A fairly complete set of OpenSSL commands, shared here for everyone!

Encryption algorithms:

Symmetric encryption algorithms: DES, IDEA, RC2, RC4, AES, Skipjack ...
Asymmetric encryption algorithms: RSA, DSA, Diffie-Hellman, PKCS, PGP ...

One-way hash algorithms are message digest algorithms, although some of them also come from the OpenSSL library.

Command operations:

1. Generate a plain private key:

[weigw@TEST src]$ openssl genrsa -out privatekey.key 1024
Generating RSA private key, 1024 bit long modulus
....
.......
e is 65537 (0x10001)

2. Generate a key protected by a passphrase:

[weigw@TEST src]$ openssl genrsa -des3 -out privatekey.key 1024
Generating RSA private key, 1024 bit long modulus
............
.....................
e is 65537 (0x10001)
Enter pass phrase for privatekey.key:
Verifying - Enter pass phrase for privatekey.key:

When generating a passphrase-protected key, you have to enter the passphrase yourself. The following algorithms are currently offered for encrypting the key:

-des encrypt the generated key with DES in cbc mode
-des3 encrypt the generated key with DES in ede cbc mode (168 bit key)
-aes128, -aes192, -aes256 encrypt PEM output with cbc aes

Remove the passphrase from the key:

[weigw@TEST src]$ openssl rsa -in privatekey.key -out privatekey.key
Enter pass phrase for privatekey.key:
writing RSA key

Generate a certificate from the generated private key:

[weigw@TEST src]$ openssl req -new -x509 -key privatekey.key -out cacert.crt -days 1095
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:CN
State or Province Name (full name) [Berkshire]:beijing
Locality Name (eg, city) [Newbury]:beijing
Organization Name (eg, company) [My Company Ltd]:wondersoft
Organizational Unit Name (eg, section) []:develop
Common Name (eg, your name or your server's hostname) []:WeiGW
Email Address []:weigongwan@sina.com

When generating the certificate, you have to enter some personal information as prompted.

Generate the public key from the private key:

[weigw@TEST src]$ openssl rsa -in privatekey.key -pubout -out pubkey.key
writing RSA key

Format conversion (certificate, private key, public key) (PEM <-> DER):

[weigw@TEST src]$ openssl x509 -in cacert.crt -inform PEM -out cacert.der -outform DER
[weigw@TEST src]$
[weigw@TEST src]$ openssl rsa -in privatekey.key -inform PEM -out privatekey.der -outform DER
writing RSA key
[weigw@TEST src]$ openssl rsa -pubin -in pubkey.key -inform PEM -pubout -out pubkey.der -outform DER
writing RSA key

Converting from DER to PEM works the same way: just change the inform format to DER and the outform format to PEM.

Below is a way to generate the certificates and private keys for server and client authentication (server.crt, client.crt, ca.crt):

Step 1: Generate the private keys

[weigw@TEST bin]$ openssl genrsa -out server.key 1024
Generating RSA private key, 1024 bit long modulus
.
..........................
e is 65537 (0x10001)
[weigw@TEST bin]$ openssl genrsa -out client.key 1024
Generating RSA private key, 1024 bit long modulus
...
....................................................
e is 65537 (0x10001)
[weigw@TEST bin]$ openssl genrsa -out ca.key 1024
Generating RSA private key, 1024 bit long modulus
.............................................................
.........
e is 65537 (0x10001)
[weigw@TEST bin]$

Step 2: Certificate requests

[weigw@TEST bin]$ openssl req -new -key server.key -out server.csr -days 1095
[weigw@TEST bin]$ openssl req -new -key client.key -out client.csr -days 1095
[weigw@TEST bin]$ openssl req -new -x509 -key ca.key -out ca.crt -days 1095

Step 3: Issue the certificates (sign the request files)

[weigw@TEST bin]$ openssl ca -in server.csr -out server.crt -cert ca.crt -keyfile ca.key
[weigw@TEST bin]$ openssl ca -in client.csr -out client.crt -cert ca.crt -keyfile ca.key

If this step fails with an error message such as:

[weigw@TEST bin]$ openssl ca -in client.csr -out client.crt -cert ca.crt -keyfile ca.key
Using configuration from /usr/share/ssl/openssl.cnf
I am unable to access the ./demoCA/newcerts directory
./demoCA/newcerts: No such file or directory
[weigw@TEST bin]$

create the CA directory structure manually:

[weigw@TEST bin]$ mkdir ./demoCA
[weigw@TEST bin]$ mkdir demoCA/newcerts

Create an empty file:

[weigw@TEST bin]$ vi demoCA/index.txt

Write 01 into the file:

[weigw@TEST bin]$ vi demoCA/serial

Merge the certificate file (crt) and the private key file (key):

[weigw@TEST bin]$ cat client.crt client.key > client.pem
[weigw@TEST bin]$ cat server.crt server.key > server.pem

Merge into a pfx certificate:

[weigw@TEST bin]$ openssl pkcs12 -export -clcerts -in client.crt -inkey client.key -out client.p12
Enter Export Password:
Verifying - Enter Export Password:
[weigw@TEST bin]$ openssl pkcs12 -export -clcerts -in server.crt -inkey server.key -out server.p12
Enter Export Password:
Verifying - Enter Export Password:

Convert the certificate to text:

[weigw@TEST bin]$ openssl pkcs12 -in client.p12 -out client.txt
Enter Import Password:
MAC verified OK
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
[weigw@TEST bin]$ openssl pkcs12 -in server.p12 -out server.txt
Enter Import Password:
MAC verified OK
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:

Display on screen (certificate, private key, public key):

[weigw@TEST bin]$ openssl x509 -in client.crt -noout -text -modulus
[weigw@TEST bin]$ openssl rsa -in server.key -noout -text -modulus
[weigw@TEST bin]$ openssl rsa -pubin -in server.pub -noout -text -modulus

Generate DH parameters:

[weigw@TEST bin]$ openssl dhparam -out dh1024.pem 1024
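
The three-step server/client/CA procedure above, including the demoCA directory fix, as one non-interactive script. This is an added example, not the author's own code. The helper names build_pki and verify_against_ca, the minimal ca.cnf, the subject names and the 2048-bit key size are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the original page); names, subjects and ca.cnf are assumed.
# build_pki DIR: steps 1-3 above, non-interactive, with an explicit CA config.
build_pki() (
    set -e
    cd "$1"
    # Layout "openssl ca" needs: newcerts directory, empty index.txt, serial = 01
    mkdir -p demoCA/newcerts
    : > demoCA/index.txt; echo 01 > demoCA/serial
    cat > ca.cnf <<'EOF'
[ ca ]
default_ca = CA_default
[ CA_default ]
dir           = ./demoCA
new_certs_dir = $dir/newcerts
database      = $dir/index.txt
serial        = $dir/serial
default_md    = sha256
default_days  = 1095
policy        = policy_cn
[ policy_cn ]
commonName = supplied
[ req ]
distinguished_name = dn
x509_extensions    = v3_ca
[ dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
EOF
    # Step 1: private keys (2048 bits here instead of the page's 1024)
    for name in ca server client; do
        openssl genrsa -out "$name.key" 2048
    done
    # Step 2: self-signed CA certificate and the two certificate requests
    openssl req -new -x509 -config ca.cnf -key ca.key -out ca.crt \
        -days 1095 -subj "/CN=Example Test CA"
    openssl req -new -config ca.cnf -key server.key -out server.csr -subj "/CN=server.example.test"
    openssl req -new -config ca.cnf -key client.key -out client.csr -subj "/CN=client.example.test"
    # Step 3: sign both requests; -batch skips the confirmation prompts
    for name in server client; do
        openssl ca -batch -notext -config ca.cnf -in "$name.csr" \
            -out "$name.crt" -cert ca.crt -keyfile ca.key
    done
)
# verify_against_ca DIR CERT...: succeeds only if every CERT chains to DIR/ca.crt
verify_against_ca() (
    cd "$1" && shift && openssl verify -CAfile ca.crt "$@"
)
demo=$(mktemp -d); build_pki "$demo"; verify_against_ca "$demo" server.crt client.crt
```

After a run, demoCA/index.txt holds one line per issued certificate and demoCA/serial holds the next serial number to be used.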