网络技能大赛-云平台部分-CentOS部分07-[CA(https)]
2022年全国职业技能大赛网络系统管理赛项相较2021年再次做出改动,Linux部分从之前的Debian又换回了CentOS,不过相应增加了UOS国产操作系统。
再怎么变比赛的东西也就那么多,希望大家都能勇于动手尝试,多多摸索,愿大家都能取得一个理想的成绩!
交流共享资料群号:926132419
CA
http/nginx隐藏配置 OpenSSL搭建私有CA
#准备两台机器 一台CA服务器 一台客户Web服务器
#以下ServerB为CA服务器 ServerA为Web服务器
####在B上搭建CA服务器 注意路径
[root@serverB CA]# pwd
/etc/pki/CA
[root@serverB CA]# (umask 077;openssl genrsa -out pirvate/cakey.pem 4096)
pirvate/cakey.pem: No such file or directory
139921458653088:error:02001002:system library:fopen:No such file or directory:bss_file.c:402:fopen('pirvate/cakey.pem','w')
139921458653088:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:404:
[root@serverB CA]# ls
certs crl newcerts private
[root@serverB CA]# cd private/
[root@serverB private]# ls
[root@serverB private]# (umask 077;openssl genrsa -out cakey.pem 4096)
Generating RSA private key, 4096 bit long modulus
....................................................................................................................++
..................................................................................................................................................................................................................................................................................................++
e is 65537 (0x10001)
[root@serverB private]# openssl req -new -x509 -key cakey.pem -out /etc/pki/CA/cacert.pem -days 3650
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:JS
Locality Name (eg, city) [Default City]:LYG
Organization Name (eg, company) [Default Company Ltd]:ZD
Organizational Unit Name (eg, section) []:BS
Common Name (eg, your name or your server's hostname) []:www.rj.com
Email Address []:
[root@serverB private]# ls
cakey.pem
[root@serverB private]# cd ..
[root@serverB CA]# ls
cacert.pem certs crl newcerts private
[root@serverB CA]# touch /etc/pki/CA/index.txt
[root@serverB CA]# echo 01 > serial
####在A上生成请求文件传到B上认证
[root@serverA nginx]# mkdir ssl
[root@serverA nginx]# cd ssl/
[root@serverA ssl]# ls
[root@serverA ssl]# (umask 066;openssl genrsa -out nginx.key 1024)
Generating RSA private key, 1024 bit long modulus
.........++++++
.........................++++++
e is 65537 (0x10001)
[root@serverA ssl]# openssl req -new -key nginx.key -out nginx.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:JS
Locality Name (eg, city) [Default City]:LYG
Organization Name (eg, company) [Default Company Ltd]:ZD
Organizational Unit Name (eg, section) []:BS
Common Name (eg, your name or your server's hostname) []:www.rj.com
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@serverA ssl]# ls
nginx.csr nginx.key
[root@serverA ssl]# scp ./nginx.csr root@172.16.0.139:/data
The authenticity of host '172.16.0.139 (172.16.0.139)' can't be established.
ECDSA key fingerprint is fb:dd:a8:d5:fc:21:c6:8e:99:c6:5d:89:0b:6e:a5:92.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '172.16.0.139' (ECDSA) to the list of known hosts.
root@172.16.0.139's password:
nginx.csr 100% 627 0.6KB/s 00:00
[root@serverA ssl]#
####认证从A上传过来的请求文件 生成证书
[root@serverB CA]# openssl ca -in /data/nginx.csr -out /etc/pki/CA/certs/nginx.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Sep 15 00:50:40 2020 GMT
Not After : Sep 15 00:50:40 2021 GMT
Subject:
countryName = CN
stateOrProvinceName = JS
organizationName = ZD
organizationalUnitName = BS
commonName = www.rj.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
CC:71:62:76:0A:B3:DC:0E:8F:8A:61:71:67:56:FF:BA:53:E8:2C:6C
X509v3 Authority Key Identifier:
keyid:2D:A1:8E:3E:EB:1A:36:6D:B0:56:4C:15:55:2C:0A:85:DF:CA:B9:5A
Certificate is to be certified until Sep 15 00:50:40 2021 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@serverB CA]# ls
cacert.pem crl index.txt.attr newcerts serial
certs index.txt index.txt.old private serial.old
[root@serverB CA]# cat index.txt
V 210915005040Z 01 unknown /C=CN/ST=JS/O=ZD/OU=BS/CN=www.rj.com
[root@serverB CA]# pwd
/etc/pki/CA
####从B往A传证书
[root@serverB CA]# cd certs/
[root@serverB certs]# ls
nginx.crt
[root@serverB certs]# scp ./nginx.crt root@172.16.0.138:/etc/nginx/ssl
The authenticity of host '172.16.0.138 (172.16.0.138)' can't be established.
ECDSA key fingerprint is fb:dd:a8:d5:fc:21:c6:8e:99:c6:5d:89:0b:6e:a5:92.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '172.16.0.138' (ECDSA) to the list of known hosts.
root@172.16.0.138's password:
nginx.crt 100% 4888 4.8KB/s 00:00
[root@serverB certs]#
####查看证书是否传过来
[root@serverA ssl]# ls
nginx.crt nginx.csr nginx.key
[root@serverA ssl]# pwd
/etc/nginx/ssl