一、openssl genrsa 命令介紹
openssl genrsa 命令是會用來生成 RSA 私有秘鑰,不會生成公鑰,因為公鑰提取自私鑰。生成時是可以指定私鑰長度和密碼保護。
如果需要查看公鑰或生成公鑰,可以使用 openssl rsa 命令。
通過 man openssl 命令,可以看到 genrsa 命令的介紹:
genrsa Generation of RSA Private Key. Superceded by genpkey.
二、openssl genrsa 命令的語法及選項
語法:
openssl genrsa [-out filename] [-passout arg] [-f4] [-3] [-rand file(s)] [-engine id] [numbits] [-des] [-des3] [-idea]
查看 openssl genrsa 命令的選項:
[root@tvweb01 ~]# openssl genrsa ? usage: genrsa [args] [numbits] -des encrypt the generated key with DES in cbc mode -des3 encrypt the generated key with DES in ede cbc mode (168 bit key) -idea encrypt the generated key with IDEA in cbc mode -seed encrypt PEM output with cbc seed -aes128, -aes192, -aes256 encrypt PEM output with cbc aes -camellia128, -camellia192, -camellia256 encrypt PEM output with cbc camellia -out file output the key to 'file -passout arg output file pass phrase source -f4 use F4 (0x10001) for the E value -3 use 3 for the E value -engine e use engine e, possibly a hardware device. -rand file:file:... load the file (or the files in the directory) into the random number generator
使用 man genrsa 查看詳細用法:
[root@nginx ~]# man genrsa GENRSA(1) OpenSSL GENRSA(1) NAME genrsa - generate an RSA private key SYNOPSIS openssl genrsa [-out filename] [-passout arg] [-des] [-des3] [-idea] [-f4] [-3] [-rand file(s)] [-engine id] [numbits] DESCRIPTION The genrsa command generates an RSA private key. OPTIONS -out filename the output filename. If this argument is not specified then standard output is used. -passout arg the output file password source. For more information about the format of arg see the PASS PHRASE ARGUMENTS section in openssl(1). -des|-des3|-idea These options encrypt the private key with the DES, triple DES, or the IDEA ciphers respectively before outputting it. If none of these options is specified no encryption is used. If encryption is used a pass phrase is prompted for if it is not supplied via the -passout argument. -F4|-3 the public exponent to use, either 65537 or 3. The default is 65537. -rand file(s) a file or files containing random data used to seed the random number generator, or an EGD socket (see RAND_egd(3)). Multiple files can be specified separated by a OS-dependent character. The separator is ; for MS-Windows, , for OpenVMS, and : for all others. -engine id specifying an engine (by its unique id string) will cause genrsa to attempt to obtain a functional reference to the specified engine, thus initialising it if needed. The engine will then be set as the default for all available algorithms. numbits the size of the private key to generate in bits. This must be the last option specified. The default is 512. NOTES RSA private key generation essentially involves the generation of two prime numbers. When generating a private key various symbols will be output to indicate the progress of the generation. A . represents each number which has passed an initial sieve test, + means a number has passed a single round of the Miller-Rabin primality test. A newline means that the number has passed all the prime tests (the actual number depends on the key size). Because key generation is a random process the time taken to generate a key may vary somewhat. BUGS A quirk of the prime generation algorithm is that it cannot generate small primes. Therefore the number of bits should not be less that 64. For typical private keys this will not matter because for security reasons they will be much larger (typically 1024 bits). SEE ALSO gendsa(1) 1.0.1e 2013-02-11 GENRSA(1)
-out filename :將生成的私鑰保存至filename文件,若未指定輸出文件,則為標准輸出。
-numbits :指定要生成的私鑰的長度(單位 bit),默認為1024。該項必須為命令行的最后一項參數。
-des|-des3|-idea:指定加密私鑰文件用的算法,這樣每次使用私鑰文件都將輸入密碼,太麻煩所以很少使用。
-passout args :加密私鑰文件時,傳遞密碼的格式,如果要加密私鑰文件時單未指定該項,則提示輸入密碼。傳遞密碼的args的格式見openssl密碼格式。
-passout arg :對生成的RSA秘鑰文件施加密碼保護,例如:使用idea算法對私鑰文件進行密碼保護。
[root@nginx ~]# openssl genrsa -idea -passout pass:123 -out rsa_pri.pem Generating RSA private key, 1024 bit long modulus ..............++++++ .....++++++ e is 65537 (0x10001)
-F4 / -3 : 指數,默認是 65537,例如上例輸出的最后一句話,e is 65537(0x10001)
[root@nginx ~]# openssl genrsa -3 -out rsa_pri.pem 2000 Generating RSA private key, 2000 bit long modulus ..+++ ...................+++ e is 3 (0x3)
三、實例
1、生成512位的 RSA 秘鑰,輸出到屏幕。
[root@nginx ~]# openssl genrsa 512 Generating RSA private key, 512 bit long modulus .++++++++++++ ............++++++++++++ e is 65537 (0x10001) -----BEGIN RSA PRIVATE KEY----- MIIBOgIBAAJBANTZudAiqSAV7yJBo/7XMVF7cktFi6bcEAk79EObzboR7k4sCOYu tl3Fn6/BLUzAnTaYTozpIxfILYnz/9Dx/rMCAwEAAQJAPDUiNFe5k1PhAsWih/GD B9NtbxFLAXX6K0KEQ6OMu/bWZ7Q40xwPQWL+cerIeNE1xjI1qKnxTRpW+C6uigSo sQIhAO1pyZCkP0XY/PH4Jmjetd8d2beUUUWhA9pFRGkMahwnAiEA5YOniZV4bKjg 4Aa+Vcs7kI+sARIsgr+2pyPL6n+pBJUCIEjrQgaT+/8XC3HCVwHEzbWOtI0nF+M7 9jP3LHDbaEfnAiA/rYpjMtRJmYViwpw2Y3+wORxo46jz0csUjmr6MdcsDQIhAM30 zGSj4rrTHVWz73v8af2ITHYufLKYClNN
2、生成512位 RSA 私鑰,輸出到指定的文件 genrsa.txt
[root@nginx ~]# openssl genrsa -out genrsa.txt 512 Generating RSA private key, 512 bit long modulus ..............++++++++++++ .................++++++++++++ e is 65537 (0x10001) [root@nginx ~]# cat genrsa.txt -----BEGIN RSA PRIVATE KEY----- MIIBOgIBAAJBAKUwGTXGWqvOx2Vp2gMczQCyscerZTqrPYxKcxm4+18aw2JwCNwj CPwtM6la8c97KPxCS0EefMu89PXTKyM9i7sCAwEAAQJAB3+idVV2wjvVw13FvsRs 7e4usdCu/LXPSnIKvY0vJAcBTRDvNo/RTpF3/UcexlInhhmhwFceyje3wqYA1sre mQIhANc8XRtuFfvOm65mrko89VS60GpWEO1WG01bxIOum0VdAiEAxHktqkSScOCS l1pUMLLiQrj0mhngHVPbI2WWOkZzK/cCIBSK51wJ2sFIy+UOWc4uGUA4AFJV2pG8 aSit/IiQ7rLlAiBTPJdpHFYCNlJEhwNGAnMzG1KderrlEeK0M1Sa6b/fbwIhAMjp Q6lcPnCkz5/nIlTlpv14NRqa+/YLBPD8uuFLyWtF -----END RSA PRIVATE KEY-----
3、生成 1024 位 RSA 秘鑰,采用 des 算法加密,加密密碼為 123456
[root@nginx ~]# openssl genrsa -des -passout pass:"123456" -out prikey.pem 1024 Generating RSA private key, 1024 bit long modulus ....++++++ ..........++++++ e is 65537 (0x10001)
# 從輸出可以看出,秘鑰長度是 1024 bit。(從 OpenSSL 1.0.1e 開始,默認秘鑰長度為 1024 bit。)
# 我們也可以設定自己所需的秘鑰長度,秘鑰長度越長越安全,
# 但使用秘鑰進行加密解密時所耗費的時間也會越長。
# 非對稱秘鑰提高安全性的同時也帶來了算法所耗費的大量時間,非對稱秘鑰不對大塊數據進行加密,
# 應用領域是數字簽名,秘鑰分發等小數據加密。
[root@nginx ~]# ll prikey.pem -rw-r--r--. 1 root root 958 May 26 14:26 prikey.pem
[root@nginx ~]# cat prikey.pem -----BEGIN RSA PRIVATE KEY----- Proc-Type: 4,ENCRYPTED DEK-Info: DES-CBC,C632EA92B103B8F8 i9OuC7U5YCK+8PTlnNOs4G5ShvpEkGLv7sEkZXb5UYWQhmG5eJHv8MjGP6sNvDbH 1c36LmWhTlosaney9zgw3SLUOYwhcj/ocCULtVYHBC+oqmQzlLn0pj3JHunTxdF8 OAjJlwL16OKzArfCXDXWfqs4kmpZnPb0B7RgVPRwTAOnJ54BS0B1t4ytua8xfxtS fCE/PBSPywzC9EZdd9TEQ3GwRjim37RSwPHqW28Tb6Inq9IXGcwVqkvTk2F5N3NT By7Z/hIh2bBOjYj44X5G1qw0fZXP/6muD/w8KHjNlrancPiNs6oTUHAzDS0xK90y gJ9XTdxEQLwwd3MLQZ3AVuIr/Iazk6juj7vMJ6bfzblSJDuqubopM/QiLS2LI5Uz yLvFSwdezTjq0RylqYNlWCnCYj+HtZ8oeuusqN7gAnFr/rDCvSPvqveS7QuW4JAG P6su1rAL0Uamv8fjq01W9865wctx/a60zMGM8go1H8l1g7nvaRgalQPDZLNQhUog A4mqh8jiXEBLnA81cL7f0yDBlPkYM7SvuPYtUAtA9RXxw66+IHSYu6Vr+nhOplZw h7V08d78KZG8Bghx0YXqPL57qvTFRu9sJJmvN5NWPh+sMxTsTLsFll8psB4mZ4EU iMU3TiGn3pHaunmHzY+ibKSqNfOtAKpbIVhSqLKkkV6DlHBKjw1iQ2GqKRm0ilBo 7yRxVG1Ldy+cVEkKTE3hHVLP2BCdoXV8dmUimjH8F+B/voi9rYfDwqXNqnXum6kN +WmN86LJr75jTiHSs8OswunvBfedsVhsuRppBqCgsBlG5lEcLuSylg== -----END RSA PRIVATE KEY-----
一般情況下,能用的選項是: -out 或 numbits。
根據私鑰生成公鑰:
[root@nginx ~]# openssl rsa -in prikey.pem -out pubkey.pem -pubout Enter pass phrase for prikey.pem: 123456 writing RSA key [root@nginx ~]# ll pubkey.pem -rw-r--r--. 1 root root 272 May 26 14:36 pubkey.pem [root@nginx ~]# cat pubkey.pem -----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDCHNF9c7EE35RmZRdze2G55i3R 6Kvxvh/NC2IlEXfOrCttwlxfrJkaPvKr98Jn0KAFTp+em6X3nDzX1oOH/tkSS4ql h4+oTHNzT0aS3sLRnqBnALgge0M7ePIxfyhyC4npdPIpj6jsII5OCCVn1CVD3GZy QfDwhh2I+lKh5BDopQIDAQAB -----END PUBLIC KEY-----
4、生成 2048 位 RAS 秘鑰,采用 des3 算法加密
[root@nginx ~]# openssl genrsa -des3 -out private_server.key 2048 Generating RSA private key, 2048 bit long modulus .......................................................................................................................+++ .......................................+++ e is 65537 (0x10001) Enter pass phrase for private_server.key:123456 Verifying - Enter pass phrase for private_server.key:123456
[root@nginx ~]# ll private_server.key -rw-r--r--. 1 root root 1743 May 26 14:29 private_server.key
[root@nginx ~]# cat private_server.key -----BEGIN RSA PRIVATE KEY----- Proc-Type: 4,ENCRYPTED DEK-Info: DES-EDE3-CBC,75141B9977BB10C1 zsI6SDzNbsfnn8C8VYNxRXNuW3It4aZmhc1b/gslTIq1JifMlG8456k6EN2nBFIH AqZeIdf8qgK3F65yPqTxxXX7T1SKYyN6EP15VAFnXQqDlFJrSXYNSUhYiILr+8lH qLJZwnnciTDOK5ERz17RPM+RZHVDkW4ER2Mrmf+OENDgbsL8l4GbCB5L4IXYvGIs v0d3kcnWpPOIqhYWWQqfMtkXsbbSZAKx3IAmmgIHUFWt/V8TVb5hBs2HrJz2zJkl TdL8K9LHsztI5pBWsh8MyVMBgwl5Uh/th9lfSJON4D1IobHup9K8c8mueF+Zzj7c fiW4ZEbsKt2891ihIpTRsDIDPvSs35BMXD6X11fipMhQj7KFbLZo//Kno7yuCvZw aIEP6t6flYdsw8MiH0wd+3IkGxFuN9SNesRJkQJLahjOkvaG9so08AC49skWAjnF HrhRMT537nVwp4UHaRAKgyJv4fC2lUVqTQ04bPx8ddxPB/I+7KvOkTAVW9Fod+dd +1EyEI56ZAmLtiZcZ0ZKPUL/BSEndGF4jdUgMcX1mW1qN8iQtKVBlcddUWLjPyb6 B3kKo2R1XHn4FsywPTXu8jk5MyQePrsjHW/bPASHPXU4TRVPwqgDnz4jUiKuYcnG 9EZ0zwTYsKFA1cU2pQNbF8y26/ud4WQSdY8dXi8yl2x/LsVyDwhY3gihk6R2NiA1 GBMs1yDqjj6ir0mnmdGVMn4oqjPDzvOHouGeYPj+6vHcltqJXhEsNpzhr2nJru88 UiUNLuemkxaJ5OA2ek0nKv1qnY/KB0d/X1DX/xFTZo9vS8Wtz8WDhF61rKCTfm/s ehpa9vCDr33n8OApJteQRnXcs25mO5tfuLGyq/59y2AT17Nu9EAE+K3FUpcZKro3 oImv57MKU5eQMvb2JYyVUOv/sMtAtNwU7mjKM7lG8Zr240zFaiNnILRYsbLq4ae8 d8c4AExXhOPj1HMyLBnh9Gh605BOd6nZt7H45s2HqXc7k8POpo3xS80/4Tc4uMOA UoXabgvR46+XUsVeFgz37aTdzZdmpm9VUxMbUkP9N9Ut6M5erqvv83UURgpoF6X8 +pK/JoAVgerQz92fsy0K6giHqYqchO24PijwcMdc5WZi0ghBbbe3iuOpyjj/I/af qIi/Edbru0LW3AlPsU9kzUvpg/PHnO4Gcwt+LP5Kfropxh6OW08/ArMBP9+jtKlQ kZbMKxS/FoyvQrDhqa8/AgI/kWnj6v+7cq/uBFRsbP5L1Ps5dEqhlCDgM6CS5C/O N+gsS56sfCwLDtXD9CjQSiJ0758VdTFkpg1P64vU1SZEgUdgw1KRnWh8G9PlgLux tZnnv09kFTlcmx/Y5b7FIXeicOStWIqQrWy8ux4rwm3MgSlq1MxSblMmu9o6Um5c HJEoWNCtnSNU7OmSbGq9czZZ+eolFDieMQBf9M+UtyXq+PIn07Jb3rUmcrj5/Uh2 uT4IFox4xzzNeS1T/vxMvPwRxgo3CLRhatEYTu1GtwyuHCFNJmYlKnqU/19w+GIQ HXV/X2jcCi78EKC/aEicQQ7PDpzydzn9vS3bhyVhnLl3IIrb1F89ng== -----END RSA PRIVATE KEY-----