$ openssl speed
$ openssl s_client -CApath /etc/ssl/certs/ -connect student.bmstu.ru:443 $ openssl s_client -CApath /etc/ssl/certs/ -showcerts -connect student.bmstu.ru:443 $ openssl s_client -CApath /etc/ssl/certs/ -starttls smtp -crlf -connect mailhub.bmstu.ru:25 $ openssl s_client -cert user1.crt -key user1.key -connect www.corpX.un:443
GET /cgi-bin/test-cgi HTTP/1.1 Host: www.corpX.un
$ openssl s_client -cert user1.crt -key user1.key -connect server.corpX.un:993
01 AUTHENTICATE EXTERNAL =
# openssl enc -aes-256-cbc -e -md md5 -in /root/spa-000E08NNNNNN.cfg -out spa-000E08NNNNNN.enc -pass pass:spapassword # openssl enc -aes-256-cbc -d -md md5 -in spa-000E08NNNNNN.enc -out spa-000E08NNNNNN.cfg -pass pass:spapassword
user1@server:~$ openssl genrsa 1024 > key.private user1@server:~$ openssl rsa -pubout < key.private > key.public user1@server:~$ scp key.public user2@www:
user2@www:~$ openssl rsautl -encrypt -inkey key.public -pubin < data.txt > data.enc user2@www:~$ scp data.enc user1@server: user1@server:~$ openssl rsautl -decrypt -inkey key.private < data.enc > data.txt
user1@server:~$ openssl dgst -sha256 -sign key.private -out data.sign data.txt user1@server:~$ scp data.* user2@www: user2@www:~$ openssl dgst -sha256 -verify key.public -signature data.sign data.txt
# openssl dhparam -out dh1024.pem 1024
server# openssl genrsa -out server.key 1024 server# chmod 400 server.key
server# openssl req -new -x509 -days 3650 -key server.key -out server.crt
... Country Name (2 letter code) [AU]:RU State or Province Name (full name) [Some-State]:Moscow region Locality Name (eg, city) []:Moscow Organization Name (eg, company) [Internet Widgits Pty Ltd]:cko Organizational Unit Name (eg, section) []:noc Common Name (eg, YOUR name) []:server.corpX.un Email Address []:noc@corpX.un
server# openssl x509 -text -noout -in server.crt
server# openssl verify server.crt ... error 20 at 0 depth lookup: unable to get local issuer certificate error server.crt: verification failed
server# cp corpX-PDC-CA.crt /usr/local/share/ca-certificates/corpX-PDC-CA.crt # update-ca-certificates Updating certificates in /etc/ssl/certs... 1 added, 0 removed; done. ... server# ls /etc/ssl/certs | grep corp ... server# openssl verify server.crt server.crt: OK
server# rm /usr/local/share/ca-certificates/corpX-PDC-CA.crt server# rm /etc/ssl/certs/corpX-PDC-CA.pem server# update-ca-certificates
lan# cat /etc/ssl/openssl.cnf
... [ CA_default ] dir = /root/CA ... certificate = /var/www/html/ca.crt # for linux certificate = /usr/local/www/apache24/data/ca.crt # for freebsd ... crl = /var/www/html/ca.crl # for linux crl = /usr/local/www/apache24/data/ca.crl # for freebsd private_key = $dir/ca.key ...
cd mkdir CA mkdir CA/certs mkdir CA/newcerts mkdir CA/crl touch CA/index.txt echo "01" > CA/serial echo "01" > CA/crlnumber
lan# openssl genrsa -des3 -out CA/ca.key 1024
Generating RSA key, 1024 bits Enter PEM pass phrase:Pa$$w0rd Verifying - Enter PEM pass phrase:Pa$$w0rd
lan# cat /etc/ssl/openssl.cnf
... [ req_distinguished_name ] countryName_default = RU ... stateOrProvinceName_default = Moscow region ... localityName_default = Moscow ... 0.organizationName_default = cko ... organizationalUnitName_default = noc ... emailAddress_default = userX@isp.un ...
lan# openssl req -new -x509 -days 3650 -key CA/ca.key -out /var/www/html/ca.crt
Enter pass phrase for ca.key:Pa$$w0rd ... Country Name (2 letter code) [AU]:RU State or Province Name (full name) [Some-State]:Moscow region Locality Name (eg, city) []:Moscow Organization Name (eg, company) [Internet Widgits Pty Ltd]:cko Organizational Unit Name (eg, section) []:noc Common Name (eg, YOUR name) []:corpX.un Email Address []:noc@corpX.un
lan# openssl ca -gencrl -out /var/www/html/ca.crl
Enter pass phrase for ./CA/ca.key:Pa$$w0rd
www# openssl genrsa -out www.key 1024 www# chmod 400 www.key
lan# scp /etc/ssl/openssl.cnf www:/etc/ssl/ www# openssl req -new -key www.key -out www.req
... Country Name (2 letter code) [AU]:RU State or Province Name (full name) [Some-State]:Moscow region Locality Name (eg, city) []:Moscow Organization Name (eg, company) [Internet Widgits Pty Ltd]:cko Organizational Unit Name (eg, section) []:noc Common Name (eg, YOUR name) []:www.corpX.un Email Address []:noc@corpX.un Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []:
www# scp www.req lan: lan# openssl req -text -noout -in www.req
lan# openssl ca -days 365 -in www.req -out www.crt lan# cat CA/index.txt lan# ls CA/newcerts/
lan# scp www.crt www: www# rm www.req
www# wget http://lan.corpX.un/ca.crt www# openssl verify -CAfile ca.crt www.crt
$ openssl x509 -noout -modulus -in www.crt | openssl md5 $ openssl rsa -noout -modulus -in www.key | openssl md5
www# openssl rsa -des3 -in www.clkey -out www.enckey
# cat /etc/ssl/openssl.cnf
... [ req ] ... req_extensions = v3_req ... [ v3_req ] # Extensions to add to a certificate request #basicConstraints = CA:FALSE #keyUsage = nonRepudiation, digitalSignature, keyEncipherment subjectAltName = @alt_names [ alt_names ] DNS.1 = corpX.un DNS.2 = server.corpX.un ...
$ openssl genrsa -out user1.key 1024
$ openssl req -new -key user1.key -out user1.req ... Country Name (2 letter code) [RU]: State or Province Name (full name) [Moscow region]: Locality Name (eg, city) [Moscow]: Organization Name (eg, company) [cko]: Organizational Unit Name (eg, section) []:group1 Common Name (eg, YOUR name) []:user1 Email Address []:user1@corpX.un ...
lan# openssl ca -days 365 -in user1.req -out user1.crt lan# cat CA/index.txt lan# ls CA/newcerts/
!!! Сразу импортировать в хранилище сертификатов на клиенте !!!
$ openssl pkcs12 -export -in user1.crt -inkey user1.key -out user1.p12 -passout pass:ppassword1 $ openssl pkcs12 -info -in user1.p12
lan# less CA/index.txt lan# openssl ca -revoke CA/newcerts/02.pem lan# less CA/index.txt lan# openssl ca -gencrl -out /var/www/html/ca.crl