OpenSSL: All About Keys (HOWTO keys)
<DRAFT!>

1. Introduction

Keys are the basis of public key algorithms and PKI.  Keys usually
come in pairs, with one half being the public key and the other half
being the private key.  With OpenSSL, the private key contains the
public key information as well, so a public key doesn't need to be
generated separately.

Public keys come in several flavors, using different cryptographic
algorithms.  The most popular ones associated with certificates are
RSA and DSA, and this HOWTO will show how to generate each of them.

2. To generate an RSA key

An RSA key can be used both for encryption and for signing.

Generating a key for the RSA algorithm is quite easy, all you have to
do is the following:

  openssl genrsa -des3 -out privkey.pem 2048

With this variant, you will be prompted for a protecting password.  If
you don't want your key to be protected by a password, remove the flag
'-des3' from the command line above.

    NOTE: if you intend to use the key together with a server
    certificate, it may be a good thing to avoid protecting it
    with a password, since that would mean someone would have to
    type in the password every time the server needs to access
    the key.

The number 2048 is the size of the key, in bits.  Today, 2048 or
higher is recommended for RSA keys, as fewer bits are considered
insecure or soon to be insecure.

3. To generate a DSA key

A DSA key can be used for signing only.  This is important to keep
in mind to know what kind of purposes a certificate request with a
DSA key can really be used for.

Generating a key for the DSA algorithm is a two-step process.  First,
you have to generate parameters from which to generate the key:

  openssl dsaparam -out dsaparam.pem 2048

The number 2048 is the size of the key, in bits.  Today, 2048 or
higher is recommended for DSA keys, as fewer bits are considered
insecure or soon to be insecure.

When that is done, you can generate a key using the parameters in
question (actually, several keys can be generated from the same
parameters):

  openssl gendsa -des3 -out privkey.pem dsaparam.pem

With this variant, you will be prompted for a protecting password.  If
you don't want your key to be protected by a password, remove the flag
'-des3' from the command line above.

    NOTE: if you intend to use the key together with a server
    certificate, it may be a good thing to avoid protecting it
    with a password, since that would mean someone would have to
    type in the password every time the server needs to access
    the key.

--
Richard Levitte
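
Added example (not part of the original HOWTO): a shell check for the
points made in the NOTEs and the key-size paragraphs of sections 2 and 3,
namely whether a key file is password-protected, and if it is not, whether
it is at least 2048 bits and readable by its owner only.  The function
names and messages are assumptions of this example.

```sh
#!/bin/sh
# Added example, not from the HOWTO: audit a PEM private key against its
# guidance. Function names and messages are assumptions of this example.

# Succeeds if the key is passphrase-protected. Matches the traditional
# format ("Proc-Type: 4,ENCRYPTED") and PKCS#8 ("ENCRYPTED PRIVATE KEY").
key_is_encrypted() {
    grep -Eq '^(Proc-Type: 4,ENCRYPTED|-----BEGIN ENCRYPTED PRIVATE KEY-----)' "$1"
}

# Print the size in bits of an unencrypted RSA or DSA private key.
key_bits() {
    openssl pkey -in "$1" -noout -text 2>/dev/null |
        sed -n 's/.*Private-Key: (\([0-9][0-9]*\) bit.*/\1/p' | head -n 1
}

# Print findings; return 0 only if nothing needs attention.
audit_key() {
    if key_is_encrypted "$1"; then
        # The size cannot be read without the passphrase; say so, don't guess.
        echo "encrypted: passphrase required on every load, size not checked"
        return 0
    fi
    status=0
    # Without a passphrase, file permissions are the only protection.
    if [ "$(ls -ldL "$1" | cut -c5-10)" != "------" ]; then
        echo "unencrypted and accessible to group/other: chmod 600"
        status=1
    fi
    bits=$(key_bits "$1")
    if [ -z "$bits" ]; then
        echo "cannot read a private key from this file"
        status=1
    elif [ "$bits" -lt 2048 ]; then
        echo "weak: $bits bits, below the recommended 2048"
        status=1
    fi
    [ "$status" -eq 0 ] && echo "ok: unencrypted, $bits bits, owner-only"
    return "$status"
}

# Usage: sh audit_key.sh privkey.pem
if [ "$#" -gt 0 ]; then audit_key "$1"; fi
```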
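
Added example (not part of the original HOWTO): the two-step DSA
procedure from section 3, with the second step run twice against one
parameter file to show that both keys share P, Q and G while remaining
different keys.  Function and file names are assumptions of this example;
'-des3' is left out so the script runs without a prompt.

```sh
#!/bin/sh
# Added example, not from the HOWTO: generate two DSA keys from one
# parameter file and confirm they share P, Q, G but are different keys.
# Function and file names are assumptions of this example.

# Steps 1 and 2 of section 3, without -des3 so nothing prompts.
make_dsa_pair() {
    openssl dsaparam -out "$1/dsaparam.pem" 2048 2>/dev/null &&
    openssl gendsa -out "$1/key1.pem" "$1/dsaparam.pem" 2>/dev/null &&
    openssl gendsa -out "$1/key2.pem" "$1/dsaparam.pem" 2>/dev/null
}

# Text dump of the public components only (sections: pub, P, Q, G),
# so no private value is written anywhere.
dump_key() { openssl pkey -in "$1" -noout -text_pub; }

# Filters over a dump on stdin.
domain_params() { sed -n '/^ *P:/,$p'; }
public_value()  { sed -n '/^ *pub:/,/^ *P:/p'; }

# Succeeds when two dump files show equal parameters and distinct keys.
same_params_distinct_keys() {
    p1=$(domain_params < "$1"); p2=$(domain_params < "$2")
    [ -n "$p1" ] && [ "$p1" = "$p2" ] &&
        [ "$(public_value < "$1")" != "$(public_value < "$2")" ]
}

# Usage: sh dsa_pair.sh /path/to/empty/dir
if [ "$#" -gt 0 ] && make_dsa_pair "$1"; then
    dump_key "$1/key1.pem" > "$1/key1.txt"
    dump_key "$1/key2.pem" > "$1/key2.txt"
    same_params_distinct_keys "$1/key1.txt" "$1/key2.txt" &&
        echo "key1 and key2 share P, Q, G and have different public values"
fi
```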