康乐_SH


1. Create a private CA and apply for a certificate

Setting up a private CA:
  • OpenCA: a complete, free PKI suite built by the OpenCA open-source project as a Perl layer on top of OpenSSL
  • openssl: the openssl and openssl-libs packages
Certificate application and signing steps:
  1. Generate a certificate signing request
  2. The RA verifies the request
  3. The CA signs it
  4. Retrieve the certificate

1. Create the CA directories and files
[root@centos8-hkping ~]#mkdir -pv /etc/pki/CA/{certs,crl,newcerts,private}
mkdir: created directory '/etc/pki/CA'
mkdir: created directory '/etc/pki/CA/certs'
mkdir: created directory '/etc/pki/CA/crl'
mkdir: created directory '/etc/pki/CA/newcerts'
mkdir: created directory '/etc/pki/CA/private'
[root@centos8-hkping ~]#tree /etc/pki/CA/
/etc/pki/CA/
├── certs
├── crl
├── newcerts
└── private
[root@centos8-hkping ~]#touch /etc/pki/CA/index.txt
[root@centos8-hkping ~]#echo 0F > /etc/pki/CA/serial
2. Create the CA private key
[root@centos8-hkping ~]#cd /etc/pki/CA/
[root@centos8-hkping CA]#umask 066; openssl genrsa -out private/cakey.pem 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
........+++++
....+++++
e is 65537 (0x010001)
[root@centos8-hkping CA]#tree
.
├── certs
├── crl
├── index.txt
├── newcerts
├── private
│   └── cakey.pem
└── serial

4 directories, 3 files
[root@centos8-hkping CA]#ll private/
total 4
-rw------- 1 root root 1679 Feb 14 15:05 cakey.pem
[root@centos8-hkping CA]#cat private/cakey.pem
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEApde/I1pV9wXi93nqja9lKzD+UaE/LI1hdHPj8VJyXvik+W5i
DfQR5uRlHKZAQcNWmBCdvIO1/gF2Czq6/+Tvq5RkqhhPkUA5W1gz/mhqvS7lesc3
2RF148+JCyfOH1NfWc5aYg5X/T/rwh1tdraMmoateIvqgIywlGea+MF+plBHVsKh
vzMBZ578UBPsSd8hwOocRbU0SKczVmDTuw6Ai8IOpWAAj/66rm+RCO4WVb8QSkxm
j1paiAB4A25KF4K2FXLJpWukM7TvddhZDM1lRU6YvjYOC2b6LQIw6fUWCYno1flS
JvdAOP1GqHjnJNoHBOKP0OmXZY/48dQwCHm2RQIDAQABAoIBAQCKKVDdXPbdEpRh
Y7oaS5LXBrv4uYLt1OLpp1qwwuTxZefavTEHOtxnJMNvuLkzkE7l5IHkeT323LTA
6i673LgmkzvB0PsIoR6nkLXQLqEt9pHLVYibWEaEgXNETecUhdqb8KOvqQ94tfXt
A6McETzVx3lhQf8dFRhOqnma32hpmIRD6hz0gQGJTKAUeQo7p83U4COEsGMgOAMc
8zi8Wtv13rVFoC4u7X1QrrRZGRQmiBRfV9OFF3mYtp8LVUtI5M/vKgJRPY0wgg0D
gevSiMKheRwyM3931egkraypyhkVIYj6OuS7uUGmYqvwPPfaW8yaCZG06uxG5Bx0
Xk6K5E9BAoGBANPJZz4ljls7UOnSDJRMZL2VofMpnJ/Q24hlc/Uepbe4Pr6xJepd
w5t3iDqAkIVjtofjpJBpXoJ0gbvKHiWElWCs1blLJutGJjaY2Xe+lFCKDGVavt5I
dhrOB4X8gqNwXdM/IJcFy2jPS8PEudNgL55js444OGijQZJ/ewY1Da8dAoGBAMh2
8VLu55+9E3vTe1d7AcTqOFHmCM7BqGk1cjFe3aWltZ4zDNv5hDz6b8SzuJH8+dfc
QnNs/I2zhfnVy8i4GX0wTRWgWR3gvemhB9knfZkO47j+sekt3hulzy1kRHlylvhX
bSCjugmVurDCwGr0ikRd+SuiVFHZ2gbeGmUFcDNJAoGBAMMUXowpLeKtVY+7Uqj7
YUQcY4vHRaUUTlNqGBCuRTlgdjNSm7kw2zAGP66bpAOqYIT1VC1NUafax3GB8Jjg
cnQVX9yI8/V9rU9XJeGd46H4NwjZOL0pg9iW9OkfOfpwU4x1NoDF7qLBZ2mReRXS
IKrF7avP7227C3h1Ao4qKkulAoGAEbao5loj73KGqTdru7Qr2NmVdm8sMhDcr8dA
OuqWDVASN1NtfHaU38qFW81Bruy6qv9Ug9yKiH7nhMcGhcr2vaAp/5I2rbQxM9a9
2ctqhr7REoS29dLOwISrROiKQG0GuBUJmIu/IZ+wanQbCphnK1lebiOe7cihQmAX
1vtfCbkCgYB2grEKwKGC1qpu4Dh8TF5BNlYi8VkmHf8D1ajjkxm3vhQd1eypz7WM
9Kf/GzizLPoCwxPO3Id/u/9ZMqlJURnfDK8fqENFwRcptc1J+8I0KyjtMxoMi0kv
q4kMdrLAil/K5hZ1vz8LWCKXCR+BpK9iD3L7Ucc0PQLvSN4DeaIYIQ==
-----END RSA PRIVATE KEY-----
3. Issue the CA a self-signed certificate
[root@centos8-hkping CA]#openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 3650 -out /etc/pki/CA/cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:beijing
Organization Name (eg, company) [Default Company Ltd]:magedu
Organizational Unit Name (eg, section) []:devops
Common Name (eg, your name or your server's hostname) []:ca.magedu.org
Email Address []:
[root@centos8-hkping CA]#tree /etc/pki/CA
/etc/pki/CA
├── cacert.pem
├── certs
├── crl
├── index.txt
├── newcerts
├── private
│   └── cakey.pem
└── serial

4 directories, 4 files
[root@centos8-hkping CA]#cat /etc/pki/CA/cacert.pem
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
[root@centos8-hkping CA]#openssl x509 -in /etc/pki/CA/cacert.pem -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
6c:06:88:c7:08:84:9a:b3:e3:4a:7e:c3:b3:59:4c:c9:70:b8:b3:be
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = CN, ST = beijing, L = beijing, O = magedu, OU = devops, CN = ca.magedu.org
Validity
Not Before: Feb 14 07:08:59 2022 GMT
Not After : Feb 12 07:08:59 2032 GMT
Subject: C = CN, ST = beijing, L = beijing, O = magedu, OU = devops, CN = ca.magedu.org
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
00:a5:d7:bf:23:5a:55:f7:05:e2:f7:79:ea:8d:af:
65:2b:30:fe:51:a1:3f:2c:8d:61:74:73:e3:f1:52:
72:5e:f8:a4:f9:6e:62:0d:f4:11:e6:e4:65:1c:a6:
40:41:c3:56:98:10:9d:bc:83:b5:fe:01:76:0b:3a:
ba:ff:e4:ef:ab:94:64:aa:18:4f:91:40:39:5b:58:
33:fe:68:6a:bd:2e:e5:7a:c7:37:d9:11:75:e3:cf:
89:0b:27:ce:1f:53:5f:59:ce:5a:62:0e:57:fd:3f:
eb:c2:1d:6d:76:b6:8c:9a:86:ad:78:8b:ea:80:8c:
b0:94:67:9a:f8:c1:7e:a6:50:47:56:c2:a1:bf:33:
01:67:9e:fc:50:13:ec:49:df:21:c0:ea:1c:45:b5:
34:48:a7:33:56:60:d3:bb:0e:80:8b:c2:0e:a5:60:
00:8f:fe:ba:ae:6f:91:08:ee:16:55:bf:10:4a:4c:
66:8f:5a:5a:88:00:78:03:6e:4a:17:82:b6:15:72:
c9:a5:6b:a4:33:b4:ef:75:d8:59:0c:cd:65:45:4e:
98:be:36:0e:0b:66:fa:2d:02:30:e9:f5:16:09:89:
e8:d5:f9:52:26:f7:40:38:fd:46:a8:78:e7:24:da:
07:04:e2:8f:d0:e9:97:65:8f:f8:f1:d4:30:08:79:
b6:45
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
91:49:57:08:8D:EE:5B:81:D6:76:5D:8E:22:CE:23:60:14:A0:B0:47
X509v3 Authority Key Identifier:
keyid:91:49:57:08:8D:EE:5B:81:D6:76:5D:8E:22:CE:23:60:14:A0:B0:47

X509v3 Basic Constraints: critical
CA:TRUE
Signature Algorithm: sha256WithRSAEncryption
6e:8b:bf:c6:c4:18:51:11:39:7e:99:c4:b8:2a:c9:5f:9a:ed:
03:8e:39:28:80:af:ad:5b:00:b8:38:f7:b9:ae:58:2c:9c:a3:
c3:de:7b:13:2c:50:ac:fe:d9:49:7f:4a:fd:45:db:d4:94:10:
ba:00:d5:6d:63:e5:52:44:d3:0e:ff:a2:2a:e0:d3:f5:b3:07:
9d:a5:21:c3:d3:73:a0:bd:fc:c2:99:5f:fe:10:0b:b4:e3:b9:
d4:e3:87:b3:2f:f9:b5:72:81:d6:b7:ff:25:02:3d:b9:25:34:
fa:c5:2b:c4:db:b7:97:0a:d7:14:26:52:c7:27:4c:cd:bf:1e:
ad:88:a5:6d:e5:ea:86:6e:48:9c:90:7d:13:5d:53:1c:f4:24:
71:60:75:88:97:53:07:37:e0:1f:60:05:44:1d:1e:15:3e:c4:
68:f5:a3:cc:d9:e5:98:ca:d0:22:98:a0:3e:51:f8:47:d6:fe:
18:49:de:6a:1a:35:4c:7d:0a:31:9d:5c:e9:56:9a:8f:34:8d:
3a:8f:95:f2:fe:5b:ce:fc:f1:1d:35:4b:3a:b6:b9:87:bf:98:
a8:d9:68:b0:49:9e:37:af:31:a9:69:8d:cd:21:cc:27:45:4f:
6a:30:3b:c0:30:97:74:fe:d6:1b:ae:4b:e5:b9:bf:52:df:75:
57:3b:5f:fb
[root@centos8-hkping CA]#sz /etc/pki/CA/cacert.pem
# Copy cacert.pem to Windows, rename it to cacert.pem.crt, and double-click it to open it in the Windows certificate viewer
(screenshot of the certificate viewer not preserved)

4. The user generates a private key and a certificate request

[root@centos8-hkping CA]#mkdir /data/app1
[root@centos8-hkping CA]#umask 066; openssl genrsa -out /data/app1/app1.key 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
....................+++++
..............................................+++++
e is 65537 (0x010001)
[root@centos8-hkping CA]#cat /data/app1/app1.key
-----BEGIN RSA PRIVATE KEY-----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-----END RSA PRIVATE KEY-----

# Generate the certificate signing request

[root@centos8-hkping CA]#openssl req -new -key /data/app1/app1.key -out /data/app1/app1.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:bj
Organization Name (eg, company) [Default Company Ltd]:magedu
Organizational Unit Name (eg, section) []:it
Common Name (eg, your name or your server's hostname) []:app1.magedu.org
Email Address []:root@magedu.org

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@centos8-hkping CA]#ll /data/app1/
total 8
-rw------- 1 root root 1045 Feb 14 15:33 app1.csr
-rw------- 1 root root 1679 Feb 14 15:31 app1.key

5. The CA issues the certificate

[root@centos8-hkping CA]#openssl ca -in /data/app1/app1.csr -out /etc/pki/CA/certs/app1.crt -days 1000
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 15 (0xf)
Validity
Not Before: Feb 14 07:39:38 2022 GMT
Not After : Nov 10 07:39:38 2024 GMT
Subject:
countryName = CN
stateOrProvinceName = beijing
organizationName = magedu
organizationalUnitName = it
commonName = app1.magedu.org
emailAddress = root@magedu.org
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
3E:6B:B6:E4:9A:C6:24:C1:9B:D4:56:72:BC:68:E6:26:66:66:2A:5E
X509v3 Authority Key Identifier:
keyid:91:49:57:08:8D:EE:5B:81:D6:76:5D:8E:22:CE:23:60:14:A0:B0:47

Certificate is to be certified until Nov 10 07:39:38 2024 GMT (1000 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@centos8-hkping CA]#tree /etc/pki/CA
/etc/pki/CA
├── cacert.pem
├── certs
│   └── app1.crt
├── crl
├── index.txt
├── index.txt.attr
├── index.txt.old
├── newcerts
│   └── 0F.pem
├── private
│   └── cakey.pem
├── serial
└── serial.old

4 directories, 9 files

6. Inspect the certificate

[root@centos8-hkping CA]#cat /etc/pki/CA/certs/app1.crt
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 15 (0xf)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=CN, ST=beijing, L=beijing, O=magedu, OU=devops, CN=ca.magedu.org
Validity
Not Before: Feb 14 07:39:38 2022 GMT
Not After : Nov 10 07:39:38 2024 GMT
Subject: C=CN, ST=beijing, O=magedu, OU=it, CN=app1.magedu.org/emailAddress=root@magedu.org
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
00:cb:10:63:19:8b:71:b6:4d:02:a8:87:74:41:b7:
f1:26:46:db:16:1a:3a:04:9d:83:7a:3c:dc:de:1d:
3a:10:33:25:88:fa:92:49:b1:67:b2:9b:78:d1:c4:
a7:a1:24:5d:e6:dc:14:97:0c:85:37:7e:71:7e:13:
e4:d8:12:c9:38:84:f1:d7:1c:94:98:e4:4d:54:82:
61:8f:a3:14:2f:5a:6b:d9:1e:54:1d:88:ad:e3:3d:
0a:8e:04:44:54:b8:e8:24:a4:55:c9:c4:b3:cb:65:
77:9f:17:6f:2b:08:a5:b7:79:52:2c:6c:6a:a7:b0:
a7:7a:44:89:cd:06:a4:d9:b8:f6:03:26:16:f5:92:
53:fe:16:fc:df:ac:9f:67:43:9d:93:1b:7f:17:19:
15:93:c1:8b:19:30:0c:62:32:92:38:e9:2a:4a:9c:
f4:4b:e9:38:c5:16:9b:43:9a:54:13:10:d3:17:8b:
a1:6f:b3:bd:80:0f:d3:fc:b3:fb:f2:fb:2c:63:ac:
a5:46:f1:53:e9:05:c2:89:e3:2f:3c:cf:b3:f5:ea:
fd:86:08:1e:79:c8:f0:7a:ad:58:12:7d:3f:cb:ce:
a4:1b:f7:e3:aa:e0:c6:db:cc:dc:4f:71:e6:9d:c9:
f6:86:50:ea:5a:fa:ca:43:5f:9f:6f:0e:0b:04:2c:
4e:e9
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
3E:6B:B6:E4:9A:C6:24:C1:9B:D4:56:72:BC:68:E6:26:66:66:2A:5E
X509v3 Authority Key Identifier:
keyid:91:49:57:08:8D:EE:5B:81:D6:76:5D:8E:22:CE:23:60:14:A0:B0:47

Signature Algorithm: sha256WithRSAEncryption
70:04:1e:ef:90:c2:ba:80:34:57:ac:c2:16:bd:90:56:c7:4c:
f3:23:15:3e:a5:2f:c7:fd:7e:17:80:b4:01:04:52:c9:e8:6f:
bc:4d:06:7e:27:6b:4e:b5:b9:a2:8d:8d:e8:13:dc:08:9e:01:
3a:a8:bb:88:d1:b2:b4:2a:27:5b:cd:f8:1c:90:25:81:32:93:
89:3d:34:8d:a0:8d:11:c2:21:94:07:ab:83:2c:c4:e1:79:53:
56:6c:56:27:7b:8b:07:74:92:8f:2f:87:26:71:80:49:70:19:
d4:03:1a:14:83:ea:ce:dc:12:42:5c:65:8c:c1:67:74:a8:8a:
e1:bd:62:06:3e:0d:f2:95:6c:aa:0e:40:41:17:af:fa:7b:92:
f9:da:0d:d0:3d:59:6b:ba:6c:1a:8e:ac:32:9b:e0:99:f1:79:
bd:4d:c2:91:d0:79:8e:4f:cf:a4:fc:02:1f:15:56:30:64:2b:
43:04:b0:9d:5a:6f:b8:6d:4e:88:eb:a1:77:06:07:d1:55:e4:
52:5a:49:c8:01:e1:91:88:f8:34:eb:02:71:92:6a:05:5a:c1:
32:95:f3:45:dd:55:d0:91:11:9e:da:1b:9c:64:03:bc:70:b8:
31:d4:a6:1b:20:11:29:d8:b3:52:fd:ac:49:fc:57:6f:ac:dc:
9d:b6:63:19
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----

[root@centos8-hkping CA]#openssl x509 -in /etc/pki/CA/certs/app1.crt -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 15 (0xf)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = CN, ST = beijing, L = beijing, O = magedu, OU = devops, CN = ca.magedu.org
Validity
Not Before: Feb 14 07:39:38 2022 GMT
Not After : Nov 10 07:39:38 2024 GMT
Subject: C = CN, ST = beijing, O = magedu, OU = it, CN = app1.magedu.org, emailAddress = root@magedu.org
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
00:cb:10:63:19:8b:71:b6:4d:02:a8:87:74:41:b7:
f1:26:46:db:16:1a:3a:04:9d:83:7a:3c:dc:de:1d:
3a:10:33:25:88:fa:92:49:b1:67:b2:9b:78:d1:c4:
a7:a1:24:5d:e6:dc:14:97:0c:85:37:7e:71:7e:13:
e4:d8:12:c9:38:84:f1:d7:1c:94:98:e4:4d:54:82:
61:8f:a3:14:2f:5a:6b:d9:1e:54:1d:88:ad:e3:3d:
0a:8e:04:44:54:b8:e8:24:a4:55:c9:c4:b3:cb:65:
77:9f:17:6f:2b:08:a5:b7:79:52:2c:6c:6a:a7:b0:
a7:7a:44:89:cd:06:a4:d9:b8:f6:03:26:16:f5:92:
53:fe:16:fc:df:ac:9f:67:43:9d:93:1b:7f:17:19:
15:93:c1:8b:19:30:0c:62:32:92:38:e9:2a:4a:9c:
f4:4b:e9:38:c5:16:9b:43:9a:54:13:10:d3:17:8b:
a1:6f:b3:bd:80:0f:d3:fc:b3:fb:f2:fb:2c:63:ac:
a5:46:f1:53:e9:05:c2:89:e3:2f:3c:cf:b3:f5:ea:
fd:86:08:1e:79:c8:f0:7a:ad:58:12:7d:3f:cb:ce:
a4:1b:f7:e3:aa:e0:c6:db:cc:dc:4f:71:e6:9d:c9:
f6:86:50:ea:5a:fa:ca:43:5f:9f:6f:0e:0b:04:2c:
4e:e9
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
3E:6B:B6:E4:9A:C6:24:C1:9B:D4:56:72:BC:68:E6:26:66:66:2A:5E
X509v3 Authority Key Identifier:
keyid:91:49:57:08:8D:EE:5B:81:D6:76:5D:8E:22:CE:23:60:14:A0:B0:47

Signature Algorithm: sha256WithRSAEncryption
70:04:1e:ef:90:c2:ba:80:34:57:ac:c2:16:bd:90:56:c7:4c:
f3:23:15:3e:a5:2f:c7:fd:7e:17:80:b4:01:04:52:c9:e8:6f:
bc:4d:06:7e:27:6b:4e:b5:b9:a2:8d:8d:e8:13:dc:08:9e:01:
3a:a8:bb:88:d1:b2:b4:2a:27:5b:cd:f8:1c:90:25:81:32:93:
89:3d:34:8d:a0:8d:11:c2:21:94:07:ab:83:2c:c4:e1:79:53:
56:6c:56:27:7b:8b:07:74:92:8f:2f:87:26:71:80:49:70:19:
d4:03:1a:14:83:ea:ce:dc:12:42:5c:65:8c:c1:67:74:a8:8a:
e1:bd:62:06:3e:0d:f2:95:6c:aa:0e:40:41:17:af:fa:7b:92:
f9:da:0d:d0:3d:59:6b:ba:6c:1a:8e:ac:32:9b:e0:99:f1:79:
bd:4d:c2:91:d0:79:8e:4f:cf:a4:fc:02:1f:15:56:30:64:2b:
43:04:b0:9d:5a:6f:b8:6d:4e:88:eb:a1:77:06:07:d1:55:e4:
52:5a:49:c8:01:e1:91:88:f8:34:eb:02:71:92:6a:05:5a:c1:
32:95:f3:45:dd:55:d0:91:11:9e:da:1b:9c:64:03:bc:70:b8:
31:d4:a6:1b:20:11:29:d8:b3:52:fd:ac:49:fc:57:6f:ac:dc:
9d:b6:63:19

# Check the validity status of the certificate with the given serial number

[root@centos8-hkping CA]#openssl ca -status 0F
Using configuration from /etc/pki/tls/openssl.cnf
0F=Valid (V)

7. Send the certificate files to the user

[root@centos8-hkping CA]#cp /etc/pki/CA/certs/app1.crt /data/app1/
[root@centos8-hkping CA]#tree /data/app1/
/data/app1/
├── app1.crt
├── app1.csr
└── app1.key

0 directories, 3 files

8. Import the certificate as trusted

[root@centos8-hkping CA]#sz /etc/pki/CA/certs/app1.crt
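Steps 1 through 7 above as one non-interactive script. This is an added example, not code from the original post: it assumes only the openssl command-line tool, uses a throwaway temporary directory in place of /etc/pki/CA so it runs without root, writes its own minimal openssl.cnf instead of relying on /etc/pki/tls/openssl.cnf, and takes the DNs (ca.magedu.org, app1.magedu.org) from the post. The last function does what reading the text dump in step 6 cannot: it chains the leaf to the CA with `openssl verify` and confirms the CA:TRUE / CA:FALSE basic constraints.

```shell
#!/bin/sh
# Added example (not from the original post): the private-CA walkthrough
# above as a non-interactive script.  Assumes the openssl CLI; the DNs and
# names (ca.magedu.org, app1) are the walkthrough's, and the CA lives in a
# throwaway temp dir instead of /etc/pki/CA so it runs without root.
set -eu

# Minimal openssl.cnf for this CA so nothing depends on /etc/pki/tls/openssl.cnf.
# $1 = CA directory.  $1 is expanded by the shell; \$dir is left for openssl.
write_ca_config() {
    cat > "$1/openssl.cnf" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir             = $1
database        = \$dir/index.txt
new_certs_dir   = \$dir/newcerts
serial          = \$dir/serial
certificate     = \$dir/cacert.pem
private_key     = \$dir/private/cakey.pem
default_md      = sha256
default_days    = 1000
policy          = policy_loose
x509_extensions = leaf_ext
unique_subject  = no
[ policy_loose ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req ]
distinguished_name = req_dn
x509_extensions    = ca_ext
[ req_dn ]
commonName = Common Name
[ ca_ext ]
basicConstraints       = critical, CA:TRUE
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always
[ leaf_ext ]
basicConstraints       = CA:FALSE
keyUsage               = digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
EOF
}

# Steps 1-3: directory layout, CA key (mode 0600), self-signed CA certificate.
# $1 = CA dir, $2 = CA subject DN.
init_ca() {
    mkdir -p "$1/certs" "$1/crl" "$1/newcerts" "$1/private"
    chmod 700 "$1/private"
    : > "$1/index.txt"
    echo 0F > "$1/serial"
    write_ca_config "$1"
    (umask 077; openssl genrsa -out "$1/private/cakey.pem" 2048 2>/dev/null)
    openssl req -new -x509 -config "$1/openssl.cnf" -key "$1/private/cakey.pem" \
        -days 3650 -subj "$2" -out "$1/cacert.pem"
}

# Steps 4-5: applicant key + CSR, then the CA signs with `openssl ca -batch`
# (no prompts).  $1 = CA dir, $2 = applicant dir, $3 = name, $4 = subject DN.
issue_cert() {
    mkdir -p "$2"
    (umask 077; openssl genrsa -out "$2/$3.key" 2048 2>/dev/null)
    openssl req -new -config "$1/openssl.cnf" -key "$2/$3.key" -subj "$4" -out "$2/$3.csr"
    openssl ca -batch -config "$1/openssl.cnf" -days 1000 \
        -in "$2/$3.csr" -out "$1/certs/$3.crt" >/dev/null 2>&1
    cp "$1/certs/$3.crt" "$2/"          # step 7: hand the cert back to the applicant
}

# Step 6 the way a relying party does it: chain the leaf to the CA and check
# the two constraints that matter most.  $1 = CA dir, $2 = certificate file.
verify_cert() {
    openssl verify -CAfile "$1/cacert.pem" "$2" >/dev/null &&
    openssl x509 -in "$1/cacert.pem" -noout -text | grep -q 'CA:TRUE' &&
    openssl x509 -in "$2" -noout -text | grep -q 'CA:FALSE'
}

DEMO_DIR=$(mktemp -d)
init_ca "$DEMO_DIR/CA" "/C=CN/ST=beijing/L=beijing/O=magedu/OU=devops/CN=ca.magedu.org"
issue_cert "$DEMO_DIR/CA" "$DEMO_DIR/app1" app1 \
    "/C=CN/ST=beijing/L=bj/O=magedu/OU=it/CN=app1.magedu.org/emailAddress=root@magedu.org"
verify_cert "$DEMO_DIR/CA" "$DEMO_DIR/app1/app1.crt" && echo "app1.crt chains to ca.magedu.org"
echo "next serial: $(cat "$DEMO_DIR/CA/serial")"
```

The `-subj` and `-batch` flags replace the interactive DN and "Sign the certificate?" prompts shown above; after the run, `index.txt` holds the `V` (valid) record and `serial` has advanced from 0F to 10, so the `openssl ca -status 0F` check from step 6 works against this layout too once you add `-config "$DEMO_DIR/CA/openssl.cnf"`.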
2. Summary of common ssh parameters and usage
Format:
ssh [user@]host [COMMAND]
ssh [-l user] host [COMMAND]

Common options

-p port    #port the remote server listens on
-b    #source IP address to connect from
-v    #debug (verbose) mode
-C    #enable compression
-X    #enable X11 forwarding
-t    #force pseudo-tty allocation
-o option    e.g.: -o StrictHostKeyChecking=no
-i <file> #path to the private key file for key-based authentication; defaults: ~/.ssh/id_dsa, ~/.ssh/id_ecdsa, ~/.ssh/id_ed25519, ~/.ssh/id_rsa

3. Summary of common sshd parameters

The sshd server configuration file: /etc/ssh/sshd_config

Port              #listening port; changing it is recommended in production

PermitRootLogin yes        #by default Ubuntu does not allow root to log in remotely over ssh

StrictModes yes          #check the ownership and permissions of the .ssh/ files

MaxSessions 10         #maximum number of sessions per connection

PubkeyAuthentication yes    #key-based authentication

PermitEmptyPasswords no     #allow connections with an empty password

PasswordAuthentication yes     #username/password authentication

UseDNS yes           #set to no to speed up logins

GSSAPIAuthentication yes       #set to no to speed up logins
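A way to check what sshd will actually apply for the directives listed above, as an added example that is not part of the original post. It reproduces one rule that bites people who "harden" a server by appending lines: sshd uses the first occurrence of each keyword, so a later `PermitRootLogin no` is ignored if an earlier `yes` exists. The sshd_config below is a constructed sample, and the target values in `sshd_audit` (root login and password authentication off, key authentication on, UseDNS and GSSAPI off as the notes above suggest) are an assumed baseline, not something the post prescribes.

```shell
#!/bin/sh
# Added example (not from the original post): report the effective values of
# the sshd_config directives discussed above.  sshd takes the FIRST occurrence
# of each keyword, so a hardened line appended at the end of the file is
# silently ignored; this checker reproduces that rule.  The config is a
# constructed sample; the expected values are an assumed baseline.
set -eu

SAMPLE_CFG=$(mktemp)
cat > "$SAMPLE_CFG" <<'EOF'
# constructed sample sshd_config
Port 22
PermitRootLogin yes
#PasswordAuthentication no
PasswordAuthentication yes
PermitEmptyPasswords no
PubkeyAuthentication yes
UseDNS yes
GSSAPIAuthentication yes
MaxSessions 10
# appended later by an admin: sshd keeps the "yes" above, first value wins
PermitRootLogin no
EOF

# Print the effective value of keyword $2 in file $1: keywords are
# case-insensitive, comment and blank lines are skipped, first match wins.
# Prints nothing and returns 1 when the keyword is absent (sshd then applies
# its compiled-in default).  Handles the "Keyword value" form only.
sshd_effective() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*(#|$)/     { next }
        tolower($1) == key { print $2; found = 1; exit }
        END                { exit !found }
    ' "$1"
}

# Compare each directive with the baseline value and print one FINDING line
# per mismatch.  $1 = config file.
sshd_audit() {
    for pair in PermitRootLogin:no PasswordAuthentication:no PermitEmptyPasswords:no \
                PubkeyAuthentication:yes UseDNS:no GSSAPIAuthentication:no; do
        key=${pair%%:*}; want=${pair##*:}
        got=$(sshd_effective "$1" "$key" || echo '<default>')
        [ "$got" = "$want" ] || echo "FINDING: $key is '$got', expected '$want'"
    done
}

sshd_audit "$SAMPLE_CFG"
```

Against the sample this reports four findings, including `PermitRootLogin is 'yes'` despite the `no` at the bottom of the file; the fix is to edit the first occurrence, not to append. Run `sshd -t` after any change so a syntax error does not lock you out on the next restart.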



4. Set up a DHCP service to hand out IP addresses

A host can obtain its network configuration in two ways:

  • static assignment
  • dynamic acquisition
  • DHCP: Dynamic Host Configuration Protocol

1. In VMware, turn off "Use local DHCP service to distribute IP addresses to VMs"

2. Install dhcp
[root@centos7 ~]# yum install -y dhcp

3. Copy and edit the configuration file
[root@centos7 ~]# rpm -qa dhcp
dhcp-4.2.5-83.el7.centos.1.x86_64
[root@centos7 ~]# cp /usr/share/doc/dhcp-4.2.5/dhcpd.conf.example /etc/dhcp/dhcpd.conf
cp: overwrite ‘/etc/dhcp/dhcpd.conf’? y
[root@centos7 ~]# vim /etc/dhcp/dhcpd.conf
option domain-name "magedu.org";
option domain-name-servers 180.76.76.76, 223.6.6.6;   # comma-separated list, one trailing semicolon
default-lease-time 600;
max-lease-time 7200;
log-facility local7;
subnet 10.0.0.0 netmask 255.255.255.0 {
    range 10.0.0.10 10.0.0.100;
    range 10.0.0.110 10.0.0.200;
    option routers 10.0.0.254;        # default gateway handed to clients
    next-server 10.0.0.8;             # TFTP server for PXE boot
    filename "pxelinux.0";
}

The process by which the DHCP client obtains an address

[root@centos7 ~]# dhclient -d
Internet Systems Consortium DHCP Client 4.2.5
Copyright 2004-2013 Internet Systems Consortium.
All rights reserved.
For info, please visit https://www.isc.org/software/dhcp/

Listening on LPF/eth0/00:0c:29:ee:56:4f
Sending on LPF/eth0/00:0c:29:ee:56:4f
Sending on Socket/fallback
DHCPDISCOVER on eth0 to 255.255.255.255 port 67 interval 3 (xid=0x52f5188)
DHCPREQUEST on eth0 to 255.255.255.255 port 67 (xid=0x52f5188)
DHCPOFFER from 10.0.0.161
DHCPACK from 10.0.0.161 (xid=0x52f5188)
bound to 10.0.0.100 -- renewal in 8352 seconds.
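A small lint pass over a dhcpd.conf of the shape used in step 3, as an added example that is not part of the original post. The authoritative check is `dhcpd -t -cf FILE`, which needs the dhcp package installed; this awk script needs nothing and catches the mistakes easiest to make by hand (an unknown option name, an address list written with the wrong separators, a range that falls outside its subnet), each of which would otherwise only surface when `dhcpd` refuses to start or clients never get a lease. Both configs are constructed samples: the "broken" one reproduces the kind of typos a hand-edited file picks up, the "corrected" one is the step 3 configuration.

```shell
#!/bin/sh
# Added example (not from the original post): lint a dhcpd.conf of the shape
# used in step 3.  `dhcpd -t -cf FILE` is the real check; this catches unknown
# option names, badly separated address lists and ranges outside their
# subnet.  Both configs below are constructed samples.
set -eu

BAD_CFG=$(mktemp); GOOD_CFG=$(mktemp)
cat > "$BAD_CFG" <<'EOF'
option domain-name "magedu.org";
option domain-name-servers 180,76,76,76;223.6.6.6;
subnet 10.0.0.0 netmask 255.255.255.0 {
  range 10.0.0.10 10.0.0.100;
  range 10.0.1.110 10.0.1.200;
  option touters 10.0.0.254;
}
EOF
cat > "$GOOD_CFG" <<'EOF'
option domain-name "magedu.org";
option domain-name-servers 180.76.76.76, 223.6.6.6;
subnet 10.0.0.0 netmask 255.255.255.0 {
  range 10.0.0.10 10.0.0.100;
  range 10.0.0.110 10.0.0.200;
  option routers 10.0.0.254;
}
EOF

# Print one line per problem found in $1; exit status 1 if anything was found.
# Subnet membership is computed for contiguous netmasks (the normal case).
dhcpd_lint() {
    awk '
    function ip2int(s,   a, i) {            # dotted quad -> integer, -1 if malformed
        if (split(s, a, ".") != 4) return -1
        for (i = 1; i <= 4; i++) if (a[i] !~ /^[0-9]+$/ || a[i] + 0 > 255) return -1
        return ((a[1] * 256 + a[2]) * 256 + a[3]) * 256 + a[4]
    }
    function bad(msg) { print FILENAME ":" NR ": " msg; n++ }
    BEGIN { split("routers domain-name domain-name-servers subnet-mask broadcast-address", k, " ")
            for (i in k) known[k[i]] = 1 }
    # pad semicolons so they become fields of their own, then count them
    { gsub(/;/, " ; "); semis = 0; for (i = 1; i <= NF; i++) if ($i == ";") semis++ }
    $1 == "option" {
        if (!($2 in known)) bad("unknown option \"" $2 "\"")
        if (semis != 1 || $NF != ";") bad("expected exactly one trailing \";\"")
        if ($2 == "domain-name-servers") {          # every value must be an IPv4 address
            vals = ""; for (i = 3; i < NF; i++) if ($i != ";") vals = vals " " $i
            m = split(vals, t, /[ ,]+/)
            for (i = 1; i <= m; i++) if (t[i] != "" && ip2int(t[i]) < 0) bad("bad IPv4 address \"" t[i] "\"")
        }
    }
    $1 == "subnet" && $3 == "netmask" {
        net = ip2int($2); block = 4294967296 - ip2int($4)   # block = number of addresses in the subnet
        if (net < 0 || block < 1) bad("bad subnet/netmask")
    }
    $1 == "range" {
        lo = ip2int($2); hi = ip2int($3)
        if (lo < 0 || hi < 0 || lo > hi) bad("bad range")
        else if (block < 1) bad("range outside any subnet block")
        else if (int(lo / block) != int(net / block) || int(hi / block) != int(net / block))
            bad("range " $2 "-" $3 " outside subnet")
    }
    END { exit (n > 0) }
    ' "$1"
}

echo "--- broken config"; dhcpd_lint "$BAD_CFG" || true
echo "--- corrected config"; dhcpd_lint "$GOOD_CFG" && echo "no findings"
```

On the broken sample the output names line 2 (two semicolons and four non-addresses where a comma-separated list was meant), line 5 (range in 10.0.1.0/24 under a 10.0.0.0/24 subnet) and line 6 (`touters`); the corrected file passes clean.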


posted on 2022-02-14 18:38  康乐_SH