2. 程式人生 > >Linux初級:openssl建立CA及頒發證書

Linux初級:openssl建立CA及頒發證書

阿新 發佈:2018-11-10

openssl

對稱加密:

工具:openssl enc, gpg
演算法:3des, aes, blowfish, twofish
幫助:man enc

1、 加密:enc對稱演算法加密 -e加密 -des3演算法加密 -a base64編碼 -salt加鹽打亂順序 -in加入檔案 -out輸出檔案

[[email protected] data]#openssl enc -e -des3 -a -salt -in fstab -out fstab.cip
enter des-ede3-cbc encryption password:
Verifying - enter des-ede3-cbc encryption password:
[
 
[email protected] data]#ll
total 8
-rw-r--r-- 1 root root  784 Sep 13 14:10 fstab
-rw-r--r-- 1 root root 1097 Sep 13 14:14 fstab.cip
[[email protected] data]#cat fstab.cip
U2FsdGVkX19iCjTL+B6er1QDvT3mnnJHqanodUGbdxtArBfHcJ6Ea8LeDPiZEUa/
nkxw614tKAkMMs0HSihFV2goBu9rWkuLA9GUO51aZ+XIH6QTSNDi6ILZdYEdSC7p
wKSGfJsz2rQOMwcCMSKg9Dfl9jTnm5LG2Kw0DKkdZDNOQW9ycnmBSVgKq+tbFC4V
+1rOAmctrBKwbj4QUqDGqRekfmyIeV7SAXUaOcl3JEPoSbSTeq3DAg8PQGHETyRf
CwamvfBmcdRTS5kMST04smu5cF56ib9c06xEtFfCm5g51nEDHW0hBewV5wy5vTpv
TQPpmI0iiR0tYJlI1fKfIe2XkdF/EX2dru41quGchpQkqlVTVQffjquteU6TFYUV
D5sz+IUzF4A7ObNdJzeYui4X0dT890V1fY6duby3iezxPngB+zIKW5JwK1AGsL4M
pUYdU+6IEcRNKowYtCSEQzzNDIJsNh1gSEmp54ScHuxJ1BFxBvQwV9Uj2YZ28vZw
8Z/IszEZvtIBALaZ0bAfoYeHMCMdEk1nklKwrA0RFqoGYCpXPzf2YgwFYPAQuVr7
l+DXqMs5R3xUheo65xD8sePmQmpJGvPWSTEd3tgrxa4UBGAkjGn9+B1EaFSJ9fM9
dyIYJlA4L5DJQmB/NfgexJQUhJcQTWajxkB0p4mkj7mYb1dqXfvYZyxWrM8Xadoq
T+2yhfErBTetC2S4GAM0WWIjMy2kRrcxmdUty2UcsviCPN6GiEoMslbNCWODa6Bz
dib716UiWEpAR6NuCGv5ERcJ/zkzbIJuQyR8YTG3M7oeqfPy9xkqgYVuVSkb2ofr
NHfGYG7lYM68UhhNkCS0RsGbwWM0hz6Mt2IodYBDn7eD2nY5qGIoezrY//ftjZpf
jX44r67o/w2OfMi4+3aKa9e6ANWgPNBhFezSIkVUi7kJ3CyXsy2XmEVRIdpSPV6v
Kjcu6+EM3H7lKGjAChOzHjMCAiRr/6ijsuKZ4YvtEDZXydIb5XEG3VSITYtD7Hue
A+DpCGPNWwHgnXoSbHilwOgE8N9Dxx55t437bcaSZL6JH3z8n4FLQQ==

可以轉化成二進位制,fstab.cip2檔案才算真正的加密。更安全

[[email protected] data]#base64 -d fstab.cip > fstab.cip2
[[email protected] data]#cat fstab.cip2 
Salted__b
4=AF    
      2EWh(;HH.|31"4
                       NAorry
.g->Ry^[email protected]aqI=8^zm!M閽"}SUߎ3]'7Eu}>x[FSM*`HIq#نv#Mg
W?7`|TBjI$DhTw"&P8/5fj]V74Yb#3-eކ
 
[email protected]|a1*)w`μRM4b(u:~8
׺ՠ<,~

                                                                                       $kqcxyƒdA[[email protected] data]#

2、 解密:enc對稱演算法加密 -d解密 -des3演算法加密 -a base64編碼 -salt加鹽打亂順序 -in加入檔案 -out輸出檔案

[[email protected] data]#openssl enc -d -des3 -a -salt  -in fstab.cip -out fstab2 
enter des-ede3-cbc decryption password:
[[email protected] data]#cat fstab2

#
# /etc/fstab
# Created by anaconda on Wed Jul 18 17:14:35 2018
#
# Accessible filesystems, by reference, are maintained under '/dev/disk'
# See man pages fstab(5), findfs(8), mount(8) and/or blkid(8) for more info
#
UUID=bad06bd2-9f82-4954-b5ad-ea296b82e6df /                       xfs     defaults        0 0
UUID=b0976649-edba-4e94-9c0d-83c2c842ef73 /boot                   xfs     defaults        0 0
UUID=720807ea-75ce-4a96-b9fd-238743f9ec79 /data                   xfs     defaults        0 0
UUID=37083a64-0f7e-426d-bb18-983ad222b2ad swap                    swap    defaults        0 0
UUID=0ce32dee-2a6c-4208-90b6-25db048a609d /home                   xfs     defaults        0 0
UUID=1126bba2-239e-4b19-82e4-e96b47e21d93 swap                    swap    defaults        0 0

單向加密:

工具:openssl dgst
演算法:md5sum, sha1sum, sha224sum,sha256sum…
幫助:man dgst

[[email protected] data]#openssl dgst -md5 fstab
MD5(fstab)= aa204eeffac45ec9019b0738be8cf95c
[[email protected] data]#md5sum fstab
aa204eeffac45ec9019b0738be8cf95c  fstab

生成使用者密碼
工具:openssl passwd
幫助:man sslpasswd

利用鹽隨機生成加密口令:-1通過md5演算法 -salt固定鹽為11111111

[[email protected] data]#openssl passwd -1
Password: 
Verifying - Password: 
$1$3m.Wzvbk$5Nw56eshcwjQNQm43uog90
[[email protected] data]#openssl passwd -1 -salt 11111111
Password: 
$1$11111111$/GA3uQqOZi/rI1U4SK.kb0

生成隨機數
工具:openssl rand
幫助:man sslrand
-hex10 利用16位生成(16位是4個2進製表示的)
-base64 是利用base64生成(base64是6個2進製表示的,所以不能被6整除的最後轉化成=)

[[email protected] data]#openssl rand -base64 12
98/N1kFs+76V8Ulh
[[email protected] data]#openssl rand -base64 13
z3Dx2P5/pSb3qWh6Bg==
[[email protected] data]#openssl rand -base64 18
cBybezlTKSobD9wKBB6W4O+l
[[email protected] data]#openssl rand -base64 19
uEVHIdlYKCKZaVJTdWhkD8ekGw==

提取隨機12位密碼

[[email protected] data]#openssl rand -base64 24|tr -d '/+'|head -c12
8B11Y1Y5ByOX[[email protected] data]#

urandom裝置提取12位密碼

[[email protected] data]#cat /dev/urandom |tr -dc 'A-Za-z0-9' |head -c 12
jYCVlCWWHxUd[[email protected] data]#

非對稱加密

生成祕鑰對兒
工具:openssl genrsa
幫助:man genrsa

生成私鑰加密

[[email protected] data]#(umask 077;openssl genrsa -out test.key -des 2048)
Generating RSA private key, 2048 bit long modulus
.....+++
.................................................................................................................................................................+++
e is 65537 (0x10001)
Enter pass phrase for test.key:
Verifying - Enter pass phrase for test.key:

私鑰解密

[[email protected] data]#openssl rsa -in test.key -out test2.key
Enter pass phrase for test.key:
writing RSA key

私鑰生成公鑰

[[email protected] data]#openssl rsa -in test.key -pubout -out test.pub
Enter pass phrase for test.key:
writing RSA key
[[email protected] data]#cat test.pub 
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvb4UuLr45f18YAHqkw/9
UWtILOuu11S7+k++ymGd9sZgbeMUoxID+s7O7gimSvpKSoVwNNLF8/ibntuMM+LE
7NpflugKbZHC2YreM1Co07BWNY7GiJjcbc5V7KHAzOlBeWpHYpWI6O+8kZOn6wtf
Lk3DR+JGr3363jq9QmK3PZ6Ciff92Bc6xboWlxeUJT2Gs3AdkMykJ4ISPAq9K2VD
hpAsMqfDgVoekzlXiW8WRQIC/KVxH+G5fvcXoTV+uvSxq183uT8Amj7urVhRlDiX
4ULkPlocr7SWW32g4frYiu6NnaDQOpwkFMOYfmXlus0SgQMt4EtdV7LL7RZU0i24
mwIDAQAB
-----END PUBLIC KEY-----

建立CA和申請證書

配置檔案:/etc/pki/tls/openssl.cnf

1、伺服器端建立檔案(先進入到/etc/pki/CA資料夾中,方便執行)

touch /etc/pki/CA/index.txt 生成證書索引資料庫檔案
echo 01 > /etc/pki/CA/serial 指定第一個頒發證書的序列號

2、 伺服器端生成私鑰(配置檔案中規定好的路徑和檔名/etc/pki/CA/private/cakey.pem)

[[email protected] CA]#(umask 066; openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus
.........................................................+++
..................................................................+++
e is 65537 (0x10001)

3、 伺服器端生成自簽名證書,注意新增-x509(配置檔案規定好的路徑和檔名/etc/pki/CA/cacert.pem)

-new: 生成新證書籤署請求
-x509: 專用於CA生成自簽證書
-key: 生成請求時用到的私鑰檔案
-days n:證書的有效期限
-out /PATH/TO/SOMECERTFILE: 證書的儲存路徑

[[email protected] CA]#openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem -days 3650
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:beijing
Organization Name (eg, company) [Default Company Ltd]:dushan
Organizational Unit Name (eg, section) []:opt
Common Name (eg, your name or your server's hostname) []:www.dushan.com
Email Address []:

4、 可檢視自簽名證書內容(如傳送到windows中檢視需新增.crt字尾)

[[email protected] CA]#openssl x509 -in cacert.pem -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            f2:1c:50:12:c1:13:84:e8
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=CN, ST=beijing, L=beijing, O=dushan, OU=opt, CN=www.dushan.com
        Validity
            Not Before: Sep 13 08:41:21 2018 GMT
            Not After : Sep 10 08:41:21 2028 GMT
        Subject: C=CN, ST=beijing, L=beijing, O=dushan, OU=opt, CN=www.dushan.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:c7:c6:f1:af:12:f5:0b:f7:8b:42:3a:15:cc:2a:
                    4c:57:ad:1e:1b:b0:ac:dd:e4:aa:03:7e:84:7d:d3:
                    60:a0:72:cf:71:77:f7:f8:df:32:8b:25:ea:39:94:
                    b1:0e:da:6b:fc:6c:fd:e3:1f:8c:d5:e5:b0:a2:24:
                    d8:99:de:c8:ce:1a:88:97:24:4b:46:c0:da:e6:7b:
                    cb:97:1c:38:06:54:77:b7:f2:f7:39:4d:90:01:d3:
                    19:af:40:a6:35:67:bd:3f:61:2a:c3:31:70:22:34:
                    a9:69:fa:f8:3a:66:58:7c:41:18:ec:83:77:47:b8:
                    53:d5:c6:f7:b0:8a:07:8f:c1:0e:fd:97:75:1e:8a:
                    68:ff:83:c9:3e:54:17:62:d2:a1:9f:01:6b:ae:5a:
                    63:d0:29:2c:a3:dd:88:ab:04:05:7a:65:11:38:6c:
                    a8:4b:27:ac:9e:d2:dd:1b:18:57:75:c5:c6:cd:67:
                    ca:07:1a:d9:24:4c:37:79:77:36:37:ef:9f:a2:ea:
                    fd:ee:ee:d0:a9:88:84:03:b6:5a:8c:07:33:84:93:
                    37:a4:10:47:b7:86:08:f5:d2:55:d0:39:5a:1e:70:
                    db:b2:b0:e8:95:2d:7b:ea:92:1f:bd:20:dc:7a:e7:
                    19:8c:30:12:e5:d0:0b:b8:3e:3b:c1:5f:c7:31:7f:
                    48:2d
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                C9:DC:B1:29:8C:0F:3B:11:1D:09:D2:62:95:7D:08:D2:EA:4E:C9:64
            X509v3 Authority Key Identifier: 
                keyid:C9:DC:B1:29:8C:0F:3B:11:1D:09:D2:62:95:7D:08:D2:EA:4E:C9:64

            X509v3 Basic Constraints: 
                CA:TRUE
    Signature Algorithm: sha256WithRSAEncryption
         2f:d4:2d:04:2a:be:da:62:46:3c:d6:74:d6:94:9a:61:df:59:
         1b:87:01:a3:6f:14:fa:ea:e6:7e:a9:1d:58:f4:1e:29:ad:b0:
         07:23:e9:52:9d:03:5d:8c:c3:71:ba:f8:2c:e7:6f:98:19:c3:
         1c:69:bd:8e:fd:85:dd:24:a9:fa:b5:4e:86:bb:0d:2e:02:38:
         66:90:7f:90:f9:ec:53:7f:0a:fb:b3:1c:c6:fd:b0:fd:c1:a7:
         91:70:e5:5e:03:09:23:f7:a1:39:f1:0f:3b:39:fd:54:05:5c:
         9e:f3:63:36:9f:c6:3f:d5:47:16:20:d6:37:4d:7b:22:09:35:
         f4:8a:1d:66:9d:24:05:29:3a:0a:d0:d7:37:a1:73:5d:93:74:
         38:da:72:1f:15:c5:1f:3e:7b:d7:aa:85:09:ee:7d:23:97:e3:
         75:04:9c:d1:9f:43:f1:76:38:de:cc:68:94:99:ca:de:18:96:
         14:6b:a4:77:59:3c:43:06:0c:22:61:7f:16:73:a5:d4:7e:39:
         24:0b:c6:22:75:65:83:23:b1:b5:64:9c:a1:41:3a:c0:08:ef:
         b7:e4:9d:a5:f0:9d:9f:9d:eb:e5:3c:c5:7d:e6:b6:32:02:b7:
         61:eb:c0:a8:f7:56:a2:2d:2c:9a:30:f7:70:c2:fa:05:3a:63:
         d4:72:9c:07

5.、客戶端生成私鑰:

[[email protected] data]#(umask 066;openssl genrsa -out app.key 2048)
Generating RSA private key, 2048 bit long modulus
...............................................+++
............................................................+++
e is 65537 (0x10001)

6、 客戶端生成csr檔案 (預設國家地區公司三項必須和伺服器端一樣,如需不一樣,需修改配置檔案中policy後面內容)

[[email protected] data]#openssl req -new -key app.key -out app.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:beijing
Organization Name (eg, company) [Default Company Ltd]:dushan
Organizational Unit Name (eg, section) []:sales
Common Name (eg, your name or your server's hostname) []:sale.dushan.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

7、 cp到伺服器端,位置可自定義(也可以製作祕鑰和csr檔案在伺服器端做完傳給客戶端)

[[email protected] data]#scp app.csr 192.168.32.61:/etc/pki/CA     
[email protected]'s password: 
app.csr                                                  100% 1009     1.0KB/s   00:00

8、 頒發證書 (如缺少/etc/index.txt,/etc/serial檔案會失敗,執行第一步)

[[email protected] CA]#openssl ca -in /etc/pki/CA/app.csr -out /etc/pki/CA/certs/app.crt -days 360
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Sep 13 08:52:39 2018 GMT
            Not After : Sep  8 08:52:39 2019 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = beijing
            organizationName          = dushan
            organizationalUnitName    = sales
            commonName                = sale.dushan.com
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                01:F6:5B:10:58:30:68:76:D1:7A:26:4E:0E:44:BE:00:AF:91:1F:24
            X509v3 Authority Key Identifier: 
                keyid:C9:DC:B1:29:8C:0F:3B:11:1D:09:D2:62:95:7D:08:D2:EA:4E:C9:64

Certificate is to be certified until Sep  8 08:52:39 2019 GMT (360 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

9、可檢視新證書資訊
可選引數 -text|issuer|subject|serial|dates


[[email protected] CA]#tree
.
├── app.csr
├── cacert.pem
├── certs
│   └── app.crt
├── crl
├── index.txt
├── index.txt.attr
├── index.txt.old
├── newcerts
│   └── 01.pem
├── private
│   └── cakey.pem
├── serial
└── serial.old

4 directories, 10 files
[[email protected] CA]#cat index.txt
V       190908085239Z      01   unknown /C=CN/ST=beijing/O=dushan/OU=sales/CN=sale.dushan.com
[[email protected] CA]#cat serial.old
01
[[email protected] CA]#openssl x509 -in certs/app.crt -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=CN, ST=beijing, L=beijing, O=dushan, OU=opt, CN=www.dushan.com
        Validity
            Not Before: Sep 13 08:52:39 2018 GMT
            Not After : Sep  8 08:52:39 2019 GMT
        Subject: C=CN, ST=beijing, O=dushan, OU=sales, CN=sale.dushan.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:e5:d2:3b:0b:5f:33:50:12:e6:c0:34:8f:3b:fe:
                    89:9d:e5:db:f1:76:13:70:a7:d8:3a:5a:60:6c:6d:
                    98:e1:15:32:90:18:21:8c:0e:e5:79:4d:8f:7e:43:
                    bb:cb:78:61:72:b8:b7:f1:34:6f:38:b2:38:94:b4:
                    d8:c7:6f:e7:6c:b8:1e:76:ab:3a:29:96:1e:db:15:
                    46:f8:aa:fd:85:cc:9d:61:a1:33:ff:b4:a4:f4:2e:
                    82:e0:03:1b:cf:09:04:d3:45:78:eb:b1:fc:ce:0e:
                    30:39:a9:7b:4d:71:ee:87:31:4a:c6:fe:72:61:b1:
                    f3:ed:42:51:3a:4a:da:7d:e8:fd:dd:97:e8:ca:f7:
                    b9:78:24:15:2e:6e:88:e0:a2:3e:ff:10:a1:b4:8f:
                    af:1c:f0:02:cc:fe:f6:1a:eb:46:92:9f:9f:e1:3e:
                    b3:c1:09:b0:09:07:10:fa:84:83:01:4d:a8:ed:dc:
                    d7:d3:7e:be:0c:96:f9:92:b8:22:e2:36:4d:98:8e:
                    c6:cd:6c:7d:8c:bd:fa:9d:ef:f3:90:67:12:35:da:
                    2f:db:29:2d:f0:b5:54:a9:8c:ae:ca:13:a3:51:37:
                    83:d0:47:65:ae:f2:89:b2:1d:c7:99:d3:c3:88:bd:
                    49:51:4a:e3:33:42:f4:41:93:7b:01:87:c1:a3:6d:
                    e2:f3
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                01:F6:5B:10:58:30:68:76:D1:7A:26:4E:0E:44:BE:00:AF:91:1F:24
            X509v3 Authority Key Identifier: 
                keyid:C9:DC:B1:29:8C:0F:3B:11:1D:09:D2:62:95:7D:08:D2:EA:4E:C9:64

    Signature Algorithm: sha256WithRSAEncryption
         17:a7:0c:2c:1d:5a:ae:8d:d9:41:b9:91:c4:14:59:1b:9c:21:
         5c:68:78:5e:95:64:03:79:f5:2f:39:ad:87:14:8f:11:34:c4:
         4d:a1:ef:9c:f7:88:e5:02:ac:78:44:1a:ef:dc:63:53:fc:5e:
         fd:4c:5b:fe:b2:14:02:24:fb:44:ad:6c:37:22:30:fc:b6:99:
         eb:5a:e8:a1:d8:cb:1d:ed:20:32:0e:57:ef:b5:2a:85:e1:de:
         57:80:91:48:a4:f4:63:f2:55:48:db:ad:f9:fd:fd:4a:ce:92:
         59:1d:7a:6c:51:4e:7a:22:7c:8e:0e:5e:6e:28:25:78:10:5f:
         cd:c5:33:c6:12:0c:12:57:50:4e:ec:ac:61:1c:85:5b:54:86:
         72:a1:19:6c:f0:fa:75:23:80:68:02:b8:16:bc:07:8d:5c:80:
         1d:dc:41:ba:23:e7:6a:a0:8d:34:8e:55:82:16:ce:20:1f:74:
         77:13:73:92:eb:25:93:79:db:ba:b4:6a:d2:61:28:d7:2f:ac:
         de:60:2d:88:7c:75:5c:56:6b:13:d2:84:ea:96:e4:9e:2b:37:
         d1:3a:15:48:33:a6:a0:e3:78:ae:c1:32:c3:58:7e:5a:8f:ec:
         be:7d:49:74:59:21:5a:a7:85:ca:21:1c:ee:f5:7d:42:33:d3:
         01:22:b5:76

10、驗證證書的可靠性

[[email protected] CA]#openssl verify -CAfile cacert.pem certs/app.crt 
certs/app.crt: OK

*如一個申請需頒發多個證書需更改檔案index.txt.attr為no(預設唯一)

[[email protected] CA]#cat index.txt.attr 
unique_subject = yes

11、吊銷證書

[[email protected] CA]#openssl ca -revoke  newcerts/01.pem    
Using configuration from /etc/pki/tls/openssl.cnf
Revoking Certificate 01.
Data Base Updated

*指定第一個吊銷證書的編號,注意:第一次更新證書吊銷列表前,才需要執行

echo 01 > /etc/pki/CA/crlnumber

更新證書吊銷列表

openssl ca -gencrl -out /etc/pki/CA/crl.pem

檢視crl檔案

openssl crl -in /etc/pki/CA/crl.pem -noout -text

相關推薦

Linux初級openssl建立CA頒發證書

openssl 對稱加密: 工具:openssl enc, gpg 演算法:3des, aes, blowfish, twofish 幫助:man enc 1、 加密:enc對稱演算法加密 -e加密 -des3演算法加密 -a base64編碼 -salt加鹽打亂順序 -in加

創建私有CA頒發證書

創建 私有 ca 證書申請及簽署步驟:1、生成申請請求 2、RA核驗 3、CA簽署 4、獲取證書三種策略:匹配、支持和可選 ①匹配:指要求申請填寫的信息跟CA設置信息必須一致,默認國家、省、公司信息必須一致 ②支持:指必須填寫這項申請信息,但是可以和CA信息不一致 ③可選

OpenSSL建立CA和簽發證書,轉換成java可以載入的jks

java的keytool工具本來就可以生成互動式認證的證書, 不過其他語言處理互動式認證的流程貌似和java的keytool的認證流程有些差別,  而openssl是比較通用的工具。大部分語言都會支援openssl生成的證書檔案。用openssl簽發的證書如何才能轉化為key

Linux建立私有CA頒發證書管理

name 工具 index country 證書管理 text tex 簽名證書 簽名 建立私有CA和頒發證書及管理 1. 建立私有CA 使用openssl工具實現搭建一個私有CA,打開文件/etc/pki/tls/openssl.cnf ,文件裏的內容是openssl

Linux初級ssh服務基於key驗證方法

ssh 配置檔案: /etc/ssh/ssh_config 客戶端 /etc/ssh/sshd_config 伺服器端 首次連線,系統自動會把公鑰從被連線考到發起連線主機,來做認證 /etc/ssh/ssh_host_rsa_key.pub (被連線的主機) /ro

Linux初級建立指令碼時附帶資訊模板

#!/bin/bash name=Du_shan qq=316722220 cat >$1 <<EOF #!/bin/bash #************************************************** #Author:

https學習筆記三----OpenSSL生成root CA簽發證書

open spa centos7 cisc div encrypt 自簽證書 oca led 在https學習筆記二,已經弄清了數字證書的概念,組成和在https連接過程中,客戶端是如何驗證服務器端的證書的。這一章,主要介紹下如何使用openssl庫來創建

Linux初級軟體包管理(差編譯安裝未整理)

軟體包管理 1、ABI:application binary interfac 應用程式二進位制介面,應用程式要在作業系統上執行必須符合作業系統的介面 Linux:ELF(Executable and Linkable Format) Windows:PE(Portable Executab

Linux初級gpg實現對稱加密和公鑰加密

gpg實現對稱加密 1、對檔案加密(對dushan這個檔案加密)gpg -c dushan 2、對檔案進行解密,(對生成的dushan.gpg並輸出到檔案file.txt中,注意-o選線必須在前-d在選項在後) gpg -o file.txt -d dushan.gpg gpg實

linux驅動自動建立裝置節點

在載入驅動模組後,就要自己使用mknod建立裝置節點,這樣雖然是可行的,但是比較麻煩。我們可以在__init()函式裡面新增一些函式,自動建立裝置節點。建立裝置節點使用了兩個函式 class_create()和device_create(),當然在__exit()函式裡,要使

OpenSSL 自建CA簽發證書

利用 OpenSSL 建立 CA 及自行簽發證書。 1. 建立CA目錄結構 在CA的配置檔案中,有說明預設CA的目錄。 建立預設CA下的目錄及檔案如下圖(.old檔案和.attr檔案是簽發證書後自動生成的檔案)。 其中, newcert

Linux初級Linux(centos7)安裝

一、CentOS 獲取連線地址 官網地址:https://wili.centos.org/Download 國內映象下載地址:(速度相對較快) 進入以上國內網站按照以下檔案路徑找到最新版本下載到本地 二、用VMware workstatio

Linux初級邏輯卷

LVM邏輯卷 以下為本篇中會用到的命令 pvs 檢視物理卷 pvdisplay 檢視物理卷詳細資訊 vgs 檢視卷組 vgdisplay 檢視卷

Linux初級檔案管理

檔案管理相關命令使用 linux檔案系統上的檔案型別如下: -:表示普通檔案 d:表示目錄檔案 b:表示塊裝置檔案 c:表示字元裝置檔案 l:表示軟連結檔案 p:表示管道檔案 s:表示套接字檔案 【例1】檢視檔案型別 [[email protec

openssl自建CA生成證書

檢視openssl版本 openssl version 使用openssl加密和解密檔案 加密檔案 opnessl有一個子命令enc,他可以用來加密檔案,具體引數如下: -ciphername:指定加密演算法 -in fil

Centos7建立CA和申請證書 轉自https://www.cnblogs.com/mingzhang/p/8949541.html

Centos7.3建立CA和申請證書 openssl 的配置檔案:/etc/pki/tls/openssl.cnf 重要引數配置路徑 dir   = /etc/pki/CA          &

Linux下如何頒發證書學習使用openssl搭建一個CA

這兩天學習了openssl在LInux中的使用,openssl是一款開源的加密工具,在Linux環境下,我們能夠利用它來搭建一個CA來實現證書的發放,可以用於企業內部使用的加密工具。在介紹openssl之前,首先描述一下關於“身份認證+資料加密”的實現方法原理。 如何

linux初級學習筆記九linux I/O管理,重定向管道!(視頻序號04_3)

font 運算 bsp 輸出 指令 所有 inittab tput bin 本節學習的命令:tr,tee,wc 本節學習的技能:       計算機的組成       I/O管理及重定向      管道的使用   知識點九:管理及IO重定向(4_3) 計算機組成:  

linux安全和加密篇(四)—openssl證書申請和建立CA

OpenSSL證書申請 1、PKI: Public Key Infrastructure CA            證書頒發機構 RA            證書請求機構 request CRL          2、建立私有CA: 搭建CA OpenCA

【configure】如何用automake、autoconf指令生成configure並建立自己的linux tar.gz安裝包【初級簡單建立-測試】

$ tree 2048-c/ 2048-c/ ├── 2048.c ├── 2048.h └── main.c 0 directories, 3 files 然後進入資料夾,執行autoscan生成configure.scan檔案 $ cd 2048-c/ $ ls