1. Create a private CA and process a certificate request.

1.1 Create the CA directories and files

[22:05:51 root@centos8 data]#mkdir -pv /etc/pki/CA/{certs,crl,newcerts,private}
mkdir: created directory '/etc/pki/CA'
mkdir: created directory '/etc/pki/CA/certs'
mkdir: created directory '/etc/pki/CA/crl'
mkdir: created directory '/etc/pki/CA/newcerts'
mkdir: created directory '/etc/pki/CA/private'
[22:06:09 root@centos8 data]#tree /etc/pki/CA
/etc/pki/CA
├── certs
├── crl
├── newcerts
└── private
4 directories, 0 files
vim /etc/pki/tls/openssl.cnf
[ CA_default ]
dir             = /etc/pki/CA           # Where everything is kept
certs           = $dir/certs            # Where the issued certs are kept
crl_dir         = $dir/crl              # Where the issued crl are kept
database        = $dir/index.txt        # database index file.
#unique_subject = no                    # Set to 'no' to allow creation of
                                        # several certs with same subject.
new_certs_dir   = $dir/newcerts         # default place for new certs.
certificate     = $dir/cacert.pem       # The CA certificate
serial          = $dir/serial           # The current serial number
crlnumber       = $dir/crlnumber        # the current crl number
                                        # must be commented out to leave a V1 CRL
crl             = $dir/crl.pem          # The current CRL
private_key     = $dir/private/cakey.pem # The private key
Following the definitions in the configuration file, create the index.txt and serial files:
[22:09:05 root@centos8 CA]#touch /etc/pki/CA/index.txt
[22:09:30 root@centos8 CA]#echo 01 > /etc/pki/CA/serial

1.2 Create the CA private key

[22:14:10 root@centos8 CA]#(umask 066; openssl genrsa -out private/cakey.pem 2048)
[22:14:10 root@centos8 CA]#tree
.
├── certs
├── crl
├── index.txt
├── newcerts
├── private
│   └── cakey.pem
└── serial
4 directories, 3 files
[22:14:17 root@centos8 CA]#cat private/cakey.pem
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----
[22:14:40 root@centos8 CA]#ll private/cakey.pem
-rw-------. 1 root root 1675 Dec 13 22:14 private/cakey.pem

1.3 Issue the CA a self-signed certificate

[22:17:19 root@centos8 CA]#openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 3650 -out /etc/pki/CA/cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:shandong
Locality Name (eg, city) [Default City]:jn
Organization Name (eg, company) [Default Company Ltd]:magedu
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:ca.magedu.org
Email Address []:
[22:17:44 root@centos8 CA]#
[22:17:45 root@centos8 CA]#
[22:17:45 root@centos8 CA]#tree
.
├── cacert.pem
├── certs
├── crl
├── index.txt
├── newcerts
├── private
│   └── cakey.pem
└── serial
4 directories, 4 files
[22:21:02 root@centos8 CA]#cat cacert.pem
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
[22:21:11 root@centos8 CA]#openssl x509 -in /etc/pki/CA/cacert.pem -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            4e:34:73:46:cc:a8:f4:8a:26:b3:a7:71:d0:97:d3:b4:e4:8a:2c:49
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = cn, ST = shandong, L = jn, O = magedu, CN = ca.magedu.org
        Validity
            Not Before: Dec 13 14:55:45 2021 GMT
            Not After : Dec 11 14:55:45 2031 GMT
        Subject: C = cn, ST = shandong, L = jn, O = magedu, CN = ca.magedu.org
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:d7:a0:49:e1:f9:a0:a9:45:0a:25:32:72:43:dd:bb:8f:ea:7e:20:42:7e:a1:05:cd:2c:21:df:fb:f4:19:b4:73:f9:b0:f0:85:5f:e2:96:8c:ae:29:eb:6d:49:bf:d8:44:67:a1:94:69:1c:5f:98:1e:76:b4:b9:97:a5:b9:bd:95:8b:2c:3d:73:dd:31:ae:02:ed:f6:92:4f:d9:90:8c:f9:fb:ae:22:85:14:82:99:aa:23:78:b8:92:5d:08:14:86:fa:b5:12:07:fc:37:2c:40:06:94:78:13:01:0c:35:67:2e:0c:69:90:29:13:c3:a4:a3:53:d2:ce:a1:b5:0a:e1:8c:9f:50:48:98:85:a3:cb:59:31:09:c9:16:59:3c:07:a4:fa:7b:7d:bd:1a:8b:b1:09:9d:a8:84:83:28:dc:03:75:0a:59:1f:73:7b:b4:21:af:86:48:f6:35:e8:ff:ef:14:45:01:eb:df:92:7e:82:cd:58:09:21:27:20:ec:84:40:40:ac:66:4e:26:20:5a:53:42:0a:81:80:38:79:53:64:11:64:3b:ae:16:f9:b1:d8:4b:fb:0c:e2:7c:9a:5b:f9:35:19:e2:60:4e:46:d5:19:3d:48:b7:0f:d2:9b:b2:66:a5:a7:64:a7:eb:e8:e8:2a:3d:dd:be:b4:89:83:33
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                91:40:37:B9:5F:6D:C9:58:2E:22:4A:A3:F0:0D:05:F8:3F:36:5D:6B
            X509v3 Authority Key Identifier:
                keyid:91:40:37:B9:5F:6D:C9:58:2E:22:4A:A3:F0:0D:05:F8:3F:36:5D:6B
            X509v3 Basic Constraints: critical
                CA:TRUE
    Signature Algorithm: sha256WithRSAEncryption
         b7:bc:60:0b:7d:2a:fe:30:13:fd:c8:37:db:1f:00:70:ad:d4:b5:00:1b:b0:47:ff:77:97:2c:be:2d:9a:34:09:24:b6:83:df:97:56:82:e4:26:13:bd:58:ac:3c:41:cb:4e:db:33:46:ec:ee:1c:15:53:bc:8f:4b:e4:c2:07:a5:9c:dd:9f:10:35:5a:2f:b4:71:88:b4:d3:db:c4:99:b1:e1:8d:63:84:d2:b4:66:1a:90:69:8b:c2:90:5c:86:49:2d:4f:66:57:21:2e:95:fe:47:23:f4:92:43:61:4f:6c:1f:08:21:bb:21:e7:c5:1e:25:42:91:48:be:eb:9f:60:51:a2:30:44:3a:8b:ea:15:59:b5:9f:1c:e4:5f:cf:73:59:8f:e1:b7:0f:79:2c:28:38:ac:bf:8e:bb:2a:22:0e:19:a0:ae:f3:c0:7b:71:e8:63:06:d9:e2:49:63:e0:a9:f5:c3:09:e5:da:f7:95:3e:e7:96:ba:b5:90:51:98:5e:35:27:9b:1b:6b:86:d3:a9:1c:b1:d5:dd:0f:6e:35:fc:16:11:21:f6:b8:8a:e1:19:7f:00:0b:87:14:b0:f5:ad:80:c7:ef:3d:04:c8:ef:50:1a:a7:dc:fe:99:07:04:90:24:fe:60:d9:b0:e5:ff:e6:5f:9f:c8:f1:1f:ce:7c:82

1.4 The user generates a private key and a certificate signing request

[22:24:38 root@centos8 CA]#mkdir /data/app1
[22:25:41 root@centos8 data]#(umask 066;openssl genrsa -out /data/app1/app1.key 2048)
Generating RSA private key, 2048 bit long modulus (2 primes)
...............................................................................................................................+++++
.................................+++++
e is 65537 (0x010001)
[22:25:52 root@centos8 data]#cat /data/app1/app1.key
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----
[22:57:07 root@centos8 app1]#openssl req -new -key /data/app1/app1.key -out /data/app1/app1.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:shandong
Locality Name (eg, city) [Default City]:jn
Organization Name (eg, company) [Default Company Ltd]:magedu
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:app1.magedu.org
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

1.5 The CA issues the certificate

[23:35:00 root@centos8 app1]#openssl ca -in /data/app1/app1.csr -out /etc/pki/CA/certs/app1.crt -days 1000
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Dec 13 15:35:30 2021 GMT
            Not After : Sep  8 15:35:30 2024 GMT
        Subject:
            countryName               = cn
            stateOrProvinceName       = shandong
            organizationName          = magedu
            commonName                = app1.magedu.org
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                0D:AD:83:06:DE:DE:39:F9:ED:C8:43:0D:6A:44:25:C1:6E:CB:A4:AF
            X509v3 Authority Key Identifier:
                keyid:91:40:37:B9:5F:6D:C9:58:2E:22:4A:A3:F0:0D:05:F8:3F:36:5D:6B

Certificate is to be certified until Sep  8 15:35:30 2024 GMT (1000 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

1.6 View the certificate

[23:58:21 root@centos8 app1]#tree /etc/pki/CA
/etc/pki/CA
├── cacert.pem
├── certs
│   └── app1.crt
├── crl
├── index.txt
├── index.txt.attr
├── index.txt.old
├── newcerts
│   └── 01.pem
├── private
│   └── cakey.pem
├── serial
└── serial.old
4 directories, 9 files
[23:59:13 root@centos8 app1]#openssl ca -status 01
Using configuration from /etc/pki/tls/openssl.cnf
01=Valid (V)
[23:59:37 root@centos8 app1]#cat /etc/pki/CA/index.txt
V   240908153530Z       01  unknown /C=cn/ST=shandong/O=magedu/CN=app1.magedu.org
[00:00:05 root@centos8 app1]#cat /etc/pki/CA/serial.old
01
[00:00:27 root@centos8 app1]#cat /etc/pki/CA/serial
02
[00:01:38 root@centos8 app1]#cp /etc/pki/CA/certs/app1.crt /data/app1/
[00:01:55 root@centos8 app1]#ls /data/app1/
app1.crt  app1.csr  app1.key

1.7 Trust the certificate
CA certificate




1.8 Revoke a certificate

[11:33:39 root@centos8 app1]#openssl ca -status 01
Using configuration from /etc/pki/tls/openssl.cnf
01=Valid (V)
[11:33:53 root@centos8 app1]#openssl ca -revoke /etc/pki/CA/newcerts/01.pem
Using configuration from /etc/pki/tls/openssl.cnf
Revoking Certificate 01.
Data Base Updated
[11:34:22 root@centos8 app1]#openssl ca -status 01
Using configuration from /etc/pki/tls/openssl.cnf
01=Revoked (R)
[11:34:25 root@centos8 app1]#cat /etc/pki/CA/index.txt
R   240908153530Z   211214033422Z   01  unknown /C=cn/ST=shandong/O=magedu/CN=app1.magedu.org

1.9 Generate the certificate revocation list (CRL) file

[11:37:42 root@centos8 app1]#openssl ca -gencrl -out /etc/pki/CA/crl.pem
Using configuration from /etc/pki/tls/openssl.cnf
/etc/pki/CA/crlnumber: No such file or directory
error while loading CRL number
140616407349056:error:02001002:system library:fopen:No such file or directory:crypto/bio/bss_file.c:69:fopen('/etc/pki/CA/crlnumber','r')
140616407349056:error:2006D080:BIO routines:BIO_new_file:no such file:crypto/bio/bss_file.c:76:
[11:38:10 root@centos8 app1]#echo 01 > /etc/pki/CA/crlnumber
[11:38:45 root@centos8 app1]#openssl ca -gencrl -out /etc/pki/CA/crl.pem
Using configuration from /etc/pki/tls/openssl.cnf
[11:38:48 root@centos8 app1]#
[11:38:49 root@centos8 app1]#cat /etc/pki/CA/crlnumber
02
[11:39:04 root@centos8 app1]#cat /etc/pki/CA/crl.pem
-----BEGIN X509 CRL-----
-----END X509 CRL-----
[11:40:28 root@centos8 app1]#
[11:40:29 root@centos8 app1]#openssl crl -in /etc/pki/CA/crl.pem -noout -text
Certificate Revocation List (CRL):
        Version 2 (0x1)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = cn, ST = shandong, L = jn, O = magedu, CN = ca.magedu.org
        Last Update: Dec 14 03:38:48 2021 GMT
        Next Update: Jan 13 03:38:48 2022 GMT
        CRL extensions:
            X509v3 CRL Number:
                1
Revoked Certificates:
    Serial Number: 01
        Revocation Date: Dec 14 03:34:22 2021 GMT
    Signature Algorithm: sha256WithRSAEncryption
         72:43:f6:68:36:0f:1a:52:21:e3:f1:1a:f6:d4:ef:08:d4:db:8a:51:bf:21:97:e8:bf:a0:c1:32:40:30:0e:27:24:64:85:08:46:df:68:c4:c0:0a:21:32:30:33:1b:4d:ed:18:15:3e:0f:eb:dc:64:ed:35:ce:85:58:ef:fa:2e:f1:9a:71:8a:29:7f:0b:73:83:50:46:14:c0:d4:a4:cd:80:e1:32:3a:38:5e:38:29:76:d5:91:75:3d:f2:eb:de:9f:73:c3:bd:3d:2c:ae:70:a3:9d:a0:1e:b1:8f:c0:f1:ff:72:e9:76:87:71:17:83:08:24:52:cf:a7:ab:cb:a1:26:c1:22:97:5d:b5:e7:41:18:67:7f:d8:f1:14:7b:d5:dd:51:93:27:42:02:f7:02:6d:0f:af:03:c0:58:34:a9:dc:fc:90:95:cb:36:e4:c4:29:31:fa:5b:f5:8f:dd:24:06:d1:84:c0:34:d8:b2:18:48:56:e4:cc:69:f9:92:28:12:59:44:41:19:be:a9:ab:be:d8:6a:2c:98:8c:25:ce:8a:bc:be:60:50:5f:5e:90:7e:40:92:d8:7d:1e:ec:2d:36:40:d9:b3:d5:6c:09:22:1e:31:f3:69:7c:d3:bf:4c:4f:9d:5a:15:93:93:20:f2:34:88:2a:fa:fd:dd:70:e7
[11:40:57 root@centos8 app1]#sz /etc/pki/CA/crl.pem
Then rename the downloaded file so that it carries the .crl extension (crl.pem.crl).
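As an added end-to-end check of the workflow in sections 1.1 to 1.9 (this script is not part of the original post), the following runs the same steps non-interactively in a temporary directory and then uses "openssl verify" to show that app1's certificate is accepted before revocation and rejected once the CRL is consulted. All paths, the minimal openssl.cnf and the DNs are constructed for the demo.

```shell
#!/bin/sh
# Added demo, not from the original post: the section-1 workflow run non-interactively
# in a temp dir, then "openssl verify" shows app1's certificate is accepted before
# revocation and rejected once the CRL from 1.9 is consulted. Names are constructed.
set -eu

ca_lifecycle_demo() {
    work=$(mktemp -d); CA="$work/CA"; cfg="$work/openssl.cnf"
    mkdir -p "$CA/certs" "$CA/crl" "$CA/newcerts" "$CA/private"
    # index.txt, serial and crlnumber; the post only created crlnumber after -gencrl failed
    touch "$CA/index.txt"; echo 01 > "$CA/serial"; echo 01 > "$CA/crlnumber"
    # Minimal config: the [CA_default] keys from openssl.cnf plus a DN policy,
    # a CA:FALSE extension for issued certs and a [req] section so -subj can be used
    cat > "$cfg" <<EOF
[ ca ]
default_ca       = CA_default
[ CA_default ]
dir              = $CA
database         = \$dir/index.txt
new_certs_dir    = \$dir/newcerts
certificate      = \$dir/cacert.pem
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
private_key      = \$dir/private/cakey.pem
default_md       = sha256
default_days     = 1000
default_crl_days = 30
policy           = policy_any
x509_extensions  = usr_cert
[ policy_any ]
countryName = optional
stateOrProvinceName = optional
organizationName = optional
commonName = supplied
[ usr_cert ]
basicConstraints = CA:FALSE
[ req ]
distinguished_name = req_dn
prompt = no
[ req_dn ]
CN = placeholder
EOF
    # 1.2 + 1.3: CA key (umask 066 as in the post) and self-signed CA certificate
    (umask 066; openssl genrsa -out "$CA/private/cakey.pem" 2048 2>/dev/null)
    openssl req -config "$cfg" -new -x509 -key "$CA/private/cakey.pem" -days 3650 \
        -subj "/C=cn/ST=shandong/L=jn/O=magedu/CN=ca.magedu.org" -out "$CA/cacert.pem"
    # 1.4 + 1.5: app1's key and CSR, signed by the CA in -batch mode (no y/n prompts)
    openssl genrsa -out "$work/app1.key" 2048 2>/dev/null
    openssl req -config "$cfg" -new -key "$work/app1.key" -out "$work/app1.csr" \
        -subj "/C=cn/ST=shandong/O=magedu/CN=app1.magedu.org"
    openssl ca -config "$cfg" -batch -notext -in "$work/app1.csr" \
        -out "$CA/certs/app1.crt" >/dev/null 2>&1
    # 1.6: the fresh certificate must chain to cacert.pem (last output line "...: OK")
    before=$(openssl verify -CAfile "$CA/cacert.pem" "$CA/certs/app1.crt" 2>&1 | tail -n 1)
    # 1.8 + 1.9: revoke serial 01 (newcerts/01.pem), regenerate the CRL, re-verify with it
    openssl ca -config "$cfg" -revoke "$CA/newcerts/01.pem" >/dev/null 2>&1
    openssl ca -config "$cfg" -gencrl -out "$CA/crl.pem" 2>/dev/null
    if openssl verify -crl_check -CAfile "$CA/cacert.pem" -CRLfile "$CA/crl.pem" \
            "$CA/certs/app1.crt" >/dev/null 2>&1; then after=accepted; else after=rejected; fi
    rm -rf "$work"
    echo "before-revocation:${before##*: } after-revocation:$after"
}

ca_lifecycle_demo   # prints: before-revocation:OK after-revocation:rejected
```

A client that checks only the CA certificate (the first verify) keeps accepting a revoked certificate; the CRL has to be distributed and checked, which is what the -crl_check run shows.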



2. Summary of common ssh parameters and usage

ssh: Secure Shell protocol, 22/tcp, secure remote login with encrypted communication, replacing the traditional telnet protocol
Concrete software implementations:
OpenSSH: open-source implementation of the ssh protocol, installed by default on CentOS
dropbear: another open-source implementation of the ssh protocol

How the public key exchange works

(1) The client initiates a connection request
(2) The server returns its own public key together with a session ID (at this step the client obtains the server's public key)
(3) The client generates a key pair
(4) The client XORs its own public key with the session ID to compute a value Res, and encrypts it with the server's public key
(5) The client sends the encrypted value to the server; the server decrypts it with its private key and obtains Res
(6) The server XORs the decrypted value Res with the session ID to recover the client's public key (at this step the server obtains the client's public key)
(7) Finally: each side holds three keys, its own public/private key pair and the peer's public key, and all subsequent communication is encrypted

How ssh encrypted communication works

Syntax:

ssh [user@]host [COMMAND]
ssh [-l user] host [COMMAND]
-p port      #port the remote server listens on
-b           #specify the source IP of the connection
-v           #debug mode
-C           #enable compression
-X           #enable X11 forwarding
-t           #force pseudo-tty allocation, e.g.: ssh -t remoteserver1 ssh -t remoteserver2 ssh remoteserver3
-o option    e.g.: -o StrictHostKeyChecking=no
-i <file>    #specify the private key file for key-based authentication; by default the files ~/.ssh/id_dsa,
             ~/.ssh/id_ecdsa, ~/.ssh/id_ed25519, ~/.ssh/id_rsa, etc. are tried

Examples:

[14:21:26 root@centos8 ~]#ssh -t 192.168.234.100 ssh 192.168.234.101
Warning: Permanently added '192.168.234.100' (ECDSA) to the list of known hosts.
root@192.168.234.100's password:
root@192.168.234.101's password:
Last login: Tue Dec 14 14:19:10 2021 from 192.168.234.1
[14:22:41 root@test02 ~]#
[14:22:50 root@centos8 ~]#ssh 192.168.234.101 "touch 1.txt"
Warning: Permanently added '192.168.234.101' (ECDSA) to the list of known hosts.
root@192.168.234.101's password:
[14:23:53 root@centos8 ~]#echo "hostname -I " > test.sh
[14:24:45 root@centos8 ~]#
[14:24:46 root@centos8 ~]#
[14:24:46 root@centos8 ~]#ssh 192.168.234.101 /bin/bash < test.sh
root@192.168.234.101's password:
192.168.234.101

Common authentication methods for ssh logins: user/password, and key-based

(1) The client sends an ssh request, and the server sends its public key to the user
(2) The user encrypts the password with the public key received from the server
(3) The encrypted data is sent back to the server, which decrypts it with its private key; if the password is correct, the user is logged in

1. First generate a key pair on the client (ssh-keygen)
2. Copy the client's public key to the server with ssh-copy-id
3. When the client sends another connection request, it includes its IP and user name
4. On receiving the request, the server looks in authorized_keys; if a matching IP and user are found, it generates a random string, for example: magedu
5. The server encrypts it with the public key copied over from the client and sends it to the client
6. On receiving the server's message, the client decrypts it with its private key and sends the decrypted string back to the server
7. The server compares the string it receives from the client with the original; if they match, passwordless login is allowed

[14:40:21 root@centos8 ~]#ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:JF0ZWL+f1MvxklBIIccVieIkbra6NajTXWycnSM2Xps root@centos8
The key's randomart image is:
+---[RSA 3072]----+
|         o=+++oo |
|       .o.+=o..  |
|      ..o+ .o .  |
|       o+ .  o . |
|       oS+ oo....|
|       .. X =+.o+|
|     ..oo= + +=o.|
|    ..o.... E  . |
|    ....         |
+----[SHA256]-----+
[14:40:51 root@centos8 ~]#ls .ssh/
authorized_keys  id_rsa  id_rsa.pub  known_hosts
[14:40:55 root@centos8 ~]#ssh-copy-id root@192.168.234.100
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@192.168.234.100's password:
Number of key(s) added: 1
Now try logging into the machine, with:   "ssh 'root@192.168.234.100'"
and check to make sure that only the key(s) you wanted were added.
[14:39:57 root@test01 ~]#ls .ssh/
authorized_keys  known_hosts
[14:42:15 root@test01 ~]#

Enable the ssh agent so that the private key passphrase does not have to be entered every time.

[14:45:56 root@centos8 ~]#ssh root@192.168.234.100
Enter passphrase for key '/root/.ssh/id_rsa':
root@192.168.234.100's password:
[14:46:02 root@centos8 ~]#ssh-agent bash
[14:46:21 root@centos8 ~]#ps -ef | grep ssh-agent
root        4566    4565  0 14:46 ?        00:00:00 ssh-agent bash
root        4598    4565  0 14:46 pts/0    00:00:00 grep --color=auto ssh-agent
[14:46:31 root@centos8 ~]#ssh-add
Enter passphrase for /root/.ssh/id_rsa:
Identity added: /root/.ssh/id_rsa (root@centos8)
[14:46:47 root@centos8 ~]#ssh root@192.168.234.100
Last login: Wed Dec 15 14:45:26 2021 from 192.168.234.129
/etc/motd
welcome!
happy every day!
[14:47:34 root@test01 ~]#logout
Connection to 192.168.234.100 closed.
[14:47:46 root@centos8 ~]#

3. Summary of common sshd service parameters.
Server side: sshd
Server-side configuration file: /etc/ssh/sshd_config
Help for the server-side configuration file: man 5 sshd_config

Port  22      #recommended to change in production
ListenAddress ip
LoginGraceTime 2m
PermitRootLogin yes #Ubuntu does not allow remote ssh login as root by default
StrictModes yes   #check the owner, permissions, etc. of the files under .ssh/
MaxAuthTries   6    #maximum number of authentication attempts
MaxSessions  10         #maximum number of sessions per connection
PubkeyAuthentication yes     #key-based authentication
PermitEmptyPasswords no      #allow connections with an empty password
PasswordAuthentication yes   #user name and password authentication
GatewayPorts no
ClientAliveInterval 10 #unit: seconds
ClientAliveCountMax 3 #default 3
UseDNS yes #set to no to speed up logins
GSSAPIAuthentication yes #set to no to speed up logins
MaxStartups    #maximum number of unauthenticated connections, default 10
Banner /path/file

Best practices for the ssh service

Use a non-default port
Disable protocol version 1
Restrict which users may log in
Set an idle session timeout
Use the firewall to enforce an ssh access policy
Listen only on specific IP addresses
When using password authentication, enforce a strong password policy, for example: tr -dc A-Za-z0-9_ < /dev/urandom | head -c 12 | xargs
Use key-based authentication
Disallow empty passwords
Disallow direct root login
Limit the ssh access rate and the number of concurrent sessions
Review the logs regularly
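As an added example (not part of the original post), the script below turns the parameter table and the best-practice list above into an audit of an sshd_config file. It honours sshd's first-occurrence rule and stops at Match blocks; the two sample configs it checks are constructed for the demo.

```shell
#!/bin/sh
# Added audit script, not from the original post: checks an sshd_config against the
# best-practice list above. The two sample configs below are constructed for the demo.
set -eu

# Effective value of a keyword. sshd honours the FIRST occurrence of most keywords and
# ignores later ones; lines after a "Match" block are conditional, so parsing stops there.
sshd_effective() {   # $1 = config file, $2 = keyword (case-insensitive)
    awk -v key="$(echo "$2" | tr A-Z a-z)" '
        $1 ~ /^#/ || NF < 2 { next }
        tolower($1) == "match" { exit }
        tolower($1) == key { print $2; exit }' "$1"
}

# Prints one FINDING line per deviation; nothing printed means the file passed.
audit_sshd_config() {   # $1 = config file
    f="$1"
    want() {   # $1 keyword, $2 expected value, $3 value sshd assumes when the keyword is absent
        v=$(sshd_effective "$f" "$1"); v=${v:-$3}
        [ "$(echo "$v" | tr A-Z a-z)" = "$2" ] || echo "FINDING: $1 is '$v', expected '$2'"
    }
    port=$(sshd_effective "$f" Port); port=${port:-22}
    [ "$port" != 22 ] || echo "FINDING: Port is 22, use a non-default port"
    case "$(sshd_effective "$f" Protocol)" in
        *1*) echo "FINDING: Protocol still allows version 1" ;;
    esac
    la=$(sshd_effective "$f" ListenAddress); la=${la:-0.0.0.0}
    case "$la" in
        0.0.0.0|::|"[::]") echo "FINDING: ListenAddress is '$la', listen on a specific IP" ;;
    esac
    want PermitRootLogin no yes          # the table above lists yes as the default
    want PasswordAuthentication no yes   # key-based authentication instead of passwords
    want PubkeyAuthentication yes yes
    want PermitEmptyPasswords no no
    idle=$(sshd_effective "$f" ClientAliveInterval); idle=${idle:-0}
    [ "$idle" -gt 0 ] || echo "FINDING: ClientAliveInterval is 0, idle sessions never time out"
}

# Constructed sample with the weak settings from the table above. The
# PasswordAuthentication line inside Match applies only to that user, not globally.
weak_sample_config() {
    cat <<'EOF'
#Port 22
ListenAddress 0.0.0.0
PermitRootLogin yes
PasswordAuthentication yes
ClientAliveInterval 0
Match User backup
    PasswordAuthentication no
EOF
}

# Constructed sample applying the best-practice list
hardened_sample_config() {
    cat <<'EOF'
Port 2222
ListenAddress 192.168.234.100
PermitRootLogin no
PasswordAuthentication no
ClientAliveInterval 10
EOF
}

dir=$(mktemp -d)
weak_sample_config > "$dir/weak"; hardened_sample_config > "$dir/hardened"
echo "== weak: 5 findings expected =="; audit_sshd_config "$dir/weak"
echo "== hardened: no findings expected =="; audit_sshd_config "$dir/hardened"
rm -rf "$dir"
```

On a real host, run it against /etc/ssh/sshd_config and compare with "sshd -T", which prints the effective values after all includes and Match processing.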

4. Set up a DHCP service to hand out IP addresses on request

1. The DHCP client broadcasts a DHCP Discover message.
2. Every DHCP server receives the client's DHCP Discover, and each responds by sending a DHCP Offer to the client.
The "Your (Client) IP Address" field of the DHCP Offer holds the IP address the server can provide to the client, and the server puts its own IP address in the "option" field so the client can tell the servers apart. After sending this message the server keeps a record of the address it has offered.
3. The client can act on only one of the DHCP Offers; the usual rule is that it takes the first one received.
The client then broadcasts a DHCP Request whose options field carries the IP address of the chosen server and the IP address it wants.
4. On receiving the DHCP Request, each server checks whether the IP address in the options field matches its own. If not, the server does nothing except clear the corresponding allocation record; if it does, the server replies to the client with a DHCP ACK and adds the lease time for the address in the options field.
5. On receiving the DHCP ACK, the client checks whether the address the server assigned is usable. If it is, the client has successfully obtained an IP address and automatically starts the renewal process according to the lease; if the client finds that the assigned address is already in use, it sends a DHCP Decline to the server telling it to disable that address, and then starts a new address request.
6. After obtaining an IP address, the client may release it at any time by sending a DHCP Release; on receiving it, the server reclaims the address and can reassign it.
When 50% of the lease has elapsed, the client unicasts a DHCP Request to the server to renew the address. If the client receives a DHCP ACK from the server, the lease is extended by the corresponding time; if no DHCP ACK is received, the client keeps using the address.
When 87.5% of the lease has elapsed, the client broadcasts a DHCP Request to renew the address. If it receives a DHCP ACK, the lease is extended accordingly; if not, the client keeps using the address until the lease expires, at which point it sends a DHCP Release to the server to release the address and starts a new address request.

/etc/dhcp/dhcpd.conf
option domain-name "magedu.org";
option domain-name-servers 180.76.76.76, 223.6.6.6;
default-lease-time 600;
max-lease-time 7200;
log-facility local7;
subnet 192.168.234.0 netmask 255.255.255.0 {
    range 192.168.234.10  192.168.234.100;
    option routers 192.168.234.2;
}
#assign a fixed IP address based on the MAC address
host testclient {
    hardware ethernet 00:0c:29:33:b4:1a;
    fixed-address 192.168.234.12;
    default-lease-time 86400;
    max-lease-time 864000;
    option routers 192.168.234.2;
    option domain-name-servers 114.114.114.114,8.8.8.8 ;
    option domain-name "magedu.net";
}
