1. OpenSSL
Website: https://www.openssl.org/

The OpenSSL project started in 1998 with the goal of producing a free set of cryptographic tools for use on the Internet. It is based on SSLeay, written by Eric Young and Tim Hudson; when the two joined RSA, SSLeay development stopped in December 1998, and in the same month the community forked OpenSSL from it and carried on. The OpenSSL Management Committee currently has 7 members, and 13 developers[3] have commit rights (many of them also sit on the committee). Only two are full-time staff (fellows); the rest are volunteers. The project's annual budget is under one million US dollars and comes mainly from donations. The TLS 1.3 implementation was sponsored by Akamai.

OpenSSL is an open-source software library that applications use to communicate securely and to verify the identity of the peer at the other end of the connection. It is widely used by web servers on the Internet. Its main library is written in C and implements the basic cryptographic primitives as well as the SSL and TLS protocols. OpenSSL runs on OpenVMS, Microsoft Windows and nearly all Unix-like operating systems (including Solaris, Linux, Mac OS X and the various open-source BSDs).

Heartbleed: OpenSSL 1.0.1 up to and including 1.0.1f (fixed in 1.0.1g) contained a serious bug, CVE-2014-0160, in the TLS heartbeat extension. A missing bounds check let an attacker read up to 64 KB of the peer's process memory per request, which could include private keys, session cookies and passwords; it affected clients as well as servers. The flaw was made public in April 2014 and was reported to affect about two thirds of active websites.

OpenSSL consists of three components:
- libcrypto: the library implementing the cryptographic primitives (encryption, decryption, hashing, signatures)
- libssl: the library implementing the SSL/TLS protocols
- openssl: the multi-purpose command-line tool
1.2 Building a private CA and issuing certificates on CentOS 8
1.2.1 Create the CA directories and files
[root@CentOS8 pki]#mkdir -pv /etc/pki/CA/{certs,crl,newcerts,private}
mkdir: created directory '/etc/pki/CA'
mkdir: created directory '/etc/pki/CA/certs'
mkdir: created directory '/etc/pki/CA/crl'
mkdir: created directory '/etc/pki/CA/newcerts'
mkdir: created directory '/etc/pki/CA/private'
[root@CentOS8 pki]#tree /etc/pki/CA
/etc/pki/CA
├── certs
├── crl
├── newcerts
└── private

4 directories, 0 files

#Create the certificate index database file
[root@CentOS8 pki]#touch /etc/pki/CA/index.txt
#Set the serial number of the first certificate to be issued
[root@CentOS8 pki]#echo 01 > /etc/pki/CA/serial

These paths are the ones the [ CA_default ] section of /etc/pki/tls/openssl.cnf expects on CentOS (dir = /etc/pki/CA), which is why none of the openssl ca commands below needs a -config option. The index.txt and serial files are read every time a certificate is issued; if either is missing, openssl ca fails with the errors below.
[root@centos8 ~]#openssl ca -in /data/app1/app1.csr -out /etc/pki/CA/certs/app1.crt -days 1000
Using configuration from /etc/pki/tls/openssl.cnf
140040142845760:error:02001002:system library:fopen:No such file or directory:crypto/bio/bss_file.c:72:fopen('/etc/pki/CA/index.txt','r')
140040142845760:error:2006D080:BIO routines:BIO_new_file:no such file:crypto/bio/bss_file.c:79:

[root@centos8 ~]#open ssl ca -in /data/app1/app1.csr -out /etc/pki/CA/certs/app1.crt -days 1000
Using configuration from /etc/pki/tls/openssl.cnf
/etc/pki/CA/serial: No such file or directory
error while loading serial number
140240559408960:error:02001002:system library:fopen:No such file or directory:crypto/bio/bss_file.c:72:fopen('/etc/pki/CA/serial','r')
140240559408960:error:2006D080:BIO routines:BIO_new_file:no such file:crypto/bio/bss_file.c:79:

1.2.2 Create the CA private key
[root@CentOS8 pki]#cd /etc/pki/CA/
[root@CentOS8 CA]#(umask 066; openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus (2 primes)
....................................+++++
.............+++++
e is 65537 (0x010001)
[root@CentOS8 CA]#tree
.
├── certs
├── crl
├── index.txt
├── newcerts
├── private
│   └── cakey.pem
└── serial

4 directories, 3 files
[root@CentOS8 CA]#ll private/cakey.pem
-rw------- 1 root root 1679 Jun 14 20:17 private/cakey.pem
[root@CentOS8 CA]#cat private/cakey.pem
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEA4AyF5Z8utDHOkwRTSUN6pfRSrL5luDLP/+RkEFqQXNywAsqO
WS9i8qsSLw768SmbGPiTvRezrADkk4ouZhfKsf5nZjc3c/xXi0Jh19FD10cllJ2T
FfGcBV32a/TspuYaPnMebLNndYTVesY9VsWOxszccjCMDhb2utoItwRXrq0/zS3v
qLy5iBZu5kVUxvYFug/5/b2X6+1ZwbQPRwcS/6T5HnRR1zzlEjfNJH/L38kV2DdI
cDsyP45QZuArw7nchV/TXDEStYD+pPzFQQyVuOZ0ZxGuny3AkoMcN3ddC9SCGJbN
J7wDtyZjWVv81dWsCOSaxzcEnnokLLQgKUsWpwIDAQABAoIBAQDW8ey7YL4Tzfza
+rlUflJ6SC3Q4FECKG14mAqPzfLVxDtwUhfC5D1PhmPJlduV5k6P5FsIfGa5S5n/
GgBtncGuhd15KNwggCUUyzjHLlKhg/Y/3/Suhr8iPwUciTtI21SuOQ8lRfCpxChy
wyEx0BKsEvoi6wRSuCE5HdhijN36CxyxwAcFddtPw9nBAkDmnqrdRhBpbc2O5P1M
aw/+zmEPqa5O8R6HCqgr+eRgNGIg9PICAG6Qer4VvQjLpTAR2oRioNdmdDAl5JC7
9UScFrx6Cyrule23Ac36zMLtJYK28Zc3tt8mO+klCuj6HdeIG9owgb2lGxOgsYP1
f7Dyi1sRAoGBAPFcgfnm4dLfv/mDzUU2igfz0ArS8OXixO5ZWFYDkkQQVh9zmzwJ
YZ6SODBoYrViCH1NsnAMNfzM80WCURUF30l8EUyF7sepRV54ams01izbsdBcpv/z
yscabSxrhJ20rthid3AxVIZnuKruqVhMfAiXy5CNz2bOK8nfm+/hijulAoGBAO2j
NsyzcjESg1q2QUw0GnRwOoUvQMpAQtwnVTMBhMk1vHNee5QCBHvJd4ESXTLO3PJh
xr8YEA+79rvNdvYjzh9Q2TkH5upBrJ6Aqs/TkhN8otLKzl75wmjbwZ0/q6QVQjiB
qcdoJz3aoSMMehKmaGi8SPAjTQzU84MLwy/0HudbAoGAEzDy2McF77mAzzsuqDE0
+nrlcObi5rSIShdqkbRI/gZ6gpezoStxyqT/uMGkD54S5Lu303b1F/vH4CADiHNm
FLa7vWTs3o1UCbXzaEDUQs7ZLaMgWDuvRPOR+LU33z5NpMD3lEEn4mP+6ACAEJhM
SHahZgYQlrEQBEY2ZPV/A00CgYBny183H7XjyzNGXs68ixF3BEH7RD1nWZQadq+W
/LXT8L2kIoOVjSAKNWAWJ0A/3ezRjXVyp/7z8GR/eOnZ7p+sO/L1Hwd0EEVmYcq5
xa5LBqhTq7Nh9nM8u6egmFvO6l4nMjNG3q4tLR4uodd75+U4weyVvsV7slO+TFfv
zQ/mewKBgQDAxXLlVw9I2nFEl7MWkNwk2FzZ5J0NPUL9fTc1/tsthgE3Z4bm8vzR
en3S99/btlCEPX1JXJ2pXUmTvXyOo4ZzK1KlfX85Iid45NjATSY5NrafgR7714TX
jHtFdr4MZsbrss/4jatBBOWxZybYX1h+biaD/+tVLtcyKOO6blwlGg==
-----END RSA PRIVATE KEY-----

The umask of 066 in the subshell makes the key file mode 0600 before it is written, so it is never readable by other users, not even briefly. The key is displayed here only because this is a throw-away lab CA; a real CA's private key is never printed or copied off the CA host.

1.2.3 Issue the CA's self-signed certificate
[root@CentOS8 CA]#openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 3650 -out /etc/pki/CA/cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:JiangXi
Locality Name (eg, city) [Default City]:NanChang
Organization Name (eg, company) [Default Company Ltd]:magedu
Organizational Unit Name (eg, section) []:devops
Common Name (eg, your name or your server's hostname) []:ca.magedu.org
Email Address []:admin@magedu.org
[root@CentOS8 CA]#tree
.
├── cacert.pem
├── certs
├── crl
├── index.txt
├── newcerts
├── private
│   └── cakey.pem
└── serial

4 directories, 4 files
[root@CentOS8 CA]#cat cacert.pem
-----BEGIN CERTIFICATE-----
MIID/TCCAuWgAwIBAgIUVBlKcy1c7uBtYCfgMnh0KcpZGzQwDQYJKoZIhvcNAQEL
BQAwgY0xCzAJBgNVBAYTAkNOMRAwDgYDVQQIDAdKaWFuZ1hpMREwDwYDVQQHDAhO
YW5DaGFuZzEPMA0GA1UECgwGbWFnZWR1MQ8wDQYDVQQLDAZkZXZvcHMxFjAUBgNV
BAMMDWNhLm1hZ2VkdS5vcmcxHzAdBgkqhkiG9w0BCQEWEGFkbWluQG1hZ2VkdS5v
cmcwHhcNMjEwNjE0MTIyNjM2WhcNMzEwNjEyMTIyNjM2WjCBjTELMAkGA1UEBhMC
Q04xEDAOBgNVBAgMB0ppYW5nWGkxETAPBgNVBAcMCE5hbkNoYW5nMQ8wDQYDVQQK
DAZtYWdlZHUxDzANBgNVBAsMBmRldm9wczEWMBQGA1UEAwwNY2EubWFnZWR1Lm9y
ZzEfMB0GCSqGSIb3DQEJARYQYWRtaW5AbWFnZWR1Lm9yZzCCASIwDQYJKoZIhvcN
AQEBBQADggEPADCCAQoCggEBAOAMheWfLrQxzpMEU0lDeqX0Uqy+Zbgyz//kZBBa
kFzcsALKjlkvYvKrEi8O+vEpmxj4k70Xs6wA5JOKLmYXyrH+Z2Y3N3P8V4tCYdfR
Q9dHJZSdkxXxnAVd9mv07KbmGj5zHmyzZ3WE1XrGPVbFjsbM3HIwjA4W9rraCLcE
V66tP80t76i8uYgWbuZFVMb2BboP+f29l+vtWcG0D0cHEv+k+R50Udc85RI3zSR/
y9/JFdg3SHA7Mj+OUGbgK8O53IVf01wxErWA/qT8xUEMlbjmdGcRrp8twJKDHDd3
XQvUghiWzSe8A7cmY1lb/NXVrAjkmsc3BJ56JCy0IClLFqcCAwEAAaNTMFEwHQYD
VR0OBBYEFOWNke0V96+yX3EOmltGd3hnQLWpMB8GA1UdIwQYMBaAFOWNke0V96+y
X3EOmltGd3hnQLWpMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEB
AHYARZNPnhdtUGjE7MhBgPD2dfctSev9fWXa2u3YRSTH3HvpPS4obVoxAe37cuD5
dsQlGZCJ8ydqwSg1RcKu9b/TnSe8Q3TDJsbp8rQfjoRL/x8W47H0AyyBJRYU3JnG
No4toSOgMcYZzAGewffKL9mWLkL1F8pnksTPJnLtiFNqyTL3nBF9qSUl7fUev52h
U2c2/79YPedziKb098qSdzCn0TdfCixq718Iq+lYfaVREjPgC3XXuup1ZWJJEPRi
LFydiQxgvV2PklVPY1Yg0pZnlvWqgKQRaNNef6I3iifI8r93kcUwTwwBKR4+eVri
ChFdOU0zFgji9SNOiZsCwwE=
-----END CERTIFICATE-----

#View the certificate contents
[root@CentOS8 CA]#openssl x509 -in /etc/pki/CA/cacert.pem -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            54:19:4a:73:2d:5c:ee:e0:6d:60:27:e0:32:78:74:29:ca:59:1b:34
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = CN, ST = JiangXi, L = NanChang, O = magedu, OU = devops, CN = ca.magedu.org, emailAddress = admin@magedu.org
        Validity
            Not Before: Jun 14 12:26:36 2021 GMT
            Not After : Jun 12 12:26:36 2031 GMT
        Subject: C = CN, ST = JiangXi, L = NanChang, O = magedu, OU = devops, CN = ca.magedu.org, emailAddress = admin@magedu.org
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:e0:0c:85:e5:9f:2e:b4:31:ce:93:04:53:49:43:
                    7a:a5:f4:52:ac:be:65:b8:32:cf:ff:e4:64:10:5a:
                    90:5c:dc:b0:02:ca:8e:59:2f:62:f2:ab:12:2f:0e:
                    fa:f1:29:9b:18:f8:93:bd:17:b3:ac:00:e4:93:8a:
                    2e:66:17:ca:b1:fe:67:66:37:37:73:fc:57:8b:42:
                    61:d7:d1:43:d7:47:25:94:9d:93:15:f1:9c:05:5d:
                    f6:6b:f4:ec:a6:e6:1a:3e:73:1e:6c:b3:67:75:84:
                    d5:7a:c6:3d:56:c5:8e:c6:cc:dc:72:30:8c:0e:16:
                    f6:ba:da:08:b7:04:57:ae:ad:3f:cd:2d:ef:a8:bc:
                    b9:88:16:6e:e6:45:54:c6:f6:05:ba:0f:f9:fd:bd:
                    97:eb:ed:59:c1:b4:0f:47:07:12:ff:a4:f9:1e:74:
                    51:d7:3c:e5:12:37:cd:24:7f:cb:df:c9:15:d8:37:
                    48:70:3b:32:3f:8e:50:66:e0:2b:c3:b9:dc:85:5f:
                    d3:5c:31:12:b5:80:fe:a4:fc:c5:41:0c:95:b8:e6:
                    74:67:11:ae:9f:2d:c0:92:83:1c:37:77:5d:0b:d4:
                    82:18:96:cd:27:bc:03:b7:26:63:59:5b:fc:d5:d5:
                    ac:08:e4:9a:c7:37:04:9e:7a:24:2c:b4:20:29:4b:
                    16:a7
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                E5:8D:91:ED:15:F7:AF:B2:5F:71:0E:9A:5B:46:77:78:67:40:B5:A9
            X509v3 Authority Key Identifier:
                keyid:E5:8D:91:ED:15:F7:AF:B2:5F:71:0E:9A:5B:46:77:78:67:40:B5:A9

            X509v3 Basic Constraints: critical
                CA:TRUE
    Signature Algorithm: sha256WithRSAEncryption
         76:00:45:93:4f:9e:17:6d:50:68:c4:ec:c8:41:80:f0:f6:75:
         f7:2d:49:eb:fd:7d:65:da:da:ed:d8:45:24:c7:dc:7b:e9:3d:
         2e:28:6d:5a:31:01:ed:fb:72:e0:f9:76:c4:25:19:90:89:f3:
         27:6a:c1:28:35:45:c2:ae:f5:bf:d3:9d:27:bc:43:74:c3:26:
         c6:e9:f2:b4:1f:8e:84:4b:ff:1f:16:e3:b1:f4:03:2c:81:25:
         16:14:dc:99:c6:36:8e:2d:a1:23:a0:31:c6:19:cc:01:9e:c1:
         f7:ca:2f:d9:96:2e:42:f5:17:ca:67:92:c4:cf:26:72:ed:88:
         53:6a:c9:32:f7:9c:11:7d:a9:25:25:ed:f5:1e:bf:9d:a1:53:
         67:36:ff:bf:58:3d:e7:73:88:a6:f4:f7:ca:92:77:30:a7:d1:
         37:5f:0a:2c:6a:ef:5f:08:ab:e9:58:7d:a5:51:12:33:e0:0b:
         75:d7:ba:ea:75:65:62:49:10:f4:62:2c:5c:9d:89:0c:60:bd:
         5d:8f:92:55:4f:63:56:20:d2:96:67:96:f5:aa:80:a4:11:68:
         d3:5e:7f:a2:37:8a:27:c8:f2:bf:77:91:c5:30:4f:0c:01:29:
         1e:3e:79:5a:e2:0a:11:5d:39:4d:33:16:08:e2:f5:23:4e:89:
         9b:02:c3:01

Issuer and Subject are identical and the Authority Key Identifier equals the Subject Key Identifier: that is what makes this a self-signed root. The Basic Constraints extension is marked critical with CA:TRUE, so clients will accept certificates signed by this key.

Options used:
-new: generate a new certificate signing request
-x509: output a self-signed certificate instead of a request (used for the CA's own certificate)
-key: the private key used to generate the request
-days n: validity period of the certificate in days
-out /PATH/TO/SOMECERTFILE: where to save the certificate

1.2.4 Generate the requester's private key and certificate request

This is done on the CA host here for convenience. In practice the requester generates the key pair and the CSR on its own machine and sends only the CSR to the CA; the private key should never be in the CA's hands.
[root@CentOS8 CA]#mkdir /data/app1
[root@CentOS8 CA]#(umask 066;openssl genrsa -out /data/app1/app1.key 2048)
Generating RSA private key, 2048 bit long modulus (2 primes)
............................+++++
...............................................+++++
e is 65537 (0x010001)
[root@CentOS8 CA]#openssl req -new -key /data/app1/app1.key -out /data/app1/app1.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:JiangXi
Locality Name (eg, city) [Default City]:NanChang
Organization Name (eg, company) [Default Company Ltd]:magedu
Organizational Unit Name (eg, section) []:it
Common Name (eg, your name or your server's hostname) []:app1.magedu.org
Email Address []:grain@magedu.org

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@CentOS8 CA]#ll /data/app1/
total 8
-rw-r--r-- 1 root root 1054 Jun 14 21:01 app1.csr
-rw------- 1 root root 1679 Jun 14 20:56 app1.key

By default three fields of the request must match the CA certificate: country, state/province and organization. This is the policy_match section of openssl.cnf; if any of the three differs, openssl ca refuses the request with the message below.
[root@centos8 ~]#openssl ca -in /data/app2/app2.csr -out /etc/pki/CA/certs/app2.crt
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
The stateOrProvinceName field is different between
CA certificate (beijing) and the request (hubei)

1.2.5 The CA issues the certificate
[root@CentOS8 CA]#openssl ca -in /data/app1/app1.csr -out /etc/pki/CA/certs/app1.crt -days 1000
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Jun 14 14:18:05 2021 GMT
            Not After : Mar 10 14:18:05 2024 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = JiangXi
            organizationName          = magedu
            organizationalUnitName    = it
            commonName                = app1.magedu.org
            emailAddress              = grain@magedu.org
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                93:6C:B7:BD:A1:7A:F5:10:1C:FD:78:FC:99:A1:D3:E0:26:06:B9:50
            X509v3 Authority Key Identifier:
                keyid:E5:8D:91:ED:15:F7:AF:B2:5F:71:0E:9A:5B:46:77:78:67:40:B5:A9

Certificate is to be certified until Mar 10 14:18:05 2024 GMT (1000 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@CentOS8 CA]#tree /etc/pki/CA
/etc/pki/CA
├── cacert.pem
├── certs
│   └── app1.crt
├── crl
├── index.txt
├── index.txt.attr
├── index.txt.old
├── newcerts
│   └── 01.pem
├── private
│   └── cakey.pem
├── serial
└── serial.old

4 directories, 9 files

Besides writing app1.crt, openssl ca stored a copy of the signed certificate as newcerts/01.pem (named after its serial number), recorded the certificate in index.txt and bumped serial to 02; the .old files are the previous versions of index.txt and serial. The Authority Key Identifier of the new certificate is the CA's Subject Key Identifier, which is how a verifier finds the issuer.

1.2.6 View the certificate
[root@CentOS8 CA]#cat /etc/pki/CA/certs/app1.crt
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=CN, ST=JiangXi, L=NanChang, O=magedu, OU=devops, CN=ca.magedu.org/emailAddress=admin@magedu.org
        Validity
            Not Before: Jun 14 14:18:05 2021 GMT
            Not After : Mar 10 14:18:05 2024 GMT
        Subject: C=CN, ST=JiangXi, O=magedu, OU=it, CN=app1.magedu.org/emailAddress=grain@magedu.org
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:bb:3d:ee:80:8e:57:89:6d:fb:88:ce:ae:2f:86:
                    10:c5:b5:0b:ff:25:bd:30:40:ee:21:c1:cc:92:2e:
                    99:72:3f:78:9b:af:8a:c2:4e:72:fe:b5:33:97:62:
                    a8:91:9a:4d:6d:fc:e2:d7:fd:9c:dc:07:2b:9c:a9:
                    a7:de:66:34:96:b9:a1:49:c4:23:07:db:c9:80:19:
                    93:cb:1d:35:e0:10:af:e5:9f:5a:2a:82:92:42:d2:
                    aa:ee:ba:4c:85:cf:b1:fd:6b:a9:fb:d3:f9:35:c2:
                    75:7b:19:e7:1c:03:60:15:bd:25:c9:43:42:d5:5e:
                    96:65:e3:b2:17:59:22:9c:80:ef:5d:c4:77:6c:3e:
                    5a:4f:c8:c7:6b:0c:a0:24:dc:ad:8f:40:e7:c1:f1:
                    e5:f8:39:f5:c6:0b:ff:df:a3:67:22:46:7a:f7:a6:
                    b2:36:df:6a:d9:f1:49:96:4e:1c:56:15:38:84:ba:
                    84:25:ee:4f:46:c1:c8:22:3d:50:f1:51:38:29:43:
                    b8:6a:e2:d3:ce:34:3b:99:b1:59:d6:c1:a6:e4:9f:
                    01:14:88:b4:17:10:80:51:87:ae:fe:d4:f6:8d:6e:
                    d0:3a:6e:6a:6d:75:94:a5:d7:55:1a:4b:ed:28:4c:
                    aa:11:d6:67:64:d1:6c:a1:af:64:c3:ae:50:3d:ea:
                    bc:7b
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                93:6C:B7:BD:A1:7A:F5:10:1C:FD:78:FC:99:A1:D3:E0:26:06:B9:50
            X509v3 Authority Key Identifier:
                keyid:E5:8D:91:ED:15:F7:AF:B2:5F:71:0E:9A:5B:46:77:78:67:40:B5:A9

    Signature Algorithm: sha256WithRSAEncryption
         9f:c6:59:1f:a9:99:6c:11:2a:0c:e8:08:39:08:21:dc:7c:5d:
         69:ed:0a:33:a9:43:90:87:a6:14:c5:da:b0:65:27:b7:ad:9c:
         7d:60:55:ad:79:76:a6:63:80:2e:c4:fb:c8:17:91:32:60:39:
         96:f1:6f:22:d1:85:08:97:fd:2b:6d:62:a2:ad:8c:02:07:db:
         cf:78:2f:e0:04:74:b9:8d:dc:54:d6:c6:05:65:55:93:4e:32:
         75:26:d9:63:94:56:43:91:ee:89:40:60:14:ff:38:49:34:ef:
         c0:2e:9a:16:79:ee:f7:fe:6a:10:5d:5b:e9:b7:c4:16:41:a7:
         1d:ef:1f:33:6c:ad:20:17:e2:a5:8b:79:6d:fc:50:d5:4f:c8:
         9e:a9:84:f7:35:25:ab:c4:b4:d5:e4:12:a6:a4:66:b7:39:6f:
         4b:f1:8a:06:97:fd:c9:17:ad:53:2d:24:ff:13:38:16:a7:2a:
         ff:84:20:14:e5:27:7a:78:7d:8d:d1:15:19:48:a3:0a:d5:25:
         dd:89:6e:d8:c6:aa:51:94:64:2d:21:2a:13:65:57:1e:bd:3f:
         f4:1e:1f:be:6f:b1:38:41:46:19:23:b6:a0:8d:b7:27:56:5f:
         b9:a0:e0:41:19:e7:38:72:98:d2:74:8b:91:33:80:80:47:63:
         0d:f0:69:80
-----BEGIN CERTIFICATE-----
MIID/DCCAuSgAwIBAgIBATANBgkqhkiG9w0BAQsFADCBjTELMAkGA1UEBhMCQ04x
EDAOBgNVBAgMB0ppYW5nWGkxETAPBgNVBAcMCE5hbkNoYW5nMQ8wDQYDVQQKDAZt
YWdlZHUxDzANBgNVBAsMBmRldm9wczEWMBQGA1UEAwwNY2EubWFnZWR1Lm9yZzEf
MB0GCSqGSIb3DQEJARYQYWRtaW5AbWFnZWR1Lm9yZzAeFw0yMTA2MTQxNDE4MDVa
Fw0yNDAzMTAxNDE4MDVaMHgxCzAJBgNVBAYTAkNOMRAwDgYDVQQIDAdKaWFuZ1hp
MQ8wDQYDVQQKDAZtYWdlZHUxCzAJBgNVBAsMAml0MRgwFgYDVQQDDA9hcHAxLm1h
Z2VkdS5vcmcxHzAdBgkqhkiG9w0BCQEWEGdyYWluQG1hZ2VkdS5vcmcwggEiMA0G
CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC7Pe6AjleJbfuIzq4vhhDFtQv/Jb0w
QO4hwcySLplyP3ibr4rCTnL+tTOXYqiRmk1t/OLX/ZzcByucqafeZjSWuaFJxCMH
28mAGZPLHTXgEK/ln1oqgpJC0qruukyFz7H9a6n70/k1wnV7GeccA2AVvSXJQ0LV
XpZl47IXWSKcgO9dxHdsPlpPyMdrDKAk3K2PQOfB8eX4OfXGC//fo2ciRnr3prI2
32rZ8UmWThxWFTiEuoQl7k9GwcgiPVDxUTgpQ7hq4tPONDuZsVnWwabknwEUiLQX
EIBRh67+1PaNbtA6bmptdZSl11UaS+0oTKoR1mdk0Wyhr2TDrlA96rx7AgMBAAGj
ezB5MAkGA1UdEwQCMAAwLAYJYIZIAYb4QgENBB8WHU9wZW5TU0wgR2VuZXJhdGVk
IENlcnRpZmljYXRlMB0GA1UdDgQWBBSTbLe9oXr1EBz9ePyZodPgJga5UDAfBgNV
HSMEGDAWgBTljZHtFfevsl9xDppbRnd4Z0C1qTANBgkqhkiG9w0BAQsFAAOCAQEA
n8ZZH6mZbBEqDOgIOQgh3Hxdae0KM6lDkIemFMXasGUnt62cfWBVrXl2pmOALsT7
yBeRMmA5lvFvItGFCJf9K21ioq2MAgfbz3gv4AR0uY3cVNbGBWVVk04ydSbZY5RW
Q5HuiUBgFP84STTvwC6aFnnu9/5qEF1b6bfEFkGnHe8fM2ytIBfipYt5bfxQ1U/I
nqmE9zUlq8S01eQSpqRmtzlvS/GKBpf9yRetUy0k/xM4Fqcq/4QgFOUnenh9jdEV
GUijCtUl3Ylu2MaqUZRkLSEqE2VXHr0/9B4fvm+xOEFGGSO2oI23J1ZfuaDgQRnn
OHKY0nSLkTOAgEdjDfBpgA==
-----END CERTIFICATE-----

Two things worth noticing in the issued certificate. The Locality field (L=NanChang) that was typed into the request is gone: the default policy_match section lists only C, ST, O, OU, CN and emailAddress, and openssl ca silently drops any subject field the policy does not mention. And the certificate carries no subjectAltName extension; browsers and most modern TLS clients ignore the Common Name and refuse such a certificate for app1.magedu.org, so a production request must include a SAN (for example via -addext "subjectAltName=DNS:app1.magedu.org" on openssl req, with copy_extensions = copy in the CA section).

1.2.7 Send the certificate files to the requester
[root@CentOS8 CA]#cp /etc/pki/CA/certs/app1.crt /data/app1/
[root@CentOS8 CA]#tree /data/app1/
/data/app1/
├── app1.crt
├── app1.csr
└── app1.key

0 directories, 3 files

Only app1.crt needs to go to the requester (plus cacert.pem, so the client side can be configured to trust this CA); app1.key belongs to the requester and must never travel. The three files sit together here only because, in this lab, the key was generated on the CA host.

1.2.8 Revoking a certificate
By this point a second certificate (app2, serial 02) has been issued the same way.

[root@CentOS8 CA]#tree /etc/pki/CA/
/etc/pki/CA/
├── cacert.pem
├── certs
│   ├── app1.crt
│   └── app2.crt
├── crl
├── index.txt
├── index.txt.attr
├── index.txt.attr.old
├── index.txt.old
├── newcerts
│   ├── 01.pem
│   └── 02.pem
├── private
│   └── cakey.pem
├── serial
└── serial.old

4 directories, 12 files
[root@CentOS8 CA]#openssl ca -status 02
Using configuration from /etc/pki/tls/openssl.cnf
02=Valid (V)
[root@CentOS8 CA]#openssl ca -revoke /etc/pki/CA/newcerts/02.pem
Using configuration from /etc/pki/tls/openssl.cnf
Revoking Certificate 02.
Data Base Updated
[root@CentOS8 CA]#openssl ca -status 02
Using configuration from /etc/pki/tls/openssl.cnf
02=Revoked (R)

-status looks the serial number up in index.txt; -revoke changes that entry's status from V to R and records the revocation time. Nothing changes for relying parties yet: they only learn of the revocation once a CRL containing the serial is generated (next step) and distributed to them.

1.2.9 Generate the certificate revocation list
[root@CentOS8 CA]#openssl ca -gencrl -out /etc/pki/CA/crl.pem
Using configuration from /etc/pki/tls/openssl.cnf
/etc/pki/CA/crlnumber: No such file or directory
error while loading CRL number
140431109904192:error:02001002:system library:fopen:No such file or directory:crypto/bio/bss_file.c:69:fopen('/etc/pki/CA/crlnumber','r')
140431109904192:error:2006D080:BIO routines:BIO_new_file:no such file:crypto/bio/bss_file.c:76:
[root@CentOS8 CA]#echo 01 > /etc/pki/CA/crlnumber
[root@CentOS8 CA]#openssl ca -gencrl -out /etc/pki/CA/crl.pem
Using configuration from /etc/pki/tls/openssl.cnf
[root@CentOS8 CA]#cat /etc/pki/CA/crlnumber
02

The crlnumber file plays the same role for CRLs that serial plays for certificates: each CRL gets the current number and the file is incremented afterwards, which is why it reads 02 after the first CRL. A CRL also has a nextUpdate time (default_crl_days in openssl.cnf), so it has to be regenerated and republished on schedule, not only after a revocation.
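The whole of section 1.2, from the directory layout to the CRL, as one added example that is not part of the original page. It drives the same openssl req, ca and verify commands but with a private openssl.cnf inside the CA directory (the page relies on the [ CA_default ] section of /etc/pki/tls/openssl.cnf instead), so it can be run as a normal user on any host with the openssl CLI (1.1.1 or newer is assumed). The function names, the extra extension settings and the temporary-directory layout are this example's own; the DN values are the page's.

```shell
#!/usr/bin/env bash
# Added example, not from the original page: section 1.2 as one script.
# Assumed: the openssl CLI (1.1.1 or newer). Everything lives under a
# directory of your choice with its own openssl.cnf, so it runs unprivileged
# and never touches /etc/pki; names and DN values are the page's.
set -eu

# 1.2.1-1.2.3: layout, index/serial/crlnumber files, CA key, self-signed CA cert.
ca_init() {
  dir=$1
  mkdir -p "$dir/certs" "$dir/crl" "$dir/newcerts" "$dir/private"
  : >"$dir/index.txt"         # certificate database
  echo 01 >"$dir/serial"      # next certificate serial
  echo 01 >"$dir/crlnumber"   # next CRL number (the page only adds this in 1.2.9)
  cat >"$dir/openssl.cnf" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir              = $dir
new_certs_dir    = \$dir/newcerts
database         = \$dir/index.txt
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
certificate      = \$dir/cacert.pem
private_key      = \$dir/private/cakey.pem
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = policy_match
# The rule the page hits in 1.2.4: C, ST and O must match the CA certificate.
# Subject fields not listed here (localityName, for one) are dropped.
[ policy_match ]
countryName            = match
stateOrProvinceName    = match
organizationName       = match
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional
[ req ]
distinguished_name = req_dn
prompt             = no
[ req_dn ]
# the subject comes from -subj on the command line
[ v3_ca ]
basicConstraints       = critical, CA:TRUE
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
EOF
  (umask 077; openssl genrsa -out "$dir/private/cakey.pem" 2048 2>/dev/null)
  openssl req -new -x509 -key "$dir/private/cakey.pem" -config "$dir/openssl.cnf" \
    -extensions v3_ca -days 3650 -out "$dir/cacert.pem" \
    -subj "/C=CN/ST=JiangXi/L=NanChang/O=magedu/OU=devops/CN=ca.magedu.org"
  openssl ca -config "$dir/openssl.cnf" -gencrl -out "$dir/crl.pem" 2>/dev/null   # empty CRL
}

# 1.2.4-1.2.5: requester key and CSR, then signing. Unlike the page's cert this
# one carries a subjectAltName, which browsers and modern TLS clients require.
ca_issue() {
  dir=$1; name=$2; cn=$3; out=$1/$2
  mkdir -p "$out"
  (umask 077; openssl genrsa -out "$out/$name.key" 2048 2>/dev/null)
  openssl req -new -key "$out/$name.key" -config "$dir/openssl.cnf" \
    -subj "/C=CN/ST=JiangXi/L=NanChang/O=magedu/OU=it/CN=$cn" -out "$out/$name.csr"
  printf '%s\n' '[ v3_server ]' 'basicConstraints = CA:FALSE' \
    'keyUsage = critical, digitalSignature, keyEncipherment' \
    'extendedKeyUsage = serverAuth' 'subjectKeyIdentifier = hash' \
    'authorityKeyIdentifier = keyid' "subjectAltName = DNS:$cn" >"$out/$name.ext"
  openssl ca -batch -config "$dir/openssl.cnf" -in "$out/$name.csr" -days 1000 \
    -extfile "$out/$name.ext" -extensions v3_server -notext -out "$out/$name.crt" 2>/dev/null
}

# Chain-and-CRL check; exit status is that of openssl verify (non-zero once revoked).
ca_verify() { openssl verify -CAfile "$1/cacert.pem" -crl_check -CRLfile "$1/crl.pem" "$2"; }

# 1.2.8-1.2.9: revoke, then publish a new CRL (relying parties need the new one).
ca_revoke() {
  openssl ca -config "$1/openssl.cnf" -revoke "$2" 2>/dev/null
  openssl ca -config "$1/openssl.cnf" -gencrl -out "$1/crl.pem" 2>/dev/null
}

# Number of index.txt entries with status $2: V (valid) or R (revoked).
ca_count() { awk -v st="$2" '$1 == st { n++ } END { print n + 0 }' "$1/index.txt"; }

ca_demo() {
  ca_init "$1"
  ca_issue "$1" app1 app1.magedu.org
  crt=$1/app1/app1.crt
  openssl x509 -in "$crt" -noout -text | grep -E 'Subject:|DNS:'   # note: no L= in the subject
  ca_verify "$1" "$crt"                                             # ...app1.crt: OK
  ca_revoke "$1" "$crt"
  ca_verify "$1" "$crt" 2>/dev/null || echo "revoked certificate rejected, as expected"
  echo "valid=$(ca_count "$1" V) revoked=$(ca_count "$1" R)"
}

ca_demo "${1:-$(mktemp -d)}"
```

Run with no arguments it builds the CA in a temporary directory, prints the issued certificate's subject and SAN, the OK from openssl verify, the "certificate revoked" failure once the CRL has been regenerated, and the V/R counts from index.txt. Over the page's procedure it adds the subjectAltName on the leaf, a keyUsage that restricts the CA key to signing certificates and CRLs, and the crlnumber file up front so -gencrl works the first time.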
2. The SSH service

SSH protocol versions:
- v1: uses a CRC-32 checksum in place of a real MAC; insecure, vulnerable to man-in-the-middle and insertion attacks, and long since removed from OpenSSH
- v2: both sides negotiate a secure MAC algorithm; key exchange is based on Diffie-Hellman; host and user authentication are based on RSA or DSA signatures (current versions also support ECDSA and Ed25519)
2.1 Common ssh options and usage
Usage:
2.1.1 Remote login
#Password login
1. ssh user@ip             //log in to the server as user; the default port is 22
2. ssh host                //log in to the server with the same user name as the local account; default port 22
3. ssh user@host -p 10000  //connect to port 10000 on the remote host instead of 22
#Public-key login
1. ssh-keygen              #creates two files under $HOME/.ssh/: id_rsa.pub (the public key) and id_rsa (the private key)
2. ssh-copy-id user@host   #copies the public key to the remote host; from then on the key can be used to log in

Key-based login
Key-based login works as follows:

1. The client generates a key pair (ssh-keygen).
2. The client's public key is copied to the server (ssh-copy-id), which appends it to ~/.ssh/authorized_keys of the target user there.
3. The client connects; the two sides run the key exchange and both derive from it the session keys and a session identifier that is unique to this connection.
4. The client sends an authentication request naming the user and the public key it wants to use. The server looks that key up in the user's authorized_keys; if it is not listed, the method fails. (The client's IP address plays no part in the lookup unless the key line carries a from= option.)
5. The client proves that it holds the matching private key by signing a message made of the session identifier, the user name, the service name and the public key itself.
6. The server verifies the signature with the public key from authorized_keys. Because the session identifier is part of the signed data, a captured signature is useless in any other connection.
7. If the signature verifies, the login succeeds without a password. The private key never leaves the client, and nothing is encrypted or decrypted during authentication; it is purely a signature check.
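The exchange described above, as an added example that is not part of the original page: a shell simulation of the signature check using the openssl CLI (assumed installed, 1.1.1 or newer). The function names, the directory layout and the fields of the signed message are this example's own simplification of the RFC 4252 public-key request; the session identifier is produced with openssl rand here, whereas real SSH derives it from the key exchange.

```shell
#!/usr/bin/env bash
# Added example, not part of the original page: SSH public-key authentication
# simulated with the openssl CLI (assumed installed, 1.1.1+). Real sshd does
# this inside the SSH transport with its own key formats and message framing
# (RFC 4252); the signed fields below are a simplified version of that data.
# The session identifier is constructed with "openssl rand" here; in SSH it
# comes out of the Diffie-Hellman key exchange and both sides know it.
set -eu

# Client side: key pair. id_rsa.pub is what ssh-copy-id ships to the server.
client_keygen() {
  (umask 077; openssl genrsa -out "$1/id_rsa" 2048 2>/dev/null)
  openssl rsa -in "$1/id_rsa" -pubout -out "$1/id_rsa.pub" 2>/dev/null
}

# What gets signed: session id, service, user name, method. Binding the session
# id in means the signature is worthless in any other connection (no replay).
auth_blob() { printf '%s\nssh-userauth\n%s\nssh-connection\npublickey\n' "$1" "$2"; }

# Client: prove possession of the private key by signing the blob.
client_sign() {              # args: privkey session_id user sigfile
  auth_blob "$2" "$3" | openssl dgst -sha256 -sign "$1" -out "$4"
}

# Server: rebuild the same blob from its own view of the session and verify the
# signature with the public key it found in authorized_keys. No secret ever
# leaves the client and nothing is encrypted; it is signed and verified only.
server_verify() {            # args: pubkey session_id user sigfile; exit 0 if valid
  auth_blob "$2" "$3" | openssl dgst -sha256 -verify "$1" -signature "$4" >/dev/null 2>&1
}

pubkey_auth_demo() {
  dir=$1
  mkdir -p "$dir"
  client_keygen "$dir"
  cp "$dir/id_rsa.pub" "$dir/authorized_pub.pem"   # what ssh-copy-id achieves
  sid=$(openssl rand -hex 32)                       # session id both sides agree on
  client_sign "$dir/id_rsa" "$sid" root "$dir/sig"
  server_verify "$dir/authorized_pub.pem" "$sid" root "$dir/sig" && echo "login accepted"
  # A captured signature replayed in a new session, or for another user, fails.
  other=$(openssl rand -hex 32)
  server_verify "$dir/authorized_pub.pem" "$other" root "$dir/sig" || echo "replay in another session rejected"
  server_verify "$dir/authorized_pub.pem" "$sid" admin "$dir/sig" || echo "signature for another user rejected"
}

pubkey_auth_demo "${1:-$(mktemp -d)}"
```

Run with no arguments it creates a key pair in a temporary directory, accepts the genuine signature and rejects the two replays. The same mechanism runs in the other direction for the host key: the server signs over the same session identifier to prove its identity, which is the check that StrictHostKeyChecking no (used later in 2.1.2) switches off.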
2.1.2 SSH remote operations

- Remote command execution
Options:
-p port     port the remote server listens on
-b          source IP address to connect from
-v          verbose (debug) mode
-C          enable compression
-X          enable X11 forwarding
-t          force pseudo-tty allocation, e.g. ssh -t remoteserver1 ssh -t remoteserver2 ssh remoteserver3
-o option   e.g. -o StrictHostKeyChecking=no
-i <file>   private key file for key-based authentication; by default ~/.ssh/id_dsa, ~/.ssh/id_ecdsa, ~/.ssh/id_ed25519 and ~/.ssh/id_rsa are tried

Example:
[root@centos8 ~]#ssh -t 10.0.0.8 ssh -t 10.0.0.7 ssh 10.0.0.6
root@10.0.0.8's password:
root@10.0.0.7's password:
root@10.0.0.6's password:
Last login: Fri May 22 09:10:28 2020 from 10.0.0.7
[root@centos6 ~]#

Run a command remotely:
[root@centos6 ~]#ssh 10.0.0.8 "sed -i.bak '/StrictHostKeyChecking/s/.*/StrictHostKeyChecking no/' /etc/ssh/ssh_config"
root@10.0.0.8's password:
[root@centos6 ~]#

StrictHostKeyChecking no makes the ssh client accept any host key without asking, which removes its only protection against a man-in-the-middle presenting a different key. It is convenient in a lab with throw-away hosts; on production systems keep the default and distribute known host keys instead.

Run a local shell script on a remote host:
[root@centos8 ~]#hostname -I
10.0.0.8
[root@centos8 ~]#cat test.sh
#!/bin/bash
hostname -I
[root@centos8 ~]#ssh 10.0.0.18 /bin/bash < test.sh
root@10.0.0.18's password:
10.0.0.18

The script is fed to the remote bash on standard input, so it runs on 10.0.0.18 without being copied there first.

2.1.3 scp
Copies files between the local host and a remote host over ssh.
#Copy a file from the remote host to the local host
scp root@ip:/var/test/test.tar.gz /var/test/test.tar.gz
#Copy a local file to the remote host
scp /var/test/test.tar.gz root@ip:/var/test/test.tar.gz
#Copy a directory from the remote host to the local host (recursive)
scp -r root@ip:/var/test/ /var/test/

2.1.4 Binding a local port
ssh -D 8080 user@host  #ssh listens on local port 8080 as a SOCKS proxy; every connection made to it is carried over the ssh connection and opened from the remote host

2.1.5 SSH local port forwarding
ssh -L localport:remotehost:remotehostport sshserver

Options:
-f   go to the background after authentication
-N   do not open a remote shell, only forward
-g   gateway mode: let other hosts connect to the local forwarded port (binds all interfaces instead of 127.0.0.1 only)

#Whatever connects to local port 9527 is encrypted and sent to the ssh service on sshsrv, decrypted there and forwarded on to telnetsrv:23
#data<-->localhost:9527 <-->localhost:XXXXX<-->sshsrv:22<-->sshsrv:YYYYY<-->telnetsrv:23
ssh -L 9527:telnetsrv:23 -Nfg sshsrv
telnet 127.0.0.1 9527

Only the leg between the local host and sshsrv is encrypted; the hop from sshsrv to telnetsrv:23 is plain telnet. With -g, anyone who can reach port 9527 on the local host gets the same tunnel, so leave it out unless that is intended.

2.1.6 SSH remote port forwarding
ssh -R sshserverport:remotehost:remotehostport sshserver

#sshsrv listens on port 9527; whatever connects to it is encrypted and passed back through the ssh connection to the local ssh client, which decrypts it and forwards it to telnetsrv:23
#Data<-->sshsrv:9527<-->sshsrv:22<-->localhost:XXXXX<-->localhost:YYYYY<-->telnetsrv:23
ssh -R 9527:telnetsrv:23 -Nf sshsrv

On sshsrv the listener binds to 127.0.0.1 only; for other hosts to reach sshsrv:9527, GatewayPorts must be enabled in sshd_config on sshsrv.

2.1.7 SSH dynamic port forwarding
#When Firefox accesses the Internet, local port 1080 acts as a SOCKS proxy: Firefox's requests are forwarded to sshserver, which makes the connections on its behalf
ssh -D 1080 root@sshserver -fNg
#In Firefox, configure a SOCKS proxy of 127.0.0.1:1080
curl --socks5 127.0.0.1:1080 http://www.google.com

The -g here exposes the SOCKS proxy to every host that can reach your machine; drop it to keep the proxy on 127.0.0.1. Note also that curl --socks5 still resolves names locally; use --socks5-hostname (and in Firefox the "proxy DNS" option) to have DNS lookups go through the tunnel as well.

3. sshd service configuration
Server side: sshd
Server configuration file: /etc/ssh/sshd_config
Documentation for the server configuration file: man 5 sshd_config
Common parameters:
Port
ListenAddress ip
LoginGraceTime 2m
PermitRootLogin yes        #Ubuntu's default (prohibit-password) blocks root password logins over ssh
StrictModes yes            #check ownership and permissions of ~/.ssh and its files before trusting them
MaxAuthTries 6
MaxSessions 10             #maximum number of sessions per connection
PubkeyAuthentication yes   #key-based authentication
PermitEmptyPasswords no    #whether accounts with an empty password may log in
PasswordAuthentication yes #user name and password authentication
GatewayPorts no
ClientAliveInterval 10     #unit: seconds
ClientAliveCountMax 3      #default 3
UseDNS yes                 #set to no to speed up logins
GSSAPIAuthentication yes   #set to no to speed up logins
MaxStartups                #maximum number of concurrent unauthenticated connections, default 10
Banner /path/file
#The following restrict which users may log in:
AllowUsers user1 user2 user3
DenyUsers
AllowGroups
DenyGroups

Example: disconnect ssh sessions after 60 s of silence
vim /etc/ssh/sshd_config
ClientAliveInterval 60
ClientAliveCountMax 0
systemctl restart sshd
#Note: only connections opened after the restart are affected

Two caveats. ClientAlive* detects dead connections, not idle users: every 60 s sshd sends a request through the encrypted channel and drops the session when ClientAliveCountMax consecutive requests go unanswered, but a live ssh client answers them automatically even if the user types nothing, so an idle interactive shell is not logged out by this (set TMOUT in the shell profile for that). And since OpenSSH 8.2, ClientAliveCountMax 0 disables connection termination altogether instead of dropping the session after the first missed probe, so on newer versions use ClientAliveCountMax 1 together with ClientAliveInterval 60.

Example: fix slow ssh logins
vim /etc/ssh/sshd_config
UseDNS no
GSSAPIAuthentication no
systemctl restart sshd

UseDNS makes sshd reverse-resolve every client address, and GSSAPIAuthentication makes clients try Kerberos before other methods; either stalls the login for as long as the DNS server or KDC takes to time out when it is unreachable.

Example: allow root to log in over ssh on Ubuntu
vim /etc/ssh/sshd_config
#PermitRootLogin prohibit-password   <- comment out this line
PermitRootLogin yes                  <- and set it to this
systemctl restart sshd

PermitRootLogin yes allows root password logins and makes root the obvious brute-force target; the Ubuntu default prohibit-password (root with keys only) or logging in as an unprivileged user and using sudo is the safer choice. Also note that sshd uses the first value it finds for a keyword, so the change must replace the existing line rather than be appended at the end of the file, and any line placed after a Match block applies only to connections that match it. Run sshd -t before the restart to catch a syntax error that would otherwise lock you out.
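An added example, not from the original page, for the three sshd_config edits above: shell helpers that read and change a config file by sshd's own rules (first value wins, Match blocks are conditional), so that a change actually takes effect instead of being shadowed by an earlier line. The function names and the sample config are this example's own; it needs only awk, so it can be tried without a running sshd.

```shell
#!/usr/bin/env bash
# Added example, not from the original page. sshd_config has one rule the
# page's edits depend on: for each keyword the FIRST value wins, and anything
# after a "Match" line applies only to matching connections. So appending
# "PermitRootLogin no" below an existing "PermitRootLogin yes" changes nothing,
# and appending below a Match block makes the option conditional. The helpers
# below read and edit a file by those rules; the sample file is constructed
# for the demo and the function names are this example's own.
set -eu

# Effective global value of keyword $2 in file $1: first occurrence wins,
# keywords are case-insensitive, "Key=value" is accepted, '#' lines are
# comments, and the search stops at the first Match block.
sshd_effective() {
  awk -v key="$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')" '
    { l = $0; sub(/^[ \t]+/, "", l) }
    l == "" || substr(l, 1, 1) == "#" { next }
    { sub(/=/, " ", l); n = split(l, f); k = tolower(f[1]) }
    k == "match" { exit }
    k == key { v = f[2]; for (i = 3; i <= n; i++) v = v " " f[i]; print v; found = 1; exit }
    END { if (!found) print "(default)" }
  ' "$1"
}

# Set keyword $2 to $3 in file $1 the way the page's vim/sed edits intend:
# replace the first occurrence (active or commented out), drop later global
# duplicates, and if the keyword is absent insert it before the first Match
# block (or at the end). Writes through a temp file, so back the original up.
sshd_set() {
  tmp=$(mktemp)
  awk -v key="$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')" -v line="$2 $3" '
    { l = $0; sub(/^[ \t]+/, "", l); c = (substr(l, 1, 1) == "#")
      sub(/^#[ \t]*/, "", l); sub(/=/, " ", l); split(l, f); k = tolower(f[1]) }
    !c && k == "match" && !inmatch { inmatch = 1; if (!done) { print line; done = 1 } }
    !inmatch && k == key { if (!done) { print line; done = 1 }; next }
    { print }
    END { if (!done) print line }
  ' "$1" >"$tmp" && mv "$tmp" "$1"
}

# Flag the settings a reviewer would reject on an Internet-facing sshd.
sshd_audit() {
  rc=0
  for pair in PermitRootLogin:yes PermitEmptyPasswords:yes PubkeyAuthentication:no; do
    key=${pair%%:*}; bad=${pair#*:}
    if [ "$(sshd_effective "$1" "$key")" = "$bad" ]; then echo "weak: $key $bad"; rc=1; fi
  done
  return $rc
}

sshd_demo() {
  f=$(mktemp)
  printf '%s\n' '# constructed sample sshd_config' \
    '#PermitRootLogin prohibit-password' 'PermitRootLogin yes' \
    'PasswordAuthentication yes' 'Match User backup' '    PermitRootLogin no' >"$f"
  echo "PermitRootLogin is: $(sshd_effective "$f" PermitRootLogin)"   # yes; the Match block does not count
  sshd_audit "$f" || true
  sshd_set "$f" PermitRootLogin prohibit-password
  sshd_set "$f" ClientAliveInterval 60
  sshd_set "$f" ClientAliveCountMax 3
  cat "$f"
  sshd_audit "$f" && echo "audit clean"
}

sshd_demo
```

sshd_set replaces the target file, so run it as root on a copy or keep a backup, then validate with sshd -t before systemctl restart sshd. The audit list is deliberately short; extend it with the keywords your own baseline requires.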