OpenSSL certificate tool user manual
2022-06-29 13:39:00 【51CTO】

Author | Li Dabai
Container-related certificate types
Client certificate
Used by the server to authenticate the client, for example etcdctl, etcd proxy, fleetctl, docker client.
Server certificate
Used by the server; the client uses it to verify the server's identity, for example the docker server and kube-apiserver.
Peer certificate
A two-way certificate, used for communication between etcd cluster members.
OpenSSL brief introduction
OpenSSL is the cornerstone of secure communication on the web. Without OpenSSL, it could be said that all our information travels naked.
To understand OpenSSL, there are several preliminary concepts to become familiar with first:
SSL: SSL stands for Secure Socket Layer. It was first developed by an Internet company called Netscape, mainly to prevent information from being eavesdropped on or tampered with while it is transmitted over the Internet. Netscape later submitted SSL to ISOC for standardization, and it was renamed TLS.
Asymmetric encryption: data is encrypted with one key and can then be decrypted with a different key. These two keys are the public key and the private key. OpenSSL also includes tools for generating public and private keys, generating digests, and so on.
OpenSSL commands
3.1 Digest command (dgst)
The main feature of a message digest algorithm is that the process does not require a key, and the digested data cannot be decrypted. At present, the only thing that can be decrypted is the CRC32 algorithm. Only by inputting the same plaintext data and passing it through the same message digest algorithm can the same ciphertext be obtained. OpenSSL implements 5 message digest algorithms, namely MD2, MD5, MDC2, SHA and RIPEMD. In addition, OpenSSL also implements the two digest algorithms specified in the DSS standard, DSS and DSS1.
1) A digest generally has two uses:
1) Checking the integrity of information;
2) Storing passwords. Some passwords are stored in the database directly as MD5(real password value), and some are salted to make them harder to recover. The password can only be reset; the original cannot be told to you, because digests are irreversible.
2) Common openssl dgst options:
-out filename: save the digest to the specified file
3.2 Symmetric encryption command (enc)
OpenSSL provides a total of 8 symmetric encryption algorithms, 7 of which are block ciphers; the only stream cipher is RC4.
The 7 block ciphers are:
- AES
- DES
- Blowfish
- CAST
- IDEA
- RC2
- RC5
All of them support the four commonly used block cipher modes: electronic codebook (ECB), cipher block chaining (CBC), cipher feedback (CFB) and output feedback (OFB).
For AES, the block length used in cipher feedback (CFB) and output feedback (OFB) modes is 128 bits; the other algorithms use 64 bits. In fact, DES support covers not only the common DES algorithm but also three-key and two-key 3DES. Syntax format:
Options:
- -in: input file
- -out: output file
- -pass: password
- -e: encryption operation
- -d: decryption operation
- -a/-base64: base64 encode/decode, depending on the encryption flag; whether the result is base64-encoded
- -k: the passphrase is the next argument
- -kfile: the passphrase is the first line of the file given as the next argument
- -md: digest algorithm used for key generation; the default is MD5
- -S: salt in hex is the next argument; used for salted encryption
- -K/-iv: key/IV in hex is the next argument; the key and IV vector required for encryption
- -[pP]: print the generated key and IV vector on the console (then exit if -P)
- -bufsize: buffer size for reading and writing files; in general it does not need to be specified
- -nopad: disable standard block padding
- -engine e: use engine e, possibly a hardware device; specifies a third-party encryption device
Cipher types: the following are some of the algorithms that can be selected for encryption:
-aes-128-cbc -aes-128-cbc-hmac-sha1 -aes-128-cfb -aes-128-cfb1 -aes-128-cfb8 -aes-128-ctr -aes-128-ecb -aes-128-gcm -aes-128-ofb
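An added example (not from the original article) that exercises the enc options listed above: -P with -S to show that the key and IV are derived from the passphrase and salt, and an -e/-d round trip with -a. The passphrase, salts and sample text are constructed values.

```shell
#!/bin/sh
# Constructed demo passphrase (not from the original page). It is handed to
# openssl through env: so it does not show up in the process list.
export ENC_PASS='constructed-demo-passphrase'

# derive_key SALT_HEX: show the key and IV that enc derives from the passphrase.
# -P prints salt/key/iv and exits without encrypting anything.
derive_key() {
    openssl enc -aes-128-cbc -md sha256 -pass env:ENC_PASS \
        -S "$1" -P </dev/null 2>/dev/null | grep -E '^(key|iv)'
}

# roundtrip TEXT: encrypt to base64 (-e -a), then decrypt (-d -a).
# -md is given on both sides so the derived key does not depend on the
# default digest of whichever openssl build does the decrypting.
roundtrip() {
    printf '%s' "$1" |
        openssl enc -e -aes-128-cbc -a -md sha256 -pass env:ENC_PASS 2>/dev/null |
        openssl enc -d -aes-128-cbc -a -md sha256 -pass env:ENC_PASS 2>/dev/null
}

# salt_header TEXT: first 8 bytes of raw (non-base64) output. When enc picks a
# random salt it stores it in the file behind this marker, which is why
# decryption needs only the passphrase.
salt_header() {
    printf '%s' "$1" |
        openssl enc -e -aes-128-cbc -md sha256 -pass env:ENC_PASS 2>/dev/null |
        head -c 8
}

derive_key 0102030405060708
roundtrip 'constructed sample plaintext'; echo
salt_header 'constructed sample plaintext'; echo
```

The same salt always yields the same key and IV, so the strength of the result rests entirely on the passphrase and the digest chosen with -md.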
3.3 Asymmetric encryption commands
OpenSSL implements 4 asymmetric encryption algorithms:
- DH: generally used for key exchange
- RSA: can be used for key exchange, digital signatures (commonly used), and also data encryption (slow)
- DSA
- Elliptic curve (EC)
【Generate private key】
Use the openssl subcommand genrsa to generate a private key, then use the subcommand rsa to extract the public key from the private key. genrsa generates only the RSA private key; no public key is generated, because the public key is extracted from the private key. Syntax format:
-out filename: save the generated private key to the file filename; if no output file is specified, it is written to standard output.
-numbits: specifies the length of the private key to generate; the default is 1024. This must be the last argument on the command line.
-des|-des3|-idea: specifies the algorithm used to encrypt the private key file. With this set, the password must be entered every time the private key file is used, which is cumbersome.
-passout args: the format for passing the password when encrypting the private key file. If no password is specified when encrypting the private key file, you are prompted for one. The formats for args are:
pass:password: password is the plaintext password to pass
env:var: get the password value from the environment variable var
file:filename: the first line of the file filename is the password to pass. If the same filename is given to both the "-passin" and "-passout" options, its first line is the "-passin" value and its second line is the "-passout" value
stdin: get the password to pass from standard input
【Extract public key】
Use the rsa subcommand to extract the public key from the generated private key file. Syntax format:
openssl rsa [-inform PEM|NET|DER] [-outform PEM|NET|DER] [-in filename] [-passin arg] [-out filename] [-passout arg] [-sgckey] [-des] [-des3] [-idea] [-text] [-noout] [-modulus] [-check] [-pubin] [-pubout] [-RSAPublicKey_in] [-RSAPublicKey_out] [-engine id]
Options:
-inform arg: input file encoding format; only pem and der
-outform arg: output file encoding format; only pem and der
-in arg: input file; the storage path of the private key file
-sgckey: use the IIS SGC key format
-passin arg: if the input file is symmetrically encrypted, the password of the input file must be specified
-out arg: output file; the path where the public key is saved
-passout arg: if the output file also needs to be symmetrically encrypted, the password of the output file must be specified
-des: symmetrically encrypt the output with the des algorithm
-des3: symmetrically encrypt the output with the des3 algorithm
-seed: encrypt the PEM output with CBC SEED
-aes128, -aes192, -aes256: encrypt the PEM output with CBC AES
-camellia128, -camellia192, -camellia256
The options above specify the symmetric encryption algorithm; they are usually used when generating a private key.
-text: output the parameter values in clear text
-noout: do not output the key to any file
-modulus: output the modulus value
-check: check the correctness and consistency of the input key
-pubin: specifies that the input file is a public key
-pubout: specifies that the output file is a public key
-engine e: specify a third-party encryption library or hardware
【Encrypt with the public key, decrypt with the private key】
Use rsautl to perform the encryption and decryption operations. The syntax is as follows:
openssl rsautl [-in file] [-out file] [-inkey file] [-pubin] [-certin] [-sign] [-verify] [-encrypt] [-decrypt] [-pkcs] [-ssl] [-raw] [-hexdump] [-asn1parse]
openssl rsautl -h
Usage: rsautl [options]
-in file: input file
-out file: output file
-inkey file: specify the private key file; the format is an RSA private key file
-keyform: specify the format of the private key (the default is PEM)
-pubin: the input is an RSA public key
-certin: the input is a certificate carrying an RSA public key
-ssl: use SSLv2 padding
-raw: no padding
-pkcs: use V1.5 padding (default)
-oaep: use OAEP padding
-sign: sign with the private key
-verify: verify a signature with the public key
-encrypt: encrypt with the public key
-decrypt: decrypt with the private key
-hexdump: print in hexadecimal
-engine e: specify a third-party library or hardware device
-passin arg: pass phrase source; where the password is passed from
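An added example (not from the original article) that chains the three subcommands described above: genrsa with an encrypted private key, rsa -pubout and -check, and an rsautl encrypt/decrypt round trip with OAEP padding. The passphrase, file names and sample text are constructed; the passphrase is passed with env: rather than pass: so it never appears on a command line.

```shell
#!/bin/sh
# Constructed demo passphrase, read by openssl through env:KEY_PASS.
export KEY_PASS='constructed-demo-passphrase'
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_keys: AES-256-encrypted 2048-bit private key, then the public key
# extracted from it (the bit length must be the last genrsa argument).
make_keys() {
    openssl genrsa -aes256 -passout env:KEY_PASS \
        -out "$WORK/priv.pem" 2048 2>/dev/null &&
    openssl rsa -in "$WORK/priv.pem" -passin env:KEY_PASS \
        -pubout -out "$WORK/pub.pem" 2>/dev/null
}

# key_is_consistent: -check validates the private key; -noout suppresses the
# key dump, so only the exit status matters here.
key_is_consistent() {
    openssl rsa -in "$WORK/priv.pem" -passin env:KEY_PASS \
        -check -noout >/dev/null 2>&1
}

# rsa_roundtrip TEXT: encrypt with the public key (-pubin), decrypt with the
# private key. -oaep replaces the default V1.5 padding on both sides.
rsa_roundtrip() {
    printf '%s' "$1" |
        openssl rsautl -encrypt -oaep -pubin -inkey "$WORK/pub.pem" 2>/dev/null |
        openssl rsautl -decrypt -oaep -inkey "$WORK/priv.pem" \
            -passin env:KEY_PASS 2>/dev/null
}

make_keys && key_is_consistent && rsa_roundtrip 'constructed session secret' && echo
```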
Options:
-subj: the value in "/CN=value" is the master's hostname or IP address;
-days: sets the validity period of the certificate.
# Generate a 2048-bit private key
$ openssl genrsa -out etcd_server.key 2048
# Create a certificate signing request from that key
$ openssl req -new \
    -key etcd_server.key \
    -config etcd_ssl.cnf \
    -subj "/CN=etcd-server" \
    -out etcd_server.csr
-new: -key: -config: -subj: -out:
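An added example (not from the original article) that runs the two commands above against a constructed etcd_ssl.cnf and then inspects the resulting CSR. The article names that file without showing it, so the config contents, SAN entries and key usages here are assumptions chosen to match the peer certificate type described at the top of the page.

```shell
#!/bin/sh
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed etcd_ssl.cnf (assumption: not the article's file). A peer
# certificate is used in both directions, so it requests serverAuth and
# clientAuth; a server-only or client-only certificate would list just one.
cat > "$WORK/etcd_ssl.cnf" <<'EOF'
[ req ]
distinguished_name = req_dn
req_extensions     = v3_req
prompt             = no

[ req_dn ]
CN = overridden-by-subj

[ v3_req ]
keyUsage         = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName   = @alt_names

[ alt_names ]
DNS.1 = etcd-server
IP.1  = 127.0.0.1
EOF

# make_csr: the article's genrsa and req commands, with paths under $WORK.
make_csr() {
    openssl genrsa -out "$WORK/etcd_server.key" 2048 2>/dev/null &&
    openssl req -new -key "$WORK/etcd_server.key" \
        -config "$WORK/etcd_ssl.cnf" -subj "/CN=etcd-server" \
        -out "$WORK/etcd_server.csr"
}

# csr_text: check the CSR self-signature and dump what a CA is asked to sign.
csr_text() {
    openssl req -in "$WORK/etcd_server.csr" -config "$WORK/etcd_ssl.cnf" \
        -noout -verify -text 2>/dev/null
}

make_csr && csr_text | grep -E 'Subject:|Authentication|DNS:'
```

Reviewing the CSR text before signing shows whether the subject, SAN entries and key usages match the role the certificate is meant for.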
https://blog.csdn.net/caijiwyj/article/details/106840234