Shulou(Shulou.com)06/01 Report--

1. Openssl common commands:

# openssl? # View openssl commands and subcommands # man enc # you can view subcommand help directly

Encryption:

# openssl enc-des3-e-salt-in / lee/sh/test.sh-out / lee/sh/test.sh.des3-des3: specify the encryption algorithm, which can be found in openssl? See the supported encryption algorithm-e: encryption, default parameter-salt: salt-in: input file, that is, file to be encrypted-out: output file, that is, encrypted ciphertext enter des-ede3-cbc encryption password: # enter encryption password Verifying-enter des-ede3-cbc encryption password: # confirm to enter encryption password

Decryption:

# openssl enc-des3-d-salt-in / lee/sh/test.sh.des3-out / lee/sh/test1.sh-d: decrypt enter des-ede3-cbc decryption password:

Hash:

# md5sum / lee/sh/test.sh # use MD5 hash 590c2fdc61a76337dd2e1df91a217a27 / lee/sh/test.sh # sha1sum / lee/sh/test.sh # SHA1 hash 40554fd040b5a54821280603a67e5c07818aff65 / lee/sh/test.sh # openssl dgst-sha1 / lee/sh/test.sh # SHA1 hash SHA1 (/ lee/sh/test.sh) = 40554fd040b5a54821280603a67e5c07818aff65 # openssl dgst-md5 / lee/sh/test.sh with openssl command # use the openssl command to hash MD5 MD5 (/ lee/sh/test.sh) = 590c2fdc61a76337dd2e1df91a217a27 # openssl dgst -? # so that you can output the supported command unknown option'-?' Options are-c to output the digest with separating colons-r to output the digest in coreutils format-d to output debug info-hex output as hex dump-binary output in binary form-hmac arg set the HMAC key to arg-non-fips-allow allow use of non FIPS digest-sign file sign digest using private key in file- Verify file verify a signature using public key in file-prverify file verify a signature using private key in file-keyform arg key file format (PEM or ENGINE)-out filename output to filename rather than stdout-signature file signature to verify-sigopt nm:v signature parameter-hmac key create hashed MAC with key-mac algorithm create MAC (not neccessarily HMAC)-macopt nm:v MAC algorithm parameters or key-engine e use engine e Possibly a hardware device. -md4 to use the md4 message digest algorithm-md5 to use the md5 message digest algorithm-ripemd160 to use the ripemd160 message digest algorithm-sha to use the sha message digest algorithm-sha1 to use the sha1 message digest algorithm-sha224 to use the sha224 message digest algorithm-sha256 to use the sha256 message digest algorithm-sha384 to use the sha384 message digest algorithm -sha512 to use the sha512 message digest algorithm-whirlpool to use the whirlpool message digest algorithm

Generate a password string (hash value):

# openssl passwd -? # detailed help or check out man Usage: passwd [options] [passwords] where options are-crypt standard Unix password algorithm (default)-1 MD5-based password algorithm # MD5 algorithm-apr1 MD5-based password algorithm Apache variant-salt string use provided salt-in file read passwords from file-stdin read passwords from stdin-noverify never verify when reading password from terminal-quiet no warnings-table format output as table-reverse switch table columns

However, passwd itself is an operating system command, and you are looking at the help of the operating system passwd with man, so whatis:

# whatis passwd sslpasswd (1ssl)-compute password hashes # you can see that it is sslpasswd passwd (1)-update user's authentication tokens passwd (5)-password file # man sslpasswd # so you can see # openssl passwd-1 # the hash value (string) of the password calculated using the MD5 algorithm Password: Verifying-Password: $1$ VAehBGE.$vSHYjZqz4O3xLXgqaWTL70

Note: salt is added by default in this command, so the result of executing the same password string multiple times will be different.

# openssl passwd-1-salt VAehBGE. # specify salt value Password: $1$ VAehBGE.$vSHYjZqz4O3xLXgqaWTL70 # the same salt result output is the same

Generate an asymmetric key:

# openssl genrsa # generate RSA private key Generating RSA private key 2048 bit long modulus. + +.... + + e is 65537 (0x10001)-BEGIN RSA PRIVATE KEY- MIIEpQIBAAKCAQEA9armbPLhXtJc70Ktvw0JJEZtWaA6MtWGjL6sr51WGhrC2wcu XVdrQlpWXWxFjO7zlwfIs2Oo9+6LmQdmRbqlt0Jmh0RG9XxB51cKR1s8c71k/u2A Jm6Ccg8wsxLgBVKrpFB9bZ7WsLAJ7n61mkJul49Vp/uIuGX+3HEgmgoOWObw6xiC tMSR9c5ksobz3oI6R9ccwpOfcXBWUzVo2fc+KnuKyM1saR8HXrHBPpoyP6DT2GOv CyLjw1l1c4jPKO6PC2CJMyM4q6EuTow/j8y+X2vCVPzferYRixH8b96HGisxqD2f UxK1H3RPOCk8L/NiWyE2L5950FgDxUB1gRXANwIDAQABAoIBABg0S1mmoG/QOBnW rvmo1iK90Z5H/BPwF76cNrViwg32XwZncbj+mPHDpsizlzKohFV4Dd0mz4oF9bkR EpGCLzucDi/7mSYspO2fFMMtCQq6OU4opjyjHLUSLBEopevAVmrtBz6arLphzciy sT/OlcjW9XCEhtbsLa0YdEbZAMrfXKdpR88CX8zIKn5ZTG2BO6vP6tfLrSVPM/Rl 5dJVLFkB4cgoZKLYDzllYPn9YerUFJnl1H+2ky/skEWf+jDoIw+zVQPhUn/kdBpU gFEbp60FvJK5iRx81fK0liOhZHFefNGsiSSqPVVvP7qRmqgCamZYqfQdRujzZ4Io sW4Q5FECgYEA/iTMjxSnE3x5d8jzR/s5rotEq08XlfVlkAYSxFOje0lOtdlX/ OJv 02+4lf0btEOHPcdCbHIuhx6zMlx2TPaXcfgMvowKe+/bfcX76VldhQxj/xJvXzVx acCYY2fRZc69GPsXR+PHANMjI4AZWoDeGYaqxEtMafSQnFiagatyx1kCgYEA93ZA kHUDBHlpkg+bQLrlimMGqXGj4m7TasW/PTxEWe1WbgKuN9o7grGdnAlhKDhdAi9S 4eCNzKA4CTK8Zx9WH6izgq9oushDSofTgzozuPXiJ2PFxDl0nGQLvg2UrgzzBmSK 0GO0Il7tkkDKfZdApFgqyWbA7CrShs1rF9fsYg8CgYEA00kau5Vq9btVbO2mvGAz a1YjZ9ygei6DGkLCVXBHiNbAVlT0XqyOVZUbO68q2ioOBKFlKq2e2vz988+FFqUn 8TtMtRnOGY2myCDSNwTxyAwuEkBsURYoTMguqO4F24MOGPefOkg3CQt/uiLkcSaT / 1rDG+CSDcCifSj4gvdbvDkCgYEAorch7xrVuhpvfXg/mMeL6XwFxGMR5PEEmT+f 6Q74zrzNyRaAIf+gg+ZwgUp1lTHCjo45jIbQFo3/aqTu10v2oGiYaMUYM0E9ZgN7 49zgZ61eYJItV0KEV9U9F2HssqmXH0v7Lt1wc+1Bf5qUyxIqkiXbNIUZM/FQbw0h bxMuvqcCgYEA8JMQHjmx9NCUAH9ShHrrqO4qw9NCvAteShx0D/AbQALP5L56QfWQ L0h41nNpL1E2AHAME/ZcWQzeHhrPY0+gOklBRG+mQS2MNOD31bZNUgh7LF20s4M/ 1Qb1srzf9qKbhD2PG3PSSuj1UuFGTAccording to L3QOnv4UuFGL, Iyl7HAgs =-END RSA PRIVATE KEY- # openssl genrsa-out / lee/my.key # generates the RSA private key while outputting # openssl rsa-in / lee/my.key-pubout # to see the public of the private key The key writing RSA key-BEGIN PUBLIC KEY- MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA9armbPLhXtJc70Ktvw0J JEZtWaA6MtWGjL6sr51WGhrC2wcuXVdrQlpWXWxFjO7zlwfIs2Oo9+6LmQdmRbql t0Jmh0RG9XxB51cKR1s8c71k/u2AJm6Ccg8wsxLgBVKrpFB9bZ7WsLAJ7n61mkJu l49VpanduIuGXroom3HEgmgoOWObw6xiCtMSR9c5ksobz3oI6R9cccpOfcXB Vo2fc + KnuKyM1saR8HXrHBPpoyP6DT2GOvCyLjw1l1c4jPKO6PC2CJMyM4q6EuTow/j8y+ X2vCVPzferYRixH8b96HGisxqD2fUxK1H3RPOCk8L/NiWyE2L5950FgDxUB1gRXA NwIDAQAB-END PUBLIC KEY- # openssl rsa-in / lee/my.key-pubout-out / lee/mypub.key # outputs the public key of the private key

2. Configure CA:

1): view and modify the CA configuration file:

# cat / etc/pki/tls/openssl.cnf # the main content is the following # [ca] default_ca= CA_default# The default ca section # # [CA_default] dir= / etc/pki/CA# Where everything is kept # default main working directory certs= $dir/certs# Where the issued certs are kept # client certificate Book storage directory crl_dir= $dir/crl# Where the issued crl are kept # certificate revocation list location database= $dir/index.txt# database index file. # the list of issued certificates does not have this file by default. You need to create # unique_subject= no# Set to 'no' to allow creation of # several ctificates with same subject. New_certs_dir= $dir/newcerts# default place for new certs. # newly generated certificate certificate= $dir/cacert.pem # The CA certificate # CA own certificate (self-signed certificate) serial= $dir/serial # The current serial number # serial number. There is no such file by default. You need to create the private key storage location of crlnumber= $dir/crlnumber# the current crlnumber# must be commented out to leave a V1 CRL crl= $dir/crl.pem # The current CRL private_key= $dir/private/cakey.pem# The private key # CA RANDFILE= $dir/private/.rand# private random number file x509 private extensions = usr_cert# The extentions to add to the cert# Comment out the following two lines for the "traditional" # (and highly broken) format. Name_opt = ca_default# Subject Name options cert_opt = ca_default# Certificate field options # Extension copying option: use with caution. # copy_extensions = copy # Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs # so this is commented out by default to leave a V1 CRL. # crlnumber must also be commented out to leave a V1 CRL. # crl_extensions= crl_ext default_days= 36 certificate how long to certify for # the default validity period of the certificate is default_crl_days= 3 how long before next CRL default_md= sha256# use SHA-256 by default preserve= no# keep passed DN ordering

2): generate an asymmetric private key of CA:

# openssl genrsa-out / etc/pki/CA/private/cakey.pem

3): generate self-signed certificate:

# openssl req-new-x509-key / etc/pki/CA/private/cakey.pem-out / etc/pki/CA/cacert.pem-new: create-x509: specify self-signed certificate-key: specify asymmetric key (private key)-out: output file-days: certificate validity You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter'.', the field will be left blank. -Country Name (2 letter code) [XX]: CN State or Province Name (full name) []: GuangDong Locality Name (eg, city) [Default City]: ShenZhen Organization Name (eg, company) [Default Company Ltd]: test Organizational Unit Name (eg, section) []: test Common Name (eg) Your name or your server's hostname) []: ca.test.com Email Address []: admin@test.com# openssl x509-text-in cacert.pem # View certificate information Certificate: Data: Version: 3 (0x2) Serial Number: ae:af:f9:0e:f3:0e:96:bd Signature Algorithm: sha256WithRSAEncryption Issuer: C=CN, ST=GuangDong, L=ShenZhen, O=test, OU=test CN=ca.test.com/emailAddress=admin@test.com Validity Not Before: Feb 3 07:38:39 2018 GMT Not After: Mar 5 07:38:39 2018 GMT Subject: C=CN, ST=GuangDong, L=ShenZhen, O=test, OU=test CN=ca.test.com/emailAddress=admin@test.com Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit) Modulus: 00:c3:91:60:ee:17:d2:14:36:75:1c:d3:95:ac:43: 69: 5c:f0:7f:a6:00:cb:7f:b2:45:5c:1e:0a:da:a9: ba:82:37:7f:36:9c:49:c3:2a:23:2e:b1:fa:78:87: aa:a5:cc:91:2f:55:0f:e5:dd:de:e8:07:46:61:9e: C3:dd:33:12:a1:98:f2:cb:62:00:45:1d:54:89:cb: 28:cb:4f:b4:eb:46:df:df:ca:5b:94:81:64:c0:4f: fe:91:23:a0:33:cf:b8:05:27:63:cc:d2:87:c0:42: 30:d7:1f:d6:e0:3d:61:61:6d:46:2a:99:63:b3:7f: 70:6a:f8:96:5f:9e:f6:b6:9f:8e:44:09:cc:eb:3e: ac:e0:d0:97:5e:43:9a:8d:b2:f9:18:08:73: 7f:39: d9:9b:a5:b2:4e:c7:25:93:ce:a6:ee:36:bc:22:e9: 08:8b:17:c0:5e:af:ff:c6:ce:ea:0b:f5:a6:d3:bc: f7:77:76:48:f1:57:25:56:88:6b: 73:bf:65:44:59: aa:a4:94:cd:d5:7c:4a:ca:fd:77:19:8e:42:62:3a: d3:4c:7c:b3:2d:73:ac:1c:70:4b:a5:26:cf:62:c0: 2f:e0:c3:06:eb:37:6e: 1d:7b:df:53:08:09:bf:e0: 6d:d8:ee:95:6d:1f:d9:df:3e:11:8b:e0:3d:0e:7b: 940x10001 0f Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Subject Key Identifier: 30:2F:BF:46:D3:E2:89:32:F3:76:D8:59:72:E5:06:79:65:E3:FF:2B X509v3 Authority Key Identifier: keyid:30:2F:BF:46:D3:E2:89:32:F3:76:D8:59:72:E5:06:79:65:E3:FF:2B X509v3 Basic Constraints: CA:TRUE Signature Algorithm: sha256WithRSAEncryption c0:d5:cc:e8:65:34:82:b5:99:f5:5d:e9:6d:43:42:c1:8c:01: 0c:09:34:df:d0:46:ca:01:7c:9b:f8:a1:08:e4:99:b1:5c:ef: eb:6d:2d:d5:82:fa:3f:10 : c9:96:ac:35:3a:1a:de:a7:37:69: 9d:20:d3:4f:19:3b:29:e8:e1:4a:7e:29:cd:5f:a1:81:f5:3e: 5d:c4:55:e6:e5:5d:c5:87:bd:4f:45:d0:3c:2c:5a:60:9b:2e: 79:23:0d:fa:80 : bf:80:83:f2:09:ce:6f:94:5c:c6:21:53:f7: 58:8e:cf:8d:88:7e:c1:57:38:a3:1c:e5:02:16:af:56:51:04: 9e:ad:54:e4:70:1f:76:d9:bf:1d:38:95:e4:94:91:6d:36:87: c4:fa : 75:3d:87:53:c9:10:8d:46:81:34:44:e3:53:12:cf:31: ca:10:48:14:c0:6f:d3:7a:3a:62:3f:04:90:f7:00:d6:c0:ce: ea:2f:44:ad:70:36:58:20:04:f9:2a:98:b4:af:fe:b4:67:35: 1d:3b:3e:ea:ba:e4:70:8b:56:f4:d5:bd:61:05:d4:30:23:64: c9:54:cd:96:bf:86:dd:38:41:6a:b1:4e:8d:72:ce:79:b7:fa: 51:53:c5:08:e2:d6:2f:43:b0:39:d4:c3:3c:84:b6:83:23 : 60: 4b:c0:9e:9d-BEGIN CERTIFICATE- MIID4zCCAsugAwIBAgIJAK6v+Q7zDpa9MA0GCSqGSIb3DQEBCwUAMIGHMQswCQYD VQQGEwJDTjESMBAGA1UECAwJR3VhbmdEb25nMREwDwYDVQQHDAhTaGVuWmhlbjEN MAsGA1UECgwEdGVzdDENMAsGA1UECwwEdGVzdDEUMBIGA1UEAwwLY2EudGVzdC5j b20xHTAbBgkqhkiG9w0BCQEWDmFkbWluQHRlc3QuY29tMB4XDTE4MDIwMzA3Mzgz OVoXDTE4MDMwNTA3MzgzOVowgYcxCzAJBgNVBAYTAkNOMRIwEAYDVQQIDAlHdWFu Z0RvbmcxETAPBgNVBAcMCFNoZW5aaGVuMQ0wCwYDVQQKDAR0ZXN0MQ0wCwYDVQQL DAR0ZXN0MRQwEgYDVQQDDAtjYS50ZXN0LmNvbTEdMBsGCSqGSIb3DQEJARYOYWRt aW5AdGVzdC5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDDkWDu F9IUNnUc05WsQ2lc8H+mAMt/skVcHgraqbqCN382nEnDKiMusfp4h7qlzJEvVQ/l 3d7oB0ZhnsPdMxKhmPLLYgBFHVSJyyjLT7TrRt/fyluUgWTAT/6RI6Azz7gFJ2PM 0ofAQjDXH9bgPWFhbUYqmWOzf3Bq+JZfnva2n45ECczrPqzg0JdeQ5qNsvkYCHN/ OdmbpbJOxyWTzqbuNrwi6QiLF8Ber//GzuoL9abTvPd3dkjxVyVWiGtzv2VEWaqk lM3VfErK/XcZjkJiOtNMfLMtc6wccEulJs9iwC/gwwbrN24de99TCAm/4G3Y7pVt H9nfPhGL4D0Oe5QPAgMBAAGjUDBOMB0GA1UdDgQWBBQwL79G0+KJMvN22Fly5QZ5 ZeP/KzAfBgNVHSMEGDAWgBQwL79G0+KJMvN22Fly5QZ5ZeP/KzAMBgNVHRMEBTAD AQH/MA0GCSqGSIb3DQEBCwUAA4IBAQDA1czoZTSCtZn1XeltQ0LBjAEMCTTf0EbK AXyb+KEI5JmxXO/rbS3Vgvo/EMmWrDU6Gt6nN2mdINNPGTsp6OFKfinNX6GB9T5d xFXm5V3Fh71PRdA8LFpgmy55Iw36gL+Ag/IJzm+UXMYhU/dYjs+NiH7BVzijHOUC Fq9WUQSerVTkcB922b8dOJXklJFtNofE+nU9h2PJEI1GgTRE41MSzzHKEEgUwG/T ejpiPwSQ9wDWwM7qL0StcDZYIAT5Kpi0r/60ZzUdOz7quuRwi1b01b1hBdQwI2TJ VM2Wv4bdOEFqsU6Ncs55t/pRU8UI4tYvQ7A51MM8hLaDI2BLwJ6d-END CERTIFICATE-

4): create the necessary files under the CA working directory

# touch / etc/pki/CA/index.txt # create a certificate issuance list file # touch / etc/pki/CA/serial # create a sequence number file # echo "01" > / etc/pki/CA/serial # write the starting number

Apply for a certificate from CA:

1): generate your own asymmetric key

# openssl genrsa-out / lee/my.key

2): apply for a certificate (here the private CA application process is a certificate generation step)

# openssl req-new-key / lee/my.key-out / lee/my.crt # Note there is no option for-x509, which stands for self-signed You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter'.', the field will be left blank. -Country Name (2 letter code) [XX]: CN State or Province Name (full name) []: GuangDong Locality Name (eg, city) [Default City]: ShenZhen Organization Name (eg, company) [Default Company Ltd]: test Organizational Unit Name (eg, section) []: test Common Name (eg) Your name or your server's hostname) []: www.test.com Email Address []: www@test.com Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []:

3): CA signed certificate:

# openssl ca-in / lee/my.crt-out www.test.com.crt Using configuration from / etc/pki/tls/openssl.cnf Check that the request matches the signature Signature ok Certificate Details: Serial Number: 1 (0x1) Validity Not Before: Feb 3 08:29:30 2018 GMT Not After: Feb 3 08:29:30 2019 GMT Subject: CountryName = CN stateOrProvinceName = GuangDong organizationName = test organizationalUnitName = test commonName = www.test.com emailAddress = www@test.com X509v3 extensions: X509v3 Basic Constraints: CA:FALSE Netscape Comment: OpenSSL Generated Certificate X509v3 Subject Key Identifier: 36:1E:30:68:9A:42:75:DE:EA:BE:F3:FF:EB:3C:26:5F:5B:30:4B:30 X509v3 Authority Key Identifier: keyid:30:2F:BF:46: D3:E2:89:32:F3:76:D8:59:72:E5:06:79:65:E3:FF:2B Certificate is to be certified until Feb 3 08:29:30 2019 GMT (365days) Sign the certificate? [y/n]: y 1 out of 1 certificate requests certified, commit? [YBO] y Write out database with 1 new entries Data Base Updated [root@localhost CA] # cat index.txt # look at the certificate issuance list and find that there is already a message. "01" is the V190203082930Z01unknown/C=CN/ST=GuangDong/O=test/OU=test/CN=www.test.com/emailAddress=www@test.com inherited from the serial just now.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.