Creating a private CA and requesting a certificate.
Two CentOS hosts: one acts as the CA, the other as the client.
Before carrying out this exercise, first look at the OpenSSL configuration file /etc/pki/tls/openssl.cnf. It defines the CA's issuing policy and the naming and storage rules for the CA's files.
[root@CA ~]# cat /etc/pki/tls/openssl.cnf
[ ca ]
default_ca = CA_default # The default ca section
####################################################################
[ CA_default ]
dir = /etc/pki/CA # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
[root@CA CA]# tree
.
├── certs
├── crl
├── newcerts
└── private
- Next, the OpenSSL certificate request and issuance
On the CA host
Create the required files. These two files do not exist by default and must be created beforehand, otherwise no certificate can be issued.
[root@CA CA]# touch /etc/pki/CA/index.txt // create the certificate index database file
[root@CA CA]# echo 01 > /etc/pki/CA/serial // set the serial number of the first certificate to be issued
Generate the CA private key
[root@CA ~]# cd /etc/pki/CA/
[root@CA CA]# (umask 066;openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus
.........................................................................+++
......................................................+++
e is 65537 (0x10001)
Generate the self-signed CA certificate
[root@CA CA]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 7300 -out /etc/pki/CA/cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
On the host requesting the certificate
Generate the private key on the host that needs the certificate
[root@client pki]# (umask 066; openssl genrsa -out /etc/pki/tls/private/test.key 2048)
Generating RSA private key, 2048 bit long modulus
.....+++
..............................................................................+++
e is 65537 (0x10001)
Generate the certificate request file
[root@client pki]# openssl req -new -key /etc/pki/tls/private/test.key -days 365 -out /etc/pki/tls/test.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Transfer the certificate request file to the CA
[root@client pki]# scp /etc/pki/tls/test.csr 192.168.239.130:/data/
test.csr 100% 1013 32.2KB/s 00:00
The CA signs the certificate and issues it to the requester
[root@CA CA]# openssl ca -in /data/test.csr -out /etc/pki/CA/certs/test.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Oct 17 14:04:52 2019 GMT
Not After : Oct 16 14:04:52 2020 GMT
Subject:
countryName = CN
stateOrProvinceName = HN
organizationName = hailian
organizationalUnitName = hailian-30
commonName = www.yd.cwj.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
76:F4:4D:C1:96:21:98:A3:D2:6A:70:AF:C8:9E:C1:C4:26:9D:06:7D
X509v3 Authority Key Identifier:
keyid:C7:93:0F:D2:1D:E4:FA:2E:11:52:48:5D:9E:9F:10:98:71:DE:
Copy the certificate back to the requesting host.
[root@CA CA]# scp /etc/pki/CA/certs/test.crt 192.168.239.128:/data
test.crt
Note: with the default policy (policy_match in openssl.cnf), the country, state/province and organization name fields of the request must match the CA certificate.
After the certificate has been issued, its contents can be inspected:
[root@CA CA]# openssl x509 -in /etc/pki/CA/certs/test.crt -noout -issuer
issuer= /C=CN/ST=HN/L=wenchang/O=hailian/OU=hailian-30/CN=www.cwj.com
[root@CA CA]# openssl x509 -in /etc/pki/CA/certs/test.crt -noout -subject
subject= /C=CN/ST=HN/O=hailian/OU=hailian-30/CN=www.yd.cwj.com
[root@CA CA]# openssl x509 -in /etc/pki/CA/certs/test.crt -noout -serial -dates
serial=01
notBefore=Oct 17 14:04:52 2019 GMT
notAfter=Oct 16 14:04:52 2020 GMT
The status of a certificate with a given serial number can also be checked:
[root@CA CA]# openssl ca -status 01 // check the status of the certificate with this serial number
Using configuration from /etc/pki/tls/openssl.cnf
01=Valid (V)
The CA directory tree after the certificate has been issued
[root@CA CA]# tree
.
├── cacert.pem
├── certs
│ └── test.crt
├── crl
├── index.txt
├── index.txt.attr
├── index.txt.old
├── newcerts
│ └── 01.pem
├── private
│ └── cakey.pem
├── serial
└── serial.old
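The same CA workflow, as an added example that is not part of the original post: it runs the steps above non-interactively in a scratch directory with a minimal copy of the stock policy_match rule, then checks that an issued certificate verifies against cacert.pem and that a request whose ST differs from the CA is refused. It assumes openssl is installed; every path, DN value and config line is constructed here.

```bash
# Added example (not from the original post): the CA workflow above, run non-interactively in
# a scratch directory and then verified. Assumes openssl is installed; all paths/DNs are constructed.
set -eu

# Builds a throw-away CA with the /etc/pki/CA layout and the same policy_match rule as the
# stock openssl.cnf (C, ST and O must match the CA certificate). Prints the work directory.
make_ca() {
  local work ca; work=$(mktemp -d); ca="$work/CA"
  mkdir -p "$ca/certs" "$ca/crl" "$ca/newcerts" "$ca/private"
  touch "$ca/index.txt"; echo 01 > "$ca/serial"    # the two files that must exist beforehand
  cat > "$work/ca.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $ca
new_certs_dir = \$dir/newcerts
database = \$dir/index.txt
serial = \$dir/serial
certificate = \$dir/cacert.pem
private_key = \$dir/private/cakey.pem
default_md = sha256
policy = policy_match
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
EOF
  (umask 066; openssl genrsa -out "$ca/private/cakey.pem" 2048 2>/dev/null)
  openssl req -new -x509 -key "$ca/private/cakey.pem" -days 7300 -config "$work/ca.cnf" \
    -subj "/C=CN/ST=HN/O=hailian/CN=ca.test" -out "$ca/cacert.pem"   # -subj replaces the DN prompts
  echo "$work"
}

# Client side: key + CSR with subject $2, submitted to the CA under $1/CA. Returns 0 only if a
# certificate was actually issued and it verifies against cacert.pem.
issue_and_verify() {
  local work=$1 subj=$2 out=$1/CA/certs/test.crt; rm -f "$out"  # a stale cert must not mask a rejection
  (umask 066; openssl genrsa -out "$work/test.key" 2048 2>/dev/null)
  openssl req -new -key "$work/test.key" -config "$work/ca.cnf" -subj "$subj" -out "$work/test.csr"
  openssl ca -config "$work/ca.cnf" -batch -days 365 -in "$work/test.csr" -out "$out" 2>/dev/null || return 1
  openssl verify -CAfile "$work/CA/cacert.pem" "$out" >/dev/null 2>&1
}
```

After a successful issue, index.txt holds a line starting with V, newcerts/01.pem exists and serial has advanced to 02, exactly as in the directory tree above.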
Summary of common ssh parameters and usage
The ssh command is the ssh client; it provides authenticated, encrypted access to remote systems. The ssh client configuration file is /etc/ssh/ssh_config.
Common options used with the ssh command:
-p port: the port the remote server listens on
ssh 192.168.1.8 -p 2222
-b: specify the source IP of the connection
ssh 192.168.1.8 -p 2222 -b 192.168.1.88
-v: debug mode
ssh 192.168.1.8 -p 2222 -v
-C: enable compression
-X: enable X11 forwarding
Lets graphical tools on the remote Linux host be used on the local device
-t: force pseudo-tty allocation, e.g. ssh -t remoteserver1 ssh -t remoteserver2 ssh remoteserver3
-o option: pass a configuration option, e.g. -o StrictHostKeyChecking=no (this skips host key verification, so the session is no longer protected against a substituted host; suitable only for a throwaway lab)
-i: identity (private key) file, e.g. ~/.ssh/id_ecdsa, ~/.ssh/id_ed25519, ~/.ssh/id_rsa
Summary of common sshd service parameters.
Server-side configuration file: /etc/ssh/sshd_config
Common parameters:
Port #port number
ListenAddress ip
LoginGraceTime 2m #grace period for completing authentication
PermitRootLogin yes #by default Ubuntu does not allow remote ssh login as root
StrictModes yes #check the ownership and permissions of .ssh/ files
MaxAuthTries 6
MaxSessions 10 #maximum sessions per connection
PubkeyAuthentication yes #key-based authentication
PermitEmptyPasswords no #whether empty-password logins are allowed
PasswordAuthentication yes #username and password authentication
GatewayPorts no
ClientAliveInterval 10 #unit: seconds
ClientAliveCountMax 3 #default 3
UseDNS yes #change to no to speed up logins
GSSAPIAuthentication yes #change to no to speed up logins
MaxStartups #maximum number of unauthenticated connections, default 10
Banner /path/file
The following options restrict which users may log in:
AllowUsers user1 user2 user3
DenyUsers
AllowGroups
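A small audit of the sshd_config settings listed above, as an added example that is not from the original post. sshd applies the first occurrence of each keyword (keywords are case-insensitive), so a later "PasswordAuthentication no" does not override an earlier "yes"; the script reproduces that rule. Match blocks are not handled, and the sample config is constructed.

```bash
# Added example, not from the original post: check an sshd_config against the settings
# listed above. sshd uses the FIRST uncommented occurrence of a keyword (case-insensitive),
# so a later "PasswordAuthentication no" does not override an earlier "yes".
# Match blocks are not handled; the sample config below is constructed.
set -eu

# Prints the effective value of keyword $2 in file $1 (first uncommented match wins),
# or the sshd default passed as $3 when the keyword is absent.
sshd_opt() {
  local val
  val=$(awk -v key="$(echo "$2" | tr 'A-Z' 'a-z')" \
    '$1 !~ /^#/ && tolower($1) == key { print $2; exit }' "$1")
  echo "${val:-$3}"
}

# Prints one line per weak setting found in file $1; no output means none were found.
sshd_audit() {
  local f=$1
  case "$(sshd_opt "$f" PermitRootLogin yes)" in
    no|prohibit-password) ;; *) echo "PermitRootLogin: root login is allowed" ;;
  esac
  [ "$(sshd_opt "$f" PasswordAuthentication yes)" = "no" ] || echo "PasswordAuthentication: passwords accepted"
  [ "$(sshd_opt "$f" PermitEmptyPasswords no)" = "no" ] || echo "PermitEmptyPasswords: empty passwords accepted"
  [ "$(sshd_opt "$f" MaxAuthTries 6)" -le 6 ] || echo "MaxAuthTries: more than 6 attempts per connection"
  [ -n "$(sshd_opt "$f" AllowUsers "")$(sshd_opt "$f" AllowGroups "")" ] || echo "No AllowUsers/AllowGroups restriction"
}

# Constructed sample config: note the commented-out line and the duplicated keyword.
sample_sshd_config() {
  local f; f=$(mktemp)
  cat > "$f" <<'EOF'
Port 22
#PermitRootLogin no
PermitRootLogin yes
PasswordAuthentication yes
PasswordAuthentication no
MaxAuthTries 10
PermitEmptyPasswords no
UseDNS yes
EOF
  echo "$f"
}
```

Run sshd_audit against /etc/ssh/sshd_config on a real host to list the settings worth tightening; on the constructed sample it reports four findings.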
Setting up a dhcp service to hand out IP addresses
yum -y install dhcp
- After installing the dhcp service, edit its configuration file
vim /etc/dhcp/dhcpd.conf
# option definitions common to all supported networks...
option domain-name "example.org";
option domain-name-servers 8.8.8.8, 114.114.114.114; # DNS addresses
# No service will be given on this subnet, but declaring it helps the
# DHCP server to understand the network topology.
subnet 192.168.75.0 netmask 255.255.255.0 # network and subnet mask
{
range 192.168.75.141 192.168.75.180; # address range
option routers 192.168.75.2; # gateway
next-server 192.168.1.100; # TFTP server address
filename "pxelinux.0"; # name of the bootloader file
}
- The DHCP server assigns a fixed IP to a specific host
host test {
hardware ethernet 00:0c:29:cd:90:10;
fixed-address 10.0.0.123; # fixed IP
}
- After writing the configuration file, restart the dhcp service
The dhcp client's address request process
dhclient -d
DHCP server log
[root@centos8 ~]#tail -f /var/lib/dhcpd/dhcpd.leases
DHCP client log
[root@centos7 ~]#ls /var/lib/dhclient/
dhclient.leases
[root@centos7 ~]#cat /var/lib/dhclient/dhclient.leases
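A reader of the server-side lease log tailed above, as an added example that is not part of the original post: dhcpd appends a new block every time a lease changes state, so the last block for an IP is the current one, and the script reports the newest state per address and the addresses currently active. The lease text is constructed; the real /var/lib/dhcpd/dhcpd.leases is normally readable only by root or the dhcpd user.

```bash
# Added example, not from the original post: summarise /var/lib/dhcpd/dhcpd.leases, the
# server-side lease log shown above. dhcpd appends a new block each time a lease changes
# state, so the LAST block for an IP is the current one. The lease text used here is
# constructed; the real file is normally readable only by root/dhcpd.
set -eu

# Prints "ip mac state hostname" for the newest lease block of each IP in file $1.
dhcp_leases() {
  awk '
    $1 == "lease"                    { ip = $2; mac = "-"; state = "-"; host = "-" }
    $1 == "hardware"                 { mac = $3; sub(/;$/, "", mac) }
    $1 == "binding" && $2 == "state" { state = $3; sub(/;$/, "", state) }  # "next binding state" is skipped
    $1 == "client-hostname"          { host = $2; gsub(/[";]/, "", host) }
    $1 == "}" && ip != ""            { cur[ip] = ip " " mac " " state " " host; ip = "" }
    END { for (k in cur) print cur[k] }' "$1" | sort
}

# Keeps only leases whose newest state is "active" (the addresses in use right now).
dhcp_active() { dhcp_leases "$1" | awk '$3 == "active"'; }

# Constructed sample: .141 is active, .142 was handed out and later released.
sample_leases() {
  local f; f=$(mktemp)
  cat > "$f" <<'EOF'
lease 192.168.75.141 {
  starts 4 2019/10/17 14:04:52;
  ends 4 2019/10/17 14:14:52;
  binding state active;
  next binding state free;
  hardware ethernet 00:0c:29:cd:90:10;
  client-hostname "client1";
}
lease 192.168.75.142 {
  starts 4 2019/10/17 14:05:00;
  binding state active;
  hardware ethernet 00:0c:29:aa:bb:cc;
}
lease 192.168.75.142 {
  starts 4 2019/10/17 14:20:00;
  binding state free;
  hardware ethernet 00:0c:29:aa:bb:cc;
}
EOF
  echo "$f"
}
```

Comparing the MAC column of dhcp_active against the hardware ethernet entries of your host reservations shows which clients on the segment are unknown to the server configuration.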