标签:country sys emc 配置文件 加密 int security hal local
day03部署CA服务器 (55) 机构名称 tarena
ca服务器主机名 ca.tedu.cn
ip 192.168.4.55
192.168.4.55
1 、部署证书签发环境
]# vim /etc/pki/tls/openssl.cnf
40 [ CA_default ]
42 dir = /etc/pki/CA
43 certs = $dir/certs
45 database = $dir/index.txt
50 certificate = $dir/my-ca.crt
51 serial = $dir/serial
55 private_key = $dir/private/my-ca.key
128 [ req_distinguished_name ]
130 countryName_default = CN 国家
135 stateOrProvinceName_default = beijing 省
138 localityName_default = beijing 城市
141 0.organizationName_default = tarena 公司名称
148 organizationalUnitName_default = ope 部门名称
84 [ policy_match ] // 匹配策略
85 countryName = match
86 stateOrProvinceName = match
87 organizationName = match
88 organizationalUnitName = optional
89 commonName = supplied
90 emailAddress = optional
根据配置文件的设置创建对应的文件
123 echo 01 > /etc/pki/CA/serial
124 cat /etc/pki/CA/serial
125 chmod 600 /etc/pki/CA/serial
118 touch /etc/pki/CA/index.txt
120 cat /etc/pki/CA/index.txt
122 chmod 600 /etc/pki/CA/index.txt
创建私钥文件
#cd /etc/pki/CA/private
#cat my-ca.key
#chmod 600 my-ca.key
Country Name (2 letter code) [CN]:
State or Province Name (full name) [beijing]:
Locality Name (eg, city) [beijing]:
Organization Name (eg, company) [tarena]:
Organizational Unit Name (eg, section) [ope]:
Common Name (eg, your name or your server‘s hostname) []:ca.tedu.cn
Email Address []:plj@163.com
[root@host55 CA]#
+++++++++++++++++++++++++++++++++
共享根证书给客户端 (55)
138 rpm -q httpd || yum -y install httpd
139 mkdir /var/www/html/ca
140 cp /etc/pki/CA/my-ca.crt /var/www/html/ca/
141 chmod +r /var/www/html/ca/my-ca.crt
142 systemctl start httpd
143 systemctl enable httpd
144 setenforce 0
145 systemctl stop firewalld
254客户端的测试(下载根证书并安装根证书)
firefox http://192.168.4.55/ca
++++++++++++++++++++++++++++++++++++++++
配置网站加密 HTTPS
#rpm -q httpd || yum -y install httpd
#echo web53 > /var/www/html/test.html
#systemctl start httpd ; systemctl enable httpd
#netstat -utnalp | grep httpd
客户端访问254
#vim /etc/hosts
192.168.4.53 www.tedu.cn
:wq
www.tedu.cn
http://192.168.4.53/test.html
https://192.168.4.53/test.html
配置网站服务器 192.168.4.53
1 创建私钥文件
#cd /etc/pki/tls/private/
#openssl genrsa 2048 > www.key
2 创建证书请求文件
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:beijing
Organization Name (eg, company) [Default Company Ltd]:tarena
Organizational Unit Name (eg, section) []:ope
Common Name (eg, your name or your server‘s hostname) []:www.tedu.cn
Email Address []:jim@163.com
Please enter the following ‘extra‘ attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@host53 private]#
[root@host53 private]# cat /root/www.csr
3 提交证书请求文件给CA服务器
#scp /root/www.csr 192.168.4.55:/tmp/
配置CA服务器192.168.4.55
1 审核证书请求文件并签发数字证书文件
#ls /tmp/www.csr
#cd /etc/pki/CA/certs
#openssl ca -in /tmp/www.csr > www.crt
2 下发数字证书文件给网站服务器
#scp www.crt 192.168.4.53:/tmp/
3 在 网站服务器 配置 网站服务在运行时,调用私钥文件和数字证书文件,然后重启网站服务
]# vim /etc/httpd/conf.d/ssl.conf
100 SSLCertificateFile /etc/pki/tls/certs/www.crt
107 SSLCertificateKeyFile /etc/pki/tls/private/www.key
:wq
[root@host53 ~]# ls /etc/pki/tls/private/
localhost.key www.key
#systemctl restart httpd
#netstat -utnalp | grep httpd
[root@host53 ~]# netstat -utnalp | grep httpd
tcp6 0 0 :::80 ::: LISTEN 26098/httpd
tcp6 0 0 :::443 ::: LISTEN 26098/httpd
4客户端验证配置192.168.4.254
++++++++++++++++++++++++++++
在主机52 做邮件服务器
能够发邮件(运行postfix服务)
#yum -y install postfix
#systemctl start postfix ; systemctl enable postfix
#netstat -utnalp | grep :25
#ps -C master
113 inet_interfaces = all
116 #inet_interfaces = localhost
419 home_mailbox = Maildir/
:wq
#systemctl restart postfix
添加本地邮箱账号 并测试能否发送邮件
useradd jerry ;echo 123456 | passwd --stdin jerry
useradd lili ;echo 123456 | passwd --stdin lili
jerry@localhost lili@localhost
123456 123456
邮件服务器 192.168.4.52
发件人 lili@localhost
收件人 jerry@localhost
客户端51 测试能否发送邮件
#which telnet
helo pc51 //客户定义主机名
mail from:lili@localhost //发件人
rcpt to:jerry@localhost //收件人
data //写邮件内容
邮件内容
. //提交邮件
quit //断开连接
+++++++++++++++++++++++++++++++++++++++
52 查看邮件是否被投递到用户的邮箱里?
#cd /home
#ls
#cat jerry/Maildir/new/1517275339.Vfd02I4000084M202939.host52
52 能够收邮件(运行dovecot服务)
#rpm -q dovecot
#rpm -qc dovecot
#cd /etc/dovecot/
#ls
#vim conf.d/10-mail.conf
24 mail_location = maildir:~/Maildir
:wq
#vim conf.d/10-auth.conf
10 disable_plaintext_auth = no
:wq
[root@host52 conf.d]# systemctl start dovecot
[root@host52 conf.d]# systemctl enable dovecot
[root@host52 conf.d]# netstat -utnalp | grep :110
[root@host52 conf.d]# netstat -utnalp | grep :143
[root@host52 conf.d]# ps -C dovecot
测试能否收邮件
52:
#which telnet
#yum -y install telnet
#telnet localhost 110 //连接本机收邮件的服务
user jerry //收件人用户名
pass 123456 //邮箱密码
list //列出邮件
retr 1 //查看第1封邮件的内容
quit //断开连接
配置邮件加密
配置邮件服务器 192.168.4.52
1 创建私钥文件
2 创建证书请求文件
3 提交证书请求文件给CA
配置CA服务器192.168.4.55
1 审核证书请求文件并签发
2 下发数字证书文件给邮件服务器
3 在邮件服务器 配置 邮件服务在运行时,调用私钥文件和数字证书文件,然后重启邮件服务
4客户端验证配置192.168.4.254
SECURITY 03: 邮件服务TLS/SSL 、 总结和答疑 、 CA数字证书服务
标签:country sys emc 配置文件 加密 int security hal local
原文地址:http://blog.51cto.com/13478354/2067029