2022-03-06

1、创建私有CA并进行证书申请。
创建CA相关目录和文件

[root@centos8 ~]# mkdir -pv /etc/pki/CA/{certs,crl,newcerts,private}
mkdir: created directory '/etc/pki/CA'
mkdir: created directory '/etc/pki/CA/certs'
mkdir: created directory '/etc/pki/CA/crl'
mkdir: created directory '/etc/pki/CA/newcerts'
mkdir: created directory '/etc/pki/CA/private'

[root@centos8 ~]# tree /etc/pki/CA/
/etc/pki/CA/
├── certs
├── crl
├── newcerts
└── private
4 directories, 0 files

[root@centos8 ~]# touch /etc/pki/CA/index.txt

[root@centos8 ~]# echo 0F > /etc/pki/CA/serial

创建CA的私钥

[root@centos8 ~]# cd /etc/pki/CA/

[root@centos8 CA]# (umask 066; openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus (2 primes)
..........................................................................+++++
.............................+++++
e is 65537 (0x010001)

[root@centos8 CA]# tree
.
├── certs
├── crl
├── index.txt
├── newcerts
├── private
│   └── cakey.pem
└── serial

4 directories, 3 files

[root@centos8 CA]# ll private/
total 4
-rw------- 1 root root 1679 Mar  7 03:25 cakey.pem
[root@centos8 CA]# cat private/cakey.pem
-----BEGIN RSA PRIVATE KEY-----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-----END RSA PRIVATE KEY-----

给CA颁发自签名证书

[root@centos8 ~]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 3650 -out /etc/pki/CA/cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:zhejiang
Locality Name (eg, city) [Default City]:hangzhou
Organization Name (eg, company) [Default Company Ltd]:sakura.com
Organizational Unit Name (eg, section) []:devops
Common Name (eg, your name or your server hostname) []:ca.sakura.com
Email Address []:[email protected]

[root@centos8 ~]# tree /etc/pki/CA
/etc/pki/CA
├── cacert.pem
├── certs
├── crl
├── index.txt
├── newcerts
├── private
│   └── cakey.pem
└── serial

4 directories, 4 files

[root@centos8 ~]# openssl x509 -in /etc/pki/CA/cacert.pem -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            74:5e:8c:7c:f5:00:34:3f:32:68:24:1d:2f:70:2b:62:08:ec:23:96
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = CN, ST = zhejiang, L = hangzhou, O = sakura.com, OU = devops, CN = ca.sakura.com, emailAddress = [email protected]
        Validity
            Not Before: Mar  6 19:31:52 2022 GMT
            Not After : Mar  3 19:31:52 2032 GMT
        Subject: C = CN, ST = zhejiang, L = hangzhou, O = sakura.com, OU = devops, CN = ca.sakura.com, emailAddress = [email protected]
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:b3:60:00:f0:74:96:7a:72:dc:95:3f:48:e9:7e:
                    db:f6:08:e2:71:29:bf:34:58:a3:32:03:48:d0:cc:
                    bb:82:73:31:66:e8:f2:d7:ee:91:37:4a:f3:1e:d9:
                    1d:07:e6:98:ba:f2:ea:23:13:a0:6c:94:01:72:14:
                    90:5a:27:ce:86:0f:44:26:74:57:3e:fd:d7:66:fd:
                    d0:19:be:53:de:42:05:92:d1:6c:1b:d9:6a:2c:de:
                    0e:46:7e:cd:42:ff:d4:92:0d:56:80:c8:8d:bc:1a:
                    84:a2:b1:c4:e8:d8:ac:67:a3:c0:f0:91:c8:51:ed:
                    7f:1a:c7:5c:50:67:e2:f5:a3:2f:35:ce:e8:83:f9:
                    8a:0a:f3:63:f7:2e:c2:38:52:65:c7:e1:cc:35:d6:
                    ab:5c:0b:77:30:a7:e4:22:16:8d:8c:8f:05:2c:13:
                    45:b3:02:01:b9:7c:51:27:07:43:1a:bf:5c:ac:b5:
                    26:02:1a:cc:92:ae:c0:6b:be:1a:e2:3a:24:8c:13:
                    68:38:84:86:43:37:85:10:ac:b2:33:f2:88:3d:1a:
                    97:bd:52:4c:46:a9:aa:42:37:e5:fd:17:09:ae:9a:
                    dc:54:d0:a2:9d:83:33:fa:5e:ce:50:c0:36:4b:15:
                    9d:64:94:34:6d:f7:0a:6f:79:6d:37:e7:98:6f:21:
                    e5:09
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                C7:F6:04:27:18:EF:C3:48:2B:3F:3B:47:79:97:D3:22:B8:72:99:C9
            X509v3 Authority Key Identifier: 
                keyid:C7:F6:04:27:18:EF:C3:48:2B:3F:3B:47:79:97:D3:22:B8:72:99:C9

            X509v3 Basic Constraints: critical
                CA:TRUE
    Signature Algorithm: sha256WithRSAEncryption
         8b:c4:d6:06:7d:38:23:f1:09:0c:54:05:47:3d:97:ef:49:0c:
         4a:33:7d:4f:08:14:4c:0a:4e:94:1a:45:d4:37:62:17:dc:ed:
         e6:d3:95:bc:6b:89:e9:7a:ff:ef:26:e1:c5:ca:9a:77:b6:f9:
         bf:1d:8a:a4:1d:98:c0:a9:3b:4d:6d:64:df:63:21:4b:6c:1a:
         88:19:48:0e:bf:bf:30:ed:b4:67:e6:ec:26:23:fe:eb:90:82:
         fd:65:70:ed:19:9f:19:2d:a3:06:b6:1a:c9:93:0d:09:3f:89:
         f7:c4:c8:8a:49:1e:97:f2:e4:11:6f:c6:1f:53:ef:59:6d:a0:
         70:76:53:db:0a:78:98:95:d6:aa:8a:28:82:a9:b1:19:b7:7a:
         08:49:3a:70:f4:07:03:7b:93:81:5b:d3:28:f6:8f:d3:4f:20:
         0a:07:14:c2:fd:b3:31:51:ee:9a:f2:a7:bf:8e:a1:91:fb:b2:
         da:96:9b:b7:fa:c2:59:5c:4d:67:d7:65:b1:ac:f1:51:7c:14:
         80:b0:54:4e:9a:54:8f:05:f9:18:57:72:c8:f5:d7:c2:69:3e:
         8a:cc:a3:be:be:94:18:f3:eb:d0:7e:62:60:1a:13:94:1b:42:
         a9:6a:65:43:3b:63:ff:46:70:87:43:02:a0:d5:ca:94:9e:81:
         ab:fb:08:eb

用户生成私钥和证书申请

[root@centos8 ~]# mkdir /data/app1

#生成私钥文件
[root@centos8 ~]# (umask 066; openssl genrsa -out /data/app1/app1.key 2048)
Generating RSA private key, 2048 bit long modulus (2 primes)
..................................+++++
...+++++
e is 65537 (0x010001)

[root@centos8 ~]# cat /data/app1/app1.key
-----BEGIN RSA PRIVATE KEY-----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-----END RSA PRIVATE KEY-----

#生成证书申请文件
[root@centos8 ~]# openssl req -new -key /data/app1/app1.key -out /data/app1/app1.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:zhejiang
Locality Name (eg, city) [Default City]:hz
Organization Name (eg, company) [Default Company Ltd]:sakura.com
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server hostname) []:app.sakura.com
Email Address []:[email protected]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

[root@centos8 ~]# ll /data/app1/
total 8
-rw-r--r-- 1 root root 1106 Mar  7 03:43 app1.csr
-rw------- 1 root root 1675 Mar  7 03:40 app1.key

CA颁发证书

[root@centos8 ~]# openssl ca -in /data/app1/app1.csr -out /etc/pki/CA/certs/app1.crt -days 1000
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 15 (0xf)
        Validity
            Not Before: Mar  6 19:57:25 2022 GMT
            Not After : Nov 30 19:57:25 2024 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = zhejiang
            organizationName          = sakura.com
            organizationalUnitName    = IT
            commonName                = app.sakura.com
            emailAddress              = [email protected]
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                DB:95:EF:24:08:00:83:3B:DA:E0:2F:29:AF:FB:94:D4:1B:7C:2F:35
            X509v3 Authority Key Identifier: 
                keyid:C7:F6:04:27:18:EF:C3:48:2B:3F:3B:47:79:97:D3:22:B8:72:99:C9

Certificate is to be certified until Nov 30 19:57:25 2024 GMT (1000 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

[root@centos8 ~]# tree /etc/pki/CA
/etc/pki/CA
├── cacert.pem
├── certs
│   └── app1.crt
├── crl
├── index.txt
├── index.txt.attr
├── index.txt.old
├── newcerts
│   └── 0F.pem
├── private
│   └── cakey.pem
├── serial
└── serial.old

4 directories, 9 files

2、总结ssh常用参数、用法
ssh基础知识

ssh: secure shell protocol, 22/tcp,安全的远程登录,实现加密通信,代替传统的 telnet 协议。SSH 协议版本:v1:基于CRC-32做MAC,不安全,易受 man-in-the-middle(中间人)攻击;v2:双方主机协商安全的MAC方式,基于DH算法做密钥交换,基于RSA或DSA实现身份认证。常用软件:CentOS 默认安装的OpenSSH,以及另一个实现ssh协议的开源项目dropbear。

命令格式

ssh [user@]host [COMMAND]
ssh [-l user] host [COMMAND]

常用选项

-p port #远程服务器监听的端口,默认为22,一般生产环境中都会修改成其他的端口
-b #指定连接的源IP
-v #调试模式
-C #压缩方式
-X #支持x11转发
-t #强制伪tty分配,如:ssh -t remoteserver1 ssh -t remoteserver2 ssh remoteserver3
-o option #指定配置选项,如:-o StrictHostKeyChecking=no(即不检查远程主机密钥)
-i  #指定私钥文件路径,实现基于key验证,默认使用文件: ~/.ssh/id_dsa,~/.ssh/id_ecdsa, ~/.ssh/id_ed25519,~/.ssh/id_rsa等

3、总结sshd服务常用参数。

主要参数及默认值 基本作用和用途
Port 22 sshd服务的默认端口,生产中常会修改为其他端口,如2222、8822,可以提高安全性
ListenAddress 0.0.0.0 设定sshd服务监听的IP地址,一般保持0.0.0.0
Protocol 2 SSH协议版本
HostKey /etc/ssh/ssh_host_rsa_key SSH协议版本为2时,RSA私钥存放的位置。
HostKey /etc/ssh/ssh_host_dsa_key SSH协议版本为2时,DSA私钥存放的位置。
PermitRootLogin yes 设定是否允许root用户直接登录
StrictModes yes 当远程用户私钥改变时则直接拒绝连接
MaxAuthTries 6 每个连接允许的最大认证尝试(密码输错)次数
MaxSessions 10 同时连接的最大终端数
PasswordAuthentication yes 是否允许密码验证,默认允许
PermitEmptyPasswords no 是否允许空密码登录(不安全),默认为不允许
AllowAgentForwarding yes 是否允许ssh-agent转发,默认打开
AllowTcpForwarding yes 是否允许TCP端口转发
GatewayPorts no 若要让远程端口转发监听在非本地地址并实现网关功能,此项必须设定为yes
LoginGraceTime 2m 登录时在此时间内未完成认证(如未输入密码),则自动断开连接
ClientAliveInterval 0 间隔多久客户端和服务器端没有操作就断开连接
ClientAliveCountMax 3 检测几次后发现没有操作断开,此项和上一项结合一起使用
UseDNS no 是否对客户端地址做DNS反向名称解析,默认不启用
GSSAPIAuthentication no GSSAPI的认证
MaxStartups 10:30:100 未验证的最大连接数
Banner none 登录前提示的信息
AllowUsers 允许哪些用户登录(白名单)
DenyUsers 不允许哪些用户登录(黑名单)
AllowGroups 允许哪些组登录(白名单)
DenyGroups 不允许哪些组登录(黑名单)

4、搭建dhcp服务,实现ip地址申请分发

[root@sakura:~] # yum -y install dhcp-server
[root@sakura:~] # vim /etc/dhcp/dhcpd.conf
# dhcpd.conf
#
# Sample configuration file for ISC dhcpd
#

# option definitions common to all supported networks...
# NOTE(review): "sarkura.com" differs from the "sakura.com" used elsewhere
# in these notes -- confirm the intended spelling before deploying.
option domain-name "sarkura.com";
option domain-name-servers 180.76.76.76,223.5.5.5;

# NOTE(review): default-lease-time (84600) is larger than max-lease-time
# (7200); dhcpd clamps every lease to max-lease-time, so the default as
# written is never granted. 86400 (one day) was probably intended, with a
# max-lease-time of at least that value.
default-lease-time 84600;
max-lease-time 7200;

# Use this to enable / disable dynamic dns updates globally.
#ddns-update-style none;

# If this DHCP server is the official DHCP server for the local
# network, the authoritative directive should be uncommented.
# NOTE(review): still commented out here, so this server will not NAK
# clients holding stale leases from another server on this subnet.
#authoritative;

# Use this to send dhcp log messages to a different log file (you also
# have to hack syslog.conf to complete the redirection).
log-facility local7;

# No service will be given on this subnet, but declaring it helps the
# DHCP server to understand the network topology.
# NOTE(review): the template comment above is stale -- the subnet below
# declares a range and therefore does hand out addresses.

subnet 10.0.0.0 netmask 255.255.255.0 {
 # address pool offered to clients
 range 10.0.0.170 10.0.0.200;
 # default gateway advertised to clients
 option routers 10.0.0.2;
 # PXE boot: TFTP server and boot file name handed to network-booting clients.
 # NOTE(review): DHCP/TFTP carry no authentication, so the host at 10.0.0.8
 # and the image it serves must be treated as trusted infrastructure.
 next-server 10.0.0.8;
 filename "pxelinux.0";
}
[root@sakura:~] # systemctl enable --now dhcpd
