Linux Learning: Week 14

运维开发网 https://www.qedev.com 2021-04-08 21:51 Source: 51CTO Author: 水云间学习

1. Create a private CA and apply for a certificate

**(1) Create the CA directories and files**
    [[email protected] test]#mkdir -pv /etc/pki/CA/{certs,crl,newcerts,private}
    mkdir: created directory '/etc/pki/CA'
    mkdir: created directory '/etc/pki/CA/certs'
    mkdir: created directory '/etc/pki/CA/crl'
    mkdir: created directory '/etc/pki/CA/newcerts'
    mkdir: created directory '/etc/pki/CA/private'
    [[email protected] test]#tree /etc/pki/CA
    /etc/pki/CA
    ├── certs
    ├── crl
    ├── newcerts
    └── private

**(2) Create the CA private key**
    [[email protected] test]#cd /etc/pki/CA
    [[email protected] CA]#(umask 066; openssl genrsa -out private/cakey.pem 2048)
    Generating RSA private key, 2048 bit long modulus (2 primes)
    .................................................................+++++
    ..........................................................+++++
    e is 65537 (0x010001)
    [[email protected] CA]#ll
    total 0
    drwxr-xr-x 2 root root  6 Feb  5 22:13 certs
    drwxr-xr-x 2 root root  6 Feb  5 22:13 crl
    drwxr-xr-x 2 root root  6 Feb  5 22:13 newcerts
    drwxr-xr-x 2 root root 23 Feb  5 22:16 private
    [[email protected] CA]#tree /etc/pki/CA/
    /etc/pki/CA/
    ├── certs
    ├── crl
    ├── newcerts
    └── private
        └── cakey.pem
    4 directories, 1 file
    [[email protected] CA]#ll private/
    total 4
    -rw------- 1 root root 1679 Feb  5 22:16 cakey.pem

**(3) Issue the CA a self-signed certificate**
    [[email protected] CA]#openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 3650 -out /etc/pki/CA/cacert.pem
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    Country Name (2 letter code) [XX]:CN
    State or Province Name (full name) []:henan
    Locality Name (eg, city) [Default City]:jiaozuo
    Organization Name (eg, company) [Default Company Ltd]:DCC
    Organizational Unit Name (eg, section) []:IT
    Common Name (eg, your name or your server's hostname) []:ca.lirui.org
    Email Address []:[email protected]

    [[email protected] CA]#tree `pwd`
    /etc/pki/CA
    ├── cacert.pem
    ├── certs
    ├── crl
    ├── newcerts
    └── private
        └── cakey.pem
    4 directories, 2 files
**(4) Generate the user's private key and certificate request**
    [[email protected] ~]#mkdir /data/app1
    [[email protected] app1]#(umask 066; openssl genrsa -out /data/app1/app1.key 2048)
    Generating RSA private key, 2048 bit long modulus (2 primes)
    .........+++++
    ............................................................................................................................................................................................+++++
    e is 65537 (0x010001)

    [[email protected] app1]#openssl req -new -key /data/app1/app1.key  -out /data/app1/app1.csr
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [XX]:CN
    State or Province Name (full name) []:henan
    Locality Name (eg, city) [Default City]:jiaozuo
    Organization Name (eg, company) [Default Company Ltd]:DCC
    Organizational Unit Name (eg, section) []:it
    Common Name (eg, your name or your server's hostname) []:
    Email Address []:

    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:
    [[email protected] app1]#ll
    total 8
    -rw-r--r-- 1 root root  964 Feb  6 23:03 app1.csr
    -rw------- 1 root root 1675 Feb  6 23:01 app1.key

By default three fields must match the CA's certificate: country, state/province and organization; if they differ, openssl ca reports an error. Fields that the CA policy does not list, such as the Locality entered in the request, are left out of the issued certificate, which is why the subject below has no L= entry.

**(5) The CA issues the certificate**
    [[email protected] app1]#openssl ca -in /data/app1/app1.csr -out /etc/pki/CA/certs/app1.crt -days 1000
    Using configuration from /etc/pki/tls/openssl.cnf
    Check that the request matches the signature
    Signature ok
    Certificate Details:
            Serial Number: 10 (0xa)
            Validity
                Not Before: Feb  6 15:13:26 2021 GMT
                Not After : Nov  3 15:13:26 2023 GMT
            Subject:
                countryName               = CN
                stateOrProvinceName       = henan
                organizationName          = DCC
                organizationalUnitName    = IT
                commonName                = app1.lirui.org
            X509v3 extensions:
                X509v3 Basic Constraints: 
                    CA:FALSE
                Netscape Comment: 
                    OpenSSL Generated Certificate
                X509v3 Subject Key Identifier: 
                    C6:76:BA:AB:AF:2D:F7:50:02:F9:37:A1:18:3B:F5:69:37:61:5F:AA
                X509v3 Authority Key Identifier: 
                    keyid:C0:40:4F:D3:4A:1D:E8:33:45:70:4E:1E:31:FD:D2:00:57:1F:35:D7

    Certificate is to be certified until Nov  3 15:13:26 2023 GMT (1000 days)
    Sign the certificate? [y/n]:y

    1 out of 1 certificate requests certified, commit? [y/n]y
    Write out database with 1 new entries
    Data Base Updated

    [[email protected] app1]#cd /etc/pki/CA
    [[email protected] CA]#tree
    .
    ├── cacert.pem
    ├── certs
    │   └── app1.crt
    ├── crl
    ├── index.txt
    ├── index.txt.attr
    ├── index.txt.old
    ├── newcerts
    │   └── 0A.pem
    ├── private
    │   └── cakey.pem
    ├── serial
    └── serial.old

    4 directories, 9 files

**(6) View the certificate**
    [[email protected] CA]#openssl x509 -in /etc/pki/CA/certs/app1.crt -noout -text
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number: 10 (0xa)
            Signature Algorithm: sha256WithRSAEncryption
            Issuer: C = CN, ST = henan, L = jiaozuo, O = DCC, OU = IT, CN = ca.lirui.org, emailAddress = [email protected]
            Validity
                Not Before: Feb  6 15:13:26 2021 GMT
                Not After : Nov  3 15:13:26 2023 GMT
            Subject: C = CN, ST = henan, O = DCC, OU = IT, CN = app1.lirui.org
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                    RSA Public-Key: (2048 bit)
                    Modulus:
                        00:9d:b2:71:a7:57:34:75:43:9c:0b:b5:2f:43:fd:
                        5d:ee:55:69:e4:f5:a7:c8:03:bb:0b:1f:e5:ab:81:
                        b8:a2:f1:03:6f:fa:4b:18:ac:1e:ba:ad:ba:3b:39:
                        2b:4e:fe:c7:49:c8:8f:12:e0:fd:0d:66:87:8e:ab:
                        70:79:70:be:09:d9:ba:85:77:60:96:35:61:b8:aa:
                        07:02:a9:c6:7d:c9:44:32:cb:d0:f8:b5:48:2a:65:
                        30:9a:ce:a5:af:52:02:c8:88:60:ae:ae:fc:a3:96:
                        e0:0c:85:ab:01:18:ff:af:12:c3:86:16:2d:f1:36:
                        48:49:73:ca:ba:92:11:41:e4:8b:62:a8:18:15:4c:
                        e0:1c:b6:9c:b2:45:39:2b:66:43:a6:b5:21:75:45:
                        b4:6b:11:38:e6:91:f2:28:a3:ee:89:01:4e:85:9e:
                        dd:70:f6:3d:cf:1d:3b:16:57:96:18:6a:65:41:36:
                        64:94:4b:b0:4c:3e:63:ca:90:a4:a8:2d:07:58:ee:
                        6a:cd:ee:69:e3:1f:46:72:a7:64:a7:dc:88:77:5a:
                        6f:8b:6a:bb:4c:08:fa:bb:2b:68:01:71:e9:b3:92:
                        8a:83:bd:fd:fc:6c:3d:9a:9c:20:d1:15:c8:f3:cb:
                        c4:cb:44:c6:2d:42:5f:44:37:67:53:8a:b1:fd:ea:
                        eb:b1
                    Exponent: 65537 (0x10001)
            X509v3 extensions:
                X509v3 Basic Constraints:
                    CA:FALSE
                Netscape Comment:
                    OpenSSL Generated Certificate
                X509v3 Subject Key Identifier:
                    C6:76:BA:AB:AF:2D:F7:50:02:F9:37:A1:18:3B:F5:69:37:61:5F:AA
                X509v3 Authority Key Identifier:
                    keyid:C0:40:4F:D3:4A:1D:E8:33:45:70:4E:1E:31:FD:D2:00:57:1F:35:D7
        Signature Algorithm: sha256WithRSAEncryption
            4c:e3:9f:2f:d6:d9:50:85:03:e1:42:14:0e:91:ed:6e:48:e2:
            22:4b:75:84:22:ae:10:62:a7:90:66:06:27:24:49:4d:92:73:
            15:ca:6e:90:44:40:88:d1:90:bd:83:34:4c:99:97:08:4b:92:
            10:40:2f:ad:f6:3e:b2:36:b7:b3:28:ae:17:22:4a:a0:9e:0a:
            94:c4:56:5c:5c:fe:2e:26:ef:f0:31:1c:7d:8f:31:28:d6:a6:
            60:01:38:29:b8:41:13:2b:3d:2b:f1:7b:99:f1:03:59:b4:68:
            6a:23:32:d7:ea:3b:8d:c9:ea:87:cd:d8:04:86:1e:b5:c0:73:
            7e:00:a0:bf:da:2c:b7:77:fb:44:f7:87:8c:9b:ad:6d:78:d0:
            35:7d:e5:aa:18:e4:8b:6e:44:85:ef:e9:b9:f4:dc:49:47:2e:
            bb:ca:53:a8:8b:06:ae:6d:aa:2a:c9:a4:58:89:72:59:77:79:
            de:c0:1e:05:23:f6:fa:08:ca:37:90:8d:58:4c:1a:a7:65:44:
            82:2b:b4:ef:b3:d7:41:02:f5:b9:b6:e8:9f:01:f7:b7:bf:2f:
            6b:b4:9b:88:f3:76:77:c8:d7:02:b1:95:de:00:79:5e:b4:86:
            8e:68:df:99:e2:9a:32:be:a6:f5:a8:65:35:00:7a:3d:91:27:
            38:40:c0:c1

**(7) Send the certificate files to the client**
    [[email protected] CA]#cp /etc/pki/CA/certs/app1.crt /data/app1
    [[email protected] CA]#tree /data/app1
    /data/app1
    ├── app1.crt
    ├── app1.csr
    └── app1.key

    0 directories, 3 files
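The seven steps above, replayed as an added shell example that is not part of the original post: it rebuilds the CA in a throwaway directory with a minimal openssl.cnf of its own (so the system's /etc/pki/CA and openssl.cnf are untouched), enforces the same policy_match rule the note after step (4) describes, and then runs the checks worth doing before the files are handed over in step (7). The directory layout, subject strings and the 0A serial are assumptions chosen to mirror the post; it requires openssl 1.1 or 3.x on PATH.

```shell
# Added example (not the post's own commands): steps (1)-(7) run non-interactively in a throwaway
# directory standing in for /etc/pki/CA, with a minimal openssl.cnf, plus checks to run afterwards.
set -eu
pki_setup() {   # $1 = CA directory: layout of step (1), CA key and self-signed cert of steps (2)-(3)
    mkdir -p "$1/certs" "$1/crl" "$1/newcerts" "$1/private"; : > "$1/index.txt"; echo 0A > "$1/serial"
    cat > "$1/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $1
new_certs_dir = \$dir/newcerts
database = \$dir/index.txt
serial = \$dir/serial
certificate = \$dir/cacert.pem
private_key = \$dir/private/cakey.pem
default_md = sha256
policy = policy_match
x509_extensions = usr_cert
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
commonName = supplied
[ usr_cert ]
basicConstraints = CA:FALSE
[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
    (umask 066; openssl genrsa -out "$1/private/cakey.pem" 2048 2>/dev/null)
    openssl req -new -x509 -config "$1/openssl.cnf" -key "$1/private/cakey.pem" -days 3650 \
        -subj "/C=CN/ST=henan/L=jiaozuo/O=DCC/OU=IT/CN=ca.lirui.org" -out "$1/cacert.pem"
}
issue_cert() {  # $1 = CA dir, $2 = client dir, $3 = subject: steps (4)-(5); fails if policy_match rejects the CSR
    mkdir -p "$2"; (umask 066; openssl genrsa -out "$2/app1.key" 2048 2>/dev/null)
    openssl req -new -config "$1/openssl.cnf" -key "$2/app1.key" -subj "$3" -out "$2/app1.csr"
    openssl ca -batch -config "$1/openssl.cnf" -in "$2/app1.csr" -out "$2/app1.crt" -days 1000 >/dev/null 2>&1
}
check_cert() {  # $1 = CA dir, $2 = client dir: what to verify before shipping the files in step (7)
    openssl verify -CAfile "$1/cacert.pem" "$2/app1.crt" >/dev/null &&          # chains to this CA
    [ "$(openssl pkey -in "$2/app1.key" -pubout)" = "$(openssl x509 -in "$2/app1.crt" -pubkey -noout)" ] &&
    openssl x509 -in "$2/app1.crt" -noout -text | grep -q 'CA:FALSE' &&        # leaf cannot issue certs
    case $(ls -l "$1/private/cakey.pem") in -rw-------*) true ;; *) false ;; esac   # umask 066 held
}
CA=$(mktemp -d); pki_setup "$CA"
issue_cert "$CA" "$CA/app1" "/C=CN/ST=henan/O=DCC/OU=IT/CN=app1.lirui.org" && check_cert "$CA" "$CA/app1" && echo "app1.crt OK"
```

A CSR whose ST differs from the CA's makes issue_cert fail, which is the policy_match error the note after step (4) mentions; OU is dropped from the issued subject because this policy does not list it.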

2. Summary of common ssh parameters and usage

Command format:
    ssh [option] [user@]host [COMMAND]
    ssh [option] [-l user] host [COMMAND]
Common options
    -p port: port the remote server listens on
    -b: source IP address to connect from
    -v: debug (verbose) mode
    -C: enable compression
    -X: enable X11 forwarding
    -t: force pseudo-tty allocation, e.g. ssh -t remoteserver1 ssh -t remoteserver2 ssh remoteserver3
    -o option, e.g. -o StrictHostKeyChecking=no (this example skips host key verification)
    -i <file>: path of the private key file, for key-based authentication; by default ~/.ssh/id_dsa, ~/.ssh/id_ecdsa, ~/.ssh/id_ed25519, ~/.ssh/id_rsa and so on are used

3. Summary of common sshd parameters

Server-side configuration file: /etc/ssh/sshd_config
Common parameters:
    Port
    ListenAddress ip
    LoginGraceTime 2m
    PermitRootLogin yes #Ubuntu does not allow root to log in remotely over ssh by default
    StrictModes yes #check the owner and permissions of the .ssh/ files
    MaxAuthTries 6
    MaxSessions 10 #maximum number of sessions over one connection
    PubkeyAuthentication yes #key-based authentication
    PermitEmptyPasswords no #allow connections with an empty password
    PasswordAuthentication yes #username and password authentication
    GatewayPorts no
    ClientAliveInterval 10 #in seconds
    ClientAliveCountMax 3 #default 3
    UseDNS yes #set to no to speed up logins
    GSSAPIAuthentication yes #set to no to speed up logins
    MaxStartups #maximum number of unauthenticated connections, default 10
    Banner /path/file
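An added shell example for the sshd parameters above (not from the original post): it reads an sshd_config and reports the effective value of a keyword, then flags the listed settings that are explicitly set to a weak value. sshd takes the first occurrence of each keyword (later duplicates are ignored) and global settings end at the first Match block, which is what the awk filter implements; the config text is a constructed sample and the function names are this example's own.

```shell
# Added example, not from the original post: effective sshd_config values for the keywords listed
# above. sshd keeps the FIRST occurrence of a keyword and, for global settings, only lines before
# any Match block; the awk program below follows that rule. The config below is a constructed sample.
sshd_effective() {   # $1 = sshd_config path, $2 = keyword (case-insensitive); prints its value or "default"
    awk -v key="$(printf %s "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || NF == 0   { next }        # comment or blank line
        tolower($1) == "match"  { exit }        # global section ends at the first Match block
        tolower($1) == key      { found = 1; $1 = ""; sub(/^[ \t]+/, ""); print; exit }
        END { if (!found) print "default" }' "$1"
}
sshd_audit() {   # $1 = sshd_config path; prints each explicitly weak setting, returns 1 if any was found
    bad=0
    for pair in PermitRootLogin:yes PasswordAuthentication:yes PermitEmptyPasswords:yes \
                PubkeyAuthentication:no StrictModes:no; do
        key=${pair%%:*}; weak=${pair##*:}
        val=$(sshd_effective "$1" "$key" | tr 'A-Z' 'a-z')
        if [ "$val" = "$weak" ]; then echo "$key $val"; bad=1; fi
    done
    return $bad
}
CONF=$(mktemp)
cat > "$CONF" <<'EOF'
# constructed sample: the second PermitRootLogin line is ignored by sshd (first value wins)
Port 2222
PermitRootLogin no
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
MaxAuthTries 3
# settings inside a Match block apply only to that match, not globally
Match User deploy
    PermitEmptyPasswords yes
EOF
sshd_audit "$CONF" || echo "review the settings listed above"
```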
