1、创建私有CA并进行证书申请
(1) 创建CA相关目录和文件
[root@CentOS8 test]#mkdir -pv /etc/pki/CA/{certs,crl,newcerts,private}
mkdir: created directory '/etc/pki/CA'
mkdir: created directory '/etc/pki/CA/certs'
mkdir: created directory '/etc/pki/CA/crl'
mkdir: created directory '/etc/pki/CA/newcerts'
mkdir: created directory '/etc/pki/CA/private'
[root@CentOS8 test]#tree /etc/pki/CA
/etc/pki/CA
├── certs
├── crl
├── newcerts
└── private
(2) 创建CA的私钥
[root@CentOS8 test]#cd /etc/pki/CA
[root@CentOS8 CA]#(umask 066; openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus (2 primes)
.................................................................+++++
..........................................................+++++
e is 65537 (0x010001)
[root@CentOS8 CA]#ll
total 0
drwxr-xr-x 2 root root 6 Feb 5 22:13 certs
drwxr-xr-x 2 root root 6 Feb 5 22:13 crl
drwxr-xr-x 2 root root 6 Feb 5 22:13 newcerts
drwxr-xr-x 2 root root 23 Feb 5 22:16 private
[root@CentOS8 CA]#tree /etc/pki/CA/
/etc/pki/CA/
├── certs
├── crl
├── newcerts
└── private
└── cakey.pem
4 directories, 1 file
[root@CentOS8 CA]#ll private/
total 4
-rw------- 1 root root 1679 Feb 5 22:16 cakey.pem
(3) 给CA颁发自签名证书
[root@CentOS8 CA]#openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 3650 -out /etc/pki/CA/cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:henan
Locality Name (eg, city) [Default City]:jiaozuo
Organization Name (eg, company) [Default Company Ltd]:DCC
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:ca.lirui.org
Email Address []:aaa@lirui.org
[root@CentOS8 CA]#tree `pwd`
/etc/pki/CA
├── cacert.pem
├── certs
├── crl
├── newcerts
└── private
└── cakey.pem
4 directories, 2 files
**(4) 用户生成私钥和证书申请**
[root@CentOS8 ~]#mkdir /data/app1
[root@CentOS8 app1]#(umask 066; openssl genrsa -out /data/app1/app1.key 2048)
Generating RSA private key, 2048 bit long modulus (2 primes)
.........+++++
............................................................................................................................................................................................+++++
e is 65537 (0x010001)
[root@CentOS8 app1]#openssl req -new -key /data/app1/app1.key -out /data/app1/app1.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:henan
Locality Name (eg, city) [Default City]:jiaozuo
Organization Name (eg, company) [Default Company Ltd]:DCC
Organizational Unit Name (eg, section) []:it
Common Name (eg, your name or your server's hostname) []:
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@CentOS8 app1]#ll
total 8
-rw-r--r-- 1 root root 964 Feb 6 23:03 app1.csr
-rw------- 1 root root 1675 Feb 6 23:01 app1.key
默认有三项内容必须和CA一致:国家,省份,组织,如果不同,会出现错误提示
**(5) CA颁发证书**
[root@CentOS8 app1]#openssl ca -in /data/app1/app1.csr -out /etc/pki/CA/certs/app1.crt -days 1000
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 10 (0xa)
Validity
Not Before: Feb 6 15:13:26 2021 GMT
Not After : Nov 3 15:13:26 2023 GMT
Subject:
countryName = CN
stateOrProvinceName = henan
organizationName = DCC
organizationalUnitName = IT
commonName = app1.lirui.org
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
C6:76:BA:AB:AF:2D:F7:50:02:F9:37:A1:18:3B:F5:69:37:61:5F:AA
X509v3 Authority Key Identifier:
keyid:C0:40:4F:D3:4A:1D:E8:33:45:70:4E:1E:31:FD:D2:00:57:1F:35:D7
Certificate is to be certified until Nov 3 15:13:26 2023 GMT (1000 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@CentOS8 app1]#cd /etc/pki/CA
[root@CentOS8 CA]#tree
.
├── cacert.pem
├── certs
│ └── app1.crt
├── crl
├── index.txt
├── index.txt.attr
├── index.txt.old
├── newcerts
│ └── 0A.pem
├── private
│ └── cakey.pem
├── serial
└── serial.old
4 directories, 9 files
(6) 查看证书
[root@CentOS8 CA]#openssl x509 -in /etc/pki/CA/certs/app1.crt -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 10 (0xa)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = CN, ST = henan, L = jiaozuo, O = DCC, OU = IT, CN = ca.lirui.org, emailAddress = aaa@lirui.org
Validity
Not Before: Feb 6 15:13:26 2021 GMT
Not After : Nov 3 15:13:26 2023 GMT
Subject: C = CN, ST = henan, O = DCC, OU = IT, CN = app1.lirui.org
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
00:9d:b2:71:a7:57:34:75:43:9c:0b:b5:2f:43:fd:
5d:ee:55:69:e4:f5:a7:c8:03:bb:0b:1f:e5:ab:81:
b8:a2:f1:03:6f:fa:4b:18:ac:1e:ba:ad:ba:3b:39:
2b:4e:fe:c7:49:c8:8f:12:e0:fd:0d:66:87:8e:ab:
70:79:70:be:09:d9:ba:85:77:60:96:35:61:b8:aa:
07:02:a9:c6:7d:c9:44:32:cb:d0:f8:b5:48:2a:65:
30:9a:ce:a5:af:52:02:c8:88:60:ae:ae:fc:a3:96:
e0:0c:85:ab:01:18:ff:af:12:c3:86:16:2d:f1:36:
48:49:73:ca:ba:92:11:41:e4:8b:62:a8:18:15:4c:
e0:1c:b6:9c:b2:45:39:2b:66:43:a6:b5:21:75:45:
b4:6b:11:38:e6:91:f2:28:a3:ee:89:01:4e:85:9e:
dd:70:f6:3d:cf:1d:3b:16:57:96:18:6a:65:41:36:
64:94:4b:b0:4c:3e:63:ca:90:a4:a8:2d:07:58:ee:
6a:cd:ee:69:e3:1f:46:72:a7:64:a7:dc:88:77:5a:
6f:8b:6a:bb:4c:08:fa:bb:2b:68:01:71:e9:b3:92:
8a:83:bd:fd:fc:6c:3d:9a:9c:20:d1:15:c8:f3:cb:
c4:cb:44:c6:2d:42:5f:44:37:67:53:8a:b1:fd:ea:
eb:b1
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
C6:76:BA:AB:AF:2D:F7:50:02:F9:37:A1:18:3B:F5:69:37:61:5F:AA
X509v3 Authority Key Identifier:
keyid:C0:40:4F:D3:4A:1D:E8:33:45:70:4E:1E:31:FD:D2:00:57:1F:35:D7
Signature Algorithm: sha256WithRSAEncryption
4c:e3:9f:2f:d6:d9:50:85:03:e1:42:14:0e:91:ed:6e:48:e2:
22:4b:75:84:22:ae:10:62:a7:90:66:06:27:24:49:4d:92:73:
15:ca:6e:90:44:40:88:d1:90:bd:83:34:4c:99:97:08:4b:92:
10:40:2f:ad:f6:3e:b2:36:b7:b3:28:ae:17:22:4a:a0:9e:0a:
94:c4:56:5c:5c:fe:2e:26:ef:f0:31:1c:7d:8f:31:28:d6:a6:
60:01:38:29:b8:41:13:2b:3d:2b:f1:7b:99:f1:03:59:b4:68:
6a:23:32:d7:ea:3b:8d:c9:ea:87:cd:d8:04:86:1e:b5:c0:73:
7e:00:a0:bf:da:2c:b7:77:fb:44:f7:87:8c:9b:ad:6d:78:d0:
35:7d:e5:aa:18:e4:8b:6e:44:85:ef:e9:b9:f4:dc:49:47:2e:
bb:ca:53:a8:8b:06:ae:6d:aa:2a:c9:a4:58:89:72:59:77:79:
de:c0:1e:05:23:f6:fa:08:ca:37:90:8d:58:4c:1a:a7:65:44:
82:2b:b4:ef:b3:d7:41:02:f5:b9:b6:e8:9f:01:f7:b7:bf:2f:
6b:b4:9b:88:f3:76:77:c8:d7:02:b1:95:de:00:79:5e:b4:86:
8e:68:df:99:e2:9a:32:be:a6:f5:a8:65:35:00:7a:3d:91:27:
38:40:c0:c1
**(7) 将证书相关文件发送到用户端使用**
[root@CentOS8 CA]#cp /etc/pki/CA/certs/app1.crt /data/app1
[root@CentOS8 CA]#tree /data/app1
/data/app1
├── app1.crt
├── app1.csr
└── app1.key
0 directories, 3 files
2、总结ssh常用参数、用法
命令格式:
ssh [option] [user@]host [COMMAND]
ssh [option] [-l user] host [COMMAND]
常用选项
-p port:远程服务器监听的端口
-b 指定连接的源IP
-v 调试模式
-C 压缩方式
-X 支持x11转发
-t 强制伪tty分配,如:ssh -t remoteserver1 ssh -t remoteserver2 ssh remoteserver3
-o option 如:-o StrictHostKeyChecking=no
-i <file> 指定私钥文件路径,实现基于key验证,默认使用文件: ~/.ssh/id_dsa,~/.ssh/id_ecdsa, ~/.ssh/id_ed25519,~/.ssh/id_rsa等
3、总结sshd服务常用参数
服务器端的配置文件: /etc/ssh/sshd_config
常用参数:
Port
ListenAddress ip
LoginGraceTime 2m
PermitRootLogin yes #默认ubuntu不允许root远程ssh登录
StrictModes yes #检查.ssh/文件的所有者,权限等
MaxAuthTries 6 #
MaxSessions 10 #同一个连接最大会话
PubkeyAuthentication yes #基于key验证
PermitEmptyPasswords no #空密码连接
PasswordAuthentication yes #基于用户名和密码连接
GatewayPorts no
ClientAliveInterval 10 #单位:秒
ClientAliveCountMax 3 #默认3
UseDNS yes #提高速度可改为no
GSSAPIAuthentication yes #提高速度可改为no
MaxStartups #未认证连接最大值,默认值10
Banner /path/file