Summary: This 风哥教程 tutorial draws on the official documentation of Linux, Red Hat Enterprise Linux, Ansible Automation Platform, Docker, Kubernetes and Podman, and explains in detail how to configure and use the relevant technologies.
This document describes how to manage SSL/TLS certificates.
风哥 tip:
Part01-OpenSSL Basics
1.1 Using OpenSSL
$ openssl version
OpenSSL 3.0.1 14 Dec 2021
# Generate a private key
$ openssl genrsa -out private.key 2048
# Derive the public key from the private key
$ openssl rsa -in private.key -pubout -out public.key
# Generate a certificate signing request (CSR); OpenSSL prompts for the subject fields
$ openssl req -new -key private.key -out request.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
Country Name (2 letter code) [XX]: CN
State or Province Name (full name) []: Beijing
Locality Name (eg, city) [Default City]: Beijing
Organization Name (eg, company) [Default Company Ltd]: Example Inc
Organizational Unit Name (eg, section) []: IT
Common Name (eg, your name or your server's hostname) []: www.fgedu.net.cn
Email Address []: admin@fgedu.net.cn
# Generate a self-signed certificate
$ openssl req -x509 -nodes -days 365 -key private.key -out certificate.crt
# Inspect a certificate
$ openssl x509 -in certificate.crt -text -noout
# Inspect a CSR
$ openssl req -in request.csr -text -noout
# Verify a certificate against a CA certificate
$ openssl verify -CAfile ca.crt certificate.crt
certificate.crt: OK
Part02-CA Configuration
2.1 Setting up a private CA
$ mkdir -p /etc/pki/CA/{certs,crl,newcerts,private}
$ touch /etc/pki/CA/index.txt
$ echo 01 > /etc/pki/CA/serial
$ echo 01 > /etc/pki/CA/crlnumber
# Generate the CA private key
$ openssl genrsa -out /etc/pki/CA/private/ca.key 4096
# Generate the CA certificate
$ openssl req -x509 -new -nodes -key /etc/pki/CA/private/ca.key \
-sha256 -days 3650 -out /etc/pki/CA/certs/ca.crt
# Configure the CA in its own file, so the system openssl.cnf that `openssl req` depends on is not overwritten
$ sudo tee /etc/pki/CA/openssl.cnf << 'EOF'
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = /etc/pki/CA
certs = $dir/certs
crl_dir = $dir/crl
new_certs_dir = $dir/newcerts
database = $dir/index.txt
serial = $dir/serial
RANDFILE = $dir/private/.rand
private_key = $dir/private/ca.key
certificate = $dir/certs/ca.crt
crlnumber = $dir/crlnumber
crl = $dir/crl.pem
crl_extensions = crl_ext
default_crl_days = 30
default_md = sha256
name_opt = ca_default
cert_opt = ca_default
default_days = 375
preserve = no
policy = policy_strict
# policy_strict: C, ST and O in the CSR must match the CA certificate
[ policy_strict ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ crl_ext ]
authorityKeyIdentifier = keyid:always
EOF
# Issue a certificate from the CSR
$ openssl ca -config /etc/pki/CA/openssl.cnf -in request.csr -out certificate.crt -cert /etc/pki/CA/certs/ca.crt -keyfile /etc/pki/CA/private/ca.key
# Revoke a certificate
$ openssl ca -config /etc/pki/CA/openssl.cnf -revoke certificate.crt -cert /etc/pki/CA/certs/ca.crt -keyfile /etc/pki/CA/private/ca.key
# Generate the CRL
$ openssl ca -config /etc/pki/CA/openssl.cnf -gencrl -out /etc/pki/CA/crl.pem
Part03-Certbot Configuration
3.1 Using Let's Encrypt
$ sudo dnf install -y certbot
# Obtain a certificate (standalone mode binds port 80 itself)
$ sudo certbot certonly --standalone -d www.fgedu.net.cn
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for www.fgedu.net.cn
Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/www.fgedu.net.cn/fullchain.pem
Key is saved at: /etc/letsencrypt/live/www.fgedu.net.cn/privkey.pem
# Obtain a certificate using the webroot method
$ sudo certbot certonly --webroot -w /var/www/html -d www.fgedu.net.cn
# Use DNS validation
$ sudo certbot certonly --manual --preferred-challenges dns -d www.fgedu.net.cn
# Configure Nginx to use the certificate
$ sudo tee /etc/nginx/conf.d/ssl.conf << 'EOF'
server {
listen 443 ssl http2;
server_name www.fgedu.net.cn;
ssl_certificate /etc/letsencrypt/live/www.fgedu.net.cn/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/www.fgedu.net.cn/privkey.pem;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
location / {
proxy_pass http://localhost:8080;
}
}
EOF
# Automatic renewal
$ sudo crontab -e
0 0 1 * * /usr/bin/certbot renew --quiet --post-hook "systemctl reload nginx"
# Test renewal
$ sudo certbot renew --dry-run
Part04-Certificate Management
4.1 Certificate management script
$ cat > /usr/local/bin/cert-manager.sh << 'EOF'
#!/bin/bash
CERT_DIR="/etc/pki/tls/certs"
KEY_DIR="/etc/pki/tls/private"
DAYS=365

# Create a new RSA key and a self-signed certificate for a domain
create_cert() {
    local domain=$1
    openssl req -x509 -nodes -days "$DAYS" \
        -newkey rsa:2048 \
        -keyout "$KEY_DIR/$domain.key" \
        -out "$CERT_DIR/$domain.crt" \
        -subj "/C=CN/ST=Beijing/L=Beijing/O=Example/CN=$domain"
    echo "Certificate created for $domain"
}

# Print the validity period of an existing certificate
check_cert() {
    local domain=$1
    openssl x509 -in "$CERT_DIR/$domain.crt" -noout -dates
}

# Re-sign a certificate with the existing key
renew_cert() {
    local domain=$1
    openssl req -x509 -nodes -days "$DAYS" \
        -key "$KEY_DIR/$domain.key" \
        -out "$CERT_DIR/$domain.crt" \
        -subj "/C=CN/ST=Beijing/L=Beijing/O=Example/CN=$domain"
    echo "Certificate renewed for $domain"
}

case "$1" in
    create) create_cert "$2" ;;
    check) check_cert "$2" ;;
    renew) renew_cert "$2" ;;
    *)
        echo "Usage: $0 {create|check|renew} domain"
        exit 1
        ;;
esac
EOF
$ chmod +x /usr/local/bin/cert-manager.sh
# Using the script
$ sudo /usr/local/bin/cert-manager.sh create www.fgedu.net.cn
$ sudo /usr/local/bin/cert-manager.sh check www.fgedu.net.cn
$ sudo /usr/local/bin/cert-manager.sh renew www.fgedu.net.cn
1. Use strong keys (RSA 2048 bits or more)
2. Renew certificates regularly
3. Keep private keys secure
4. Use a trusted CA
5. Monitor certificate expiry
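The check_cert function above only prints the validity dates, while best practice 5 calls for monitoring. The following is an added example, not part of the original tutorial: a cron-friendly expiry monitor that turns a certificate's notAfter date into days remaining and a Nagios-style exit status. It assumes GNU date (-d) and the openssl CLI; the WARN_DAYS threshold, the function names and the script name are my own choices.

```bash
#!/bin/bash
# Added example (not from the original tutorial): certificate expiry monitor.
# Assumes GNU date (-d) and the openssl CLI; WARN_DAYS is an assumed default.
WARN_DAYS=${WARN_DAYS:-30}   # warn when fewer days than this remain

# days_until "<notAfter>" -> whole days until expiry (negative once expired).
# Accepts the raw "notAfter=..." line printed by `openssl x509 -enddate`.
days_until() {
    local not_after=${1#notAfter=} exp_epoch now_epoch diff days
    exp_epoch=$(date -u -d "$not_after" +%s) || return 2
    now_epoch=$(date -u +%s)
    diff=$((exp_epoch - now_epoch))
    days=$((diff / 86400))
    # bash truncates toward zero; floor so a cert expired an hour ago is -1, not 0
    (( diff < 0 && diff % 86400 != 0 )) && days=$((days - 1))
    echo "$days"
}

# classify <days> -> prints OK|WARNING|EXPIRED with exit status 0|1|2
classify() {
    if (( $1 < 0 )); then echo EXPIRED; return 2; fi
    if (( $1 < WARN_DAYS )); then echo WARNING; return 1; fi
    echo OK
}

# check_cert <file.crt> -> "<file> <status> <days>d", exit status from classify
check_cert() {
    local cert=$1 end days status rc
    end=$(openssl x509 -in "$cert" -noout -enddate) || { echo "$cert UNREADABLE"; return 3; }
    days=$(days_until "$end") || { echo "$cert BAD-DATE"; return 3; }
    status=$(classify "$days") && rc=0 || rc=$?
    echo "$cert $status ${days}d"
    return "$rc"
}

# check_dir <dir> -> checks every *.crt; exit status is the worst one seen
check_dir() {
    local worst=0 rc f
    for f in "$1"/*.crt; do
        [ -e "$f" ] || continue
        check_cert "$f" && rc=0 || rc=$?
        (( rc > worst )) && worst=$rc
    done
    return "$worst"
}

# Usage from cron: WARN_DAYS=30 cert-expiry-check.sh /etc/pki/tls/certs || notify
if [ $# -gt 0 ]; then check_dir "$1"; fi
```

A non-zero exit from check_dir is what a cron mail or monitoring hook should key on; the per-line output tells you which file and how many days remain.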
This article was compiled and published by 风哥教程 for learning and testing purposes only; when republishing, cite the source: http://www.fgedu.net.cn/10327.html
