I. Building a private CA
1) Check the openssl configuration file: /etc/pki/tls/openssl.cnf
2) Create the files the CA needs
touch /etc/pki/CA/index.txt
echo 01 > /etc/pki/CA/serial
3) Generate the private key for the CA's self-signed certificate
cd /etc/pki/CA
(umask 066;openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048)
4) Generate the self-signed certificate
openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 7300 -out /etc/pki/CA/cacert.pem
-new: generate a new certificate signing request
-x509: CA-only option that produces a self-signed certificate instead of a request
-key: the private key file used to generate the request
-days n: validity period of the certificate
-out /path/to/somecertfile: where to save the certificate
Demo session:
[root@centos6 ~]# ls /etc/pki/CA/
certs crl newcerts private
[root@centos6 ~]# touch /etc/pki/CA/index.txt
[root@centos6 ~]# ll /etc/pki/CA/
total 16
drwxr-xr-x. 2 root root 4096 May 9 22:56 certs
drwxr-xr-x. 2 root root 4096 May 9 22:56 crl
-rw-r--r--. 1 root root 0 Sep 23 07:08 index.txt
drwxr-xr-x. 2 root root 4096 May 9 22:56 newcerts
drwx------. 2 root root 4096 May 9 22:56 private
[root@centos6 ~]# echo 01 > /etc/pki/CA/serial
total 20
-rw-r--r--. 1 root root 3 Sep 23 07:09 serial
[root@centos6 ~]# cd /etc/pki/CA
[root@centos6 CA]# ls
certs crl index.txt newcerts private serial
[root@centos6 CA]# (nmask 066;openssl genrsa -out private/cakey.pem 2048)
-bash: nmask: command not found
Generating RSA private key, 2048 bit long modulus
..................................+++
.............................+++
e is 65537 (0x10001)
[root@centos6 CA]# cd private/
[root@centos6 private]# cat cakey.pem
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----
[root@centos6 private]# ll
total 4
-rw-r--r--. 1 root root 1679 Sep 23 07:10 cakey.pem
[root@centos6 private]# openssl req -new -x509 -key cakey.pem -days 7300 -out ../cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:bj
Organization Name (eg, company) [Default Company Ltd]:chen.com
Organizational Unit Name (eg, section) []:alren_1
Common Name (eg, your name or your server's hostname) []:centos6.localdomain
Email Address []:[email protected]
[root@centos6 private]# cd ../
[root@centos6 CA]# cat cacert.pem
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
[root@centos6 CA]# openssl x509 -in cacert.pem -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 15064049706582178398 (0xd10e416537a87a5e)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=CN, ST=beijing, L=bj, O=chen.com, OU=alren_1, CN=centos6.localdomain/emailAddress=[email protected]
        Validity
            Not Before: Sep 22 23:17:50 2016 GMT
            Not After : Sep 17 23:17:50 2036 GMT
        Subject: C=CN, ST=beijing, L=bj, O=chen.com, OU=alren_1, CN=centos6.localdomain/emailAddress=[email protected]
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                26:A2:98:70:1F:8A:3B:A3:A1:05:0E:8B:79:34:C5:66:FA:B9:A6:D9
            X509v3 Authority Key Identifier:
                keyid:26:A2:98:70:1F:8A:3B:A3:A1:05:0E:8B:79:34:C5:66:FA:B9:A6:D9
            X509v3 Basic Constraints:
                CA:TRUE
[root@centos6 CA]# openssl x509 -in cacert.pem -noout -dates
notBefore=Sep 22 23:17:50 2016 GMT
notAfter=Sep 17 23:17:50 2036 GMT
II. Issuing and revoking certificates
1) Issuing a certificate: generate a certificate request on the host that needs the certificate. First generate a private key for the web server (in this experiment that is a second host)
(umask 066;openssl genrsa -out /etc/httpd/ssl/httpd.key 2048)
2) Generate the certificate signing request
openssl req -new -key /etc/httpd/ssl/httpd.key -days 365 -out /etc/httpd/ssl/httpd.csr
3) Send the request file to the CA; the CA signs it and issues the certificate to the requester. Note: by default the country, province and organization must match the CA's
openssl ca -in /tmp/httpd.csr -out /etc/pki/CA/certs/httpd.crt -days 365
4) View the information in a certificate
openssl x509 -in /path/from/cert_file -noout -text|-subject|-serial|-dates
5) Revoking a certificate: on the client, obtain the serial of the certificate to be revoked
openssl x509 -in /PATH/FROM/CERT_FILE -noout -serial -subject
6) On the CA, check the serial and subject submitted by the client against the entries in index.txt; if they match, revoke the certificate
openssl ca -revoke /etc/pki/CA/newcerts/SERIAL.pem
7) Generate the CRL number (only needed the first time a certificate is revoked)
echo 01 > /etc/pki/CA/crlnumber
8) Update the certificate revocation list and view the CRL file
openssl ca -gencrl -out /etc/pki/CA/crl/ca.crl
openssl crl -in /etc/pki/CA/crl/ca.crl -noout -text
9) Install the mod_ssl module and edit the /etc/httpd/conf.d/ssl.conf configuration file
DocumentRoot "/web/pma"
ServerName www.chen.net:443
<Directory "/web/pma">
AllowOverride All
Options None
require all granted
</Directory>
SSLCertificateFile /etc/httpd/ssl/httpd.crt
SSLCertificateKeyFile /etc/httpd/ssl/httpd.key
Screenshots (images not included): the authorized directory
10) Test
openssl s_client [-connect host:port] [-cert filename] [-CApath directory] [-CAfile filename]
Example:
openssl s_client -connect www.chen.net:443 -CAfile /etc/pki/CA/cacert.pem
curl --cacert /etc/pki/CA/cacert.pem https://www.chen.net/
Screenshot of the result (image not included)
[root@chen ~]# (umask 066;openssl genrsa -out /etc/pki/tls/private/httpd.key 2048)
..................+++
.....................+++
[root@chen ~]# cd /etc/pki/tls/private/
[root@chen private]# cat httpd.key
[root@chen private]# openssl req -new -key /etc/pki/tls/private/httpd.key -days 365 -out httpd.csr
Common Name (eg, your name or your server's hostname) []:www.alren.com
Email Address []:[email protected]
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@chen private]# ls
httpd.csr httpd.key
[root@chen private]# scp httpd.csr 10.1.249.94:
[root@centos6 CA]# cp /root/httpd.csr .
cacert.pem certs crl httpd.csr index.txt newcerts private serial
[root@centos6 CA]# openssl ca -in httpd.csr -out certs/httpd.crt
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
            Not Before: Sep 22 23:43:02 2016 GMT
            Not After : Sep 22 23:43:02 2017 GMT
        Subject:
            countryName = CN
            stateOrProvinceName = beijing
            organizationName = chen.com
            organizationalUnitName = alren_1
            commonName = www.alren.com
            emailAddress = [email protected]
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
                CA:82:B2:CF:4A:A2:49:9B:1D:46:84:04:F8:C6:F6:0D:E0:49:B7:A4
Certificate is to be certified until Sep 22 23:43:02 2017 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
cacert.pem crl index.txt index.txt.old private serial.old
certs httpd.csr index.txt.attr newcerts serial
[root@centos6 CA]# cat index.txt.attr
unique_subject = yes
[root@centos6 CA]# cat index.txt
V 170922234302Z 01 unknown /C=CN/ST=beijing/O=chen.com/OU=alren_1/CN=www.alren.com/emailAddress=[email protected]
[root@centos6 CA]# cat serial
02
[root@centos6 CA]# cd certs/
[root@centos6 certs]# ls
httpd.crt
[root@centos6 certs]# openssl x509 -in httpd.crt -noout -text
        Subject: C=CN, ST=beijing, O=chen.com, OU=alren_1, CN=www.alren.com/emailAddress=[email protected]
[root@centos6 certs]#
[root@centos6 certs]# openssl ca -revoke httpd.crt
Revoking Certificate 01.
[root@centos6 certs]# cd ../
cacert.pem crl index.txt index.txt.attr.old newcerts serial
certs httpd.csr index.txt.attr index.txt.old private serial.old
R 170922234302Z 160922234706Z 01 unknown /C=CN/ST=beijing/O=chen.com/OU=alren_1/CN=www.alren.com/emailAddress=[email protected]
[root@centos6 CA]# echo 01 > crlnumber
[root@centos6 CA]# openssl ca -gencrl -out crl
crl/ crlnumber
[root@centos6 CA]# openssl ca -gencrl -out crl/ca.rcl
[root@centos6 CA]# cat crl/ca.rcl
-----BEGIN X509 CRL-----
-----END X509 CRL-----
[root@centos6 CA]# openssl crl -in crl/ca.rcl -noout -text
Certificate Revocation List (CRL):
        Version 2 (0x1)
        Issuer: /C=CN/ST=beijing/L=bj/O=chen.com/OU=alren_1/CN=centos6.localdomain/emailAddress=[email protected]
        Last Update: Sep 22 23:50:54 2016 GMT
        Next Update: Oct 22 23:50:54 2016 GMT
        CRL extensions:
            X509v3 CRL Number:
                1
Revoked Certificates:
    Serial Number: 01
        Revocation Date: Sep 22 23:47:06 2016 GMT
[root@centos6 CA]#
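The two procedures above (building the CA in part I; issuing, revoking and publishing a CRL in part II) run end to end as an added shell example; it is not code from the original post. It assumes an openssl binary on PATH, works in a throwaway directory with its own minimal openssl.cnf instead of /etc/pki/tls/openssl.cnf, passes -subj and -batch so nothing prompts, and also checks the permission point the session above makes by accident: the `nmask` typo left cakey.pem at mode 0644.

```shell
#!/bin/sh
# Added example, not code from the original post: the post's CA workflow run
# non-interactively in a throwaway directory so it can be checked end to end.
# Builds the CA, issues a server certificate from a CSR, revokes it, publishes
# a CRL, and confirms that verification fails once the CRL is consulted.
set -e
# Minimal openssl.cnf so nothing depends on /etc/pki/tls/openssl.cnf.
# policy_match mirrors the stock file: C, ST and O of each request must equal
# the CA's own values (the caveat in step 3 of part II).
write_ca_config() {
    cat > "$1/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $1
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
crlnumber = \$dir/crlnumber
certificate = \$dir/cacert.pem
private_key = \$dir/private/cakey.pem
default_md = sha256
default_crl_days = 30
policy = policy_match
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
commonName = supplied
[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
EOF
}

# Part I: database files and a CA key created under umask 066, as in the post.
build_ca() {
    dir=$1
    mkdir -p "$dir/certs" "$dir/crl" "$dir/newcerts" "$dir/private"
    touch "$dir/index.txt"; echo 01 > "$dir/serial"; echo 01 > "$dir/crlnumber"
    write_ca_config "$dir"
    (umask 066; openssl genrsa -out "$dir/private/cakey.pem" 2048 2>/dev/null)
    # The post's session typed `nmask` and left cakey.pem at 0644; stop here
    # unless the key really ended up 0600.
    [ -n "$(find "$dir/private/cakey.pem" -perm 600)" ] || return 1
    openssl req -new -x509 -key "$dir/private/cakey.pem" -days 7300 \
        -config "$dir/openssl.cnf" -out "$dir/cacert.pem" \
        -subj "/C=CN/ST=beijing/L=bj/O=chen.com/CN=centos6.localdomain"
}

# Part II steps 1-3: server key, CSR and CA signature (-batch replaces the y/n
# prompts). -days belongs to `openssl ca`; `openssl req` without -x509 ignores it.
issue_server_cert() {
    dir=$1; cn=$2
    (umask 066; openssl genrsa -out "$dir/httpd.key" 2048 2>/dev/null)
    openssl req -new -key "$dir/httpd.key" -config "$dir/openssl.cnf" \
        -subj "/C=CN/ST=beijing/O=chen.com/CN=$cn" -out "$dir/httpd.csr"
    openssl ca -batch -notext -config "$dir/openssl.cnf" -days 365 \
        -in "$dir/httpd.csr" -out "$dir/certs/httpd.crt" >/dev/null 2>&1
}

# Part II steps 5-8: revoke by certificate file, then regenerate the CRL.
revoke_and_publish_crl() {
    openssl ca -config "$1/openssl.cnf" -revoke "$1/certs/httpd.crt" >/dev/null 2>&1
    openssl ca -config "$1/openssl.cnf" -gencrl -out "$1/crl/ca.crl" >/dev/null 2>&1
}

# Returns 0 only when openssl verify reports "<cert>: OK"; extra arguments
# (for example -crl_check -CRLfile FILE) are passed through to verify.
verify_ok() {
    dir=$1; shift
    out=$(openssl verify -CAfile "$dir/cacert.pem" "$@" "$dir/certs/httpd.crt" 2>&1) || return 1
    case $out in *": OK"*) return 0 ;; *) return 1 ;; esac
}

# Whole flow; prints "revoked-ok" when the CRL actually blocks the certificate.
demo() {
    dir=$(mktemp -d)
    build_ca "$dir"
    issue_server_cert "$dir" www.alren.com
    verify_ok "$dir" || return 1
    revoke_and_publish_crl "$dir"
    grep -q '^R' "$dir/index.txt" || return 1       # index.txt status flips V -> R
    if verify_ok "$dir" -crl_check -CRLfile "$dir/crl/ca.crl"; then return 1; fi
    rm -rf "$dir"; echo revoked-ok
}
```

Source the file and call `demo`; a plain `openssl verify -CAfile cacert.pem` still says OK after revocation, which is why the last check passes `-crl_check` and the CRL.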
A small tip for copying files between hosts:
When logging in remotely with ssh, if it reports "remote host identification has changed!", just clear the ~/.ssh/known_hosts file, because the system has detected that the RSA host key changed. Clear that file and reconnect.
[root@centos6 ~]# ssh 10.1.229.40
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
3d:bb:7b:99:51:b3:9f:b8:81:4e:fd:6e:b5:ac:92:02.
Please contact your system administrator.
Add correct host key in /root/.ssh/known_hosts to get rid of this message.
Offending key in /root/.ssh/known_hosts:1
RSA host key for 10.1.229.40 has changed and you have requested strict checking.
Host key verification failed.
[root@centos6 .ssh]#
[root@centos6 .ssh]# ssh [email protected]
The authenticity of host '10.1.249.93 (10.1.249.93)' can't be established.
RSA key fingerprint is d3:e3:99:1d:b6:00:fe:18:26:58:a5:7d:eb:14:c3:57.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.1.229.93' (RSA) to the list of known hosts.
[email protected]'s password:
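As an added example (not from the original post), a narrower version of the tip above: remove only the known_hosts lines for the host whose key changed, keeping a copy of the old file so the old fingerprint can still be compared with the one the server's administrator reports. The sample known_hosts content is constructed, and forget_host_key and write_sample_known_hosts are names chosen here.

```shell
#!/bin/sh
# Added example (not from the original post): instead of deleting the whole
# ~/.ssh/known_hosts, drop only the lines for the host whose key changed and
# keep a copy of the old file. Handles plain entries, including comma-separated
# host lists; hashed entries (|1|...) are left untouched and need
# `ssh-keygen -R HOST` instead.

# forget_host_key FILE HOST  -> prints how many lines were removed
forget_host_key() {
    file=$1; host=$2
    cp "$file" "$file.old"
    awk -v h="$host" '
        /^[|#]/ || NF < 3 { print; next }      # hashed, comment or blank: keep
        {
            n = split($1, hosts, ","); drop = 0
            for (i = 1; i <= n; i++) if (hosts[i] == h) drop = 1
            if (!drop) print
        }' "$file.old" > "$file"
    echo $(( $(wc -l < "$file.old") - $(wc -l < "$file") ))
}

# Constructed sample file: the two hosts from the session above plus one hashed
# entry; the key material is placeholder text, not real keys.
write_sample_known_hosts() {
    printf '%s\n' \
        '10.1.229.40 ssh-rsa AAAAB3NzaC1yc2E-constructed-old-key' \
        '10.1.229.93,centos6 ssh-rsa AAAAB3NzaC1yc2E-constructed-key-2' \
        '|1|constructedsalt=|constructedhash= ssh-rsa AAAAB3NzaC1yc2E-constructed-key-3' \
        > "$1"
}
```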
This article is reposted from chengong1013's 51CTO blog; original link: http://blog.51cto.com/purify/1856060. Please contact the original author before reproducing it.