Linux with Operating System Concepts




cipher -in filename -out filename2. When run, you will be asked to input the passphrase. You can avoid having to type the passphrase separately by adding -pass pass:passphrase to the command. One advantage of this is that you can remove the need for interactive access if, for instance, you are calling openssl from a shell script.
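For scripted use, the `pass:` form places the passphrase in the process argument list and shell history; openssl also accepts `file:` and `env:` sources, which keep it out of the arguments. The following is an added example, not from the book; it assumes OpenSSL 1.1.1 or later (for `-pbkdf2`), and the cipher choice, file names, variable name and passphrase are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: supply the passphrase from a file or the environment
# instead of "-pass pass:SECRET", which exposes the secret in argv.
# All paths, the DEMO_PASS variable and the passphrase are constructed.

WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
( umask 077; printf '%s\n' 'constructed-demo-passphrase' > "$WORK/pass.txt" )
printf 'constructed sample plaintext\n' > "$WORK/plain.txt"

# roundtrip SOURCE: encrypt and decrypt plain.txt with the given passphrase
# source (file:/path or env:NAME); prints "match" if the plaintext is restored.
roundtrip() {
    openssl enc -aes-256-cbc -pbkdf2 -in "$WORK/plain.txt" \
        -out "$WORK/cipher.bin" -pass "$1" || return 1
    openssl enc -d -aes-256-cbc -pbkdf2 -in "$WORK/cipher.bin" \
        -out "$WORK/plain.out" -pass "$1" || return 1
    if cmp -s "$WORK/plain.txt" "$WORK/plain.out"; then echo match; else echo differ; fi
}

# cipher_magic: first 8 bytes of the ciphertext. With a passphrase, openssl enc
# writes the marker "Salted__" followed by the 8-byte salt.
cipher_magic() { head -c 8 "$WORK/cipher.bin"; }

# The env: source reads the passphrase from an exported variable.
DEMO_PASS=$(cat "$WORK/pass.txt"); export DEMO_PASS

echo "file source: $(roundtrip "file:$WORK/pass.txt")"
echo "env source:  $(roundtrip env:DEMO_PASS)"
echo "header:      $(cipher_magic)"
```

The passphrase file is created under `umask 077` so only the owner can read it; an exported variable is still readable by other processes of the same user.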
The encryption/decryption component of openssl uses a private key based on the algorithm selected and the passphrase. You can also use openssl to generate a public key. The public key is generated from the private key; so, you must first generate the private key. We will demonstrate this using RSA (you can also use DSA but it is more complicated). To generate a private key, we specify genrsa as the openssl command, the output file to store the key into, and the number of bits for the key. The default is 512 bits.
openssl genrsa -out mykey.key 2048
This produces a key stored in the file mykey.key.
If you look at the key created from the command, it will contain seemingly random letters, digits, and punctuation marks. For instance, the following was produced as a 128-bit key.
-----BEGIN RSA PRIVATE KEY-----
MGICAQACEQDNctpZY1qIZUDJWhrFdownAgMBAAECEET6rv0cMqVgXwjwipD+L+EC
CQD6mQIPqBDcYwIJANHgrXHN21JtAggfZ49nkONUCwIJAIbd/Fb/VArZAggGaPTt
zAuzkg==
-----END RSA PRIVATE KEY-----
We can also encode a passphrase into the key by adding an option such as -des or -des3. Alternatively, you can add the option -passout value where value is the passphrase. Now, given the private key, you can generate a public key using the following instruction.
openssl rsa -in mykey.key -pubout
This outputs the public key to the terminal window. You can redirect it to a file using
openssl rsa -in mykey.key -pubout > mykey.pub
This produced the following public key:
-----BEGIN PUBLIC KEY-----
MCwwDQYJKoZIhvcNAQEBBQADGwAwGAIRAMbqZr43A+UEI/Aio2r0dKkCAwEAAQ==
-----END PUBLIC KEY-----


Linux Applications
With the public and private keys available, there are several things we can now do. We can generate a certificate, which you might use as part of a website to indicate that it is secure and can handle the HTTPS (secure HTTP) protocol, or you might use it for ssh or email. Here, we look at generating a self-signed certificate.
Normally, a certificate should be signed by a certificate authority to ensure its authenticity. This can cost thousands of dollars. A self-signed certificate may be used by an organization that requires a login to reach some specific web content and where the users know that the organization is trusted (e.g., employees of the company, students of a university).
We will use the x509 algorithm to generate a certificate. When generating a certificate, you can either have openssl generate a new private key or use an existing private key. We will look at both approaches. To generate a self-signed certificate with the key from above, you might specify the following:
openssl req -x509 -new -key mykey.key -days 365 -out mycert.pem
The 365 indicates the number of days that the certificate will be valid for. If the certificate is in use beyond this time period, it expires and any web browser is warned.
Issuing the above command places you into an interactive session where openssl queries you for information about the organization that this certificate will be used for:
Country Name (2 letter code) [XX]:
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server’s hostname) []:
Email Address []:
With your certificate generated, you would place it on your webserver in a directory requiring https access. Before doing so, you might want to test your certificate. You can view your certificate's key as it is in ASCII text. However, you might want to examine the entire contents, including the information you entered when generating the certificate. For that, use the operation
openssl x509 -text -in mycert.pem
Notice in this case that there is no hyphen preceding x509 unlike the previous instruction where you generated the certificate. Shown below is the informational portion of what is returned. You would also see the public key in hexadecimal notation and the certificate encoded using the public key (not shown here). Notice the expiration date that is 365 days after the creation date.
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            99:d0:2f:8c:d2:ec:cd:a9
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, ST=Kentucky, L=Highland Heights, O=ZappaFrank Industries, OU=Sales, CN=ns1.zappafrank.com/emailAddress=sales@zappafrank.com
        Validity
            Not Before: Feb 14 13:08:12 2013 GMT
            Not After : Feb 14 13:08:12 2014 GMT
        Subject: C=US, ST=Kentucky, L=Highland Heights, O=ZappaFrank Industries, OU=Sales, CN=ns1.zappafrank.com/emailAddress=sales@zappafrank.com
As with the use of a passphrase, you can avoid the interaction in entering the country, state, city, and so on, by specifying all of the information from the command line. This is done by adding
-subj '/C=US/ST=Kentucky/L=Highland Heights/O=ZappaFrank Industries/OU=Sales/CN=ns1.zappafrank.com/emailAddress=sales@zappafrank.com'
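The key, public key and self-signed certificate steps described above can be run without prompts and then checked before the certificate is deployed. This is an added example, not from the book, and it goes beyond the text by adding the checks; the temporary paths and passphrase are constructed, and `-aes256`, `-sha256`, `-passin`/`-passout file:` and `-checkend` are options chosen here rather than ones the book uses.

```shell
#!/bin/sh
# Added example (not from the book). Temp paths and the passphrase are constructed.
D=$(mktemp -d); trap 'rm -rf "$D"' EXIT
( umask 077; printf '%s\n' 'constructed-demo-passphrase' > "$D/pass.txt" )
SUBJ='/C=US/ST=Kentucky/L=Highland Heights/O=ZappaFrank Industries/OU=Sales'
SUBJ="$SUBJ/CN=ns1.zappafrank.com/emailAddress=sales@zappafrank.com"

# 1. Private key, encrypted on disk; the passphrase comes from a file, not argv.
openssl genrsa -aes256 -passout "file:$D/pass.txt" -out "$D/mykey.key" 2048 2>/dev/null
# 2. Public key derived from the private key.
openssl rsa -in "$D/mykey.key" -passin "file:$D/pass.txt" -pubout \
    -out "$D/mykey.pub" 2>/dev/null
# 3. Self-signed certificate, 365 days, no prompts; -sha256 pins the digest.
openssl req -x509 -new -sha256 -key "$D/mykey.key" -passin "file:$D/pass.txt" \
    -days 365 -subj "$SUBJ" -out "$D/mycert.pem"

# yesno CMD...: print "yes" if the command succeeds, "no" otherwise.
yesno() { if "$@" >/dev/null 2>&1; then echo yes; else echo no; fi; }

# Is the private key PEM passphrase-protected?
key_is_encrypted() { yesno grep ENCRYPTED "$D/mykey.key"; }

# Does the certificate carry the public key derived in step 2?
cert_matches_key() {
    openssl x509 -in "$D/mycert.pem" -noout -pubkey > "$D/cert.pub"
    yesno cmp -s "$D/cert.pub" "$D/mykey.pub"
}

# Self-signed means issuer and subject are the same name.
is_self_signed() {
    i=$(openssl x509 -in "$D/mycert.pem" -noout -issuer | sed 's/^issuer= *//')
    s=$(openssl x509 -in "$D/mycert.pem" -noout -subject | sed 's/^subject= *//')
    yesno [ "$i" = "$s" ]
}

# valid_in_days N: will the certificate still be valid N days from now?
valid_in_days() {
    yesno openssl x509 -in "$D/mycert.pem" -noout -checkend $(( $1 * 86400 ))
}

# Signature algorithm recorded in the certificate.
sig_alg() {
    openssl x509 -in "$D/mycert.pem" -noout -text |
        sed -n 's/^ *Signature Algorithm: //p' | head -n 1
}

echo "encrypted=$(key_is_encrypted) matches=$(cert_matches_key) self_signed=$(is_self_signed)"
echo "valid_364d=$(valid_in_days 364) valid_366d=$(valid_in_days 366) sig=$(sig_alg)"
```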
If you wish to generate a new key when you generate your certificate, the syntax changes somewhat drastically. Instead of using -key