Jumpserver在线安装及部署认证服务器CA
主机 | IP | 功能 |
---|---|---|
JumpServer | 192.168.1.34 | 堡垒机管理资产及权限 |
CA认证服务器 | 192.168.1.37 | 提供HTTPS安全加密 |
堡垒机一键在线安装
##z在线安装
curl -sSL https://resource.fit2cloud.com/jumpserver/jumpserver/releases/latest/download/quick_start.sh | bash
注意事项
##默认密码
admin/admin
##启动JumpServer
首先进入/opt/jumpserver-installer-v3.9.3/
执行 ./jmsctl.sh start
##关闭JumpServer
首先进入/opt/jumpserver-installer-v3.9.3/
执行 ./jmsctl.sh stop
##需要使用HTTPS服务
将文件证书放在/opt/jumpserver/config/nginx/cert路径下
修改配置文件 vi /opt/jumpserver/config/config.txt
SSL_CERTIFICATE=/opt/jumpserver/config/nginx/cert/httpd.crt
SSL_CERTIFICATE_KEY=/opt/jumpserver/config/nginx/cert/httpd.key
ps:注意,需要先停止JumpServer服务后再修改配置文件
##关闭setenforce
setenforce 0
部署CA服务器
###简历CA服务器
##生成密钥
[root@localhost ~]# (umask 007; openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048)
ps:
():表示此命令在子进程中运行,其目的是为了不改变当前Shell中的umask值;
genrsa:生成私钥;
-out:私钥的存放路径,cakey.pem:为密钥名,与配置文件中保持一致;
2048:密钥长度,默认为1024
##自签证书
[root@localhost ~]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem -days 1000
ps:
req:生成证书签署请求;
-x509:生成自签署证书;
-days n:证书的有效天数;
-new:新请求;
-key /path/to/keyfile:指定私钥文件;
-out /path/to/somefile:输出文件位置
##初始化工作环境
[root@localhost ~]# touch /etc/pki/CA/{index.txt,serial}
[root@localhost ~]# echo 01 > /etc/pki/CA/serial
ps:
index.txt:索引文件,用于匹配证书编号;
serial:证书序列号文件,只在首次生成证书时赋值
实例:堡垒机HTTPS安全加密
登录堡垒机
##生成密钥对
[root@localhost ~]# mkdir -p /etc/httpd/ssl
[root@localhost ~]# (umask 077; openssl genrsa -out /etc/httpd/ssl/httpd.key 2048)
##生成证书信息
[root@localhost ~]# openssl req -new -key /etc/httpd/ssl/httpd.key -out /etc/httpd/ssl/httpd.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:CN
State or Province Name (full name) [JS]:JS
Locality Name (eg, city) [SZ]:SZ
Organization Name (eg, company) [JFHY]:JHFY
Organizational Unit Name (eg, section) [JFHY]:JFHY
Common Name (eg, your name or your server's hostname) [jfhy.com]:jfhy.com
Email Address [www]:www
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:www
##将刚刚申请的请求文件发送给CA服务器
[root@localhost ~]# scp /etc/httpd/ssl/httpd.csr root@192.168.1.37:/etc/pki/CA/crl
登录CA服务器
##签署证书
[root@localhost ~]# openssl ca -in /etc/pki/CA/crl/httpd.csr -out /etc/pki/CA/crl/httpd.crt -days 1000
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
The organizationName field needed to be the same in the
CA certificate (JFHY) and the request (JHFY)
##将签名好的证书发送给堡垒机
[root@localhost ~]# scp httpd.crt root@192.168.1.34:/etc/httpd/ssl
吊销证书
登录CA服务器
##获取证书serial
[root@localhost ~]# openssl x509 -in httpd.crt -noout -serial -subject
ps:
x509:证书格式;
-in:要吊销的证书;
-noout:不输出额外信息;
-serial:显示序列号;
-subject:显示subject信息
##CA验证信息
[root@localhost ~]# cd /etc/pki/CA/
[root@localhost CA]# cat index.txt
##吊销证书
[root@localhost CA]# openssl ca -revoke /etc/pki/CA/newcerts/01.pem
##删除证书
查看被吊销的证书列表
[root@localhost CA]# cat /etc/pki/CA/index.txt
生成吊销证书的编号(如果是第一次吊销)
[root@localhost CA]# echo 00 > /etc/pki/CA/crlnumber
更新证书吊销列表
[root@localhost CA]# cd crl
[root@localhost CA]# openssl ca -gencrl -out ca.crl
ps: -gencrl:生成证书吊销列表
错误
如出现以上错误,需要在配置文件中修改https默认443端口 自定义端口 如23443
放通防火墙
firewall-cmd --per --add-port=23443/tcp
firewall-cmd --reload
注意
如果修改了端口,需要在配置文件中修改一下:
-1714440104784)]
如出现以上错误,需要在配置文件中修改https默认443端口 自定义端口 如23443
放通防火墙
firewall-cmd --per --add-port=23443/tcp
firewall-cmd --reload
注意
如果修改了端口,需要在配置文件中修改一下: