OpenSSL命令

1
openssl command [ command_opts ] [ command_args ]

两种运行模式:交互模式、批处理模式

直接输入 openssl 回车进入交互模式,输入带命令选项的 openssl 进入批处理模式。

OpenSSL 整个软件包大概可以分成三个主要的功能部分:密码算法库SSL 协议库以及应用程序。OpenSSL 的目录结构自然也是围绕这三个功能部分进行规划的。

openssl 子命令分为三类:1、标准命令、2、消息摘要命令、3、加密命令

标准命令:

1
2
3
4
5
6
7
8
9
10
11
12
13
[root@centos8 data]$openssl list -commands
asn1parse ca ciphers cms
crl crl2pkcs7 dgst dhparam
dsa dsaparam ec ecparam
enc engine errstr gendsa
genpkey genrsa help list
nseq ocsp passwd pkcs12
pkcs7 pkcs8 pkey pkeyparam
pkeyutl prime rand rehash
req rsa rsautl s_client
s_server s_time sess_id smime
speed spkac srp storeutl
ts verify version x509

消息摘要命令:

1
2
3
4
5
6
7
[root@centos8 data]$openssl list -digest-commands
blake2b512 blake2s256 gost md2
md4 md5 rmd160 sha1
sha224 sha256 sha3-224 sha3-256
sha3-384 sha3-512 sha384 sha512
sha512-224 sha512-256 shake128 shake256
sm3

加密命令:对称加密和 base64 编码

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
[root@centos8 data]$openssl list -cipher-commands
aes-128-cbc aes-128-ecb aes-192-cbc aes-192-ecb
aes-256-cbc aes-256-ecb aria-128-cbc aria-128-cfb
aria-128-cfb1 aria-128-cfb8 aria-128-ctr aria-128-ecb
aria-128-ofb aria-192-cbc aria-192-cfb aria-192-cfb1
aria-192-cfb8 aria-192-ctr aria-192-ecb aria-192-ofb
aria-256-cbc aria-256-cfb aria-256-cfb1 aria-256-cfb8
aria-256-ctr aria-256-ecb aria-256-ofb base64
bf bf-cbc bf-cfb bf-ecb
bf-ofb camellia-128-cbc camellia-128-ecb camellia-192-cbc
camellia-192-ecb camellia-256-cbc camellia-256-ecb cast
cast-cbc cast5-cbc cast5-cfb cast5-ecb
cast5-ofb des des-cbc des-cfb
des-ecb des-ede des-ede-cbc des-ede-cfb
des-ede-ofb des-ede3 des-ede3-cbc des-ede3-cfb
des-ede3-ofb des-ofb des3 desx
idea idea-cbc idea-cfb idea-ecb
idea-ofb rc2 rc2-40-cbc rc2-64-cbc
rc2-cbc rc2-cfb rc2-ecb rc2-ofb
rc4 rc4-40 rc5 rc5-cbc
rc5-cfb rc5-ecb rc5-ofb seed
seed-cbc seed-cfb seed-ecb seed-ofb
zlib

消息摘要命令和加密命令初学不推荐直接使用,推荐通过标准命令 dgst 和 enc 调用。

command

1
2
3
4
5
6
7
8
9
10
11
12
version  # 查看版本信息
enc # 对称加密
dgst # 摘要
dhparam # 生成DH参数文件
dsaparam # 生成DSA参数文件
gendsa # 从DSA参数文件生成DSA私钥
dsa # 管理DSA密钥,可以给解密加密的私钥,可以给私钥设置密码,还可以从DSA私钥中生成公钥
passwd # 生成密码
rand # 生成随机数
ca # CA管理,例如对证书进行签名
req # 主要用于创建和处理PKCS#10格式的证书请求,可以创建自签名证书
x509 # 显示证书信息、将证书转换为各种形式、签署类似“迷你CA”的证书请求或编辑证书信任设置

http://linux.51yip.com/search/openssl

1. 对称加密:

OpenSSL 一共提供了 8 种对称加密算法,DES 是最常用的。

2. 非对称加密:

OpenSSL 一共实现了 4 种非对称加密算法,包括 DH 算法、RSA 算法、DSA 算法和椭圆曲线算法(EC)。DH 算法一般用户密钥交换。RSA 算法既可以用于密钥交换,也可以用于数字签名,当然,如果你能够忍受其缓慢的速度,那么也可以用于数据加密。DSA 算法则一般只用于数字签名。

3. 信息摘要算法:

OpenSSL 实现了 5 种信息摘要算法,分别是 MD2、MD5、MDC2、SHA(SHA1)和 RIPEMD。SHA 算法事实上包括了 SHA 和 SHA1 两种信息摘要算法,此外,OpenSSL 还实现了 DSS 标准中规定的两种信息摘要算法 DSS 和 DSS1。

4. 密钥和证书管理:

OpenSSL 为密钥和证书提供了丰富的功能,支持多种标准。

首先,OpenSSL 实现了 ASN.1 的证书和密钥相关标准,提供了对证书、公钥、私钥、证书请求以及 CRL 等数据对象的 DER、PEM 和 BASE64 的编解码功能。OpenSSL 提供了产生各种公开密钥对和对称密钥的方法、函数和应用程序,同时提供了对公钥和私钥的 DER 编解码功能。并实现了私钥的 PKCS#12 和 PKCS#8 的编解码功能。OpenSSL 在标准中提供了对私钥的加密保护功能,使得密钥可以安全地进行存储和分发。

在此基础上,OpenSSL 实现了对证书的 X.509 标准编解码、PKCS#12 格式的编解码以及 PKCS#7 的编解码功能。并提供了一种文本数据库,支持证书的管理功能,包括证书密钥产生、请求产生、证书签发、吊销和验证等功能。

事实上,OpenSSL 提供的 CA 应用程序就是一个小型的证书管理中心(CA),实现了证书签发的整个流程和证书管理的大部分机制。

对称加密

openssl 提供了两种方式调用对称加密算法:

一种就是直接调用对称加密指令;一种是使用 enc,对称加密指令作为 enc 的参数。例如下面两种写法是完全一样的:

1
openssl des-cbc -in plain.txt -out encrypt.txt -pass pass:12345678
1
openssl enc -des-cbc -in plain.txt -out encrypt.txt -pass pass:12345678

初学推荐使用 enc,更宜读

1
openssl enc [option]...
  • -help

  • -ciphers:列出所有 enc 的对称加密算法 option,上面的示例中的 -des-cba 就在其中

  • -in file:从 file 中读取内容,默认是从标准输入中读取

  • -out file:输出到 file,默认是输出到标准输出

  • -pass arg:设置加密或解密密码

    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    13
    14
    15
    # 加密
    openssl enc -des3 -in a.log -out b.bin -pass pass:123456
    # 解密
    openssl enc -des3 -d -in b.bin -out b.log -pass pass:123456
    # 命令行输入密码
    pass:123456
    # 文件输入密码
    file:passwd.txt
    # 环境变量输入密码
    export passwd=123456
    env:passwd
    # 从文件描述符输入密码
    fd:1
    # 从标准输入输入密码
    # stdin
  • -e:加密,默认选项,可以省略

  • -d:解密

  • -a:base64 虽然不是加密,但是 enc 也支持了 base64 编码

  • -base64:同 -a

  • -A:如果设置了-a,则-A 让 base64 输出的结果不分行

  • -k:已淘汰

  • -md:指定 hash 算法,将 hash 处理后的 passwd 作为密码

  • -S:手动指定盐值

摘要算法

支持的摘要算法命令使用openssl list -digest-commands查看,可以作为 openssl 的子命令直接调用,也可以作为 dgst 的短选项调用。

1
2
3
4
5
6
7
[root@centos8 data]$openssl list -digest-commands
blake2b512 blake2s256 gost md2
md4 md5 rmd160 sha1
sha224 sha256 sha3-224 sha3-256
sha3-384 sha3-512 sha384 sha512
sha512-224 sha512-256 shake128 shake256
sm3
1
dgst [options] [file...]

file…:files to digest (default is stdin)

  • -help Display this summary
  • -c 输出的摘要信息以分号隔离,和-hex 同时使用
  • -out outfile 指定输出文件,默认标准输出
  • -、、、
1
2
3
4
5
6
7
8
9
10
11
12
# 标准输入 生成摘要
[root@centos8 data]$echo {0..10} | openssl md5
(stdin)= da0feb828a99053332f6d08e0a58f33e
[root@centos8 data]$echo {0..10} | openssl dgst -md5
(stdin)= da0feb828a99053332f6d08e0a58f33e
# 文件内容 生成摘要
[root@centos8 data]$echo {0..10} > a.log
[root@centos8 data]$openssl dgst -md5 ./a.log
MD5(./a.log)= da0feb828a99053332f6d08e0a58f33e
[root@centos8 data]$openssl dgst -out a.md5 -md5 ./a.log
[root@centos8 data]$cat a.md5
MD5(./a.log)= da0feb828a99053332f6d08e0a58f33e

补充:coreutils 包提供了很多核心工具,例如 cat、cp、ls 等等,其中也有摘要算法相关的工具:md5sum,sha1sum,sha224sum,sha256sum ,sha384sum,sha512sum 等,以 md5 为例:

1
md5sum [OPTION]... [FILE]...

非对称加密

非对称加密相关命令都是 openssl 的标准命令,没有额外再单独设置一个命令管理它们。

  • dhparam:生成 DH 参数文件
  • dsaparam:生成 DSA 参数文件
  • gendsa:从 DSA 参数文件生成 DSA 私钥
  • dsa:管理 DSA 密钥,可以给解密加密的私钥,可以给私钥设置密码,还可以从 DSA 私钥中生成公钥
  • genrsa:生成 RSA 私钥
  • rsa:管理 RSA 密钥

DH(Diffie-Hellman)

1
2
3
4
5
6
7
# 使用生成因子2和随机的1024-bit的素数产生D0ffie-Hellman参数
# 输出保存到文件dhparam.pem
openssl dhparam -out dhparam.pem -2 1024

# 从dhparam.pem中读取Diffie-Hell参数,以C代码的形式
# 输出到stdout
penssl dhparam -in dhparam.pem -noout -C

DSA

1
2
3
4
5
6
7
8
9
10
11
12
13
14
# 生成1024位DSA参数集,并输出到文件dsaparam.pem
openssl dsaparam -out dsaparam.pem 1024

# 使用参数文件dsaparam.pem生成DSA私钥匙,
# 采用3DES加密后输出到文件dsaprivatekey.pem
openssl gendsa -out dsaprivatekey.pem -des3 dsaparam.pem

# 使用私钥匙dsaprivatekey.pem生成公钥匙,
# 输出到dsapublickey.pem
openssl dsa -in dsaprivatekey.pem -pubout -out dsapublickey.pem

# 从dsaprivatekey.pem中读取私钥匙,解密并输入新口令进行加密,
# 然后写回文件dsaprivatekey.pem
openssl dsa -in dsaprivatekey.pem -out dsaprivatekey.pem -des3 -passin

RSA

生成私钥,并 3des 加密:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
[root@centos8 data]$openssl genrsa -out rsa.key -des3 1024
Generating RSA private key, 1024 bit long modulus (2 primes)
...............+++++
............+++++
e is 65537 (0x010001)
Enter pass phrase for rsa.key:
Verifying - Enter pass phrase for rsa.key:
[root@centos8 data]$cat rsa.key
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,B81F9992681E3346

fi2XSHajJUAhKHNeUFB+nJqog0R8qiBfQ3yEljQHadyq7U7P+7evDV9JQxpwtDC1
gZ3BpjY1+4NmN1lXbzoADLwx/tRIgHqQXgkIgY/tSeKTOtaaFbRsg7DZXjcq3YMX
seo8DoZEbyyzAVIYVdR/Z40niYNoaEWiXiwzT8Wz11BORftqJER+07s2NRDSpQNj
8Q7R9L6uT+RWnde5IeCZjZ9X9cj9ZBlMw1trKpiwbqTeq1YtRHcpKLSyg69f5ERy
sW9qaf00qNHR6LTHL3Hgw+EBo9JYmspflvhGWO0QmWKNbBLnjEGS6QgbxgxQT0mP
d0Imwn/3Xit8c/ACdoHZiqwYkzrreR9K7CHD2USiMlun08vcWyal3EzPOAfshZWq
g6MXdLSs3nOA03dkP4mjjb3iCca8xxSFKQPWb3viZzg14gWRAlVo1Fp9+0d+U1An
hHpqX/64MiPZakRPyGfPA6uycJgxIxKzhnam/mKSAFkQoxt61zKst9JFKWwCnEAv
ucKZXIGPJGsMW5bXkVFdMdnx3iUZDHFBQmFLuA5+w8CQTBw3wLY1PKfvtpoLY2S3
qP9xnqqjPzg+RzBgNvWPIQ+y5SECZq5CdnGK/vLrysUBy3eUdfgiyZ5h7i2Bugnu
wieFH5FvaGHAljN6tcGo4xPjfPb+SEujkl+Ot6R1lCzHXvEgvaCBVBN5qx5rFH9H
CQ8ZeIKjs/jscCvgMhqhzRfOkhzvKruShQ1G3t1prvZ5JNZCy0ePkh/g9PMxIaVv
DIZbEiA+Yy5NrXmkCxHmVIACg4mxetPJCtg7yTG4P/dQKE/3PPLwZA==
-----END RSA PRIVATE KEY-----

解密私钥:

不需要指定加密用的算法

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
[root@centos8 data]$openssl rsa -in rsa.key
Enter pass phrase for rsa.key:
writing RSA key
-----BEGIN RSA PRIVATE KEY-----
MIICXAIBAAKBgQC3SFoUHD+Jk8dt2l7MWqDvhDUF/jMlzCMs2VhnWytPdWWjTHeO
zNj0rt6L8uMq45C3CmTzaBz6v6fdAH5RKLkv78ZqjhxfRwIgRtUCRCa+b+lqq0qc
9paKTFl+gAnSAkx0ua90XAx65DAs9XpL5HkGHI7Jj7Cb0ERluZNV0Sv8YwIDAQAB
AoGAfB61UfUnWiYH4m8Fz+J4Jnwj5GEXhjtOfurZoXTuSas5H3ODa+Nx8ZITCDd+
e+cMc8jIQMZ7CZyNM29IG/I2JgkXEk6apyLy7UAiQF0CbYljLOy7qBkrcYCo2RBa
IGUoTX7RJwC+3Dxa3/12Tx4ufqZ5/+RAJoqqV90rx8EFLnECQQDat+/KaEte9xJ0
+NgmOGna68p4B1zNR/LQ5/n3yEweBLaseOke2o3BnsIAcL5LLNC5d3jun9UWyl2R
Xtflcly/AkEA1oYgAs//M4M/o3bZxYBaQkWiC+u+YsKMwMA+DPYs/H2fzwprP+4N
mjoKYrjL214nchuDE1fM1YErcvkn5AN1XQJBAJCDVBbizloS2ckb2oV2ZMrXXNHt
221vioppnAoR9+klqCVRRoayVVOHOBveYn19QPQqcmcIiF0knKo+hlv+MjUCQDw/
syHXFM983xSjvomvgKn4MIi0juXhyfIgi8zMHtpS1d0qCfEMhJl6D4ymZeqYSO/N
NkTqdcbI3lEOFNv+9KkCQHGLnBuVcZ6IaneTIl6Dj5fuSH4JcTgWpeXJNbfWO+iR
7bpy5LnVqTM2rrvEjAdhMOD5xLbaxwRxSAMnG9lDyD8=
-----END RSA PRIVATE KEY-----

从私钥中生成公钥:

1
2
3
4
5
6
7
8
9
10
[root@centos8 data]$openssl rsa -in rsa.key -pubout -out rsa.key.pub
Enter pass phrase for rsa.key:
writing RSA key
[root@centos8 data]$cat rsa.key.pub
-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC3SFoUHD+Jk8dt2l7MWqDvhDUF
/jMlzCMs2VhnWytPdWWjTHeOzNj0rt6L8uMq45C3CmTzaBz6v6fdAH5RKLkv78Zq
jhxfRwIgRtUCRCa+b+lqq0qc9paKTFl+gAnSAkx0ua90XAx65DAs9XpL5HkGHI7J
j7Cb0ERluZNV0Sv8YwIDAQAB
-----END PUBLIC KEY-----

生成用户密码

1
passwd [options] {passwords}

默认使用 标准 Unix 密码算法 生成密码:

1
2
3
4
5
6
7
[root@centos8 data]$openssl passwd 123456
pPVKzob9muWhI
[root@centos8 data]$openssl passwd 123456
RGMogKjCYuqRo
[root@centos8 data]$openssl passwd 123456 admin
RmxJ4CJbLmGUs
ziknRF1V5vFSs

options:

  • -in file:从文件中读入密码,默认交互式输入
  • -stdin:从标准输入读取密码,默认交互式输入
  • -salt val:加盐,指定盐值
  • -6:SHA512
  • -5:SHA256
  • -1:MD5
  • -、、、

生成随机数

/dev/random 和/dev/urandom 根据硬件信息生成随机数,是伪随机数生成器,openssl rand 是真随机数生成器

1
rand [options] num

num:指定随机数的字节数。

options:

  • -out file:将输出的随机数写入到文件
  • -base64:将输出的随机数转成 base64 格式
  • -hex:将输出的随机数转成 16 进制格式

范例:生成 10 位随机数

1
2
3
4
[root@centos7 ~]#openssl rand -hex 5
2ce882e4e7
[root@centos7 ~]#openssl rand -base64 9 |head -c10
7yTjuE+FAC

在 CentOS8 上实现私有 CA 和证书申请颁发

相关文件:

1
2
3
4
5
6
7
[root@centos8 tls]$rpm -ql openssl-libs
/etc/pki/tls
/etc/pki/tls/certs
/etc/pki/tls/ct_log_list.cnf
/etc/pki/tls/misc
/etc/pki/tls/openssl.cnf # 配置文件
/etc/pki/tls/private
1
2
3
4
5
6
7
8
9
10
11
# 私有CA 目录

./demoCA - main CA directory
./demoCA/cacert.pem - 证书,也就是自签名公钥
./demoCA/private/cakey.pem - 自签名私钥
./demoCA/serial - CA serial number file
./demoCA/serial.old - CA serial number backup file
./demoCA/index.txt - 数据库文件
./demoCA/index.txt.old - CA text database backup file
./demoCA/certs - 颁发的证书存放目录
./demoCA/.rnd - CA random seed information

1. 创建私有 CA

私有 CA 的目录位置在 openssl.conf 中可以更改,默认设置如下,我们就不改了。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
[ CA_default ]

dir = /etc/pki/CA # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
#unique_subject = no # Set to 'no' to allow creation of
# several certs with same subject.
new_certs_dir = $dir/newcerts # default place for new certs.

certificate = $dir/cacert.pem # The CA certificate
serial = $dir/serial # The current serial number
crlnumber = $dir/crlnumber # the current crl number
# must be commented out to leave a V1 CRL
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/cakey.pem# The private key
  1. 按照 openssl.conf 中的设置,创建私有 CA 目录及相关文件
1
2
3
4
5
[root@centos8 ~]$mkdir /etc/pki/CA
[root@centos8 ~]$cd /etc/pki/CA
[root@centos8 CA]$mkdir certs crl newcerts private
[root@centos8 CA]$touch index.txt
[root@centos8 CA]$echo 01 > serial # 指定第一个颁发证书的序列号
  1. 生成私钥,这里选择 RSA 私钥,比较简单
1
2
3
4
5
[root@centos8 CA]$openssl genrsa -out private/cakey.pem 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
.......................+++++
..................+++++
e is 65537 (0x010001)
  1. 生成 CA 自签名证书
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
[root@centos8 CA]$openssl req -new -x509 -key private/cakey.pem -days 3650 -out cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:henan
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:ljk
Email Address []:ljk@qq.com
[root@centos8 CA]$
[root@centos8 CA]$openssl x509 -noout -in cacert.pem -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
26:c2:97:d3:b0:0e:f4:8d:d7:3e:1c:a1:e2:95:08:31:20:aa:f1:b7
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = CN, ST = henan, L = Default City, O = Default Company Ltd, CN = ljk, emailAddress = ljk@qq.com
Validity
Not Before: Sep 8 08:17:04 2020 GMT
Not After : Sep 6 08:17:04 2030 GMT
Subject: C = CN, ST = henan, L = Default City, O = Default Company Ltd, CN = ljk, emailAddress = ljk@qq.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
00:bc:30:93:e4:81:8f:aa:ed:c7:27:c3:66:6b:17:
7d:f2:40:f2:1c:5e:12:86:89:5a:ca:e1:d2:6d:61:
fa:3c:0e:36:d6:88:bc:c3:1c:e9:a3:a4:f7:28:14:
4b:7f:5a:48:e0:1f:3e:3a:dc:45:12:27:a9:ef:94:
51:95:1b:84:79:ae:6b:11:3d:77:92:a4:72:ee:4a:
47:c9:c6:13:84:03:f7:be:48:48:8d:ac:d4:b5:7b:
fd:36:04:6a:90:22:6f:5d:06:cc:52:c6:21:a2:0f:
48:fb:d1:cb:5b:66:f7:05:e5:35:10:14:6a:07:bc:
35:66:fd:d9:c4:30:35:91:bb:ca:6c:bb:77:79:4d:
e2:9e:03:71:72:e4:bd:7b:cf:2e:96:30:0e:7e:2d:
10:c4:5a:b3:66:03:7a:68:95:78:e1:31:28:86:35:
43:f6:be:7c:b8:d2:36:8f:ed:d0:0e:0a:98:49:59:
63:42:45:70:f2:a1:8d:30:b9:6b:6f:b2:49:c9:e2:
ae:0c:08:b2:47:bf:48:c7:be:d6:e8:26:8c:21:07:
e4:a9:16:e9:f1:c6:30:e0:41:de:3c:d8:81:fd:fe:
86:b2:6f:b1:04:35:73:ac:67:36:a8:39:ee:ff:15:
6b:4c:30:7e:6f:dd:9e:02:16:af:ae:46:e1:5c:e9:
b1:e5
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
62:CE:34:13:29:DA:F0:67:D8:CB:8D:6C:90:1A:3C:C8:E5:15:4D:D9
X509v3 Authority Key Identifier:
keyid:62:CE:34:13:29:DA:F0:67:D8:CB:8D:6C:90:1A:3C:C8:E5:15:4D:D9

X509v3 Basic Constraints: critical
CA:TRUE
Signature Algorithm: sha256WithRSAEncryption
4c:87:4d:25:3f:3d:5f:b9:9e:b1:35:2f:7e:be:26:da:6b:e0:
4a:77:56:79:80:9e:a7:8b:80:02:71:75:1c:12:28:e7:73:49:
c8:b4:44:41:3f:1a:b4:b6:db:8e:33:8e:29:8f:01:2f:9e:dc:
34:1c:45:78:a2:8c:82:25:9e:da:5f:69:fb:3c:15:98:db:36:
d7:a7:41:09:bc:b0:36:b7:ae:77:10:7a:7a:0e:00:ed:cd:22:
28:99:d3:a1:28:47:cd:6a:01:88:e5:d4:cc:42:be:d5:2a:16:
72:af:44:d8:b0:b9:83:99:e9:f3:08:c1:ea:f6:b1:11:ee:51:
d7:83:b8:1e:7c:45:47:25:0d:bc:5e:9d:78:cc:c1:26:0c:33:
5b:78:e5:1a:5f:31:79:11:54:a7:42:3a:dc:ed:43:66:b5:6c:
e1:f5:61:82:d5:92:19:f6:6c:e8:20:01:b4:0a:07:9f:5b:63:
1e:29:49:f0:58:4a:ed:ef:1a:67:a3:f1:ec:e3:e6:b3:50:3a:
c4:5b:ef:23:55:13:69:0a:ac:42:77:22:4b:0b:34:c1:f4:e9:
80:89:ff:ff:43:af:84:4e:a7:ef:f0:28:7a:14:c0:ce:f9:4b:
aa:db:29:4b:fb:5c:ac:bf:c9:5f:ce:cd:45:62:dc:6e:18:a0:
cc:f5:07:e9
[root@centos8 CA]$
[root@centos8 CA]$tree
.
├── cacert.pem
├── certs
├── crl
├── index.txt
├── newcerts
├── private
│   └── cakey.pem
└── serial

4 directories, 4 files

req:主要用于创建和处理 PKCS#10 格式的证书请求,可以创建自签名证书

  • -new:生成新证书签署请求
  • -x509:专用于 CA 生成自签证书
  • -key:生成请求时用到的私钥文件
  • -days n:证书的有效期限
  • -out /PATH/TO/SOMECERTFILE: 证书的保存路径
  • -key val:指定已有的秘钥文件生成秘钥请求,只与-new 配合
  • -newkey:与 -key 互斥,在生成证书请求或者自签名证书的时候自动生成密钥,生成的密钥名称由 -keyout 参数指定。当指定-newkey 选项时,后面指定 rsa:bits 说明产生 rsa 密钥,位数由 bits 指定。 如果没有指定选项-key-newkey,默认-newkey
  • -nodes:如果指定 -newkey,那么 -nodes 选项说明生成的秘钥不需要加密

x509:显示证书信息、将证书转换为各种形式、签署类似“迷你 CA”的证书请求或编辑证书信任设置

2. 申请证书并颁发证书

  1. 申请证书,就是申请一个认证过的公钥,首先生成私钥
1
2
3
4
5
[root@centos8 data]$openssl genrsa -out test.key 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
.............................................................................................+++++
........................................................................................................+++++
e is 65537 (0x010001)
  1. 使用私钥生成证书申请文件
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
[root@centos8 data]$openssl req -new -key ./test.key -out ./test.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:henan
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:ljk
Email Address []:ljk@qq.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:ljk

三种策略:默认是 match

  • match:要求申请填写的信息跟 CA 设置信息必须一致,
  • optional:可有可无,跟 CA 设置信息可不一致
  • supplied:必须填写这项申请信息
  1. CA 签署证书
1
[root@centos8 data]$openssl ca -in ./test.csr -out /etc/pki/CA/certs/test.pem -days 100
  1. 吊销证书
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
# 查看serial与subject信息,对比检验是否与index.txt文件中的信息一致,一致则删除
[root@centos8 certs]$openssl x509 -in ./test.crt -noout -serial -subject
serial=01
subject=C = CN, ST = henan, O = Default Company Ltd, CN = ljk, emailAddress = ljk@qq.com
[root@centos8 certs]$
[root@centos8 certs]$cat ../index.txt
V 201217092506Z 01 unknown /C=CN/ST=henan/O=Default Company Ltd/CN=ljk/emailAddress=ljk@qq.com

# 吊销之前,查看一下状态
[root@centos8 certs]$openssl ca -status 1
Using configuration from /etc/pki/tls/openssl.cnf
01=Valid (V)

# 吊销,注意目录
[root@centos8 certs]$openssl ca -revoke ../newcerts/01.pem
Using configuration from /etc/pki/tls/openssl.cnf
Revoking Certificate 01.
Data Base Updated

# 吊销之后,再看一下状态
[root@centos8 certs]$openssl ca -status 1
Using configuration from /etc/pki/tls/openssl.cnf
01=Revoked (R)

# 指定第一个吊销证书的编号,注意:第一次更新证书吊销列表前,才需要执行
[root@centos8 certs]$echo 01 > /etc/pki/CA/crlnumber
# 更新证书吊销列表
[root@centos8 certs]$openssl ca -gencrl -out /etc/pki/CA/crl.pem
Using configuration from /etc/pki/tls/openssl.cnf

# 查看crl文件
[root@centos8 certs]$openssl crl -in /etc/pki/CA/crl.pem -noout -text
Certificate Revocation List (CRL):
Version 2 (0x1)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = CN, ST = henan, L = Default City, O = Default Company Ltd, CN = ljk, emailAddress = ljk@qq.com
Last Update: Sep 8 09:39:42 2020 GMT
Next Update: Oct 8 09:39:42 2020 GMT
CRL extensions:
X509v3 CRL Number:
1
Revoked Certificates:
Serial Number: 01
Revocation Date: Sep 8 09:35:55 2020 GMT
Signature Algorithm: sha256WithRSAEncryption
09:a1:00:89:ed:5a:4d:71:3d:39:f0:34:72:7a:df:49:91:a1:
82:86:4f:76:7f:f9:b9:54:13:b1:b5:05:18:aa:4b:88:28:33:
7a:cf:0e:e5:ff:e4:41:36:33:62:95:82:20:aa:de:1e:76:f5:
61:10:11:d7:1e:da:19:2e:cc:b5:3a:96:17:4d:98:b2:f3:23:
78:1a:af:20:7b:e9:f9:eb:3a:a7:b5:58:46:67:c1:60:8c:e6:
2f:79:3b:16:24:f6:09:fc:09:12:96:de:60:09:2e:78:60:e4:
18:1a:36:aa:b2:eb:a1:31:23:7c:33:9a:dc:59:7c:b0:dd:a6:
fa:a6:72:23:9b:35:b7:4e:d3:98:44:49:44:66:9c:d4:82:56:
07:0d:23:da:1e:62:3e:6e:87:de:9e:6e:88:0f:0d:e7:50:3f:
67:9f:3f:86:89:c3:6a:bc:b8:bc:89:c4:8e:e8:d6:7b:12:81:
7f:85:07:3b:e0:34:d7:29:fd:67:fb:cb:7f:f3:51:f2:3f:a4:
68:ce:e2:f1:3c:c2:49:fd:72:e0:27:f5:e6:23:e8:ae:a6:8f:
b4:ba:eb:bc:1b:c3:4b:dd:1b:9e:39:5e:a8:ed:87:1d:5b:9f:
ef:42:02:68:2a:b4:c3:2d:31:24:3c:85:e7:d7:66:40:e2:07:
2e:61:77:0f

3. 说明

以上是常规的步骤,为了方便,还有其他简单的操作,例如在一个目录中创建 CA,并给 harbor 主机颁发证书,只需要三步:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
root@u1:~$ mkdir -p /usr/local/harbor/certs
root@u1:~$ cd /usr/local/harbor/certs
root@u1:/usr/local/harbor/certs$
# 1. 创建私有CA
root@u1:/usr/local/harbor/certs$ openssl req \
-newkey rsa:1024 -nodes -sha256 -keyout ca.key -x509 -subj "/CN=ca.ljk.org" -days 3650 -out ca.crt
Generating a RSA private key
..............+++++
...................................+++++
writing new private key to 'ca.key'
-----
root@u1:/usr/local/harbor/certs$ ls
ca.crt ca.key
# 2. 生成harbor主机的证书申请
root@u1:/usr/local/harbor/certs$ openssl req \
-newkey rsa:1024 -nodes -sha256 -subj "/CN=harbor.ljk.org" -keyout harbor.ljk.org.key -out harbor.ljk.org.csr
Generating a RSA private key
.....................................................................+++++
..........+++++
writing new private key to 'harbor.ljk.org.key'
-----
root@u1:/usr/local/harbor/certs$ ls
ca.crt ca.key harbor.ljk.org.csr harbor.ljk.org.key
# 3. 给harbor主机颁发证书
root@u1:/usr/local/harbor/certs$ openssl x509 -req -in harbor.ljk.org.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out harbor.ljk.org.crt
Signature ok
subject=CN = harbor.ljk.org
Getting CA Private Key
root@u1:/usr/local/harbor/certs$ tree
.
├── ca.crt
├── ca.key
├── ca.srl
├── harbor.ljk.org.crt
├── harbor.ljk.org.csr
└── harbor.ljk.org.key

0 directories, 6 files

CentOS7 创建自签名证书

CentOS7 和 8 步骤不一样。