1 Production case: cutting off a DoS source. From the web access log or the network connection table, watch each client IP; when its concurrent connection count, or its page views (PV) within a short window, reaches 100, call the firewall to block that IP. Run the check every 5 minutes. Firewall command: iptables -A INPUT -s IP -j REJECT

[root@centos8 ~]# cat deny_dos2.sh
#!/bin/bash
# Count current TCP connections per peer address (ss -nt: numeric, TCP, non-listening sockets)
# and block every peer with 100 or more. NR > 1 skips the header line; only the trailing :port
# is stripped, so IPv6 peers such as [::1]:22 are not split on their inner colons.
ss -nt | awk 'NR > 1 {
        peer = $5
        sub(/:[0-9]+$/, "", peer)        # strip the port only
        gsub(/\[|\]/, "", peer)          # [::1] -> ::1
        sub(/^::ffff:/, "", peer)        # IPv4-mapped peers on dual-stack sockets are IPv4
        count[peer]++
}
END {
        for (i in count) {
                if (count[i] >= 100) {
                        # ip6tables for IPv6 peers; -C adds the rule only if it is not already
                        # there (the job runs every 5 minutes); -I puts it ahead of any
                        # "ACCEPT ESTABLISHED" rule so existing connections are cut as well
                        fw = (i ~ /:/) ? "ip6tables" : "iptables"
                        rule = " INPUT -s " i " -j REJECT"
                        system(fw " -C" rule " 2>/dev/null || " fw " -I" rule)
                }
        }
}'
[root@centos8 ~]# chmod +x deny_dos2.sh
[root@centos8 ~]# crontab -e
[root@centos8 ~]# crontab -l
*/5 * * * * /root/deny_dos2.sh
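The task also allows counting page views from the web access log instead of from ss. The script below is an added example, not the page's deny_dos2.sh: it counts requests per client IP in an access log, prints the IPs at or above a threshold, and adds one REJECT rule per IP without duplicating rules across cron runs. The log lines are constructed for the demo. It counts the whole file it is given, so for a 5-minute window feed it only the lines written since the last run; behind a reverse proxy the first field is the proxy address and the client IP would have to be taken from the X-Forwarded-For field instead.

```shell
#!/bin/sh
# Added example (not the page's script): the "web log" variant of the same job.
# Counts requests per client IP in an access log and blocks every IP at or above a
# threshold. Log layout is the common Apache/Nginx format: client IP is the first field.

# $1 = access log, $2 = threshold. Prints the offending IPs, one per line, sorted.
offenders() {
    awk -v limit="$2" '
        $1 ~ /^[0-9a-fA-F.:]+$/ { hits[$1]++ }          # IPv4 or IPv6 literal in field 1
        END { for (ip in hits) if (hits[ip] >= limit) print ip }' "$1" | LC_ALL=C sort
}

# $1 = IP. One REJECT rule per IP: -C tests whether the identical rule already exists, so a
# job running every 5 minutes does not append duplicates; -I inserts at the top so the rule
# takes effect ahead of any "ACCEPT ESTABLISHED" rule. With DRY_RUN set, print the command.
block_ip() {
    case $1 in *:*) fw=ip6tables ;; *) fw=iptables ;; esac
    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s -I INPUT -s %s -j REJECT\n' "$fw" "$1"
        return 0
    fi
    "$fw" -C INPUT -s "$1" -j REJECT 2>/dev/null || "$fw" -I INPUT -s "$1" -j REJECT
}

# Constructed sample log written to $1: 120 hits from 10.0.0.5, 3 from 192.0.2.7, 1 from an IPv6 client.
make_sample_log() {
    : > "$1"
    i=0
    while [ $i -lt 120 ]; do
        echo '10.0.0.5 - - [22/Apr/2021:21:14:05 +0800] "GET / HTTP/1.1" 200 612 "-" "curl/7.61.1"' >> "$1"
        i=$((i + 1))
    done
    i=0
    while [ $i -lt 3 ]; do
        echo '192.0.2.7 - - [22/Apr/2021:21:14:06 +0800] "GET /index.html HTTP/1.1" 200 612 "-" "Mozilla/5.0"' >> "$1"
        i=$((i + 1))
    done
    echo '2001:db8::10 - - [22/Apr/2021:21:14:07 +0800] "GET /favicon.ico HTTP/1.1" 404 196 "-" "Mozilla/5.0"' >> "$1"
}

# $1 = access log, $2 = threshold. Cron entry for production use (hypothetical path):
# */5 * * * * /root/deny_dos_weblog.sh /var/log/nginx/access.log 100
main() {
    for ip in $(offenders "$1" "$2"); do
        block_ip "$ip"
    done
}

if [ $# -eq 0 ]; then                 # no arguments: demo on a constructed log, dry run
    DRY_RUN=1
    demo_log=$(mktemp)
    make_sample_log "$demo_log"
    main "$demo_log" 100              # prints: iptables -I INPUT -s 10.0.0.5 -j REJECT
    rm -f "$demo_log"
else
    main "$@"
fi
```

Run without arguments it only prints the rule it would add; with a log path and a threshold it calls iptables/ip6tables for real (root required). REJECT answers the attacker with an ICMP/RST reply, which is itself traffic; DROP is the usual choice under volumetric load.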

2 Describe the key exchange process

# RSA key exchange, RSA digital signature
1. The visitor sends the protocol version, a client random (Client random) and the cipher suites it supports.
2. The server confirms the cipher suite both sides will use and sends its own random (Server random).
3. The server sends its digital certificate to the visitor.
4. The visitor checks that the certificate is valid (validity period, name, and revocation status via the CA's CRL or OCSP) and verifies the CA's signature on it with the trusted CA's public key. The certificate is not encrypted; the CA's public key only lets the client confirm that the CA issued it. Having obtained the server's public key from the verified certificate, the visitor generates a 48-byte pre-master secret (2 bytes of protocol version followed by 46 random bytes), encrypts it with the server's public key and sends it to the server.
5. The server decrypts the pre-master secret with its own private key.
6. Both sides now hold the client random, the server random and the pre-master secret. Each feeds these three values into the agreed PRF to derive the master secret, and from the master secret the key block: the symmetric session keys and IVs that protect the rest of the conversation.
7. Each side sends a Finished message protected with the new keys; once both have verified them, the SSL/TLS handshake is complete. From then on all data is protected only with the symmetric session keys (which are derived from the master secret, not the master secret itself); no further public-key operations are needed.

Notes:
1. The SSL/TLS handshake uses three random values: client random, server random and the pre-master secret.
2. From start to finish there is exactly one public-key encryption: the client encrypts the pre-master secret under the server public key taken from the certificate. The client also verifies the CA's signature on the certificate; the server itself signs nothing in an RSA key exchange, which is what distinguishes it from (EC)DHE.
3. The handshake above is one-way authentication: only the server is authenticated. If the client must be authenticated too, the server requests a client certificate and the client proves possession of its private key with a signature (CertificateVerify).
4. When the server sends its certificate, the decisive step is that the visitor actually validates it: check its status and consult the CA's revocation list (or OCSP) to confirm it has not been revoked. Only a valid certificate makes the first step secure; a client that skips the check will hand its pre-master secret to anyone presenting a self-signed or stolen certificate.
5. RSA key exchange has a serious weakness: no forward secrecy. An attacker can record the encrypted traffic now and, once the server's private key is obtained, decrypt all of it later. The RSA PKCS#1 v1.5 padding it relies on is also exposed to padding-oracle attacks (Bleichenbacher). For both reasons TLS 1.3 removed RSA key exchange entirely; only (EC)DHE remains.

3 The HTTPS communication process

1. The client starts an HTTPS request
The user enters an https URL in the browser, which connects to port 443 on the server.
2. Server-side configuration
A server that speaks HTTPS must have a certificate. It can be self-issued or obtained from a CA. The difference: a certificate from a private CA is only accepted once the client trusts that CA (otherwise the browser shows a warning page), while one from a publicly trusted CA is accepted without a prompt. Behind the certificate is a key pair: the public key goes into the certificate, the private key stays on the server.
3. The server sends its certificate to the client
The certificate carries the public key together with further information such as the issuing authority and the expiry date.
4. The client parses and verifies the server certificate
This is done by the client's TLS implementation: it checks the chain to a trusted issuer, the validity period and that the name matches the site; if anything is wrong a warning is shown. If the certificate is fine, the client generates a random value (the pre-master secret of the RSA key exchange in section 2) and encrypts it with the public key from the certificate.
5. The client sends the encrypted value to the server
What is transmitted is the random value encrypted under the certificate's public key. The goal is for the server to obtain this value; all later traffic is protected with symmetric keys that both sides derive from it.
6. The server decrypts the message
The server decrypts what the client sent with its private key and obtains the client's random value.
7. The server encrypts and sends data
The server encrypts the data with the symmetric key derived from the random value and sends it to the client.
8. The client receives and decrypts the data
The client decrypts the server's data with the key derived from the random value it generated earlier and obtains the plaintext.
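Sections 2 and 3 describe the same exchange. The script below is an added example, not from the original page: it plays both ends of a TLS 1.2 RSA key exchange with the openssl CLI, including the step the prose leaves abstract, the derivation of the master secret and the key block with the TLS 1.2 PRF (RFC 5246, HMAC-SHA256). The server key pair is generated on the fly and stands in for the key inside the certificate; hex2bin, tls12_prf, rsa_key_exchange and the other helper names are this example's own.

```shell
#!/bin/sh
# Added example, not the page's code: a TLS 1.2 RSA key exchange, both ends in one script,
# using only the openssl CLI plus POSIX tools. All key material lives in a temp dir.

WORK=$(mktemp -d)

hex2bin() {        # hex string in $1 -> raw bytes on stdout (POSIX printf octal escapes, no xxd needed)
    fmt=$(printf '%s' "$1" | LC_ALL=C awk '
        BEGIN { for (i = 0; i < 256; i++) v[sprintf("%02x", i)] = i }
        { for (i = 1; i <= length($0); i += 2) printf "\\%03o", v[tolower(substr($0, i, 2))] }')
    printf "$fmt"
}

bin2hex() { od -An -v -tx1 | tr -d ' \n'; }

hmac_sha256() {    # $1 = key (hex), $2 = message (hex) -> HMAC-SHA256 (hex)
    hex2bin "$2" | openssl dgst -sha256 -mac HMAC -macopt "hexkey:$1" | awk '{ print $NF }'
}

# TLS 1.2 PRF: P_SHA256(secret, label || seed) truncated to $4 bytes.
# A(0) = seed, A(i) = HMAC(secret, A(i-1)); output = HMAC(secret, A(1)||seed) || HMAC(secret, A(2)||seed) || ...
tls12_prf() {      # $1 = secret (hex), $2 = label (ASCII), $3 = seed (hex), $4 = bytes wanted
    seed="$(printf '%s' "$2" | bin2hex)$3"
    a=$(hmac_sha256 "$1" "$seed")
    out=""
    while [ $(( ${#out} / 2 )) -lt "$4" ]; do
        out="$out$(hmac_sha256 "$1" "$a$seed")"
        a=$(hmac_sha256 "$1" "$a")
    done
    printf '%s' "$out" | cut -c1-$(( $4 * 2 ))
}

# The exchange. Prints master_secret= and key_block=; returns 1 if the two ends ever disagree.
rsa_key_exchange() {
    # Server: long-term RSA key pair (the public half is what the certificate carries)
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/server.key" 2>/dev/null
    openssl pkey -in "$WORK/server.key" -pubout -out "$WORK/server.pub"

    # ClientHello / ServerHello: two 32-byte randoms, sent in the clear
    client_random=$(openssl rand -hex 32)
    server_random=$(openssl rand -hex 32)

    # Client: 48-byte pre-master secret = client version 0x0303 || 46 random bytes,
    # RSA PKCS#1 v1.5 encrypted to the server public key (ClientKeyExchange)
    pms_client="0303$(openssl rand -hex 46)"
    hex2bin "$pms_client" | openssl pkeyutl -encrypt -pubin -inkey "$WORK/server.pub" \
        -pkeyopt rsa_padding_mode:pkcs1 -out "$WORK/pms.enc"

    # Server: only the holder of the private key can recover it
    pms_server=$(openssl pkeyutl -decrypt -inkey "$WORK/server.key" -in "$WORK/pms.enc" | bin2hex)
    [ "$pms_client" = "$pms_server" ] || return 1

    # Both ends: master_secret = PRF(pre_master_secret, "master secret", client_random || server_random)[0..47]
    ms_client=$(tls12_prf "$pms_client" "master secret" "$client_random$server_random" 48)
    ms_server=$(tls12_prf "$pms_server" "master secret" "$client_random$server_random" 48)
    [ "$ms_client" = "$ms_server" ] || return 1

    # The master secret is never a traffic key itself: the session keys come from a second expansion,
    # key_block = PRF(master_secret, "key expansion", server_random || client_random). 40 bytes covers
    # TLS_RSA_WITH_AES_128_GCM_SHA256: 2 x 16-byte AES keys + 2 x 4-byte GCM salts, no MAC keys.
    key_block=$(tls12_prf "$ms_client" "key expansion" "$server_random$client_random" 40)
    printf 'master_secret=%s\nkey_block=%s\n' "$ms_client" "$key_block"
}

rsa_key_exchange && echo "client and server derived the same master secret"
```

The rsa_key_exchange function is steps 4 to 6 of section 2 in code; the key expansion at the end is the point that step 6 and the "session key" remark in step 7 blur. The script also makes the forward-secrecy problem of note 5 concrete: the two randoms are public, so the server private key alone turns a recorded pms.enc back into every key of that session.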

4 Create a private CA and issue a certificate

4.1 Create the CA directory layout and files

[root@centos8 ~]# mkdir -pv /etc/pki/CA/{certs,crl,newcerts,private}
mkdir: created directory '/etc/pki/CA'
mkdir: created directory '/etc/pki/CA/certs'
mkdir: created directory '/etc/pki/CA/crl'
mkdir: created directory '/etc/pki/CA/newcerts'
mkdir: created directory '/etc/pki/CA/private'
[root@centos8 ~]# tree /etc/pki/CA/
/etc/pki/CA/
├── certs
├── crl
├── newcerts
└── private

4 directories, 0 files

[root@centos8 ~]# touch /etc/pki/CA/index.txt
[root@centos8 ~]# echo 0F > /etc/pki/CA/serial

index.txt (the CA database) and serial (the next serial number to issue) are needed when issuing certificates; if either is missing, openssl ca fails with the errors below:

[root@centos8 ~]# openssl ca -in /root/app1/app1.csr -out /etc/pki/CA/certs/app1.crt -days 1000
Using configuration from /etc/pki/tls/openssl.cnf
140241335084864:error:02001002:system library:fopen:No such file or directory:crypto/bio/bss_file.c:69:fopen('/etc/pki/CA/index.txt','r')
140241335084864:error:2006D080:BIO routines:BIO_new_file:no such file:crypto/bio/bss_file.c:76:

[root@centos8 ~]# openssl ca -in /root/app1/app1.csr -out /etc/pki/CA/certs/app1.crt -days 1000
Using configuration from /etc/pki/tls/openssl.cnf
/etc/pki/CA/serial: No such file or directory
error while loading serial number
140695833495360:error:02001002:system library:fopen:No such file or directory:crypto/bio/bss_file.c:69:fopen('/etc/pki/CA/serial','r')
140695833495360:error:2006D080:BIO routines:BIO_new_file:no such file:crypto/bio/bss_file.c:76:

4.2 Create the CA private key

[root@centos8 ~]# cd /etc/pki/CA/
[root@centos8 CA]# (umask 066;openssl genrsa -out private/cakey.pem 2048) 
Generating RSA private key, 2048 bit long modulus (2 primes)
.+++++
..............................................................................................+++++
e is 65537 (0x010001)
[root@centos8 CA]# tree
.
├── certs
├── crl
├── newcerts
└── private
    └── cakey.pem

4 directories, 1 file
[root@centos8 CA]# ll private/
total 4
-rw-------. 1 root root 1675 Apr 22 21:14 cakey.pem
# Shown only for the tutorial: a CA private key is never displayed, logged or copied off the CA host
[root@centos8 CA]# cat private/cakey.pem
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAxxsVCkoyuGMWff69PNBkAgPbeysFa6V8A9CSNC7HD6thRB0W
eLs9SBMSytkl94x7keUBrhzFz4WMI6dEcNC1kDfWwTBvdL7nfmu65eJyO37TkU4Z
vRAyoflWulO89FlYiTNonzXLz8DEonAAo8xcD0AeBRQg78NawF04pmV8RAao7Fwc
oas5+Rk07n0gIxo06gsZk4hY7xcYwgpAmM8u1UirBXLlRMyE1WTsNdh/Y/M63O89
93dg9pGZ9SiE2WeMXnsxI/SpQ/Ud5H3cpSsWXWS4s2y7sysnDHgYrQS6B6WO8tRw
fo2tFo1p+itFa/2UiuJ9kCs2ggAYNA6Vo1833wIDAQABAoIBAQCbYDgIIqT4HWNl
CZEVzy3sIKR7trPxMF/Z/j7J+CMhyEUMSYLKzpthDnlg0Rp+1yNrVAH+pLd9XaNi
A1s2irjVha3SbwDbY0r17g4Y7aDlavCheQg+8VAB9LlIiKZxLPQZhYPEks+tHaqV
dMAbExRYVlnW7sFROestKNJXj+Tsk8GBOwqWD3bYdWIiYHNTg4Y0cAR8gCmRnjLo
cCeLfueGHEgDiYp+r77hYB6ADlBqv9vNCsRocEFQRcE3QdHsSoa7qSIzjVriH/sX
okOHo8+UUj3sT2BHDSXu9W3p93ij/Mr/W6QQs+hVVVBKaCJoom90l/mKPhwwR0GC
aUq+DheBAoGBAOURBlhdS/Y0EXaWqPrrIz9ClbQGueHTZy7IWUS+PjuH+LN9EER0
CDxAgIw3lygus55Nj2EvpN32FbH5QbQ2HQRZGyo6mae23c4HPL0zWnsSQcJD+ic5
GsebhXLVp5Z/EDV6Hbb3ZQuQsEi+grpdA8Nda4hJp/CQQCwIwa50dZXBAoGBAN6E
OvZ2YzbvjStKYsQBbLojWGt4EfcOg380C8ZkGNoCPql7VTz1S9ObFDgHHvwr3JVk
f7cz46l8smtgDY1eDotfsPpRsFlRAoXSPs83O6J50H6eg3NpsY/1rcWTGdSxht0K
0Xel3O++aJOyZgAChdPYbYgtiq8vPvXEOL1mZnWfAoGAR1n8Pf4hsTkaz3OygyZH
PmdBNmh58ivlkh76H32a6PQ7tb0ZGhmCjzIQWJzgSrXxYTgLl1w94J3MuDlKDBZn
B3myCn9iaWl+wbRjaRPb9UYEkbyW6SzSeKaq9NA0eZ5usBmvs9Rv9yBEqQQeuGpM
x8gLvNIkq7xjINRBcFP6ZIECgYATL82xwMWPUBqZGAHqKsFIT5HpOmI6LlsyVbeK
NMlbywPCM2tHJVOTfHTC3AJU9idADnlgv62qyKDN12tzvB9+7xJgkzikivKvvVBD
J90RhnVu5ZYqFnwEEMgaGDQK/f/GAY/MRFYHqiB0U9atu4n0mV3gdyTVNDq2kGPg
GPtOuwKBgD8XJUOmuKSnEbuo7vjXuFBfEfbzXlkKHqhENpTavqkGaU7uZH8CCeMo
jvPOTRRRPbqwjwOmgCChFf7V8L1zXtATASgUSoL/YO2Dey7q9iY2LEaMbISZYQ7D
dxR/syIBTg6ukZ1wjvrMx2bRVLwAV0o5/raDI1/zzdhtToH2S1nu
-----END RSA PRIVATE KEY-----

4.3 Issue the CA's self-signed certificate

[root@centos8 ~]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 3560 -out /etc/pki/CA/cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:shandong
Locality Name (eg, city) [Default City]:jinan
Organization Name (eg, company) [Default Company Ltd]:waluna
Organizational Unit Name (eg, section) []:devops
Common Name (eg, your name or your server's hostname) []:ca.waluna.top
Email Address []:admin@waluna.top
[root@centos8 ~]# tree /etc/pki/CA
/etc/pki/CA
├── cacert.pem
├── certs
├── crl
├── newcerts
└── private
    └── cakey.pem

4 directories, 2 files

[root@centos8 ~]# cat /etc/pki/CA/cacert.pem
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

[root@centos8 ~]# openssl x509 -in /etc/pki/CA/cacert.pem -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            28:71:cd:d3:c5:be:57:f0:fb:5d:06:0f:a0:46:02:b6:da:14:48:c4
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = CN, ST = shandong, L = jinan, O = waluna, OU = devops, CN = ca.waluna.top, emailAddress = admin@waluna.top
        Validity
            Not Before: Apr 22 13:18:02 2021 GMT
            Not After : Jan 20 13:18:02 2031 GMT
        Subject: C = CN, ST = shandong, L = jinan, O = waluna, OU = devops, CN = ca.waluna.top, emailAddress = admin@waluna.top
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:c7:1b:15:0a:4a:32:b8:63:16:7d:fe:bd:3c:d0:
                    64:02:03:db:7b:2b:05:6b:a5:7c:03:d0:92:34:2e:
                    c7:0f:ab:61:44:1d:16:78:bb:3d:48:13:12:ca:d9:
                    25:f7:8c:7b:91:e5:01:ae:1c:c5:cf:85:8c:23:a7:
                    44:70:d0:b5:90:37:d6:c1:30:6f:74:be:e7:7e:6b:
                    ba:e5:e2:72:3b:7e:d3:91:4e:19:bd:10:32:a1:f9:
                    56:ba:53:bc:f4:59:58:89:33:68:9f:35:cb:cf:c0:
                    c4:a2:70:00:a3:cc:5c:0f:40:1e:05:14:20:ef:c3:
                    5a:c0:5d:38:a6:65:7c:44:06:a8:ec:5c:1c:a1:ab:
                    39:f9:19:34:ee:7d:20:23:1a:34:ea:0b:19:93:88:
                    58:ef:17:18:c2:0a:40:98:cf:2e:d5:48:ab:05:72:
                    e5:44:cc:84:d5:64:ec:35:d8:7f:63:f3:3a:dc:ef:
                    3d:f7:77:60:f6:91:99:f5:28:84:d9:67:8c:5e:7b:
                    31:23:f4:a9:43:f5:1d:e4:7d:dc:a5:2b:16:5d:64:
                    b8:b3:6c:bb:b3:2b:27:0c:78:18:ad:04:ba:07:a5:
                    8e:f2:d4:70:7e:8d:ad:16:8d:69:fa:2b:45:6b:fd:
                    94:8a:e2:7d:90:2b:36:82:00:18:34:0e:95:a3:5f:
                    37:df
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                6E:A3:BE:E9:AE:CD:7E:AE:79:34:C0:DF:38:E5:22:0A:D3:7C:0A:B9
            X509v3 Authority Key Identifier: 
                keyid:6E:A3:BE:E9:AE:CD:7E:AE:79:34:C0:DF:38:E5:22:0A:D3:7C:0A:B9

            X509v3 Basic Constraints: critical
                CA:TRUE
    Signature Algorithm: sha256WithRSAEncryption
         99:92:73:18:8f:7d:10:31:4c:d8:73:6a:f5:08:64:81:a7:c1:
         31:73:ac:d2:64:52:1c:e5:03:1b:8e:43:ae:f3:24:2e:b6:8e:
         e2:5b:b3:1e:97:90:67:cb:32:d2:e0:1b:01:0f:d0:78:b1:57:
         78:25:76:63:83:55:9a:69:b3:b8:7a:26:75:5d:51:67:81:16:
         98:e4:02:6a:7a:e0:8a:9f:8e:af:64:49:62:7f:de:a8:8a:8f:
         80:03:7f:ab:38:83:0a:20:72:c6:11:5e:63:ae:52:37:b2:55:
         e7:6e:2c:2a:a7:27:b8:6d:6d:f6:10:99:9d:77:94:97:02:7a:
         ef:41:30:98:46:32:00:2b:5e:6b:89:a2:45:a4:c4:46:84:dc:
         c6:1d:88:d6:35:32:6e:57:ba:87:65:79:05:1b:0a:ee:1f:b6:
         4b:90:f3:41:9e:ca:33:0d:2e:de:67:0f:2a:e9:1d:63:20:66:
         bd:cf:12:34:14:e9:b1:27:e2:ec:62:6a:74:2e:3e:71:95:aa:
         7b:6b:64:51:d6:24:a7:12:8d:42:43:08:00:16:31:aa:d8:b5:
         1b:f0:1b:ba:73:df:86:87:4d:30:92:b7:80:7d:73:42:83:d4:
         a1:96:01:21:e9:12:01:50:31:1b:77:4d:20:b4:4f:ca:cc:28:
         c0:f3:38:c1

[root@centos8 ~]# sz /etc/pki/CA/cacert.pem
rz
Starting zmodem transfer.  Press Ctrl+C to cancel.
Transferring cacert.pem...
  100%       1 KB       1 KB/sec    00:00:01       0 Errors  

[root@centos8 ~]# 
# Transfer cacert.pem to Windows, rename it cacert.pem.crt and double-click it to open it in the Windows certificate viewer

4.4 The requester generates a private key and a certificate signing request (CSR)

[root@centos8 ~]# mkdir app1
[root@centos8 ~]# (umask 066;openssl genrsa -out /root/app1/app1.key 2048)
Generating RSA private key, 2048 bit long modulus (2 primes)
......+++++
......................+++++
e is 65537 (0x010001)
[root@centos8 ~]# cat /root/app1/app1.key
-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----

[root@centos8 ~]# openssl req -new -key /root/app1/app1.key -out /root/app1/app1.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:shandong
Locality Name (eg, city) [Default City]:jn
Organization Name (eg, company) [Default Company Ltd]:waluna
Organizational Unit Name (eg, section) []:it
Common Name (eg, your name or your server's hostname) []:app1.waluna.top
Email Address []:root@waluna.top

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@centos8 ~]# ll /root/app1/
total 8
-rw-r--r--. 1 root root 1045 Apr 22 22:30 app1.csr
-rw-------. 1 root root 1675 Apr 22 22:26 app1.key

By default (policy_match in /etc/pki/tls/openssl.cnf) three fields of the request must match the CA certificate: country (C), state/province (ST) and organization (O); OU and email are optional and CN must be supplied. If one of them differs, openssl ca refuses the request as shown below. A field the policy does not mention at all, localityName under policy_match, is silently dropped from the issued certificate, which is why app1.crt in 4.5 carries no L= although "jn" was entered in the request.

[root@centos8 ~]# mkdir app2
[root@centos8 ~]# (umask 066;openssl genrsa -out /root/app2/app2.key 2048)  
Generating RSA private key, 2048 bit long modulus (2 primes)
................................................................+++++
....................+++++
e is 65537 (0x010001)
[root@centos8 ~]# openssl req -new -key /root/app2/app2.key -out /root/app2/app2.csr 
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:beijing
Organization Name (eg, company) [Default Company Ltd]:tianhu
Organizational Unit Name (eg, section) []:it
Common Name (eg, your name or your server's hostname) []:www.tianhu.com
Email Address []:admin@tianhu.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@centos8 ~]# openssl ca -in /root/app2/app2.csr -out /etc/pki/CA/certs/app2.crt -days 1000   
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
The stateOrProvinceName field is different between
CA certificate (shandong) and the request (beijing)
# Fix: in /etc/pki/tls/openssl.cnf change the three "match" entries of policy_match to optional, or point policy at policy_anything (which passes every field through, so the CA no longer enforces any naming discipline on requests)
[root@centos8 ~]# vim /etc/pki/tls/openssl.cnf
policy          = policy_anything
# Issued successfully
[root@centos8 ~]# openssl ca -in /root/app2/app2.csr -out /etc/pki/CA/certs/app2.crt -days 1000
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 16 (0x10)
        Validity
            Not Before: Apr 22 15:09:40 2021 GMT
            Not After : Jan 17 15:09:40 2024 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = beijing
            localityName              = beijing
            organizationName          = tianhu
            organizationalUnitName    = it
            commonName                = www.tianhu.com
            emailAddress              = admin@tianhu.com
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                A0:04:D2:89:45:F1:5E:EB:6C:22:99:68:D8:68:DD:75:49:D2:AE:83
            X509v3 Authority Key Identifier: 
                keyid:6E:A3:BE:E9:AE:CD:7E:AE:79:34:C0:DF:38:E5:22:0A:D3:7C:0A:B9

Certificate is to be certified until Jan 17 15:09:40 2024 GMT (1000 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

4.5 The CA issues the certificate

[root@centos8 ~]# openssl ca -in /root/app1/app1.csr -out /etc/pki/CA/certs/app1.crt -days 1000
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 15 (0xf)
        Validity
            Not Before: Apr 22 14:35:42 2021 GMT
            Not After : Jan 17 14:35:42 2024 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = shandong
            organizationName          = waluna
            organizationalUnitName    = it
            commonName                = app1.waluna.top
            emailAddress              = root@waluna.top
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                84:00:04:7C:B6:57:A2:A0:1F:78:39:70:3D:46:66:5C:02:15:32:89
            X509v3 Authority Key Identifier: 
                keyid:6E:A3:BE:E9:AE:CD:7E:AE:79:34:C0:DF:38:E5:22:0A:D3:7C:0A:B9

Certificate is to be certified until Jan 17 14:35:42 2024 GMT (1000 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@centos8 ~]# tree /etc/pki/CA/
/etc/pki/CA/
├── cacert.pem
├── certs
│   └── app1.crt
├── crl
├── index.txt
├── index.txt.attr
├── index.txt.old
├── newcerts
│   └── 0F.pem
├── private
│   └── cakey.pem
├── serial
└── serial.old

4 directories, 9 files

4.6 Inspect the certificate

# openssl ca writes a human-readable dump ahead of the PEM block unless -notext is given, which
# is why cat shows both; the PEM block is the part clients consume
[root@centos8 ~]# cat /etc/pki/CA/certs/app1.crt
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 15 (0xf)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=CN, ST=shandong, L=jinan, O=waluna, OU=devops, CN=ca.waluna.top/emailAddress=admin@waluna.top
        Validity
            Not Before: Apr 22 14:35:42 2021 GMT
            Not After : Jan 17 14:35:42 2024 GMT
        Subject: C=CN, ST=shandong, O=waluna, OU=it, CN=app1.waluna.top/emailAddress=root@waluna.top
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:b9:c4:21:9d:08:5e:38:d1:4e:08:50:7e:4e:48:
                    4c:ba:4a:b0:af:f2:16:59:94:f1:43:69:c0:8e:9c:
                    23:3f:00:38:55:16:45:20:ca:50:1f:2e:7b:4f:54:
                    f9:1d:cc:ae:0b:e7:dc:c6:58:f5:0c:8c:36:d9:53:
                    e0:15:a5:ed:ef:2a:44:7c:ba:6c:dd:a6:ea:d8:f9:
                    ac:3b:81:50:e8:45:c2:28:6f:60:3e:f1:3a:4f:2e:
                    07:6c:3f:16:1b:ad:11:b7:78:8c:ab:64:18:f5:f4:
                    bf:8e:c1:8d:9b:3b:97:80:1a:79:cf:5f:fe:53:cc:
                    63:6a:c9:0a:4e:2c:ad:8e:9d:1a:fe:b8:00:08:f0:
                    6d:74:bc:2d:55:3a:4d:4a:4c:92:42:51:7b:c5:0a:
                    42:c6:3c:d1:17:cb:2a:0c:b0:94:a4:22:6c:3b:c2:
                    bc:d3:31:b6:f7:a9:19:e6:66:84:62:3e:6c:c8:44:
                    ed:ba:a7:e8:02:33:c7:0d:ed:c3:b6:ac:dd:34:40:
                    29:47:58:ad:38:22:84:d5:97:8d:e0:91:93:44:08:
                    d6:11:a3:38:e6:c4:11:6c:7b:4a:5a:c5:97:12:71:
                    d5:81:a3:43:e8:d1:d6:af:7d:20:2b:33:14:e8:c0:
                    8a:cd:8b:c5:13:5f:1b:44:fc:12:54:ae:8f:0c:22:
                    c1:eb
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                84:00:04:7C:B6:57:A2:A0:1F:78:39:70:3D:46:66:5C:02:15:32:89
            X509v3 Authority Key Identifier: 
                keyid:6E:A3:BE:E9:AE:CD:7E:AE:79:34:C0:DF:38:E5:22:0A:D3:7C:0A:B9

    Signature Algorithm: sha256WithRSAEncryption
         3e:9b:c7:a9:23:85:81:62:01:15:c2:18:75:34:fc:95:6a:2b:
         a4:14:71:17:94:e5:6b:1f:7e:10:f7:5f:b8:e4:65:52:96:12:
         f5:a1:f3:5b:1d:66:f7:e3:09:41:60:53:98:15:c5:a9:e6:4f:
         a0:3a:7e:52:40:72:2f:89:71:92:ea:34:5a:c4:fa:3d:15:fc:
         57:d0:54:23:2a:2e:b1:25:ab:66:d5:25:b5:63:ad:18:7f:7f:
         65:81:95:2f:28:3b:a0:45:32:91:63:3a:cb:c1:05:08:e0:e2:
         ca:85:2e:37:1a:5e:70:eb:f2:2d:13:e5:59:bd:8b:ee:31:38:
         d8:7f:2d:0d:fe:d5:6e:55:16:d9:63:d4:1d:ad:e5:3f:5c:91:
         7c:07:12:40:40:69:18:95:db:1b:44:cd:66:de:65:04:52:c6:
         38:71:0a:a0:c0:2a:94:32:6c:90:a4:94:51:da:a8:86:bf:6b:
         01:4b:ea:67:02:ec:84:fb:1e:e2:07:95:0e:a6:c0:9c:ce:c8:
         5f:b3:da:31:d7:3e:26:df:d1:67:c8:b7:69:1e:9d:79:85:03:
         d3:8f:11:12:8b:16:4a:f6:50:96:6a:97:c6:2a:90:6b:83:c5:
         d2:dc:8f:97:4c:cc:cf:b5:a8:fc:4b:89:c8:f9:60:de:ea:eb:
         cd:1b:a5:88
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

[root@centos8 ~]# openssl x509 -in /etc/pki/CA/certs/app1.crt -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 15 (0xf)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = CN, ST = shandong, L = jinan, O = waluna, OU = devops, CN = ca.waluna.top, emailAddress = admin@waluna.top
        Validity
            Not Before: Apr 22 14:35:42 2021 GMT
            Not After : Jan 17 14:35:42 2024 GMT
        Subject: C = CN, ST = shandong, O = waluna, OU = it, CN = app1.waluna.top, emailAddress = root@waluna.top
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:b9:c4:21:9d:08:5e:38:d1:4e:08:50:7e:4e:48:
                    4c:ba:4a:b0:af:f2:16:59:94:f1:43:69:c0:8e:9c:
                    23:3f:00:38:55:16:45:20:ca:50:1f:2e:7b:4f:54:
                    f9:1d:cc:ae:0b:e7:dc:c6:58:f5:0c:8c:36:d9:53:
                    e0:15:a5:ed:ef:2a:44:7c:ba:6c:dd:a6:ea:d8:f9:
                    ac:3b:81:50:e8:45:c2:28:6f:60:3e:f1:3a:4f:2e:
                    07:6c:3f:16:1b:ad:11:b7:78:8c:ab:64:18:f5:f4:
                    bf:8e:c1:8d:9b:3b:97:80:1a:79:cf:5f:fe:53:cc:
                    63:6a:c9:0a:4e:2c:ad:8e:9d:1a:fe:b8:00:08:f0:
                    6d:74:bc:2d:55:3a:4d:4a:4c:92:42:51:7b:c5:0a:
                    42:c6:3c:d1:17:cb:2a:0c:b0:94:a4:22:6c:3b:c2:
                    bc:d3:31:b6:f7:a9:19:e6:66:84:62:3e:6c:c8:44:
                    ed:ba:a7:e8:02:33:c7:0d:ed:c3:b6:ac:dd:34:40:
                    29:47:58:ad:38:22:84:d5:97:8d:e0:91:93:44:08:
                    d6:11:a3:38:e6:c4:11:6c:7b:4a:5a:c5:97:12:71:
                    d5:81:a3:43:e8:d1:d6:af:7d:20:2b:33:14:e8:c0:
                    8a:cd:8b:c5:13:5f:1b:44:fc:12:54:ae:8f:0c:22:
                    c1:eb
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                84:00:04:7C:B6:57:A2:A0:1F:78:39:70:3D:46:66:5C:02:15:32:89
            X509v3 Authority Key Identifier: 
                keyid:6E:A3:BE:E9:AE:CD:7E:AE:79:34:C0:DF:38:E5:22:0A:D3:7C:0A:B9

    Signature Algorithm: sha256WithRSAEncryption
         3e:9b:c7:a9:23:85:81:62:01:15:c2:18:75:34:fc:95:6a:2b:
         a4:14:71:17:94:e5:6b:1f:7e:10:f7:5f:b8:e4:65:52:96:12:
         f5:a1:f3:5b:1d:66:f7:e3:09:41:60:53:98:15:c5:a9:e6:4f:
         a0:3a:7e:52:40:72:2f:89:71:92:ea:34:5a:c4:fa:3d:15:fc:
         57:d0:54:23:2a:2e:b1:25:ab:66:d5:25:b5:63:ad:18:7f:7f:
         65:81:95:2f:28:3b:a0:45:32:91:63:3a:cb:c1:05:08:e0:e2:
         ca:85:2e:37:1a:5e:70:eb:f2:2d:13:e5:59:bd:8b:ee:31:38:
         d8:7f:2d:0d:fe:d5:6e:55:16:d9:63:d4:1d:ad:e5:3f:5c:91:
         7c:07:12:40:40:69:18:95:db:1b:44:cd:66:de:65:04:52:c6:
         38:71:0a:a0:c0:2a:94:32:6c:90:a4:94:51:da:a8:86:bf:6b:
         01:4b:ea:67:02:ec:84:fb:1e:e2:07:95:0e:a6:c0:9c:ce:c8:
         5f:b3:da:31:d7:3e:26:df:d1:67:c8:b7:69:1e:9d:79:85:03:
         d3:8f:11:12:8b:16:4a:f6:50:96:6a:97:c6:2a:90:6b:83:c5:
         d2:dc:8f:97:4c:cc:cf:b5:a8:fc:4b:89:c8:f9:60:de:ea:eb:
         cd:1b:a5:88
# Issuer only
[root@centos8 ~]# openssl x509 -in /etc/pki/CA/certs/app1.crt -noout -issuer
issuer=C = CN, ST = shandong, L = jinan, O = waluna, OU = devops, CN = ca.waluna.top, emailAddress = admin@waluna.top
# Subject only
[root@centos8 ~]# openssl x509 -in /etc/pki/CA/certs/app1.crt -noout -subject
subject=C = CN, ST = shandong, O = waluna, OU = it, CN = app1.waluna.top, emailAddress = root@waluna.top
# Validity dates only
[root@centos8 ~]# openssl x509 -in /etc/pki/CA/certs/app1.crt -noout -dates
notBefore=Apr 22 14:35:42 2021 GMT
notAfter=Jan 17 14:35:42 2024 GMT
# Serial number only
[root@centos8 ~]# openssl x509 -in /etc/pki/CA/certs/app1.crt -noout -serial
serial=0F

# Check the status of the certificate with this serial in the CA database
[root@centos8 ~]# openssl ca -status 0F
Using configuration from /etc/pki/tls/openssl.cnf
0F=Valid (V)
[root@centos8 ~]# cat /etc/pki/CA/index.txt
V       240117143542Z           0F      unknown /C=CN/ST=shandong/O=waluna/OU=it/CN=app1.waluna.top/emailAddress=root@waluna.top
[root@centos8 ~]# cat /etc/pki/CA/index.txt.old
[root@centos8 ~]# cat /etc/pki/CA/serial
10
[root@centos8 ~]# cat /etc/pki/CA/serial.old
0F

[root@centos8 ~]# sz /etc/pki/CA/certs/app1.crt
rz
Starting zmodem transfer.  Press Ctrl+C to cancel.
Transferring app1.crt...
  100%       4 KB       4 KB/sec    00:00:01       0 Errors  

[root@centos8 ~]# 
# Transfer /etc/pki/CA/certs/app1.crt to Windows and double-click it to open it in the certificate viewer

4.7 Send the certificate files to the requester

[root@centos8 ~]# cp /etc/pki/CA/certs/app1.crt /root/app1
[root@centos8 ~]# tree /root/app1
/root/app1
├── app1.crt
├── app1.csr
└── app1.key

0 directories, 3 files

4.8 Trusting the certificate

A certificate issued this way is not trusted on Windows by default, because the private CA is unknown to it. Trust is established by importing the CA certificate (cacert.pem, not app1.crt) into the Trusted Root Certification Authorities store:

Open Internet Properties (Internet Options), then Content > Certificates > Trusted Root Certification Authorities > Import, and select cacert.pem.

4.9 Revoking a certificate

# Can two certificates be issued from the same request?
[root@centos8 ~]# openssl ca -in /root/app2/app2.csr -out /etc/pki/CA/certs/app2_2.crt -days 1000
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
ERROR:There is already a certificate for /C=CN/ST=beijing/L=beijing/O=tianhu/OU=it/CN=www.tianhu.com/emailAddress=admin@tianhu.com
The matching entry has the following details
Type          :Valid
Expires on    :240117150940Z
Serial Number :10
File name     :unknown
Subject Name  :/C=CN/ST=beijing/L=beijing/O=tianhu/OU=it/CN=www.tianhu.com/emailAddress=admin@tianhu.com
# Refused by default: the CA keeps subjects unique (unique_subject = yes in index.txt.attr)
# To allow it, edit /etc/pki/CA/index.txt.attr
[root@centos8 ~]# vim /etc/pki/CA/index.txt.attr
unique_subject = no
# Issue again
[root@centos8 ~]# openssl ca -in /root/app2/app2.csr -out /etc/pki/CA/certs/app2_2.crt -days 1000
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 20 (0x14)
        Validity
            Not Before: Apr 22 15:33:22 2021 GMT
            Not After : Jan 17 15:33:22 2024 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = beijing
            localityName              = beijing
            organizationName          = tianhu
            organizationalUnitName    = it
            commonName                = www.tianhu.com
            emailAddress              = admin@tianhu.com
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                A0:04:D2:89:45:F1:5E:EB:6C:22:99:68:D8:68:DD:75:49:D2:AE:83
            X509v3 Authority Key Identifier: 
                keyid:6E:A3:BE:E9:AE:CD:7E:AE:79:34:C0:DF:38:E5:22:0A:D3:7C:0A:B9

Certificate is to be certified until Jan 17 15:33:22 2024 GMT (1000 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@centos8 ~]# tree /etc/pki/CA/certs/
/etc/pki/CA/certs/
├── app1.crt
├── app2_2.crt
└── app2.crt

0 directories, 3 files
# Issued successfully

# Revoke a certificate: -revoke takes the certificate file; newcerts/<serial>.pem is the CA's own copy, here the certificate with serial 0x11
[root@centos8 ~]# openssl ca -revoke /etc/pki/CA/newcerts/11.pem
Using configuration from /etc/pki/tls/openssl.cnf
Revoking Certificate 11.
Data Base Updated
# Check its status
[root@centos8 ~]# openssl ca -status 11
Using configuration from /etc/pki/tls/openssl.cnf
11=Revoked (R)
[root@centos8 ~]# cat /etc/pki/CA/index.txt
V       240117143542Z           0F      unknown /C=CN/ST=shandong/O=waluna/OU=it/CN=app1.waluna.top/emailAddress=root@waluna.top
V       240117150940Z           10      unknown /C=CN/ST=beijing/L=beijing/O=tianhu/OU=it/CN=www.tianhu.com/emailAddress=admin@tianhu.com
R       240117151228Z   210422153506Z   11      unknown /C=CN/ST=shandong/L=jn/O=waluna/OU=it/CN=app1.waluna.top/emailAddress=root@waluna.top

4.10 Generate the certificate revocation list (CRL) file

# The first -gencrl fails because the CRL number file does not exist yet
[root@centos8 ~]# openssl ca -gencrl -out /etc/pki/CA/crl.pem
Using configuration from /etc/pki/tls/openssl.cnf
/etc/pki/CA/crlnumber: No such file or directory
error while loading CRL number
140460583081792:error:02001002:system library:fopen:No such file or directory:crypto/bio/bss_file.c:69:fopen('/etc/pki/CA/crlnumber','r')
140460583081792:error:2006D080:BIO routines:BIO_new_file:no such file:crypto/bio/bss_file.c:76:
# Seed the CRL number first
[root@centos8 ~]# echo 01 > /etc/pki/CA/crlnumber
# CRL generated
[root@centos8 ~]# openssl ca -gencrl -out /etc/pki/CA/crl.pem
Using configuration from /etc/pki/tls/openssl.cnf
# The number in crlnumber has been incremented for the next CRL
[root@centos8 ~]# cat /etc/pki/CA/crlnumber
02
[root@centos8 ~]# cat /etc/pki/CA/crl.pem  
-----BEGIN X509 CRL-----
...
-----END X509 CRL-----
[root@centos8 ~]# openssl crl -in /etc/pki/CA/crl.pem -noout -text
Certificate Revocation List (CRL):
        Version 2 (0x1)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = CN, ST = shandong, L = jinan, O = waluna, OU = devops, CN = ca.waluna.top, emailAddress = admin@waluna.top
        Last Update: Apr 22 15:38:24 2021 GMT
        Next Update: May 22 15:38:24 2021 GMT
        CRL extensions:
            X509v3 CRL Number: 
                1
Revoked Certificates:
    Serial Number: 11
        Revocation Date: Apr 22 15:35:06 2021 GMT
    Signature Algorithm: sha256WithRSAEncryption
         38:df:7a:61:b9:52:cd:e9:42:ba:73:93:c9:29:41:b9:dd:ec:
         f7:a0:a0:99:ba:6c:5d:2c:49:af:8c:3a:83:27:68:d2:45:17:
         d5:ba:04:8f:ff:4a:01:a3:d8:09:a8:8a:32:4c:9f:ea:5a:dc:
         46:83:a2:ec:44:2c:28:fe:4a:ad:47:21:5b:64:75:18:bb:75:
         7f:77:0f:a2:c0:b4:51:a9:95:b7:c4:04:a5:31:97:f5:66:49:
         b3:ab:cc:1b:36:b3:f3:7e:c3:bf:9c:4c:03:0d:8e:9c:a0:df:
         17:a6:7a:99:d9:1d:e4:24:35:67:27:8d:35:cb:50:d3:7e:52:
         84:51:be:8c:0f:68:b2:b7:f3:90:1f:10:1e:25:ed:7f:43:44:
         bd:7c:8d:63:0f:f0:af:72:f4:d5:df:77:93:30:7b:f9:8a:1c:
         cb:6b:ce:dd:f0:9a:a1:80:f2:01:86:f4:50:bc:c7:da:db:67:
         9d:4f:19:4a:5a:02:e5:7a:67:4c:e2:29:19:70:d7:e3:83:cf:
         27:9a:5e:5e:42:1f:b7:26:de:1a:d8:f8:8f:98:3e:93:37:98:
         98:a7:3c:10:97:c4:02:81:9d:29:7f:f8:ca:b1:d6:a5:9a:d7:
         d7:22:60:bf:25:93:41:72:ed:1b:64:f9:90:76:00:6a:70:52:
         d1:a8:1e:a3
[root@centos8 ~]# sz /etc/pki/CA/crl.pem
rz
Starting zmodem transfer.  Press Ctrl+C to cancel.
Transferring crl.pem...
  100%     743 bytes  743 bytes/sec 00:00:01       0 Errors  

[root@centos8 ~]# 
# Transfer crl.pem to Windows, rename it crl.pem.crl and double-click it to open it in the Windows CRL viewer

4.11 Scripted CA setup and certificate issuance

cat issue_rootca.sh
#!/bin/bash
set -e   # stop at the first failing step instead of reporting success over a broken CA
# CA directory layout and the two bookkeeping files openssl ca needs
mkdir -p /etc/pki/CA/{certs,crl,newcerts,private}
touch /etc/pki/CA/index.txt
echo 0F > /etc/pki/CA/serial   # first serial number to issue

cd /etc/pki/CA/
# CA private key, readable by root only
(umask 066; openssl genrsa -out private/cakey.pem 2048) &> /dev/null

# Self-signed CA certificate. -subj supplies the DN instead of answering the prompts:
# Country / State or Province / Locality / Organization / Organizational Unit / Common Name / Email
openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 3560 \
    -subj "/C=CN/ST=shandong/L=jinan/O=waluna/OU=devops/CN=ca.waluna.top/emailAddress=admin@waluna.top" \
    -out /etc/pki/CA/cacert.pem &> /dev/null
echo "Issue self signed certificate successful"

cat issue_CA.sh
#!/bin/bash
set -e
mkdir -p /root/app1   # requester's directory
# Requester's private key, readable by root only
(umask 066; openssl genrsa -out /root/app1/app1.key 2048) &> /dev/null
echo "create user Private key successful"

# Certificate signing request. -subj replaces the interactive prompts (the challenge password and
# optional company name stay empty). C, ST and O must match the CA under the default policy_match.
openssl req -new -key /root/app1/app1.key \
    -subj "/C=CN/ST=shandong/L=jn/O=waluna/OU=it/CN=app1.waluna.top/emailAddress=root@waluna.top" \
    -out /root/app1/app1.csr &> /dev/null
echo "Certificate Application created complete"

# Sign the request with the CA. -batch answers "Sign the certificate?" and "commit?" with yes;
# with unique_subject = yes a second run fails until the earlier certificate is revoked.
openssl ca -batch -in /root/app1/app1.csr -out /etc/pki/CA/certs/app1.crt -days 1000 &> /dev/null
echo "Issue user certificate successful"

# copy the issued certificate to the requester's directory
cp /etc/pki/CA/certs/app1.crt /root/app1
echo "Application completed"
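The whole of section 4 as one self-contained run, as an added example and not the page's own scripts: it builds the private CA, issues two server certificates, revokes one and publishes a CRL, and adds the checks the page never performs, namely openssl verify against the CA, the host name against the certificate's subjectAltName, and the CRL check that rejects the revoked certificate. It writes its own minimal openssl.cnf under a temp dir instead of editing /etc/pki/tls/openssl.cnf. The host names are the page's; the policy and extension sections, the function names (setup_ca, issue_server, verify_host, revoke_cert, verify_with_crl) and the 365-day lifetimes are this example's choices.

```shell
#!/bin/sh
# Added example, not the page's code: private CA life cycle with openssl ca in a temp dir.

# $1 = CA directory. Creates the layout, the bookkeeping files, the config and the self-signed root.
setup_ca() {
    mkdir -p "$1/certs" "$1/crl" "$1/newcerts" "$1/private" && chmod 700 "$1/private"
    : > "$1/index.txt"
    echo 0F > "$1/serial"          # next certificate serial
    echo 01 > "$1/crlnumber"       # next CRL number (-gencrl fails without it)
    cat > "$1/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir              = $1
database         = \$dir/index.txt
new_certs_dir    = \$dir/newcerts
certificate      = \$dir/cacert.pem
private_key      = \$dir/private/cakey.pem
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = policy_anything
[ policy_anything ]
countryName            = optional
stateOrProvinceName    = optional
localityName           = optional
organizationName       = optional
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints       = critical, CA:TRUE
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always, issuer
EOF
    (umask 077; openssl genrsa -out "$1/private/cakey.pem" 2048 2>/dev/null)
    openssl req -new -x509 -config "$1/openssl.cnf" -key "$1/private/cakey.pem" -days 3650 \
        -subj "/C=CN/ST=shandong/L=jinan/O=waluna/OU=devops/CN=ca.waluna.top" -out "$1/cacert.pem"
}

# $1 = CA dir, $2 = host name. Key, CSR and CA-signed certificate end up in $1/certs/.
issue_server() {
    (umask 077; openssl genrsa -out "$1/certs/$2.key" 2048 2>/dev/null)
    openssl req -new -config "$1/openssl.cnf" -key "$1/certs/$2.key" \
        -subj "/C=CN/ST=shandong/O=waluna/OU=it/CN=$2" -out "$1/certs/$2.csr"
    # Extensions are fixed by the CA here, never copied from the CSR (copy_extensions = copy would
    # let a requester ask for CA:TRUE). Clients match the host name against SAN, not against CN.
    printf 'basicConstraints = CA:FALSE\nkeyUsage = critical, digitalSignature, keyEncipherment\n' > "$1/certs/$2.ext"
    printf 'extendedKeyUsage = serverAuth\nsubjectAltName = DNS:%s\n' "$2" >> "$1/certs/$2.ext"
    printf 'subjectKeyIdentifier = hash\nauthorityKeyIdentifier = keyid, issuer\n' >> "$1/certs/$2.ext"
    # -batch answers the two y/n prompts; -notext keeps the human-readable dump out of the .crt
    openssl ca -config "$1/openssl.cnf" -batch -notext -days 365 -extfile "$1/certs/$2.ext" \
        -in "$1/certs/$2.csr" -out "$1/certs/$2.crt" >/dev/null 2>&1
}

# $1 = CA dir, $2 = certificate host, $3 = name being connected to: the check a client performs
verify_host() {
    openssl verify -CAfile "$1/cacert.pem" -verify_hostname "$3" "$1/certs/$2.crt"
}

# $1 = CA dir, $2 = host: mark the certificate revoked in index.txt, then publish a fresh CRL
revoke_cert() {
    openssl ca -config "$1/openssl.cnf" -revoke "$1/certs/$2.crt" >/dev/null 2>&1 &&
        openssl ca -config "$1/openssl.cnf" -gencrl -out "$1/crl/crl.pem" >/dev/null 2>&1
}

# $1 = CA dir, $2 = host: the same chain check, but consulting the CRL ("certificate revoked" fails it)
verify_with_crl() {
    openssl verify -crl_check -CAfile "$1/cacert.pem" -CRLfile "$1/crl/crl.pem" "$1/certs/$2.crt"
}

main() {
    d=$(mktemp -d)
    setup_ca "$d" && issue_server "$d" app1.waluna.top && issue_server "$d" app2.waluna.top || return 1
    verify_host "$d" app1.waluna.top app1.waluna.top
    verify_host "$d" app1.waluna.top www.waluna.top || echo "www.waluna.top rejected: not in SAN (expected)"
    revoke_cert "$d" app2.waluna.top
    verify_with_crl "$d" app1.waluna.top
    verify_with_crl "$d" app2.waluna.top || echo "app2.waluna.top rejected by the CRL check (expected)"
    openssl crl -in "$d/crl/crl.pem" -noout -text | sed -n '/Revoked Certificates/,/Revocation Date/p'
}
main
```

The two negative checks are the ones that matter operationally: a client that does not verify the host name accepts any certificate the CA ever issued, and a client that never fetches the CRL (or OCSP) keeps trusting app2 for the full 365 days after revocation. The page's cat of index.txt is the CA-side view of the same state; the CRL is what the client side sees of it.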