1. Create a private CA and request a certificate from it (using the openssl tool)
## Create the CA
1. Check whether the CA directory tree exists
[02:15:01 root@lvs-rs2 ~]#tree /etc/pki/CA/
/etc/pki/CA/
├── certs
├── crl
├── newcerts
└── private
2. Create the CA's private key
[02:15:12 root@lvs-rs2 ~]#cd /etc/pki/CA/
[02:17:44 root@lvs-rs2 CA]#openssl genrsa -out private/cakey.pem 2048
Generating RSA private key, 2048 bit long modulus
..................+++
..+++
e is 65537 (0x10001)
[02:18:46 root@lvs-rs2 CA]#ls -l private/cakey.pem
-rw-r--r-- 1 root root 1675 Apr 27 02:18 private/cakey.pem
[02:19:02 root@lvs-rs2 CA]#chmod 600 private/cakey.pem
Note: with the default umask the key is written as 0644 (see the ls above) and is world-readable until the chmod runs. Running genrsa under umask 077 creates it as 0600 from the start, and the private/ directory itself should be mode 700. This key signs every certificate the CA issues; anyone who reads it can issue certificates your clients trust.
3. Generate the CA's self-signed certificate and inspect it (note the CA:TRUE basic constraint and the 10-year validity in the output)
[02:19:26 root@lvs-rs2 CA]#openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 3650 -out /etc/pki/CA/cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:SJZ
Locality Name (eg, city) [Default City]:SJZ
Organization Name (eg, company) [Default Company Ltd]:zf
Organizational Unit Name (eg, section) []:zf.com
Common Name (eg, your name or your server's hostname) []:zf.com
Email Address []:
[02:26:23 root@lvs-rs2 CA]#openssl x509 -in cacert.pem -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
99:22:b1:f6:6c:a9:9b:2a
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=CN, ST=SJZ, L=SJZ, O=zf, OU=zf.com, CN=zf.com
Validity
Not Before: Apr 27 06:26:17 2021 GMT
Not After : Apr 25 06:26:17 2031 GMT
Subject: C=CN, ST=SJZ, L=SJZ, O=zf, OU=zf.com, CN=zf.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:9b:20:50:52:9d:ad:d9:b5:a6:6f:3a:bd:45:8f:
42:0c:37:7f:af:80:b1:52:29:e2:79:3f:13:a7:af:
76:fb:0b:b8:47:46:79:6b:31:48:20:de:3a:1c:3b:
8f:55:1e:63:7d:82:66:55:90:a7:9c:de:a6:09:22:
e5:29:41:03:3a:c2:77:3c:05:cb:18:72:2d:72:29:
8e:aa:86:09:bf:45:5b:8c:10:05:03:12:02:67:ab:
1a:8c:f0:c6:13:0e:ec:13:79:1e:9a:4c:02:72:4a:
57:de:d7:20:a4:22:1b:1f:e5:a0:37:f6:12:1b:95:
a2:5e:24:87:3d:d0:a7:62:2c:33:70:39:0f:07:78:
2f:f6:57:97:03:65:84:85:5e:f7:52:3e:07:b1:24:
9c:64:4e:db:15:91:c5:74:f9:bf:39:73:6e:29:c7:
32:21:ba:d3:f0:71:a4:fb:06:af:1f:b5:f8:7d:4a:
09:25:67:11:ab:43:41:80:55:40:fa:6a:e4:7f:84:
16:06:be:09:34:8e:43:dc:65:d0:f3:b7:c0:4b:07:
c0:d5:e3:cc:36:cc:5c:6c:3a:e1:b3:b6:1d:b6:7c:
0d:13:e4:e3:bc:3e:c0:05:3c:d1:c1:f2:75:dd:36:
05:9c:49:70:18:46:a3:3d:b9:33:bc:7d:3f:30:4a:
99:21
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
11:B5:29:90:41:5A:64:69:4E:01:D9:34:B9:9D:CD:96:2F:B9:AE:57
X509v3 Authority Key Identifier:
keyid:11:B5:29:90:41:5A:64:69:4E:01:D9:34:B9:9D:CD:96:2F:B9:AE:57
X509v3 Basic Constraints:
CA:TRUE
Signature Algorithm: sha256WithRSAEncryption
20:54:43:8b:62:37:2e:d9:0f:bd:b1:09:29:3e:67:3b:b3:94:
b9:6f:39:dc:17:55:2d:11:65:74:6d:16:a1:c1:35:92:aa:2d:
25:e7:fc:8f:0f:f8:d2:db:2f:75:c8:2f:70:a8:00:25:ff:26:
d4:4f:5f:8e:61:03:29:f0:e4:e0:83:18:25:be:29:84:fe:c0:
28:40:c5:94:a9:4e:86:3f:42:74:b5:78:83:ec:3b:f3:78:89:
be:ce:81:4d:f2:f7:10:8d:f8:d3:5a:d0:d8:ea:41:13:ec:f7:
52:78:97:e9:69:e3:f1:96:b7:a8:f6:eb:c0:b9:11:11:38:dd:
b7:da:fa:1c:6c:47:a4:e4:98:88:ea:76:8e:21:26:13:77:46:
99:ec:51:dc:11:7b:a4:c6:c2:92:4c:b2:db:5d:05:67:a2:ec:
b4:d7:78:f9:85:ad:97:69:f4:99:80:64:a9:45:db:bd:d7:24:
fa:40:44:68:1b:f3:4f:40:d3:f5:b4:9c:87:30:85:87:a5:f5:
2c:f5:f5:73:8f:99:ff:c7:9b:06:08:05:3c:a7:e9:8d:76:18:
97:d5:8f:d4:63:4c:df:2d:20:93:f8:0a:d2:75:c1:c1:72:3d:
03:f9:67:02:ec:9e:8b:ad:71:ce:fb:7a:8a:b0:a2:31:ff:d6:
27:5f:54:3e
## Request and issue a certificate
1. Create the private key for the host that needs the certificate (the file is called http.pub.key in these notes, but it is the private key, not a public key; name it accordingly and keep it 0600)
[03:32:27 root@lvs-rs2 CA]#openssl genrsa -out /data/http.pub.key 2048
Generating RSA private key, 2048 bit long modulus
..........................................................................+++
.................+++
e is 65537 (0x10001)
[04:49:36 root@lvs-rs2 CA]#chmod 600 /data/http.pub.key
2. Create the certificate signing request (CSR) for that host
[04:51:11 root@lvs-rs2 CA]#openssl req -new -key /data/http.pub.key -out /data/http.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:SJZ
Locality Name (eg, city) [Default City]:SJZ
Organization Name (eg, company) [Default Company Ltd]:zf
Organizational Unit Name (eg, section) []:www.zf.com
Common Name (eg, your name or your server's hostname) []:zf
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Note: the CSR above puts the hostname (www.zf.com) in the OU field and only "zf" in the Common Name. Browsers match the server name against the subjectAltName extension and ignore the CN, and the certificate issued below carries no SAN at all (the usr_cert extension set adds none); even a client that still falls back to the CN will not find the hostname there. For a server certificate the CN should be the FQDN and the same name must be present as a DNS SAN. The "challenge password" is an attribute stored in the CSR, not a passphrase on the key, and can be left blank.
3. The CA signs the request and issues the certificate (a 10-year server certificate is longer than clients tolerate; several platforms refuse TLS server certificates valid for more than 825 days, so one to two years is the usual choice for a private CA)
[04:58:28 root@lvs-rs2 CA]#openssl ca -in /data/http.csr -out /etc/pki/CA/certs/http.crt -days 3650
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Apr 27 08:58:36 2021 GMT
Not After : Apr 25 08:58:36 2031 GMT
Subject:
countryName = CN
stateOrProvinceName = SJZ
organizationName = zf
organizationalUnitName = www.zf.com
commonName = zf
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
E7:9C:2B:2A:5F:A0:99:05:BB:26:9B:3B:D8:3C:7D:C6:E7:27:20:6F
X509v3 Authority Key Identifier:
keyid:11:B5:29:90:41:5A:64:69:4E:01:D9:34:B9:9D:CD:96:2F:B9:AE:57
Certificate is to be certified until Apr 25 08:58:36 2031 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Note: the L=SJZ entered in the CSR does not appear in the issued Subject. openssl ca builds the subject only from the attributes listed in the policy section (policy_match, shown below), and localityName is not among them; attributes the policy does not mention are silently dropped. The "match" attributes (C, ST, O) must be identical to the CA certificate's, otherwise the request is rejected.
### Note: if the CA directory is incomplete, issuing a certificate fails with the corresponding error. openssl ca needs the database file index.txt (it may be empty) and a serial file holding the next serial number, e.g. 01, which is why the successful run above reports Serial Number 1. The transcript below shows both failures; only the first (index.txt) is fixed on screen, serial must be seeded the same way.
[04:54:31 root@lvs-rs2 CA]#openssl ca -in /data/http.csr -out /etc/pki/CA/certs/http.crt -days 3650
Using configuration from /etc/pki/tls/openssl.cnf
/etc/pki/CA/index.txt: No such file or directory
unable to open '/etc/pki/CA/index.txt'
139769883940752:error:02001002:system library:fopen:No such file or directory:bss_file.c:402:fopen('/etc/pki/CA/index.txt','r')
139769883940752:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:404:
[04:56:19 root@lvs-rs2 CA]#touch index.txt
[04:56:29 root@lvs-rs2 CA]#openssl ca -in /data/http.csr -out /etc/pki/CA/certs/http.crt -days 3650
Using configuration from /etc/pki/tls/openssl.cnf
/etc/pki/CA/serial: No such file or directory
error while loading serial number
140340128941968:error:02001002:system library:fopen:No such file or directory:bss_file.c:402:fopen('/etc/pki/CA/serial','r')
140340128941968:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:404:
### Reference: the files and directories openssl ca expects are defined in the [ CA_default ] section of /etc/pki/tls/openssl.cnf (excerpt)
[05:00:38 root@lvs-rs2 CA]#cat /etc/pki/tls/openssl.cnf
[ ca ]
default_ca = CA_default # The default ca section
####################################################################
[ CA_default ]
dir = /etc/pki/CA # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
#unique_subject = no # Set to 'no' to allow creation of
# several ctificates with same subject.
new_certs_dir = $dir/newcerts # default place for new certs.
certificate = $dir/cacert.pem # The CA certificate
serial = $dir/serial # The current serial number
crlnumber = $dir/crlnumber # the current crl number
# must be commented out to leave a V1 CRL
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/cakey.pem# The private key
RANDFILE = $dir/private/.rand # private random number file
x509_extensions = usr_cert # The extentions to add to the cert
# Comment out the following two lines for the "traditional"
# (and highly broken) format.
name_opt = ca_default # Subject Name options
cert_opt = ca_default # Certificate field options
# Extension copying option: use with caution.
# copy_extensions = copy
# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL.
# crlnumber must also be commented out to leave a V1 CRL.
# crl_extensions = crl_ext
default_days = 365 # how long to certify for
default_crl_days= 30 # how long before next CRL
default_md = sha256 # use SHA-256 by default
preserve = no # keep passed DN ordering
# A few difference way of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy = policy_match
# For the CA policy
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
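The following script is an added example, not part of the original notes, that runs the whole procedure above (CA creation, CSR, signing, verification) non-interactively in a scratch directory with the same layout as /etc/pki/CA. It fixes the pitfalls the notes ran into: the CA key is created 0600 under umask 077 rather than chmod'ed afterwards, index.txt and serial are created before openssl ca is called, and the leaf certificate gets the hostname as a DNS subjectAltName so that browsers accept it. The DN values (CN, SJZ, zf, www.zf.com) follow the notes; the trimmed openssl.cnf written by write_ca_config, the extension sets, the 825-day leaf validity and the host names are my choices, and evil.example is a constructed request used only to show policy_match rejecting a mismatched organization.

```shell
#!/bin/sh
# Added example, not from the original notes: same layout as /etc/pki/CA in a
# scratch directory; builds the root, seeds index.txt/serial, issues one leaf
# with a SAN and verifies the chain. Requires only the openssl CLI.
set -eu

# Minimal openssl.cnf: the [ CA_default ] keys "openssl ca" requires, the
# policy from the notes (plus localityName, which policy_match otherwise
# drops from the subject) and the extension set for the self-signed root.
write_ca_config() {
    cat > "$1/openssl.cnf" <<EOF
[ ca ]
default_ca    = CA_default

[ CA_default ]
dir           = $1
new_certs_dir = \$dir/newcerts
database      = \$dir/index.txt
serial        = \$dir/serial
certificate   = \$dir/cacert.pem
private_key   = \$dir/private/cakey.pem
default_md    = sha256
default_days  = 825
policy        = policy_match

[ policy_match ]
countryName            = match
stateOrProvinceName    = match
localityName           = optional
organizationName       = match
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional

[ req ]
distinguished_name = req_dn
[ req_dn ]

[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
}

# Create the CA: directory tree, 0600 key, self-signed root, empty database
# and seeded serial (the two files the error transcript complains about).
build_ca() {
    ca="$1"
    mkdir -p "$ca/certs" "$ca/crl" "$ca/newcerts" "$ca/private"
    chmod 700 "$ca/private"
    write_ca_config "$ca"
    # umask in a subshell: the key is born 0600, there is no chmod window.
    (umask 077 && openssl genrsa -out "$ca/private/cakey.pem" 2048 2>/dev/null)
    openssl req -new -x509 -config "$ca/openssl.cnf" -extensions v3_ca \
        -key "$ca/private/cakey.pem" -days 3650 \
        -subj "/C=CN/ST=SJZ/L=SJZ/O=zf/CN=zf Root CA" -out "$ca/cacert.pem"
    : > "$ca/index.txt"      # certificate database; must exist even if empty
    echo 01 > "$ca/serial"   # next serial number to issue
}

# Key + CSR for one host, signed by the CA with leaf extensions and a SAN.
# $3 (organization) defaults to zf; any other value trips policy_match.
issue_cert() {
    ca="$1"; host="$2"; org="${3:-zf}"; work="$ca/work"
    mkdir -p "$work"
    (umask 077 && openssl genrsa -out "$work/$host.key" 2048 2>/dev/null)
    openssl req -new -config "$ca/openssl.cnf" -key "$work/$host.key" \
        -subj "/C=CN/ST=SJZ/L=SJZ/O=$org/CN=$host" -out "$work/$host.csr"
    # Extensions the CA stamps on the leaf; clients match the name against the SAN.
    cat > "$work/$host.ext" <<EOF
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
subjectAltName         = DNS:$host
EOF
    openssl ca -batch -config "$ca/openssl.cnf" -extfile "$work/$host.ext" \
        -notext -in "$work/$host.csr" -out "$ca/certs/$host.crt"
}

# Chain-verify the leaf against the root and confirm the SAN is present.
verify_cert() {
    openssl verify -CAfile "$1/cacert.pem" "$1/certs/$2.crt" >/dev/null &&
        openssl x509 -in "$1/certs/$2.crt" -noout -text | grep -q "DNS:$2"
}

CA_DIR=$(mktemp -d)
build_ca "$CA_DIR"
issue_cert "$CA_DIR" www.zf.com
verify_cert "$CA_DIR" www.zf.com && echo "www.zf.com: chain verifies, SAN present"
echo "next serial: $(cat "$CA_DIR/serial")"   # 02 after one certificate
# A request whose O= differs from the CA's is rejected by policy_match (constructed case).
if issue_cert "$CA_DIR" evil.example other 2>/dev/null; then
    echo "policy check failed to reject"; exit 1
fi
echo "evil.example (O=other): rejected by policy_match"
```

The SAN is supplied through -extfile so the script also works with the OpenSSL 1.0.2 shipped on CentOS 7; on OpenSSL 1.1.1 or later the requester can instead put it in the CSR with `openssl req -addext "subjectAltName=DNS:www.zf.com"` and the CA can honour it with `copy_extensions = copy`, which is safer only if the CA reviews requested extensions before signing.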
Introduction to the ssh service
1. Common ssh client options and usage
1. ssh command basics
1.1 About the ssh client
The ssh command is the OpenSSH client; it provides authenticated, encrypted access to a remote system.
On the first connection to a server, the client records the server's host public key (the contents of the server's /etc/ssh/ssh_host_*_key.pub) in ~/.ssh/known_hosts on the client. On every later connection the key the server presents is compared with the stored one (the server proves possession of the matching private key during key exchange); if they differ, ssh prints a "REMOTE HOST IDENTIFICATION HAS CHANGED" warning and by default refuses to connect, because a changed key may mean a man-in-the-middle. The first connection is trust-on-first-use: compare the fingerprint ssh shows with one obtained out of band (for example from the server console) before accepting it.
1.2 Packages providing ssh
[23:28:59 root@lvs-rs2 ~]#rpm -qa openssh*
openssh-clients-7.4p1-16.el7.x86_64
openssh-server-7.4p1-16.el7.x86_64
openssh-7.4p1-16.el7.x86_64
1.3 ssh command syntax
ssh [user@]host [command]
ssh [-l user] host [command]
1.4 Common ssh options
-p port      port of the remote server (default 22)
-b address   source address to connect from, on a multi-homed client
-v           verbose/debug output (-vv, -vvv for more detail; the first place to look when key authentication fails)
-C           compress all data
-X           enable X11 forwarding (lower-case -x disables it; forwarding X11 from an untrusted host is a risk to the client)
-t           force pseudo-tty allocation, e.g. to run an interactive program remotely
-o option    give any ssh_config(5) option on the command line, e.g. -o StrictHostKeyChecking=yes
-i file      private key file for key-based authentication; by default ssh tries ~/.ssh/id_dsa, ~/.ssh/id_ecdsa, ~/.ssh/id_ed25519 and ~/.ssh/id_rsa (DSA keys are disabled by default since OpenSSH 7.0; use ed25519 or RSA for new keys)
2. Common sshd (server) settings
2.1 Server-side configuration file
/etc/ssh/sshd_config
2.2 Manual page for the server configuration file
man 5 sshd_config
2.3 Commonly used server settings (sshd uses the first occurrence of each keyword, and lines after a Match block apply only to that block)
Port 22                    # listening port
ListenAddress 0.0.0.0      # addresses to bind; restrict to the management interface where possible
LoginGraceTime 2m          # time allowed to complete authentication before the connection is dropped
PermitRootLogin yes        # CentOS default; Ubuntu defaults to prohibit-password (root only with a key). Use no or prohibit-password on any exposed host
MaxAuthTries 6             # authentication attempts allowed per connection
MaxSessions 10             # maximum sessions multiplexed over one connection
PubkeyAuthentication yes   # key-based authentication
PermitEmptyPasswords no    # never let accounts with an empty password log in
PasswordAuthentication yes # username/password authentication; set to no once keys are deployed
GatewayPorts no            # whether remote forwards (-R) may bind to non-loopback addresses
ClientAliveCountMax 3      # keepalive probes a client may miss before it is disconnected
UseDNS yes                 # reverse-resolve client addresses; set to no to speed up logins
GSSAPIAuthentication yes   # Kerberos/GSSAPI authentication; set to no where not used to speed up logins
MaxStartups 10:30:100      # concurrent unauthenticated connections; default 10:30:100 means refuse 30% of new ones at 10 pending, all of them at 100
Banner /path/file          # text shown before authentication
3. ssh tuning examples
3.1 Automatically log out ssh sessions that have been idle for 60 seconds
[01:43:37 root@lvs-rs2 ~]#vim /etc/ssh/sshd_config
ClientAliveInterval 60
ClientAliveCountMax 0
[01:59:51 root@lvs-rs2 ~]#systemctl restart sshd
Note: run sshd -t before restarting; a syntax error makes the restart fail and can leave you without a way back in. This setting relies on OpenSSH 7.x behaviour, where ClientAliveCountMax 0 drops the connection the first time the interval passes without client traffic. Since OpenSSH 8.2, ClientAliveCountMax 0 disables the liveness check entirely, so on newer servers an idle-logout needs a shell TMOUT instead; ClientAliveInterval with a count of 1 or more then only detects dead clients, not idle users.
3.2 Fix slow ssh logins (reverse DNS lookups and GSSAPI negotiation time out when no resolver or KDC is reachable)
[01:43:37 root@lvs-rs2 ~]#vim /etc/ssh/sshd_config
UseDNS no
GSSAPIAuthentication no
[01:59:51 root@lvs-rs2 ~]#systemctl restart sshd
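Sections 2.3, 3.1 and 3.2 all edit sshd_config by hand. The script below is an added example (not from the original notes) that applies those settings to a file safely: sshd honours the first occurrence of each keyword and treats everything after a Match line as conditional, so appending "UseDNS no" to the bottom of a file that already contains "UseDNS yes" changes nothing. set_opt rewrites in place, get_opt reports the value sshd would actually use, and harden_sshd_config applies the settings discussed above with values of my choosing (prohibit-password, MaxAuthTries 3, a 60 s keepalive with 3 misses). The sample configuration written by write_sample_config, including its "deploy" Match block, is constructed for the demo and is not any real host's file.

```shell
#!/bin/sh
# Added example, not from the original notes: edit sshd_config the way sshd
# reads it (first keyword wins, Match blocks are conditional), then show
# the effective values. Pure POSIX sh + awk, no sshd needed to run it.
set -eu

# set_opt FILE KEYWORD VALUE: replace the first global occurrence (active or
# commented-out default), drop later active duplicates, and if the keyword is
# absent insert it before the first Match block (or at the end of the file).
set_opt() {
    awk -v k="$2" -v v="$3" '
        BEGIN { lk = tolower(k); done = 0; in_match = 0 }
        {
            line = $0
            commented = (line ~ /^[ \t]*#/)
            sub(/^[ \t]*#?[ \t]*/, "", line)           # strip indent and comment marker
            split(line, f, /[ \t=]+/)
            word = tolower(f[1])                        # keywords are case-insensitive
            if (!in_match && !commented && word == "match") {
                if (!done) { print k " " v; done = 1 }  # globals must precede Match
                in_match = 1
            }
            if (!in_match && word == lk) {
                if (!done) { print k " " v; done = 1; next }
                if (!commented) next                    # sshd would ignore this duplicate anyway
            }
            print
        }
        END { if (!done) print k " " v }
    ' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# get_opt FILE KEYWORD: the value sshd uses globally (first active occurrence
# before any Match block); prints nothing if the keyword is not set.
get_opt() {
    awk -v k="$2" '
        BEGIN { lk = tolower(k) }
        /^[ \t]*#/ { next }
        {
            line = $0; sub(/^[ \t]+/, "", line)
            split(line, f, /[ \t=]+/)
            w = tolower(f[1])
            if (w == "match") exit
            if (w == lk) { print f[2]; exit }
        }
    ' "$1"
}

# Constructed sample resembling a stock sshd_config with a Match block.
write_sample_config() {
    cat > "$1" <<'EOF'
# constructed sample sshd_config for the demo
#Port 22
PermitRootLogin yes
#PubkeyAuthentication yes
PasswordAuthentication yes
UseDNS yes
GSSAPIAuthentication yes
UseDNS yes
Match User deploy
    PasswordAuthentication yes
EOF
}

# The hardening the notes point at: keys instead of passwords, no root
# password login, fewer tries, faster logins, and a dead-client timeout.
harden_sshd_config() {
    set_opt "$1" PermitRootLogin prohibit-password   # or "no" if root never logs in remotely
    set_opt "$1" PubkeyAuthentication yes
    set_opt "$1" PasswordAuthentication no
    set_opt "$1" PermitEmptyPasswords no
    set_opt "$1" MaxAuthTries 3
    set_opt "$1" UseDNS no
    set_opt "$1" GSSAPIAuthentication no
    set_opt "$1" ClientAliveInterval 60
    set_opt "$1" ClientAliveCountMax 3               # 0 means "disabled" on OpenSSH 8.2+
}

WORK=$(mktemp -d)
write_sample_config "$WORK/sshd_config"
cp "$WORK/sshd_config" "$WORK/sshd_config.orig"
harden_sshd_config "$WORK/sshd_config"
diff -u "$WORK/sshd_config.orig" "$WORK/sshd_config" || :   # diff exits 1 when files differ
echo "effective PasswordAuthentication: $(get_opt "$WORK/sshd_config" PasswordAuthentication)"
# On a real host, validate before restarting so a typo cannot lock you out:
#   sshd -t -f /etc/ssh/sshd_config && systemctl restart sshd
```

Keep an existing session open while restarting sshd and open a second one to confirm key login works before closing the first; sshd -T prints the effective configuration if you want to double-check what the daemon actually loaded.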
Generate a 12-character random password
[02:03:40 root@lvs-rs2 ~]#tr -dc A-Za-z0-9_ < /dev/urandom | head -c 12| xargs
iosSyXBKVqRg
[02:03:41 root@lvs-rs2 ~]#openssl rand -base64 9
G9t8UmyzYO8i
Note: tr -dc keeps only bytes from the 63-character set A-Za-z0-9_, so 12 of them carry about 71 bits of entropy. openssl rand -base64 9 yields exactly 12 characters with no padding because 9 bytes encode to 12 base64 characters (72 bits); its output may contain + and /, which some password fields reject.