gpg对称的密钥加密
[root@centos8 data]#cd /data/
[root@centos8 data]#cp /etc/issue file
[root@centos8 data]#ls
file
[root@centos8 data]#cat file
\S
Kernel \r on an \m
[root@centos8 data]#gpg -c file
[root@centos8 data]#ls
file file.gpg
[root@centos8 data]#scp file.gpg 192.168.39.100:/data
root@192.168.39.100's password: #输入远程主机口令
file.gpg 100% 97 70.2KB/s 00:00
[root@centos7 data]#ls
file.gpg
[root@centos7 data]#gpg -o file -d file.gpg
gpg: AES encrypted data
gpg: encrypted with 1 passphrase
输入加密时设置的对称口令即可解开
[root@centos7 data]#cat file
\S
Kernel \r on an \m
[root@centos8 ~]#vim /etc/pki/tls/openssl.cnf
CA配置文件
gpg实现公钥加密
在centos7和centos8中实现公钥加密。在centos8上用centos7的公钥加密文件,在centos7上用私钥解开文件
1、在hostA主机上生成公钥/私钥对
gpg --gen-key 根据提示创建密钥对: 1.密钥类型 2.密钥长度 3.密钥有效期 4.密钥名(5个字符以上)
完成后会在/root/下创建.gnupg目录,主要使用pubring.gpg公钥和secring.gpg私钥。
#gpg --gen-key
[root@centos7 ~]#cd .gnupg/
[root@centos7 .gnupg]#ll
total 28
-rw-------. 1 root root 7680 Nov 6 09:29 gpg.conf
drwx------ 2 root root 6 Nov 7 21:55 private-keys-v1.d
-rw------- 1 root root 1165 Nov 7 21:55 pubring.gpg
-rw------- 1 root root 1165 Nov 7 21:55 pubring.gpg~
-rw------- 1 root root 600 Nov 7 21:55 random_seed
-rw------- 1 root root 2543 Nov 7 21:55 secring.gpg
srwxr-xr-x 1 root root 0 Nov 7 21:55 S.gpg-agent
-rw-------. 1 root root 1280 Nov 7 21:55 trustdb.gpg
2、在hostA主机上查看公钥gpg --list-keys
[root@centos7 data]#gpg --list-key
/root/.gnupg/pubring.gpg
------------------------
pub 2048R/B5D2CD0B 2019-11-07
uid likai
sub 2048R/A995B210 2019-11-07
3、在hostA主机上导出公钥起名dushan.pubkey gpg -a --export -o dushan.pubkey
[root@centos7 .gnupg]#gpg -a --export -o kaivi.pubkey
[root@centos7 .gnupg]#cat kaivi.pubkey
查看生成导出的公钥
4、从centos7(192.168.39.100)主机上复制公钥文件到需加密的centos8(192.168.39.102)主机上scp
[root@centos7 .gnupg]#scp kaivi.pubkey 192.168.39.102:/root/
The authenticity of host '192.168.39.102 (192.168.39.102)' can't be established.
ECDSA key fingerprint is SHA256:Ig11XThtroxUhSlTRH90FtsTe+cPa5AV75Telofrs0c.
ECDSA key fingerprint is MD5:fe:bb:f0:04:ee:b2:b1:d3:bc:ab:00:ca:9b:63:d6:bf.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.39.102' (ECDSA) to the list of known hosts.
root@192.168.39.102's password:
kaivi.pubkey 100% 1683 1.4MB/s 00:00
5、在需加密数据的centos8主机上生成公钥/私钥对,之后导入刚刚传输过来的公钥
[root@centos8 ~]#gpg --gen-key
[root@centos8 .gnupg]#gpg --import /root/kaivi.pubkey
[root@centos8 .gnupg]#gpg --list-key
/root/.gnupg/pubring.kbx
------------------------
pub rsa2048 2019-11-07 [SC] [expires: 2021-11-06]
128806C063C463F7842D8D7F64209B38DE03940F
uid [ultimate] laowang centos8自己生成的公钥
sub rsa2048 2019-11-07 [E] [expires: 2021-11-06]
pub rsa2048 2019-11-07 [SC]
D4CE2E41C5E4E7803F3CAD2C653D58ABB5D2CD0B
uid [ unknown] likai 导入centos7 中的公钥
sub rsa2048 2019-11-07 [E]
7、用从centos7主机导入的公钥,加密centos8主机的文件 (使用likai的公钥生成file.txt.gpg;
-e表示加密, -r指定用谁的公钥)。下面出现 "There is no assurance this key belongs to the named user" 是因为导入的公钥尚未被信任,实际使用前应先与对方核对公钥指纹(Primary key fingerprint)再回答 y。
[root@centos8 .gnupg]#echo duanxin > file.txt
[root@centos8 .gnupg]#gpg -e -r likai file.txt
gpg: CE9072A8A995B210: There is no assurance this key belongs to the named user
sub rsa2048/CE9072A8A995B210 2019-11-07 likai
Primary key fingerprint: D4CE 2E41 C5E4 E780 3F3C AD2C 653D 58AB B5D2 CD0B
Subkey fingerprint: 6D31 F4CA 7B1A DB6F 1854 B8C9 CE90 72A8 A995 B210
It is NOT certain that the key belongs to the person named
in the user ID. If you *really* know what you are doing,
you may answer the next question with yes.
Use this key anyway? (y/N) y
[root@centos8 .gnupg]#ll
total 24
-rw-r--r-- 1 root root 8 Nov 7 21:59 file.txt
-rw-r--r-- 1 root root 348 Nov 7 22:05 file.txt.gpg
drwx------ 2 root root 58 Nov 7 21:58 openpgp-revocs.d
drwx------ 2 root root 110 Nov 7 21:58 private-keys-v1.d
-rw-r--r-- 1 root root 2784 Nov 7 21:58 pubring.kbx
-rw-r--r-- 1 root root 1437 Nov 7 21:58 pubring.kbx~
-rw------- 1 root root 600 Nov 7 22:05 random_seed
-rw------- 1 root root 1280 Nov 7 21:59 trustdb.gpg
8、centos8主机把文件传到centos7上
[root@centos8 .gnupg]#scp file.txt.gpg 192.168.39.100:/data
The authenticity of host '192.168.39.100 (192.168.39.100)' can't be established.
ECDSA key fingerprint is SHA256:R+9CsnYLEXDvGpX/n78dCH/1p+m9or3SAfMDQ8YetrU.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.39.100' (ECDSA) to the list of known hosts.
root@192.168.39.100's password:
Permission denied, please try again.
root@192.168.39.100's password:
file.txt.gpg 100% 348 80.7KB/s 00:00
9、centos7直接用自己已经有的私钥进行直接解密即可
[root@centos7 ~]#cd /data/
[root@centos7 data]#ll
total 16
-rw-r--r-- 1 root root 348 Nov 7 22:05 file.txt.gpg
-rw-r--r-- 1 root root 11537 Nov 6 19:35 init.sh
[root@centos7 data]#gpg -o file.txt -d file.txt.gpg
You need a passphrase to unlock the secret key for
user: "likai"
2048-bit RSA key, ID A995B210, created 2019-11-07 (main key ID B5D2CD0B)
gpg: encrypted with 2048-bit RSA key, ID A995B210, created 2019-11-07
"likai"
[root@centos7 data]#ll
total 20
-rw-r--r-- 1 root root 8 Nov 7 22:06 file.txt
-rw-r--r-- 1 root root 348 Nov 7 22:05 file.txt.gpg
-rw-r--r-- 1 root root 11537 Nov 6 19:35 init.sh
[root@centos7 data]#cat file.txt
duanxin
删除公钥: 不要直接删除密钥环文件,要使用 gpg 命令删除(如公钥和私钥都有,先删除私钥,再删除公钥,否则不成功)
搭建CA自签名和颁发证书
根据CA的格式标准,先在centos8中创建一些基本的子目录文件夹。centos7上默认有了
[root@centos8 ~]#cd /etc/pki/CA/
[root@centos8 CA]#mkdir /etc/pki/CA/{certs,crl,newcerts,private} -pv
mkdir: created directory '/etc/pki/CA/certs'
mkdir: created directory '/etc/pki/CA/crl'
mkdir: created directory '/etc/pki/CA/newcerts'
mkdir: created directory '/etc/pki/CA/private'
[root@centos8 CA]#tree /etc/pki/CA
/etc/pki/CA
├── certs
├── crl
├── newcerts
└── private
4 directories, 0 files
生成自签名证书。第一步需要生成私钥。然后用私钥生成自签名证书
要求CA的私钥文件名必须放在文件夹/etc/pki/CA/private/cakey.pem
生成私钥的文件名字必须为cakey.pem
创建私钥
[root@centos8 CA]#openssl genrsa -out private/cakey.pem 1024
Generating RSA private key, 1024 bit long modulus (2 primes)
.............+++++
............+++++
e is 65537 (0x010001)
如果是centos8以下的版本,需要在前面加 umask 077 限制一下权限(使生成的私钥文件权限为600),也可以对私钥进行加密处理。后面的1024表示位数;1024位现在已经不够安全,实际使用建议2048位以上(后面的笔记里就用2048)。每次生成的私钥都不一样,忘记口令只能重新生成私钥。
生成私钥之后在用私钥生成一个自签名的证书
文件必须放在/etc/pki/CA/下
文件名必须叫做cacert.pem
需要填写一些相关的信息(DN)
[root@centos8 CA]#openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 3650 -out /etc/pki/CA/cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:beijing
Organization Name (eg, company) [Default Company Ltd]:magedu
Organizational Unit Name (eg, section) []:it
Common Name (eg, your name or your server's hostname) []:cakai.magedu
Email Address []:15675455220@163
[root@centos8 CA]#tree
.
├── cacert.pem 自签名证书
├── certs
├── crl
├── newcerts
└── private
└── cakey.pem 私钥
4 directories, 2 files
[root@centos8 CA]#openssl x509 -in cacert.pem -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
6f:19:d2:4f:fd:60:3e:57:33:45:50:d3:ba:ff:ba:45:e7:bb:27:b9
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = CN, ST = beijing, L = beijing, O = magedu, OU = it, CN = cakai.magedu, emailAddress = 15675455220@163
Validity
Not Before: Nov 7 02:36:35 2019 GMT
Not After : Nov 4 02:36:35 2029 GMT
Subject: C = CN, ST = beijing, L = beijing, O = magedu, OU = it, CN = cakai.magedu, emailAddress = 15675455220@163
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
用这个命令可以把证书里面的内容解释出来给我们看
[root@centos8 CA]#sz cacert.pem
上传到windows 然后改一下文件名后缀(.crt)就可以直接打开看
2.给别人颁发证书
需要索引数据库和编号
需要事先创建
先故意不创建这个文件
以centos8为颁发机构,centos7上面申请证书。到一个新的目录里面创建
这里以/data/为例
如何申请证书
先生成一个申请证书私钥
创建文件设置权限 umask 值为066 和077 都可以 创建文件的权限都是600
[root@centos7 ~]#cd /data/
[root@centos7 data]#ls
[root@centos7 data]#(umask 077;openssl genrsa -out app.key 1024)
Generating RSA private key, 1024 bit long modulus
.............++++++
...++++++
e is 65537 (0x10001)
[root@centos7 data]#cat app.key
-----BEGIN RSA PRIVATE KEY-----
MIICXgIBAAKBgQDFxFKaipyxgoXn8q4uLnAW0injZKE9OYfNiVp2UMCgQzMhPbmY
e0B8mILPg32ht+HY823E0nLRAUHBb36/YwerKgsH64yOFw/ueP9MQtOHMq6HEquW
K97mT9EvHexjnYOtcembInUtKxoBUxmyjgwY1MUI98C7SUy0A/sdCHgcnQIDAQAB
AoGAHWm0a12gLlpeNgAG3cF0VECPkE1AGc37n5sFBEHAVFWKPjBi8QWrspwwIFLL
FYk2osCZm8M85k7Mi8tcS3ScCBpuwJ+gI8xbra5gD1nIm8Zww3vSHitdE62ljtvK
CMG5j95DI9lkzW090uZmihSy5W6vo8PFYxVPfgNIGAdZ8dUCQQD/xycdO3ZtZVsa
WRz12iwQLdxTyryrQL+tdBW5OAqjdNwtSt720dSlYzSjTfbFP40ygk5CKPIRvXp0
UyUZVfm7AkEAxfBG3ByhkITHr+sVbyvmhObJChw74GXdcT4sMIvH5eeWyBmSNkjK
YLNoYHBzp+PkIT9hxFl9jpW63gAT5OQRhwJBAMcz8qmYov5GPvLBToXHOiQLo5n6
vn/duKq9SyHqnJZ7L/NyaT3vY96+6cL5uGQcv7oDtDFgtE7OtC0eiDk4NXsCQQC+
sKGDcm3QDatW9jJ7HJ8DEFdDzzl8EIbKjywBRNi6y2a+tavfcjbN/Gkk55D0gJ8J
zMcCY3iLggI513dS/slHAkEAjTwa0kr0u5I3mvK+nIJ8tZT0BlP72ZaHj+lXum3Q
1KJdGmQSy6BpLn0P9TduSrL+niVXEC5t5hzXHlEDUuiSgg==
-----END RSA PRIVATE KEY-----
然后根据生成的申请私钥文件来生成申请文件
有效期不用写,这个由颁发证书机构决定
[root@centos7 data]#openssl req -new -key app.key -out app.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:beijing
Organization Name (eg, company) [Default Company Ltd]:magedu
Organizational Unit Name (eg, section) []:R&D
Common Name (eg, your name or your server's hostname) []:www.magedu
Email Address []:15675455220@163
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@centos7 data]#ll
total 8
-rw-r--r-- 1 root root 704 Nov 7 11:01 app.csr
-rw------- 1 root root 891 Nov 7 10:54 app.key
[root@centos7 data]#cat app.csr
-----BEGIN CERTIFICATE REQUEST-----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-----END CERTIFICATE REQUEST-----
[root@centos7 data]#scp app.csr 192.168.39.8:/etc/pki/CA
The authenticity of host '192.168.39.8 (192.168.39.8)' can't be established.
ECDSA key fingerprint is SHA256:Ig11XThtroxUhSlTRH90FtsTe+cPa5AV75Telofrs0c.
ECDSA key fingerprint is MD5:fe:bb:f0:04:ee:b2:b1:d3:bc:ab:00:ca:9b:63:d6:bf.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.39.8' (ECDSA) to the list of known hosts.
root@192.168.39.8's password:
app.csr 100% 704 557.6KB/s 00:00
证书申请文件app.csr传到centos8中也就是认证机构。就可以进行验证
进行证书颁发
证书要放在certs下面
[root@centos8 CA]#openssl ca -in app.csr -out /etc/pki/CA/certs/app.crt -days 700
Using configuration from /etc/pki/tls/openssl.cnf
140076605519680:error:02001002:system library:fopen:No such file or directory:crypto/bio/bss_file.c:72:fopen('/etc/pki/CA/index.txt','r')
140076605519680:error:2006D080:BIO routines:BIO_new_file:no such file:crypto/bio/bss_file.c:79:
报错原因是因为我们在之前没有创建/etc/pki/CA/index.txt文件
所以我们需要建起来即可
[root@centos8 CA]#touch /etc/pki/CA/index.txt
[root@centos8 CA]#openssl ca -in app.csr -out /etc/pki/CA/certs/app.crt -days 700
Using configuration from /etc/pki/tls/openssl.cnf
Can't open /etc/pki/CA/index.txt.attr for reading, No such file or directory
139710576666432:error:02001002:system library:fopen:No such file or directory:crypto/bio/bss_file.c:72:fopen('/etc/pki/CA/index.txt.attr','r')
139710576666432:error:2006D080:BIO routines:BIO_new_file:no such file:crypto/bio/bss_file.c:79:
/etc/pki/CA/serial: No such file or directory
error while loading serial number
139710576666432:error:02001002:system library:fopen:No such file or directory:crypto/bio/bss_file.c:72:fopen('/etc/pki/CA/serial','r')
139710576666432:error:2006D080:BIO routines:BIO_new_file:no such file:crypto/bio/bss_file.c:79:
有报错,这次原因是因为少了文件/etc/pki/CA/serial
注意这个文件要求事先往里面写入起始的证书序列号(十六进制数字)
[root@centos8 CA]#echo 0F > /etc/pki/CA/serial
定义一个编号证书为0F 则下一个证书编号为 10
[root@centos8 CA]#openssl ca -in app.csr -out /etc/pki/CA/certs/app.crt -days 700
Using configuration from /etc/pki/tls/openssl.cnf
Can't open /etc/pki/CA/index.txt.attr for reading, No such file or directory
140518173529920:error:02001002:system library:fopen:No such file or directory:crypto/bio/bss_file.c:72:fopen('/etc/pki/CA/index.txt.attr','r')
140518173529920:error:2006D080:BIO routines:BIO_new_file:no such file:crypto/bio/bss_file.c:79:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 15 (0xf)
Validity
Not Before: Nov 7 03:15:05 2019 GMT
Not After : Oct 7 03:15:05 2021 GMT
Subject:
countryName = CN
stateOrProvinceName = beijing
organizationName = magedu
organizationalUnitName = R&D
commonName = www.magedu
emailAddress = 15675455220@163
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
40:14:63:FF:16:AA:17:0C:7A:BD:3B:D7:F3:03:FE:A5:F4:5B:69:5E
X509v3 Authority Key Identifier:
keyid:99:D6:B0:67:C9:BC:06:8B:67:83:23:B0:71:7D:68:40:DF:01:BD:9B
Certificate is to be certified until Oct 7 03:15:05 2021 GMT (700 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
.old 文件后缀表示备份文件
[root@centos8 CA]#cat index.txt
V 211007031505Z 0F unknown /C=CN/ST=beijing/O=magedu/OU=R&D/CN=www.magedu/emailAddress=15675455220@163
查看给谁颁发的证书
[root@centos8 CA]#openssl x509 -in certs/app.crt -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 15 (0xf)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = CN, ST = beijing, L = beijing, O = magedu, OU = it, CN = cakai.magedu, emailAddress = 15675455220@163
Validity
Not Before: Nov 7 03:15:05 2019 GMT
Not After : Oct 7 03:15:05 2021 GMT
Subject: C = CN, ST = beijing, O = magedu, OU = R&D, CN = www.magedu, emailAddress = 15675455220@163
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (1024 bit)
查看证书
如果不同的地域之间冲突可以修改验证机构的颁发证书策略即可
[root@centos8 CA]#vim /etc/pki/tls/openssl.cnf
同一个主体(subject)默认不能重复颁发证书
可以修改文件
vim /etc/pki/CA/index.txt.attr 把 unique_subject = yes 改为 no 即可
吊销证书
也需要吊销列表的编号文件/etc/pki/CA/crlnumber
[root@centos8 ~]#cat /etc/pki/CA/index.txt
V 211007031505Z 0F unknown /C=CN/ST=beijing/O=magedu/OU=R&D/CN=www.magedu/emailAddress=15675455220@163
[root@centos8 ~]#openssl ca -revoke /etc/pki/CA/newcerts/0F.pem
Using configuration from /etc/pki/tls/openssl.cnf
Revoking Certificate 0F.
Data Base Updated
[root@centos8 ~]#cat /etc/pki/CA/index.txt
R 211007031505Z 191107044516Z 0F unknown /C=CN/ST=beijing/O=magedu/OU=R&D/CN=www.magedu/emailAddress=15675455220@163
吊销之后需要生成一个吊销列表(CRL),让别人也知道
先要生成吊销编号文件,指定编号从多少开始
这里先故意不创建试试。注意:下面的命令把吊销列表写到了 /etc/pki/CA/cacert.pem,这会覆盖前面生成的CA自签名证书;实际使用时应输出到 crl 目录下的单独文件。
[root@centos8 ~]#openssl ca -gencrl -out /etc/pki/CA/cacert.pem
Using configuration from /etc/pki/tls/openssl.cnf
/etc/pki/CA/crlnumber: No such file or directory
error while loading CRL number
140646393997120:error:02001002:system library:fopen:No such file or directory:crypto/bio/bss_file.c:72:fopen('/etc/pki/CA/crlnumber','r')
140646393997120:error:2006D080:BIO routines:BIO_new_file:no such file:crypto/bio/bss_file.c:79:
[root@centos8 ~]#echo 00 > /etc/pki/CA/crlnumber
[root@centos8 ~]#openssl ca -gencrl -out /etc/pki/CA/cacert.pem
Using configuration from /etc/pki/tls/openssl.cnf
[root@centos8 CA]#openssl crl -in cacert.pem -noout -text
Certificate Revocation List (CRL):
Version 2 (0x1)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = CN, ST = beijing, L = beijing, O = magedu, OU = it, CN = cakai.magedu, emailAddress = 15675455220@163
Last Update: Nov 7 04:50:23 2019 GMT
Next Update: Dec 7 04:50:23 2019 GMT
CRL extensions:
X509v3 CRL Number:
0
Revoked Certificates:
Serial Number: 0F
Revocation Date: Nov 7 04:45:16 2019 GMT
Signature Algorithm: sha256WithRSAEncryption
90:44:6a:2d:a8:b9:42:f2:76:65:eb:ef:e1:89:46:cd:9c:2b:
de:ef:c7:80:ea:6a:24:a3:58:ad:ce:21:c4:bf:20:fe:ea:ac:
d6:03:e5:da:44:68:9e:92:8d:a5:38:f3:3b:ff:af:47:26:a0:
22:ca:d4:01:be:ff:3a:b2:2d:64:8c:c0:d4:8f:26:8c:1b:68:
af:62:87:fc:53:a6:60:7e:0a:a9:82:0c:c1:58:16:77:1e:a6:
35:4b:66:70:94:ba:4c:69:b2:69:cc:50:1e:c1:d8:8c:e9:dc:
7f:6b:12:79:fd:75:75:4d:31:5c:77:f6:b5:df:d2:af:3e:bd:
c1:9b
查看吊销证书的内容
也可以sz 到本机 改后缀.crl
老王创建CA笔记
mkdir /etc/pki/CA/{certs,crl,newcerts,private} -pv
cd /etc/pki/CA
(umask 077;openssl genrsa -out private/cakey.pem 2048)
openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3650 填写:国家,省份,城市,公司,部门,服务器域名,邮箱
touch index.txt
echo 00 > serial
echo 00 > crlnumber 吊销列表编号文件
(umask 077;openssl genrsa -out /data/app.key 2048) 放在应用所在的目录下
openssl req -new -key /data/app.key -out /data/app.csr 填写:国家,省份,城市,公司,部门,服务器域名,邮箱
颁发证书
openssl ca -in /data/app.csr -out /etc/pki/CA/certs/app.crt -days 100
国家,省份,公司必须与CA一致(默认颁发策略的要求)
基于KEY的远程登入
用centos8作为服务端
centos6 和centos7连接基于key验证
首先需要生成一对公钥私钥对
[root@centos8 ~]#ssh-keygen
默认用rsa算法 当然也可以指定其他的算法
[root@centos8 ~]#ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/root/.ssh/id_dsa):
这里我们选用默认的rsa算法(dsa已被认为不安全,新版OpenSSH默认不再接受)
ssh-keygen -p 对私钥加口令 调用私钥的时候需要口令
[root@centos8 ~]#cd .ssh/
[root@centos8 .ssh]#ll
total 0
[root@centos8 ~]#ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase): #输入保护公钥私钥对的密码 这里直接回车 表示 口令为空
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:X5strBXyzMCbFnDZbU/qcSjTREbK/b+ZqWeZDQfWPMo root@centos8
The key's randomart image is:
+---[RSA 2048]----+
| .+ |
| + * |
| . o + =o.|
| + +oBo|
| S = *.*.=|
| . % E.oo|
| = X oo=|
| . o . =*|
| . .+= |
+----[SHA256]-----+
[root@centos8 ~]#ll .ssh/ #查看生成的公钥私钥对
total 8
-rw------- 1 root root 1823 Nov 7 17:41 id_rsa
-rw-r--r-- 1 root root 394 Nov 7 17:41 id_rsa.pub
私钥为了安全 默认设置了600权限
接下来需要将公钥传给未来你要连接的主机,追加到对方的/root/.ssh/authorized_keys中
ssh-copy-id 这个命令会在目标主机上自动生成authorized_keys文件,而且它只会传输公钥;即使不小心指定了私钥文件,它也会自动改用对应的公钥(.pub)
[root@centos8 ~]#ssh-copy-id -i /root/.ssh/id_rsa.pub root@192.168.39.100
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"
The authenticity of host '192.168.39.100 (192.168.39.100)' can't be established.
ECDSA key fingerprint is SHA256:R+9CsnYLEXDvGpX/n78dCH/1p+m9or3SAfMDQ8YetrU.
Are you sure you want to continue connecting (yes/no)? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@192.168.39.100's password:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh 'root@192.168.39.100'"
and check to make sure that only the key(s) you wanted were added.
后面的事情就是系统自己完成
[root@centos8 ~]#ssh 192.168.39.100
Last login: Thu Nov 7 18:30:45 2019 from 192.168.39.1
[root@centos7 ~]#
发现现在不用输入密码直接登入到了centos7的主机
后面的传输文件scp 或者登入后直接修改文件就很方便了
[root@centos8 ~]#ssh-copy-id root@192.168.39.101
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"
The authenticity of host '192.168.39.101 (192.168.39.101)' can't be established.
RSA key fingerprint is SHA256:eW09nANmhy6Dt11/tP9NYkq7+tU1VZYd3X9J24b8iQk.
Are you sure you want to continue connecting (yes/no)? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@192.168.39.101's password:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh 'root@192.168.39.101'"
and check to make sure that only the key(s) you wanted were added.
[root@centos8 ~]#ssh 192.168.39.101
Last login: Thu Nov 7 17:59:00 2019 from 192.168.39.1
[root@kaivi6 ~]#
[root@kaivi6 ~]#cd .ssh/
[root@kaivi6 .ssh]#ls
authorized_keys known_hosts
由于在前面已经生成一对公钥私钥对,所以连接centos6客户端的时候不用再次生成,直接把公钥传输到centos6中即可
上述命令中省略了公钥,但是系统会自动寻找公钥,并且在centos6上的/root/.ssh文件夹下会生成authorized_keys文本文件
安全风险:centos8相当于堡垒机,它的登录口令和私钥都不可以泄露
可以考虑对私钥加口令
如果centos8上的私钥被centos7偷走,那么centos7也可以不输入密码,直接通过key验证登入centos6
[root@centos8 ~]#scp .ssh/id_rsa 192.168.39.100:/root/.ssh/
id_rsa 100% 1823 1.6MB/s 00:00
[root@centos7 ~]#cd .ssh/
[root@centos7 .ssh]#ls
authorized_keys id_rsa known_hosts
[root@centos7 ~]#ssh 192.168.39.101
Last login: Thu Nov 7 18:16:43 2019 from 192.168.39.100
[root@kaivi6 ~]#
把私钥移除,看到再次连接centos6的时候需要输入口令
[root@centos7 .ssh]#ls
authorized_keys id_rsa known_hosts
[root@centos7 .ssh]#mv id_rsa /data/
[root@centos7 .ssh]#ls
authorized_keys known_hosts
[root@centos7 .ssh]#ssh 192.168.39.101
root@192.168.39.101's password:
所以私钥千万得保护好。
实现多台机器相互之间的key验证
在这里使用centos6 centos7 centos8 相互之间实现key验证
思路:在一台机器实现key验证,大家共用一个公钥私钥
在8上生成公钥私钥对,然后拷贝到本机
[root@centos8 ~]#ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
/root/.ssh/id_rsa already exists.
Overwrite (y/n)? y
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
[root@centos8 ~]#cd .ssh/
[root@centos8 .ssh]#ls
id_rsa id_rsa.pub
[root@centos8 .ssh]#ssh-copy-id 127.0.0.1 #拷贝到本机
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"
The authenticity of host '127.0.0.1 (127.0.0.1)' can't be established.
ECDSA key fingerprint is SHA256:Ig11XThtroxUhSlTRH90FtsTe+cPa5AV75Telofrs0c.
Are you sure you want to continue connecting (yes/no)? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@127.0.0.1's password:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh '127.0.0.1'"
and check to make sure that only the key(s) you wanted were added.
[root@centos8 .ssh]#ls
authorized_keys id_rsa id_rsa.pub known_hosts
拷贝到其他主机
scp -rp -r:表示递归拷贝 -p 表示保存权限
[root@centos8 .ssh]#cd
[root@centos8 ~]#scp -rp .ssh/ 192.168.39.100:/root
The authenticity of host '192.168.39.100 (192.168.39.100)' can't be established.
ECDSA key fingerprint is SHA256:R+9CsnYLEXDvGpX/n78dCH/1p+m9or3SAfMDQ8YetrU.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.39.100' (ECDSA) to the list of known hosts.
root@192.168.39.100's password:
id_rsa 100% 1823 2.0MB/s 00:00
id_rsa.pub 100% 394 517.1KB/s 00:00
known_hosts 100% 347 714.5KB/s 00:00
authorized_keys 100% 394 1.0MB/s 00:00
[root@centos8 ~]#scp -rp .ssh/ 192.168.39.101:/root
The authenticity of host '192.168.39.101 (192.168.39.101)' can't be established.
RSA key fingerprint is SHA256:eW09nANmhy6Dt11/tP9NYkq7+tU1VZYd3X9J24b8iQk.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.39.101' (RSA) to the list of known hosts.
root@192.168.39.101's password:
id_rsa 100% 1823 1.9MB/s 00:00
id_rsa.pub 100% 394 525.1KB/s 00:00
known_hosts 100% 743 1.0MB/s 00:00
authorized_keys
即相互之间实现了基于key的验证
大家共用一个私钥,所以要注意私钥的安全:任何一台主机失陷,攻击者就能用这把私钥登录其余所有主机