Lab steps: basic use of OpenSSL
Create a file to be encrypted, with the content 12345, named test.txt
[root@bogon shang]# echo 12345 > test.txt
I. Symmetric encryption
1. Encrypting and decrypting with RC4
Encrypt: openssl enc -e -rc4 -in test.txt -out test_rc4.enc
[root@bogon shang]# openssl enc -e -rc4 -in test.txt -out test_rc4.enc
enter rc4 encryption password: // type the encryption password
Verifying - enter rc4 encryption password: // type the encryption password again
Decrypt: openssl enc -d -rc4 -in test_rc4.enc -out test_rc4.dm
[root@bogon shang]# openssl enc -d -rc4 -in test_rc4.enc -out test_rc4.dm
enter rc4 decryption password: // type the decryption password
2. Encrypting and decrypting with AES
Encrypt: openssl enc -e -aes-128-cbc -a -salt -in test.txt -out test_aes128.enc
[root@bogon shang]# openssl enc -e -aes-128-cbc -a -salt -in test.txt -out test_aes128.enc
enter aes-128-cbc encryption password: // type the encryption password
Verifying - enter aes-128-cbc encryption password: // type the encryption password again
[root@bogon shang]#
Decrypt: openssl enc -d -aes-128-cbc -a -salt -in test_aes128.enc -out test_aes128.d
[root@bogon shang]# openssl enc -d -aes-128-cbc -a -salt -in test_aes128.enc -out test_aes128.d
enter aes-128-cbc decryption password: // type the decryption password
[root@bogon shang]#
3. Encrypting and decrypting with 3DES
Encrypt: openssl enc -e -des3 -a -salt -in test.txt -out test_des3.enc
[root@bogon shang]# openssl enc -e -des3 -a -salt -in test.txt -out test_des3.enc
enter des-ede3-cbc encryption password:
Verifying - enter des-ede3-cbc encryption password:
[root@bogon shang]#
Decrypt: openssl enc -d -des3 -a -salt -in test_des3.enc -out test_des3.d
[root@bogon shang]# openssl enc -d -des3 -a -salt -in test_des3.enc -out test_des3.d
enter des-ede3-cbc decryption password:
[root@bogon shang]#
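The three symmetric steps above all rely on `openssl enc` with a typed password and, in the RC4 case, no salt. The script below is an added example written for this page, not part of the original lab: it runs the same kind of round trip non-interactively with AES-256-CBC, a random salt and PBKDF2 key derivation, and checks the two properties a practitioner should expect (the ciphertext does not contain the plaintext, and two encryptions of the same input differ because the salt is fresh). It assumes an `openssl` CLI of version 1.1.1 or later on PATH; the password, file names and plaintext are constructed for the demo. It also reports whether RC4 is still usable in the local build, since OpenSSL 3 moves RC4 to the legacy provider and the lab's `-rc4` step fails there.

```shell
#!/bin/sh
# Added example (not part of the original lab): a non-interactive round trip
# through `openssl enc` with the options a current OpenSSL expects.
# Assumes the `openssl` CLI (1.1.1 or 3.x) is on PATH; the password, file
# names and plaintext below are constructed for the demo.

WORK=$(mktemp -d)
PLAINTEXT="12345"
PASSWORD="demo-password-change-me"   # constructed; prefer -pass file:/stdin in real use

# Encrypt with AES-256-CBC, a random salt, and PBKDF2 key derivation.
# -pbkdf2/-iter replace the legacy MD5-based EVP_BytesToKey derivation that
# `openssl enc` still uses when they are omitted; -a base64-encodes the output.
aes_encrypt() {
    printf '%s\n' "$PLAINTEXT" > "$WORK/test.txt"
    openssl enc -e -aes-256-cbc -a -salt -pbkdf2 -iter 200000 \
        -pass "pass:$PASSWORD" -in "$WORK/test.txt" -out "$WORK/test.enc"
}

# Decrypt with the same cipher and KDF options; prints the recovered text.
aes_decrypt() {
    openssl enc -d -aes-256-cbc -a -pbkdf2 -iter 200000 \
        -pass "pass:$PASSWORD" -in "$WORK/test.enc"
}

# Full round trip: returns the recovered plaintext on stdout.
aes_roundtrip() {
    aes_encrypt && aes_decrypt
}

# Sanity check: the encrypted file must not contain the plaintext.
ciphertext_hides_plaintext() {
    aes_encrypt && ! grep -q "$PLAINTEXT" "$WORK/test.enc"
}

# Two encryptions of the same input differ, because -salt picks a fresh salt
# each time (the "Salted__" header stores it so decryption can re-derive the key).
salt_randomizes_output() {
    aes_encrypt && cp "$WORK/test.enc" "$WORK/first.enc"
    aes_encrypt && ! cmp -s "$WORK/first.enc" "$WORK/test.enc"
}

# RC4 is a broken stream cipher; on OpenSSL 3 it lives in the legacy provider
# and `openssl enc -rc4` fails unless that provider is loaded.
rc4_available() {
    openssl enc -e -rc4 -pass pass:x -in /dev/null -out /dev/null 2>/dev/null
}

# Demo output when the script is run directly.
echo "decrypted: $(aes_roundtrip)"
if rc4_available; then echo "rc4: still enabled in this build (avoid it)"; else echo "rc4: not available (expected on OpenSSL 3)"; fi
```

The same flags carry over to the lab's AES and 3DES steps: add `-pbkdf2` to both the encrypt and the decrypt command, and note that 3DES (`-des3`) is kept only for compatibility; AES is the cipher to use for new files.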
II. Asymmetric encryption
1. RSA encryption and decryption
Generate an RSA key pair: openssl genrsa -out rsa.key 1024
[root@bogon shang]# openssl genrsa -out rsa.key 1024
Generating RSA private key, 1024 bit long modulus
.....++++++
....++++++
e is 65537 (0x10001)
[root@bogon shang]#
Export the public key: openssl rsa -in rsa.key -pubout -out rsa_pub.key
[root@bogon shang]# openssl rsa -in rsa.key -pubout -out rsa_pub.key
writing RSA key
[root@bogon shang]#
Encrypt the file with the public key: openssl rsautl -encrypt -in test.txt -inkey rsa_pub.key -pubin -out test_rsa.enc
[root@bogon shang]# openssl rsautl -encrypt -in test.txt -inkey rsa_pub.key -pubin -out test_rsa.enc
Decrypt the file with the private key: openssl rsautl -decrypt -in test_rsa.enc -inkey rsa.key -out test_rsa.c
[root@bogon shang]# openssl rsautl -decrypt -in test_rsa.enc -inkey rsa.key -out test_rsa.c
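The RSA step works here only because test.txt is five bytes long: RSA can encrypt at most one block shorter than the modulus minus padding, and `rsautl` is deprecated in OpenSSL 3 in favour of `pkeyutl`. The script below is an added example for this page, not the lab's own code. It generates a 2048-bit key pair (1024 bits is below current minimums), repeats the direct encryption with `pkeyutl` and OAEP padding, shows OpenSSL rejecting an input that is too large, and then does what real tools do with files: encrypt the file with a random AES key and wrap only that key with RSA. It assumes an `openssl` CLI of version 1.1.1 or later; file names and sample content are constructed.

```shell
#!/bin/sh
# Added example (not from the original lab): RSA via the non-deprecated
# `pkeyutl` interface, and a hybrid scheme for data larger than one RSA block.
# Assumes the `openssl` CLI is on PATH; key size, file names and sample
# content are constructed for the demo.

WORK=$(mktemp -d)

# Generate a 2048-bit key pair and export the public key.
rsa_keygen() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORK/rsa.key" 2>/dev/null &&
    openssl pkey -in "$WORK/rsa.key" -pubout -out "$WORK/rsa_pub.key"
}

# Direct RSA-OAEP encryption of a small message with the public key, then
# decryption with the private key; prints the recovered text.
rsa_small_roundtrip() {
    printf '12345' > "$WORK/small.txt"
    openssl pkeyutl -encrypt -pubin -inkey "$WORK/rsa_pub.key" \
        -pkeyopt rsa_padding_mode:oaep -in "$WORK/small.txt" -out "$WORK/small.enc" &&
    openssl pkeyutl -decrypt -inkey "$WORK/rsa.key" \
        -pkeyopt rsa_padding_mode:oaep -in "$WORK/small.enc"
}

# RSA-2048 with OAEP can take only about 214 bytes of input. Succeeds when
# OpenSSL rejects a 1 KiB input, which is the behaviour to expect.
rsa_rejects_large_input() {
    head -c 1024 /dev/zero > "$WORK/big.bin"
    ! openssl pkeyutl -encrypt -pubin -inkey "$WORK/rsa_pub.key" \
        -pkeyopt rsa_padding_mode:oaep -in "$WORK/big.bin" -out "$WORK/big.enc" 2>/dev/null
}

# Hybrid encryption: a random 256-bit content key encrypts the file with
# AES-256-CBC, and only that key is wrapped with RSA-OAEP.
hybrid_encrypt() {        # $1 = plaintext file; writes $1.enc and $1.key.enc
    openssl rand -hex 32 > "$WORK/content.key" &&
    openssl enc -e -aes-256-cbc -pbkdf2 -pass "file:$WORK/content.key" -in "$1" -out "$1.enc" &&
    openssl pkeyutl -encrypt -pubin -inkey "$WORK/rsa_pub.key" \
        -pkeyopt rsa_padding_mode:oaep -in "$WORK/content.key" -out "$1.key.enc" &&
    rm -f "$WORK/content.key"
}

# The recipient unwraps the content key with the private key, then decrypts the file.
hybrid_decrypt() {        # $1 = original file name; prints the plaintext
    openssl pkeyutl -decrypt -inkey "$WORK/rsa.key" \
        -pkeyopt rsa_padding_mode:oaep -in "$1.key.enc" -out "$WORK/recovered.key" &&
    openssl enc -d -aes-256-cbc -pbkdf2 -pass "file:$WORK/recovered.key" -in "$1.enc"
}

# Round trip over an 8 KiB constructed file; prints "ok" when the output matches.
hybrid_roundtrip() {
    head -c 4096 /dev/urandom | od -An -tx1 | tr -d ' \n' > "$WORK/large.txt"
    hybrid_encrypt "$WORK/large.txt" && hybrid_decrypt "$WORK/large.txt" > "$WORK/large.out" &&
    cmp -s "$WORK/large.txt" "$WORK/large.out" && echo ok
}

rsa_keygen
echo "direct RSA: $(rsa_small_roundtrip)"
echo "hybrid: $(hybrid_roundtrip)"
```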
Logging in to an SSH server with a key
I. Configure key-based login on the SSH server
1. Edit the SSH configuration file: vim /etc/ssh/sshd_config
[root@bogon shang]# vim /etc/ssh/sshd_config
2. Remove the # sign, save the file and exit
Remove the # in front of the line PubkeyAuthentication yes
PubkeyAuthentication yes
# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile .ssh/authorized_keys
3. Restart the SSH service: systemctl restart sshd
[root@bogon shang]# systemctl restart sshd
II. Generate a key pair on the client
1. Generate the key pair for SSH login: ssh-keygen -t rsa
[root@bogon shang]# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): y
Enter passphrase (empty for no passphrase): // just press Enter
Enter same passphrase again: // just press Enter
2. Check the generated keys: ls -l /root/.ssh/ and make sure both files are newly created
[root@bogon shang]# ls -l /root/.ssh
总用量 8
-rw-------. 1 root root 1679 12月 6 19:01 id_rsa
-rw-r--r--. 1 root root 392 12月 6 19:01 id_rsa.pub
[root@bogon shang]#
III. Upload the client public key to the server
1. Connect to the server with sftp:
sftp root@<VM IP>
type yes
type the server password
[root@bogon shang]# sftp root@192.168.109.128
The authenticity of host '192.168.109.128 (192.168.109.128)' can't be established.
ECDSA key fingerprint is SHA256:tSZL+B8CzIX90TFcArCSDIkb+w3EFmVAn7fqVMAXXDY.
ECDSA key fingerprint is MD5:ee:d1:e2:78:bd:fe:a3:d5:ac:98:21:34:14:81:93:ba.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.109.128' (ECDSA) to the list of known hosts.
root@192.168.109.128's password: // server password
Connected to 192.168.109.128.
sftp>
2. Upload the public key file: put /root/.ssh/id_rsa.pub
sftp> put /root/.ssh/id_rsa.pub
Uploading /root/.ssh/id_rsa.pub to /root/id_rsa.pub
/root/.ssh/id_rsa.pub 100% 392 1.9MB/s 00:00
sftp>
3. Exit the sftp client: exit
sftp> exit
[root@bogon shang]#
IV. Configure the public key on the server
In step III we placed the public key file at /root/id_rsa.pub.
Now append the public key to the server's authorized-keys file.
Type: cat /root/id_rsa.pub >> ~/.ssh/authorized_keys
[root@bogon shang]# cat /root/id_rsa.pub >> ~/.ssh/authorized_keys
V. Verify key-based login
Log in specifying the private key file: ssh -i /root/.ssh/id_rsa root@<VM IP>
[root@bogon shang]# ssh -i /root/.ssh/id_rsa root@192.168.109.128
Last login: Mon Dec 6 14:09:10 2021
[root@bogon ~]#
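Step IV installs the key with a plain `cat >>`, which appends a duplicate entry every time it is repeated and never sets permissions; with the default `StrictModes yes`, sshd silently ignores an authorized_keys file that is group- or world-writable, which is the usual reason key login "does not work" after following these steps. The function below is an added example for this page, not part of the lab: it installs a key line idempotently and enforces the 700/600 modes sshd expects. It assumes a GNU userland (`stat -c`); the home directory and the key line are constructed for the demo and are not a real key.

```shell
#!/bin/sh
# Added example (not from the original lab): install a public key into
# authorized_keys idempotently and with the permissions sshd's StrictModes
# requires. Assumes GNU stat; the home directory and key line are constructed.

HOME_DIR=$(mktemp -d)
# Constructed sample public-key line (not a real key pair).
SAMPLE_KEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYEXAMPLEKEYEXAMPLEKEYEXAMPLEKEY demo@client'

# Append the key only if it is not already present, then lock down permissions.
install_authorized_key() {      # $1 = home dir, $2 = public key line
    mkdir -p "$1/.ssh" && chmod 700 "$1/.ssh" &&
    touch "$1/.ssh/authorized_keys" &&
    if ! grep -qxF "$2" "$1/.ssh/authorized_keys"; then
        printf '%s\n' "$2" >> "$1/.ssh/authorized_keys"
    fi &&
    chmod 600 "$1/.ssh/authorized_keys"
}

# Number of times a key line occurs (stays 1 however often it is installed).
key_count() {                   # $1 = home dir, $2 = public key line
    grep -cxF "$2" "$1/.ssh/authorized_keys"
}

# Octal modes of ~/.ssh and of authorized_keys, e.g. "700 600".
key_modes() {                   # $1 = home dir
    echo "$(stat -c %a "$1/.ssh") $(stat -c %a "$1/.ssh/authorized_keys")"
}

install_authorized_key "$HOME_DIR" "$SAMPLE_KEY"
install_authorized_key "$HOME_DIR" "$SAMPLE_KEY"   # second run is a no-op
echo "entries: $(key_count "$HOME_DIR" "$SAMPLE_KEY"), modes: $(key_modes "$HOME_DIR")"
```

On a real client `ssh-copy-id root@<VM IP>` performs the same append-and-chmod over the existing password login, replacing steps III and IV. Once step V succeeds, set `PasswordAuthentication no` in /etc/ssh/sshd_config and restart sshd so the server accepts keys only.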
Deploying HTTPS on Apache
I. Generate a standalone CA
1. Generate the CA key: openssl genrsa -des3 -out ca.key 4096
[root@bogon ~]# openssl genrsa -des3 -out ca.key 4096
Generating RSA private key, 4096 bit long modulus
................................................................................................................................................................................................................................++
.....................................................................................++
e is 65537 (0x10001)
Enter pass phrase for ca.key: // type a passphrase to encrypt the private key
Verifying - Enter pass phrase for ca.key: // type the passphrase again
[root@bogon ~]#
2. Generate the CA certificate: openssl req -new -x509 -days 365 -key ca.key -out ca.crt
[root@bogon ~]# openssl req -new -x509 -days 365 -key ca.key -out ca.crt
Country Name (2 letter code) [XX]:qq
State or Province Name (full name) []:qq
Locality Name (eg, city) [Default City]:qq
Organization Name (eg, company) [Default Company Ltd]:qq
Organizational Unit Name (eg, section) []:qq
Common Name (eg, your name or your server's hostname) []:qq
Email Address []:qq@.com
[root@bogon ~]#
II. Generate the server private key and the certificate signing request (CSR)
1. Generate the HTTPS server private key: openssl genrsa -des3 -out myserver.key 4096
[root@bogon ~]# openssl genrsa -des3 -out myserver.key 4096
Generating RSA private key, 4096 bit long modulus
...................................++
......................++
e is 65537 (0x10001)
Enter pass phrase for myserver.key: // type a passphrase to encrypt the key
Verifying - Enter pass phrase for myserver.key: // type the passphrase again
[root@bogon ~]#
2. Generate the HTTPS server certificate request file: openssl req -new -key myserver.key -out myserver.csr
[root@bogon ~]# openssl req -new -key myserver.key -out myserver.csr
Enter pass phrase for myserver.key: // type the key's passphrase
Country Name (2 letter code) [XX]:qq
State or Province Name (full name) []:qq
Locality Name (eg, city) [Default City]:qq
Organization Name (eg, company) [Default Company Ltd]:qq
Organizational Unit Name (eg, section) []:q
Common Name (eg, your name or your server's hostname) []:qq
Email Address []:qq@.com
A challenge password []: // just press Enter
An optional company name []: // just press Enter
3. Use the CA certificate and key to sign our server certificate:
openssl x509 -req -days 365 -in myserver.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out myserver.crt
-set_serial sets the serial number of the issued certificate
[root@bogon ~]# openssl x509 -req -days 365 -in myserver.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out myserver.crt
Signature ok
subject=/C=qq/ST=qq/L=qq/O=qq/OU=q/CN=qq/emailAddress=qq@.com
Getting CA Private Key
Enter pass phrase for ca.key: // type the CA private key passphrase
III. Install the Apache SSL module
1. Apache is already installed on the server; to enable HTTPS on Apache the ssl module must be installed:
yum install -y mod_ssl
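The certificate issued in step 3 carries the hostname only in the Common Name. Chrome (the client used to test at the end of this lab) has ignored the CN since version 58 and requires a subjectAltName, and a hard-coded `-set_serial 01` gives every certificate the CA issues the same serial. The script below is an added example for this page, not the lab's own commands: it runs the same CA, CSR and signing flow non-interactively, adds a SAN and serverAuth extension through `-extfile`, lets OpenSSL track serials with `-CAcreateserial`, and then applies the checks a client applies (chain validity, hostname match, and that the private key belongs to the certificate). It assumes an `openssl` CLI of version 1.1.1 or later; the organisation names, the hostname www.example.test and the validity periods are constructed.

```shell
#!/bin/sh
# Added example (not from the original lab): CA -> CSR -> signed server
# certificate, non-interactively, with a subjectAltName and a chain check.
# Assumes the `openssl` CLI is on PATH; names and hostname are constructed.

WORK=$(mktemp -d)
SERVER_NAME="www.example.test"    # constructed hostname

# 1. CA key and self-signed CA certificate. No passphrase here so the demo runs
#    unattended; protect a real CA key with file permissions and keep it off the web server.
make_ca() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/ca.key" 2>/dev/null &&
    openssl req -new -x509 -days 365 -key "$WORK/ca.key" -out "$WORK/ca.crt" \
        -subj "/C=XX/O=Demo Lab/CN=Demo Lab Root CA"
}

# 2. Server key and certificate signing request.
make_csr() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/myserver.key" 2>/dev/null &&
    openssl req -new -key "$WORK/myserver.key" -out "$WORK/myserver.csr" \
        -subj "/C=XX/O=Demo Lab/CN=$SERVER_NAME"
}

# 3. Sign the CSR with the CA. The hostname goes into subjectAltName via -extfile;
#    -CAcreateserial keeps a serial file so each issued certificate is unique.
sign_server_cert() {
    printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$SERVER_NAME" > "$WORK/san.ext" &&
    openssl x509 -req -days 365 -in "$WORK/myserver.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -CAcreateserial -extfile "$WORK/san.ext" -out "$WORK/myserver.crt" 2>/dev/null
}

# Chain check: does the server certificate validate against the CA?
verify_chain() {
    openssl verify -CAfile "$WORK/ca.crt" "$WORK/myserver.crt" > /dev/null
}

# Hostname check against the SAN, as a browser would do it.
hostname_matches() {            # $1 = hostname to test
    openssl x509 -in "$WORK/myserver.crt" -noout -checkhost "$1" | grep -q 'does match'
}

# The private key installed on the server must belong to the certificate.
key_matches_cert() {
    [ "$(openssl x509 -in "$WORK/myserver.crt" -noout -pubkey)" = \
      "$(openssl pkey -in "$WORK/myserver.key" -pubout)" ]
}

make_ca && make_csr && sign_server_cert
verify_chain && echo "chain: OK"
hostname_matches "$SERVER_NAME" && echo "SAN: matches $SERVER_NAME"
key_matches_cert && echo "key: matches certificate"
```

After the Apache steps that follow, the same checks can be run against the live server with `openssl s_client -connect <VM IP>:443 -servername www.example.test -CAfile ca.crt`, looking for "Verify return code: 0 (ok)"; Chrome shows a warning until ca.crt is imported as a trusted root on the client.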
[root@bogon ~]# yum install -y mod_ssl
已加载插件:fastestmirror, langpacks
Loading mirror speeds from cached hostfile
* base: ftp.sjtu.edu.cn
* extras: mirror.lzu.edu.cn
* updates: ftp.sjtu.edu.cn
正在解决依赖关系
完毕!
IV. Copy the certificate and key to their paths:
cp myserver.crt /etc/pki/tls/certs/
cp myserver.key /etc/pki/tls/private/
[root@bogon ~]# cp myserver.crt /etc/pki/tls/certs/
[root@bogon ~]# cp myserver.key /etc/pki/tls/private/
V. Edit the Apache configuration so the certificate takes effect
vim /etc/httpd/conf.d/ssl.conf
[root@bogon ~]# vim /etc/httpd/conf.d/ssl.conf
Change the certificate and private key paths as shown below, then save and exit:
# certificate can be generated using the genkey(1) command.
SSLCertificateFile /etc/pki/tls/certs/myserver.crt
# Server Private Key:
# If the key is not combined with the certificate, use this
# directive to point at the key file. Keep in mind that if
# you've both a RSA and a DSA private key you can configure
# both in parallel (to also allow the use of DSA ciphers, etc.)
SSLCertificateKeyFile /etc/pki/tls/private/myserver.key
VI. Restart the Apache service
systemctl restart httpd
Note: type the passphrase of myserver.key when prompted
[root@bogon ~]# systemctl restart httpd
Enter SSL pass phrase for 127.0.0.1:443 (RSA) : ******
[root@bogon ~]#
VII. Test the site certificate
Open the server's https page from the Chrome browser on the client
https://ip