gpg symmetric-key encryption

[root@centos8 data]#cd /data/
[root@centos8 data]#cp /etc/issue file
[root@centos8 data]#ls
file
[root@centos8 data]#cat file
\S
Kernel \r on an \m
[root@centos8 data]#gpg -c file
[root@centos8 data]#ls
file  file.gpg
[root@centos8 data]#scp file.gpg  192.168.39.100:/data
root@192.168.39.100's password:    #enter the remote host's password
file.gpg                                                100%   97    70.2KB/s   00:00
[root@centos7 data]#ls
file.gpg
[root@centos7 data]#gpg -o file -d file.gpg
gpg: AES encrypted data
gpg: encrypted with 1 passphrase
Enter the passphrase that was given to gpg -c. The same passphrase encrypts and decrypts, so it has to reach the other host over a separate, trusted channel.
[root@centos7 data]#cat file
\S
Kernel \r on an \m
[root@centos8 ~]#vim /etc/pki/tls/openssl.cnf
The CA configuration file, used by openssl ca in the CA section below; on CentOS its [ CA_default ] section sets dir = /etc/pki/CA.

gpg public-key encryption

Public-key encryption between centos7 and centos8: centos8 encrypts a file with centos7's public key, and centos7 decrypts it with its own private key.

1. Generate the public/private key pair on host A (centos7)

gpg --gen-key creates the pair interactively. gpg 1.x (CentOS 7) asks for 1. the key type, 2. the key length, 3. the validity period, 4. the key's name (at least 5 characters); gpg 2.x (CentOS 8) asks only for a name and an e-mail address and uses defaults for the rest (gpg --full-generate-key asks for everything).

The directory /root/.gnupg is created. With gpg 1.x the public keyring is pubring.gpg and the private keyring secring.gpg; gpg 2.1+ keeps public keys in pubring.kbx and private keys under private-keys-v1.d/ (compare the centos8 listing further down).

#gpg --gen-key
[root@centos7 ~]#cd .gnupg/
[root@centos7 .gnupg]#ll
total 28
-rw-------. 1 root root 7680 Nov  6 09:29 gpg.conf
drwx------  2 root root    6 Nov  7 21:55 private-keys-v1.d
-rw-------  1 root root 1165 Nov  7 21:55 pubring.gpg
-rw-------  1 root root 1165 Nov  7 21:55 pubring.gpg~
-rw-------  1 root root  600 Nov  7 21:55 random_seed
-rw-------  1 root root 2543 Nov  7 21:55 secring.gpg
srwxr-xr-x  1 root root    0 Nov  7 21:55 S.gpg-agent
-rw-------. 1 root root 1280 Nov  7 21:55 trustdb.gpg

2. List the public keys on host A: gpg --list-keys

[root@centos7 data]#gpg --list-key
/root/.gnupg/pubring.gpg
------------------------
pub   2048R/B5D2CD0B 2019-11-07
uid                  likai
sub   2048R/A995B210 2019-11-07

3. Export host A's public key in ASCII armour to a file, here kaivi.pubkey: gpg -a --export -o kaivi.pubkey. Without a key ID, --export writes every public key in the keyring; add the uid (gpg -a --export -o kaivi.pubkey likai) to export only that key.

[root@centos7 .gnupg]#gpg -a --export -o kaivi.pubkey
[root@centos7 .gnupg]#cat kaivi.pubkey
View the exported public key.

4. Copy the public key file with scp from centos7 (192.168.39.100) to centos8 (192.168.39.102), the host that will do the encrypting. On a first connection ssh shows the target's host key fingerprint; compare it with what the target itself reports (ssh-keygen -lf /etc/ssh/ssh_host_ecdsa_key.pub there) before answering yes.

[root@centos7 .gnupg]#scp kaivi.pubkey 192.168.39.102:/root/
The authenticity of host '192.168.39.102 (192.168.39.102)' can't be established.
ECDSA key fingerprint is SHA256:Ig11XThtroxUhSlTRH90FtsTe+cPa5AV75Telofrs0c.
ECDSA key fingerprint is MD5:fe:bb:f0:04:ee:b2:b1:d3:bc:ab:00:ca:9b:63:d6:bf.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.39.102' (ECDSA) to the list of known hosts.
root@192.168.39.102's password:
kaivi.pubkey                                                         100% 1683     1.4MB/s   00:00

5. On centos8, the host that will encrypt, generate its own key pair, then import the public key just copied over

[root@centos8 ~]#gpg --gen-key
[root@centos8 .gnupg]#gpg --import /root/kaivi.pubkey
[root@centos8 .gnupg]#gpg --list-key
/root/.gnupg/pubring.kbx
------------------------
pub   rsa2048 2019-11-07 [SC] [expires: 2021-11-06]
      128806C063C463F7842D8D7F64209B38DE03940F
uid           [ultimate] laowang          # centos8's own key
sub   rsa2048 2019-11-07 [E] [expires: 2021-11-06]
pub   rsa2048 2019-11-07 [SC]
      D4CE2E41C5E4E7803F3CAD2C653D58ABB5D2CD0B
uid           [ unknown] likai            # the key imported from centos7
sub   rsa2048 2019-11-07 [E]

6. On centos8, encrypt a file with the key imported from centos7 (likai's public key; the output is file.txt.gpg). -e encrypts, -r names the recipient whose public key is used.

[root@centos8 .gnupg]#echo duanxin > file.txt
[root@centos8 .gnupg]#gpg -e -r likai file.txt
gpg: CE9072A8A995B210: There is no assurance this key belongs to the named user
sub  rsa2048/CE9072A8A995B210 2019-11-07 likai
 Primary key fingerprint: D4CE 2E41 C5E4 E780 3F3C  AD2C 653D 58AB B5D2 CD0B
      Subkey fingerprint: 6D31 F4CA 7B1A DB6F 1854  B8C9 CE90 72A8 A995 B210

It is NOT certain that the key belongs to the person named
in the user ID.  If you *really* know what you are doing,
you may answer the next question with yes.

Use this key anyway? (y/N) y
The warning appears because the imported key has no trust yet ([ unknown] in --list-key). Before answering y, check the primary key fingerprint against what centos7 prints for gpg --fingerprint likai; its last eight hex digits, B5D2CD0B, are the short key ID listed in step 2. Once verified, gpg --lsign-key likai certifies the key locally and the warning stops.
[root@centos8 .gnupg]#ll
total 24
-rw-r--r-- 1 root root    8 Nov  7 21:59 file.txt
-rw-r--r-- 1 root root  348 Nov  7 22:05 file.txt.gpg
drwx------ 2 root root   58 Nov  7 21:58 openpgp-revocs.d
drwx------ 2 root root  110 Nov  7 21:58 private-keys-v1.d
-rw-r--r-- 1 root root 2784 Nov  7 21:58 pubring.kbx
-rw-r--r-- 1 root root 1437 Nov  7 21:58 pubring.kbx~
-rw------- 1 root root  600 Nov  7 22:05 random_seed
-rw------- 1 root root 1280 Nov  7 21:59 trustdb.gpg

7. Copy the encrypted file from centos8 to centos7

[root@centos8 .gnupg]#scp file.txt.gpg 192.168.39.100:/data
The authenticity of host '192.168.39.100 (192.168.39.100)' can't be established.
ECDSA key fingerprint is SHA256:R+9CsnYLEXDvGpX/n78dCH/1p+m9or3SAfMDQ8YetrU.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.39.100' (ECDSA) to the list of known hosts.
root@192.168.39.100's password:
Permission denied, please try again.
root@192.168.39.100's password:
file.txt.gpg                                                         100%  348    80.7KB/s   00:00

8. centos7 decrypts with the private key it already holds

[root@centos7 ~]#cd  /data/
[root@centos7 data]#ll
total 16
-rw-r--r-- 1 root root   348 Nov  7 22:05 file.txt.gpg
-rw-r--r-- 1 root root 11537 Nov  6 19:35 init.sh
[root@centos7 data]#gpg -o file.txt -d file.txt.gpg
You need a passphrase to unlock the secret key for
user: "likai"
2048-bit RSA key, ID A995B210, created 2019-11-07 (main key ID B5D2CD0B)
gpg: encrypted with 2048-bit RSA key, ID A995B210, created 2019-11-07
      "likai"
[root@centos7 data]#ll
total 20
-rw-r--r-- 1 root root     8 Nov  7 22:06 file.txt
-rw-r--r-- 1 root root   348 Nov  7 22:05 file.txt.gpg
-rw-r--r-- 1 root root 11537 Nov  6 19:35 init.sh
[root@centos7 data]#cat file.txt
duanxin

Deleting keys: remove keys with gpg, not by deleting files under ~/.gnupg. If both the public and the private key are present, delete the private key first (gpg --delete-secret-keys <key ID>) and then the public key (gpg --delete-keys <key ID>); the other order is refused while a private key still exists for that public key.
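The two gpg procedures above, symmetric and public-key, as an added shell example that is not part of the original notes: it runs both without prompts in throwaway GNUPGHOME directories standing in for centos7 and centos8, compares the imported key's fingerprint instead of answering y to the "no assurance" prompt, checks that the recipient's key and only that key decrypts the file, and ends with the secret-key-then-public-key deletion order. It assumes gpg 2.1 or later on PATH (gpg 1.4, the CentOS 7 default, lacks --pinentry-mode); the names, e-mail addresses, passphrase and message are made up.

```shell
#!/bin/sh
# Added example, not the original notes' code. Requires gpg 2.1+; names,
# addresses, passphrase and message text below are made up for the demo.

# A fresh keyring directory playing the part of one host's /root/.gnupg.
new_home() {
    h=$(mktemp -d) || return 1
    echo allow-loopback-pinentry > "$h/gpg-agent.conf"   # lets --passphrase work on old 2.1.x
    echo "$h"
}

# Unattended version of the interactive "gpg --gen-key". %no-protection
# leaves the private key without a passphrase (lab only; use "Passphrase: ...").
gen_key() {   # gen_key HOME NAME EMAIL
    gpg --homedir "$1" --batch --gen-key 2>/dev/null <<EOF
%no-protection
Key-Type: RSA
Key-Length: 2048
Subkey-Type: RSA
Subkey-Length: 2048
Name-Real: $2
Name-Email: $3
Expire-Date: 2y
%commit
EOF
}

# Primary-key fingerprint of a uid: the value to compare out of band.
fpr_of() {    # fpr_of HOME UID
    gpg --homedir "$1" --with-colons --fingerprint "$2" 2>/dev/null |
        awk -F: '$1 == "fpr" { print $10; exit }'
}

# Stop the per-homedir agents and remove the temporary keyrings.
kill_agents() { for h in "$@"; do GNUPGHOME=$h gpgconf --kill gpg-agent 2>/dev/null || true; rm -rf "$h"; done; }

# Symmetric: encrypt on one host, decrypt on another with the same passphrase.
symmetric_demo() {
    command -v gpg >/dev/null 2>&1 || { echo skipped; return 0; }
    a=$(new_home); b=$(new_home)
    pass='correct horse battery staple'            # demo passphrase
    printf 'Kernel \\r on an \\m\n' > "$a/file"
    gpg --homedir "$a" --batch --yes --pinentry-mode loopback --passphrase "$pass" \
        --cipher-algo AES256 -o "$a/file.gpg" -c "$a/file" 2>/dev/null
    gpg --homedir "$b" --batch --yes --pinentry-mode loopback --passphrase "$pass" \
        -o "$b/file" -d "$a/file.gpg" 2>/dev/null
    [ "$(cat "$a/file")" = "$(cat "$b/file")" ] && r=ok || r=mismatch
    kill_agents "$a" "$b"; echo "$r"
}

# Public-key: A exports its public key, B imports it, checks the fingerprint
# against the value A gave out of band, encrypts to A, and A decrypts. B's
# own key cannot. Finally A deletes its key, secret part first.
pubkey_demo() {
    command -v gpg >/dev/null 2>&1 || { echo skipped; return 0; }
    a=$(new_home); b=$(new_home)
    gen_key "$a" 'Li Kai' likai@example.test
    gen_key "$b" 'Lao Wang' laowang@example.test
    gpg --homedir "$a" --armor --export likai@example.test > "$b/kaivi.pubkey"
    expected=$(fpr_of "$a" likai@example.test)      # told to B out of band
    gpg --homedir "$b" --batch --import "$b/kaivi.pubkey" 2>/dev/null
    [ "$(fpr_of "$b" likai@example.test)" = "$expected" ] || { echo fpr-mismatch; return 0; }
    echo duanxin > "$b/file.txt"
    # --trust-model always is acceptable only because the fingerprint was just
    # checked; the durable fix is to certify the key (gpg --lsign-key).
    gpg --homedir "$b" --batch --yes --trust-model always -r likai@example.test \
        -o "$b/file.txt.gpg" -e "$b/file.txt" 2>/dev/null
    gpg --homedir "$a" --batch --yes -o "$a/file.txt" -d "$b/file.txt.gpg" 2>/dev/null
    [ "$(cat "$a/file.txt")" = duanxin ] || { echo decrypt-mismatch; return 0; }
    if gpg --homedir "$b" --batch --yes -o /dev/null -d "$b/file.txt.gpg" 2>/dev/null; then
        echo wrong-key-decrypted; return 0
    fi
    gpg --homedir "$a" --batch --yes --delete-secret-keys "$expected" 2>/dev/null
    gpg --homedir "$a" --batch --yes --delete-keys "$expected" 2>/dev/null
    left=$(gpg --homedir "$a" --with-colons --list-keys 2>/dev/null | grep -c '^pub:' || true)
    kill_agents "$a" "$b"
    [ "$left" -eq 0 ] && echo ok || echo delete-failed
}
```

symmetric_demo and pubkey_demo each print ok on success (skipped when gpg is not installed). --trust-model always is used only after the fingerprint comparison succeeded; for a key you keep using, certify it once with gpg --lsign-key so the default trust model accepts it without a flag.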

Building a CA: self-signed root certificate and issuing certificates

openssl ca expects a fixed directory layout, set under [ CA_default ] in /etc/pki/tls/openssl.cnf (dir = /etc/pki/CA on CentOS). Create the subdirectories on centos8 first; CentOS 7 ships them already.

[root@centos8 ~]#cd /etc/pki/CA/
[root@centos8 CA]#mkdir /etc/pki/CA/{certs,crl,newcerts,private} -pv
mkdir: created directory '/etc/pki/CA/certs'
mkdir: created directory '/etc/pki/CA/crl'
mkdir: created directory '/etc/pki/CA/newcerts'
mkdir: created directory '/etc/pki/CA/private'
[root@centos8 CA]#tree /etc/pki/CA
/etc/pki/CA
├── certs
├── crl
├── newcerts
└── private

4 directories, 0 files

Generating the self-signed certificate takes two steps: create the CA's private key, then use it to create the self-signed certificate.
The CA's private key has to be /etc/pki/CA/private/cakey.pem. That is not a rule of OpenSSL itself but the private_key = $dir/private/cakey.pem setting in openssl.cnf, which openssl ca reads when it signs.
Create the private key:

[root@centos8 CA]#openssl genrsa -out private/cakey.pem 1024
Generating RSA private key, 1024 bit long modulus (2 primes)
.............+++++
............+++++
e is 65537 (0x010001)
1024 is the modulus size in bits; it is too weak for anything beyond a lab, use 2048 or more. On CentOS 7 (OpenSSL 1.0.2) run it as (umask 077; openssl genrsa ...) so the file is created mode 600; the OpenSSL 1.1.1 in CentOS 8 creates it 600 by itself. The key can also be stored encrypted (e.g. genrsa -aes256); a forgotten passphrase means generating a new key, and every run of genrsa produces a different key.

Next, use the private key to create the self-signed certificate.
It has to be /etc/pki/CA/cacert.pem (certificate = $dir/cacert.pem in openssl.cnf).
You are asked for the Distinguished Name (DN) fields:

[root@centos8 CA]#openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 3650 -out /etc/pki/CA/cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:beijing
Organization Name (eg, company) [Default Company Ltd]:magedu
Organizational Unit Name (eg, section) []:it
Common Name (eg, your name or your server's hostname) []:cakai.magedu.net
Email Address []:15675455220@163.com
[root@centos8 CA]#tree
.
├── cacert.pem       # the self-signed CA certificate
├── certs
├── crl
├── newcerts
└── private
    └── cakey.pem    # the CA private key

4 directories, 2 files
[root@centos8 CA]#openssl x509 -in cacert.pem -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            6f:19:d2:4f:fd:60:3e:57:33:45:50:d3:ba:ff:ba:45:e7:bb:27:b9
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = CN, ST = beijing, L = beijing, O = magedu, OU = it, CN = cakai.magedu.net, emailAddress = 15675455220@163.com
        Validity
            Not Before: Nov  7 02:36:35 2019 GMT
            Not After : Nov  4 02:36:35 2029 GMT
        Subject: C = CN, ST = beijing, L = beijing, O = magedu, OU = it, CN = cakai.magedu.net, emailAddress = 15675455220@163.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
This command decodes the certificate so its contents can be read.
[root@centos8 CA]#sz cacert.pem
Download it to Windows, rename the extension to .crt, and it opens directly in the certificate viewer.

2. Issuing certificates to others
openssl ca needs an index database (index.txt) and a serial-number file (serial), both created beforehand. Below they are deliberately left out at first to show the resulting errors.

centos8 is the issuing CA; centos7 applies for a certificate. Work in a new directory, /data/ here.
Applying for a certificate starts with generating the applicant's private key.
Set umask first so the key file is created mode 600: umask 066 and umask 077 both do that for files.

[root@centos7 ~]#cd /data/
[root@centos7 data]#ls
[root@centos7 data]#(umask 077;openssl genrsa -out app.key 1024)
Generating RSA private key, 1024 bit long modulus
.............++++++
...++++++
e is 65537 (0x10001)
[root@centos7 data]#cat app.key
-----BEGIN RSA PRIVATE KEY-----
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
-----END RSA PRIVATE KEY-----

Then generate the certificate signing request from that private key.
No validity period is entered: the issuing CA decides it.

[root@centos7 data]#openssl req -new -key app.key -out app.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:beijing
Organization Name (eg, company) [Default Company Ltd]:magedu
Organizational Unit Name (eg, section) []:R&D
Common Name (eg, your name or your server's hostname) []:www.magedu.net
Email Address []:15675455220@163.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@centos7 data]#ll
total 8
-rw-r--r-- 1 root root 704 Nov  7 11:01 app.csr
-rw------- 1 root root 891 Nov  7 10:54 app.key
[root@centos7 data]#cat app.csr
-----BEGIN CERTIFICATE REQUEST-----
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
-----END CERTIFICATE REQUEST-----
[root@centos7 data]#scp app.csr 192.168.39.8:/etc/pki/CA
The authenticity of host '192.168.39.8 (192.168.39.8)' can't be established.
ECDSA key fingerprint is SHA256:Ig11XThtroxUhSlTRH90FtsTe+cPa5AV75Telofrs0c.
ECDSA key fingerprint is MD5:fe:bb:f0:04:ee:b2:b1:d3:bc:ab:00:ca:9b:63:d6:bf.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.39.8' (ECDSA) to the list of known hosts.
root@192.168.39.8's password:
app.csr                                                 100%  704   557.6KB/s   00:00    

With app.csr on centos8 (the CA), the CA can check the request and issue the certificate.
Issued certificates go under certs/.

[root@centos8 CA]#openssl ca -in app.csr -out /etc/pki/CA/certs/app.crt -days 700
Using configuration from /etc/pki/tls/openssl.cnf
140076605519680:error:02001002:system library:fopen:No such file or directory:crypto/bio/bss_file.c:72:fopen('/etc/pki/CA/index.txt','r')
140076605519680:error:2006D080:BIO routines:BIO_new_file:no such file:crypto/bio/bss_file.c:79:

The error is the missing /etc/pki/CA/index.txt; create it as an empty file and retry:

[root@centos8 CA]#touch /etc/pki/CA/index.txt
[root@centos8 CA]#openssl ca -in app.csr -out /etc/pki/CA/certs/app.crt -days 700
Using configuration from /etc/pki/tls/openssl.cnf
Can't open /etc/pki/CA/index.txt.attr for reading, No such file or directory
139710576666432:error:02001002:system library:fopen:No such file or directory:crypto/bio/bss_file.c:72:fopen('/etc/pki/CA/index.txt.attr','r')
139710576666432:error:2006D080:BIO routines:BIO_new_file:no such file:crypto/bio/bss_file.c:79:
/etc/pki/CA/serial: No such file or directory
error while loading serial number
139710576666432:error:02001002:system library:fopen:No such file or directory:crypto/bio/bss_file.c:72:fopen('/etc/pki/CA/serial','r')
139710576666432:error:2006D080:BIO routines:BIO_new_file:no such file:crypto/bio/bss_file.c:79:

Still an error, this time the missing /etc/pki/CA/serial.
This file must already hold the serial number the next certificate will get, as a hexadecimal number with an even number of digits.

[root@centos8 CA]#echo 0F >  /etc/pki/CA/serial
Setting it to 0F gives this certificate serial 0F; the next one gets 10.
[root@centos8 CA]#openssl ca -in app.csr -out /etc/pki/CA/certs/app.crt -days 700
Using configuration from /etc/pki/tls/openssl.cnf
Can't open /etc/pki/CA/index.txt.attr for reading, No such file or directory
140518173529920:error:02001002:system library:fopen:No such file or directory:crypto/bio/bss_file.c:72:fopen('/etc/pki/CA/index.txt.attr','r')
140518173529920:error:2006D080:BIO routines:BIO_new_file:no such file:crypto/bio/bss_file.c:79:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 15 (0xf)
        Validity
            Not Before: Nov  7 03:15:05 2019 GMT
            Not After : Oct  7 03:15:05 2021 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = beijing
            organizationName          = magedu
            organizationalUnitName    = R&D
            commonName                = www.magedu.net
            emailAddress              = 15675455220@163.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                40:14:63:FF:16:AA:17:0C:7A:BD:3B:D7:F3:03:FE:A5:F4:5B:69:5E
            X509v3 Authority Key Identifier:
                keyid:99:D6:B0:67:C9:BC:06:8B:67:83:23:B0:71:7D:68:40:DF:01:BD:9B
Certificate is to be certified until Oct  7 03:15:05 2021 GMT (700 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

Files with the .old suffix are the backups openssl ca keeps of index.txt and serial before each update. The index.txt.attr warning above is harmless: openssl ca creates that file itself (with unique_subject = yes).

[root@centos8 CA]#cat index.txt
V   211007031505Z       0F  unknown /C=CN/ST=beijing/O=magedu/OU=R&D/CN=www.magedu.net/emailAddress=15675455220@163.com
Check who the certificate was issued to:
[root@centos8 CA]#openssl x509 -in certs/app.crt -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 15 (0xf)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = CN, ST = beijing, L = beijing, O = magedu, OU = it, CN = cakai.magedu.net, emailAddress = 15675455220@163.com
        Validity
            Not Before: Nov  7 03:15:05 2019 GMT
            Not After : Oct  7 03:15:05 2021 GMT
        Subject: C = CN, ST = beijing, O = magedu, OU = R&D, CN = www.magedu.net, emailAddress = 15675455220@163.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (1024 bit)

Viewing the certificate: the locality entered in the request (L = beijing) is missing from the issued subject, because the CA's policy only copies the fields it lists.

If the applicant's country, state/province or organisation differ from the CA's, signing fails: the default policy (policy = policy_match under [ CA_default ]) requires C, ST and O to equal the CA certificate's. Change the issuing policy in the CA configuration, e.g. to policy_anything:

[root@centos8 CA]#vim /etc/pki/tls/openssl.cnf

By default the same subject cannot be issued a second certificate while the first is still valid in index.txt.
To allow it, edit
/etc/pki/CA/index.txt.attr and change unique_subject = yes to no.

Revoking certificates
Revocation also needs the CRL-number file /etc/pki/CA/crlnumber.

[root@centos8 ~]#cat /etc/pki/CA/index.txt
V   211007031505Z       0F  unknown /C=CN/ST=beijing/O=magedu/OU=R&D/CN=www.magedu.net/emailAddress=15675455220@163.com
[root@centos8 ~]#openssl ca -revoke /etc/pki/CA/newcerts/0F.pem
Using configuration from /etc/pki/tls/openssl.cnf
Revoking Certificate 0F.
Data Base Updated
[root@centos8 ~]#cat /etc/pki/CA/index.txt
R   211007031505Z   191107044516Z   0F  unknown /C=CN/ST=beijing/O=magedu/OU=R&D/CN=www.magedu.net/emailAddress=15675455220@163.com

After revoking, generate a CRL so relying parties learn about it (the R in index.txt marks the entry revoked; the third column is the revocation time). The CRL needs its starting number in crlnumber; the first attempt below is made without it to show the error.
Note: the transcript writes the CRL to /etc/pki/CA/cacert.pem, which overwrites the CA certificate made earlier. Write it to a separate file such as /etc/pki/CA/crl/ca.crl instead and publish that file.

[root@centos8 ~]#openssl ca -gencrl -out /etc/pki/CA/cacert.pem
Using configuration from /etc/pki/tls/openssl.cnf
/etc/pki/CA/crlnumber: No such file or directory
error while loading CRL number
140646393997120:error:02001002:system library:fopen:No such file or directory:crypto/bio/bss_file.c:72:fopen('/etc/pki/CA/crlnumber','r')
140646393997120:error:2006D080:BIO routines:BIO_new_file:no such file:crypto/bio/bss_file.c:79:
[root@centos8 ~]#echo 00 > /etc/pki/CA/crlnumber
[root@centos8 ~]#openssl ca -gencrl -out /etc/pki/CA/cacert.pem
Using configuration from /etc/pki/tls/openssl.cnf
[root@centos8 CA]#openssl crl -in cacert.pem -noout -text
Certificate Revocation List (CRL):
        Version 2 (0x1)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = CN, ST = beijing, L = beijing, O = magedu, OU = it, CN = cakai.magedu.net, emailAddress = 15675455220@163.com
        Last Update: Nov  7 04:50:23 2019 GMT
        Next Update: Dec  7 04:50:23 2019 GMT
        CRL extensions:
            X509v3 CRL Number:
                0
Revoked Certificates:
    Serial Number: 0F
        Revocation Date: Nov  7 04:45:16 2019 GMT
    Signature Algorithm: sha256WithRSAEncryption
         90:44:6a:2d:a8:b9:42:f2:76:65:eb:ef:e1:89:46:cd:9c:2b:de:ef:c7:80:ea:6a:24:a3:58:ad:ce:21:c4:bf:20:fe:ea:ac:d6:03:e5:da:44:68:9e:92:8d:a5:38:f3:3b:ff:af:47:26:a0:22:ca:d4:01:be:ff:3a:b2:2d:64:8c:c0:d4:8f:26:8c:1b:68:af:62:87:fc:53:a6:60:7e:0a:a9:82:0c:c1:58:16:77:1e:a6:35:4b:66:70:94:ba:4c:69:b2:69:cc:50:1e:c1:d8:8c:e9:dc:7f:6b:12:79:fd:75:75:4d:31:5c:77:f6:b5:df:d2:af:3e:bd:c1:9b
This shows the CRL contents; like the certificate it can be downloaded (sz) and renamed .crl to open on Windows. Next Update is 30 days out (default_crl_days): the CRL has to be regenerated and republished before then, or clients that check it report it as expired.

Lao Wang's CA notes (summary)

mkdir /etc/pki/CA/{certs,crl,newcerts,private} -pv
cd /etc/pki/CA
(umask 077; openssl genrsa -out private/cakey.pem 2048)
openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3650     # fill in: country, state/province, city, company, department, server domain name, e-mail
touch index.txt
echo 00 > serial
echo 00 > crlnumber     # needed for revocation

Certificate request
(umask 077; openssl genrsa -out /data/app.key 2048)     # kept in the application's own directory
openssl req -new -key /data/app.key -out /data/app.csr     # fill in: country, state/province, city, company, department, server domain name, e-mail

Issuing the certificate
openssl ca -in /data/app.csr -out /etc/pki/CA/certs/app.crt -days 100
Country, state/province and organisation must match the CA's (policy_match)
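The whole CA procedure above (directory bootstrap, CA key and certificate, CSR, signing, verification, revocation and CRL) as an added, self-contained shell example that is not part of the original notes. It assumes the openssl command-line tool (1.1.x or 3.x) is installed; it writes its own minimal openssl.cnf into a temporary directory instead of using /etc/pki/CA and /etc/pki/tls/openssl.cnf, so it runs on any distribution and leaves the system CA alone. The directory, DN values, host names and serial numbers are made up for the demo.

```shell
#!/bin/sh
# Added example, not the original notes' code: the CA workflow end to end in a
# temporary directory with its own minimal openssl.cnf. Assumes the openssl CLI
# (1.1.x or 3.x); directory, DN values and host names are made up.

# Files "openssl ca" insists on (the ones the notes found missing one by one):
# index.txt = database, serial = next serial (hex), crlnumber = next CRL number.
# unique_subject = no lets a subject be re-issued (renewal) without an error.
init_ca_dir() {   # init_ca_dir CA_DIR
    mkdir -p "$1/certs" "$1/crl" "$1/newcerts" "$1/private"
    chmod 700 "$1/private"
    : > "$1/index.txt"
    echo 'unique_subject = no' > "$1/index.txt.attr"
    echo 0F > "$1/serial"          # first certificate gets 0F, the next 10
    echo 00 > "$1/crlnumber"
    write_ca_cnf "$1"
}

# Minimal CA config. [ CA_default ] is what the CentOS file pins to /etc/pki/CA
# (hence "must be called cakey.pem / cacert.pem"). policy_match mirrors the
# default policy: C, ST and O of a request must equal the CA's own.
write_ca_cnf() {   # write_ca_cnf CA_DIR
    cat > "$1/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir              = $1
certs            = \$dir/certs
crl_dir          = \$dir/crl
database         = \$dir/index.txt
new_certs_dir    = \$dir/newcerts
certificate      = \$dir/cacert.pem
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
crl              = \$dir/crl/ca.crl
private_key      = \$dir/private/cakey.pem
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = policy_match
x509_extensions  = usr_cert
[ policy_match ]
countryName            = match
stateOrProvinceName    = match
organizationName       = match
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional
[ usr_cert ]
basicConstraints       = CA:FALSE
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer
[ v3_ca ]
basicConstraints       = critical,CA:TRUE
keyUsage               = critical,keyCertSign,cRLSign
subjectKeyIdentifier   = hash
[ req ]
distinguished_name     = req_dn
[ req_dn ]
EOF
}

# Sign, verify, revoke, publish the CRL, verify again with CRL checking.
# Prints "ok" on success, "skipped" when openssl is not installed.
ca_demo() {
    command -v openssl >/dev/null 2>&1 || { echo skipped; return 0; }
    ca=$(mktemp -d) || return 1
    init_ca_dir "$ca"; cnf=$ca/openssl.cnf
    # CA key (2048 bits, not the 1024 above; umask keeps it 0600) + self-signed cert
    (umask 077; openssl genrsa -out "$ca/private/cakey.pem" 2048 2>/dev/null)
    openssl req -new -x509 -config "$cnf" -extensions v3_ca -days 3650 \
        -key "$ca/private/cakey.pem" -out "$ca/cacert.pem" \
        -subj '/C=CN/ST=beijing/L=beijing/O=magedu/OU=it/CN=ca.example.test'
    # Applicant key + CSR; no validity period, the CA decides that at signing
    (umask 077; openssl genrsa -out "$ca/app.key" 2048 2>/dev/null)
    openssl req -new -config "$cnf" -key "$ca/app.key" -out "$ca/app.csr" \
        -subj '/C=CN/ST=beijing/O=magedu/OU=R&D/CN=www.example.test'
    # -batch answers the two y/n prompts; serial 0F -> newcerts/0F.pem
    openssl ca -config "$cnf" -batch -days 700 -in "$ca/app.csr" \
        -out "$ca/certs/app.crt" 2>/dev/null
    openssl verify -CAfile "$ca/cacert.pem" "$ca/certs/app.crt" >/dev/null 2>&1 \
        || { echo verify-failed; return 0; }
    # Revoke, then publish the CRL to crl/ca.crl (never on top of cacert.pem)
    openssl ca -config "$cnf" -revoke "$ca/newcerts/0F.pem" 2>/dev/null
    openssl ca -config "$cnf" -gencrl -out "$ca/crl/ca.crl" 2>/dev/null
    # With CRL checking on, the same certificate must now be rejected
    if openssl verify -crl_check -CAfile "$ca/cacert.pem" -CRLfile "$ca/crl/ca.crl" \
           "$ca/certs/app.crt" >/dev/null 2>&1; then
        echo revocation-missed; return 0
    fi
    if grep -q '^R' "$ca/index.txt" &&
       openssl crl -in "$ca/crl/ca.crl" -noout -text | grep -q 'Serial Number: 0F'; then
        r=ok; else r=crl-mismatch; fi
    rm -rf "$ca"; echo "$r"
}
```

ca_demo prints ok (or skipped when openssl is absent). The policy_match section is the distribution default, so a CSR whose C, ST or O differ from the CA's is rejected; point policy at a section where those fields are optional to issue for other organisations. The CRL goes to crl/ca.crl: writing it over cacert.pem, as the transcript above does, destroys the CA certificate.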

Key-based SSH login

centos8 holds the key pair and logs in to centos6 and centos7 with key authentication.

First generate a key pair:

[root@centos8 ~]#ssh-keygen

rsa is the default; another algorithm can be chosen with -t:

[root@centos8 ~]#ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/root/.ssh/id_dsa):

DSA keys are limited to 1024 bits and have been disabled by default in OpenSSH since 7.0; today ed25519 is the usual choice. Here the default rsa is used.
ssh-keygen -p adds a passphrase to an existing private key; the passphrase is then required every time the key is used.

[root@centos8 ~]#cd .ssh/
[root@centos8 .ssh]#ll
total 0
[root@centos8 ~]#ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):   #passphrase protecting the private key; Enter here leaves it empty
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:X5strBXyzMCbFnDZbU/qcSjTREbK/b+ZqWeZDQfWPMo root@centos8
The key's randomart image is:
+---[RSA 2048]----+
|             .+  |
|           + *   |
|        . o + =o.|
|         +   +oBo|
|        S = *.*.=|
|         . % E.oo|
|          = X oo=|
|         . o . =*|
|          .  .+= |
+----[SHA256]-----+
[root@centos8 ~]#ll .ssh/     #the generated key pair
total 8
-rw------- 1 root root 1823 Nov  7 17:41 id_rsa
-rw-r--r-- 1 root root  394 Nov  7 17:41 id_rsa.pub
The private key is created mode 600; ssh refuses to use it if anyone else can read it.

Next, copy the public key to each host you will log in to, into /root/.ssh/authorized_keys there.
ssh-copy-id appends it to that file (creating the directory and file if needed) and only ever sends the public key: given the private key path by mistake, it uses the matching .pub file.

[root@centos8 ~]#ssh-copy-id -i /root/.ssh/id_rsa.pub root@192.168.39.100
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"
The authenticity of host '192.168.39.100 (192.168.39.100)' can't be established.
ECDSA key fingerprint is SHA256:R+9CsnYLEXDvGpX/n78dCH/1p+m9or3SAfMDQ8YetrU.
Are you sure you want to continue connecting (yes/no)? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@192.168.39.100's password:
Number of key(s) added: 1

Now try logging into the machine, with:   "ssh 'root@192.168.39.100'"
and check to make sure that only the key(s) you wanted were added.

sshd takes care of the rest:

[root@centos8 ~]#ssh 192.168.39.100
Last login: Thu Nov  7 18:30:45 2019 from 192.168.39.1
[root@centos7 ~]#
Login to centos7 now works without a password.

scp transfers and editing files after logging in are now just as convenient.

[root@centos8 ~]#ssh-copy-id root@192.168.39.101
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"
The authenticity of host '192.168.39.101 (192.168.39.101)' can't be established.
RSA key fingerprint is SHA256:eW09nANmhy6Dt11/tP9NYkq7+tU1VZYd3X9J24b8iQk.
Are you sure you want to continue connecting (yes/no)? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@192.168.39.101's password:
Number of key(s) added: 1

Now try logging into the machine, with:   "ssh 'root@192.168.39.101'"
and check to make sure that only the key(s) you wanted were added.
[root@centos8 ~]#ssh 192.168.39.101
Last login: Thu Nov  7 17:59:00 2019 from 192.168.39.1
[root@kaivi6 ~]#cd .ssh/
[root@kaivi6 .ssh]#ls
authorized_keys  known_hosts

The key pair generated earlier is reused, so nothing new is generated for centos6; only the public key is transferred.
The -i option was left out above: ssh-copy-id then picks the default public key, and authorized_keys appears under /root/.ssh on centos6.

Security risk: centos8 has become the single point of entry for the other hosts, like a bastion host, so its root password and its private key must not leak. A passphrase on the private key limits the damage if the file is copied.

If centos7 obtains centos8's private key, centos7 can also log in to centos6 without a password:

[root@centos8 ~]#scp .ssh/id_rsa 192.168.39.100:/root/.ssh/
id_rsa                                                           100% 1823     1.6MB/s   00:00
[root@centos7 ~]#cd .ssh/
[root@centos7 .ssh]#ls
authorized_keys  id_rsa  known_hosts
[root@centos7 ~]#ssh 192.168.39.101
Last login: Thu Nov  7 18:16:43 2019 from 192.168.39.100
[root@kaivi6 ~]#
Move the private key away, and connecting to centos6 asks for a password again:
[root@centos7 .ssh]#ls
authorized_keys  id_rsa  known_hosts
[root@centos7 .ssh]#mv id_rsa /data/
[root@centos7 .ssh]#ls
authorized_keys  known_hosts
[root@centos7 .ssh]#ssh 192.168.39.101
root@192.168.39.101's password:

So the private key must be protected above all.

Key-based authentication among several hosts

Here centos6, centos7 and centos8 authenticate to each other.
The approach taken: set up key authentication on one host and let every host share that one key pair (see the caveat at the end of this section).

Generate the key pair on centos8, then install it on centos8 itself:

[root@centos8 ~]#ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
/root/.ssh/id_rsa already exists.
Overwrite (y/n)? y
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
[root@centos8 ~]#cd .ssh/
[root@centos8 .ssh]#ls
id_rsa  id_rsa.pub
[root@centos8 .ssh]#ssh-copy-id 127.0.0.1       #install on the local host
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"
The authenticity of host '127.0.0.1 (127.0.0.1)' can't be established.
ECDSA key fingerprint is SHA256:Ig11XThtroxUhSlTRH90FtsTe+cPa5AV75Telofrs0c.
Are you sure you want to continue connecting (yes/no)? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@127.0.0.1's password:
Number of key(s) added: 1
Now try logging into the machine, with:   "ssh '127.0.0.1'"
and check to make sure that only the key(s) you wanted were added.
[root@centos8 .ssh]#ls
authorized_keys  id_rsa  id_rsa.pub  known_hosts

Copy the whole .ssh directory to the other hosts.
scp -rp: -r copies recursively, -p preserves modes and timestamps (the 600 on id_rsa has to survive the copy)

[root@centos8 .ssh]#cd
[root@centos8 ~]#scp -rp .ssh/ 192.168.39.100:/root
The authenticity of host '192.168.39.100 (192.168.39.100)' can't be established.
ECDSA key fingerprint is SHA256:R+9CsnYLEXDvGpX/n78dCH/1p+m9or3SAfMDQ8YetrU.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.39.100' (ECDSA) to the list of known hosts.
root@192.168.39.100's password:
id_rsa                                                                                 100% 1823     2.0MB/s   00:00
id_rsa.pub                                                                             100%  394   517.1KB/s   00:00
known_hosts                                                                            100%  347   714.5KB/s   00:00
authorized_keys                                                                        100%  394     1.0MB/s   00:00
[root@centos8 ~]#scp -rp .ssh/ 192.168.39.101:/root
The authenticity of host '192.168.39.101 (192.168.39.101)' can't be established.
RSA key fingerprint is SHA256:eW09nANmhy6Dt11/tP9NYkq7+tU1VZYd3X9J24b8iQk.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.39.101' (RSA) to the list of known hosts.
root@192.168.39.101's password:
id_rsa                                                                                 100% 1823     1.9MB/s   00:00
id_rsa.pub                                                                             100%  394   525.1KB/s   00:00
known_hosts                                                                            100%  743     1.0MB/s   00:00
authorized_keys

Every host can now log in to every other host by key.
All of them share one private key, so the compromise of any single host compromises all of them, and the copy also spread centos8's known_hosts to every host. For anything beyond a lab, give each host its own key pair, install only public keys with ssh-copy-id, and protect private keys with a passphrase.
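The manual version of what ssh-copy-id does on the target, plus the permission checks that make key login fail silently when an scp -rp or a sloppy umask gets them wrong, as an added shell example that is not part of the original notes. It also shows how a key can be restricted while it is installed (from= and the no-*-forwarding options in authorized_keys), which is the usual answer to the stolen-private-key problem demonstrated above. It uses only POSIX sh and stat(1); the key line, paths and addresses are made up.

```shell
#!/bin/sh
# Added example, not the original notes' code. Pure POSIX sh plus stat(1);
# the public-key line, paths and addresses are constructed for the demo.

# Append one public key to authorized_keys exactly once, creating ~/.ssh
# (0700) and the file (0600) as needed. A key is identified by type + blob,
# not by its trailing comment. OPTIONS, if given, is prepended to the line
# (e.g. from="192.168.39.8",no-port-forwarding): a copy of the private key
# stolen from another host is then useless from anywhere else.
install_pubkey() {   # install_pubkey PUBKEY_FILE AUTHORIZED_KEYS [OPTIONS]
    pub=$1; ak=$2; opts=${3:-}
    sshdir=$(dirname "$ak")
    mkdir -p "$sshdir" && chmod 700 "$sshdir"
    [ -f "$ak" ] || : > "$ak"
    chmod 600 "$ak"
    keyid=$(awk 'NF >= 2 { print $1, $2; exit }' "$pub")
    if grep -qF -- "$keyid" "$ak"; then
        echo present; return 0
    fi
    line=$(head -n 1 "$pub")
    if [ -n "$opts" ]; then line="$opts $line"; fi
    printf '%s\n' "$line" >> "$ak"
    echo added
}

# Octal mode of a path (GNU stat first, BSD stat as fallback).
mode_of() { stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"; }

# sshd (StrictModes, the default) ignores authorized_keys when it or ~/.ssh
# is group/world-writable; ssh refuses a private key readable by anyone but
# its owner. Print "ok" or the first offending path.
check_ssh_perms() {   # check_ssh_perms SSH_DIR
    d=$1
    [ $(( 0$(mode_of "$d") & 022 )) -eq 0 ] || { echo "$d"; return 0; }
    if [ -f "$d/authorized_keys" ] && [ $(( 0$(mode_of "$d/authorized_keys") & 022 )) -ne 0 ]; then
        echo "$d/authorized_keys"; return 0
    fi
    for f in "$d"/id_*; do
        [ -f "$f" ] || continue
        case $f in *.pub) continue ;; esac
        [ $(( 0$(mode_of "$f") & 077 )) -eq 0 ] || { echo "$f"; return 0; }
    done
    echo ok
}

# Walk-through on a throwaway home directory; prints one line summarising
# each step: "added present 1 1 ok authorized_keys".
ssh_demo() {
    home=$(mktemp -d)
    # constructed public-key line; the base64 blob is not a real key
    echo 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDEMOblobNOTaREALkeyXXXXXXXXXXXXXXXXXXXX root@centos8' \
        > "$home/id_ed25519.pub"
    ak=$home/.ssh/authorized_keys
    r1=$(install_pubkey "$home/id_ed25519.pub" "$ak" \
         'from="192.168.39.8",no-port-forwarding,no-agent-forwarding,no-X11-forwarding')
    r2=$(install_pubkey "$home/id_ed25519.pub" "$ak")   # second run: no duplicate line
    n=$(( $(wc -l < "$ak") ))
    o=$(grep -c '^from="192.168.39.8"' "$ak" || true)
    p1=$(check_ssh_perms "$home/.ssh")
    chmod 664 "$ak"                 # what a careless scp -rp or umask leaves behind
    p2=$(check_ssh_perms "$home/.ssh")
    rm -rf "$home"
    echo "$r1 $r2 $n $o $p1 $(basename "$p2")"
}
```

ssh_demo prints added present 1 1 ok authorized_keys: the second install is a no-op, the restriction prefix is in place, and after chmod 664 the checker names the file sshd will ignore. An authorized_keys line that starts with from="192.168.39.8" accepts that key only from centos8, so the copy of id_rsa that centos7 obtained in the transcript above would no longer log in to centos6.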
