake128          shake256          sm3

// symmetric ciphers supported by openssl
Cipher commands (see the `enc' command for more details)
aes-128-cbc       aes-128-ecb       aes-192-cbc       aes-192-ecb
aes-256-cbc       aes-256-ecb       aria-128-cbc      aria-128-cfb
aria-128-cfb1     aria-128-cfb8     aria-128-ctr      aria-128-ecb
aria-128-ofb      aria-192-cbc      aria-192-cfb      aria-192-cfb1
aria-192-cfb8     aria-192-ctr      aria-192-ecb      aria-192-ofb
aria-256-cbc      aria-256-cfb      aria-256-cfb1     aria-256-cfb8
aria-256-ctr      aria-256-ecb      aria-256-ofb      base64
bf                bf-cbc            bf-cfb            bf-ecb
bf-ofb            camellia-128-cbc  camellia-128-ecb  camellia-192-cbc
camellia-192-ecb  camellia-256-cbc  camellia-256-ecb  cast
cast-cbc          cast5-cbc         cast5-cfb         cast5-ecb
cast5-ofb         des               des-cbc           des-cfb
des-ecb           des-ede           des-ede-cbc       des-ede-cfb
des-ede-ofb       des-ede3          des-ede3-cbc      des-ede3-cfb
des-ede3-ofb      des-ofb           des3              desx
rc2               rc2-40-cbc        rc2-64-cbc        rc2-cbc
rc2-cfb           rc2-ecb           rc2-ofb           rc4
rc4-40            seed              seed-cbc          seed-cfb
seed-ecb          seed-ofb          sm4-cbc           sm4-cfb
sm4-ctr           sm4-ecb           sm4-ofb

Symmetric encryption

Symmetric-key algorithms use the same key for encryption and decryption. There are many of them; the full list can be shown with openssl list -cipher-commands.

(x) The openssl subcommand enc is the symmetric encryption/decryption tool.

$ openssl enc --help
Usage: enc [options]

General options:
 -help               Display this summary
 -list               List ciphers
 -ciphers            Alias for -list
 -e                  Encrypt
 -d                  Decrypt
 -p                  Print the iv/key
 -P                  Print the iv/key and exit
 -engine val         Use engine, possibly a hardware device

Input options:
 -in infile          Input file
 -k val              Passphrase
 -kfile infile       Read passphrase from file

Output options:
 -out outfile        Output file
 -pass val           Passphrase source
 -v                  Verbose output
 -a                  Base64 encode/decode, depending on encryption flag
 -base64             Same as option -a
 -A                  Used with -[base64|a] to specify base64 buffer as a single line

Encryption options:
 -nopad              Disable standard block padding
 -salt               Use salt in the KDF (default)
 -nosalt             Do not use salt in the KDF
 -debug              Print debug info
 -bufsize val        Buffer size
 -K val              Raw key, in hex
 -S val              Salt, in hex
 -iv val             IV in hex
 -md val             Use specified digest to create a key from the passphrase
 -iter +int          Specify the iteration count and force use of PBKDF2
 -pbkdf2             Use password-based key derivation function 2
 -none               Don't encrypt
 -*                  Any supported cipher

Random state options:
 -rand val           Load the given file(s) into the random number generator
 -writerand outfile  Write random data to the specified file

Provider options:
 -provider-path val  Provider load path (must be before 'provider' argument if required)
 -provider val       Provider to load (can be specified multiple times)
 -propquery val      Property query used when fetching algorithms

Example 1: encrypt a file with a cipher

// Encrypt the file test.txt with the aes-128-cbc symmetric cipher; the shared passphrase is pass and the output file is test-aes-enc.txt.
openssl enc -e -aes-128-cbc -in test.txt -k pass -out test-aes-enc.txt -v

// Decrypt the file test-aes-enc.txt with the same aes-128-cbc cipher and passphrase pass; the output file is test-aes-dec.txt.
openssl enc -d -aes-128-cbc -in test-aes-enc.txt -k pass -out test-aes-dec.txt -v

Example 2: base64-encode a string

// base64-encode a string
echo -n "12345" | openssl enc -e -base64 -in -

// base64-decode a string
echo "MTIzNDU=" | openssl enc -d -base64 -in -

Note: when encoding, if echo is run without -n it appends a newline to the string, and that newline is encoded along with it.

Example 3: encrypt a file and output the ciphertext in base64

// base64-encode the encrypted data (-a or -base64)
openssl enc -aes-256-cbc -a -salt -in file.txt -out file.enc

// decrypt base64-formatted encrypted data
openssl enc -d -aes-256-cbc -a -in file.enc
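The enc round trip above, as an added example that is not from the original article: it uses the -pbkdf2 and -iter options from the help text instead of the legacy key derivation that -k alone selects, and checks that a wrong passphrase cannot give back the plaintext. It assumes openssl 1.1.1 or later is on PATH; the passphrase, file names and sample text are constructed.

```shell
#!/bin/sh
# Added example, not part of the original article: an `openssl enc` round
# trip with PBKDF2 key derivation (OpenSSL 3 warns that the legacy
# derivation used by a bare -k is deprecated), plus a check that a wrong
# passphrase does not silently yield the plaintext. Assumes `openssl`
# 1.1.1+ on PATH; passphrase, text and file names are constructed.
set -u

WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT
PASS='correct horse battery staple'   # constructed demo passphrase

# Encrypt $1 to $2 under passphrase $3 with AES-256-CBC.
# -pbkdf2 -iter: derive key and IV with PBKDF2 (100000 iterations)
# -salt:         random salt, so equal inputs give different ciphertexts
# -a:            base64 output, as in the article's Example 3
enc_encrypt() {
    openssl enc -e -aes-256-cbc -pbkdf2 -iter 100000 -salt -a \
        -pass "pass:$3" -in "$1" -out "$2" 2>/dev/null
}

# Decrypt base64 file $1 to $2 under passphrase $3. The KDF options must
# match the encryption side exactly or the derived key will differ.
enc_decrypt() {
    openssl enc -d -aes-256-cbc -pbkdf2 -iter 100000 -a \
        -pass "pass:$3" -in "$1" -out "$2" 2>/dev/null
}

# Writes the constructed plaintext and prints its path.
enc_sample() {
    printf 'constructed sample plaintext\n' >"$WORKDIR/plain.txt"
    echo "$WORKDIR/plain.txt"
}

# Encrypt, decrypt, compare. Prints "ok" and returns 0 on a clean round trip.
enc_roundtrip() {
    plain=$(enc_sample)
    enc_encrypt "$plain" "$WORKDIR/cipher.b64" "$PASS" || return 1
    enc_decrypt "$WORKDIR/cipher.b64" "$WORKDIR/plain.dec" "$PASS" || return 1
    cmp -s "$plain" "$WORKDIR/plain.dec" || return 1
    echo ok
}

# With the wrong passphrase, CBC decryption almost always fails the padding
# check ("bad decrypt"); in the rare case the padding happens to look valid
# the output is garbage. Either way the plaintext must not come back.
# Returns 0 when the wrong passphrase is detected.
enc_wrong_pass_detected() {
    plain=$(enc_sample)
    enc_encrypt "$plain" "$WORKDIR/cipher.b64" "$PASS" || return 1
    if enc_decrypt "$WORKDIR/cipher.b64" "$WORKDIR/wrong.dec" 'not the passphrase' &&
       cmp -s "$plain" "$WORKDIR/wrong.dec"; then
        return 1
    fi
    return 0
}
```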

Public-key encryption

Public-key algorithms use different keys for encryption and decryption (normally the public key encrypts and the private key decrypts; signing is the reverse: the private key "encrypts" and the public key "decrypts"). Only the DH, RSA, DSA and elliptic-curve (EC) algorithms are supported. DH is generally used for key exchange; RSA can be used for key exchange, digital signatures and data encryption; DSA is generally used only for digital signatures. This section focuses on the RSA-related subcommands genrsa, rsa and rsautl.

(1) The openssl subcommand genrsa is mainly used to generate RSA private keys.

$ openssl genrsa --help
Usage: genrsa [options] numbits

General options:
 -help               Display this summary
 -engine val         Use engine, possibly a hardware device

Input options:
 -3                  (deprecated) Use 3 for the E value
 -F4                 Use the Fermat number F4 (0x10001) for the E value
 -f4                 Use the Fermat number F4 (0x10001) for the E value

Output options:
 -out outfile        Output the key to specified file
 -passout val        Output file pass phrase source
 -primes +int        Specify number of primes
 -verbose            Verbose output
 -traditional        Use traditional format for private keys
 -*                  Encrypt the output with any supported cipher

Random state options:
 -rand val           Load the given file(s) into the random number generator
 -writerand outfile  Write random data to the specified file

Provider options:
 -provider-path val  Provider load path (must be before 'provider' argument if required)
 -provider val       Provider to load (can be specified multiple times)
 -propquery val      Property query used when fetching algorithms

Parameters:
 numbits             Size of key in bits

Example 1: generate an unencrypted 1024-bit private key

// options must come before the numbits argument; genrsa rejects anything after it as "Extra arguments"
openssl genrsa -verbose -out private.pem 1024

Example 2: generate a passphrase-protected private key (genrsa always writes PEM; the difference between PEM and DER is noted under the rsa subcommand below)

// Encrypt the private key with the aes-128-cbc symmetric cipher; the command prompts for the passphrase
openssl genrsa -aes-128-cbc -out pri.pem -verbose

(2) The openssl subcommand rsa processes RSA keys (extracting the public key, managing the protecting passphrase), converts formats and prints key information

$ openssl rsa --help
Usage: rsa [options]

General options:
 -help               Display this summary
 -check              Verify key consistency
 -*                  Any supported cipher
 -engine val         Use engine, possibly a hardware device

Input options:
 -in val             Input file
 -inform format      Input format (DER/PEM/P12/ENGINE
 -pubin              Expect a public key in input file
 -RSAPublicKey_in    Input is an RSAPublicKey
 -passin val         Input file pass phrase source

Output options:
 -out outfile        Output file
 -outform format     Output format, one of DER PEM PVK
 -pubout             Output a public key
 -RSAPublicKey_out   Output is an RSAPublicKey
 -passout val        Output file pass phrase source
 -noout              Don't print key out
 -text               Print the key in text
 -modulus            Print the RSA key modulus
 -traditional        Use traditional format for private keys

PVK options:
 -pvk-strong         Enable 'Strong' PVK encoding level (default)
 -pvk-weak           Enable 'Weak' PVK encoding level
 -pvk-none           Don't enforce PVK encoding

Provider options:
 -provider-path val  Provider load path (must be before 'provider' argument if required)
 -provider val       Provider to load (can be specified multiple times)
 -propquery val      Property query used when fetching algorithms

Example 1: view the contents of a private key file

openssl rsa -in priv.pem -text

Example 2: add, remove or change the passphrase that encrypts a key (note: wherever a passphrase is supplied here, the format is pass:pass_value)

// add passphrase protection to an RSA key
openssl rsa -in RSA.pem -des3 -passout pass:123456 -out E_RSA.pem

// remove passphrase protection from an RSA key (-passin may be omitted; you are then prompted for the passphrase)
openssl rsa -in E_RSA.pem -passin pass:123456 -out P_RSA.pem

// change the encryption algorithm to aes128, with passphrase 123456
openssl rsa -in RSA.pem -passin pass:123456 -aes128 -passout pass:123456 -out E_RSA.pem

Example 3: key format conversion

// convert PEM to DER; -outform selects DER
openssl rsa -in RSA.pem -passin pass:123456 -des -passout pass:123456 -outform der -out rsa.der

Note: DER is a binary encoding and PEM is an ASCII (base64) encoding; PEM is generally the default.

Example 4: extract the public key

openssl rsa -in private.pem -pubout -out public.pem

(3) The openssl subcommand rsautl can sign, verify, encrypt and decrypt data with the RSA algorithm (as the help text below notes, it is deprecated since OpenSSL 3.0 in favour of pkeyutl).

$ openssl rsautl --help
The command rsautl was deprecated in version 3.0. Use 'pkeyutl' instead.
Usage: rsautl [options]

General options:
 -help                    Display this summary
 -sign                    Sign with private key
 -verify                  Verify with public key
 -encrypt                 Encrypt with public key
 -decrypt                 Decrypt with private key
 -engine val              Use engine, possibly a hardware device

Input options:
 -in infile               Input file
 -inkey val               Input key
 -keyform PEM|DER|ENGINE  Private key format (ENGINE, other values ignored)
 -pubin                   Input is an RSA public
 -certin                  Input is a cert carrying an RSA public key
 -rev                     Reverse the order of the input buffer
 -passin val              Input file pass phrase source

Output options:
 -out outfile             Output file
 -raw                     Use no padding
 -pkcs                    Use PKCS#1 v1.5 padding (default)
 -x931                    Use ANSI X9.31 padding
 -oaep                    Use PKCS#1 OAEP
 -asn1parse               Run output through asn1parse; useful with -verify
 -hexdump                 Hex dump output

Random state options:
 -rand val                Load the given file(s) into the random number generator
 -writerand outfile       Write random data to the specified file

Provider options:
 -provider-path val       Provider load path (must be before 'provider' argument if required)
 -provider val            Provider to load (can be specified multiple times)
 -propquery val           Property query used when fetching algorithms

Example 1: encrypt and decrypt a file with a key pair

// encrypt the file with the public key (-pubin tells rsautl that the key file holds a public key)
openssl rsautl -encrypt -in plain.text -pubin -inkey public.pem -out encrypt.text
// decrypt the file with the private key
openssl rsautl -decrypt -in encrypt.text -inkey private.pem -out replain.text

Example 2: sign and verify a file with a key pair (here the signature is computed over the file itself, so no hashing step is involved)

// sign with the private key
openssl rsautl -sign -in plain.text -inkey private.pem -out signed.text
// verify with the public key
openssl rsautl -verify -in signed.text -pubin -inkey public.pem -out verify.text
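The genrsa, rsa and rsautl steps above as one added example that is not from the original article: it generates a key pair, extracts the public key, and runs the encrypt/decrypt round trip through pkeyutl, the replacement the help text names for the deprecated rsautl, using OAEP padding; it also shows the input-size limit of raw RSA encryption. It assumes openssl 1.1.1 or later is on PATH; file names and the message are constructed.

```shell
#!/bin/sh
# Added example, not part of the original article: RSA key pair, public
# key extraction with `openssl rsa -pubout`, and an encrypt/decrypt round
# trip with `openssl pkeyutl` (replacement for the deprecated rsautl)
# using OAEP padding. Assumes `openssl` 1.1.1+ on PATH; file names and
# the message are constructed for the demo.
set -u

WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT
PRIV="$WORKDIR/private.pem"
PUB="$WORKDIR/public.pem"

# 2048-bit key (the article's 1024-bit examples are below today's
# accepted minimum) and its public half, as in rsa Example 4.
rsa_keygen() {
    [ -f "$PUB" ] && return 0
    openssl genrsa -out "$PRIV" 2048 2>/dev/null &&
    openssl rsa -in "$PRIV" -pubout -out "$PUB" 2>/dev/null
}

# Encrypt $1 to $2 with the public key. -pubin is required: without it
# openssl tries to parse public.pem as a private key and fails.
# OAEP with SHA-256 replaces the PKCS#1 v1.5 padding rsautl defaults to.
rsa_encrypt() {
    openssl pkeyutl -encrypt -pubin -inkey "$PUB" \
        -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256 \
        -in "$1" -out "$2" 2>/dev/null
}

# Decrypt $1 to $2 with the private key; the padding options must match.
rsa_decrypt() {
    openssl pkeyutl -decrypt -inkey "$PRIV" \
        -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256 \
        -in "$1" -out "$2" 2>/dev/null
}

# Round-trips a short message and prints the recovered text.
rsa_roundtrip() {
    rsa_keygen || return 1
    printf 'constructed secret' >"$WORKDIR/plain.txt"
    rsa_encrypt "$WORKDIR/plain.txt" "$WORKDIR/cipher.bin" || return 1
    rsa_decrypt "$WORKDIR/cipher.bin" "$WORKDIR/dec.txt" || return 1
    cat "$WORKDIR/dec.txt"
}

# A 2048-bit modulus is 256 bytes; OAEP with SHA-256 uses 2*32+2 of them,
# so at most 190 bytes can be encrypted in one operation. Anything larger
# is protected with a symmetric key that RSA then wraps.
# Returns 0 when a 191-byte input is rejected.
rsa_rejects_oversized() {
    rsa_keygen || return 1
    printf '%191s' '' | tr ' ' 'A' >"$WORKDIR/big.txt"
    if rsa_encrypt "$WORKDIR/big.txt" "$WORKDIR/big.bin"; then
        return 1
    fi
    return 0
}
```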

Message digests

A message digest algorithm transforms data of arbitrary length into a fixed-length string; it is usually used to verify the integrity and consistency of data. The available algorithms can be listed with openssl list -digest-commands.

(x) The openssl subcommand dgst is the message digest tool.

$ openssl dgst --help
Usage: dgst [options] [file...]

General options:
 -help               Display this summary
 -list               List digests
 -engine val         Use engine e, possibly a hardware device
 -engine_impl        Also use engine given by -engine for digest operations
 -passin val         Input file pass phrase source

Output options:
 -c                  Print the digest with separating colons
 -r                  Print the digest in coreutils format
 -out outfile        Output to filename rather than stdout
 -keyform format     Key file format (ENGINE, other values ignored)
 -hex                Print as hex dump
 -binary             Print in binary form
 -xoflen +int        Output length for XOF algorithms
 -d                  Print debug info
 -debug              Print debug info

Signing options:
 -sign val           Sign digest using private key
 -verify val         Verify a signature using public key
 -prverify val       Verify a signature using private key
 -sigopt val         Signature parameter in n:v form
 -signature infile   File with signature to verify
 -hmac val           Create hashed MAC with key
 -mac val            Create MAC (not necessarily HMAC)
 -macopt val         MAC algorithm parameters in n:v form or key
 -*                  Any supported digest
 -fips-fingerprint   Compute HMAC with the key used in OpenSSL-FIPS fingerprint

Random state options:
 -rand val           Load the given file(s) into the random number generator
 -writerand outfile  Write random data to the specified file

Provider options:
 -provider-path val  Provider load path (must be before 'provider' argument if required)
 -provider val       Provider to load (can be specified multiple times)
 -propquery val      Property query used when fetching algorithms

Parameters:
 file                Files to digest (optional; default is stdin)

Example 1: compute a file digest

// compute the MD5 digest of the file
openssl dgst -md5 test.txt

Example 2: sign and verify a file (here the signature is over the file's hash, so a hashing step always takes place)

// sign the hash of plain.text with the private key private.pem and write the signature to test.text
openssl dgst -sign private.pem -out test.text plain.text
// verify the signature with the public key public.pem
openssl dgst -verify public.pem -signature test.text plain.text
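The dgst sign/verify flow above, as an added example that is not from the original article: it signs a file's SHA-256 digest, verifies it, and confirms that changing one character of the file makes verification fail. It assumes openssl 1.1.1 or later is on PATH; the key pair and the manifest text are constructed.

```shell
#!/bin/sh
# Added example, not part of the original article: sign a file's SHA-256
# digest with `openssl dgst`, verify it, and show that a one-character
# change makes verification fail. Assumes `openssl` 1.1.1+ on PATH; the
# key pair and manifest text are constructed for the demo.
set -u

WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT
PRIV="$WORKDIR/private.pem"
PUB="$WORKDIR/public.pem"

# Key pair for the demo (2048-bit; see the genrsa and rsa examples above).
dgst_keygen() {
    [ -f "$PUB" ] && return 0
    openssl genrsa -out "$PRIV" 2048 2>/dev/null &&
    openssl rsa -in "$PRIV" -pubout -out "$PUB" 2>/dev/null
}

# Sign file $1, writing the signature to $2. The digest is named explicitly
# because the default has changed between releases. The article's Example 1
# uses MD5, which is fine as a checksum but unsuitable for signatures
# because collisions are practical.
dgst_sign() {
    openssl dgst -sha256 -sign "$PRIV" -out "$2" "$1" 2>/dev/null
}

# Verify file $1 against signature $2; exit status 0 means "Verified OK".
dgst_verify() {
    openssl dgst -sha256 -verify "$PUB" -signature "$2" "$1" >/dev/null 2>&1
}

# Prints "ok" and returns 0 when the original verifies and a tampered copy
# (one character changed) is rejected.
dgst_detects_tamper() {
    dgst_keygen || return 1
    manifest="$WORKDIR/manifest.txt"
    printf 'release=1.0\nsha256=constructed-placeholder\n' >"$manifest"
    dgst_sign "$manifest" "$WORKDIR/manifest.sig" || return 1
    dgst_verify "$manifest" "$WORKDIR/manifest.sig" || return 1
    sed 's/release=1.0/release=1.1/' "$manifest" >"$WORKDIR/tampered.txt"
    if dgst_verify "$WORKDIR/tampered.txt" "$WORKDIR/manifest.sig"; then
        return 1   # a modified file must not verify
    fi
    echo ok
}
```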

Digital certificates

A digital certificate is produced by signing, with an authoritative private key (usually that of a root CA), another party's public-key certificate (that is, the certificate request, which contains the company's details, web address and self-generated public key), so as to raise the trustworthiness of that party's public key.

(1) The openssl subcommand req is used to generate and process certificate request files and certificates

$ openssl req --help
Usage: req [options]

General options:
 -help                 Display this summary
 -engine val           Use engine, possibly a hardware device
 -keygen_engine val    Specify engine to be used for key generation operations
 -in infile            X.509 request input file (default stdin)
 -inform PEM|DER       Input format - DER or PEM
 -verify               Verify self-signature on the request

Certificate options:
 -new                  New request
 -config infile        Request template file
 -section val          Config section to use (default "req")
 -utf8                 Input characters are UTF8 (default ASCII)
 -nameopt val          Certificate subject/issuer name printing options
 -reqopt val           Various request text options
 -text                 Text form of request
 -x509                 Output an X.509 certificate structure instead of a cert request
 -CA infile            Issuer cert to use for signing a cert, implies -x509
 -CAkey val            Issuer private key to use with -CA; default is -CA arg
                       (Required by some CA's)
 -subj val             Set or modify subject of request or cert
 -subject              Print the subject of the output request or cert
 -multivalue-rdn       Deprecated; multi-valued RDNs support is always on.
 -days +int            Number of days cert is valid for
 -set_serial val       Serial number to use
 -copy_extensions val  copy extensions from request when using -x509
 -addext val           Additional cert extension key=value pair (may be given more than once)
 -extensions val       Cert extension section (override value in config file)
 -reqexts val          Request extension section (override value in config file)
 -precert              Add a poison extension to the generated cert (implies -new)

Keys and Signing options:
 -key val              Key for signing, and to include unless -in given
 -keyform format       Key file format (ENGINE, other values ignored)
 -pubkey               Output public key
 -keyout outfile       File to write private key to
 -passin val           Private key and certificate password source
 -passout val          Output file pass phrase source
 -newkey val           Generate new key with [:] or [:] or param:
 -pkeyopt val          Public key options as opt:value
 -sigopt val           Signature parameter in n:v form
 -vfyopt val           Verification parameter in n:v form
 -*                    Any supported digest

Output options:
 -out outfile          Output file
 -outform PEM|DER      Output format - DER or PEM
 -batch                Do not ask anything during request generation
 -verbose              Verbose output
 -noenc                Don't encrypt private keys
 -nodes                Don't encrypt private keys; deprecated
 -noout                Do not output REQ
 -newhdr               Output "NEW" in the header lines
 -modulus              RSA modulus

Random state options:
 -rand val             Load the given file(s) into the random number generator
 -writerand outfile    Write random data to the specified file

Provider options:
 -provider-path val    Provider load path (must be before 'provider' argument if required)
 -provider val         Provider to load (can be specified multiple times)
 -propquery val        Property query used when fetching algorithms

Example 1: generate a certificate request

// generate a certificate request from the existing private key private.pem (you are prompted for the subject details)
openssl req -new -key private.pem -out request.csr

// generate a certificate request with an automatically generated RSA private key (you are prompted for the subject details)
openssl req -new -out request.csr

// automatically generate an unencrypted 1024-bit private key written to RSA.pem, plus a certificate request client.csr with no prompting
openssl req -new -newkey rsa:1024 -nodes -out client.csr -keyout RSA.pem -subj /C=AU/ST=Some-State/O=Internet

// quickly generate a certificate request, skipping both the private-key passphrase prompt and the subject prompts
openssl req -new -nodes -out request.csr -batch

Note: although generating a certificate request always requires the RSA private key, the request file does not embed the private key, only the public key derived from it.

Example 2: view the contents of a certificate request file

openssl req -in request.csr -text

Example 3: extract the public key from a certificate request

openssl req -in client.csr -pubkey -noout >pub.pem

Example 4: generate a self-signed certificate (i.e. a root CA, which can be used to sign other certificate requests, i.e. to issue certificates)

// first generate a private key ca.pem, then generate a self-signed root certificate ca.cer directly from it
openssl genrsa -out ca.pem 2048
openssl req -new -x509 -days 365 -key ca.pem -subj "/C=CN/ST=GD/L=SZ/O=Acme, Inc./CN=Acme Root CA" -out ca.cer

// automatically generate a self-signed certificate mycert.cer and its private key prvi.pem (prompts for the subject details)
openssl req -x509 -nodes -days 365 -sha256 -newkey rsa:2048 -keyout prvi.pem -out mycert.cer

// quick check that the generated certificate works, at https://localhost:4433 (the file given to -cert is the private key and certificate concatenated: cat prvi.pem mycert.cer > mycert.pem)
openssl s_server -cert mycert.pem -www -accept 4433

Note: the suffixes pem, csr and cer in the commands are only there to make the file types easy to recognize; on the command line they can be anything. In Windows and some other applications, however, the suffix matters.

(2) The openssl subcommand x509 is a multi-purpose certificate tool: it can display certificate information, convert certificate formats, sign certificate requests and change certificate trust settings.

$ openssl x509 --help
Usage: x509 [options]

General options:
 -help                      Display this summary
 -in infile                 Certificate input, or CSR input file with -req (default stdin)
 -passin val                Private key and cert file pass-phrase source
 -new                       Generate a certificate from scratch
 -x509toreq                 Output a certification request (rather than a certificate)
 -req                       Input is a CSR file (rather than a certificate)
 -copy_extensions val       copy extensions when converting from CSR to x509 or vice versa
 -inform format             CSR input file format (DER or PEM) - default PEM
 -vfyopt val                CSR verification parameter in n:v form
 -key val                   Key for signing, and to include unless using -force_pubkey
 -signkey val               Same as -key
 -keyform PEM|DER|ENGINE    Key input format (ENGINE, other values ignored)
 -out outfile               Output file - default stdout
 -outform format            Output format (DER or PEM) - default PEM
 -nocert                    No cert output (except for requested printing)
 -noout                     No output (except for requested printing)

Certificate printing options:
 -text                      Print the certificate in text form
 -dateopt val               Datetime format used for printing. (rfc_822/iso_8601). Default is rfc_822.
 -certopt val               Various certificate text printing options
 -fingerprint               Print the certificate fingerprint
 -alias                     Print certificate alias
 -serial                    Print serial number value
 -startdate                 Print the notBefore field
 -enddate                   Print the notAfter field
 -dates                     Print both notBefore and notAfter fields
 -subject                   Print subject DN
 -issuer                    Print issuer DN
 -nameopt val               Certificate subject/issuer name printing options
 -email                     Print email address(es)
 -hash                      Synonym for -subject_hash (for backward compat)
 -subject_hash              Print subject hash value
 -subject_hash_old          Print old-style (MD5) subject hash value
 -issuer_hash               Print issuer hash value
 -issuer_hash_old           Print old-style (MD5) issuer hash value
 -ext val                   Restrict which X.509 extensions to print and/or copy
 -ocspid                    Print OCSP hash values for the subject name and public key
 -ocsp_uri                  Print OCSP Responder URL(s)
 -purpose                   Print out certificate purposes
 -pubkey                    Print the public key in PEM format
 -modulus                   Print the RSA key modulus

Certificate checking options:
 -checkend intmax           Check whether cert expires in the next arg seconds
                            Exit 1 (failure) if so, 0 if not
 -checkhost val             Check certificate matches host
 -checkemail val            Check certificate matches email
 -checkip val               Check certificate matches ipaddr

Certificate output options:
 -set_serial val            Serial number to use, overrides -CAserial
 -next_serial               Increment current certificate serial number
 -days int                  Number of days until newly generated certificate expires - default 30
 -preserve_dates            Preserve existing validity dates
 -subj val                  Set or override certificate subject (and issuer)
 -force_pubkey infile       Place the given key in new certificate
 -clrext                    Do not take over any extensions from the source certificate or request
 -extfile infile            Config file with X509V3 extensions to add
 -extensions val            Section of extfile to use - default: unnamed section
 -sigopt val                Signature parameter, in n:v form
 -badsig                    Corrupt last byte of certificate signature (for test)
 -*                         Any supported digest, used for signing and printing

Micro-CA options:
 -CA infile                 Use the given CA certificate, conflicts with -key
 -CAform PEM|DER            CA cert format (PEM/DER/P12); has no effect
 -CAkey val                 The corresponding CA key; default is -CA arg
 -CAkeyform PEM|DER|ENGINE  CA key format (ENGINE, other values ignored)
 -CAserial val              File that keeps track of CA-generated serial number
 -CAcreateserial            Create CA serial number file if it does not exist

Certificate trust output options:
 -trustout                  Mark certificate PEM output as trusted
 -setalias val              Set certificate alias (nickname)
 -clrtrust                  Clear all trusted purposes
 -addtrust val              Trust certificate for a given purpose
 -clrreject                 Clears all the prohibited or rejected uses of the certificate
 -addreject val             Reject certificate for a given purpose

Random state options:
 -rand val                  Load the given file(s) into the random number generator
 -writerand outfile         Write random data to the specified file
 -engine val                Use engine, possibly a hardware device

Provider options:
 -provider-path val         Provider load path (must be before 'provider' argument if required)
 -provider val              Provider to load (can be specified multiple times)
 -propquery val             Property query used when fetching algorithms

Example 1: sign a certificate request with the self-signed root certificate

// generate the request file server.csr, then sign it with the self-signed root certificate ca.cer and its private key ca.pem to produce the signed certificate server.cer
openssl req -newkey rsa:2048 -nodes -keyout server.pem -subj "/C=CN/ST=GD/L=SZ/O=Acme, Inc./CN=localhost" -out server.csr
openssl x509 -sha256 -req -days 365 -in server.csr -CA ca.cer -CAkey ca.pem -CAcreateserial -out server.cer


Miscellaneous

(1) The openssl subcommand rand generates pseudo-random bytes

// generate 3 random bytes
openssl rand -hex 3

Note: since the output consists of random bytes, it shows up as garbage unless encoded with -base64 or -hex.

(2) The openssl subcommand passwd generates password hashes in the format used for Linux user accounts

// hash a plaintext password
openssl passwd 12345

// hash the password with a fixed salt (by default the salt is random, so the same command produces a different result each time it runs)
openssl passwd -salt 'z' 12345

(3) The openssl subcommand verify verifies certificates issued by a certificate authority

openssl verify cert.pem

// output like the following means verification succeeded
OK

// output like the following means the certificate has expired; certificates normally have a validity period, generally one year
error 10 at 0 depth lookup:certificate has expired

// output like the following means the certificate is self-signed
error 18 at 0 depth lookup:self signed certificate
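The x509 signing example and the verify section above, combined into one added example that is not from the original article: it builds a throwaway root CA, issues a server certificate from a CSR with a subjectAltName, and then verifies it the way a client would, with and without trusting the root. It assumes openssl 1.1.1 or later is on PATH; all file names, subjects and the private config are constructed.

```shell
#!/bin/sh
# Added example, not part of the original article: a throwaway root CA
# that issues a server certificate from a CSR, then `openssl verify` on
# the result. Assumes `openssl` 1.1.1+ on PATH; all names are constructed.
set -u

WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT
CFG="$WORKDIR/mini.cnf"
CA_KEY="$WORKDIR/ca.pem";      CA_CERT="$WORKDIR/ca.cer"
SRV_KEY="$WORKDIR/server.pem"; SRV_CSR="$WORKDIR/server.csr"
SRV_CERT="$WORKDIR/server.cer"

# A private config so the example does not depend on the system openssl.cnf.
# ca_ext marks the root as a CA (verify rejects an issuer without CA:TRUE);
# srv_ext gives the leaf a subjectAltName, which hostname checks rely on.
write_config() {
    cat >"$CFG" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ srv_ext ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:localhost
EOF
}

# Root key and self-signed root certificate (the article's req Example 4).
ca_setup() {
    write_config
    openssl genrsa -out "$CA_KEY" 2048 2>/dev/null &&
    openssl req -new -x509 -days 365 -config "$CFG" -extensions ca_ext \
        -key "$CA_KEY" -subj "/C=CN/ST=GD/L=SZ/O=Acme, Inc./CN=Acme Root CA" \
        -out "$CA_CERT" 2>/dev/null
}

# CSR for the server, signed by the root. Extensions come from -extfile:
# x509 -req does not copy them from the CSR unless told to.
issue_server_cert() {
    [ -f "$CA_CERT" ] || ca_setup || return 1
    openssl req -new -config "$CFG" -newkey rsa:2048 -nodes -keyout "$SRV_KEY" \
        -subj "/C=CN/ST=GD/L=SZ/O=Acme, Inc./CN=localhost" \
        -out "$SRV_CSR" 2>/dev/null &&
    openssl x509 -req -sha256 -days 365 -in "$SRV_CSR" \
        -CA "$CA_CERT" -CAkey "$CA_KEY" -CAcreateserial \
        -extfile "$CFG" -extensions srv_ext -out "$SRV_CERT" 2>/dev/null
}

# Chain and hostname check against our root for host $1; exit 0 means "OK".
verify_server_cert() {
    [ -f "$SRV_CERT" ] || issue_server_cert || return 1
    openssl verify -CAfile "$CA_CERT" -verify_hostname "$1" "$SRV_CERT" >/dev/null 2>&1
}

# Without -CAfile the issuer is unknown and verify fails, as with the
# article's self-signed example; returns 0 when that failure is observed.
verify_without_ca_fails() {
    [ -f "$SRV_CERT" ] || issue_server_cert || return 1
    if openssl verify "$SRV_CERT" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}
```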

(4) Using the openssl subcommands s_server and s_client

// run a TLS server
openssl s_server -cert mycert.pem -www -accept 4433

// connect to a TLS server
openssl s_client -connect remote.host:4433

Link: https://www.cnblogs.com/kqdssheng/p/17945857

Original title: Linux之OpenSSL命令指南 (Linux OpenSSL Command Guide)

Source: WeChat public account 馬哥Linux運(yùn)維 (ID: magedu-Linux). Please credit the source when reposting.
