What is linux openssl

In Linux, openssl is an extremely powerful command line tool that can be used to complete many tasks related to the public key system and HTTPS. openssl has two operating modes: interactive mode and batch mode; directly enter openssl and press Enter to enter interactive mode, enter openssl with command options to enter batch mode.

#The operating environment of this tutorial: linux7.3 system, Dell G3 computer.

1. Introduction to openssl command

openssl is an extremely powerful command line tool that can be used to complete the public key system (Public Key Infrastructure) and many tasks related to HTTPS. openssl is a powerful Secure Sockets Layer cryptographic library, including major cryptographic algorithms, commonly used key and certificate encapsulation management functions, and SSL protocols, and provides a wealth of applications for testing or other purposes.
 Openssl has two operating modes: interactive mode and batch mode. Directly enter openssl and press Enter to enter interactive mode, enter openssl with command options to enter batch mode.
 The entire openssl software package can be roughly divided into three main functional parts: cryptographic algorithm library, SSL protocol library and applications. The directory structure of openssl is naturally planned around these three functional parts. The role of the openssl command:

• Creation and management of private keys, public keys and parameters
• Public key encryption operations
• Create X.509 certificates, CSR and CRL
• Computation of message digests
• Using passwords for encryption and decryption
• SSL/TLS client and server testing
• Handling S/MIME signing or encryption Email
• Time stamp request, generation and verification

2. Usage examples

1. Get command help in interactive mode

OpenSSL> help
 Standard commands
 asn1parse ca ciphers cms
 crl crl2pkcs7 dgst dhparam
 dsa dsaparam ec ecparam
 enc engine errstr gendsa
 genpkey genrsa help list
 nseq ocsp passwd pkcs12
 pkcs7 pkcs8 pkey pkeyparam
 pkeyutl prime rand rehash
 req rsa rsautl s_client
 s_server s_time sess_id smime
 speed spkac srp storeutl
 ts verify version x509
 Message Digest commands (see the `dgst’ command for more details)
 blake2b512 blake2s256 gost md4
 md5 mdc2 rmd160 sha1
 sha224 sha256 sha3-224 sha3-256
 sha3-384 sha3-512 sha384 sha512
 sha512-224 sha512-256 shake128 shake256
 sm3
 Cipher commands (see the `enc’ command for more details)
 aes-128-cbc aes-128-ecb aes-192-cbc aes-192-ecb
 aes-256-cbc aes-256-ecb aria-128-cbc aria-128-cfb
 aria-128-cfb1 aria-128-cfb8 aria-128-ctr aria-128-ecb
 aria-128-ofb aria-192-cbc aria-192-cfb aria-192-cfb1
 aria-192-cfb8 aria-192-ctr aria-192-ecb aria-192-ofb
 aria-256-cbc aria-256-cfb aria-256-cfb1 aria-256-cfb8
 aria-256-ctr aria-256-ecb aria-256-ofb base64
 bf bf-cbc bf-cfb bf-ecb
 bf-ofb camellia-128-cbc camellia-128-ecb camellia-192-cbc
 camellia-192-ecb camellia-256-cbc camellia-256-ecb cast
 cast-cbc cast5-cbc cast5-cfb cast5-ecb
 cast5-ofb des des-cbc des-cfb
 des-ecb des-ede des-ede-cbc des-ede-cfb
 des-ede-ofb des-ede3 des-ede3-cbc des-ede3-cfb
 des-ede3-ofb des-ofb des3 desx
 idea idea-cbc idea-cfb idea-ecb
 idea-ofb rc2 rc2-40-cbc rc2-64-cbc
 rc2-cbc rc2-cfb rc2-ecb rc2-ofb
 rc4 rc4-40 seed seed-cbc
 seed-cfb seed-ecb seed-ofb sm4-cbc
 sm4-cfb sm4-ctr sm4-ecb sm4-ofb

2. Check the command version

OpenSSL> version
 OpenSSL 1.1.1h 22 Sep 2020

3. Use openssl commands to perform base64 encoding and decoding

##base64 encoding

• (base) [root@sun-site certs]# echo “wuhs” |openssl base64
   d3Vocwo=
   (base) [root@sun-site certs]# echo “wuhs” > 1.txt
   (base) [root@sun-site certs]# openssl base64 -in 1.txt
   d3Vocwo=

base64 decoding

• (base) [root@sun-site certs]# echo “d3Vocwo=” | openssl base64 -d
   wuhs
   (base) [root@sun-site certs]# openssl base64 -d -in 1.base64
   wuhs

4. Use openssl to generate a random password

Generate a 12-digit random password

• (base) [root@sun-site certs]# openssl rand -base64 10 |cut -c 1-12
   PGznlV5Og0Us

5. Use openssl command to generate summary

Perform md5 summary calculation on the string "wuhs"

• (base) [root@sun-site certs]# echo wuhs | openssl md5
   (stdin)= 4cdb1fbd6a34ff27dc8c10913fab3e7e
   (base) [root@sun-site certs]# openssl md5 1.txt
   MD5(1.txt)= 4cdb1fbd6a34ff27dc8c10913fab3e7e

Perform sha1 digest calculation on the string "wuhs"

• (base) [root@sun-site certs]# openssl sha1 1.txt
   SHA1(1.txt)= bd8f0b20de17d623608218d05e8741502cf42302
   (base) [root@sun-site certs]# echo wuhs | openssl sha1
   (stdin)= bd8f0b20de17d623608218d05e8741502cf42302

6. Use openssl command to perform AES encryption and decryption

Encrypt the string "wuhs" with aes, use key 123, and the output result is given in base64 encoding format

• (base) [root@sun-site certs]# openssl aes-128-cbc -in 1.txt -k 123 -base64
   *** WARNING : deprecated key derivation used.
   Using -iter or -pbkdf2 would be better.
   U2FsdGVkX194Z8P5c7C8vmXbA39omlqU/ET8xaehVFk=

Decrypt the aes encrypted file data and encrypt it Key 123

• (base) [root@sun-site certs]# openssl aes-128-cbc -d -k 123 -base64 -in 2.txt
   *** WARNING : deprecated key derivation used.
   Using -iter or -pbkdf2 would be better.
   wuhs

7. Key generation and verification

Create an encrypted private key

• (base) [root@sun-site tmp]# openssl genrsa -des3 -out sunsite.key 2048
   Generating RSA private key, 2048 bit long modulus (2 primes)
   …+++++
   …+++++
   e is 65537 (0x010001)
   Enter pass phrase for sunsite.key:
   Verifying - Enter pass phrase for sunsite.key:
   (base) [root@sun-site tmp]# ll
   total 16
   -rw------- 1 root root 1751 Oct 25 14:43 sunsite.key

Verify private key

• (base) [root@sun-site tmp]# openssl rsa -check -in sunsite.key
   Enter pass phrase for sunsite.key:
   RSA key ok
   writing RSA key
   -----BEGIN RSA PRIVATE KEY-----
   MIIEpAIBAAKCAQEA1jDreCAjX5kpNmnyNayQB/GUvyIRvZZM2WoKAIjne91JupgP
   OKmBdYSWeWsf0h0XU9ubhCHpgCss2hdRKxLN3rJLlFD98TUKpb9S2XkfrT9s3cLN
   PQyCELK60zrs1sE52I4pDj4nTZPZCL9mykzqwNa5rcGuHN/lLnvJxFPJOJwVWbVE
   Bvh+jGioJbi+Ar0rs37/8naGBYz5k4BFn5sCKrhssoMEpDWjMz4yJMpycTlEFITa
   …

Encrypt the private key, enter the password and complete the encryption of the private key file

• (base) [root@sun-site tmp]# openssl rsa -des3 -in sunsite.key -out sunsite.key
   writing RSA key
   Enter PEM pass phrase:
   Verifying - Enter PEM pass phrase:

Decrypt Private key, the private key file will be decrypted after entering the password

• (base) [root@sun-site tmp]# openssl rsa -in sunsite.key -out sunsite2.key
   Enter pass phrase for sunsite.key:
   writing RSA key

8. Generate certificate signature

Use the specified private key Key file to generate csr file

• (base) [root@sun-site tmp]# openssl req \
   -key sunsite.key \
   -new -out sunsite.csr
   You are about to be asked to enter information that will be incorporated
   into your certificate request.
   What you are about to enter is what is called a Distinguished Name or a DN.
   There are quite a few fields but you can leave some blank
   For some fields there will be a default value,
   If you enter ‘.’, the field will be left blank.
   -----
   Country Name (2 letter code) [AU]:CN
   State or Province Name (full name) [Some-State]:HuNan
   Locality Name (eg, city) []:changsha
   Organization Name (eg, company) [Internet Widgits Pty Ltd]:sunsite
   Organizational Unit Name (eg, section) []:jsb
   Common Name (e.g. server FQDN or YOUR name) []:wuhs
   Email Address []:524627027@qq.com
   Please enter the following ‘extra’ attributes
   to be sent with your certificate request
   A challenge password []:123456
   An optional company name []:123456

Generate private key and CSR

• (base) [root@sun-site tmp]# openssl req \
   -newkey rsa:2048 -nodes -keyout s.key \
   -out s.csr
   Generating a RSA private key
   …+++++
   .+++++
   writing new private key to ‘s.key’
   -----
   You are about to be asked to enter information that will be incorporated
   into your certificate request.
   What you are about to enter is what is called a Distinguished Name or a DN.
   There are quite a few fields but you can leave some blank
   For some fields there will be a default value,
   If you enter ‘.’, the field will be left blank.
   -----
   Country Name (2 letter code) [AU]:cn
   State or Province Name (full name) [Some-State]:hunan
   Locality Name (eg, city) []:changsha
   Organization Name (eg, company) [Internet Widgits Pty Ltd]:sunsite
   Organizational Unit Name (eg, section) []:jsb
   Common Name (e.g. server FQDN or YOUR name) []:wuhs
   Email Address []:524627027@qq.com
   Please enter the following ‘extra’ attributes
   to be sent with your certificate request
   A challenge password []:123456
   An optional company name []:123456
   (base) [root@sun-site tmp]# ll
   total 28
   -rw-r–r-- 1 root root 1102 Oct 25 15:37 s.csr
   -rw------- 1 root root 1708 Oct 25 15:37 s.key

Use existing certificate and private key to generate CSR

• openssl x509 \
   -in domain.crt \
   -signkey domain.key 
   -x509toreq -out domain.csr

View CSR file

• (base) [root@sun-site tmp]# openssl req -text -noout -verify -in sunsite.csr

##9. Make and view SSL certificate

Generate a self-signed certificate

• (base) [root@sun-site tmp]# openssl req \
   -newkey rsa:2048 -nodes -keyout sunsite.key \
   -x509 -days 365 -out sunsite.crt
   Generating a RSA private key
   …+++++
   …+++++
   writing new private key to ‘sunsite.key’
   -----
   You are about to be asked to enter information that will be incorporated
   into your certificate request.
   What you are about to enter is what is called a Distinguished Name or a DN.
   There are quite a few fields but you can leave some blank
   For some fields there will be a default value,
   If you enter ‘.’, the field will be left blank.
   -----
   Country Name (2 letter code) [AU]:cn
   State or Province Name (full name) [Some-State]:hn
   Locality Name (eg, city) []:cs
   Organization Name (eg, company) [Internet Widgits Pty Ltd]:sunsite
   Organizational Unit Name (eg, section) []:jsb
   Common Name (e.g. server FQDN or YOUR name) []:wuhs
   Email Address []:524627027@qq.com
   (base) [root@sun-site tmp]# ll
   -rw-r–r-- 1 root root 1383 Oct 25 16:03 sunsite.crt
   -rw-r–r-- 1 root root 1102 Oct 25 15:05 sunsite.csr
   -rw------- 1 root root 1708 Oct 25 16:03 sunsite.key

Use an existing private key to generate a self-signed certificate

• (base) [root@sun-site tmp]# openssl req \
   -key sunsite.key -new \
   -x509 -days 365 -out sunsite.crt
   You are about to be asked to enter information that will be incorporated
   into your certificate request.
   What you are about to enter is what is called a Distinguished Name or a DN.
   There are quite a few fields but you can leave some blank
   For some fields there will be a default value,
   If you enter ‘.’, the field will be left blank.
   -----
   Country Name (2 letter code) [AU]:cn
   State or Province Name (full name) [Some-State]:hn
   Locality Name (eg, city) []:cs
   Organization Name (eg, company) [Internet Widgits Pty Ltd]:sunsite
   Organizational Unit Name (eg, section) []:jsb
   Common Name (e.g. server FQDN or YOUR name) []:wuhs
   Email Address []:wuhs@qq.com

Use the existing private key and CSR to generate a self-signed certificate

• (base) [root@sun-site tmp]# openssl x509 \
   -signkey sunsite.key \
   -in sunsite.csr \
   -req -days 365 -out sunsite.crt
   Signature ok
   subject=C = CN, ST = HuNan, L = changsha, O = sunsite, OU = jsb, CN = wuhs, emailAddress = 524627027@qq.com
   Getting Private key

View the certificate

• (base) [root@sun-site tmp ]# openssl x509 -text -noout -in sunsite.crt

Verify whether the certificate is issued by ca

• (base) [root@sun-site tmp]# openssl verify -verbose -CAfile ca.crt sunsite.crt
   Error loading file ca.crt
   #需要ca证书

Verify whether the private key, certificate, and CSR match

• (base) [root@sun-site tmp]# openssl x509 -noout -modulus -in sunsite.crt |openssl md5
   (stdin)= e26905e973af69aed4e4d707f882de61
   (base) [root@sun-site tmp]# openssl rsa -noout -modulus -in sunsite.key |openssl md5
   (stdin)= e26905e973af69aed4e4d707f882de61
   (base) [root@sun-site tmp]# openssl req -noout -modulus -in sunsite.csr |openssl md5
   (stdin)= e26905e973af69aed4e4d707f882de61
   #md5校验和一致说明，三者匹配

10. Certificate format conversion

PEM to DER

• (base) [root@sun-site tmp]# openssl x509 -in sunsite.crt -outform der -out sunsite.der

DER to PEM

• (base) [root@sun-site tmp]# openssl x509 -in sunsite.der -inform der -out sunsite.crt

PEM to PKCS7

• (base) [root@sun-site tmp]# openssl crl2pkcs7 -nocrl -certfile sunsite.crt -certfile ca-chain.crt -out sunsite.p7b

PKCS7 to PEM

• #openssl pkcs7 -in domain.p7b -print_certs -out domain.crt

PEM to PKCS12

• openssl pkcs12 -inkey domain.key -in domain.crt -export -out domain.pfx

PKCS12 to PEM

• openssl pkcs12 -in domain.pfx -nodes -out domain.combined.crt

11. Certificate Revocation

#The client obtains the serial of the certificate to be revoked (executed on the host using the certificate)

• (base) [root@sun-site tmp]# openssl x509 -in sunsite.crt -noout -serial -subject
   serial=2DA086B4B14ECE63535734049A4BCF70290446C9
   subject=C = CN, ST = HuNan, L = changsha, O = sunsite, OU = jsb, CN = wuhs, emailAddress = 524627027@qq.com

12. Get command help

Take openssl x509 command as an example

• (base) [root@sun-site tmp] # openssl x509 --help

三、使用语法及命令介绍

1、使用语法

openssl command [ command_opts ] [ command_args ]

2、标准命令

命令	命令介绍
asn1parse	解析ASN.1序列。
ca	证书颁发机构（ca）管理。
ciphers	密码套件描述确定。
cms	cms（加密消息语法）实用程序
crl	证书撤销列表（crl）管理。
crl2pkcs7	CRL到PKCS#7的转换。
dgst	消息摘要计算。
dh	Diffie-Hellman参数管理。被dhparam淘汰。
dhparam	Diffie-Hellman参数的生成和管理。由genpkey和pkeyparam取代
dsa	dsa数据管理。
dsaparam	DSA参数生成和管理。由genpkey和pkeyparam取代
ec	ec（椭圆曲线）密钥处理
ecparam	EC参数操作和生成
enc	使用密码进行编码。
engine	引擎（可加载模块）信息和操作。
errstr	错误编号到错误字符串的转换。
gendh	Diffie-Hellman参数的生成。被dhparam淘汰。
gendsa	根据参数生成DSA私钥。由genpkey和pkey取代
genpkey	生成私钥或参数。
genrsa	生成RSA私钥。由根普基取代。
nseq	创建或检查netscape证书序列
ocsp	在线证书状态协议实用程序。
passwd	生成哈希密码。
pkcs12	PKCS#12数据管理。
pkcs7	PKCS#7数据管理。
pkey	公钥和私钥管理。
pkeyparam	公钥算法参数管理。
pkeyutl	公钥算法加密操作实用程序。
rand	生成伪随机字节。
req	PKCS#10 X.509证书签名请求（CSR）管理。
rsa	rsa密钥管理。
rsautl	RSA实用程序，用于签名、验证、加密和解密。被pkeyutl取代
s_client	这实现了一个通用的SSL/TLS客户端，它可以与使用SSL/TLS的远程服务器建立透明连接。它仅用于测试目的，只提供基本的接口功能，但在内部主要使用OpenSSL库的所有功能。
s_server
s_time	SSL连接计时器。
sess_id	SSL会话数据管理。
smime	S/MIME邮件处理。
speed	算法速度测量。
spkac	spkac打印和生成实用程序
ts	时间戳授权工具（客户端/服务器）
verify	X.509证书验证。
version	OpenSSL版本信息。
x509	X.509证书数据管理。

3. Message summary command

Command	Command introduction
md2	MD2 Digest
md5	MD5 Digest
mdc2	MDC2 Digest
rmd160	RMD-160 Digest
sha	SHA Digest
sha1	SHA-1 Digest
sha224	SHA-224 Digest
sha256	SHA-256 Digest
sha384	SHA-384 Digest
sha512	SHA-512 Digest

4. Encoding and password commands

##CommandCommand introductionbase64base64 encodingbf bf-cbc bf-cfb bf-ecb bf-ofbBlowfish Passwordcast cast-cbcForce passwordcast5-cbc cast5-cfb cast5-ecb cast5-ofb CAST5 Passworddes des-cbc des-cfb des-ecb des-ede des-ede-cbc des-ede-cfb des-ede-ofb des- ofbDES passworddes3 desx des-ede3 des-ede3-cbc des-ede3-cfb des-ede3-ofbTriple DES password idea idea-cbc idea-cfb idea-ecb idea-ofbIDEA passwordrc2 rc2-cbc rc2 -cfb rc2-ecb rc2-ofbRC2 passwordrc4RC4 passwordrc5 rc5-cbc rc5-cfb rc5-ecb rc5-ofbRC5 passwordRelated recommendations: "

Linux Video Tutorial"

The above is the detailed content of What is linux openssl. For more information, please follow other related articles on the PHP Chinese website!