7.1. openssl command-line options


7.1.1. version

[root@netkiller nginx]# openssl version
OpenSSL 1.0.1e-fips 11 Feb 2013
			

7.1.2. Benchmark the speed of cryptographic algorithms

$ openssl speed
			
$ openssl speed rsa
$ openssl speed aes
			

7.1.3. req

Create a self-signed CA certificate from an existing private key. 7300 days is 20 years, a typical lifetime for a private root; the same command without -x509 produces a CSR instead of a certificate.

openssl req -new -x509 -days 7300 -key ca.key -out ca.crt
			

7.1.4. x509

Issue a certificate from a CSR with the CA key and certificate. The original command also passed -signkey, which is a mistake: -signkey means "self-sign with this key", and when it is combined with -CA/-CAkey OpenSSL 1.x silently self-signs with client-key.pem and ignores the CA, so the result does not chain to ca.crt. -CAserial reads and increments the serial number stored in the file "serial"; use -CAcreateserial instead if that file does not exist yet.

openssl x509 -req -in client-req.csr -out client.crt -CA ca.crt -CAkey ca.key -days 365 -CAserial serial

Inspect the certificate we generated:

openssl x509 -in cacert.pem -text -noout
			

-extfile: load X.509 v3 extensions from the named section of a config file. Here a CA certificate is self-signed from its own CSR with the v3_ca section of openssl.cnf, which marks it as a CA (basicConstraints CA:TRUE) and adds the key identifiers that clients expect on an issuing certificate:

openssl x509 -req -in careq.pem -extfile openssl.cnf -extensions v3_ca -signkey key.pem -out cacert.pem
			
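The req, x509 and -extfile commands above (and the -subj option of 7.1.15) are the pieces of one procedure: create a CA, issue a server certificate from a CSR with proper v3 extensions, then verify the chain. The script below is an added example, not part of the original page or the Netkiller handbook; all file names, subject strings and the example.test host names are assumed for illustration. It ships its own small req config and writes the leaf extensions to a temporary -extfile, so it does not depend on the system openssl.cnf and runs on releases older than 1.1.1 (which lack req -addext). The host name goes into subjectAltName because modern clients ignore the CN.

```shell
#!/bin/sh
# Added example (not from the original page): a two-level PKI built with the
# commands in 7.1.3 and 7.1.4. File names, subjects and host names are assumed.
set -eu

# build_pki <dir>: writes ca.key/ca.crt and server.key/server.csr/server.crt into <dir>
build_pki() {
    dir=$1
    mkdir -p "$dir"

    # Private req config so the script does not depend on the system openssl.cnf.
    # x509_extensions is applied only by 'req -x509' (the self-signed CA below);
    # the [ dn ] section is required by req but overridden by -subj.
    cat > "$dir/req.cnf" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[ dn ]
CN = unused
[ ca_ext ]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

    # Leaf extensions for 'x509 -req -extfile': not a CA, TLS server use, and the
    # host names in subjectAltName (clients no longer match the CN).
    cat > "$dir/server.ext" <<'EOF'
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.test,DNS:example.test
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
EOF

    # 1. CA key and self-signed CA certificate (7.1.3)
    openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
    openssl req -new -x509 -days 3650 -sha256 -config "$dir/req.cnf" \
        -key "$dir/ca.key" -subj "/C=CN/O=Example Lab/CN=Example Lab Root CA" \
        -out "$dir/ca.crt"

    # 2. Server key and CSR
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
    openssl req -new -sha256 -config "$dir/req.cnf" -key "$dir/server.key" \
        -subj "/C=CN/O=Example Lab/CN=www.example.test" -out "$dir/server.csr"

    # 3. Issue the server certificate from the CA (7.1.4). No -signkey here:
    #    -CA/-CAkey sign it; -CAcreateserial creates the serial file on first use.
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 825 -sha256 -extfile "$dir/server.ext" \
        -out "$dir/server.crt" 2>/dev/null

    # 4. Check the chain the way a client would (prints "server.crt: OK")
    openssl verify -CAfile "$dir/ca.crt" "$dir/server.crt"
}

# key_matches_cert <key.pem> <cert.pem>: true if both carry the same RSA modulus,
# the standard check before deploying a key/certificate pair.
key_matches_cert() {
    k=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null | openssl dgst -sha256)
    c=$(openssl x509 -noout -modulus -in "$2" | openssl dgst -sha256)
    [ "$k" = "$c" ]
}

if [ $# -eq 1 ]; then
    build_pki "$1"
    key_matches_cert "$1/server.key" "$1/server.crt" && echo "server.key matches server.crt"
fi
```

Run it as `sh pki.sh /tmp/pki` (file name assumed). The verify step is the part people skip: it catches a CA certificate that lacks CA:TRUE, a leaf signed by the wrong key, or the -signkey mistake described in 7.1.4, all of which produce a certificate that looks fine in `x509 -text` but does not chain.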

7.1.5. ca

# Generate a CRL. "openssl ca" reads the [ ca ] section of openssl.cnf and needs
# its database (index.txt) and crlnumber files; revoke a certificate first with
# "openssl ca -revoke cert.pem", then regenerate the CRL.
$ openssl ca -gencrl -out exampleca.crl
			

7.1.6. crl

# Show the contents of a CRL (issuer, revoked serial numbers, next update)
$ openssl crl -in exampleca.crl -text -noout

# Verify the CRL signature against the CA certificate (prints "verify OK")
$ openssl crl -in exampleca.crl -noout -CAfile cacert.pem
			

7.1.7. pkcs12

-clcerts exports only the client (end-entity) certificate and omits any CA certificates; -name sets the friendly name that importers such as mail clients display. The command prompts for an export password that protects the file.

openssl pkcs12 -export -clcerts -in 324.cer -inkey ca.pem -out 324.p12 -name "Email SMIME"
			

Convert a PEM certificate and private key into a PKCS#12 (.pfx/.p12) file. -certfile adds the intermediate and root certificates so the importer receives the whole chain. OpenSSL 3.0 changed the default PKCS#12 encryption from RC2-40/3DES to AES-256-CBC with PBKDF2; if an old importer rejects such a file, add -legacy.

openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt
			

7.1.8. passwd

-1: the MD5-based crypt(3) hash ($1$...). The salt is at most 8 characters, so 'random-phrase-here' is truncated to 'random-p':

# openssl passwd -1 -salt 'random-phrase-here' 'your-password-here'
$1$random-p$AOw9RDIWQm6tfUo9Ediu/0
			

-crypt: the traditional DES-based Unix crypt algorithm, the default in OpenSSL 1.0. It keeps only the first 8 characters of the password and a 2-character salt, which is far too weak today, and OpenSSL 3.0 removed the option. OpenSSL 1.1.1 and later add -5 (SHA-256 crypt, $5$) and -6 (SHA-512 crypt, $6$), the formats modern /etc/shadow files use; prefer -6. Putting the password on the command line exposes it in the process list and shell history; read it with -stdin instead.

# openssl passwd -crypt -salt 'sa' 'password'
sa3tHJ3/KuYvI
			
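Generating a hash is half of the job; the other half is checking a password against a stored hash, which means re-deriving it with the salt embedded in the hash. The functions below are an added example, not part of the original page: verify_crypt_hash handles the $1$, $5$ and $6$ formats (the last two need OpenSSL 1.1.1 or later) and feeds the password through -stdin rather than argv; new_hash produces a fresh SHA-512 crypt hash with a random salt.

```shell
#!/bin/sh
# Added example (not from the original page): verify a password against a
# crypt(3)-style hash by recomputing it with the salt carried in the hash,
# the same way login does. Formats: $1$ MD5, $5$ SHA-256, $6$ SHA-512.
set -eu

# verify_crypt_hash <hash> <password>: exit 0 if the password matches
verify_crypt_hash() {
    hash=$1 password=$2
    id=$(printf '%s' "$hash" | cut -d'$' -f2)
    salt=$(printf '%s' "$hash" | cut -d'$' -f3)
    case $id in
        1|5|6) ;;
        *) echo "unsupported hash type: $id" >&2; return 2 ;;
    esac
    case $salt in
        rounds=*) echo "rounds= prefix not handled here" >&2; return 2 ;;
    esac
    # -stdin keeps the password out of argv and shell history
    computed=$(printf '%s\n' "$password" | openssl passwd -"$id" -salt "$salt" -stdin)
    [ "$computed" = "$hash" ]
}

# new_hash <password>: SHA-512 crypt with a random salt, as used in /etc/shadow
new_hash() {
    printf '%s\n' "$1" | openssl passwd -6 -stdin
}
```

The comparison is a plain string compare, which is fine here because the attacker cannot observe timing on a local verification; in a network-facing service use a constant-time comparison. SHA-512 crypt is the weakest scheme still defensible for new deployments: it is fast on GPUs, so where you control the format prefer bcrypt, scrypt or Argon2.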

7.1.9. digest

How do I create the MD5 or SHA-1 digest of a file?

Digests are created with the dgst command. MD5 and SHA-1 are both collision-broken (chosen-prefix collisions are practical for both), so use them only for non-security checksums; -sha256 is the drop-in replacement for anything that matters. A digest alone proves integrity only when the expected value arrives over a trusted channel; otherwise use an HMAC (dgst -hmac) or a signature (dgst -sign / -verify).

7.1.9.1. list-message-digest-commands

List the available digests (OpenSSL 1.0 syntax; in 1.1.0 and later this became "openssl list -digest-commands"):

$ openssl list-message-digest-commands
md2
md4
md5
mdc2
rmd160
sha
sha1
				

7.1.9.2. md5

# MD5 digest
openssl dgst -md5 filename

Note: the same MD5 digest can be produced with md5sum; the two tools differ only in output format.

$ echo "Hello World!" > message.txt
$ openssl dgst -md5 message.txt
MD5(message.txt)= d9226d4bd8779baa69db272f89a2e05c

7.1.9.3. sha1

# SHA1 digest (SHA-1 is also collision-broken; -sha256 uses the same syntax)
openssl dgst -sha1 filename
				
$ openssl dgst -sha1 /etc/passwd
SHA1(/etc/passwd)= 9d883a9d35fd9a6dc81e6a1717a8e2ecfc49cdd8
				

7.1.10. enc

7.1.10.1. list-cipher-commands

List the available cipher commands (OpenSSL 1.0 syntax; in 1.1.0 and later use "openssl list -cipher-commands"). Most of this list is historical: DES, RC2, RC4, Blowfish and IDEA are obsolete, DES and RC4 are practically broken, and OpenSSL 3.0 moves them into the "legacy" provider. Use aes-256-cbc, and note that enc cannot use authenticated modes (GCM, CCM), so it gives confidentiality but no integrity.

# one cipher per line
openssl list-cipher-commands

# openssl list-cipher-commands
aes-128-cbc
aes-128-ecb
aes-192-cbc
aes-192-ecb
aes-256-cbc
aes-256-ecb
base64
bf
bf-cbc
bf-cfb
bf-ecb
bf-ofb
cast
cast-cbc
cast5-cbc
cast5-cfb
cast5-ecb
cast5-ofb
des
des-cbc
des-cfb
des-ecb
des-ede
des-ede-cbc
des-ede-cfb
des-ede-ofb
des-ede3
des-ede3-cbc
des-ede3-cfb
des-ede3-ofb
des-ofb
des3
desx
idea
idea-cbc
idea-cfb
idea-ecb
idea-ofb
rc2
rc2-40-cbc
rc2-64-cbc
rc2-cbc
rc2-cfb
rc2-ecb
rc2-ofb
rc4
rc4-40
rc5
rc5-cbc
rc5-cfb
rc5-ecb
rc5-ofb
				

7.1.10.2. base64

Base64 encoding and decoding: use the enc -base64 option (-a is the short form). Base64 is an encoding, not encryption; it hides nothing.

# send encoded contents of file.txt to stdout
openssl enc -base64 -in file.txt

# same, but write contents to file.txt.enc
openssl enc -base64 -in file.txt -out file.txt.enc
				

On the command line (Windows build shown):

C:\GnuWin32\neo>openssl enc -base64 -in file.txt
SGVsbG8gV29ybGQhDQo=

C:\GnuWin32\neo>openssl enc -base64 -in file.txt -out file.txt.enc

C:\GnuWin32\neo>type file.txt.enc
SGVsbG8gV29ybGQhDQo=

C:\GnuWin32\neo>
				

Through a pipe

C:\GnuWin32\neo>echo "encode me" | openssl enc -base64
ImVuY29kZSBtZSIgDQo=

C:\GnuWin32\neo>echo -n "encode me" | openssl enc -base64
LW4gImVuY29kZSBtZSIgDQo=

C:\GnuWin32\neo>

Note that cmd.exe's echo has no -n option and does not strip quotes: both encodings include the quotes, the space before the pipe and a CRLF, and the second one also includes the literal "-n". On a Unix shell, echo -n "encode me" | openssl enc -base64 yields ZW5jb2RlIG1l.

Use the -d (decode) option to reverse the operation.

C:\GnuWin32\neo>openssl enc -base64 -d -in file.txt.enc
Hello World!

C:\GnuWin32\neo>openssl enc -base64 -d -in file.txt.enc -out file.txt
				

Quick one-liners

C:\GnuWin32\neo>type file.txt.enc | openssl enc -base64 -d
Hello World!

C:\GnuWin32\neo>type file.txt.enc
SGVsbG8gV29ybGQhDQo=

C:\GnuWin32\neo>echo SGVsbG8gV29ybGQhDQo= | openssl enc -base64 -d
Hello World!
				

7.1.10.3. des

Symmetric encryption and decryption. -des is single DES in CBC mode: a 56-bit key that can be brute-forced with modest hardware, so this is of historical interest only; use AES as in the next section. -a base64-encodes the output, and the key is derived from the prompted password.

Encrypt

# openssl enc -des -e -a -in file.txt -out file.txt.des
enter des-cbc encryption password:
Verifying - enter des-cbc encryption password:
				

Decrypt

# openssl enc -des -d -a -in file.txt.des -out file.txt.tmp
enter des-cbc decryption password:
				

7.1.10.4. aes

Encrypt. Without -pbkdf2 the key and IV are derived from the password with a single hash iteration (EVP_BytesToKey: MD5 before OpenSSL 1.1.0, SHA-256 since), which makes password guessing cheap; with OpenSSL 1.1.1 or later add -pbkdf2 -iter <n>, and prefer aes-256-cbc. enc does not authenticate the ciphertext, so a modified file may decrypt without error.

openssl enc -aes-128-cbc -in filename -out filename.out
				

Decrypt (the same options plus -d; a wrong password usually fails with "bad decrypt", but not always, because only the padding of the last block is checked).

openssl enc -d -aes-128-cbc -in filename.out -out filename
				
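The following is an added example, not code from the original page: it wraps enc with the settings a practitioner would use today (aes-256-cbc, -pbkdf2 with an explicit iteration count, passphrase read from a file instead of the command line; OpenSSL 1.1.1 or later is required for -pbkdf2/-iter), and it demonstrates the failure mode the section above warns about: flip one ciphertext byte and decryption still "succeeds". All file names are assumed.

```shell
#!/bin/sh
# Added example (not from the original page): password-based file encryption
# with 'openssl enc' using PBKDF2 and a passphrase file, plus a demonstration
# that enc provides confidentiality only. File names are assumed.
set -eu

# encrypt_file <plaintext> <ciphertext> <passfile>
encrypt_file() {
    # -pbkdf2 -iter replaces the legacy single-pass EVP_BytesToKey derivation;
    # -pass file: keeps the passphrase out of argv and shell history.
    openssl enc -aes-256-cbc -salt -pbkdf2 -iter 200000 -md sha256 \
        -pass "file:$3" -in "$1" -out "$2"
}

# decrypt_file <ciphertext> <plaintext> <passfile>
decrypt_file() {
    openssl enc -d -aes-256-cbc -pbkdf2 -iter 200000 -md sha256 \
        -pass "file:$3" -in "$1" -out "$2"
}

# flip_bit <file> <offset>: invert the low bit of one byte in place
flip_bit() {
    b=$(od -An -tu1 -j "$2" -N 1 "$1" | tr -d ' \n')
    printf "$(printf '\\%03o' $((b ^ 1)))" | dd of="$1" bs=1 seek="$2" count=1 conv=notrunc 2>/dev/null
}

# silent_corruption <plaintext> <passfile>: exit 0 if a tampered ciphertext
# still decrypts without error but yields different plaintext. This is the
# CBC malleability enc leaves unaddressed: add an HMAC over the ciphertext,
# or use an AEAD mode from a library (enc cannot do GCM).
silent_corruption() {
    tmp=$(mktemp -d)
    encrypt_file "$1" "$tmp/c" "$2"
    # Byte 16 is the first ciphertext byte after the 8-byte "Salted__" magic
    # and the 8-byte salt. Flipping it garbles block 1 and one byte of block 2
    # while the padding in the last block stays intact, so decryption returns 0.
    flip_bit "$tmp/c" 16
    if decrypt_file "$tmp/c" "$tmp/p" "$2" 2>/dev/null && ! cmp -s "$1" "$tmp/p"; then
        rm -rf "$tmp"; return 0
    fi
    rm -rf "$tmp"; return 1
}
```

200000 PBKDF2-HMAC-SHA256 iterations cost roughly a tenth of a second per attempt on a modern CPU, which is the point: the attacker pays the same price for every guess. Keep the iteration count with the data (it is not stored in the Salted__ header), because decryption must use the same value.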

7.1.11. rsa

Generate a key pair

Generate the private key. The original used 1024 bits, which is no longer acceptable (NIST disallowed it in 2013, and current browsers and SSH implementations reject such keys); use 2048 or more:

openssl genrsa -out private.key 2048
			

Derive the public key from the private key

openssl rsa -in private.key -pubout > public.key
			

Encrypt plaintext with the public key. rsautl defaults to PKCS#1 v1.5 padding, which is exposed to padding-oracle (Bleichenbacher-style) attacks whenever decryption failures are observable; -oaep selects RSA-OAEP instead (pkeyutl with -pkeyopt rsa_padding_mode:oaep is the equivalent, and rsautl is deprecated in OpenSSL 3.0). RSA can encrypt only one block smaller than the modulus (245 bytes for a 2048-bit key with PKCS#1 v1.5, 214 with OAEP-SHA1), so for real data encrypt a random symmetric key with RSA and the data with AES.

$ openssl rsautl -encrypt -oaep -pubin -inkey public.key -in filename -out filename.out
			

Decrypt with the private key (the padding mode must match)

$ openssl rsautl -decrypt -oaep -inkey private.key -in filename.out -out filename
			
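The size limit above is why RSA is used to wrap a symmetric key rather than to encrypt files. The script below is an added example, not part of the original page: a random AES-256 key encrypts the payload with enc in raw-key mode (-K/-iv, so no password derivation and no Salted__ header), and pkeyutl wraps that key with RSA-OAEP/SHA-256. The keys are produced exactly as in this section (genrsa, rsa -pubout); file names are assumed. It also uses openssl rand from 7.1.16 as the source of the key and IV.

```shell
#!/bin/sh
# Added example (not from the original page): hybrid encryption with the
# openssl CLI. RSA-OAEP (pkeyutl) wraps a random AES-256 key; AES-256-CBC with
# a fresh IV encrypts the payload. File names are assumed.
set -eu

# hybrid_encrypt <public.key> <plaintext> <outdir>
# writes <outdir>/payload.enc, <outdir>/cek.wrapped and <outdir>/iv.hex
hybrid_encrypt() {
    pub=$1 src=$2 out=$3
    mkdir -p "$out"
    cek=$(openssl rand -hex 32)              # 256-bit content-encryption key
    openssl rand -hex 16 > "$out/iv.hex"     # fresh IV for every message
    # -K/-iv take the raw hex key directly: no password derivation, no Salted__
    # header. The key is visible in this process's argv for the duration of the call.
    openssl enc -aes-256-cbc -K "$cek" -iv "$(cat "$out/iv.hex")" \
        -in "$src" -out "$out/payload.enc"
    # Wrap the CEK with RSA-OAEP/SHA-256 rather than rsautl's PKCS#1 v1.5.
    # The wrapped value is the 64-character hex string; OAEP-SHA256 with a
    # 2048-bit key allows up to 190 bytes, so it fits comfortably.
    printf '%s' "$cek" | openssl pkeyutl -encrypt -pubin -inkey "$pub" \
        -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256 \
        -out "$out/cek.wrapped"
}

# hybrid_decrypt <private.key> <outdir> <plaintext-out>
hybrid_decrypt() {
    priv=$1 out=$2 plain=$3
    cek=$(openssl pkeyutl -decrypt -inkey "$priv" -in "$out/cek.wrapped" \
        -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256)
    openssl enc -d -aes-256-cbc -K "$cek" -iv "$(cat "$out/iv.hex")" \
        -in "$out/payload.enc" -out "$plain"
}
```

Two things this script deliberately does not solve: it gives no integrity (CBC ciphertext and the IV file can be altered without the decryptor noticing; sign the bundle or add an HMAC keyed separately from the CEK), and the CEK passes through argv. For anything beyond ad-hoc use, do this with a library or with `openssl cms -encrypt`, which packages the same construction in a standard envelope.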

7.1.12. dsa

Example 7.1. dsaparam & gendsa

# create parameters in dsaparam.pem
openssl dsaparam -out dsaparam.pem 1024

# create first key
openssl gendsa -out key1.pem dsaparam.pem

# and second ...
openssl gendsa -out key2.pem dsaparam.pem
				

Generate the private key. 1024-bit DSA (the FIPS 186-2 size, paired with SHA-1) is obsolete, and NIST FIPS 186-5 no longer approves DSA for generating new signatures; for new systems use ECDSA (openssl ecparam -genkey -name prime256v1) or Ed25519 (openssl genpkey -algorithm ed25519, OpenSSL 1.1.1+). Like ECDSA, DSA leaks the private key if a per-signature nonce is ever reused or biased.

openssl dsaparam -out dsaparam.pem 1024
openssl gendsa -out private.key dsaparam.pem
			

Derive the public key from the private key

openssl dsa -in private.key -pubout -out public.key
			
$ ls
dsaparam.pem  private.key  public.key

$ cat *
-----BEGIN DSA PARAMETERS-----
MIIBHgKBgQCAkvuZmbK7zgTv3WnYayypdghcNKA+jP7/fdwy82JfqkJeF38FOOu8
4cbrQjzs6XdANeZk3c6BVQfqNfFnUomKARm0gdqeelsmyHMV+0jy7fuX1HHIUZyJ
Rqravmh+o9iYX1aA3jsP5sDoosEEEYKQBAUEi6vwzCnjCra3TBuvmQIVAPYqwKI3
v6nkKAfn+lqPvmHqVDv5AoGAb7vilZ7EtuYpJbpURZtTPOtLpMmpfwXq+g7cKQ7Z
mC+TCwzVUkBv8s/gxwr7r92bCmGTGJGuBVGqI0yEbrkMRGieJwOrS885NNg+AiTW
DB0Xo2klaTg5rFydGxPvWI72cpyds69Ptm4z9Th0xrtDUNIYPdDIR+rVUao5XBS9
U4w=
-----END DSA PARAMETERS-----
-----BEGIN DSA PRIVATE KEY-----
(private key body omitted)
-----END DSA PRIVATE KEY-----
-----BEGIN PUBLIC KEY-----
(public key body omitted)
-----END PUBLIC KEY-----
			

7.1.13. rc4

Encrypt a file. RC4 is a broken stream cipher (keystream biases; RFC 7465 prohibits it in TLS), and OpenSSL 3.0 provides it only through the legacy provider, so "openssl enc -rc4" fails there unless run with -provider legacy -provider default. Use AES instead; the commands are kept for reference.

# openssl enc -e -rc4 -in in.txt -out out.txt
enter rc4 encryption password:
Verifying - enter rc4 encryption password:
			

Decrypt a file

# openssl enc -d -rc4 -in out.txt -out test.txt
enter rc4 decryption password:
			

Specify the password with -k. Note that -k is a password, not a key (the key is still derived with EVP_BytesToKey), and that placing it on the command line exposes it in the process list and shell history; use -pass file:, -pass env: or -pass stdin instead.

openssl enc -e -rc4 -k passwd -in in.txt -out out.txt
openssl enc -d -rc4 -k passwd -in out.txt -out test.txt
			

7.1.14. -config: specify the configuration file

# openssl req -new -newkey rsa:2048 -config openssl.cfg -keyout server.key -nodes -out certreq.csr
			

7.1.15. -subj: set the subject non-interactively

The subject is written as /Key=Value pairs; a literal "/" inside a value must be escaped as "\/". Since Chrome 58, and under RFC 6125-style matching in other clients, host names are matched against subjectAltName and the CN is ignored, so a certificate meant for a web server also needs a SAN (-addext "subjectAltName=DNS:www.netkiller.cn" with OpenSSL 1.1.1+, or an extensions section via -config). A wildcard must cover exactly one left-most label, so it is written *.netkiller.cn; the original's *netkiller.cn would match no host name.

# openssl req -new -newkey rsa:2048 -keyout server.key -nodes -subj /C=CN/O=example.com/OU=IT/CN=Neo/ST=GD/L=Shenzhen -out certreq.csr

C:\> openssl req -new -newkey rsa:2048 -config openssl.cfg -keyout server.key -nodes -subj /C=CN/O="%OrganizationName%"/OU="%OrganizationUnit%"/CN="%CommonName%"/ST="%StateName%"/L="%LocalityName%" -out certreq.csr

openssl req -x509 -nodes -days 365 -newkey rsa:4096 -keyout /etc/nginx/ssl/www.netkiller.cn.key -out /etc/nginx/ssl/www.netkiller.cn.crt -subj "/C=CN/ST=Guangdong/L=Shenzhen/O=Global Security/OU=IT Department/CN=www.netkiller.cn/emailAddress=netkiller@msn.com"

openssl req -x509 -nodes -days 365 -newkey rsa:4096 -keyout /etc/nginx/ssl/www.netkiller.cn.key -out /etc/nginx/ssl/www.netkiller.cn.crt -subj "/C=CN/ST=Guangdong/L=Shenzhen/O=Global Security/OU=IT Department/CN=*.netkiller.cn/emailAddress=netkiller@msn.com"
			

7.1.16. rand

Generate random bytes from OpenSSL's CSPRNG. Options must precede the byte count (the original had them reversed, which the rand command rejects):

openssl rand -base64 12
			
# openssl rand -base64 24
rgphwqZFFA2tY1QfuBrmw3aN62i6ctFy			
			

7.1.17. Remove the passphrase from a private key (so a service such as nginx can start unattended). The output is an unencrypted key: create it under a restrictive umask or chmod 600 it immediately, and keep it readable only by the service's user.

$ openssl rsa -in neo.key -out nopassword.key
Enter pass phrase for neo.key:
writing RSA key
			


Source: Netkiller series handbook
Author: 陈景峯
Reproduction requires contacting the author and retaining the original source, the author information and this notice.
