OpenSSL naredbeni varalica

Najčešće naredbe OpenSSL i slučajevi upotrebe

Što se tiče zadataka povezanih sa sigurnošću, poput generiranja ključeva, CSR-ova, certifikata, izračunavanja sažetka, otklanjanje pogrešaka u TLS vezama i drugih zadataka povezanih s PKI-om i HTTPS-om, najvjerojatnije biste na kraju koristili alat OpenSSL.

OpenSSL uključuje tone značajki koje pokrivaju širok raspon slučajeva korištenja, a teško je zapamtiti njegovu sintaksu za sve njih i vrlo se lako izgubiti. manstranice ovdje nisu toliko korisne, pa često samo Google "openssl kako [koristiti ovdje slučaj]" ili potražimo neku vrstu "openssl cheatsheet" da bismo se prisjetili upotrebe naredbe i vidjeli primjere.

Ovaj je post moja osobna zbirka opensslisječaka naredbi i primjera, grupiranih prema slučaju korištenja.

Slučajevi upotrebe

Evo popisa slučajeva korištenja koje ću pokriti:

  1. Rad s RSA i ECDSA tipkama
  2. Stvaranje zahtjeva za potpisivanje certifikata (CSR)
  3. Stvorite certifikate X.509
  4. Provjerite CSR-ove ili certifikate
  5. Izračunajte sažetke poruka i kodiranje base64
  6. TLS klijent za povezivanje s udaljenim poslužiteljem
  7. Izmjerite TLS vezu i vrijeme rukovanja
  8. Pretvori između kodiranja (PEM, DER) i formata spremnika (PKCS12, PKCS7)
  9. Navedite apartmane za šifre
  10. Ručno provjerite status opoziva certifikata od OCSP odgovornika

To zasigurno nije cjelovit popis, ali obuhvaća najčešće slučajeve uporabe i uključuje one s kojima sam radio. Na primjer, preskačem šifriranje i dešifriranje ili koristim openssl za CA upravljanje. opensslje poput svemira. Nikad ne znate gdje završava. ?

Rad s RSA i ECDSA tipkama

U naredbama u nastavku zamijenite [bits]veličinom ključa (na primjer, 2048, 4096, 8192).

Generirajte RSA ključ:

openssl genrsa -out example.key [bits]

Ispis samo javnog ključa ili modula:

openssl rsa -in example.key -pubout

openssl rsa -in example.key -noout -modulus

Ispis tekstualnog prikaza RSA ključa:

openssl rsa -in example.key -text -noout

Generirajte novi RSA ključ i šifrirajte lozinkom na temelju AES CBC 256 šifriranja:

openssl genrsa -aes256 -out example.key [bits]

Provjerite svoj privatni ključ. Ako ključ ima pristupnu frazu, od vas će se zatražiti:

openssl rsa -check -in example.key

Uklonite zaporku s ključa:

openssl rsa -in example.key -out example.key

Šifrirajte postojeći privatni ključ frazom za prosljeđivanje:

openssl rsa -des3 -in example.key -out example_with_pass.key

Generirajte ECDSA ključ. curvese zamijeniti sa: prime256v1, secp384r1, secp521r1, ili bilo kojem podržanom eliptičkih krivulja:

openssl ecparam -genkey -name [curve] | openssl ec -out example.ec.key

Ispis tekstualnog predstavljanja ECDSA ključa:

openssl ec -in example.ec.key -text -noout

Navedite dostupne EC krivulje koje OpenSSL knjižnica podržava:

openssl ecparam -list_curves

Generiraj DH paramere zadane duljine:

openssl dhparam -out dhparams.pem [bits]

Stvaranje zahtjeva za potpisivanje certifikata (CSR)

U nastavku naredbi, zamijenite [digest]s nazivom podržanog funkcije hash: md5, sha1, sha224, sha256, sha384ili sha512, itd To je bolje izbjegavati slabe funkcije kao md5i sha1, i staviti na sha256i iznad.

Stvorite CSR iz postojećeg privatnog ključa.

openssl req -new -key example.key -out example.csr -[digest]

Stvorite CSR i privatni ključ bez lozinke u jednoj naredbi:

openssl req -nodes -newkey rsa:[bits] -keyout example.key -out example.csr

Navedite CSR informacije o subjektu na naredbenom retku, a ne putem interaktivnog upita.

openssl req -nodes -newkey rsa:[bits] -keyout example.key -out example.csr -subj "/C=UA/ST=Kharkov/L=Kharkov/O=Super Secure Company/OU=IT Department/CN=example.com"

Stvorite CSR od postojećeg certifikata i privatnog ključa:

openssl x509 -x509toreq -in cert.pem -out example.csr -signkey example.key

Generirajte CSR za SAN s više domena tako što ćete dostaviti datoteku s konfiguracijom openssl:

openssl req -new -key example.key -out example.csr -config req.conf

gdje req.conf:

[req]prompt=nodefault_md = sha256distinguished_name = dnreq_extensions = req_ext
[dn]CN=example.com
[req_ext][email protected]_names
[alt_names]DNS.1=example.comDNS.2=www.example.comDNS.3=ftp.example.com

Stvorite certifikate X.509

Stvorite samopotpisani certifikat i novi privatni ključ od nule:

openssl req -nodes -newkey rsa:2048 -keyout example.key -out example.crt -x509 -days 365

Stvorite samopotpisani certifikat koristeći postojeći CSR i privatni ključ:

openssl x509 -req -in example.csr -signkey example.key -out example.crt -days 365

Potpišite dječji certifikat vlastitim certifikatom "CA" i to je privatni ključ. Ako ste CA tvrtka, ovo pokazuje vrlo naivan primjer kako biste mogli izdavati nove certifikate.

openssl x509 -req -in child.csr -days 365 -CA ca.crt -CAkey ca.key -set_serial 01 -out child.crt

Ispis tekstualnog prikaza certifikata

openssl x509 -in example.crt -text -noout

Ispis otiska certifikata kao md5, sha1, sha256 sažetak:

openssl x509 -in cert.pem -fingerprint -sha256 -noout

Provjerite CSR-ove ili certifikate

Potvrdite CSR potpis:

openssl req -in example.csr -verify

Provjerite odgovara li privatni ključ certifikatu i CSR-u:

openssl rsa -noout -modulus -in example.key | openssl sha256

openssl x509 -noout -modulus -in example.crt | openssl sha256

openssl req -noout -modulus -in example.csr | openssl sha256

Potvrdite certifikat, pod uvjetom da imate root i sve posredničke certifikate konfigurirane kao pouzdane na vašem računalu:

openssl verify example.crt

Potvrdite certifikat kad imate srednji lanac certifikata. Root certifikat nije dio paketa i trebao bi biti konfiguriran kao pouzdan na vašem računalu.

openssl verify -untrusted intermediate-ca-chain.pem example.crt

Potvrdite certifikat kada imate srednji lanac certifikata i korijenski certifikat koji nije konfiguriran kao pouzdan.

openssl verify -CAFile root.crt -untrusted intermediate-ca-chain.pem child.crt

Potvrdite da certifikat koji poslužuje udaljeni poslužitelj pokriva dano ime hosta. Korisno za provjeru da li vaš certifikat o višestrukim domenama ispravno pokriva sva imena hosta.

openssl s_client -verify_hostname www.example.com -connect example.com:443

Izračunajte sažetke poruka i kodiranje base64

Izračunajte md5, sha1, sha256, sha384, sha512probavlja:

openssl dgst -[hash_function] ile

cat input.file | openssl [hash_function]

Base64 encoding and decoding:

cat /dev/urandom | head -c 50 | openssl base64 | openssl base64 -d

TLS client to connect to a remote server

Connect to a server supporting TLS:

openssl s_client -connect example.com:443

openssl s_client -host example.com -port 443

Connect to a server and show full certificate chain:

openssl s_client -showcerts -host example.com -port 443 ull

Extract the certificate:

openssl s_client -connect example.com:443 2>&1 certificate.pem

Override SNI (Server Name Indication) extension with another server name. Useful for testing when multiple secure sites are hosted on same IP address:

openssl s_client -servername www.example.com -host example.com -port 443

Test TLS connection by forcibly using specific cipher suite, e.g. ECDHE-RSA-AES128-GCM-SHA256. Useful to check if a server can properly talk via different configured cipher suites, not one it prefers.

openssl s_client -host example.com -port 443 -cipher ECDHE-RSA-AES128-GCM-SHA256 2>&1 v/null

Measure TLS connection and handshake time

Measure SSL connection time without/with session reuse:

openssl s_time -connect example.com:443 -new

openssl s_time -connect example.com:443 -reuse

Roughly examine TCP and SSL handshake times using curl:

curl -kso /dev/null -w "tcp:%{time_connect}, ssldone:%{time_appconnect}\n" //example.com

Measure speed of various security algorithms:

openssl speed rsa2048

openssl speed ecdsap256

Convert between encoding and container formats

Convert certificate between DER and PEM formats:

openssl x509 -in example.pem -outform der -out example.der

openssl x509 -in example.der -inform der -out example.pem

Combine several certificates in PKCS7 (P7B) file:

openssl crl2pkcs7 -nocrl -certfile child.crt -certfile ca.crt -out example.p7b

Convert from PKCS7 back to PEM. If PKCS7 file has multiple certificates, the PEM file will contain all of the items in it.

openssl pkcs7 -in example.p7b -print_certs -out example.crt

Combine a PEM certificate file and a private key to PKCS#12 (.pfx .p12). Also, you can add a chain of certificates to PKCS12 file.

openssl pkcs12 -export -out certificate.pfx -inkey privkey.pem -in certificate.pem -certfile ca-chain.pem

Convert a PKCS#12 file (.pfx .p12) containing a private key and certificates back to PEM:

openssl pkcs12 -in keystore.pfx -out keystore.pem -nodes

List cipher suites

List available TLS cipher suites, openssl client is capable of:

openssl ciphers -v

Enumerate all individual cipher suites, which are described by a short-hand OpenSSL cipher list string. This is useful when you’re configuring server (like Nginx), and you need to test your ssl_ciphers string.

openssl ciphers -v 'EECDH+ECDSA+AESGCM:EECDH+aRSA+SHA256:EECDH:DHE+AESGCM:DHE:!RSA!aNULL:!eNULL:!LOW:!RC4'

Manually check certificate revocation status from OCSP responder

This is a multi-step process:

  1. Retrieve the certificate from a remote server
  2. Obtain the intermediate CA certificate chain
  3. Read OCSP endpoint URI from the certificate
  4. Request a remote OCSP responder for certificate revocation status

First, retrieve the certificate from a remote server:

openssl s_client -connect example.com:443 2>&1 cert.pem

You’d also need to obtain intermediate CA certificate chain. Use -showcerts flag to show full certificate chain, and manually save all intermediate certificates to chain.pem file:

openssl s_client -showcerts -host example.com -port 443 ull

Read OCSP endpoint URI from the certificate:

openssl x509 -in cert.pem -noout -ocsp_uri

Request a remote OCSP responder for certificate revocation status using the URI from the above step (e.g. //ocsp.stg-int-x1.letsencrypt.org).

openssl ocsp -header "Host" "ocsp.stg-int-x1.letsencrypt.org" -issuer chain.pem -VAfile chain.pem -cert cert.pem -text -url //ocsp.stg-int-x1.letsencrypt.org

Resources

I’ve put together a few resources about OpenSSL that you may find useful.

OpenSSL Essentials: Working with SSL Certificates, Private Keys and CSRs | DigitalOcean — //www.digitalocean.com/community/tutorials/openssl-essentials-working-with-ssl-certificates-private-keys-and-csrs

The Most Common OpenSSL Commands — //www.sslshopper.com/article-most-common-openssl-commands.html

OpenSSL: Working with SSL Certificates, Private Keys and CSRs — //www.dynacont.net/documentation/linux/openssl/

Original text