16.8.OpenSSL

# openssl req -new -nodes -out req.pem -keyout cert.key -sha3-512 -newkey rsa:4096

Generating a RSA private key
..................................................................................................................................+++++
......................................+++++
writing new private key to 'cert.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:ES
State or Province Name (full name) [Some-State]:Valencian Community
Locality Name (eg, city) []:Valencia
Organization Name (eg, company) [Internet Widgits Pty Ltd]:My Company
Organizational Unit Name (eg, section) []:Systems Administrator
Common Name (e.g. server FQDN or YOUR name) []:localhost.example.org
Email Address []:user@FreeBSD.org

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456789
An optional company name []:Another name

# openssl req -new -x509 -days 365 -sha3-512 -keyout /etc/ssl/private/cert.key -out /etc/ssl/certs/cert.crt

Generating a RSA private key
........................................+++++
...........+++++
writing new private key to '/etc/ssl/private/cert.key'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:ES
State or Province Name (full name) [Some-State]:Valencian Community
Locality Name (eg, city) []:Valencia
Organization Name (eg, company) [Internet Widgits Pty Ltd]:My Company
Organizational Unit Name (eg, section) []:Systems Administrator
Common Name (e.g. server FQDN or YOUR name) []:localhost.example.org
Email Address []:user@FreeBSD.org

# echo test | openssl aes-128-cbc -a -provider fips -pbkdf2

aes-128-cbc: unable to load provider fips
Hint: use -provider-path option or OPENSSL_MODULES environment variable.
00206124D94D0000:error:1C8000D5:Provider routines:SELF_TEST_post:missing config data:crypto/openssl/providers/fips/self_test.c:275:
00206124D94D0000:error:1C8000E0:Provider routines:ossl_set_error_state:fips module entering error state:crypto/openssl/providers/fips/self_test.c:373:
00206124D94D0000:error:1C8000D8:Provider routines:OSSL_provider_init_int:self test post failure:crypto/openssl/providers/fips/fipsprov.c:707:
00206124D94D0000:error:078C0105:common libcrypto routines:provider_init:init fail:crypto/openssl/crypto/provider_core.c:932:name=fips

# openssl fipsinstall -module /usr/lib/ossl-modules/fips.so -out /etc/ssl/fipsmodule.cnf

INSTALL PASSED

[...]
# 对于 FIPS
# 可选地包含一个由 OpenSSL fipsinstall 应用程序生成的文件。该文件包含 OpenSSL fips 提供者所需的配置数据。
# 它包含一个命名的部分，例如 [fips_sect]，该部分在下面的 [provider_sect] 中被引用。
# 有关更多信息，请参阅 OpenSSL 安全策略。
.include /etc/ssl/fipsmodule.cnf

[...]

# 要加载的提供者列表
[provider_sect]
default = default_sect
# fips 部分名称应与包含的 fipsmodule.cnf 中的部分名称匹配。
fips = fips_sect

# 如果没有显式激活提供者，则默认提供者会被隐式激活。
# 有关更多细节，请参见 man 7 OSSL_PROVIDER-default。
#
# 如果显式添加一个部分来激活任何其他提供者，你很可能需要显式激活默认提供者，否则它
# 将在 openssl 中不可用。结果，依赖于 OpenSSL 的应用程序可能无法正常工作，这可能会导致
# 系统出现重大问题，包括无法远程访问系统。
[default_sect]
activate = 1

# echo test | openssl aes-128-cbc -a -provider fips -pbkdf2

enter AES-128-CBC encryption password:
Verifying - enter AES-128-CBC encryption password:
U2FsdGVkX18idooW6e3LqWeeiKP76kufcOUClh57j8U=