OpenSSL操作

OpenSSL是什么不用介绍，都知道。
先用des3做一下文本的加密和解密，密码是secret

[[email protected] ~]# echo  "hello world" > hello[[email protected] ~]# openssl versionOpenSSL 1.1.1k  FIPS 25 Mar 2021[[email protected] ~]# openssl des3 -e -in hello -out hello.des3 -k secret  #警告不管*** WARNING : deprecated key derivation used.Using -iter or -pbkdf2 would be better.[[email protected] ~]# cat hello.des3  #看到的是密文Salted__`'▒o▒#É▒#▒X_▒i▒▒#z#خ▒[[email protected] ~]# file hello.des3hello.des3: openssl enc'd data with salted password[[email protected] ~]# openssl des3 -d -in hello.des3  -k secret*** WARNING : deprecated key derivation used.Using -iter or -pbkdf2 would be better.hello world

再生成RSA私钥，然后根据私钥导出公钥。
然后用公钥加密，用私钥解密。
用私钥加密，再用公钥解密。这里没有做这样的操作。

[[email protected] ~]# openssl genrsa -out keys 1024Generating RSA private key, 1024 bit long modulus (2 primes).................+++++.................................................................+++++e is 65537 (0x010001)[[email protected] ~]# ll keys; file keys-rw------- 1 root root 887 Jul 17 11:03 keyskeys: PEM RSA private key[[email protected] ~]# cat keys-----BEGIN RSA PRIVATE KEY-----MIICXQIBAAKBgQDAGbsAXzu99izN+KD03RTV1g+WDKvlH1c+wkufXmotiNIrXnvl7UuLpjWLgCztc+bkCNHyENH3aAmt4x33LdZk+LftsFPlPd3aFBn6uWlD4J6Ch4pGNLULru8/ZXGXwKtGeyxe/uOQmeEdD9BafTtWjj6273Qg4jSXJbLvJwc3eQIDAQABAoGAE6FNe68/opzKXU3f3MXOwD88nn+y/Rnjx3UBV0rFnNuTZn0kOg2yn5WfeR7i+GzUlk7UbWEMo7SM8Kj5we18L+3r/gwhz7iuLP0x0CV4A0Ah0HSRcdlA+4xtqxNhD1+LrV927opzkDo8I5NOqE0Kv2IUiHjI3PYU4E3PbnNG6dECQQDeFYI6xboFVSOgM+3TZY/EfYlkkgeyjQr3hgFbgHwPVEvsiankJtiQ+EFsHADH56anACMbjl5u4nIQ9NDgaltdAkEA3XAAMSyfGn4FpJsw0fpZUUK0UKdXhRFhaaanAX0Z/NWWK4q9TvM0DEJtzIVis/Lrsgl12Km3VCw/gdmXxPlmzQJBAIS4mfGBxR/2t6nAHvtdEMQ+ueNOmicMv2cZwKnsaTfICu+7fbqJtJc+pepz+ct+F0xqepC3Tpw53C1iAYp8RUkCQQCyM8Ej0boUsthNuMqYIPWiLKE5ywHmx67yPDhoPUodq7FXRybEE3qOZyM/lRRyporBU1WwUByGM7nEAN1fmin9AkBflvgEHdf6ExtOlJt1vvT5Eekv/4SCaolmPppZY8UppVHQfr5QAUoLos1nCd993ef87qB5ielAPBIO4myVzy6+-----END RSA PRIVATE KEY-----[[email protected] ~]# openssl rsa -in keys -pubout -out pkeywriting RSA key[[email protected] ~]# ll pkey ;file pkey-rw-r--r-- 1 root root 272 Jul 17 11:05 pkeypkey: ASCII text[[email protected] ~]# cat pkey-----BEGIN PUBLIC KEY-----MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDAGbsAXzu99izN+KD03RTV1g+WDKvlH1c+wkufXmotiNIrXnvl7UuLpjWLgCztc+bkCNHyENH3aAmt4x33LdZk+LftsFPlPd3aFBn6uWlD4J6Ch4pGNLULru8/ZXGXwKtGeyxe/uOQmeEdD9BafTtWjj6273Qg4jSXJbLvJwc3eQIDAQAB-----END PUBLIC KEY-----[[email protected] ~]# openssl rsautl -encrypt -in hello -inkey pkey -pubin -out hello.rsapubenc[[email protected] ~]# ll hello.rsapubenc ;file hello.rsapubenc-rw-r--r-- 1 root root 128 Jul 17 11:09 hello.rsapubenchello.rsapubenc: data[[email protected] ~]# cat hello.rsapubenc▒▒l▒r▒▒ajNx▒D▒▒7A▒▒7▒o▒;▒▒x("[~▒T7X▒e▒▒UZFy&▒▒O▒▒▒&s▒d▒,▒Ts▒Ϯ{y▒i▒▒▒▒▒#FO▒R▒▒▒0▒▒}▒V6▒DnR1}▒▒ɧO▒G>T▒e[[email protected] ~]# xterm-256color-bash: xterm-256color: command not found[[email protected] ~]# openssl rsautl -decrypt -in hello.rsapubenc -inkey keyshello world

然后用md5生成摘要值：

[[email protected] ~]# openssl dgst -md5 helloMD5(hello)= 6f5902ac237024bdd0c176cb93063dc4

看一下默认的openssl.cfg的位置(OPENSSLDIR)：在/etc/pki/tls下面

[[email protected] ~]# openssl version -aOpenSSL 1.1.1k  FIPS 25 Mar 2021built on: Mon Mar 28 15:35:23 2022 UTCplatform: linux-x86_64options:  bn(64,64) md2(char) rc4(16x,int) des(int) idea(int) blowfish(ptr)compiler: gcc -fPIC -pthread -m64 -Wa,--noexecstack -Wall -O3 -O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -fexceptions -fstack-protector-strong -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection -Wa,--noexecstack -Wa,--generate-missing-build-notes=yes -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -DOPENSSL_USE_NODELETE -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM -DZLIB -DNDEBUG -DPURIFY -DDEVRANDOM="\"/dev/urandom\"" -DSYSTEM_CIPHERS_FILE="/etc/crypto-policies/back-ends/openssl.config"OPENSSLDIR: "/etc/pki/tls"ENGINESDIR: "/usr/lib64/engines-1.1"Seeding source: os-specificengines:  rdrand dynamic

可以把openssl.cfg打开看一下，我们下面操作的话按cfg文件里配置的证书文件名、私钥文件名来。
然后我们来生成一个CA证书，CA证书是自签名的。
先参照openssl.cfg配置里生成一个自己的目录，建立一些文件和子目录：

[[email protected] ~]# mkdir iCA[[email protected] ~]# cd iCA[[email protected] iCA]# mkdir certs newcerts private crl[[email protected] iCA]# >index.txt[[email protected] iCA]# echo 0001 >serial[[email protected] iCA]# echo 0001 >crlnumber[[email protected] iCA]# tree --dirsfirst.├── certs/├── crl/├── newcerts/├── private/├── crlnumber├── index.txt└── serial4 directories, 3 files

然后一条语句直接生成CA自签名证书（也有分三步的，1生成CA私钥 2为CA创建CSR证书请求 3对证书请求自签名），这里一步搞定，爽快。生成好后看一下自签名证书内容。也可以将证书拷贝到windows平台，将后缀名改为crt，就可以打开，对照着看。

[[email protected] iCA]# openssl req -x509 -newkey rsa:2048 -days 366 -out cacert.pem -outform PEM -keyout private/cakey.pem -subj "/C=CN/CN=iCA"Generating a RSA private key.................+++++........+++++writing new private key to 'private/cakey.pem'Enter PEM pass phrase:Verifying - Enter PEM pass phrase:-----[[email protected] iCA]# openssl x509 -in cacert.pem -text -nooutCertificate:    Data:        Version: 3 (0x2)        Serial Number:            17:4f:00:fb:78:20:9f:b2:7d:2f:2f:e0:9d:d1:f0:0c:3e:33:43:e9        Signature Algorithm: sha256WithRSAEncryption        Issuer: C = CN, CN = iCA        Validity            Not Before: Jul 17 07:42:02 2022 GMT            Not After : Jul 18 07:42:02 2023 GMT        Subject: C = CN, CN = iCA        Subject Public Key Info:            Public Key Algorithm: rsaEncryption                RSA Public-Key: (2048 bit)                Modulus:                    00:cf:ab:4c:d3:ce:16:04:5f:85:d4:c0:70:bf:7a:                    55:52:5a:92:c0:7d:5d:79:20:70:f7:c2:73:ed:cf:                    78:bc:aa:3b:26:29:7f:1b:f3:94:86:ef:48:8b:01:                    4c:8a:3e:a0:92:51:a2:a0:df:5e:c3:d5:3c:68:98:                    2c:5e:52:3b:22:13:d3:e2:a4:17:5e:26:e0:ad:c2:                    d4:12:27:2c:e3:42:5b:07:65:d5:48:01:23:8b:38:                    6b:90:78:46:2f:56:d6:ba:c9:5b:9c:c6:25:76:74:                    20:7a:0c:1c:fb:05:ad:c5:47:8e:23:a9:c3:44:50:                    c7:a5:71:87:5a:2f:c4:b6:cf:80:52:cb:78:19:cb:                    7d:45:3a:bd:10:9e:6d:78:f4:1c:2a:cf:da:ba:2e:                    5e:95:b2:c9:68:cd:ab:12:d3:9d:4a:ab:ad:df:60:                    72:ad:31:5d:79:97:54:31:fe:26:99:1c:6d:c2:3d:                    4e:20:00:42:13:73:cd:72:17:22:2f:6b:e7:9f:51:                    60:44:8c:5d:5c:9d:6f:85:c5:15:9f:26:d8:f8:5d:                    41:d7:44:e7:b2:33:71:45:21:8b:fe:14:83:54:c0:                    4c:95:92:a9:b9:84:13:3d:9a:9f:d4:57:fc:26:f0:                    ac:ad:03:bc:4c:77:19:0b:26:64:9e:c2:88:6e:77:                    10:61                Exponent: 65537 (0x10001)        X509v3 extensions:            X509v3 Subject Key Identifier:                05:68:9C:D5:53:32:77:A0:9C:94:FC:20:A9:F8:B6:BC:D4:60:F9:88            X509v3 Authority Key Identifier:                keyid:05:68:9C:D5:53:32:77:A0:9C:94:FC:20:A9:F8:B6:BC:D4:60:F9:88            X509v3 Basic Constraints: critical                CA:TRUE    Signature Algorithm: sha256WithRSAEncryption         8b:cf:97:5b:be:01:c3:31:16:a3:b3:87:d2:bf:f6:16:ac:6b:         9d:9f:1d:5a:ac:f2:69:53:fd:23:5e:de:59:eb:a4:df:2c:54:         ea:8f:df:b3:0b:b7:b5:79:ac:8c:a3:39:a9:8b:a2:05:b1:c6:         39:26:b8:01:ec:1e:bb:19:e1:56:ef:ad:8f:39:49:f9:d0:ba:         e9:7c:07:ea:04:3f:88:c4:f9:1f:6e:b5:14:72:e7:26:4c:75:         bc:54:27:96:2a:c6:29:f6:96:d0:20:d5:10:c4:13:8c:29:ea:         78:b0:c8:7a:2b:5b:4f:24:17:f8:12:6c:1a:82:0d:d1:a8:6e:         c8:d5:a9:6d:a9:a1:4a:a5:ad:e4:e9:d5:2a:98:0d:5d:ca:22:         47:88:e2:69:a2:ba:02:d2:a6:16:9f:e3:82:28:1f:86:63:a1:         92:c5:54:4f:ac:fb:36:bb:22:f6:9f:bb:8b:5d:06:ed:6a:de:         a6:86:ca:d6:d2:54:23:17:e1:a9:7a:8c:e3:5d:89:52:14:a1:         c8:99:36:a8:50:28:df:91:5b:79:b3:2b:d5:7d:7d:db:6c:eb:         46:3c:d2:c7:4c:54:0c:16:51:c3:6a:69:af:18:78:4a:37:10:         ff:10:25:b8:62:6f:a6:c0:8b:98:40:d5:27:5d:96:00:7f:02:         b4:af:a0:9c

windows下看证书的内容：

可以看到和linux系统上查看的内容是一致的，时间不一致差8个小时是时区的原因。

好了CA自签名证书创建好了，接下来要修改一下openssl.cfg文件，来创建用户证书。

修改如下：
[ CA_default ] 下的 dir 为上面自己创建的目录，policy 修改为 policy_anything，这样减少一些校验。只要CN（Common Name）符合就行。

####################################################################[ ca ]default_ca      = CA_default            # The default ca section####################################################################[ CA_default ]#dir            = /etc/pki/CA           # Where everything is keptdir             = /root/iCA             # Where everything is keptcerts           = $dir/certs            # Where the issued certs are keptcrl_dir         = $dir/crl              # Where the issued crl are keptdatabase        = $dir/index.txt        # database index file.#unique_subject = no                    # Set to 'no' to allow creation of                                        # several certs with same subject.new_certs_dir   = $dir/newcerts         # default place for new certs.certificate     = $dir/cacert.pem       # The CA certificateserial          = $dir/serial           # The current serial numbercrlnumber       = $dir/crlnumber        # the current crl number                                        # must be commented out to leave a V1 CRLcrl             = $dir/crl.pem          # The current CRLprivate_key     = $dir/private/cakey.pem# The private keyx509_extensions = usr_cert              # The extensions to add to the cert# Comment out the following two lines for the "traditional"# (and highly broken) format.name_opt        = ca_default            # Subject Name optionscert_opt        = ca_default            # Certificate field options# Extension copying option: use with caution.# copy_extensions = copy# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs# so this is commented out by default to leave a V1 CRL.# crlnumber must also be commented out to leave a V1 CRL.# crl_extensions        = crl_extdefault_days    = 365                   # how long to certify fordefault_crl_days= 30                    # how long before next CRLdefault_md      = sha256                # use SHA-256 by defaultpreserve        = no                    # keep passed DN ordering# A few difference way of specifying how similar the request should look# For type CA, the listed attributes must be the same, and the optional# and supplied fields are just that :-)#policy         = policy_matchpolicy          = policy_anything# For the CA policy[ policy_match ]countryName             = matchstateOrProvinceName     = matchorganizationName        = matchorganizationalUnitName  = optionalcommonName              = suppliedemailAddress            = optional# For the 'anything' policy# At this point in time, you must list all acceptable 'object'# types.[ policy_anything ]countryName             = optionalstateOrProvinceName     = optionallocalityName            = optionalorganizationName        = optionalorganizationalUnitName  = optionalcommonName              = suppliedemailAddress            = optional####################################################################

然后创建用户证书请求，即CSR。这里也说一下华为云云证书管理服务，华为云SSL证书管理服务中，可以找到免费证书，即DigiCert品牌提供有证书类型为DV（Basic）、域名类型为单域名、有效期1年的免费证书。申请免费证书后，需要提交证书请求文件（Cerificate Signing Request，简称CSR），这个建议让华为云系统自动生成，因为你的网站信息他不会给你填错，以免审核不过，后面签发证书后，证书和私钥都会提供给你下载。当然也是可以自己手工生成CSR的。

回到创建用户CSR，然后CA签发用户证书：

[[email protected] iCA]# openssl req -newkey rsa:2048 -keyout private/user1key.pem -keyform PEM -out user1req.pem -outform PEM -nodes -subj "/C=CN/CN=user1"Generating a RSA private key.............+++++.......+++++writing new private key to 'private/user1key.pem'-----[[email protected] iCA]# openssl ca -in user1req.pem -out user1cert.pemUsing configuration from /etc/pki/tls/openssl.cnfEnter pass phrase for /root/iCA/private/cakey.pem:Check that the request matches the signatureSignature okCertificate Details:        Serial Number: 1 (0x1)        Validity            Not Before: Jul 17 07:53:48 2022 GMT            Not After : Jul 17 07:53:48 2023 GMT        Subject:            countryName               = CN            commonName                = user1        X509v3 extensions:            X509v3 Basic Constraints:                CA:FALSE            Netscape Comment:                OpenSSL Generated Certificate            X509v3 Subject Key Identifier:                6B:80:5F:F5:2E:B3:67:A6:60:58:45:4E:B3:A1:B0:A0:45:29:34:FD            X509v3 Authority Key Identifier:                keyid:05:68:9C:D5:53:32:77:A0:9C:94:FC:20:A9:F8:B6:BC:D4:60:F9:88Certificate is to be certified until Jul 17 07:53:48 2023 GMT (365 days)Sign the certificate? [y/n]:y1 out of 1 certificate requests certified, commit? [y/n]yWrite out database with 1 new entriesData Base Updated[[email protected] iCA]# tree --dirsfirst.├── certs├── crl├── newcerts│   └── 01.pem├── private│   ├── cakey.pem│   └── user1key.pem├── cacert.pem├── crlnumber├── index.txt├── index.txt.attr├── index.txt.old├── serial├── serial.old├── user1cert.pem└── user1req.pem4 directories, 12 files[[email protected] iCA]# cat index.txtV       230717075348Z           01      unknown /C=CN/CN=user1[[email protected] iCA]# cat serial02[[email protected] iCA]# openssl x509 -in user1cert.pem -text -noout                                                                                                                        Certificate:    Data:        Version: 3 (0x2)        Serial Number: 1 (0x1)        Signature Algorithm: sha256WithRSAEncryption        Issuer: C = CN, CN = iCA        Validity            Not Before: Jul 17 07:53:48 2022 GMT            Not After : Jul 17 07:53:48 2023 GMT        Subject: C = CN, CN = user1        Subject Public Key Info:            Public Key Algorithm: rsaEncryption                RSA Public-Key: (2048 bit)                Modulus:                    00:be:95:03:b6:01:0a:30:18:ae:18:4f:7f:65:7a:                    53:93:85:61:a2:a1:66:16:79:9a:58:73:7c:44:4e:                    b8:2c:b2:30:15:96:1f:f2:c2:08:34:8f:cd:ea:52:                    43:f0:fe:12:63:68:2b:4c:56:f2:74:5e:b5:a0:e4:                    7f:64:fe:9b:4f:aa:b9:96:b7:9c:fa:76:b7:2e:fa:                    58:d9:03:08:eb:a1:01:84:db:84:bf:24:85:ae:db:                    20:b9:a0:70:98:e8:47:88:ae:ef:2f:bc:61:c5:6b:                    ac:3f:d7:5e:45:a2:77:54:b5:2d:0a:f5:71:d0:d9:                    9f:55:40:ed:62:6f:d0:dc:42:e6:23:a4:95:40:2c:                    1b:23:de:c2:4d:a9:cf:04:fb:ad:97:05:29:91:3f:                    42:f3:78:4f:76:46:07:49:2c:01:c3:1b:32:33:97:                    b5:2b:61:11:5f:3b:3b:8e:3a:1c:b8:83:a4:cf:2f:                    47:94:40:f8:ee:bc:9b:9c:14:73:c8:73:b7:26:1f:                    19:1c:88:9b:08:04:be:de:22:af:04:66:c3:4d:ab:                    fb:06:8d:e3:97:4d:9e:76:af:e4:71:59:c2:28:f9:                    df:a0:5c:15:c4:0a:d7:b7:c2:bd:c0:05:9f:b2:85:                    94:58:70:14:85:1e:d8:eb:44:8a:44:d9:06:ef:23:                    71:85                Exponent: 65537 (0x10001)        X509v3 extensions:            X509v3 Basic Constraints:                CA:FALSE            Netscape Comment:                OpenSSL Generated Certificate            X509v3 Subject Key Identifier:                6B:80:5F:F5:2E:B3:67:A6:60:58:45:4E:B3:A1:B0:A0:45:29:34:FD            X509v3 Authority Key Identifier:                keyid:05:68:9C:D5:53:32:77:A0:9C:94:FC:20:A9:F8:B6:BC:D4:60:F9:88    Signature Algorithm: sha256WithRSAEncryption         8d:7f:5c:41:42:ba:cd:29:9c:77:fc:85:6a:21:22:8b:11:e1:         db:3f:32:d1:32:f1:7f:b9:3a:2d:13:ab:c5:d7:78:99:c5:46:         86:8c:ae:1c:c5:1b:e8:6f:8e:17:2a:2c:b5:d6:40:84:76:58:         cb:b3:84:7d:e9:ac:c6:1e:1e:f3:34:fd:27:b2:85:d3:56:a0:         29:74:f3:b3:d7:ec:64:c8:1e:9b:c6:e7:ef:40:fa:49:9b:86:         f2:bc:70:3f:e9:51:51:82:dd:48:08:48:6e:52:ca:bd:fc:9f:         46:93:e2:89:c0:dc:e3:e1:a7:01:54:99:c0:18:ab:ca:73:28:         8e:ff:89:f7:63:c5:a8:b0:f4:bf:d7:d5:b2:cf:94:82:1c:8f:         2b:25:d3:33:4a:ab:4b:d5:8b:6a:22:a4:6c:9f:59:a2:d2:a3:         97:ee:b2:85:41:e9:9a:64:99:f8:57:d8:fe:bf:6d:9f:a0:56:         4a:81:af:d4:43:31:00:2e:cd:46:a3:e5:d4:c2:2a:27:c4:de:         07:f3:00:4f:af:a1:fa:a3:6f:2b:9d:b8:3e:c4:03:13:05:60:         cc:8c:3a:6b:2c:59:2f:1a:32:a0:23:29:84:dd:17:b3:22:53:         63:49:64:f0:75:86:e4:f3:95:66:05:1d:a7:36:e5:59:34:18:         4c:4c:d5:89

这个用户证书的X509v3 Basic Constraints是CA:FALSE，所以它不是CA证书。因为CA证书我们还没有安装到“受信任的根证书颁发机构”，用户证书如果拷贝到windows打开，会说没有足够的信息来验证这个用户证书。

后面还会有证书的作废和列表等操作，这里就不说了。