1、 OpenSSL
Website: https://www.openssl.org/
The OpenSSL project started in 1998 with the goal of producing a free set of cryptographic tools for use on the Internet. It is based on SSLeay, written by Eric Young and Tim Hudson; when the two joined RSA, SSLeay development stopped in December 1998, and in that same month the community forked OpenSSL from it and has carried it on since.
The OpenSSL Management Committee currently has 7 members, and 13 developers[3] hold commit rights (many of them are also on the committee). There are only two full-time staff (fellows); everyone else is a volunteer. The project's yearly budget is under 1 million USD and comes mostly from donations. The TLS 1.3 work was sponsored by Akamai.
OpenSSL is an open-source library that applications use to communicate securely and to verify the identity of the peer at the other end of the connection. It is very widely deployed on Internet web servers. The core library is written in C, implements the basic cryptographic primitives, and implements the SSL and TLS protocols. OpenSSL runs on OpenVMS, Microsoft Windows and most Unix-like systems (Solaris, Linux, Mac OS X and the open-source BSDs).
Heartbleed: OpenSSL 1.0.1 up to and including 1.0.1f (fixed in 1.0.1g) contained a serious bug, CVE-2014-0160, in the TLS heartbeat extension that let a remote, unauthenticated attacker read up to 64 KB of process memory per request from a server (or client), exposing private keys, session cookies and passwords. It was disclosed in April 2014 and was widely reported as affecting two-thirds of active websites; that figure is the share of sites running OpenSSL, and the share actually running a vulnerable 1.0.1 build was lower. Upgrading alone was not enough: every key that had been in the memory of a vulnerable process had to be rotated and its certificate reissued.
OpenSSL consists of three components:
libcrypto: the library implementing the cryptographic algorithms (encryption and decryption, hashing, signatures, X.509 handling)
libssl: the library implementing the SSL/TLS protocols
openssl: the multi-purpose command-line tool
1.2 Setting up a private CA and requesting certificates on CentOS 8
1.2.1 Create the CA directories and files
[root@CentOS8 pki]#mkdir -pv /etc/pki/CA/{certs,crl,newcerts,private}
mkdir: created directory '/etc/pki/CA'
mkdir: created directory '/etc/pki/CA/certs'
mkdir: created directory '/etc/pki/CA/crl'
mkdir: created directory '/etc/pki/CA/newcerts'
mkdir: created directory '/etc/pki/CA/private'
[root@CentOS8 pki]#tree /etc/pki/CA
/etc/pki/CA
├── certs
├── crl
├── newcerts
└── private
4 directories, 0 files
# create the certificate index database
[root@CentOS8 pki]#touch /etc/pki/CA/index.txt
# set the serial number for the first certificate to be issued
[root@CentOS8 pki]#echo 01 > /etc/pki/CA/serial
index.txt and serial are consulted every time a certificate is issued. The paths come from the [ CA_default ] section of /etc/pki/tls/openssl.cnf, whose dir is /etc/pki/CA on CentOS 8, which is why the directories are created there. If either file is missing, openssl ca fails with the errors below:
[root@centos8 ~]#openssl ca -in /data/app1/app1.csr -out /etc/pki/CA/certs/app1.crt -days 1000
Using configuration from /etc/pki/tls/openssl.cnf
140040142845760:error:02001002:system library:fopen:No such file or directory:crypto/bio/bss_file.c:72:fopen('/etc/pki/CA/index.txt','r')
140040142845760:error:2006D080:BIO routines:BIO_new_file:no such file:crypto/bio/bss_file.c:79:
[root@centos8 ~]#openssl ca -in /data/app1/app1.csr -out /etc/pki/CA/certs/app1.crt -days 1000
Using configuration from /etc/pki/tls/openssl.cnf
/etc/pki/CA/serial: No such file or directory
error while loading serial number
140240559408960:error:02001002:system library:fopen:No such file or directory:crypto/bio/bss_file.c:72:fopen('/etc/pki/CA/serial','r')
140240559408960:error:2006D080:BIO routines:BIO_new_file:no such file:crypto/bio/bss_file.c:79:
1.2.2 Create the CA private key
[root@CentOS8 pki]#cd /etc/pki/CA/
[root@CentOS8 CA]#(umask 066; openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus (2 primes)
....................................+++++
.............+++++
e is 65537 (0x010001)
[root@CentOS8 CA]#tree
.
├── certs
├── crl
├── index.txt
├── newcerts
├── private
│ └── cakey.pem
└── serial
4 directories, 3 files
[root@CentOS8 CA]#ll private/cakey.pem
-rw------- 1 root root 1679 Jun 14 20:17 private/cakey.pem
# the CA's private key: keep it 0600 and root-owned as shown above, and never copy it off the CA host
[root@CentOS8 CA]#cat private/cakey.pem
-----BEGIN RSA PRIVATE KEY-----
(base64 key material omitted)
-----END RSA PRIVATE KEY-----
1.2.3 Issue the CA's self-signed certificate
[root@CentOS8 CA]#openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 3650 -out /etc/pki/CA/cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:JiangXi
Locality Name (eg, city) [Default City]:NanChang
Organization Name (eg, company) [Default Company Ltd]:magedu
Organizational Unit Name (eg, section) []:devops
Common Name (eg, your name or your server's hostname) []:ca.magedu.org
Email Address []:admin@magedu.org
[root@CentOS8 CA]#tree
.
├── cacert.pem
├── certs
├── crl
├── index.txt
├── newcerts
├── private
│ └── cakey.pem
└── serial
4 directories, 4 files
[root@CentOS8 CA]#cat cacert.pem
-----BEGIN CERTIFICATE-----
(base64 certificate body omitted)
-----END CERTIFICATE-----
# view the certificate contents
[root@CentOS8 CA]#openssl x509 -in /etc/pki/CA/cacert.pem -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
54:19:4a:73:2d:5c:ee:e0:6d:60:27:e0:32:78:74:29:ca:59:1b:34
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = CN, ST = JiangXi, L = NanChang, O = magedu, OU = devops, CN = ca.magedu.org, emailAddress = admin@magedu.org
Validity
Not Before: Jun 14 12:26:36 2021 GMT
Not After : Jun 12 12:26:36 2031 GMT
Subject: C = CN, ST = JiangXi, L = NanChang, O = magedu, OU = devops, CN = ca.magedu.org, emailAddress = admin@magedu.org
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
00:e0:0c:85:e5:9f:2e:b4:31:ce:93:04:53:49:43:
7a:a5:f4:52:ac:be:65:b8:32:cf:ff:e4:64:10:5a:
90:5c:dc:b0:02:ca:8e:59:2f:62:f2:ab:12:2f:0e:
fa:f1:29:9b:18:f8:93:bd:17:b3:ac:00:e4:93:8a:
2e:66:17:ca:b1:fe:67:66:37:37:73:fc:57:8b:42:
61:d7:d1:43:d7:47:25:94:9d:93:15:f1:9c:05:5d:
f6:6b:f4:ec:a6:e6:1a:3e:73:1e:6c:b3:67:75:84:
d5:7a:c6:3d:56:c5:8e:c6:cc:dc:72:30:8c:0e:16:
f6:ba:da:08:b7:04:57:ae:ad:3f:cd:2d:ef:a8:bc:
b9:88:16:6e:e6:45:54:c6:f6:05:ba:0f:f9:fd:bd:
97:eb:ed:59:c1:b4:0f:47:07:12:ff:a4:f9:1e:74:
51:d7:3c:e5:12:37:cd:24:7f:cb:df:c9:15:d8:37:
48:70:3b:32:3f:8e:50:66:e0:2b:c3:b9:dc:85:5f:
d3:5c:31:12:b5:80:fe:a4:fc:c5:41:0c:95:b8:e6:
74:67:11:ae:9f:2d:c0:92:83:1c:37:77:5d:0b:d4:
82:18:96:cd:27:bc:03:b7:26:63:59:5b:fc:d5:d5:
ac:08:e4:9a:c7:37:04:9e:7a:24:2c:b4:20:29:4b:
16:a7
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
E5:8D:91:ED:15:F7:AF:B2:5F:71:0E:9A:5B:46:77:78:67:40:B5:A9
X509v3 Authority Key Identifier:
keyid:E5:8D:91:ED:15:F7:AF:B2:5F:71:0E:9A:5B:46:77:78:67:40:B5:A9
X509v3 Basic Constraints: critical
CA:TRUE
Signature Algorithm: sha256WithRSAEncryption
76:00:45:93:4f:9e:17:6d:50:68:c4:ec:c8:41:80:f0:f6:75:
f7:2d:49:eb:fd:7d:65:da:da:ed:d8:45:24:c7:dc:7b:e9:3d:
2e:28:6d:5a:31:01:ed:fb:72:e0:f9:76:c4:25:19:90:89:f3:
27:6a:c1:28:35:45:c2:ae:f5:bf:d3:9d:27:bc:43:74:c3:26:
c6:e9:f2:b4:1f:8e:84:4b:ff:1f:16:e3:b1:f4:03:2c:81:25:
16:14:dc:99:c6:36:8e:2d:a1:23:a0:31:c6:19:cc:01:9e:c1:
f7:ca:2f:d9:96:2e:42:f5:17:ca:67:92:c4:cf:26:72:ed:88:
53:6a:c9:32:f7:9c:11:7d:a9:25:25:ed:f5:1e:bf:9d:a1:53:
67:36:ff:bf:58:3d:e7:73:88:a6:f4:f7:ca:92:77:30:a7:d1:
37:5f:0a:2c:6a:ef:5f:08:ab:e9:58:7d:a5:51:12:33:e0:0b:
75:d7:ba:ea:75:65:62:49:10:f4:62:2c:5c:9d:89:0c:60:bd:
5d:8f:92:55:4f:63:56:20:d2:96:67:96:f5:aa:80:a4:11:68:
d3:5e:7f:a2:37:8a:27:c8:f2:bf:77:91:c5:30:4f:0c:01:29:
1e:3e:79:5a:e2:0a:11:5d:39:4d:33:16:08:e2:f5:23:4e:89:
9b:02:c3:01
Option notes:
-new: generate a new certificate signing request
-x509: output a self-signed certificate instead of a CSR; this is how the CA's own root certificate is produced
-key: the private key for the request, which here also signs the certificate
-days n: validity period of the certificate in days
-out /PATH/TO/SOMECERTFILE: where to write the certificate
With the default openssl.cnf, req -x509 takes its extensions from the [ v3_ca ] section; that is where the Subject/Authority Key Identifier and the critical "CA:TRUE" Basic Constraints shown above come from. Check them with openssl x509 -noout -text before distributing the CA certificate: a root without CA:TRUE is rejected as an issuer by most verifiers.
1.2.4 Generate the user's private key and certificate request (done on the CA host here)
[root@CentOS8 CA]#mkdir /data/app1
[root@CentOS8 CA]#(umask 066;openssl genrsa -out /data/app1/app1.key 2048)
Generating RSA private key, 2048 bit long modulus (2 primes)
............................+++++
...............................................................................................................................................+++++
e is 65537 (0x010001)
[root@CentOS8 CA]#openssl req -new -key /data/app1/app1.key -out /data/app1/app1.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:JiangXi
Locality Name (eg, city) [Default City]:NanChang
Organization Name (eg, company) [Default Company Ltd]:magedu
Organizational Unit Name (eg, section) []:it
Common Name (eg, your name or your server's hostname) []:app1.magedu.org
Email Address []:grain@magedu.org
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@CentOS8 CA]#ll /data/app1/
total 8
-rw-r--r-- 1 root root 1054 Jun 14 21:01 app1.csr
-rw------- 1 root root 1679 Jun 14 20:56 app1.key
By default three fields must match the CA certificate: country, state/province and organization. This is the policy_match policy selected in [ CA_default ] of openssl.cnf (countryName, stateOrProvinceName and organizationName are "match"; organizationalUnitName and emailAddress are "optional"; commonName is "supplied"). Fields that the policy does not list at all, such as the localityName entered in the request above, are silently dropped from the issued certificate, which is why the Subject in 1.2.5 has no L= component. If a "match" field differs, openssl ca refuses with:
[root@centos8 ~]#openssl ca -in /data/app2/app2.csr -out /etc/pki/CA/certs/app2.crt
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
The stateOrProvinceName field is different between
CA certificate (beijing) and the request (hubei)
1.2.5 The CA issues the certificate
[root@CentOS8 CA]#openssl ca -in /data/app1/app1.csr -out /etc/pki/CA/certs/app1.crt -days 1000
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Jun 14 14:18:05 2021 GMT
Not After : Mar 10 14:18:05 2024 GMT
Subject:
countryName = CN
stateOrProvinceName = JiangXi
organizationName = magedu
organizationalUnitName = it
commonName = app1.magedu.org
emailAddress = grain@magedu.org
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
93:6C:B7:BD:A1:7A:F5:10:1C:FD:78:FC:99:A1:D3:E0:26:06:B9:50
X509v3 Authority Key Identifier:
keyid:E5:8D:91:ED:15:F7:AF:B2:5F:71:0E:9A:5B:46:77:78:67:40:B5:A9
Certificate is to be certified until Mar 10 14:18:05 2024 GMT (1000 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@CentOS8 CA]#tree /etc/pki/CA
/etc/pki/CA
├── cacert.pem
├── certs
│ └── app1.crt
├── crl
├── index.txt
├── index.txt.attr
├── index.txt.old
├── newcerts
│ └── 01.pem
├── private
│ └── cakey.pem
├── serial
└── serial.old
4 directories, 9 files
1.2.6 View the certificate
[root@CentOS8 CA]#cat /etc/pki/CA/certs/app1.crt
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=CN, ST=JiangXi, L=NanChang, O=magedu, OU=devops, CN=ca.magedu.org/emailAddress=admin@magedu.org
Validity
Not Before: Jun 14 14:18:05 2021 GMT
Not After : Mar 10 14:18:05 2024 GMT
Subject: C=CN, ST=JiangXi, O=magedu, OU=it, CN=app1.magedu.org/emailAddress=grain@magedu.org
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
00:bb:3d:ee:80:8e:57:89:6d:fb:88:ce:ae:2f:86:
10:c5:b5:0b:ff:25:bd:30:40:ee:21:c1:cc:92:2e:
99:72:3f:78:9b:af:8a:c2:4e:72:fe:b5:33:97:62:
a8:91:9a:4d:6d:fc:e2:d7:fd:9c:dc:07:2b:9c:a9:
a7:de:66:34:96:b9:a1:49:c4:23:07:db:c9:80:19:
93:cb:1d:35:e0:10:af:e5:9f:5a:2a:82:92:42:d2:
aa:ee:ba:4c:85:cf:b1:fd:6b:a9:fb:d3:f9:35:c2:
75:7b:19:e7:1c:03:60:15:bd:25:c9:43:42:d5:5e:
96:65:e3:b2:17:59:22:9c:80:ef:5d:c4:77:6c:3e:
5a:4f:c8:c7:6b:0c:a0:24:dc:ad:8f:40:e7:c1:f1:
e5:f8:39:f5:c6:0b:ff:df:a3:67:22:46:7a:f7:a6:
b2:36:df:6a:d9:f1:49:96:4e:1c:56:15:38:84:ba:
84:25:ee:4f:46:c1:c8:22:3d:50:f1:51:38:29:43:
b8:6a:e2:d3:ce:34:3b:99:b1:59:d6:c1:a6:e4:9f:
01:14:88:b4:17:10:80:51:87:ae:fe:d4:f6:8d:6e:
d0:3a:6e:6a:6d:75:94:a5:d7:55:1a:4b:ed:28:4c:
aa:11:d6:67:64:d1:6c:a1:af:64:c3:ae:50:3d:ea:
bc:7b
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
93:6C:B7:BD:A1:7A:F5:10:1C:FD:78:FC:99:A1:D3:E0:26:06:B9:50
X509v3 Authority Key Identifier:
keyid:E5:8D:91:ED:15:F7:AF:B2:5F:71:0E:9A:5B:46:77:78:67:40:B5:A9
Signature Algorithm: sha256WithRSAEncryption
9f:c6:59:1f:a9:99:6c:11:2a:0c:e8:08:39:08:21:dc:7c:5d:
69:ed:0a:33:a9:43:90:87:a6:14:c5:da:b0:65:27:b7:ad:9c:
7d:60:55:ad:79:76:a6:63:80:2e:c4:fb:c8:17:91:32:60:39:
96:f1:6f:22:d1:85:08:97:fd:2b:6d:62:a2:ad:8c:02:07:db:
cf:78:2f:e0:04:74:b9:8d:dc:54:d6:c6:05:65:55:93:4e:32:
75:26:d9:63:94:56:43:91:ee:89:40:60:14:ff:38:49:34:ef:
c0:2e:9a:16:79:ee:f7:fe:6a:10:5d:5b:e9:b7:c4:16:41:a7:
1d:ef:1f:33:6c:ad:20:17:e2:a5:8b:79:6d:fc:50:d5:4f:c8:
9e:a9:84:f7:35:25:ab:c4:b4:d5:e4:12:a6:a4:66:b7:39:6f:
4b:f1:8a:06:97:fd:c9:17:ad:53:2d:24:ff:13:38:16:a7:2a:
ff:84:20:14:e5:27:7a:78:7d:8d:d1:15:19:48:a3:0a:d5:25:
dd:89:6e:d8:c6:aa:51:94:64:2d:21:2a:13:65:57:1e:bd:3f:
f4:1e:1f:be:6f:b1:38:41:46:19:23:b6:a0:8d:b7:27:56:5f:
b9:a0:e0:41:19:e7:38:72:98:d2:74:8b:91:33:80:80:47:63:
0d:f0:69:80
-----BEGIN CERTIFICATE-----
(base64 certificate body omitted)
-----END CERTIFICATE-----
1.2.7 Send the certificate files to the client
Only app1.crt (plus cacert.pem, so the client can verify the chain) needs to travel; app1.key was generated on the CA host here purely for convenience. In practice the requester generates its own key, keeps it, and sends only the CSR to the CA, so the private key never exists on the CA host at all.
[root@CentOS8 CA]#cp /etc/pki/CA/certs/app1.crt /data/app1/
[root@CentOS8 CA]#tree /data/app1/
/data/app1/
├── app1.crt
├── app1.csr
└── app1.key
0 directories, 3 files
1.2.8 Revoking a certificate
[root@CentOS8 CA]#tree /etc/pki/CA/
/etc/pki/CA/
├── cacert.pem
├── certs
│ ├── app1.crt
│ └── app2.crt
├── crl
├── index.txt
├── index.txt.attr
├── index.txt.attr.old
├── index.txt.old
├── newcerts
│ ├── 01.pem
│ └── 02.pem
├── private
│ └── cakey.pem
├── serial
└── serial.old
4 directories, 12 files
[root@CentOS8 CA]#openssl ca -status 02
Using configuration from /etc/pki/tls/openssl.cnf
02=Valid (V)
[root@CentOS8 CA]#openssl ca -revoke /etc/pki/CA/newcerts/02.pem
Using configuration from /etc/pki/tls/openssl.cnf
Revoking Certificate 02.
Data Base Updated
[root@CentOS8 CA]#openssl ca -status 02
Using configuration from /etc/pki/tls/openssl.cnf
02=Revoked (R)
1.2.9 Generate the certificate revocation list (CRL)
Like serial, the crlnumber file must exist first; openssl ca increments it after every CRL it writes (hence the 02 below). A CRL is only useful once relying parties fetch it and check against it, and it expires after default_crl_days (30 days in the default openssl.cnf), so it has to be regenerated and republished on a schedule.
[root@CentOS8 CA]#openssl ca -gencrl -out /etc/pki/CA/crl.pem
Using configuration from /etc/pki/tls/openssl.cnf
/etc/pki/CA/crlnumber: No such file or directory
error while loading CRL number
140431109904192:error:02001002:system library:fopen:No such file or directory:crypto/bio/bss_file.c:69:fopen('/etc/pki/CA/crlnumber','r')
140431109904192:error:2006D080:BIO routines:BIO_new_file:no such file:crypto/bio/bss_file.c:76:
[root@CentOS8 CA]#echo 01 > /etc/pki/CA/crlnumber
[root@CentOS8 CA]#openssl ca -gencrl -out /etc/pki/CA/crl.pem
Using configuration from /etc/pki/tls/openssl.cnf
[root@CentOS8 CA]#cat /etc/pki/CA/crlnumber
02
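A complete, non-interactive version of the whole procedure in 1.2.1 to 1.2.9, as an added example that is not part of the original page. It assumes openssl 1.1.1 or later on PATH and works in a temporary directory instead of /etc/pki/CA, with its own ca.cnf, so it touches no system configuration. Beyond what the page shows, it uses a policy_anything policy (so a request from another province or organization is still signed, unlike the default policy_match), puts a subjectAltName in the request and copies it into the certificate (browsers and curl ignore the CN and require a SAN), makes the CA enforce CA:FALSE and a serverAuth key usage on every leaf regardless of what the CSR asks for, and ends by verifying the chain, the hostname and the revocation status with openssl verify, which is the step a relying party has to perform for revocation to have any effect. The names (app1.magedu.org, ca.magedu.org) and the Hubei/other-org request DN are constructed for the example.

```bash
#!/usr/bin/env bash
# Added example, not code from the page: a private CA built in a temp directory
# with openssl (>= 1.1.1 assumed on PATH), mirroring /etc/pki/CA from 1.2.1-1.2.9.
set -eu
CA_ROOT="${CA_ROOT:-$(mktemp -d)}"   # stand-in for /etc/pki/CA

# Own ca.cnf instead of /etc/pki/tls/openssl.cnf. policy_anything lets a request
# from another province/org be signed; copy_extensions=copy takes the SAN from the
# CSR, while leaf_ext's basicConstraints/keyUsage override whatever the requester
# put in the CSR (e.g. CA:TRUE), so the CA, not the requester, decides those.
write_ca_config() {
  cat > "$CA_ROOT/ca.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $CA_ROOT
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
crlnumber = \$dir/crlnumber
certificate = \$dir/cacert.pem
private_key = \$dir/private/cakey.pem
default_md = sha256
default_days = 365
default_crl_days = 30
policy = policy_anything
x509_extensions = leaf_ext
copy_extensions = copy
[ policy_anything ]
commonName = supplied
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
emailAddress = optional
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ ca_ext ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
[ leaf_ext ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
}
# 1.2.1-1.2.3: directories, index/serial/crlnumber, CA key (0600) and root cert.
init_ca() {
  mkdir -p "$CA_ROOT/certs" "$CA_ROOT/crl" "$CA_ROOT/newcerts" "$CA_ROOT/private"
  chmod 700 "$CA_ROOT/private"
  : > "$CA_ROOT/index.txt"
  echo 01 > "$CA_ROOT/serial"
  echo 01 > "$CA_ROOT/crlnumber"      # created up front; 1.2.9 shows the error without it
  write_ca_config
  (umask 077; openssl genrsa -out "$CA_ROOT/private/cakey.pem" 3072 2>/dev/null)
  openssl req -new -x509 -config "$CA_ROOT/ca.cnf" -extensions ca_ext -sha256 -days 3650 \
    -key "$CA_ROOT/private/cakey.pem" \
    -subj "/C=CN/ST=JiangXi/L=NanChang/O=magedu/OU=devops/CN=ca.magedu.org" \
    -out "$CA_ROOT/cacert.pem"
}
# 1.2.4-1.2.5: requester key + CSR carrying a SAN, then the CA signs it. The DN
# deliberately differs from the CA's (ST=Hubei, another O): policy_match would refuse it.
issue_leaf() {                        # $1 = FQDN, $2 = output directory
  local fqdn="$1" dir="$2"
  mkdir -p "$dir"
  (umask 077; openssl genrsa -out "$dir/$fqdn.key" 2048 2>/dev/null)
  openssl req -new -sha256 -config "$CA_ROOT/ca.cnf" -key "$dir/$fqdn.key" \
    -subj "/C=CN/ST=Hubei/O=other-org/CN=$fqdn" \
    -addext "subjectAltName=DNS:$fqdn" -out "$dir/$fqdn.csr"
  openssl ca -batch -notext -config "$CA_ROOT/ca.cnf" -days 1000 \
    -in "$dir/$fqdn.csr" -out "$dir/$fqdn.crt" 2>/dev/null
}
san_of() {                            # $1 = cert; prints its DNS SAN entries
  openssl x509 -in "$1" -noout -text | grep -o 'DNS:[A-Za-z0-9.*-]*'
}
verify_leaf() {                       # $1 = expected FQDN, $2 = cert; 0 only if chain AND name check out
  openssl verify -CAfile "$CA_ROOT/cacert.pem" -verify_hostname "$1" "$2" >/dev/null 2>&1
}
index_status() {                      # $1 = serial as stored in index.txt (e.g. 01); prints V or R
  awk -F'\t' -v s="$1" '$4 == s { print $1 }' "$CA_ROOT/index.txt"
}
# 1.2.8-1.2.9: revoke with a reason and write a fresh CRL.
revoke_leaf() {                       # $1 = cert to revoke
  openssl ca -config "$CA_ROOT/ca.cnf" -revoke "$1" -crl_reason keyCompromise 2>/dev/null
  openssl ca -config "$CA_ROOT/ca.cnf" -gencrl -out "$CA_ROOT/crl/crl.pem" 2>/dev/null
}
# What a relying party must do for revocation to matter: verify against the CRL.
verify_leaf_with_crl() {              # $1 = expected FQDN, $2 = cert
  cat "$CA_ROOT/cacert.pem" "$CA_ROOT/crl/crl.pem" > "$CA_ROOT/ca-and-crl.pem"
  openssl verify -crl_check -CAfile "$CA_ROOT/ca-and-crl.pem" -verify_hostname "$1" "$2" >/dev/null 2>&1
}
if [ "${1:-}" = "--demo" ]; then      # usage: bash ca.sh --demo
  init_ca
  issue_leaf app1.magedu.org "$CA_ROOT/out"
  verify_leaf app1.magedu.org "$CA_ROOT/out/app1.magedu.org.crt" && echo "chain and hostname OK"
  revoke_leaf "$CA_ROOT/out/app1.magedu.org.crt"
  verify_leaf_with_crl app1.magedu.org "$CA_ROOT/out/app1.magedu.org.crt" || echo "rejected after revocation"
  echo "CA state in $CA_ROOT"
fi
```

Two things worth noticing when adapting this: copy_extensions=copy is only safe because leaf_ext pins basicConstraints and keyUsage (the CA's values win over the CSR's), and openssl verify without -crl_check still reports the revoked certificate as valid, exactly as a TLS client that never fetches the CRL would.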
2、 SSH service
SSH protocol versions:
- v1: integrity is protected only by a CRC-32 rather than a real MAC, which allows insertion attacks and does not resist man-in-the-middle attacks; obsolete and removed from current OpenSSH
- v2: the two sides negotiate a secure MAC algorithm, derive session keys with Diffie-Hellman (today usually ECDH or curve25519), and authenticate the host with a key pair (RSA, ECDSA or Ed25519; DSA is disabled by default in current OpenSSH)
2.1 Common ssh options and usage
Usage:
2.1.1 Remote login
# password login
1. ssh user@ip            // log in to the server as user; the default port is 22
2. ssh host               // log in to host with the same user name as the local one, port 22
3. ssh user@host -p 10000 // connect to port 10000 on the remote host
# public-key login
1. ssh-keygen            # creates a key pair under $HOME/.ssh/, e.g. id_rsa.pub (public key) and id_rsa (private key); prefer ssh-keygen -t ed25519 on current systems
2. ssh-copy-id user@host # appends the public key to ~/.ssh/authorized_keys on host; from then on the key is used instead of the password
Key-based login
1. Generate a key pair on the client (ssh-keygen).
2. Copy the client's public key to the server (ssh-copy-id), which appends it to ~/.ssh/authorized_keys of the target user.
3. The client connects; after the key exchange has produced the session keys and a session identifier, it requests the "publickey" method for the user name and offers its public key.
4. The server looks for that public key in the user's authorized_keys. The lookup is by user and key, not by client IP (an IP restriction only applies if the key line carries a from= option).
5. If the key is listed, the client signs a blob containing the session identifier, the user name, the service name and the public key with its private key, and sends the signature.
6. The server verifies the signature with the public key from authorized_keys. If it verifies, the login proceeds without a password. Because the session identifier is part of the signed data, the signature cannot be replayed into another session.
Note: this is a signature, not the "server encrypts a random string with the public key and the client sends it back decrypted" scheme often described; that was the SSH-1 RSA challenge and is not how SSH-2 works.
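The mechanism in steps 3 to 6 reduced to its principle, as an added example that is not from the page and is not SSH's wire format (the exact encoding is in RFC 4252): the client signs a message that starts with the session identifier, the server checks that the message names its own session and user and verifies the signature against that user's authorized public keys, and nothing is ever encrypted with the public key. It uses openssl (assumed on PATH) for RSA signatures, a directory per user as a stand-in for authorized_keys, constructed names (alice, mallory, root), and a temp directory.

```bash
#!/usr/bin/env bash
# Added example, not from the page and not SSH's wire format: the principle behind
# SSH-2 public-key authentication, using openssl (assumed on PATH) for signatures.
set -eu
W="${W:-$(mktemp -d)}"

# Client: make a key pair. The private key never leaves the client.
gen_client_key() {                   # $1 = key name
  (umask 077; openssl genrsa -out "$W/$1.key" 2048 2>/dev/null)
  openssl rsa -in "$W/$1.key" -pubout -out "$W/$1.pub" 2>/dev/null
}

# Server: install a public key for a user; $W/server/<user>/ stands in for
# that user's ~/.ssh/authorized_keys (what ssh-copy-id fills).
authorize_key() {                    # $1 = user, $2 = public key file
  mkdir -p "$W/server/$1"
  cp "$2" "$W/server/$1/$(basename "$2")"
}

# Client: sign the authentication request. As in RFC 4252 section 7, the signed
# data starts with the session identifier from the key exchange, so the signature
# is bound to this connection and cannot be replayed into another one.
sign_auth_request() {                # $1 = session id, $2 = user, $3 = key name, $4 = output prefix
  printf '%s\n%s\nssh-connection\npublickey\n' "$1" "$2" > "$4.msg"
  cat "$W/$3.pub" >> "$4.msg"
  openssl dgst -sha256 -sign "$W/$3.key" -out "$4.sig" "$4.msg"
}

# Server: accept only if the message names OUR session id and user and the
# signature verifies under one of that user's authorized public keys.
# Nothing is decrypted here; the server only verifies a signature.
server_verify() {                    # $1 = session id, $2 = user, $3 = msg, $4 = sig
  [ "$(head -n 1 "$3")" = "$1" ] || return 1
  [ "$(sed -n 2p "$3")" = "$2" ] || return 1
  for pub in "$W/server/$2"/*.pub; do
    [ -f "$pub" ] || continue
    if openssl dgst -sha256 -verify "$pub" -signature "$4" "$3" >/dev/null 2>&1; then
      return 0
    fi
  done
  return 1
}

if [ "${1:-}" = "--demo" ]; then     # usage: bash pubkey.sh --demo
  gen_client_key alice
  authorize_key root "$W/alice.pub"
  sid=$(openssl rand -hex 16)        # stands in for the session identifier from the key exchange
  sign_auth_request "$sid" root alice "$W/a"
  server_verify "$sid" root "$W/a.msg" "$W/a.sig" && echo "alice accepted as root"
fi
```

The two failure cases the test below exercises are the ones that matter: a key that is not in authorized_keys is refused even though its signature is perfectly valid, and a captured request is refused under any other session identifier.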
2.1.2 Remote operations over SSH
- Run a command remotely
ssh [user@]host [COMMAND]
ssh [user@]host /bin/bash < test.sh   # run a local script on the remote host
Options:
-p port: port the remote server listens on
-b: source IP address to connect from
-v: verbose (debug) mode
-C: compress the connection
-X: enable X11 forwarding
-t: force pseudo-tty allocation, e.g. ssh -t remoteserver1 ssh -t remoteserver2 ssh remoteserver3
-o option: pass a client configuration option, e.g. -o StrictHostKeyChecking=no. That value turns host key verification off and lets a man-in-the-middle impersonate the server; use -o StrictHostKeyChecking=accept-new, which only auto-accepts keys of hosts never seen before, or keep the default
-i <file>: private key file for key-based authentication; by default ~/.ssh/id_dsa, ~/.ssh/id_ecdsa, ~/.ssh/id_ed25519, ~/.ssh/id_rsa and so on are tried
Examples:
[root@centos8 ~]#ssh -t 10.0.0.8 ssh -t 10.0.0.7 ssh 10.0.0.6
root@10.0.0.8's password:
root@10.0.0.7's password:
root@10.0.0.6's password:
Last login: Fri May 22 09:10:28 2020 from 10.0.0.7
[root@centos6 ~]#
Run a command remotely
[root@centos6 ~]#ssh 10.0.0.8 "sed -i.bak '/StrictHostKeyChecking/s/.*/StrictHostKeyChecking no/' /etc/ssh/ssh_config"
# this rewrites the client-side default on 10.0.0.8 so that every ssh from that host skips host key verification; it removes the protection against server impersonation and belongs in a lab only
root@10.0.0.8's password:
[root@centos6 ~]#
Run a local shell script on the remote host
[root@centos8 ~]#hostname -I
10.0.0.8
[root@centos8 ~]#cat test.sh
#!/bin/bash
hostname -I
[root@centos8 ~]#ssh 10.0.0.18 /bin/bash < test.sh
root@10.0.0.18's password:
10.0.0.18
2.1.3 scp
Copies files between the local machine and a remote host over ssh
# copy a remote file to the local machine
scp root@ip:/var/test/test.tar.gz /var/test/test.tar.gz
# copy a local file to the remote host
scp /var/test/test.tar.gz root@ip:/var/test/test.tar.gz
# copy a remote directory to the local machine (recursive)
scp -r root@ip:/var/test/ /var/test/
2.1.4 Bind a local port
ssh -D 8080 user@host   # ssh opens a SOCKS listener on local port 8080; anything sent to it is carried over the ssh connection and leaves from the remote host (see 2.1.7)
2.1.5 SSH local port forwarding
ssh -L localport:remotehost:remotehostport sshserver
Options
-f: go to the background after authentication
-N: do not open a remote shell, only forward
-g: allow other hosts to connect to the forwarded local port (by default it listens on loopback only); this exposes the tunnel to everything that can reach the client's address
# traffic to port 9527 on the local host is encrypted, carried to the ssh service on sshsrv, decrypted there and forwarded to telnetsrv:23; note that the hop from sshsrv to telnetsrv is plain telnet and is not protected by the tunnel
# data <--> localhost:9527 <--> localhost:XXXXX <--> sshsrv:22 <--> sshsrv:YYYYY <--> telnetsrv:23
ssh -L 9527:telnetsrv:23 -Nfg sshsrv
telnet 127.0.0.1 9527
2.1.6 SSH remote port forwarding
ssh -R sshserverport:remotehost:remotehostport sshserver
# sshsrv listens on port 9527; connections to it are encrypted and sent back through the ssh connection to the local ssh client, which decrypts them and forwards them to telnetsrv:23
# Data <--> sshsrv:9527 <--> sshsrv:22 <--> localhost:XXXXX <--> localhost:YYYYY <--> telnetsrv:23
ssh -R 9527:telnetsrv:23 -Nf sshsrv
# the listener on sshsrv binds to its loopback address only, unless GatewayPorts is enabled in sshsrv's sshd_config
2.1.7 SSH dynamic port forwarding
# when Firefox browses the Internet, local port 1080 acts as a SOCKS proxy: Firefox's requests are forwarded to sshserver, which makes the outbound connections on its behalf
ssh -D 1080 root@sshserver -fNg
# in Firefox set the SOCKS proxy to 127.0.0.1:1080 and enable "proxy DNS when using SOCKS v5", otherwise name lookups still leave the local host in the clear
curl --socks5 127.0.0.1:1080 http://www.google.com
# curl --socks5 resolves names locally; use --socks5-hostname to have sshserver resolve them
3、 sshd service configuration
Server side: sshd
Server configuration file: /etc/ssh/sshd_config
Help for the configuration file: man 5 sshd_config
Common parameters:
Port
ListenAddress ip
LoginGraceTime 2m
PermitRootLogin yes   # the upstream and Ubuntu default is prohibit-password: root may log in with a key but not with a password
StrictModes yes   # check ownership and permissions of ~/.ssh and the files in it before using them
MaxAuthTries 6
MaxSessions 10   # maximum sessions per connection
PubkeyAuthentication yes   # key-based authentication
PermitEmptyPasswords no   # whether accounts with an empty password may log in (keep this no)
PasswordAuthentication yes   # user name and password authentication; set to no once keys are deployed
GatewayPorts no
ClientAliveInterval 10   # unit: seconds
ClientAliveCountMax 3   # default 3
UseDNS yes   # set to no to speed up logins (no is already the default in current OpenSSH)
GSSAPIAuthentication yes   # set to no to speed up logins when Kerberos is not in use
MaxStartups   # maximum number of concurrent unauthenticated connections, default 10 (10:30:100 in current versions)
Banner /path/file
# ways to restrict which users may log in:
AllowUsers user1 user2 user3
DenyUsers
AllowGroups
DenyGroups
Example: disconnect idle ssh sessions after 60 s
vim /etc/ssh/sshd_config
ClientAliveInterval 60
ClientAliveCountMax 0
systemctl restart sshd
# note: only connections opened after the restart are affected
# caveat: with OpenSSH up to 8.1 (CentOS 8 ships 8.0) this drops the connection 60 s after the client last sent data. From OpenSSH 8.2 on, ClientAliveCountMax 0 disables the drop entirely, and with any other value a responsive client is never disconnected however idle the user is, because the client answers the keepalives automatically. For a real idle timeout use a shell TMOUT, or the UnusedConnectionTimeout / ChannelTimeout directives available from OpenSSH 9.2.
Example: fix slow ssh logins
vim /etc/ssh/sshd_config
UseDNS no
GSSAPIAuthentication no
systemctl restart sshd
Example: enable root login over ssh on Ubuntu
vim /etc/ssh/sshd_config
#PermitRootLogin prohibit-password   # this commented line shows the default
PermitRootLogin yes                  # change it to this
sshd -t   # check the syntax before restarting; a typo here locks you out of the host
systemctl restart sshd
# allowing root password logins exposes the root account to password guessing from the whole network; if root access over ssh is really needed, keep prohibit-password and install a key in /root/.ssh/authorized_keys instead