
                Linux Operating System Security: Common OpenSSL Commands

                                              Author: 尹正杰

    Copyright notice: original work, reproduction prohibited; violators will be held legally responsible.

    I. The OpenSSL open-source project has three components

      openssl: multi-purpose command-line tool, package openssl
      libcrypto: cryptographic algorithm library, package openssl-libs
      libssl: cryptographic module application library that implements SSL and TLS, package nss
    [root@node101.yinzhengjie.org.cn ~]# yum search openssl
    Loaded plugins: fastestmirror
    Repodata is over 2 weeks old. Install yum-cron? Or run: yum makecache fast
    Determining fastest mirrors
     * base: mirrors.huaweicloud.com
     * extras: mirrors.tuna.tsinghua.edu.cn
     * updates: mirrors.huaweicloud.com
    =========================================================================== N/S matched: openssl ===========================================================================
    apr-util-openssl.x86_64 : APR utility library OpenSSL crytpo support
    openssl-devel.i686 : Files for development of applications which will use OpenSSL
    openssl-devel.x86_64 : Files for development of applications which will use OpenSSL
    openssl-perl.x86_64 : Perl scripts provided with OpenSSL
    openssl-static.i686 : Libraries for static linking of applications which will use OpenSSL
    openssl-static.x86_64 : Libraries for static linking of applications which will use OpenSSL
    perl-Crypt-OpenSSL-Bignum.x86_64 : Perl interface to OpenSSL for Bignum
    perl-Crypt-OpenSSL-RSA.x86_64 : Perl interface to OpenSSL for RSA
    perl-Crypt-OpenSSL-Random.x86_64 : Perl interface to OpenSSL for Random
    pyOpenSSL.x86_64 : Python wrapper module around the OpenSSL library
    pyOpenSSL-doc.noarch : Documentation for pyOpenSSL
    xmlsec1-openssl.i686 : OpenSSL crypto plugin for XML Security Library
    xmlsec1-openssl.x86_64 : OpenSSL crypto plugin for XML Security Library
    xmlsec1-openssl-devel.i686 : OpenSSL crypto plugin for XML Security Library
    xmlsec1-openssl-devel.x86_64 : OpenSSL crypto plugin for XML Security Library
    m2crypto.x86_64 : Support for using OpenSSL in python scripts
    nss_compat_ossl.i686 : Source-level compatibility library for OpenSSL to NSS porting
    nss_compat_ossl.x86_64 : Source-level compatibility library for OpenSSL to NSS porting
    openssl.x86_64 : Utilities from the general purpose cryptography library with TLS implementation
    openssl-libs.i686 : A general purpose cryptography library with TLS implementation
    openssl-libs.x86_64 : A general purpose cryptography library with TLS implementation
    openssl098e.i686 : A compatibility version of a general cryptography and TLS library
    openssl098e.x86_64 : A compatibility version of a general cryptography and TLS library
    perl-Crypt-SSLeay.x86_64 : Crypt::SSLeay - OpenSSL glue that provides LWP https support
    perl-Net-SSLeay.x86_64 : Perl extension for using OpenSSL
    qca-ossl.i686 : OpenSSL plugin for the Qt Cryptographic Architecture v2
    qca-ossl.x86_64 : OpenSSL plugin for the Qt Cryptographic Architecture v2
    
      Name and summary matches only, use "search all" for everything.
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# yum info openssl-libs
    Loaded plugins: fastestmirror
    Repodata is over 2 weeks old. Install yum-cron? Or run: yum makecache fast
    Loading mirror speeds from cached hostfile
     * base: mirrors.huaweicloud.com
     * extras: mirrors.tuna.tsinghua.edu.cn
     * updates: mirrors.huaweicloud.com
    Installed Packages
    Name        : openssl-libs
    Arch        : x86_64
    Epoch       : 1
    Version     : 1.0.2k
    Release     : 16.el7
    Size        : 3.1 M
    Repo        : installed
    From repo   : anaconda
    Summary     : A general purpose cryptography library with TLS implementation
    URL         : http://www.openssl.org/
    License     : OpenSSL
    Description : OpenSSL is a toolkit for supporting cryptography. The openssl-libs
                : package contains the libraries that are used by various applications which
                : support cryptographic algorithms and protocols.
    
    Available Packages
    Name        : openssl-libs
    Arch        : i686
    Epoch       : 1
    Version     : 1.0.2k
    Release     : 16.el7_6.1
    Size        : 994 k
    Repo        : updates/7/x86_64
    Summary     : A general purpose cryptography library with TLS implementation
    URL         : http://www.openssl.org/
    License     : OpenSSL
    Description : OpenSSL is a toolkit for supporting cryptography. The openssl-libs
                : package contains the libraries that are used by various applications which
                : support cryptographic algorithms and protocols.
    
    Name        : openssl-libs
    Arch        : x86_64
    Epoch       : 1
    Version     : 1.0.2k
    Release     : 16.el7_6.1
    Size        : 1.2 M
    Repo        : updates/7/x86_64
    Summary     : A general purpose cryptography library with TLS implementation
    URL         : http://www.openssl.org/
    License     : OpenSSL
    Description : OpenSSL is a toolkit for supporting cryptography. The openssl-libs
                : package contains the libraries that are used by various applications which
                : support cryptographic algorithms and protocols.
    
    [root@node101.yinzhengjie.org.cn ~]# 

    II. The openssl command

    1>. Checking the openssl package and its default version

    [root@node101.yinzhengjie.org.cn ~]# which openssl 
    /usr/bin/openssl
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# rpm -qf /usr/bin/openssl 
    openssl-1.0.2k-16.el7.x86_64
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# openssl version            # program version number
    OpenSSL 1.0.2k-fips  26 Jan 2017
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# openssl 
    OpenSSL> ?
    openssl:Error: '?' is an invalid command.
    
    Standard commands
    asn1parse         ca                ciphers           cms               
    crl               crl2pkcs7         dgst              dh                
    dhparam           dsa               dsaparam          ec                
    ecparam           enc               engine            errstr            
    gendh             gendsa            genpkey           genrsa            
    nseq              ocsp              passwd            pkcs12            
    pkcs7             pkcs8             pkey              pkeyparam         
    pkeyutl           prime             rand              req               
    rsa               rsautl            s_client          s_server          
    s_time            sess_id           smime             speed             
    spkac             ts                verify            version           
    x509              
    
    Message Digest commands (see the `dgst' command for more details)
    md2               md4               md5               rmd160            
    sha               sha1              
    
    Cipher commands (see the `enc' command for more details)
    aes-128-cbc       aes-128-ecb       aes-192-cbc       aes-192-ecb       
    aes-256-cbc       aes-256-ecb       base64            bf                
    bf-cbc            bf-cfb            bf-ecb            bf-ofb            
    camellia-128-cbc  camellia-128-ecb  camellia-192-cbc  camellia-192-ecb  
    camellia-256-cbc  camellia-256-ecb  cast              cast-cbc          
    cast5-cbc         cast5-cfb         cast5-ecb         cast5-ofb         
    des               des-cbc           des-cfb           des-ecb           
    des-ede           des-ede-cbc       des-ede-cfb       des-ede-ofb       
    des-ede3          des-ede3-cbc      des-ede3-cfb      des-ede3-ofb      
    des-ofb           des3              desx              idea              
    idea-cbc          idea-cfb          idea-ecb          idea-ofb          
    rc2               rc2-40-cbc        rc2-64-cbc        rc2-cbc           
    rc2-cfb           rc2-ecb           rc2-ofb           rc4               
    rc4-40            rc5               rc5-cbc           rc5-cfb           
    rc5-ecb           rc5-ofb           seed              seed-cbc          
    seed-cfb          seed-ecb          seed-ofb          zlib              
    
    OpenSSL> quit
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# openssl              # openssl also supports an interactive command-line mode

    2>. The enc command

    Symmetric encryption:
      Tools: openssl enc, gpg
      Algorithms: 3des, aes, blowfish, twofish
    [root@node101.yinzhengjie.org.cn ~]# man enc
    ENC(1)                                                                          OpenSSL                                                                          ENC(1)
    
    NAME
           enc - symmetric cipher routines
    
    SYNOPSIS
           openssl enc -ciphername [-in filename] [-out filename] [-pass arg] [-e] [-d] [-a/-base64] [-A] [-k password] [-kfile filename] [-K key] [-iv IV] [-S salt]
           [-salt] [-nosalt] [-z] [-md] [-p] [-P] [-bufsize number] [-nopad] [-debug] [-none] [-engine id]
    
    DESCRIPTION
           The symmetric cipher commands allow data to be encrypted or decrypted using various block and stream ciphers using keys based on passwords or explicitly
           provided. Base64 encoding or decoding can also be performed either by itself or in addition to the encryption or decryption.
    
    OPTIONS
           -in filename
               the input filename, standard input by default.
    
           -out filename
               the output filename, standard output by default.
    
           -pass arg
               the password source. For more information about the format of arg see the PASS PHRASE ARGUMENTS section in openssl(1).
    
           -salt
               use a salt in the key derivation routines. This is the default.
    
           -nosalt
               don't use a salt in the key derivation routines. This option SHOULD NOT be used except for test purposes or compatibility with ancient versions of OpenSSL
               and SSLeay.
    
           -e  encrypt the input data: this is the default.
    
           -d  decrypt the input data.
           -a  base64 process the data. This means that if encryption is taking place the data is base64 encoded after encryption. If decryption is set then the input data
               is base64 decoded before being decrypted.
    
           -base64
               same as -a
    
           -A  if the -a option is set then base64 process the data on one line.
    
           -k password
               the password to derive the key from. This is for compatibility with previous versions of OpenSSL. Superseded by the -pass argument.
    
           -kfile filename
               read the password to derive the key from the first line of filename.  This is for compatibility with previous versions of OpenSSL. Superseded by the -pass
               argument.
    
           -nosalt
               do not use a salt
    
           -salt
               use salt (randomly generated or provide with -S option) when encrypting (this is the default).
    
           -S salt
               the actual salt to use: this must be represented as a string of hex digits.
    
           -K key
               the actual key to use: this must be represented as a string comprised only of hex digits. If only the key is specified, the IV must additionally specified
               using the -iv option. When both a key and a password are specified, the key given with the -K option will be used and the IV generated from the password
               will be taken. It probably does not make much sense to specify both key and password.
    
           -iv IV
               the actual IV to use: this must be represented as a string comprised only of hex digits. When only the key is specified using the -K option, the IV must
               explicitly be defined. When a password is being specified using one of the other options, the IV is generated from this password.
    
           -p  print out the key and IV used.
    
           -P  print out the key and IV used then immediately exit: don't do any encryption or decryption.
    
           -bufsize number
               set the buffer size for I/O
    
           -nopad
               disable standard block padding
    
           -debug
               debug the BIOs used for I/O.
    
           -z  Compress or decompress clear text using zlib before encryption or after decryption. This option exists only if OpenSSL with compiled with zlib or zlib-
               dynamic option.
    
           -none
               Use NULL cipher (no encryption or decryption of input).
    
    NOTES
           The program can be called either as openssl ciphername or openssl enc -ciphername. But the first form doesn't work with engine-provided ciphers, because this
           form is processed before the configuration file is read and any ENGINEs loaded.
    
           Engines which provide entirely new encryption algorithms (such as ccgost engine which provides gost89 algorithm) should be configured in the configuration file.
           Engines, specified in the command line using -engine options can only be used for hadrware-assisted implementations of ciphers, which are supported by OpenSSL
           core or other engine, specified in the configuration file.
    
           When enc command lists supported ciphers, ciphers provided by engines, specified in the configuration files are listed too.
    
           A password will be prompted for to derive the key and IV if necessary.
    
           The -salt option should ALWAYS be used if the key is being derived from a password unless you want compatibility with previous versions of OpenSSL and SSLeay.
    
           Without the -salt option it is possible to perform efficient dictionary attacks on the password and to attack stream cipher encrypted data. The reason for this
           is that without the salt the same password always generates the same encryption key. When the salt is being used the first eight bytes of the encrypted data are
           reserved for the salt: it is generated at random when encrypting a file and read from the encrypted file when it is decrypted.
    
           Some of the ciphers do not have large keys and others have security implications if not used correctly. A beginner is advised to just use a strong block cipher
           in CBC mode such as bf or des3.
    
           All the block ciphers normally use PKCS#5 padding also known as standard block padding: this allows a rudimentary integrity or password check to be performed.
           However since the chance of random data passing the test is better than 1 in 256 it isn't a very good test.
    
           If padding is disabled then the input data must be a multiple of the cipher block length.
    
           All RC2 ciphers have the same key and effective key length.
    
           Blowfish and RC5 algorithms use a 128 bit key.
    
    SUPPORTED CIPHERS
           Note that some of these ciphers can be disabled at compile time and some are available only if an appropriate engine is configured in the configuration file.
           The output of the enc command run with unsupported options (for example openssl enc -help) includes a list of ciphers, supported by your versesion of OpenSSL,
           including ones provided by configured engines.
    
           The enc program does not support authenticated encryption modes like CCM and GCM. The utility does not store or retrieve the authentication tag.
    
            base64             Base 64
    
            bf-cbc             Blowfish in CBC mode
            bf                 Alias for bf-cbc
            bf-cfb             Blowfish in CFB mode
            bf-ecb             Blowfish in ECB mode
            bf-ofb             Blowfish in OFB mode
    
            cast-cbc           CAST in CBC mode
            cast               Alias for cast-cbc
            cast5-cbc          CAST5 in CBC mode
            cast5-cfb          CAST5 in CFB mode
            cast5-ecb          CAST5 in ECB mode
            cast5-ofb          CAST5 in OFB mode
    
            des-cbc            DES in CBC mode
            des                Alias for des-cbc
            des-cfb            DES in CBC mode
            des-ofb            DES in OFB mode
            des-ecb            DES in ECB mode
    
            des-ede-cbc        Two key triple DES EDE in CBC mode
            des-ede            Two key triple DES EDE in ECB mode
            des-ede-cfb        Two key triple DES EDE in CFB mode
            des-ede-ofb        Two key triple DES EDE in OFB mode
    
            des-ede3-cbc       Three key triple DES EDE in CBC mode
            des-ede3           Three key triple DES EDE in ECB mode
            des3               Alias for des-ede3-cbc
            des-ede3-cfb       Three key triple DES EDE CFB mode
            des-ede3-ofb       Three key triple DES EDE in OFB mode
    
            desx               DESX algorithm.
    
            gost89             GOST 28147-89 in CFB mode (provided by ccgost engine)
            gost89-cnt         GOST 28147-89 in CNT mode (provided by ccgost engine)
    
            idea-cbc           IDEA algorithm in CBC mode
            idea               same as idea-cbc
            idea-cfb           IDEA in CFB mode
            idea-ecb           IDEA in ECB mode
            idea-ofb           IDEA in OFB mode
    
            rc2-cbc            128 bit RC2 in CBC mode
            rc2                Alias for rc2-cbc
            rc2-cfb            128 bit RC2 in CFB mode
            rc2-ecb            128 bit RC2 in ECB mode
            rc2-ofb            128 bit RC2 in OFB mode
            rc2-64-cbc         64 bit RC2 in CBC mode
            rc2-40-cbc         40 bit RC2 in CBC mode
    
            rc4                128 bit RC4
            rc4-64             64 bit RC4
            rc4-40             40 bit RC4
    
            rc5-cbc            RC5 cipher in CBC mode
            rc5                Alias for rc5-cbc
            rc5-cfb            RC5 cipher in CFB mode
            rc5-ecb            RC5 cipher in ECB mode
            rc5-ofb            RC5 cipher in OFB mode
    
            aes-[128|192|256]-cbc  128/192/256 bit AES in CBC mode
            aes-[128|192|256]      Alias for aes-[128|192|256]-cbc
            aes-[128|192|256]-cfb  128/192/256 bit AES in 128 bit CFB mode
            aes-[128|192|256]-cfb1 128/192/256 bit AES in 1 bit CFB mode
            aes-[128|192|256]-cfb8 128/192/256 bit AES in 8 bit CFB mode
            aes-[128|192|256]-ecb  128/192/256 bit AES in ECB mode
            aes-[128|192|256]-ofb  128/192/256 bit AES in OFB mode
    
    EXAMPLES
           Just base64 encode a binary file:
    
            openssl base64 -in file.bin -out file.b64
    
           Decode the same file
    
            openssl base64 -d -in file.b64 -out file.bin
    
           Encrypt a file using triple DES in CBC mode using a prompted password:
    
            openssl des3 -salt -in file.txt -out file.des3
    
           Decrypt a file using a supplied password:
    
            openssl des3 -d -salt -in file.des3 -out file.txt -k mypassword
    
           Encrypt a file then base64 encode it (so it can be sent via mail for example) using Blowfish in CBC mode:
    
            openssl bf -a -salt -in file.txt -out file.bf
    
           Base64 decode a file then decrypt it:
    
            openssl bf -d -salt -a -in file.bf -out file.txt
    
           Decrypt some data using a supplied 40 bit RC4 key:
    
            openssl rc4-40 -in file.rc4 -out file.txt -K 0102030405
    
    BUGS
           The -A option when used with large files doesn't work properly.
    
           There should be an option to allow an iteration count to be included.
    
           The enc program only supports a fixed number of algorithms with certain parameters. So if, for example, you want to use RC2 with a 76 bit key or RC4 with an 84
           bit key you can't use this program.
    
    1.0.2k                                                                         2017-01-26                                                                        ENC(1)
    [root@node101.yinzhengjie.org.cn ~]# man enc                    # view the help page
    [root@node101.yinzhengjie.org.cn ~]# cp /etc/sysctl.conf  ./
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# ll
    total 4
    -rw-r--r-- 1 root root 735 Dec 21 09:48 sysctl.conf
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# openssl enc -e -des3 -in sysctl.conf -out my_sysctl.conf            # encrypt with the des3 symmetric cipher
    enter des-ede3-cbc encryption password:
    Verifying - enter des-ede3-cbc encryption password:
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# ll
    total 8
    -rw-r--r-- 1 root root 752 Dec 21 09:50 my_sysctl.conf
    -rw-r--r-- 1 root root 735 Dec 21 09:48 sysctl.conf
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# openssl enc -d -des3 -in my_sysctl.conf -out my_sysctl.conf.bak        # decrypt with the des3 symmetric cipher
    enter des-ede3-cbc decryption password:
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# ll
    total 12
    -rw-r--r-- 1 root root 752 Dec 21 09:50 my_sysctl.conf
    -rw-r--r-- 1 root root 735 Dec 21 09:50 my_sysctl.conf.bak
    -rw-r--r-- 1 root root 735 Dec 21 09:48 sysctl.conf
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# file my_sysctl.conf          # the file is encrypted, so it cannot be read directly; it has to be decrypted first
    my_sysctl.conf: data
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# file my_sysctl.conf.bak 
    my_sysctl.conf.bak: ASCII text
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# file sysctl.conf 
    sysctl.conf: ASCII text
    [root@node101.yinzhengjie.org.cn ~]# 
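As an added illustration (not part of the original post), the following Python reproduces what `openssl enc` in 1.0.2 does with the password and salt before any encryption happens: a salted output file starts with the 8-byte marker `Salted__` followed by the 8-byte salt, and the key and IV are derived with OpenSSL's EVP_BytesToKey (one MD5 iteration by default in 1.0.x; `-md sha256` switches the digest, and 1.1.0 made SHA-256 the default). The helper names `des3_key_iv`, `has_salt_header`, `split_salted` and `keys_for_two_files` are chosen here and are not openssl functions; the sample files are constructed.

```python
"""Added example, not from the original post: the legacy key derivation and
salt header used by `openssl enc` in OpenSSL 1.0.2 (EVP_BytesToKey, MD5, 1 round)."""
import hashlib
import os
from typing import Tuple

SALT_MAGIC = b"Salted__"   # 8-byte marker that precedes the salt in the output file
SALT_LEN = 8               # enc always uses an 8-byte salt (-S takes 16 hex digits)


def evp_bytes_to_key(password: bytes, salt: bytes, key_len: int, iv_len: int,
                     digest: str = "md5", count: int = 1) -> Tuple[bytes, bytes]:
    """OpenSSL's EVP_BytesToKey: D_1 = H(pw||salt), D_i = H(D_{i-1}||pw||salt),
    concatenated until key_len + iv_len bytes are available.  1.0.x enc uses
    MD5 with count=1 unless -md is given; the result is what -p / -P print."""
    if len(salt) not in (0, SALT_LEN):
        raise ValueError("enc uses either no salt (-nosalt) or exactly 8 salt bytes")
    material, prev = b"", b""
    while len(material) < key_len + iv_len:
        d = prev + password + salt
        for _ in range(count):
            d = hashlib.new(digest, d).digest()
        prev = d
        material += d
    return material[:key_len], material[key_len:key_len + iv_len]


def des3_key_iv(password: bytes, salt: bytes, digest: str = "md5") -> Tuple[bytes, bytes]:
    # des-ede3-cbc (what `-des3` selects): 24-byte key, 8-byte IV.  Helper name chosen here.
    return evp_bytes_to_key(password, salt, 24, 8, digest)


def has_salt_header(blob: bytes) -> bool:
    # True for files written with -salt (the default); False for -nosalt output
    return blob.startswith(SALT_MAGIC) and len(blob) >= len(SALT_MAGIC) + SALT_LEN


def split_salted(blob: bytes) -> Tuple[bytes, bytes]:
    """Return (salt, ciphertext) from an `openssl enc -salt` output file."""
    if not has_salt_header(blob):
        raise ValueError("no Salted__ header: written with -nosalt or not an enc output")
    start = len(SALT_MAGIC)
    return blob[start:start + SALT_LEN], blob[start + SALT_LEN:]


def keys_for_two_files(password: bytes, file_a: bytes, file_b: bytes) -> Tuple[bytes, bytes]:
    """Derive the DES3 key for two enc outputs made with the same password.
    With distinct salts the keys differ even though the password is the same."""
    key_a, _ = des3_key_iv(password, split_salted(file_a)[0])
    key_b, _ = des3_key_iv(password, split_salted(file_b)[0])
    return key_a, key_b


if __name__ == "__main__":
    # Constructed sample: two files "encrypted" with the same password but random salts.
    # The ciphertext bytes are placeholders; only the header layout matters here.
    pw = b"example-passphrase"   # constructed value, not the author's password
    f1 = SALT_MAGIC + os.urandom(8) + bytes(16)
    f2 = SALT_MAGIC + os.urandom(8) + bytes(16)
    k1, k2 = keys_for_two_files(pw, f1, f2)
    print("salted keys differ:", k1 != k2)
    # Without -salt there is no header and the derivation is a pure function of the password
    print("-nosalt key/iv:", [x.hex() for x in des3_key_iv(pw, b"")])
```

This header is also why the encrypted file above is 752 bytes: 735 bytes of plaintext padded to 736, plus the 16-byte header. Without `-salt` the header is absent and the same password always yields the same key and IV, which is the dictionary-attack concern the man page NOTES section raises.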

    3>. The dgst command

    One-way encryption (hashing):
      Tools: md5sum, sha1sum, sha224sum, sha256sum, openssl dgst, ...
    
    MAC:
      Message Authentication Code, an extension of one-way hashing used to guarantee the integrity of data transmitted over a network
      CBC-MAC
      HMAC: uses the md5 or sha1 algorithm
    [root@node101.yinzhengjie.org.cn ~]# man dgst 
    DGST(1)                                                                         OpenSSL                                                                         DGST(1)
    
    NAME
           dgst, sha, sha1, mdc2, ripemd160, sha224, sha256, sha384, sha512, md2, md4, md5, dss1 - message digests
    
    SYNOPSIS
           openssl dgst [-sha|-sha1|-mdc2|-ripemd160|-sha224|-sha256|-sha384|-sha512|-md2|-md4|-md5|-dss1] [-c] [-d] [-hex] [-binary] [-r] [-non-fips-allow] [-out
           filename] [-sign filename] [-keyform arg] [-passin arg] [-verify filename] [-prverify filename] [-signature filename] [-hmac key] [-non-fips-allow]
           [-fips-fingerprint] [file...]
    
           openssl [digest] [...]
    
    DESCRIPTION
           The digest functions output the message digest of a supplied file or files in hexadecimal.  The digest functions also generate and verify digital signatures
           using message digests.
    
    OPTIONS
           -c  print out the digest in two digit groups separated by colons, only relevant if hex format output is used.
    
           -d  print out BIO debugging information.
    
           -hex
               digest is to be output as a hex dump. This is the default case for a "normal" digest as opposed to a digital signature.  See NOTES below for digital
               signatures using -hex.
    
           -binary
               output the digest or signature in binary form.
    
           -r  output the digest in the "coreutils" format used by programs like sha1sum.
    
           -non-fips-allow
               Allow use of non FIPS digest when in FIPS mode.  This has no effect when not in FIPS mode.
    
           -out filename
               filename to output to, or standard output by default.
    
           -sign filename
               digitally sign the digest using the private key in "filename".
    
           -keyform arg
               Specifies the key format to sign digest with. The DER, PEM, P12, and ENGINE formats are supported.
    
           -engine id
               Use engine id for operations (including private key storage).  This engine is not used as source for digest algorithms, unless it is also specified in the
               configuration file.
    
           -sigopt nm:v
               Pass options to the signature algorithm during sign or verify operations.  Names and values of these options are algorithm-specific.
    
           -passin arg
               the private key password source. For more information about the format of arg see the PASS PHRASE ARGUMENTS section in openssl(1).
    
           -verify filename
               verify the signature using the the public key in "filename".  The output is either "Verification OK" or "Verification Failure".
    
           -prverify filename
               verify the signature using the  the private key in "filename".
    
           -signature filename
               the actual signature to verify.
    
           -hmac key
               create a hashed MAC using "key".
    
           -mac alg
               create MAC (keyed Message Authentication Code). The most popular MAC algorithm is HMAC (hash-based MAC), but there are other MAC algorithms which are not
               based on hash, for instance gost-mac algorithm, supported by ccgost engine. MAC keys and other options should be set via -macopt parameter.
           -macopt nm:v
               Passes options to MAC algorithm, specified by -mac key.  Following options are supported by both by HMAC and gost-mac:
    
               key:string
                       Specifies MAC key as alphnumeric string (use if key contain printable characters only). String length must conform to any restrictions of the MAC
                       algorithm for example exactly 32 chars for gost-mac.
    
               hexkey:string
                       Specifies MAC key in hexadecimal form (two hex digits per byte).  Key length must conform to any restrictions of the MAC algorithm for example
                       exactly 32 chars for gost-mac.
    
           -rand file(s)
               a file or files containing random data used to seed the random number generator, or an EGD socket (see RAND_egd(3)).  Multiple files can be specified
               separated by a OS-dependent character.  The separator is ; for MS-Windows, , for OpenVMS, and : for all others.
    
           -non-fips-allow
               enable use of non-FIPS algorithms such as MD5 even in FIPS mode.
    
           -fips-fingerprint
               compute HMAC using a specific key for certain OpenSSL-FIPS operations.
    
           file...
               file or files to digest. If no files are specified then standard input is used.
    
    EXAMPLES
           To create a hex-encoded message digest of a file:
            openssl dgst -md5 -hex file.txt
    
           To sign a file using SHA-256 with binary file output:
            openssl dgst -sha256 -sign privatekey.pem -out signature.sign file.txt
    
           To verify a signature:
            openssl dgst -sha256 -verify publickey.pem \
            -signature signature.sign \
            file.txt
    
    NOTES
           The digest of choice for all new applications is SHA1. Other digests are however still widely used.
    
           When signing a file, dgst will automatically determine the algorithm (RSA, ECC, etc) to use for signing based on the private key's ASN.1 info.  When verifying
           signatures, it only handles the RSA, DSA, or ECDSA signature itself, not the related data to identify the signer and algorithm used in formats such as x.509,
           CMS, and S/MIME.
    
           A source of random numbers is required for certain signing algorithms, in particular ECDSA and DSA.
    
           The signing and verify options should only be used if a single file is being signed or verified.
    
           Hex signatures cannot be verified using openssl.  Instead, use "xxd -r" or similar program to transform the hex signature into a binary signature prior to
           verification.
    
    1.0.2k                                                                         2017-01-26                                                                       DGST(1)
    [root@node101.yinzhengjie.org.cn ~]# man dgst                    # view the help page
    [root@node101.yinzhengjie.org.cn ~]# cp /etc/fstab ./
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# ll
    total 4
    -rw-r--r-- 1 root root 541 Dec 21 09:54 fstab
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# openssl dgst -md5 fstab           # use the md5 one-way hash algorithm; a hash digest is obtained very quickly
    MD5(fstab)= 964ddd7a410b74512ea8dfaa11ac5157
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# md5sum fstab 
    964ddd7a410b74512ea8dfaa11ac5157  fstab
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# 

    4>. Generating user password hashes

    [root@node101.yinzhengjie.org.cn ~]# man sslpasswd
    PASSWD(1)                                                                       OpenSSL                                                                       PASSWD(1)
    
    NAME
           passwd - compute password hashes
    
    SYNOPSIS
           openssl passwd [-crypt] [-1] [-apr1] [-salt string] [-in file] [-stdin] [-noverify] [-quiet] [-table] {password}
    
    DESCRIPTION
           The passwd command computes the hash of a password typed at run-time or the hash of each password in a list.  The password list is taken from the named file for
           option -in file, from stdin for option -stdin, or from the command line, or from the terminal otherwise.  The Unix standard algorithm crypt and the MD5-based
           BSD password algorithm 1 and its Apache variant apr1 are available.
    
    OPTIONS
           -crypt
               Use the crypt algorithm (default).
    
           -1  Use the MD5 based BSD password algorithm 1.
    
           -apr1
               Use the apr1 algorithm (Apache variant of the BSD algorithm).
    
           -salt string
               Use the specified salt.  When reading a password from the terminal, this implies -noverify.
    
           -in file
               Read passwords from file.
    
           -stdin
               Read passwords from stdin.
    
           -noverify
               Don't verify when reading a password from the terminal.
    
    
           -quiet
               Don't output warnings when passwords given at the command line are truncated.
    
           -table
               In the output list, prepend the cleartext password and a TAB character to each password hash.
    
    EXAMPLES
           openssl passwd -crypt -salt xx password prints xxj31ZMTZzkVA.
    
           openssl passwd -1 -salt xxxxxxxx password prints $1$xxxxxxxx$UYCIxa628.9qXjpQCjM4a..
    
           openssl passwd -apr1 -salt xxxxxxxx password prints $apr1$xxxxxxxx$dxHfLAsjHkDRmG83UXe8K0.
    
    1.0.2k                                                                         2017-01-26                                                                     PASSWD(1)
    [root@node101.yinzhengjie.org.cn ~]# openssl passwd -1            # I entered "yinzhengjie" here and got the following hash
    Password: 
    Verifying - Password: 
    $1$IetQRS9t$hoCuehrhgRASJxU08nQBE.
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# openssl passwd -1            #Here I typed "yinzhengjie" again and got a different hash, shown below. Surprising, isn't it? The same password gives a different result! That is because we did not specify a salt, so a random one is used by default
    Password: 
    Verifying - Password: 
    $1$VsdAqm1E$2aQXCaV7SSu8gCl9YitHI.
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# openssl passwd -1 -salt "IetQRS9t"    #The salt given here is the one highlighted in red above; hashing with a specified salt and the same password gives the same result
    Password: 
    $1$IetQRS9t$hoCuehrhgRASJxU08nQBE.
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# openssl passwd -1 -salt "VsdAqm1E"    #This confirms again that with the same salt and the same password, the result is identical.
    Password: 
    $1$VsdAqm1E$2aQXCaV7SSu8gCl9YitHI.
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# 

    5>. Generating random numbers

    Syntax:
      openssl rand -base64|-hex NUM
      NUM:
        the number of bytes; with -hex each output character is one hex digit (4 bits), so NUM*2 characters are printed
    [root@node101.yinzhengjie.org.cn ~]# man sslrand
    
    
    
    RAND(1)                                                                         OpenSSL                                                                         RAND(1)
    
    NAME
           rand - generate pseudo-random bytes
    
    SYNOPSIS
           openssl rand [-out file] [-rand file(s)] [-base64] [-hex] num
    
    DESCRIPTION
           The rand command outputs num pseudo-random bytes after seeding the random number generator once.  As in other openssl command line tools, PRNG seeding uses the
           file $HOME/.rnd or .rnd in addition to the files given in the -rand option.  A new $HOME/.rnd or .rnd file will be written back if enough seeding was obtained
           from these sources.
    
    OPTIONS
           -out file
               Write to file instead of standard output.
    
           -rand file(s)
               Use specified file or files or EGD socket (see RAND_egd(3)) for seeding the random number generator.  Multiple files can be specified separated by a OS-
               dependent character.  The separator is ; for MS-Windows, , for OpenVMS, and : for all others.
    
           -base64
               Perform base64 encoding on the output.
    
           -hex
               Show the output as a hex string.
    
    SEE ALSO
           RAND_bytes(3)
    
    1.0.2k                                                                         2017-01-26                                                                       RAND(1)
    [root@node101.yinzhengjie.org.cn ~]# openssl rand  -hex 6
    3c3f702525c1
    [root@node101.yinzhengjie.org.cn ~]# openssl rand  -hex 6
    5da7fe82a1d6
    [root@node101.yinzhengjie.org.cn ~]# openssl rand  -hex 6
    2064b6e40f46
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# openssl rand -base64 6
    cno1an+B
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# openssl rand -base64 6
    k1KMD3+N
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# openssl rand -base64 6
    yCMifZfM
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# openssl rand  -hex 9
    18c1541b7e4f63cb44
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# openssl rand -base64 9
    WS7G4KPNu0Jt
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# 

    6>. Generating key pairs

    Public-key encryption:
      Algorithms:
        RSA, ELGamal
      Tools:
        gpg, openssl rsautl (man rsautl)
    Digital signatures:
      Algorithms:
        RSA, DSA, ELGamal
    Key exchange:
      Algorithm:
        dh
    DSA:
      Digital Signature Algorithm
    DSS:
      Digital Signature Standard
    RSA:
    [root@node101.yinzhengjie.org.cn ~]# man genrsa
    GENRSA(1)                                                                       OpenSSL                                                                       GENRSA(1)
    
    NAME
           genrsa - generate an RSA private key
    
    SYNOPSIS
           openssl genrsa [-out filename] [-passout arg] [-aes128] [-aes192] [-aes256] [-camellia128] [-camellia192] [-camellia256] [-des] [-des3] [-idea] [-f4] [-3]
           [-rand file(s)] [-engine id] [numbits]
    
    DESCRIPTION
           The genrsa command generates an RSA private key.
    
    OPTIONS
           -out filename
               the output filename. If this argument is not specified then standard output is used.
    
           -passout arg
               the output file password source. For more information about the format of arg see the PASS PHRASE ARGUMENTS section in openssl(1).
    
           -aes128|-aes192|-aes256|-camellia128|-camellia192|-camellia256|-des|-des3|-idea
               These options encrypt the private key with specified cipher before outputting it. If none of these options is specified no encryption is used. If encryption
               is used a pass phrase is prompted for if it is not supplied via the -passout argument.
    
           -F4|-3
               the public exponent to use, either 65537 or 3. The default is 65537.
    
           -rand file(s)
               a file or files containing random data used to seed the random number generator, or an EGD socket (see RAND_egd(3)).  Multiple files can be specified
               separated by a OS-dependent character.  The separator is ; for MS-Windows, , for OpenVMS, and : for all others.
    
           -engine id
               specifying an engine (by its unique id string) will cause genrsa to attempt to obtain a functional reference to the specified engine, thus initialising it
               if needed. The engine will then be set as the default for all available algorithms.
    
           numbits
               the size of the private key to generate in bits. This must be the last option specified. The default is 512.
    
    NOTES
           RSA private key generation essentially involves the generation of two prime numbers. When generating a private key various symbols will be output to indicate
           the progress of the generation. A . represents each number which has passed an initial sieve test, + means a number has passed a single round of the Miller-
           Rabin primality test. A newline means that the number has passed all the prime tests (the actual number depends on the key size).
    
           Because key generation is a random process the time taken to generate a key may vary somewhat.
    
    BUGS
           A quirk of the prime generation algorithm is that it cannot generate small primes. Therefore the number of bits should not be less that 64. For typical private
           keys this will not matter because for security reasons they will be much larger (typically 1024 bits).
    
    SEE ALSO
           gendsa(1)
    
    1.0.2k                                                                         2017-01-26                                                                     GENRSA(1)
    [root@node101.yinzhengjie.org.cn ~]# mkdir ssl && cd ssl
    [root@node101.yinzhengjie.org.cn ~/ssl]# 
    [root@node101.yinzhengjie.org.cn ~/ssl]# (umask 066;openssl genrsa -out test.key 1024)    
    Generating RSA private key, 1024 bit long modulus
    .................++++++
    ..........++++++
    e is 65537 (0x10001)
    [root@node101.yinzhengjie.org.cn ~/ssl]# 
    [root@node101.yinzhengjie.org.cn ~/ssl]# ll
    total 4
    -rw------- 1 root root 887 Dec 21 10:22 test.key
    [root@node101.yinzhengjie.org.cn ~/ssl]# 
    [root@node101.yinzhengjie.org.cn ~/ssl]# 
    [root@node101.yinzhengjie.org.cn ~/ssl]# (umask 066;openssl genrsa -out test2.key -des3 1024)
    Generating RSA private key, 1024 bit long modulus
    ..............................................++++++
    ......++++++
    e is 65537 (0x10001)
    Enter pass phrase for test2.key:
    Verifying - Enter pass phrase for test2.key:
    [root@node101.yinzhengjie.org.cn ~/ssl]# 
    [root@node101.yinzhengjie.org.cn ~/ssl]# ll
    total 8
    -rw------- 1 root root 963 Dec 21 10:23 test2.key
    -rw------- 1 root root 887 Dec 21 10:22 test.key
    [root@node101.yinzhengjie.org.cn ~/ssl]# 
    [root@node101.yinzhengjie.org.cn ~/ssl]# cat test.key 
    -----BEGIN RSA PRIVATE KEY-----
    MIICXQIBAAKBgQC7n9G30qtd+8kr4Z4lFskT5aS+6/7DYr10k9TI+fgbWBpRbsnc
    wPPQV+YVMn12KYtVoglgIAbDeRTfygS4q8NFqk9kYRKRlzcBIsVkem5I5P5BM9y0
    2CaYZDohwOniTK5yc886EjBkvTCcglWo2oCcUdjN8+4ZoQaauoK6T0K72QIDAQAB
    AoGAcpM9SWkf9wusJNzpazLH5huliGWrNPvWQBuKpJRpm6EoqTPjl6hI+6DBw44K
    qZ7jFI8X9Jh6KOKHCcZfLbrOSm/KMjjVsb/3YCG174wyI+U7RCqWU/xH8FMhmOeG
    LlSJIycwOnWq6CGDOsmWyhbepYX3+uoucIHU3qxUG1/p+FECQQDi6CXV0/bmBb6O
    2odsgY047m5Q35tFR1ZrzhTJ1ZNfwaizFbfl0Mt4Fstm8Ie3dQAp3HjR+686NXNc
    M6VN5QklAkEA065JDAj6PAzHhmnn0bCG/k8NUii9ksUuXT8WotdmgVzIUWHbiPtO
    mws3v6nbZYBy0tSSX34/itpwQB5Agj5LpQJBAL7DoZuF2ttEFRMQ0i39NPeaLRC9
    DVNPSG7WEVAmyQIGVIhLSBJkWcuajmL68X7hVMPc4Y7YZFcxvMzVdrJoTikCQQC6
    jHHbpV3B5hFAp7yg001keQ5oRXcsDZHao2qzf9jaUIZJElCC29ZeVPiAdJThUt3e
    Z2/HsF8XY4JhP0figDvxAkAcszHvpgCIV+831m8kv4XrXLL2yMqqALV8CzAXBtWX
    X8gZ+pbI4yC+QfMg4Hj2h4HRPN/qRfs3zkeinsnhGZ0Y
    -----END RSA PRIVATE KEY-----
    [root@node101.yinzhengjie.org.cn ~/ssl]# 
    [root@node101.yinzhengjie.org.cn ~/ssl]# cat test.key          #the private key is not encrypted
    [root@node101.yinzhengjie.org.cn ~/ssl]# cat test2.key 
    -----BEGIN RSA PRIVATE KEY-----
    Proc-Type: 4,ENCRYPTED
    DEK-Info: DES-EDE3-CBC,A10A88A3A65686C4
    
    g2uwaR6TgLObrkEAz/VNGzWhmH4IHd3XHceYnP8M0ReMARjk/keiATkQ1MmBY++M
    dP+f77+g/u3Oq8SbqqJNwBKHC+rZeWjcRI0nDJ7gcDtxxq0VsAno6aUeRxRt5xrV
    HsjoohpVjty9K0/ioE7y69JcYaxhuGotvxmReKWoL8DKvo73EJh5ZP/wMNNBtl7w
    8Xh4SD/QqsmJ8HLX/O0rmo2INT8ahvHrhBA4cnAvnjqjPpt8BJbhYZakDbG3pAg6
    abd9o6X0Tr3jWI9YxV8KkXZTpIsmbL4lhWE2pdLafDDDCd+zoVTbrRbA9vm76A1+
    Jl0mX1ndl5DwC/S6gs4pW2EQX99tmWad/xYMVpB1j3UdBRsi+1LG8oFS0ngStGxv
    RjNl1zGPUhm226SnM5P2Urj2X7TiwRQbLirqI0iJlELhvK8AVAsG2UWPpy1B8y4p
    2Gkvu9l4YDBP3iH5OsctzI14aU3NWTRhUUNwVZZbRo+YfjQ6bDx6/8ZUf9iNYGQW
    vlbuXLl3/SzaDjhoigXke5JxH31cN4IbQMbhzCZP5uemYaFdcPRSKGt5hyIj/Uxj
    moZHfyk21pCtiCV2KipK8hOjXXJmu1yvtrvmtbg7mKiE4wt2G7qTeVFSN/KwF6kf
    TJnPonWgqliaO20bg3a0nNgmpkdb/qKmj1xt7HCDQt+xVM98JFVPfuFtcjhDi75L
    5BQ+Qt0IXVh1QkSvaB4QdU4ZICozX5cJYWO1EPBvuqOr2BL8bFapAvsADZRaXP+b
    wuUVHkUc7+vCzFyvNaorVKQFB0+TBJYib6ycjpCRxqY5AcqcY9HHWQ==
    -----END RSA PRIVATE KEY-----
    [root@node101.yinzhengjie.org.cn ~/ssl]# 
    [root@node101.yinzhengjie.org.cn ~/ssl]# cat test2.key          #the private key is encrypted with des3
    [root@node101.yinzhengjie.org.cn ~/ssl]# openssl rsa -in test2.key -out test2.bak.key 
    Enter pass phrase for test2.key:
    writing RSA key
    [root@node101.yinzhengjie.org.cn ~/ssl]# 
    [root@node101.yinzhengjie.org.cn ~/ssl]# ll
    total 12
    -rw-r--r-- 1 root root 887 Dec 21 10:28 test2.bak.key
    -rw------- 1 root root 963 Dec 21 10:23 test2.key
    -rw------- 1 root root 887 Dec 21 10:24 test.key
    [root@node101.yinzhengjie.org.cn ~/ssl]# 
    [root@node101.yinzhengjie.org.cn ~/ssl]# cat test2.bak.key 
    -----BEGIN RSA PRIVATE KEY-----
    MIICXQIBAAKBgQC0X5rHhleCbl3XxD8ygpOHtXCTADc8eJIvigc0pUqGFJGBAlHq
    I/GMho1SvDYDKO7zxhztd6h807wQiRmmr9gCExJButPJENmZ4CJcbguVjVnySMxc
    3Tm8JQiGerMsP654bh0+yYEwPnAqFHC8Ca9mxJLmtNokDSKP78e9LDYt8QIDAQAB
    AoGAbIgiT/BL85WJLe1NwYzETKImLK2yjtZVz/kTwN+8adUygBfvRh1+mHnVy3So
    Y1pb/Z61hUW8we99d82m+59PL1zZf/aQ1FBgfiyv8WXEnWsEs8J1PpvlDKfGr9X4
    3KqEd8KnHHnrFI0sRXwk9AK3IFce3L7jCqpztlrG35R9eukCQQDpyhtBcW7KJtYW
    pQHk3NOO0pLD6Lf/Re38e+SBuc2ijvpDpt+ZEAPl6hkkTVJDcczlTucNQE7O3vwN
    V/Tsb3AvAkEAxYJj1bTOeP3zLtb+IfLyc64ciqJuzvIF4RC0o4y3uZ1rjYxpLhT5
    CFFjDq+pjXSX3vwzFbebiKvU6rMFyHmb3wJBAJlGlz39t4wzkBMClc5NdSpjJjPp
    JJDpcREizPq8LXSRVsT56Ai69kNLirZBN1jeiF4ir9sBOWnpyciZzQsiOKMCQC8n
    zWw1ieJLR2dUf0JdvdMuq7PRykDwecTddzNhInBXjFk0P9x3t2lr/QmBmSqjvqrH
    be7uclz0IZaTfXr6xeMCQQCoQ9cgHu8SPQIXXXNrwuwlHmHqs4dURNLa6jJycsLQ
    xIYVn3x5vl1mywwalMFQRzu4PWwydDHFosfAUpOSMZ0z
    -----END RSA PRIVATE KEY-----
    [root@node101.yinzhengjie.org.cn ~/ssl]# 
    [root@node101.yinzhengjie.org.cn ~/ssl]# 
    [root@node101.yinzhengjie.org.cn ~/ssl]# openssl rsa -in test2.key -out test2.bak.key        #decrypt the encrypted private key
    [root@node101.yinzhengjie.org.cn ~/ssl]# 
    [root@node101.yinzhengjie.org.cn ~/ssl]# cd /etc/pki/tls/certs/
    [root@node101.yinzhengjie.org.cn /etc/pki/tls/certs]# 
    [root@node101.yinzhengjie.org.cn /etc/pki/tls/certs]# ll
    total 12
    lrwxrwxrwx. 1 root root   49 Jul  8 16:23 ca-bundle.crt -> /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
    lrwxrwxrwx. 1 root root   55 Jul  8 16:23 ca-bundle.trust.crt -> /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt
    -rwxr-xr-x. 1 root root  610 Oct 31  2018 make-dummy-cert
    -rw-r--r--. 1 root root 2516 Oct 31  2018 Makefile
    -rwxr-xr-x. 1 root root  829 Oct 31  2018 renew-dummy-cert
    [root@node101.yinzhengjie.org.cn /etc/pki/tls/certs]# 
    [root@node101.yinzhengjie.org.cn /etc/pki/tls/certs]# make ~/ssl/test100.key      #after changing into "/etc/pki/tls/certs", make can generate an encrypted private key, because that directory contains a Makefile
    umask 77 ; 
    /usr/bin/openssl genrsa -aes128 2048 > /root/ssl/test100.key
    Generating RSA private key, 2048 bit long modulus
    .....................................................+++
    ...........................................................+++
    e is 65537 (0x10001)
    Enter pass phrase:
    Verifying - Enter pass phrase:
    [root@node101.yinzhengjie.org.cn /etc/pki/tls/certs]# 
    [root@node101.yinzhengjie.org.cn /etc/pki/tls/certs]# ll ~/ssl/test100.key 
    -rw------- 1 root root 1766 Dec 21 10:31 /root/ssl/test100.key
    [root@node101.yinzhengjie.org.cn /etc/pki/tls/certs]# 
    [root@node101.yinzhengjie.org.cn /etc/pki/tls/certs]# cat ~/ssl/test100.key 
    -----BEGIN RSA PRIVATE KEY-----
    Proc-Type: 4,ENCRYPTED
    DEK-Info: AES-128-CBC,72305F310C826FAD49FF9DF021894C36
    
    zs69lfGhV8a/GF6h6EJTKoBvCKSHs0Dn3jubW0FNUrh0IFC/RSn+Yhu2TWPdMp/j
    3wZUbNYj8RTJ43yIfsoWTuBgTU1zlL2e1aTR5YO8VpfPHBT4hh5xnq9QWCTRPzk2
    +FS2kpj/Iod3qmnOA2L8D00QMAQrc2anJYAJV8mQaRNfFaTw4Ka8zttgI6DiO6Pk
    WYlPaD6e4EJkfUZF6kTm0CrUlRK+RRPoz4RzzBj33tXGxOCV4d6n0n2X07RnbRuE
    Vayigy0p1jnW2ovC/IXWp13zYNXA4nWMqtljuqRN8ovrFdxY8DGkkUgPvYGQtKPZ
    EfaIBctvgQtDrmmeOtcGLARoqGzTESPC5mzlMtU9Hc+UJnQZ87r/SUDhfrjWWC2m
    4hmPzGaNcNjlW3zEs9jATnHjeHcAwvu1jGrhgGgrno2xsQv3eJzILRV7BQP5myiS
    wl6whWB4SW5D/U5BHouM82Y4QJ6SX3MI3rG1PQ8M3dtyg9Miou5cVSbIF8BXBW7n
    cfVjI7/B1HVQ4NIO89Sv15+fr+PGf46o2Ig8axep287itInEBZjCsmgLN0x9cC6T
    W0P8NwjIXdrBOtCnuLxrlhrU2s0c2XfH4+Pal65QUkOWizLK88Y1RkLLXmGDb09D
    1LYVcz2A2uM75Yh4zrFLtvJla/An/Qu9jvKGbgL7plB1dSSz4ajyeyYCnnM13A31
    jmi2CmwAxJwTEbUSzCFtcGVCL7kvd7ETtnKZLgwAgXuEy3mxHu0aNYN2blc5222w
    j19MLYBmbN4rd/Remhk2Y9vsBtygSJRNVoOEVEcnz4u12vsPIUO6HgAVbAARRXOK
    rqaZD8+2qZxZq/um3pSt1VNufg66NIcP5f4Uww+F6AqC5XqOvCvoPxbqcqAEbxP/
    wigmsPiqagfnpv/rtKArY/sHcpLeSUOrNGd6bDt7rVDY7zZdjgMmLbhxoaNCD8M3
    CpFYhVEGH9A0hzY8KO+O/XZEMqwbsq1rMyjPQ2Rpz1CjpGG7/gVbPVlv7OoBEEqy
    FvsP1v97kNG4SSFhAgIQdRsYKsSrM6Fj1k9BB0XVKGQK34o3r2WB9k2/IpYHZvPI
    qam8LCFLI150L315gJJVKk453ZklQVKpZoI7voX4FG9x3XPuYKpywsjf/y/ErMpG
    g52seo7igYHj5u63fbgpHGJRGpNAeMhKCxvXOkCUjl8e0OyowdpRmt61HVkHARae
    q/BC+AX4KmOYEeHfytPe9vB74xERWy86wHGa6KU3IqcVWh/sWsTrDEuhwO0Kl3dD
    6Trrw85PCv3l6NpU9I06sI2roNrtCPYXXMYPVcrmbnAxS2tpoqmevXrjf1cDocCl
    1Bd2vdjIdYT92H3cB9My0RpgLb2cqPMP6GtjitJAIGWVmTPixcQsFjRpyhthuddX
    DauxAzZh6X/DtjjeIPNXCkYnck6xWz8vU+fqr6kd1AXLyDA0MUJr8YuEXGn7SlFK
    S9TgZY22S3waLHfVEBNp/u6m4b/BO4ZeSzqAu4cRfmFH7Lw49pRQebTPEOMchfO2
    uZMvNYYiyjqwk00PcKBcX/yJHJyD/uUJ+yj2MGftUWBUY4elPUZ6EKLMSEPjf6SA
    -----END RSA PRIVATE KEY-----
    [root@node101.yinzhengjie.org.cn /etc/pki/tls/certs]# 
    [root@node101.yinzhengjie.org.cn /etc/pki/tls/certs]# make ~/ssl/test100.key   #after changing into "/etc/pki/tls/certs", make can generate an encrypted private key, because that directory contains a Makefile
    [root@node101.yinzhengjie.org.cn ~/ssl]# ll
    total 16
    -rw------- 1 root root 1766 Dec 21 10:31 test100.key
    -rw-r--r-- 1 root root  887 Dec 21 10:28 test2.bak.key
    -rw------- 1 root root  963 Dec 21 10:23 test2.key
    -rw------- 1 root root  887 Dec 21 10:24 test.key
    [root@node101.yinzhengjie.org.cn ~/ssl]# 
    [root@node101.yinzhengjie.org.cn ~/ssl]# openssl rsa -in test100.key -pubout -out test100.pubkey       #export the public key from the private key; if the private key has a pass phrase it must be entered before the public key file is written
    Enter pass phrase for test100.key:
    writing RSA key
    [root@node101.yinzhengjie.org.cn ~/ssl]# 
    [root@node101.yinzhengjie.org.cn ~/ssl]# ll
    total 20
    -rw------- 1 root root 1766 Dec 21 10:31 test100.key
    -rw-r--r-- 1 root root  451 Dec 21 10:35 test100.pubkey
    -rw-r--r-- 1 root root  887 Dec 21 10:28 test2.bak.key
    -rw------- 1 root root  963 Dec 21 10:23 test2.key
    -rw------- 1 root root  887 Dec 21 10:24 test.key
    [root@node101.yinzhengjie.org.cn ~/ssl]# 
    [root@node101.yinzhengjie.org.cn ~/ssl]# 
    [root@node101.yinzhengjie.org.cn ~/ssl]# openssl rsa -in test.key -pubout -out test.pubkey         #if the private key file has no pass phrase, the public key can be exported directly
    writing RSA key
    [root@node101.yinzhengjie.org.cn ~/ssl]# 
    [root@node101.yinzhengjie.org.cn ~/ssl]# ll
    total 24
    -rw------- 1 root root 1766 Dec 21 10:31 test100.key
    -rw-r--r-- 1 root root  451 Dec 21 10:35 test100.pubkey
    -rw-r--r-- 1 root root  887 Dec 21 10:28 test2.bak.key
    -rw------- 1 root root  963 Dec 21 10:23 test2.key
    -rw------- 1 root root  887 Dec 21 10:24 test.key
    -rw-r--r-- 1 root root  272 Dec 21 10:36 test.pubkey
    [root@node101.yinzhengjie.org.cn ~/ssl]# 
    [root@node101.yinzhengjie.org.cn ~/ssl]# 
    [root@node101.yinzhengjie.org.cn ~/ssl]# cat test100.pubkey 
    -----BEGIN PUBLIC KEY-----
    MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtt0fSFIhcbLMrObFw1nf
    rp4HnL8s72RxtIKIrf0rEVRsgHt5AaW/wUFzeIn8nN0xrPwAwJFg2lNj+xBapXxu
    61UU1CkLGblpdn1G+/eWWGsgkEw14UCg79Ifc5FLuaStraBOjAEYpXB5ge+KcFXE
    IIULBUhBlmgzwXNFIM47ucy484JiwD4dXr3YTDRxWeVs0LMST3RmSJb5rq/ZnZJQ
    n3t+wHfrUH8uoHnSpOaWrrLwGxdrNws8jUXFDv+T+63B8QGXjlQFEgs+sxyUo2n1
    WO/9Sgop0CvSegjofKBD5bxVJsbrUAkYVD1sXEWhYb6juDLROECtxTfxV78evnW1
    IwIDAQAB
    -----END PUBLIC KEY-----
    [root@node101.yinzhengjie.org.cn ~/ssl]# 
    [root@node101.yinzhengjie.org.cn ~/ssl]# cat test.pubkey 
    -----BEGIN PUBLIC KEY-----
    MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC7n9G30qtd+8kr4Z4lFskT5aS+
    6/7DYr10k9TI+fgbWBpRbsncwPPQV+YVMn12KYtVoglgIAbDeRTfygS4q8NFqk9k
    YRKRlzcBIsVkem5I5P5BM9y02CaYZDohwOniTK5yc886EjBkvTCcglWo2oCcUdjN
    8+4ZoQaauoK6T0K72QIDAQAB
    -----END PUBLIC KEY-----
    [root@node101.yinzhengjie.org.cn ~/ssl]# 
    [root@node101.yinzhengjie.org.cn ~/ssl]# 
    [root@node101.yinzhengjie.org.cn ~/ssl]# openssl rsa -in test100.key -pubout -out test100.pubkey       #export the public key from the private key; if the private key has a pass phrase it must be entered before the public key file is written
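The key files above differ only in their PEM headers (test.key has none, test2.key carries `DEK-Info: DES-EDE3-CBC,...`, test100.key `DEK-Info: AES-128-CBC,...`), and the decrypted test2.bak.key came out 0644 because `openssl rsa -out` was not wrapped in `umask 066`. The following added Python example, not code from the original post or from OpenSSL, parses those headers and reports unencrypted private keys, legacy ciphers and over-permissive file modes; the sample PEM texts are constructed from the header lines shown above with their base64 bodies truncated to a placeholder.

```python
import os
import re
import stat
from typing import List, Optional

# Block ciphers openssl 1.0.x can write into DEK-Info that are considered legacy today
LEGACY_CIPHERS = {"DES-CBC", "DES-EDE3-CBC", "IDEA-CBC"}

PEM_RE = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\r?\n(?P<body>.*?)-----END (?P=label)-----", re.S)


class PemInfo:
    def __init__(self, label: str, encrypted: bool, cipher: Optional[str]):
        self.label = label                      # "RSA PRIVATE KEY" (PKCS#1) or "PUBLIC KEY" (SPKI)
        self.private = "PRIVATE KEY" in label
        self.encrypted = encrypted              # True when "Proc-Type: 4,ENCRYPTED" is present
        self.cipher = cipher                    # e.g. "DES-EDE3-CBC", taken from DEK-Info
        self.legacy_cipher = cipher in LEGACY_CIPHERS


def inspect_pem(text: str) -> PemInfo:
    """Parse the first PEM block and its encapsulated headers (Proc-Type, DEK-Info)."""
    m = PEM_RE.search(text)
    if not m:
        raise ValueError("no PEM block found")
    headers = {}
    body = m.group("body")
    # Headers, when present, precede the base64 body and are terminated by a blank line
    if "\n\n" in body:
        for line in body.split("\n\n", 1)[0].splitlines():
            key, _, value = line.partition(":")
            headers[key.strip()] = value.strip()
    encrypted = headers.get("Proc-Type", "").endswith("ENCRYPTED")
    cipher = headers["DEK-Info"].split(",")[0] if "DEK-Info" in headers else None
    return PemInfo(m.group("label"), encrypted, cipher)


def audit_key(text: str, mode: int) -> List[str]:
    """Findings for one key given its PEM text and permission bits (empty list = fine)."""
    info = inspect_pem(text)
    findings = []
    if not info.private:
        return findings                         # public keys are meant to be readable
    if not info.encrypted:
        findings.append("private key is not pass-phrase protected")
    elif info.legacy_cipher:
        findings.append("private key is encrypted with legacy cipher %s" % info.cipher)
    if mode & 0o077:
        findings.append("file mode %04o is readable by group/other, expected 0600" % mode)
    return findings


def audit_key_file(path: str) -> List[str]:
    with open(path) as f:
        text = f.read()
    return audit_key(text, stat.S_IMODE(os.stat(path).st_mode))


# Constructed samples: header lines exactly as openssl wrote them above, bodies truncated
PLAIN_KEY = "-----BEGIN RSA PRIVATE KEY-----\nMIICXQIBAAKBgQC7n9G3\n-----END RSA PRIVATE KEY-----\n"
DES3_KEY = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
            "DEK-Info: DES-EDE3-CBC,A10A88A3A65686C4\n\ng2uwaR6TgLObrkEAz\n-----END RSA PRIVATE KEY-----\n")
AES_KEY = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
           "DEK-Info: AES-128-CBC,72305F310C826FAD49FF9DF021894C36\n\nzs69lfGhV8a\n-----END RSA PRIVATE KEY-----\n")
PUB_KEY = "-----BEGIN PUBLIC KEY-----\nMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC7\n-----END PUBLIC KEY-----\n"

if __name__ == "__main__":
    for name, text, mode in (("test.key", PLAIN_KEY, 0o600), ("test2.key", DES3_KEY, 0o600),
                             ("test2.bak.key", PLAIN_KEY, 0o644), ("test100.key", AES_KEY, 0o600)):
        print(name, audit_key(text, mode) or ["ok"])
```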

    7>. Random number generators (pseudo-random numbers)

    Entropy sources: keyboard and mouse, block-device interrupts
    /dev/random:
      returns random data only from the entropy pool; blocks once the pool is exhausted
    /dev/urandom:
      returns random data from the entropy pool; once the pool is exhausted it generates pseudo-random data in software, non-blocking
    [root@node101.yinzhengjie.org.cn ~]# tr -dc 'a-zA-Z0-9' </dev/urandom       #random data can be obtained from the operating system
    
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# openssl rand -base64 6            #openssl can also produce random data
    C73Eji13
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# openssl rand -base64 6
    yhYfP1qL
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# openssl rand -base64 6
    7+2gmWNK
    [root@node101.yinzhengjie.org.cn ~]# 

    III. Creating a private CA and requesting and issuing certificates with openssl

    Recommended reading by the blogger:
        https://www.cnblogs.com/yinzhengjie/p/12075752.html
  • Original article: https://www.cnblogs.com/yinzhengjie/p/12075540.html