1、对称加密过程由哪三部分组成
答:
- 生成密钥
- 加密文件
- 编码(base64)加密后文件
2、使用 openssl 中的 aes 对称加密算法对文件 file.txt 进行加密,然后解密
答:
openssl enc -e -aes -a -salt -in file.txt -out file.cipher
openssl enc -d -aes -a -salt -in file.cipher -out file.txt
3、搭建CA和申请证书
答:
前提说明:在centos8上搭建CA;在centos7上申请证书
搭建CA过程
- 创建CA所需目录和文件
[root@centos8 ~]#mkdir -p /etc/pki/CA/{private,certs,newcerts,crl}
[root@centos8 ~]#touch /etc/pki/CA/{serial,index.txt}
[root@centos8 ~]#echo 01 > /etc/pki/CA/serial
[root@centos8 ~]#tree /etc/pki/CA/
/etc/pki/CA/
├── certs
├── crl
├── index.txt
├── newcerts
├── private
└── serial
4 directories, 2 files
- 生成CA私钥
[root@centos8 ~]#(umask 077;openssl genrsa -out /etc/pki/CA/private/cakey.pem)
Generating RSA private key, 2048 bit long modulus (2 primes)
..................................+++++
.........+++++
e is 65537 (0x010001)
- 生成CA自签名证书
[root@centos8 ~]#openssl req -new -x509 -days 3650 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Shanghai
Locality Name (eg, city) [Default City]:Shanghai
Organization Name (eg, company) [Default Company Ltd]:magedu
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:centos8
Email Address []:
申请证书过程
- 生成私钥
[root@centos7 ~]#(umask 077;openssl genrsa -out /data/test.key)
Generating RSA private key, 2048 bit long modulus
.............................................................................................................................................................+++
..........................................................+++
e is 65537 (0x10001)
- 生成证书签署请求
[root@centos7 ~]#openssl req -new -key /data/test.key -out /data/test.csr -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Shanghai
Locality Name (eg, city) [Default City]:Shanghai
Organization Name (eg, company) [Default Company Ltd]:magedu
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:centos7
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
- 将请求发送给CA,并颁发证书
[root@centos7 ~]#scp /data/test.csr 10.0.0.8:/data
root@10.0.0.8's password:
test.csr
[root@centos8 ~]#openssl ca -in /data/test.csr -out /etc/pki/CA/certs/test.crt
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Jul 21 05:16:47 2020 GMT
Not After : Jul 21 05:16:47 2021 GMT
Subject:
countryName = CN
stateOrProvinceName = Shanghai
organizationName = magedu
commonName = centos7
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
26:5A:CC:D0:EF:F7:7D:73:33:C3:AF:16:29:C6:30:25:4D:E2:C1:F8
X509v3 Authority Key Identifier:
keyid:A3:87:35:EC:49:7D:22:0A:62:E2:E0:60:25:3A:8B:F4:12:5F:E3:93
Certificate is to be certified until Jul 21 05:16:47 2021 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
4、使用脚本实现多个用户key验证免密登录
ssh-keygen -P "" -f /root/.ssh/id_rsa
while read IP PASSWD;do
sshpass -p $PASSWD ssh-copy-id -o StrictHostKeyChecking=no root@$IP
done < /data/host_passwd.txt
#/data/host_passwd.txt文件用于存放ip地址和密码