day03
部署CA服务器
邮件加密
网站加密
+++++++++++++++++++++++++++++
部署CA服务器 (54) 机构名称 tarenaa
ca服务器主机名 catwo.tedu.cn
ip 192.168.4.54

部署CA服务器 (55) 机构名称 tarena
ca服务器主机名 ca.tedu.cn
ip 192.168.4.55

192.168.4.55
1 、部署证书签发环境
]# vim /etc/pki/tls/openssl.cnf
40 [ CA_default ]
42 dir = /etc/pki/CA
43 certs = $dir/certs
45 database = $dir/index.txt
50 certificate = $dir/my-ca.crt

51 serial = $dir/serial
55 private_key = $dir/private/my-ca.key

128 [ req_distinguished_name ]
130 countryName_default = CN 国家
135 stateOrProvinceName_default = beijing 省
138 localityName_default = beijing 城市
141 0.organizationName_default = tarena 公司名称
148 organizationalUnitName_default = ope 部门名称

84 [ policy_match ] // 匹配策略
85 countryName = match
86 stateOrProvinceName = match
87 organizationName = match
88 organizationalUnitName = optional
89 commonName = supplied
90 emailAddress = optional

根据配置文件的设置创建对应的文件
123 echo 01 > /etc/pki/CA/serial
124 cat /etc/pki/CA/serial
125 chmod 600 /etc/pki/CA/serial

118 touch /etc/pki/CA/index.txt
120 cat /etc/pki/CA/index.txt
122 chmod 600 /etc/pki/CA/index.txt
创建私钥文件
#cd /etc/pki/CA/private

openssl genrsa -des3 2048 > my-ca.key (密码123456)

#cat my-ca.key
#chmod 600 my-ca.key

创建根证书文件
#cd /etc/pki/CA
[root@host55 CA]# openssl req -new -x509 -key ./private/my-ca.key -days 365 > my-ca.crt
Enter pass phrase for ./private/my-ca.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.

Country Name (2 letter code) [CN]:
State or Province Name (full name) [beijing]:
Locality Name (eg, city) [beijing]:
Organization Name (eg, company) [tarena]:
Organizational Unit Name (eg, section) [ope]:
Common Name (eg, your name or your server's hostname) []:ca.tedu.cn
Email Address []:plj@163.com
[root@host55 CA]#

+++++++++++++++++++++++++++++++++
共享根证书给客户端 (55)
138 rpm -q httpd || yum -y install httpd
139 mkdir /var/www/html/ca
140 cp /etc/pki/CA/my-ca.crt /var/www/html/ca/
141 chmod +r /var/www/html/ca/my-ca.crt
142 systemctl start httpd
143 systemctl enable httpd
144 setenforce 0
145 systemctl stop firewalld

254客户端的测试(下载根证书并安装根证书)
firefox http://192.168.4.55/ca
++++++++++++++++++++++++++++++++++++++++
配置网站加密 HTTPS
#rpm -q httpd || yum -y install httpd
#echo web53 > /var/www/html/test.html
#systemctl start httpd ; systemctl enable httpd
#netstat -utnalp | grep httpd

客户端访问254
#vim /etc/hosts
192.168.4.53 www.tedu.cn
:wq

ping -c 2 www.tedu.cn

              www.tedu.cn
     http://192.168.4.53/test.html
     https://192.168.4.53/test.html

配置网站服务器 192.168.4.53
1 创建私钥文件
#cd /etc/pki/tls/private/
#openssl genrsa 2048 > www.key

2 创建证书请求文件

]# openssl req -new -key www.key > /root/www.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.

Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:beijing
Organization Name (eg, company) [Default Company Ltd]:tarena
Organizational Unit Name (eg, section) []:ope
Common Name (eg, your name or your server's hostname) []:www.tedu.cn
Email Address []:jim@163.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@host53 private]#

[root@host53 private]# cat /root/www.csr

3 提交证书请求文件给CA服务器
#scp /root/www.csr 192.168.4.55:/tmp/

配置CA服务器192.168.4.55
1 审核证书请求文件并签发数字证书文件
#ls /tmp/www.csr
#cd /etc/pki/CA/certs
#openssl ca -in /tmp/www.csr > www.crt
2 下发数字证书文件给网站服务器
#scp www.crt 192.168.4.53:/tmp/

3 在 网站服务器 配置 网站服务在运行时,调用私钥文件和数字证书文件,然后重启网站服务

yum -y install mod_ssl

]# vim /etc/httpd/conf.d/ssl.conf
100 SSLCertificateFile /etc/pki/tls/certs/www.crt
107 SSLCertificateKeyFile /etc/pki/tls/private/www.key
:wq

cp /tmp/www.crt /etc/pki/tls/certs/

[root@host53 ~]# ls /etc/pki/tls/private/
localhost.key www.key

#systemctl restart httpd
#netstat -utnalp | grep httpd
[root@host53 ~]# netstat -utnalp | grep httpd
tcp6 0 0 :::80 ::: LISTEN 26098/httpd
tcp6 0 0 :::443 :::
LISTEN 26098/httpd

4客户端验证配置192.168.4.254

++++++++++++++++++++++++++++
在主机52 做邮件服务器

能够发邮件(运行postfix服务)
#yum -y install postfix
#systemctl start postfix ; systemctl enable postfix
#netstat -utnalp | grep :25
#ps -C master

vim /etc/postfix/main.cf

113 inet_interfaces = all
116 #inet_interfaces = localhost
419 home_mailbox = Maildir/
:wq
#systemctl restart postfix

添加本地邮箱账号 并测试能否发送邮件
useradd jerry ;echo 123456 | passwd --stdin jerry
useradd lili ;echo 123456 | passwd --stdin lili

jerry@localhost lili@localhost
123456 123456

邮件服务器 192.168.4.52
发件人 lili@localhost
收件人 jerry@localhost

客户端51 测试能否发送邮件

rpm -q telnet || yum -y install telnet

#which telnet

telnet 192.168.4.52 25 //连接邮件服务器

helo pc51 //客户定义主机名
mail from:lili@localhost //发件人
rcpt to:jerry@localhost //收件人
data //写邮件内容
邮件内容
. //提交邮件
quit //断开连接
+++++++++++++++++++++++++++++++++++++++
52 查看邮件是否被投递到用户的邮箱里?
#cd /home
#ls
#cat jerry/Maildir/new/1517275339.Vfd02I4000084M202939.host52

52 能够收邮件(运行dovecot服务)

yum -y install dovecot

#rpm -q dovecot
#rpm -qc dovecot
#cd /etc/dovecot/
#ls
#vim conf.d/10-mail.conf
24 mail_location = maildir:~/Maildir
:wq

#vim conf.d/10-auth.conf
10 disable_plaintext_auth = no
:wq
[root@host52 conf.d]# systemctl start dovecot
[root@host52 conf.d]# systemctl enable dovecot

[root@host52 conf.d]# netstat -utnalp | grep :110
[root@host52 conf.d]# netstat -utnalp | grep :143
[root@host52 conf.d]# ps -C dovecot

测试能否收邮件
52:
#which telnet
#yum -y install telnet

#telnet localhost 110 //连接本机收邮件的服务
user jerry //收件人用户名
pass 123456 //邮箱密码
list //列出邮件
retr 1 //查看第1封邮件的内容
quit //断开连接

配置邮件加密
配置邮件服务器 192.168.4.52
1 创建私钥文件
2 创建证书请求文件
3 提交证书请求文件给CA

配置CA服务器192.168.4.55
1 审核证书请求文件并签发
2 下发数字证书文件给邮件服务器

3 在邮件服务器 配置 邮件服务在运行时,调用私钥文件和数字证书文件,然后重启邮件服务

4客户端验证配置192.168.4.254