Learn a Linux command every day (106): OpenSSL

Time:2021-9-23

Command introduction

The OpenSSL command is a powerful secure socket layer cipher library. OpenSSL is an open source command line tool, which is usually used to generate private keys, create CSR, install SSL / TLS certificates and identify certificate information.

OpenSSL operation mode
  • Interaction mode

  • Batch mode

Directly enter OpenSSL and enter to enter the interactive mode. Enter OpenSSL with command options to enter the batch mode.

[[email protected] ~]# openssl
OpenSSL> version
OpenSSL 1.0.2k-fips  26 Jan 2017

The whole OpenSSL software package can be divided into three main functional parts: cryptographic algorithm library, SSL protocol library and application.

Main purpose of OpenSSL command
  • Create and manage private keys, public keys and parameters

  • Public key encryption operation

  • Create X.509 certificates, CSR and CRL

  • Calculation of message digest

  • Use passwords for encryption and decryption

  • SSL / TLS client and server testing

  • Process s / MIME signed or encrypted messages

  • Timestamp request, generation and verification

Syntax format

openssl command [ command_opts ] [ command_args ]
 
openssl [ list-standard-commands | list-message-digest-commands | list-cipher-commands | list-cipher-algorithms | list-message-digest-algorithms | list-public-key-algorithms]
 
openssl no-XXX [ arbitrary options ]

Option description

Learn a Linux command every day (106): OpenSSLReaders can refer to the help documents themselveshttps://www.digicert.com/kb/s…

Application examples

Version information

[[email protected] ~]# openssl version
OpenSSL 1.0.2k-fips  26 Jan 2017
[[email protected] ~]# openssl version -a
OpenSSL 1.0.2k-fips  26 Jan 2017
built on: reproducible build, date unspecified
platform: linux-x86_64
options:  bn(64,64) md2(int) rc4(16x,int) des(idx,cisc,16,int) idea(int) blowfish(idx) 
compiler: gcc -I. -I.. -I../include  -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DKRB5_MIT -m64 -DL_ENDIAN -Wall -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches   -m64 -mtune=generic -Wa,--noexecstack -DPURIFY -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DRC4_ASM -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM
OPENSSLDIR: "/etc/pki/tls"
engines:  rdrand dynamic 
#Version number and release date (OpenSSL)   1.0.2k, 26 January 2017)
#Options for building with libraries
#Directory where certificates and private keys are stored (openssldir)

Generate password function

[[email protected] ~]# openssl rand -base64 15
DYmkj+RY9QUcb4m5aoNV
[[email protected] ~]# openssl rand -base64 10
RpyTN5W7BLznjA==
[[email protected] ~]# openssl rand -base64 5
AeQaaBE=

Application of message digest algorithm

#Calculate the Hassi value of the file openssl1.txt with SHA1 algorithm
[[email protected] ~]# openssl dgst -sha1 openssl1.txt
openssl1.txt: No such file or directory
[[email protected] ~]# touch openssl1.txt
[[email protected] ~]# openssl dgst -sha1 openssl1.txt
SHA1(openssl1.txt)= da39a3ee5e6b4b0d3255bfef95601890afd80709
#Calculate the Hassi value of the file openssl1.txt with SHA1 algorithm,输出到文件sha1.txt
[[email protected] ~]# openssl sha1 -out sha1.txt openssl1.txt
[[email protected] ~]# cat sha1.txt
SHA1(openssl1.txt)= da39a3ee5e6b4b0d3255bfef95601890afd80709

Symmetric encryption application

#Encode the file openssl1.txt with Base64 and output it to the file jiami.txt
[[email protected] ~]# cat openssl1.txt 
openssl
[[email protected] ~]# openssl base64 -in openssl1.txt -out jiami.txt
[[email protected] ~]# cat jiami.txt 
b3BlbnNzbAo=

DSA application

#The 1024 bit DSA parameter set is generated and output to the file jm.pem
[[email protected] ~]# openssl dsaparam -out jm.pem 1024
Generating DSA parameters, 1024 bit long prime
This could take some time
........+...........+..................+.....+..............+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*
.+...+..........+......+.....+..+......+.........+.........+.................+............+...........+..................+...........+........+............+....+.+......+....+...............................+.................+.................+.+......+.......+..........+........+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*
[[email protected] ~]# cat jm.pem 
-----BEGIN DSA PARAMETERS-----
MIIBHgKBgQCR+2rHHnotQERnaw1i3PaeeGyhZHP7Mjih9RAnNRv3oe+HO2AgiLgr
vWLbT/oRNZhdnvuW8u8b1dmm9xPwwAfkNt0cPyH+28HNJ6ImoO9qQCBVlgPnwmah
WPtA9TXIw7kJVOCUImKKXkbQvKOvlXsTgFHhhQ9GAt9gbHxmWVhqjwIVANzDXsuC
hXZDNAR6O0Dke4p/4H1XAoGAHzT3cByKaD0IN0zCXA0yXMNlyDtE8w7dlv37LcaR
7u0ZV1r4zof/g7Pf+GCHbkVUVPzTrrlkn1Wfqtl2QsmT73jMBwPl+z3Oj7DyFb8J
Nm66epCO1uLaXoIubTZa4QFCuuTarWouizo4qDYQg/vYRDBQK8N5nIh8Wfnte9gq
zTY=
-----END DSA PARAMETERS-----

RSA application

#Generate 1024 bit RSA private key, encrypt it with 3DES, the password is mingongge, and output it to the file rsa.pem
[[email protected] ~]# openssl genrsa -out rsa.pem -passout pass:mingongge -des3 1024
Generating RSA private key, 1024 bit long modulus
....................++++++
...............++++++
e is 65537 (0x10001)
[[email protected] ~]# cat rsa.pem 
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,34B51F9BE30A3448
uvI8+9g2NGBS+t6VoxUW9JvjiSSnXAHVgJXFsiPtQRIQq3tUEv48QVXOXrLMSTei
DOmScLCrU0X+il+Kl2HtTEqmqzxmP+HlbiahSMthTbXUEcqSnKt/80UxzsKFWsag
lYj5yl+skQoMYLHt0JSc2MlWA6tAHPdEb4/BoEN0zerhgVcXDlLeFXm7ni1tUmVj
mbHmM1TV03kxxzd8KQhFsQkwT/aDtm143rxVrD3NpSS4eXbzm8D4B2A3L0DMaUzk
cAql+iggvH4vS3BCKOX6h5Zr9Vyo4CGjvYSyvkASbc+fVKgvmPM9KP0+hedUH2Hc
55K1ND5S0TWa2qFWk511tKbpBT9RM5P7ipcnr3tyya/RSpVZT7EpEUm+EokOrvHg
SY6AgPSojYdDL3/WrQvJAkMQmuckpEW1lNYGSgFsQmRN8gFb8LXhr+uUf8psT3D9
+Cvo5ynkocW1P1sHpJHuA7WtW7SaRbBGwEoPKjzAfKaV41oz9Sknn1PE5LXpvtIA
zn/vVbKVQvD3ho2I2RuX5vtI7Jvy/TeKDOO9fAuNKqlR7/MmqE7OiKZovuh2xHRk
3d3qif8uH6dCe7l6rElqgONNkYYJ/dBgJ+ZV15ahJFNK10JoBqFgF9dj+vFumWGt
7FuN2kk7Qe1YSn13ZZ7M10EWDPxaMXSnjynazC8MLnokRwf1SwqsZW250J9/dbvt
BEE00IQWC+RmaRgJV+H+3gvCHyMZBRGaxUKiOftrM9Ir3w28wk2jwgSm6v6p/WUg
4JUMPAqjft82lv+MwfKn4OHnuIyfgrZGB6+oR52BToQ=
-----END RSA PRIVATE KEY-----

Learn a Linux command every day (103): dstat

Learn a Linux command every day (104): zcat

Learn a Linux command every day (105): TEE