# openssl command-line HOWTO
- version check
[root@test1 ~]# openssl version
OpenSSL 0.9.8b 04 May 2006
[root@test1 ~]# openssl version -a
OpenSSL 0.9.8b 04 May 2006
built on: Sat Jun 14 19:32:53 EDT 2008
platform: linux-elf
options: bn(64,32) md2(int) rc4(idx,int) des(ptr,risc1,16,long) blowfish(idx)
compiler: gcc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS
-D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DKRB5_MIT
-I/usr/kerberos/include -DL_ENDIAN -DTERMIO -Wall -O2 -g -pipe -Wall
-Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector
--param=ssp-buffer-size=4 -m32 -march=i686 -mtune=generic
-fasynchronous-unwind-tables -Wa,--noexecstack
-DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DSHA1_ASM -DMD5_ASM
-DRMD160_ASM -DAES_ASM
OPENSSLDIR: "/etc/pki/tls"
engines: dynamic padlock
- system performance benchmark
[root@test1 ~]# openssl speed
Doing md2 for 3s on 16 size blocks: 366537 md2's in 2.99s
Doing md2 for 3s on 64 size blocks: 196011 md2's in 2.98s
Doing md2 for 3s on 256 size blocks: 74737 md2's in 2.98s
Doing md2 for 3s on 1024 size blocks: 21167 md2's in 2.99s
Doing md2 for 3s on 8192 size blocks: 2545 md2's in 2.98s
- remote connection benchmark
[root@test1 ~]# openssl s_time -connect mail.google.com:443
No CIPHER specified
Collecting connection statistics for 30 seconds
tttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttt
70 connections in 0.07s; 1000.00 connections/user sec, bytes read 0
70 connections in 31 real seconds, 0 bytes read per connection
Now timing with session id reuse.
starting
rtrrrrrrrrttrrrtttrtttrrrrrrrrrtrttttrrrrrtttttttrtrtrttttttrrrrttrttrrtrtrtrtrttttttrttrrrr
92 connections in 0.05s; 1840.00 connections/user sec, bytes read 0
92 connections in 31 real seconds, 0 bytes read per connection
- generate a self-signed certificate (key and certificate are written to the same file; -nodes leaves the private key unencrypted)
[root@test1 ~]# openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout mycert.pem -out mycert.pem
Generating a 1024 bit RSA private key
...................++++++
...........................................................++++++
writing new private key to 'mycert.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:KR
State or Province Name (full name) [Berkshire]:Seoul
Locality Name (eg, city) [Newbury]:Seoul
Organization Name (eg, company) [My Company Ltd]:xxx
Organizational Unit Name (eg, section) []:xxx
Common Name (eg, your name or your server's hostname) []:www.xxx.xxx
Email Address []:xxx@xxx.xxx
[root@test1 ~]# openssl req -x509 -nodes -days 365 -subj '/C=KR/ST=Seoul/L=Seoul/CN=www.xxx.xxx' -newkey rsa:1024 -keyout mycert1.pem -out mycert1.pem
Generating a 1024 bit RSA private key
.....................++++++
...........................................++++++
writing new private key to 'mycert1.pem'
- generate a certificate signing request (CSR) to have a certificate issued by a CA
[root@test1 ~]# openssl req -new -newkey rsa:1024 -nodes -keyout mykey.pem -out myreq.pem
Generating a 1024 bit RSA private key
.................++++++
...........++++++
writing new private key to 'mykey.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:KR
State or Province Name (full name) [Berkshire]:SEOUL
Locality Name (eg, city) [Newbury]:SEOUL
Organization Name (eg, company) [My Company Ltd]:xxx
Organizational Unit Name (eg, section) []:LINUX
Common Name (eg, your name or your server's hostname) []:www.xxx.xxx
Email Address []:xxx@xxx.xxx
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@test1 ~]# openssl req -new -newkey rsa:1024 -nodes -subj '/CN=www.xxx.xxx/O=My Dom,Inc./C=US/ST=Oregon/L=KOREA' -keyout mykey1.pem -out myreq1.pem
Generating a 1024 bit RSA private key
........++++++
...++++++
writing new private key to 'mykey1.pem'
-----
- check the CSR signature and view its contents
[root@test1 ~]# openssl req -in myreq.pem -noout -verify -key mykey.pem
verify OK
[root@test1 ~]# openssl req -in myreq.pem -noout -text
Certificate Request:
Data:
Version: 0 (0x0)
Subject: C=KR, ST=SEOUL, L=SEOUL, O=xxx, OU=LINUX, CN=www.xxx.xxx/emailAddress=xxx@xxx.net
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:a9:d9:49:da:4a:55:2a:60:fc:25:e4:13:26:e2:
a7:91:2c:42:24:87:e3:74:a6:82:44:3a:b8:5b:94:
df:ff:44:60:90:bd:2e:5f:5c:26:a4:e6:5c:59:3d:
a7:2c:51:5e:9c:44:f0:f8:8f:b7:41:b9:41:67:0b:
a7:42:e3:2f:d1:49:12:e2:11:2d:4f:3b:6e:e8:ca:
18:fe:d0:c6:0a:41:ba:3a:08:49:80:ab:f5:5a:e5:
29:f4:eb:ae:39:66:c9:d2:13:c4:da:89:b9:48:20:
88:15:bc:74:8e:de:a7:24:d2:97:03:50:3d:fd:0e:
79:fd:8a:30:74:bd:1b:fe:91
Exponent: 65537 (0x10001)
Attributes:
a0:00
Signature Algorithm: sha1WithRSAEncryption
86:c5:07:a9:00:d6:c9:83:15:cf:1b:95:9f:1a:ae:7d:37:ef:
81:47:72:ce:77:30:06:ae:0b:53:2d:08:2c:2a:69:ab:e3:e9:
92:08:e6:94:f6:e7:ae:86:3a:ab:47:2c:da:47:a6:e4:90:4a:
fb:5b:73:07:e7:5d:6f:b4:47:1e:bc:f4:5f:d3:4b:f9:6f:df:
b6:23:33:63:29:c8:07:ae:cf:60:c8:e1:30:fd:f4:b4:a5:e9:
d3:53:9f:13:24:66:f1:b4:e3:67:8e:e0:7c:57:56:e1:6d:d4:
e4:10:0c:f1:f5:10:70:bb:eb:5f:6c:62:f6:cb:43:d1:79:77:
52:8a
- test certificate
[root@test1 ~]# openssl s_server -cert mycert.pem -www
Using default temp DH parameters
ACCEPT
[root@test1 ~]# vi mycert.pem ---> open the file and insert a stray "1" anywhere in it
[root@test1 ~]# openssl s_server -cert mycert.pem -www
unable to load certificate
2612:error:0906D064:PEM routines:PEM_read_bio:bad base64 decode:pem_lib.c:759:
- retrieve a remote server's certificate
#!/bin/sh
#
# usage: retrieve-cert.sh remote.host.name [port]
#
REMHOST=$1
REMPORT=${2:-443}
test -n "$REMHOST" || { echo "usage: $0 remote.host.name [port]" >&2; exit 1; }
# s_client prints the server certificate between the BEGIN/END markers;
# the empty echo closes stdin so s_client exits after the handshake
echo |\
openssl s_client -connect "${REMHOST}:${REMPORT}" 2>&1 |\
sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'
[root@test1 ~]# chmod 700 retrieve-cert.sh
[root@test1 ~]# ./retrieve-cert.sh mail.google.com 443
-----BEGIN CERTIFICATE-----
(base64 certificate body omitted)
-----END CERTIFICATE-----
- view certificate information
[root@test1 ~]# openssl x509 -text -in mycert.pem
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
9b:9a:2a:15:19:eb:3f:91
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=KR, ST=Seoul, L=Seoul, O=Hanbiro, OU=LINUX, CN=www.xxx.xxx/emailAddress=xxx@xxx.xxx
Validity
Not Before: Jan 16 07:25:13 2009 GMT
Not After : Jan 16 07:25:13 2010 GMT
Subject: C=KR, ST=Seoul, L=Seoul, O=Hanbiro, OU=LINUX, CN=www.xxx.xxx/emailAddress=xxx@xxx.xxx
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:c2:3a:f5:c0:79:f2:85:82:c8:6e:5e:70:f6:e5:
c0:14:34:86:65:8f:47:3c:0e:f8:d5:0a:b4:63:a6:
41:9d:f7:69:af:95:7b:a9:f7:70:6b:d6:3e:8f:96:
5a:ff:65:e2:40:e9:38:90:da:4a:69:55:82:de:69:
3f:fb:8f:87:6d:1a:d3:23:57:d6:c7:2e:9d:b4:a7:
c9:e6:56:54:cb:00:d6:ad:b0:77:c0:d7:64:c4:41:
30:81:bf:6b:e1:e3:9b:89:92:89:0a:10:1f:7b:8e:
0b:5c:ce:cc:be:79:84:ae:84:68:91:e3:9d:4c:37:
07:7f:2d:46:fa:a9:05:6c:0d
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
90:C6:AD:4C:DD:8B:2B:5C:C9:F1:5F:49:CF:42:B0:B1:84:E6:50:73
X509v3 Authority Key Identifier:
keyid:90:C6:AD:4C:DD:8B:2B:5C:C9:F1:5F:49:CF:42:B0:B1:84:E6:50:73
DirName:/C=KR/ST=Seoul/L=Seoul/O=Hanbiro/OU=LINUX/CN=www.xxx.xxx/emailAddress=xxx@xxx.xxx
serial:9B:9A:2A:15:19:EB:3F:91
X509v3 Basic Constraints:
CA:TRUE
Signature Algorithm: sha1WithRSAEncryption
0b:90:26:46:b8:89:8f:3e:64:a0:73:fb:9e:3d:a4:46:f3:9b:
64:b2:3a:3a:9f:46:a7:e4:2f:3c:69:15:dc:49:c6:42:c8:80:
92:55:1c:ad:94:1a:74:5b:35:fa:f5:45:0b:4b:08:58:9a:5a:
16:c3:de:b4:fa:46:80:45:ab:8d:fd:49:d0:19:c2:87:4b:bd:
85:40:a3:a4:2e:7d:18:06:9d:71:ba:b2:25:1b:8e:39:f8:84:
7e:50:92:c9:01:5b:19:76:33:6f:fb:f2:62:5d:ae:e7:17:9b:
94:3b:20:b7:79:d3:a0:7c:9a:77:a3:af:94:73:73:97:1a:11:
b6:fe
-----BEGIN CERTIFICATE-----
(base64 certificate body omitted)
-----END CERTIFICATE-----
- who issued the certificate
[root@test1 ~]# openssl x509 -noout -in mycert.pem -issuer
issuer= /C=KR/ST=Seoul/L=Seoul/O=Hanbiro/OU=LINUX/CN=www.xxx.xxx/emailAddress=xxx@xxx.xxx
- to whom was it issued
[root@test1 ~]# openssl x509 -noout -in mycert.pem -subject
subject= /C=KR/ST=Seoul/L=Seoul/O=Hanbiro/OU=LINUX/CN=www.xxx.xxx/emailAddress=xxx@xxx.xxx
- valid date check
[root@test1 ~]# openssl x509 -noout -in mycert.pem -dates
notBefore=Jan 16 07:25:13 2009 GMT
notAfter=Jan 16 07:25:13 2010 GMT
- subject name hash (the value the -CApath symlinks below are named after)
[root@test1 ~]# openssl x509 -noout -in mycert.pem -hash
aca2c8c5
- fingerprint (SHA1 by default in this release; -md5 or -sha256 selects the digest)
[root@test1 ~]# openssl x509 -noout -in mycert.pem -fingerprint
SHA1 Fingerprint=AF:21:AB:00:1F:2D:12:01:53:63:AE:2F:F5:DD:29:2E:51:4F:70:76
- .pfx (Microsoft IIS); the input PEM must contain both the private key and the certificate
pem -> pfx
[root@test1 ~]# openssl pkcs12 -export -out mycert2.pfx -in mycert2.pem -name "My Certificate"
Enter Export Password:
Verifying - Enter Export Password:
pfx -> pem
[root@test1 ~]# openssl pkcs12 -in mycert2.pfx -out mycert3.pem -nodes
Enter Import Password:
MAC verified OK
- verify cert (in this release the verify callback treats error 18, self signed certificate, as a warning and still prints OK; to check a certificate against a real trust anchor pass -CAfile or -CApath)
[root@test1 ~]# openssl verify mycert2.pem
mycert2.pem: /C=KR/ST=SEOUL/L=SEOUL/O=HANBIRO/OU=LINUX/CN=xxx.xxx.xxx/emailAddress=xxx@xxx.xxx
error 18 at 0 depth lookup:self signed certificate
OK
- hash-based symlink (the <hash>.N layout that -CApath expects; OpenSSL 1.0.0 changed the subject hash, so on newer releases use -subject_hash, or -subject_hash_old for a link a 0.9.8 client can find, or simply run c_rehash)
#!/bin/sh
#
# usage: certlink.sh filename [filename ...]
for CERTFILE in "$@"; do
# make sure file exists and is a valid cert
test -f "$CERTFILE" || continue
HASH=$(openssl x509 -noout -hash -in "$CERTFILE" 2>/dev/null)
test -n "$HASH" || continue
# use lowest available iterator for symlink
for ITER in 0 1 2 3 4 5 6 7 8 9; do
test -f "${HASH}.${ITER}" && continue
ln -s "$CERTFILE" "${HASH}.${ITER}"
test -L "${HASH}.${ITER}" && break
done
done
[root@test1 ~]# ./certlink.sh google.pem
lrwxrwxrwx 1 root root 10 Jan 16 18:41 d501b87e.0 -> google.pem
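The self-signed certificate, CSR, verify and hashed-symlink steps above, run end to end as an added example that is not part of the original page: it builds a throw-away private CA, signs a server CSR with server (not CA) extensions, and then runs the checks a deployment should pass, including the -CApath lookup that certlink.sh prepares by hand. It assumes a current openssl (1.1.1 or 3.x) on PATH; example.test, ca.cnf and $WORK are names chosen for this example. -subject_hash is the hash introduced in OpenSSL 1.0.0; a 0.9.8 client like the one on this page needs the value from -subject_hash_old instead.

```sh
#!/bin/sh
# Added example, not from the original page: a throw-away private CA, a
# server CSR signed by it, and the checks that prove the result. Assumes a
# current openssl (1.1.1 or 3.x) on PATH; example.test, ca.cnf and $WORK
# are names chosen for this example.
set -eu
WORK=${WORK:-$(mktemp -d)}

# One config file serves both the CA self-signature and the server extensions.
write_config() {
    cat >"$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
C = KR
[v3_ca]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_server]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
subjectAltName = DNS:www.example.test, DNS:example.test
EOF
}

# 1. CA key and self-signed CA certificate, no interactive prompts (-subj).
make_ca() {
    openssl genrsa -out "$WORK/ca.key" 2048 2>/dev/null
    openssl req -x509 -new -key "$WORK/ca.key" -sha256 -days 365 \
        -config "$WORK/ca.cnf" -extensions v3_ca \
        -subj '/C=KR/ST=Seoul/O=Example/CN=Example Root CA' \
        -out "$WORK/ca.pem"
}

# 2. Server key and CSR (what you would send to a CA), then sign the CSR
#    ourselves with v3_server so the leaf does not inherit CA:TRUE.
make_server_cert() {
    openssl genrsa -out "$WORK/server.key" 2048 2>/dev/null
    openssl req -new -key "$WORK/server.key" -config "$WORK/ca.cnf" \
        -subj '/C=KR/ST=Seoul/O=Example/CN=www.example.test' \
        -out "$WORK/server.csr"
    openssl req -in "$WORK/server.csr" -noout -verify    # CSR self-signature
    openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.pem" \
        -CAkey "$WORK/ca.key" -CAcreateserial -days 90 -sha256 \
        -extfile "$WORK/ca.cnf" -extensions v3_server \
        -out "$WORK/server.pem" 2>/dev/null
}

# 3. Checks: the exit status is the interface, not the printed text, which
#    differs between releases.
verify_against_ca() {        # chain and hostname against our trust anchor
    openssl verify -CAfile "$WORK/ca.pem" -verify_hostname www.example.test \
        "$WORK/server.pem" >/dev/null 2>&1
}
verify_without_ca() {        # no trust anchor given: must fail (error 20)
    openssl verify "$WORK/server.pem" >/dev/null 2>&1
}
key_matches_cert() {         # public key in the cert == public half of the key
    [ "$(openssl x509 -in "$WORK/server.pem" -noout -pubkey)" = \
      "$(openssl pkey -in "$WORK/server.key" -pubout)" ]
}
not_expiring_within() {      # $1 seconds; 0 if still valid after that
    openssl x509 -in "$WORK/server.pem" -noout -checkend "$1" >/dev/null
}

# 4. A hashed directory for -CApath, the layout certlink.sh builds by hand.
#    -subject_hash is the 1.0.0+ hash; a 0.9.8 client needs -subject_hash_old.
make_capath() {
    mkdir -p "$WORK/certs"
    ln -sf "$WORK/ca.pem" \
        "$WORK/certs/$(openssl x509 -noout -subject_hash -in "$WORK/ca.pem").0"
}
verify_with_capath() {
    openssl verify -CApath "$WORK/certs" "$WORK/server.pem" >/dev/null 2>&1
}

write_config; make_ca; make_server_cert; make_capath
verify_against_ca && echo "chain and hostname: OK"
verify_without_ca || echo "without -CAfile: rejected, as expected"
key_matches_cert && echo "server.key matches server.pem"
not_expiring_within 86400 && echo "not expiring within 24h"
verify_with_capath && echo "-CApath lookup: OK"
openssl x509 -noout -fingerprint -sha256 -in "$WORK/server.pem"
```

The leaf is signed with its own extension section so it carries CA:FALSE and a subjectAltName; a certificate made with the page's one-line req -x509 form inherits CA:TRUE from the default config, which is why the self-signed example above shows that flag. Comparing the public keys (rather than trusting file names) is the quickest way to tell whether a key file really belongs to a certificate.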
- SMTP STARTTLS check (the verify error 19 below only means no trust store was supplied; add -CAfile or -CApath to validate the chain)
[root@test1 ~]# openssl s_client -connect smtp2.google.com:25 -starttls smtp
CONNECTED(00000003)
depth=1 /C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Premium Server CA/emailAddress=premium-server@thawte.com
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=smtp2.google.com
i:/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Premium Server CA/emailAddress=premium-server@thawte.com
1 s:/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Premium Server CA/emailAddress=premium-server@thawte.com
i:/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Premium Server CA/emailAddress=premium-server@thawte.com
---
Server certificate
-----BEGIN CERTIFICATE-----
(base64 certificate body omitted)
-----END CERTIFICATE-----
subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=smtp2.google.com
issuer=/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Premium Server CA/emailAddress=premium-server@thawte.com
---
Acceptable client certificate CA names
/C=US/ST=Utah/L=Salt Lake City/O=Xcert EZ by DST/CN=Xcert EZ by DST/emailAddress=ca@digsigtrust.com
/C=US/O=Digital Signature Trust Co./OU=DST (ANX Network) CA
/C=US/O=American Express Company, Inc./OU=American Express Technologies/CN=American Express Certificate Authority
/C=US/O=American Express Company, Inc./OU=American Express Technologies/CN=American Express Global Certificate Authority
/C=BE/L=Brussels/O=BelSign NV/OU=BelSign Object Publishing Certificate Authority/CN=BelSign Object Publishing CA/emailAddress=webmaster@belsign.be
/C=BE/L=Brussels/O=BelSign NV/OU=BelSign Secure Server Certificate Authority/CN=BelSign Secure Server CA/emailAddress=webmaster@belsign.be
/C=DE/O=Deutsche Telekom AG/OU=TeleSec Trust Center/CN=Deutsche Telekom Root CA
/C=US/O=Digital Signature Trust Co./OU=DSTCA E1
/C=us/ST=Utah/L=Salt Lake City/O=Digital Signature Trust Co./OU=DSTCA X1/CN=DST RootCA X1/emailAddress=ca@digsigtrust.com
/C=US/O=Digital Signature Trust Co./OU=DSTCA E2
/C=us/ST=Utah/L=Salt Lake City/O=Digital Signature Trust Co./OU=DSTCA X2/CN=DST RootCA X2/emailAddress=ca@digsigtrust.com
/C=US/O=Digital Signature Trust Co./OU=DST-Entrust GTI CA
/O=Entrust.net/OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.)/OU=(c) 1999 Entrust.net Limited/CN=Entrust.net Certification Authority (2048)
/C=US/O=Entrust.net/OU=www.entrust.net/Client_CA_Info/CPS incorp. by ref. limits liab./OU=(c) 1999 Entrust.net Limited/CN=Entrust.net Client Certification Authority
/C=US/O=Entrust.net/OU=www.entrust.net/CPS incorp. by ref. (limits liab.)/OU=(c) 1999 Entrust.net Limited/CN=Entrust.net Secure Server Certification Authority
/C=US/O=Equifax/OU=Equifax Premium Certificate Authority
/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
/C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust Global Root
/C=JP/O=CyberTrust Japan, Inc./CN=CyberTrust JAPAN Root CA
/C=JP/O=CyberTrust Japan, Inc./CN=CyberTrust JAPAN Secure Server CA
/C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust Root 2
/C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust Root 3
/C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust Root 4
/C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust Root 5
/C=US/O=GTE Corporation/CN=GTE CyberTrust Root
/C=BE/O=GlobalSign nv-sa/OU=Partners CA/CN=GlobalSign Partners CA
/C=BE/O=GlobalSign nv-sa/OU=Primary Class 1 CA/CN=GlobalSign Primary Class 1 CA
/C=BE/O=GlobalSign nv-sa/OU=Primary Class 2 CA/CN=GlobalSign Primary Class 2 CA
/C=BE/O=GlobalSign nv-sa/OU=Primary Class 3 CA/CN=GlobalSign Primary Class 3 CA
/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
/C=us/ST=Utah/L=Salt Lake City/O=Digital Signature Trust Co./OU=National Retail Federation/CN=DST (NRF) RootCA/emailAddress=ca@digsigtrust.com
/C=DE/ST=Hamburg/L=Hamburg/O=TC TrustCenter for Security in Data Networks GmbH/OU=TC TrustCenter Class 0 CA/emailAddress=certificate@trustcenter.de
/C=DE/ST=Hamburg/L=Hamburg/O=TC TrustCenter for Security in Data Networks GmbH/OU=TC TrustCenter Class 1 CA/emailAddress=certificate@trustcenter.de
/C=DE/ST=Hamburg/L=Hamburg/O=TC TrustCenter for Security in Data Networks GmbH/OU=TC TrustCenter Class 2 CA/emailAddress=certificate@trustcenter.de
/C=DE/ST=Hamburg/L=Hamburg/O=TC TrustCenter for Security in Data Networks GmbH/OU=TC TrustCenter Class 3 CA/emailAddress=certificate@trustcenter.de
/C=DE/ST=Hamburg/L=Hamburg/O=TC TrustCenter for Security in Data Networks GmbH/OU=TC TrustCenter Class 4 CA/emailAddress=certificate@trustcenter.de
/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting/OU=Certification Services Division/CN=Thawte Personal Basic CA/emailAddress=personal-basic@thawte.com
/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting/OU=Certification Services Division/CN=Thawte Personal Freemail CA/emailAddress=personal-freemail@thawte.com
/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting/OU=Certification Services Division/CN=Thawte Personal Premium CA/emailAddress=personal-premium@thawte.com
/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Premium Server CA/emailAddress=premium-server@thawte.com
/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Server CA/emailAddress=server-certs@thawte.com
/O=Thawte/OU=Thawte Universal CA Root/CN=Thawte Universal CA Root
/C=us/ST=Utah/L=Salt Lake City/O=Digital Signature Trust Co./OU=United Parcel Service/CN=DST (UPS) RootCA/emailAddress=ca@digsigtrust.com
/L=ValiCert Validation Network/O=ValiCert, Inc./OU=ValiCert Class 1 Policy Validation Authority/CN=http://www.valicert.com//emailAddress=info@valicert.com
/L=ValiCert Validation Network/O=ValiCert, Inc./OU=ValiCert Class 2 Policy Validation Authority/CN=http://www.valicert.com//emailAddress=info@valicert.com
/L=ValiCert Validation Network/O=ValiCert, Inc./OU=ValiCert Class 3 Policy Validation Authority/CN=http://www.valicert.com//emailAddress=info@valicert.com
/C=US/O=VeriSign, Inc./OU=Class 4 Public Primary Certification Authority
/C=US/O=VeriSign, Inc./OU=Class 1 Public Primary Certification Authority
/C=US/O=VeriSign, Inc./OU=Class 1 Public Primary Certification Authority - G2/OU=(c) 1998 VeriSign, Inc. - For authorized use only/OU=VeriSign Trust Network
/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 1999 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 1 Public Primary Certification Authority - G3
/C=US/O=VeriSign, Inc./OU=Class 2 Public Primary Certification Authority
/C=US/O=VeriSign, Inc./OU=Class 2 Public Primary Certification Authority - G2/OU=(c) 1998 VeriSign, Inc. - For authorized use only/OU=VeriSign Trust Network
/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 1999 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 2 Public Primary Certification Authority - G3
/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority - G2/OU=(c) 1998 VeriSign, Inc. - For authorized use only/OU=VeriSign Trust Network
/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 1999 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G3
/C=US/O=VeriSign, Inc./OU=Class 4 Public Primary Certification Authority - G2/OU=(c) 1998 VeriSign, Inc. - For authorized use only/OU=VeriSign Trust Network
/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 1999 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 4 Public Primary Certification Authority - G3
/C=US/O=RSA Data Security, Inc./OU=Commercial Certification Authority
/C=US/O=RSA Data Security, Inc./OU=Secure Server Certification Authority
/C=US/ST=North Carolina/L=Research Triangle Park/O=Red Hat, Inc./OU=Red Hat Network Services/CN=RHNS Certificate Authority/emailAddress=rhns@redhat.com
/C=US/ST=North Carolina/L=Raleigh/O=Red Hat, Inc./OU=Red Hat Network/CN=RHN Certificate Authority/emailAddress=rhn-noc@redhat.com
---
SSL handshake has read 11837 bytes and written 289 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : DHE-RSA-AES256-SHA
Session-ID: 730DCC7BECC0F1F31D5B38A6A50AE7F700E9FA49D5C330E8F2100EA31B6A5002
Session-ID-ctx:
Master-Key: 5632AA4A83C8CC21741F09FF7F5AB4026F1A7A63C6CB8A11DE69BAFE989D5C6849571CAA6CC4E3D1992C2B9FB2480AB6
Key-Arg : None
Krb5 Principal: None
Start Time: 1232099094
Timeout : 300 (sec)
Verify return code: 19 (self signed certificate in certificate chain)
---
220 smtp.google.com ESMTP
- HTTPS (port 443) check (verify error 20 here likewise means no trust store was supplied)
[root@test1 ~]# openssl s_client -connect mail.google.com:443
CONNECTED(00000003)
depth=1 /C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=mail.google.com
i:/C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
1 s:/C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
(base64 certificate body omitted)
-----END CERTIFICATE-----
subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=mail.google.com
issuer=/C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
---
No client certificate CA names sent
---
SSL handshake has read 1766 bytes and written 319 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : RC4-SHA
Session-ID: 78A9D743EFD889F2434CC4A183DDA0CC74365D90F6647D90CA81573ACD246E9F
Session-ID-ctx:
Master-Key: BA78DA5CD3D6CDFC4D985ED37DEA863C610C8C7B6191ED24D66FEEDFD823D6609C20464C0D40825142B402E828E67E6C
Key-Arg : None
Krb5 Principal: None
Start Time: 1232099229
Timeout : 300 (sec)
Verify return code: 20 (unable to get local issuer certificate)
---
read:errno=0
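The retrieve-cert.sh and s_client checks above, as an added example (mine, not the page's) that runs offline: a self-signed certificate is served by openssl s_server on 127.0.0.1 for exactly one connection, s_client fetches it with SNI and a trust anchor so the verify result is 0 (ok) rather than the 19/20 seen above, and the retrieved certificate is compared with the served one by SHA-256 fingerprint. Port 44371, the name localhost and $WORK are my choices; it assumes openssl 1.0.2 or later on PATH (for -naccept).

```sh
#!/bin/sh
# Added example, not from the original page: retrieve-cert.sh against a local
# openssl s_server so it works offline. Port, names and $WORK are my own;
# assumes openssl 1.0.2 or later on PATH (-naccept).
set -eu
WORK=${WORK:-$(mktemp -d)}
PORT=${PORT:-44371}

# Key and certificate in one file, as in the page's "req -x509 -nodes" line.
make_server_cert() {
    printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\nCN = localhost\n' \
        >"$WORK/req.cnf"
    openssl req -x509 -nodes -newkey rsa:2048 -sha256 -days 1 \
        -config "$WORK/req.cnf" -subj '/CN=localhost' \
        -keyout "$WORK/srv.pem" -out "$WORK/srv.pem" 2>/dev/null
}

# Serve exactly one connection and exit, so nothing is left running.
serve_once() {
    openssl s_server -accept "$PORT" -cert "$WORK/srv.pem" -naccept 1 -quiet \
        >/dev/null 2>&1 &
    SERVER_PID=$!
    trap 'kill "$SERVER_PID" 2>/dev/null || true' EXIT
}

# What retrieve-cert.sh does, plus SNI (-servername) and a trust anchor so the
# verify result means something. Retries while the server is still starting.
retrieve_cert() {
    for attempt in 1 2 3 4 5; do
        echo | openssl s_client -connect "127.0.0.1:$PORT" -servername localhost \
            -CAfile "$WORK/srv.pem" >"$WORK/s_client.log" 2>&1 || true
        sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' \
            "$WORK/s_client.log" >"$WORK/remote.pem"
        [ -s "$WORK/remote.pem" ] && return 0
        sleep 1
    done
    return 1
}

fingerprint() { openssl x509 -noout -fingerprint -sha256 -in "$1"; }
remote_matches_local() {       # what was served is what we hold on disk
    [ "$(fingerprint "$WORK/remote.pem")" = "$(fingerprint "$WORK/srv.pem")" ]
}
verify_result_ok() {           # 0 (ok) instead of the 19/20 seen above
    grep -q 'Verify return code: 0 (ok)' "$WORK/s_client.log"
}
remote_not_expiring_within() { # the -checkend test, on the retrieved copy
    openssl x509 -in "$WORK/remote.pem" -noout -checkend "$1" >/dev/null
}

make_server_cert; serve_once; retrieve_cert
wait "$SERVER_PID" 2>/dev/null || true
remote_matches_local && echo "retrieved certificate matches srv.pem"
verify_result_ok && echo "s_client verified the chain against -CAfile"
remote_not_expiring_within 3600 && echo "valid for at least another hour"
fingerprint "$WORK/remote.pem"
```

Against a real host, replace 127.0.0.1 and -CAfile with the target and your CA bundle (or drop -CAfile to use the system store) and keep -servername: without SNI many servers hand back a default certificate, so the fingerprint you record would not be the one browsers see.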
- available message digests (on newer releases: openssl list -digest-commands)
[root@test1 ~]# openssl list-message-digest-commands
md2
md4
md5
rmd160
sha
sha1
- base64 encoding
[root@test1 ~]# cat test1
test1
[root@test1 ~]# openssl enc -base64 -in test1
dGVzdDEK
[root@test1 ~]# openssl enc -base64 -in test1 -out test1.enc
[root@test1 ~]# echo "dGVzdDEK" | openssl enc -base64 -d
test1
- 256-bit AES in CBC mode (note: enc in this release derives the key and IV from the password with a single MD5 pass, EVP_BytesToKey; later releases add -pbkdf2 and -iter. -pass pass:1234 puts the password in the process list and shell history, so prefer -pass file: or -pass env: in scripts)
[root@test1 ~]# openssl enc -aes-256-cbc -salt -in test1 -out test1.enc
enter aes-256-cbc encryption password:
Verifying - enter aes-256-cbc encryption password:
[root@test1 ~]# cat test1
test1
[root@test1 ~]# cat test1.enc
Salted__(8-byte salt followed by the binary ciphertext; not printable)
[root@test1 ~]# openssl enc -d -aes-256-cbc -in test1.enc
enter aes-256-cbc decryption password:
test1
[root@test1 ~]# openssl enc -aes-256-cbc -salt -in test1 -out test2.enc -pass pass:1234
[root@test1 ~]# cat test1
test1
[root@test1 ~]# cat test2.enc
Salted__(8-byte salt followed by the binary ciphertext; not printable)
[root@test1 ~]# openssl enc -d -aes-256-cbc -in test2.enc -pass pass:1234
test1
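The aes-256-cbc round trip above, redone as an added example (mine, not from the page) the way it should be typed on a current openssl: the password comes from a 0600 file rather than the command line, the key is derived with PBKDF2, and the legacy MD5-derived format that the 0.9.8 commands produce is decrypted by naming the digest explicitly. Files, passwords and $WORK are constructed for the example; it assumes openssl 1.1.1 or later on PATH (-pbkdf2 and -iter appeared in 1.1.1).

```sh
#!/bin/sh
# Added example, not from the original page: the aes-256-cbc round trip above,
# done as it should be typed on a current openssl (1.1.1+). Password files,
# plaintext and $WORK are constructed for the example.
set -eu
WORK=${WORK:-$(mktemp -d)}
umask 077                    # password files and ciphertext are created 0600

setup() {
    printf 'test1\n' >"$WORK/plain.txt"                # same input as the page
    printf 'correct horse battery staple' >"$WORK/pw.txt"
    printf 'not the password' >"$WORK/pw-bad.txt"
}

# -pass file: keeps the password out of `ps` and shell history, which
# "-pass pass:1234" does not. -pbkdf2/-iter replace the one-pass MD5 key
# derivation (EVP_BytesToKey) that this page's enc used by default.
encrypt_modern() {
    openssl enc -aes-256-cbc -salt -pbkdf2 -iter 200000 -md sha256 \
        -in "$WORK/plain.txt" -out "$WORK/modern.enc" -pass file:"$WORK/pw.txt"
}
decrypt_modern() {           # $1 = password file; prints the plaintext
    openssl enc -d -aes-256-cbc -pbkdf2 -iter 200000 -md sha256 \
        -in "$WORK/modern.enc" -pass file:"$1" 2>/dev/null
}

# The format the 0.9.8 commands above produce: "Salted__" + 8-byte salt, key
# and IV from MD5. Current releases default to sha256, so decrypting an old
# file needs "-md md5" or it ends in "bad decrypt".
encrypt_legacy() {
    openssl enc -aes-256-cbc -salt -md md5 -in "$WORK/plain.txt" \
        -out "$WORK/legacy.enc" -pass file:"$WORK/pw.txt" 2>/dev/null
}
decrypt_legacy() {
    openssl enc -d -aes-256-cbc -md md5 -in "$WORK/legacy.enc" \
        -pass file:"$WORK/pw.txt" 2>/dev/null
}
legacy_needs_md_md5() {      # with today's default digest the output is not test1
    out=$(openssl enc -d -aes-256-cbc -in "$WORK/legacy.enc" \
        -pass file:"$WORK/pw.txt" 2>/dev/null || true)
    [ "$out" != "test1" ]
}

header_is_salted() { [ "$(head -c 8 "$1")" = "Salted__" ]; }

# CBC padding is not authentication: a wrong key usually fails with "bad
# decrypt", but roughly 1 time in 256 the padding happens to parse and garbage
# comes out with exit status 0. So compare against the expected plaintext,
# not the exit status.
wrong_password_rejected() {
    out=$(decrypt_modern "$WORK/pw-bad.txt" || true)
    [ "$out" != "test1" ]
}

setup; encrypt_modern; encrypt_legacy
[ "$(decrypt_modern "$WORK/pw.txt")" = "test1" ] && echo "pbkdf2 round trip OK"
[ "$(decrypt_legacy)" = "test1" ] && echo "legacy (-md md5) round trip OK"
header_is_salted "$WORK/modern.enc" && echo "both files start with Salted__"
wrong_password_rejected && echo "wrong password does not yield the plaintext"
legacy_needs_md_md5 && echo "legacy file needs -md md5 on a current openssl"
```

The Salted__ header is the same in both files; what differs is how the eight bytes after it are turned into key and IV, which is why a file encrypted on the 0.9.8 box in this page decrypts on a current release only with -md md5, and why -pbkdf2 with a high iteration count is the option to use for anything new.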
- decode an OpenSSL error code (here one taken from an sshd log line)
sshd[31784]: error: RSA_public_decrypt failed: error:0407006A:lib(4):func(112):reason(106)
[root@test1 ~]# openssl errstr 0407006A
error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block type is not 01
- generate an RSA key (the 512-bit default and the 1024-bit keys used on this page are too small today; use 2048 bits or more)
[root@test1 ~]# openssl genrsa
Generating RSA private key, 512 bit long modulus
.....++++++++++++
................++++++++++++
e is 65537 (0x10001)
-----BEGIN RSA PRIVATE KEY-----
MIIBPAIBAAJBAKQAIr2kHD+AA3rFdT9eaR1ksCmZ2QNyqmSndGFzkpUZ51sOXxuy
Pg7oKneSF9LJaTxuNPxwjA+zmmKpDjKuw0ECAwEAAQJBAIH2dZFxHs2XhapiFiMM
jyIy64NcHuSjlrJDHXAopS2v32iGuwr64aa0qDLXi/LuIb9SYxvFNOqHoItPVpZB
DK0CIQDVcCJF/ZVnPvi9/SCfxmOVgYpKOX5x4hUXiAFqCVsnAwIhAMS0QFsP+dkn
2gQ7d/Jt4MOMz6VY4blUbyud5IhbjCdrAiEAk5EesSNdK2/3TGv5JV5ltZVFhoHv
sU8tZAKNb8GeOv8CIAZMy57fBR6KYzYtfWr7T+6TbPcbwKcB6EmaVf50CCofAiEA
1D36IfNvBI7sIqlN8DlG502D8M17TiKvlFmrJlK4Urc=
-----END RSA PRIVATE KEY-----
[root@test1 ~]# openssl genrsa -out mykey.pem 1024
Generating RSA private key, 1024 bit long modulus
................................................................................................++++++
...............................++++++
e is 65537 (0x10001)
[root@test1 ~]# openssl genrsa -des3 -out mykey.pem 1024
Generating RSA private key, 1024 bit long modulus
................................++++++
.......++++++
e is 65537 (0x10001)
Enter pass phrase for mykey.pem:
Verifying - Enter pass phrase for mykey.pem:
- extract the RSA public key
[root@test1 ~]# openssl rsa -in mykey.pem -pubout
Enter pass phrase for mykey.pem:
writing RSA key
-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDcko+LALRTPEWlTZGWp6y3dL7D
OrT/ufytUmraeHCSHRUGh8voppjoLxQ+mpqmm82Kj0hR+f/vEoA700LChcWF8KIQ
1uErfZTXbyax8C1T2s66eqH5XeDzYKNca2HHPPvVQLmQtip9AwMBu5txLR9GuEER
NdUIoMVTFBZ0IlDaTwIDAQAB
-----END PUBLIC KEY-----
- generate a DSA key (parameters first, then keys; two keys from the same parameters are shown)
[root@test1 ~]# openssl dsaparam -noout -out dsakey.pem -genkey 1024
Generating DSA parameters, 1024 bit long prime
This could take some time
........+++++++++++++++++++++++++++++++++++++++++++++++++++*
+..+.....+........+.+.....+.......................+....................+.....................+..................+........+..............+........+...+..............+.....+.+............+........+................+.........+...+..........................+.+....+.........+...+.+...........+..+++++++++++++++++++++++++++++++++++++++++++++++++++*
[root@test1 ~]# openssl dsaparam -out dsaparam.pem 1024
Generating DSA parameters, 1024 bit long prime
This could take some time
....+......+++++++++++++++++++++++++++++++++++++++++++++++++++*
.................+..+........+.+......+.+......+....+.........................................+......+.....+....................+..+.............+.+...+....+..+.+.....+....................+.............................+..............+..+..+..+.....+...+...........+.......+....+......+.....+.....+++++++++++++++++++++++++++++++++++++++++++++++++++*
[root@test1 ~]# openssl gendsa -out key1.pem dsaparam.pem
Generating DSA key, 1024 bits
[root@test1 ~]# openssl gendsa -out key2.pem dsaparam.pem
Generating DSA key, 1024 bits
[root@test1 ~]# ll key*
-rw-r--r-- 1 root root 668 Jan 16 19:10 key1.pem
-rw-r--r-- 1 root root 668 Jan 16 19:10 key2.pem
- remove passphrase from a key (rsa reads the key out of the combined key+cert file and writes it unencrypted; the certificate is then appended again to rebuild a combined file a server can load without prompting)
[root@test1 ~]# openssl rsa -in mycert2.pem -out newkey.pem
writing RSA key
[root@test1 ~]# openssl rsa -in mycert1.pem -out newcert.pem
writing RSA key
[root@test1 ~]# openssl x509 -in mycert.pem >> newcert.pem
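The genrsa, rsa -pubout and passphrase-removal steps above, as an added example (mine, not from the page): the passphrase is read from a file instead of typed, the key is protected with AES-256 rather than 3DES, and each step is checked. $WORK, the file names and the passphrase are constructed; it assumes openssl 1.1.1 or later on PATH.

```sh
#!/bin/sh
# Added example, not from the original page: the genrsa / rsa -pubout /
# passphrase-removal steps above, with the passphrase read from a file and
# every step checked. $WORK, file names and the passphrase are constructed;
# assumes openssl 1.1.1 or later on PATH.
set -eu
WORK=${WORK:-$(mktemp -d)}
umask 077                    # private keys must never be group/world readable

setup_passphrase() { printf 'a long passphrase for the example' >"$WORK/pass.txt"; }

# genrsa -des3 from the page, but AES-256 and a 3072-bit modulus (1024 is
# below any current minimum).
make_encrypted_key() {
    openssl genrsa -aes256 -passout file:"$WORK/pass.txt" \
        -out "$WORK/enc.key" 3072 2>/dev/null
}
key_is_encrypted() {         # PKCS#8 header (3.x) or legacy Proc-Type (1.1.1)
    grep -q -e 'BEGIN ENCRYPTED PRIVATE KEY' -e 'Proc-Type: 4,ENCRYPTED' \
        "$WORK/enc.key"
}
needs_passphrase() {         # a wrong passphrase must not unlock it
    ! openssl rsa -in "$WORK/enc.key" -passin pass:wrong -noout >/dev/null 2>&1
}

# The page's "remove passphrase from a key", non-interactively. Do this only
# for a key a daemon must read at boot, and keep the file 0600.
strip_passphrase() {
    openssl rsa -in "$WORK/enc.key" -passin file:"$WORK/pass.txt" \
        -out "$WORK/plain.key" 2>/dev/null
}
key_is_consistent() { openssl rsa -in "$WORK/plain.key" -check -noout >/dev/null 2>&1; }
key_bits_ok() {              # first line of -text names the modulus size
    openssl rsa -in "$WORK/plain.key" -noout -text 2>/dev/null | head -n 1 |
        grep -q '3072 bit'
}

# Public half, as "rsa -pubout" above; pkey does the same for any key type.
export_pubkey() { openssl pkey -in "$WORK/plain.key" -pubout -out "$WORK/plain.pub"; }
pubkey_matches() {
    [ "$(openssl pkey -in "$WORK/plain.key" -pubout)" = "$(cat "$WORK/plain.pub")" ]
}
key_mode() {                 # GNU stat, with the BSD spelling as fallback
    stat -c '%a' "$WORK/plain.key" 2>/dev/null || stat -f '%Lp' "$WORK/plain.key"
}

setup_passphrase; make_encrypted_key; strip_passphrase; export_pubkey
key_is_encrypted && echo "enc.key is passphrase-protected"
needs_passphrase && echo "enc.key cannot be read with a wrong passphrase"
key_is_consistent && key_bits_ok && echo "plain.key: rsa -check OK, 3072 bit"
pubkey_matches && echo "plain.pub is the public half of plain.key"
echo "plain.key mode: $(key_mode)"
```

The umask is the part people forget: openssl creates key files with the process umask, so on a box with the default 022 the unencrypted key produced by the rsa command above is world-readable until someone runs chmod.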
- generate crypt-style password hash (the default is traditional DES crypt, which keeps only the first 8 characters of the password and a 2-character salt; prefer -apr1 on this release, or -5/-6 for SHA-256/SHA-512 crypt on 1.1.1 and later)
[root@test1 ~]# openssl passwd 1234
d.BrHuty1lQKo
[root@test1 ~]# openssl passwd 1234
njZcd/8VolrTQ
- generate random data
[root@test1 ~]# openssl rand -base64 128
0jjMaS/1wNeUI6zj5SJtYnejUI56Hq0RgDWPg0Oiz6kGhTouQqnflQV4VypuuLnt
06N188m7s8xa4Vj/NFwjJpT7phoJc5PB/6hgGqs/26x/Dh7GGpAzi6+Qa34GP/wn
RmKgYPn46XAwEjc6CGrMH3SdwV43nH3dFHPHgNX/JIQ=
[root@test1 ~]# openssl rand -base64 128
xQAeJ/Sf/d8Oi2fYqSYAmSt2eFvjAxkDKcEbih5u0kKe1JgCQervSAkESK5K7cj6
5sVT587ghgGTJS0/2dgs4SHg1QMR6NsS3fTRrFAMr0rqE3G2hlQSWfw5F5KBDxuB
3MVHIRPgfHgdPfTNuXTFkCYPaha71A3+/oisff6gCLs=
[root@test1 ~]# openssl rand -out random-data.bin 1024