Linux Study Notes: Week 14

1. Create a private CA and request a certificate

**(1) Create the CA directories and files**

    [root@CentOS8 test]#mkdir -pv /etc/pki/CA/{certs,crl,newcerts,private}
    mkdir: created directory '/etc/pki/CA'
    mkdir: created directory '/etc/pki/CA/certs'
    mkdir: created directory '/etc/pki/CA/crl'
    mkdir: created directory '/etc/pki/CA/newcerts'
    mkdir: created directory '/etc/pki/CA/private'
    [root@CentOS8 test]#tree /etc/pki/CA
    /etc/pki/CA
    ├── certs
    ├── crl
    ├── newcerts
    └── private

**(2) Create the CA private key**

    [root@CentOS8 test]#cd /etc/pki/CA
    [root@CentOS8 CA]#(umask 066; openssl genrsa -out private/cakey.pem 2048)
    Generating RSA private key, 2048 bit long modulus (2 primes)
    .................................................................+++++
    ..........................................................+++++
    e is 65537 (0x010001)
    [root@CentOS8 CA]#ll
    total 0
    drwxr-xr-x 2 root root  6 Feb  5 22:13 certs
    drwxr-xr-x 2 root root  6 Feb  5 22:13 crl
    drwxr-xr-x 2 root root  6 Feb  5 22:13 newcerts
    drwxr-xr-x 2 root root 23 Feb  5 22:16 private
    [root@CentOS8 CA]#tree /etc/pki/CA/
    /etc/pki/CA/
    ├── certs
    ├── crl
    ├── newcerts
    └── private
        └── cakey.pem

    4 directories, 1 file
    [root@CentOS8 CA]#ll private/
    total 4
    -rw------- 1 root root 1679 Feb  5 22:16 cakey.pem
**(3) Issue the CA its self-signed certificate**

    [root@CentOS8 CA]#openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 3650 -out /etc/pki/CA/cacert.pem
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.

    Country Name (2 letter code) [XX]:CN
    State or Province Name (full name) []:henan
    Locality Name (eg, city) [Default City]:jiaozuo
    Organization Name (eg, company) [Default Company Ltd]:DCC
    Organizational Unit Name (eg, section) []:IT
    Common Name (eg, your name or your server's hostname) []:ca.lirui.org
    Email Address []:aaa@lirui.org

    [root@CentOS8 CA]#tree `pwd`
    /etc/pki/CA
    ├── cacert.pem
    ├── certs
    ├── crl
    ├── newcerts
    └── private
        └── cakey.pem

    4 directories, 2 files

**(4) The user generates a private key and a certificate request**

    [root@CentOS8 ~]#mkdir /data/app1
    [root@CentOS8 app1]#(umask 066; openssl genrsa -out /data/app1/app1.key 2048)
    Generating RSA private key, 2048 bit long modulus (2 primes)
    .........+++++
    ............................................................................................................................................................................................+++++
    e is 65537 (0x010001)

    [root@CentOS8 app1]#openssl req -new -key /data/app1/app1.key  -out /data/app1/app1.csr
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [XX]:CN
    State or Province Name (full name) []:henan
    Locality Name (eg, city) [Default City]:jiaozuo
    Organization Name (eg, company) [Default Company Ltd]:DCC
    Organizational Unit Name (eg, section) []:it
    Common Name (eg, your name or your server's hostname) []:
    Email Address []:

    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:
    [root@CentOS8 app1]#ll
    total 8
    -rw-r--r-- 1 root root  964 Feb  6 23:03 app1.csr
    -rw------- 1 root root 1675 Feb  6 23:01 app1.key

By default three fields of the request must match the CA certificate: country, state/province and organization. If any of them differs, openssl ca refuses the request with an error.

**(5) The CA issues the certificate**

    [root@CentOS8 app1]#openssl ca -in /data/app1/app1.csr -out /etc/pki/CA/certs/app1.crt -days 1000
    Using configuration from /etc/pki/tls/openssl.cnf
    Check that the request matches the signature
    Signature ok
    Certificate Details:
            Serial Number: 10 (0xa)
            Validity
                Not Before: Feb  6 15:13:26 2021 GMT
                Not After : Nov  3 15:13:26 2023 GMT
            Subject:
                countryName               = CN
                stateOrProvinceName       = henan
                organizationName          = DCC
                organizationalUnitName    = IT
                commonName                = app1.lirui.org
            X509v3 extensions:
                X509v3 Basic Constraints: 
                    CA:FALSE
                Netscape Comment: 
                    OpenSSL Generated Certificate
                X509v3 Subject Key Identifier: 
                    C6:76:BA:AB:AF:2D:F7:50:02:F9:37:A1:18:3B:F5:69:37:61:5F:AA
                X509v3 Authority Key Identifier: 
                    keyid:C0:40:4F:D3:4A:1D:E8:33:45:70:4E:1E:31:FD:D2:00:57:1F:35:D7

    Certificate is to be certified until Nov  3 15:13:26 2023 GMT (1000 days)
    Sign the certificate? [y/n]:y

    1 out of 1 certificate requests certified, commit? [y/n]y
    Write out database with 1 new entries
    Data Base Updated

    [root@CentOS8 app1]#cd /etc/pki/CA
    [root@CentOS8 CA]#tree
    .
    ├── cacert.pem
    ├── certs
    │   └── app1.crt
    ├── crl
    ├── index.txt
    ├── index.txt.attr
    ├── index.txt.old
    ├── newcerts
    │   └── 0A.pem
    ├── private
    │   └── cakey.pem
    ├── serial
    └── serial.old

    4 directories, 9 files

**(6) View the certificate**

    [root@CentOS8 CA]#openssl x509 -in /etc/pki/CA/certs/app1.crt -noout -text
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number: 10 (0xa)
            Signature Algorithm: sha256WithRSAEncryption
            Issuer: C = CN, ST = henan, L = jiaozuo, O = DCC, OU = IT, CN = ca.lirui.org, emailAddress = aaa@lirui.org
            Validity
                Not Before: Feb  6 15:13:26 2021 GMT
                Not After : Nov  3 15:13:26 2023 GMT
            Subject: C = CN, ST = henan, O = DCC, OU = IT, CN = app1.lirui.org
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                    RSA Public-Key: (2048 bit)
                    Modulus:
                        00:9d:b2:71:a7:57:34:75:43:9c:0b:b5:2f:43:fd:
                        5d:ee:55:69:e4:f5:a7:c8:03:bb:0b:1f:e5:ab:81:
                        b8:a2:f1:03:6f:fa:4b:18:ac:1e:ba:ad:ba:3b:39:
                        2b:4e:fe:c7:49:c8:8f:12:e0:fd:0d:66:87:8e:ab:
                        70:79:70:be:09:d9:ba:85:77:60:96:35:61:b8:aa:
                        07:02:a9:c6:7d:c9:44:32:cb:d0:f8:b5:48:2a:65:
                        30:9a:ce:a5:af:52:02:c8:88:60:ae:ae:fc:a3:96:
                        e0:0c:85:ab:01:18:ff:af:12:c3:86:16:2d:f1:36:
                        48:49:73:ca:ba:92:11:41:e4:8b:62:a8:18:15:4c:
                        e0:1c:b6:9c:b2:45:39:2b:66:43:a6:b5:21:75:45:
                        b4:6b:11:38:e6:91:f2:28:a3:ee:89:01:4e:85:9e:
                        dd:70:f6:3d:cf:1d:3b:16:57:96:18:6a:65:41:36:
                        64:94:4b:b0:4c:3e:63:ca:90:a4:a8:2d:07:58:ee:
                        6a:cd:ee:69:e3:1f:46:72:a7:64:a7:dc:88:77:5a:
                        6f:8b:6a:bb:4c:08:fa:bb:2b:68:01:71:e9:b3:92:
                        8a:83:bd:fd:fc:6c:3d:9a:9c:20:d1:15:c8:f3:cb:
                        c4:cb:44:c6:2d:42:5f:44:37:67:53:8a:b1:fd:ea:
                        eb:b1
                    Exponent: 65537 (0x10001)
            X509v3 extensions:
                X509v3 Basic Constraints:
                    CA:FALSE
                Netscape Comment:
                    OpenSSL Generated Certificate
                X509v3 Subject Key Identifier:
                    C6:76:BA:AB:AF:2D:F7:50:02:F9:37:A1:18:3B:F5:69:37:61:5F:AA
                X509v3 Authority Key Identifier:
                    keyid:C0:40:4F:D3:4A:1D:E8:33:45:70:4E:1E:31:FD:D2:00:57:1F:35:D7

        Signature Algorithm: sha256WithRSAEncryption
             4c:e3:9f:2f:d6:d9:50:85:03:e1:42:14:0e:91:ed:6e:48:e2:
             22:4b:75:84:22:ae:10:62:a7:90:66:06:27:24:49:4d:92:73:
             15:ca:6e:90:44:40:88:d1:90:bd:83:34:4c:99:97:08:4b:92:
             10:40:2f:ad:f6:3e:b2:36:b7:b3:28:ae:17:22:4a:a0:9e:0a:
             94:c4:56:5c:5c:fe:2e:26:ef:f0:31:1c:7d:8f:31:28:d6:a6:
             60:01:38:29:b8:41:13:2b:3d:2b:f1:7b:99:f1:03:59:b4:68:
             6a:23:32:d7:ea:3b:8d:c9:ea:87:cd:d8:04:86:1e:b5:c0:73:
             7e:00:a0:bf:da:2c:b7:77:fb:44:f7:87:8c:9b:ad:6d:78:d0:
             35:7d:e5:aa:18:e4:8b:6e:44:85:ef:e9:b9:f4:dc:49:47:2e:
             bb:ca:53:a8:8b:06:ae:6d:aa:2a:c9:a4:58:89:72:59:77:79:
             de:c0:1e:05:23:f6:fa:08:ca:37:90:8d:58:4c:1a:a7:65:44:
             82:2b:b4:ef:b3:d7:41:02:f5:b9:b6:e8:9f:01:f7:b7:bf:2f:
             6b:b4:9b:88:f3:76:77:c8:d7:02:b1:95:de:00:79:5e:b4:86:
             8e:68:df:99:e2:9a:32:be:a6:f5:a8:65:35:00:7a:3d:91:27:
             38:40:c0:c1

**(7) Send the certificate files to the user side**

    [root@CentOS8 CA]#cp /etc/pki/CA/certs/app1.crt /data/app1
    [root@CentOS8 CA]#tree /data/app1
    /data/app1
    ├── app1.crt
    ├── app1.csr
    └── app1.key

    0 directories, 3 files
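The seven steps above, as one added example that is not part of the original post: the same private-CA workflow run non-interactively (openssl's `-subj` and `-batch` flags instead of the prompts) against a scratch directory given as the first argument rather than /etc/pki/CA, with a minimal openssl.cnf written by the script whose policy_match section reproduces the three must-match fields noted in step (4). It then does the two checks a practitioner wants after issuance: the certificate chains to cacert.pem and its modulus matches the user's key. Assumptions: openssl in PATH; the DN values are the ones used in the post.

```shell
# Added example, not from the original post: the same private-CA workflow run
# non-interactively against a scratch directory ($1, assumed; not /etc/pki/CA)
# with a minimal openssl.cnf written by the script, plus the checks afterwards.
set -eu

ca_setup() {  # $1 = CA dir: layout, openssl ca database files, key, self-signed cert
  d=$1; mkdir -p "$d/certs" "$d/crl" "$d/newcerts" "$d/private"
  touch "$d/index.txt"; echo 0A >"$d/serial"    # what openssl ca reads and updates
  cat >"$d/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $d
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
certificate = \$dir/cacert.pem
private_key = \$dir/private/cakey.pem
default_md = sha256
policy = policy_match
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
EOF
  (umask 066; openssl genrsa -out "$d/private/cakey.pem" 2048 2>/dev/null)
  openssl req -config "$d/openssl.cnf" -new -x509 -key "$d/private/cakey.pem" -days 3650 \
    -subj "/C=CN/ST=henan/L=jiaozuo/O=DCC/OU=IT/CN=ca.lirui.org" -out "$d/cacert.pem"
}

ca_issue() {  # $1 = CA dir, $2 = name, $3 = subject DN; fails when the DN violates policy_match
  d=$1; n=$2; (umask 066; openssl genrsa -out "$d/$n.key" 2048 2>/dev/null)
  openssl req -config "$d/openssl.cnf" -new -key "$d/$n.key" -subj "$3" -out "$d/$n.csr"
  openssl ca -config "$d/openssl.cnf" -batch -in "$d/$n.csr" -out "$d/certs/$n.crt" \
    -days 1000 >/dev/null 2>&1
}
ca_verify() {  # $1 = CA dir, $2 = name: the cert chains to cacert.pem and matches its key
  d=$1; n=$2; openssl verify -CAfile "$d/cacert.pem" "$d/certs/$n.crt" >/dev/null &&
  [ "$(openssl x509 -noout -modulus -in "$d/certs/$n.crt")" = \
    "$(openssl rsa -noout -modulus -in "$d/$n.key")" ]
}
```

Usage after sourcing the file: `d=$(mktemp -d); ca_setup "$d"; ca_issue "$d" app1 "/C=CN/ST=henan/O=DCC/OU=IT/CN=app1.lirui.org" && ca_verify "$d" app1`; a request whose O or ST differs from the CA is refused, which is the error described in step (4).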

2. Summary of common ssh options and usage

Command format:

    ssh [option] [user@]host [COMMAND]
    ssh [option] [-l user] host [COMMAND]

Common options:

    -p port      port the remote server listens on
    -b           source IP address to connect from
    -v           verbose (debug) mode
    -C           enable compression
    -X           enable X11 forwarding
    -t           force pseudo-tty allocation, e.g. ssh -t remoteserver1 ssh -t remoteserver2 ssh remoteserver3
    -o option    pass a configuration option, e.g. -o StrictHostKeyChecking=no
    -i <file>    private key file for key-based authentication; by default the files ~/.ssh/id_dsa, ~/.ssh/id_ecdsa, ~/.ssh/id_ed25519, ~/.ssh/id_rsa and so on are tried

3. Summary of common sshd parameters

Server-side configuration file: /etc/ssh/sshd_config

Common parameters:

    Port
    ListenAddress ip
    LoginGraceTime 2m
    PermitRootLogin yes           # Ubuntu does not allow remote root ssh login by default
    StrictModes yes               # check the ownership and permissions of the files under .ssh/
    MaxAuthTries 6
    MaxSessions 10                # maximum number of sessions per connection
    PubkeyAuthentication yes      # key-based authentication
    PermitEmptyPasswords no       # whether accounts with an empty password may connect
    PasswordAuthentication yes    # username and password authentication
    GatewayPorts no
    ClientAliveInterval 10        # unit: seconds
    ClientAliveCountMax 3         # default 3
    UseDNS yes                    # set to no for faster logins
    GSSAPIAuthentication yes      # set to no for faster logins
    MaxStartups                   # maximum number of unauthenticated connections, default 10
    Banner /path/file
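An added example, not part of the original post, that turns the parameter list above into a check: a POSIX-shell audit of an sshd_config file for the risky or slow settings just discussed (PermitRootLogin, PermitEmptyPasswords, PasswordAuthentication, ClientAliveInterval, UseDNS, GSSAPIAuthentication). It follows sshd's first-match rule (the first occurrence of a directive wins, later repeats are ignored, and anything after a Match line is skipped) and fills in the upstream OpenSSH defaults for absent directives (PermitRootLogin prohibit-password, PasswordAuthentication yes, PermitEmptyPasswords no, ClientAliveInterval 0, UseDNS no, GSSAPIAuthentication no); distribution files such as the CentOS one set several of these explicitly, which the audit then reads. The two sample configs and the wording of the findings are constructed here.

```shell
# Added example, not part of the original post: audit an sshd_config file for
# the risky or slow settings from the list above, using sshd's first-match rule
# and the upstream OpenSSH default for any directive that is absent.

sshd_get() {  # $1 = file, $2 = directive, $3 = default; prints the effective value, lowercased
  awk -v k="$2" -v d="$3" '
    tolower($1) == "match" { exit }
    $1 !~ /^#/ && tolower($1) == tolower(k) { print tolower($2); found = 1; exit }
    END { if (!found) print tolower(d) }' "$1"
}

sshd_audit() {  # $1 = file; prints one finding per line
  f=$1
  [ "$(sshd_get "$f" PermitRootLogin prohibit-password)" = yes ] &&
    echo "PermitRootLogin yes: root can log in with a password; use prohibit-password or no"
  [ "$(sshd_get "$f" PermitEmptyPasswords no)" = yes ] &&
    echo "PermitEmptyPasswords yes: accounts with an empty password can log in"
  [ "$(sshd_get "$f" PasswordAuthentication yes)" = yes ] &&
    echo "PasswordAuthentication yes: open to guessing; move to PubkeyAuthentication, then set no"
  [ "$(sshd_get "$f" ClientAliveInterval 0)" -eq 0 ] &&
    echo "ClientAliveInterval 0: dead sessions are never reaped; e.g. 10 with ClientAliveCountMax 3"
  [ "$(sshd_get "$f" UseDNS no)" = yes ] &&
    echo "UseDNS yes: a reverse DNS lookup delays every login; set no"
  [ "$(sshd_get "$f" GSSAPIAuthentication no)" = yes ] &&
    echo "GSSAPIAuthentication yes: slows logins where Kerberos is not used; set no"
  return 0
}

sshd_findings() { sshd_audit "$1" | awk 'END { print NR }'; }  # number of findings

sshd_samples() {  # $1 = dir; writes a constructed weak config and a hardened one
  cat >"$1/weak.conf" <<'EOF'
PermitRootLogin yes
PasswordAuthentication yes
PermitEmptyPasswords yes
UseDNS yes
GSSAPIAuthentication yes
PermitRootLogin no
EOF
  cat >"$1/hard.conf" <<'EOF'
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
PermitEmptyPasswords no
ClientAliveInterval 10
ClientAliveCountMax 3
UseDNS no
EOF
}
```

The trailing `PermitRootLogin no` in weak.conf is deliberately ignored, because sshd keeps the first value it sees; run `sshd_audit /etc/ssh/sshd_config` on a real host to list its findings.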