The editor in this article will introduce in detail what the function of linux openssl is. The content is detailed, the steps are clear, and the details are handled properly. I hope this article on what is the function of linux openssl can help you solve your doubts. Slow down, let's learn new knowledge together.
In linux, openssl is an extremely powerful command-line tool that can be used to complete many tasks related to the public key system and HTTPS. openssl has two operating modes: interactive mode and batch processing mode; directly enter openssl and press Enter to enter interactive mode, and enter openssl with command options to enter batch processing mode.
openssl is an extremely powerful command line tool that can be used to complete the public key system (Public Key Infrastructure) and many tasks related to HTTPS. openssl is a powerful Secure Sockets Layer cryptographic library, including main cryptographic algorithms, commonly used key and certificate encapsulation management functions and SSL protocol, and provides rich applications for testing or other purposes.
openssl has two operating modes: interactive mode and batch mode. Directly enter openssl and press Enter to enter the interactive mode, and enter openssl with command options to enter the batch mode.
The entire package of openssl can be roughly divided into three main functional parts: cryptographic algorithm library, SSL protocol library and application program. The directory structure of openssl is naturally planned around these three functional parts. The role of the openssl command:
Creation and management of private key, public key and parameters
Public key encryption operation
Create X.509 certificates, CSR and CRL
Calculation of information digest
Using passwords for encryption and decryption
SSL/TLS client and server testing
Handling S/MIME signatures Or encrypted mail
Timestamp request, generation and verification
1. Obtain command help in interactive mode
OpenSSL> help Standard commands asn1parse ca ciphers cms crl crl2pkcs7 dgst dhparam dsa dsaparam ec ecparam enc engine errstr gendsa genpkey genrsa help list nseq ocsp passwd pkcs12 pkcs7 pkcs8 pkey pkeyparam pkeyutl prime rand rehash req rsa rsautl s_client s_server s_time sess_id smime speed spkac srp storeutl ts verify version x509 Message Digest commands (see the `dgst’ command for more details) blake2b512 blake2s256 gost md4 md5 mdc2 rmd160 sha1 sha224 sha256 sha3-224 sha3-256 sha3-384 sha3-512 sha384 sha512 sha512-224 sha512-256 shake128 shake256 sm3 Cipher commands (see the `enc’ command for more details) aes-128-cbc aes-128-ecb aes-192-cbc aes-192-ecb aes-256-cbc aes-256-ecb aria-128-cbc aria-128-cfb aria-128-cfb1 aria-128-cfb8 aria-128-ctr aria-128-ecb aria-128-ofb aria-192-cbc aria-192-cfb aria-192-cfb1 aria-192-cfb8 aria-192-ctr aria-192-ecb aria-192-ofb aria-256-cbc aria-256-cfb aria-256-cfb1 aria-256-cfb8 aria-256-ctr aria-256-ecb aria-256-ofb base64 bf bf-cbc bf-cfb bf-ecb bf-ofb camellia-128-cbc camellia-128-ecb camellia-192-cbc camellia-192-ecb camellia-256-cbc camellia-256-ecb cast cast-cbc cast5-cbc cast5-cfb cast5-ecb cast5-ofb des des-cbc des-cfb des-ecb des-ede des-ede-cbc des-ede-cfb des-ede-ofb des-ede3 des-ede3-cbc des-ede3-cfb des-ede3-ofb des-ofb des3 desx idea idea-cbc idea-cfb idea-ecb idea-ofb rc2 rc2-40-cbc rc2-64-cbc rc2-cbc rc2-cfb rc2-ecb rc2-ofb rc4 rc4-40 seed seed-cbc seed-cfb seed-ecb seed-ofb sm4-cbc sm4-cfb sm4-ctr sm4-ecb sm4-ofb
2. Check the command version
OpenSSL> version OpenSSL 1.1.1h 22 Sep 2020
3. Use openssl command for base64 encoding and decoding
base64 encoding
(base) [root@sun-site certs]# echo wuhs |openssl base64 d3Vocwo= (base) [root@sun-site certs]# echo wuhs > 1.txt (base) [root@sun-site certs]# openssl base64 -in 1.txt d3Vocwo=
base64 decoding
(base) [root@sun-site certs]# echo d3Vocwo= | openssl base64 -d wuhs (base) [root@sun-site certs]# openssl base64 -d -in 1.base64 wuhs
4. Use openssl to generate a random password
Generate a 12-digit random password
(base) [root@sun-site certs]# openssl rand -base64 10 |cut -c 1-12 PGznlV5Og0Us
5. Use the openssl command to generate a summary
Calculate the md5 summary of the string wuhs
(base) [root@sun-site certs]# echo wuhs | openssl md5 (stdin)= 4cdb1fbd6a34ff27dc8c10913fab3e7e (base) [root@sun-site certs]# openssl md5 1.txt MD5(1.txt)= 4cdb1fbd6a34ff27dc8c10913fab3e7e
Compute the sha1 digest of the string wuhs
(base) [root@ sun-site certs]# openssl sha1 1.txt SHA1(1.txt)= bd8f0b20de17d623608218d05e8741502cf42302 (base) [root@sun-site certs]# echo wuhs | openssl sha1 (stdin)= bd8f0b20de17d623608218d05e8741502cf42302
6. Use the openssl command to perform AES encryption and decryption
Encrypt the string wuhs with aes, use Key 123, the output result is given in base64 encoding format
(base) [root@sun-site certs]# openssl aes-128-cbc -in 1.txt -k 123 -base64 *** WARNING : deprecated key derivation used. Using -iter or-pbkdf2 would be better. U2FsdGVkX194Z8P5c7C8vmXbA39omlqU/ET8xaehVFk=
Decrypt the aes encrypted file data, key 123
(base) [root@sun -site certs]# openssl aes-128-cbc -d -k 123 -base64 -in 2.txt *** WARNING : deprecated key derivation used. Using -iter or -pbkdf2 would be better. wuhs
7. Key generation and verification
Create encrypted private key
(base) [root@sun-site tmp]# openssl genrsa -des3 -out sunsite.key 2048 Generating RSA private key, 2048 bit long modulus (2 primes) ...++++ ...++++ e is 65537 (0x010001) Enter pass phrase for sunsite.key: Verifying - Enter pass phrase for sunsite.key: (base) [root@sun-site tmp]# ll total 16 -rw------- 1 root root 1751 Oct 25 14:43 sunsite.key
Verify private key
Encrypt the private key, the private key file is encrypted after entering the password
(base) [root@sun-site tmp]# openssl rsa -des3 -in sunsite.key -out sunsite.key writing RSA key Enter PEM pass phrase: Verifying - Enter PEM pass phrase:
Decrypt the private key, the private key file will be decrypted after entering the password
(base) [root@sun-site tmp]# openssl rsa -in sunsite.key -out sunsite2.key Enter pass phrase for sunsite.key: writing RSA key
8. Generate certificate signature
Use the specified private key file to generate csr file
(base) [root@sun-site tmp]# openssl req \ -key sunsite.key \ -new -out sunsite.csr You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter ‘.’, the field will be left blank. ----- Country Name (2 letter code) [AU]:CN State or Province Name (full name) [Some-State]:HuNan Locality Name (eg, city) []:changsha Organization Name (eg, company) [Internet Widgits Pty Ltd]:sunsite Organizational Unit Name (eg, section) []:jsb Common Name (e.g. server FQDN or YOUR name) []:wuhs Email Address []:[email protected] Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []:123456 An optional company name []:123456
Generate private key and CSR
(base) [root@sun-site tmp]# openssl req \ -newkey rsa:2048 -nodes -keyout s.key \ -out s.csr Generating a RSA private key ...++++ .++++++ writing new private key to 's.key' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields butyou can leave some blank For some fields there will be a default value, If you enter ‘.’, the field will be left blank. ----- Country Name (2 letter code) [AU]:cn State or Province Name (full name) [Some-State]:hunan Locality Name (eg, city) []:changsha Organization Name (eg, company) [Internet Widgits Pty Ltd]:sunsite Organizational Unit Name (eg, section) []:jsb Common Name (e.g. server FQDN or YOUR name) []:wuhs Email Address []:[email protected] Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []:123456 An optional company name []:123456 (base) [root@sun-site tmp]# ll total 28 -rw-r–r-- 1 root root 1102 Oct 25 15:37 s.csr -rw------- 1 root root 1708 Oct 25 15:37 s.key
Use existing certificate and private key to generate CSR
openssl x509 \ -in domain.crt \ -signkey domain.key -x509toreq -out domain.csr
View CSR file
(base) [root@sun-site tmp]# openssl req -text -noout -verify -in sunsite.csr
9. Make and view SSL certificate
Generate self-signed certificate
< /li>(base) [root@sun-site tmp]# openssl req \ -newkey rsa:2048 -nodes -keyout sunsite.key \ -x509 -days 365 -out sunsite.crt Generating a RSA private key ...++++ ...++++ writing new private key to 'sunsite.key' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter ‘.’, the field will be left blank. ----- Country Name (2 letter code) [AU]:cn State or Province Name (full name) [Some-State]:hn Locality Name (eg, city) []: cs Organization Name (eg, company) [Internet Widgits Pty Ltd]:sunsite Organizational Unit Name (eg, section) []:jsb Common Name (e.g. server FQDN or YOUR name) []:wuhs Email Address []:[email protected] (base) [root@sun-site tmp]#ll -rw-r–r-- 1 root root 1383 Oct 25 16:03 sunsite.crt -rw-r–r-- 1 root root 1102 Oct 25 15:05 sunsite.csr -rw------- 1 root root 1708 Oct 25 16:03 sunsite.key
Use an existing private key to generate a self-signed certificate
(base) [root@sun-site tmp]# openssl req \ -key sunsite.key -new \ -x509 -days 365 -out sunsite.crt You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter ‘.’, the field will be left blank. ----- Country Name (2 letter code) [AU]:cn State or Province Name (full name) [Some-State]:hn Locality Name (eg, city) []: cs Organization Name (eg, company) [Internet Widgits Pty Ltd]:sunsite Organizational Unit Name (eg, section) []:jsb Common Name (e.g. server FQDN or YOUR name) []:wuhs Email Address []:[email protected]
Use the existing private key and CSR to generateinto a self-signed certificate
(base) [root@sun-site tmp]# openssl x509 \ -signkey sunsite.key \ -in sunsite.csr \ -req -days 365 -out sunsite.crt Signature ok subject=C = CN, ST = HuNan, L = changsha, O = sunsite, OU = jsb, CN = wuhs, emailAddress = [email protected] Getting Private key
View Certificate
(base) [root@sun-site tmp]# openssl x509 -text - noout -in sunsite.crt
Verify whether the certificate is issued by CA
(base) [root@sun-site tmp]# openssl verify -verbose -CAfile ca.crt sunsite.crt Error loading file ca.crt #Need ca certificate
Verify whether the private key, certificate, and CSR match
(base) [root@sun-site tmp]# openssl x509 -noout -modulus -in sunsite.crt |openssl md5 (stdin)= e26905e973af69aed4e4d707f882de61 (base) [root@sun-site tmp]# openssl rsa -noout -modulus -in sunsite.key |openssl md5 (stdin)= e26905e973af69aed4e4d707f882de61 (base) [root@sun-site tmp]# openssl req -noout -modulus -in sunsite.csr |openssl md5 (stdin)= e26905e973af69aed4e4d707f882de61 #md5 checksum consistency description, the three match
10, certificate format conversion
PEM to DER
(base) [root@sun-site tmp]# openssl x509 -in sunsite.crt -outform der -out sunsite.der
DER to PEM
(base) [root@sun-site tmp]# openssl x509 -in sunsite.der -inform der -out sunsite.crt
(base) [root@sun-site tmp]# openssl crl2pkcs7 -nocrl -certfile sunsite.crt -certfile ca-chain.crt -out sunsite.p7b
PKCS7 to PEM
#openssl pkcs7 -in domain.p7b -print_certs -out domain.crt
PEM to PKCS12
openssl pkcs12 -inkey domain.key -in domain.crt -export -out domain. pfx
PKCS12 to PEM
openssl pkcs12 -in domain.pfx -nodes -out domain.combined.crt< /p>
11. Certificate revocation
The client obtains the serial of the certificate to be revoked (executed on the host using the certificate)
(base) [root@sun-site tmp]# openssl x509 -in sunsite.crt -noout -serial -subject serial=2DA086B4B14ECE63535734049A4BCF70290446C9 subject=C = CN, ST = HuNan, L = changsha, O = sunsite, OU = jsb, CN = wuhs, emailAddress = [email protected]
12. Get command help
Take the openssl x509 command as an example
(base) [root@sun-site tmp]# openssl x509 --help
1. Grammar
openssl command [ command_opts ] [ command_args ]
2. Standard commands
| Command | Command Introduction |
|---|---|
| asn1parse | Parse ASN.1 sequence. |
| ca | Certificate Authority (ca) management. |
| ciphers | Cipher suite description OK. |
| cms | cms (Cryptographic Message Syntax) Utility |
| crl | Certificate revocation list (crl) management. |
| crl2pkcs7 | CRL to PKCS#7 conversion. |
| dgst | Message digest calculation. |
| dh | Diffie-Hellman parameter management. Eliminated by dhparam. |
| dhparam | Diffie-Hellman parameter generation and management. Replaced by genpkey and pkeyparam |
| dsa | dsa data management. |
| dsaparam | DSA parameter generation and management. replaced by genpkey and pkeyparam |
| ec | ec (elliptic curve) key handling | < /tr>
| ecparam | EC parameter operation and generation |
| enc | Encode with a password. |
| engine | Engine (loadable module) information and operations. |
| errstr | Error number to error string conversion. |
| gendh | Generation of Diffie-Hellman parameters. Eliminated by dhparam. |
| gendsa | Generate DSA private key according to parameters. Replaced by genpkey and pkey |
| genpkey | Generate private key or parameters. |
| genrsa | Generate RSA private key. Replaced by Gen Puji. |
| nseq | Create or check netscape certificate sequence |
| ocsp | Online certificate status Protocol utility. |
| passwd | Generate hashed passwords. | pkcs12 | PKCS#12 data management. |
| pkcs7< /td> | PKCS#7 data management. |
| pkey | public Key and private key management. |
| pkeyparam | Public key algorithm parameter management. |
| pkeyutl | Public key algorithm encryption operation utility. |
| rand | Generate pseudo-random bytes. |
| req | PKCS#10 X.509 Certificate Signing Request (CSR) management. |
| rsa | rsa key management. |
| rsautl | RSA utility for signing, verifying, encrypting and decrypting .replaced by pkeyutl |
| s_client | This implements a generic SSL/TLS client that can establish transparent connections with remote servers using SSL/TLS. It is only used for testing purposes and only provides basic interface functions, but internally mainly uses all functions of the OpenSSL library. |
| s_server | |
| s_time | SSL connection timer. |
| sess_id | SSL session data management. |
| smime | S/MIME mail handling. |
| speed | Algorithmic speed measurement. |
| spkac | spkac print and generate utility |
| Timestamp authorization tool (client/server) | |
| verify | X.509 certificate verification. |
| version | OpenSSL version information. |
| x509 | X.509 certificate data management. |
3. Message summary command
| Command | Command Introduction |
|---|---|
| md2 | MD2 Digest |
| md5 | MD5 Digest |
| mdc2 | MDC2 Digest | rmd160 | RMD-160 Digest |
| sha | SHA Digest |
| sha1 | SHA-1 Digest |
| sha224 | SHA-224 Digest |
| sha256 | SHA-256 Digest |
| sha384 | SHA-384 Digest |
| sha512 | SHA-512 Digest |
4, encoding and password commands
| command | < th align="center">command introduction|
|---|---|
| base64 | base64 encoding |
| bf bf-cbc bf-cfb bf-ecb bf-ofb | Blowfish password |
| cast cast-cbc | Cast cipher |
| cast5-cbc cast5-cfb cast5-ecb cast5-ofb | CAST5 cipher |
| des des-cbc des-cfb des-ecb des-ede des-ede-cbc des-ede-cfb des-ede-ofb des-ofb | DES password |
| des3 desx des-ede3 des-ede3-cbc des-ede3-cfb des-ede3- ofb | triple DES password |
| idea idea-cbc idea-cfb idea-ecb idea-ofb | IDEA password |
| rc2 rc2-cbc rc2-cfb rc2-ecb rc2-ofb | RC2 cipher |
| rc4 | RC4 cipher |
| rc5 rc5-cbc rc5-cfb rc5-ecb rc5-ofb | RC5 password |
After reading this, what is the function of linux openssl has been introduced. If you want to master the knowledge points of this article, you need to practice it yourself before you can understand it. If you want to know more about Content articles, welcome to pay attention to Yisu cloud industry information channel.
Copyright Description:No reproduction without permission。
Knowledge sharing community for developers。
Let more developers benefit from it。
Help developers share knowledge through the Internet。
Follow us
Español
Português