Week 10 Study Assignment
Posted by 三石头
tags:
1. Set up OpenVPN on an Alibaba Cloud server (optional, for those who have one). This write-up builds the environment in VMware Workstation instead.
Environment topology diagram (image not included)
Install the required packages
Install openvpn and the certificate-management package easy-rsa (the epel-release repository must be configured first)
[root@centos84 ~]# yum list openvpn
Last metadata expiration check: 0:06:54 ago on Sat 19 Feb 2022 10:24:31 PM CST.
Installed Packages
openvpn.x86_64 2.4.11-1.el8 @epel
[root@centos84 ~]# yum list easy-rsa
Last metadata expiration check: 0:07:09 ago on Sat 19 Feb 2022 10:24:31 PM CST.
Installed Packages
easy-rsa.noarch 3.0.8-1.el8
[root@centos84 ~]# yum install openvpn easy-rsa -y
## Inspect the installed packages and the files they own
[root@centos84 ~]# rpm -qi openvpn easy-rsa
[root@centos84 ~]# rpm -ql openvpn
[root@centos84 ~]# rpm -ql easy-rsa
Prepare the related files
## Create the server configuration file from the shipped sample
[root@centos84 ~]# cp /usr/share/doc/openvpn/sample/sample-config-files/server.conf /etc/openvpn/
## Prepare the certificate-issuing tooling (a private copy of easy-rsa for the server side)
[root@centos84 ~]# cp -r /usr/share/easy-rsa/ /etc/openvpn/easy-rsa-server
## Prepare the variables file that controls certificate issuing (3 is a symlink to 3.0.8 in the copied tree, which is why easyrsa later reports .../3.0.8/vars)
[root@centos84 ~]# cp /usr/share/doc/easy-rsa/vars.example /etc/openvpn/easy-rsa-server/3/vars
# It is advisable to lengthen the validity of the certificates issued to the CA and to the OpenVPN server.
# Keep in mind that a longer lifetime means a compromised key stays trusted until it is revoked
# (./easyrsa revoke followed by ./easyrsa gen-crl), so the CRL must actually be deployed on the server.
# The CA certificate defaults to 10 years; it can be extended, for example to 36500 days
#set_var EASYRSA_CA_EXPIRE 3650
set_var EASYRSA_CA_EXPIRE 36500
# The server certificate defaults to 825 days; it can be extended, for example to 3650 days
#set_var EASYRSA_CERT_EXPIRE 825
# change the line above to the line below
set_var EASYRSA_CERT_EXPIRE 3650
Prepare the certificates and related files
Initialize the PKI and the CA certificate-issuing environment
## Usage help for the easyrsa script
[root@centos84 ~]# cd /etc/openvpn/easy-rsa-server/3/
[root@centos84 3]# ls
easyrsa openssl-easyrsa.cnf vars x509-types
[root@centos84 3]# pwd
/etc/openvpn/easy-rsa-server/3
[root@centos84 3]# ./easyrsa
Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa-server/3.0.8/vars
Easy-RSA 3 usage and overview
USAGE: easyrsa [options] COMMAND [command-options]
A list of commands is shown below. To get detailed usage and help for a
command, run:
./easyrsa help COMMAND
For a listing of options that can be supplied before the command, use:
./easyrsa help options
Here is the list of commands available with a short syntax reminder. Use the
help command above to get full usage details.
init-pki
build-ca [ cmd-opts ]
gen-dh
gen-req <filename_base> [ cmd-opts ]
sign-req <type> <filename_base>
build-client-full <filename_base> [ cmd-opts ]
build-server-full <filename_base> [ cmd-opts ]
revoke <filename_base> [cmd-opts]
renew <filename_base> [cmd-opts]
build-serverClient-full <filename_base> [ cmd-opts ]
gen-crl
update-db
show-req <filename_base> [ cmd-opts ]
show-cert <filename_base> [ cmd-opts ]
show-ca [ cmd-opts ]
import-req <request_file_path> <short_basename>
export-p7 <filename_base> [ cmd-opts ]
export-p8 <filename_base> [ cmd-opts ]
export-p12 <filename_base> [ cmd-opts ]
set-rsa-pass <filename_base> [ cmd-opts ]
set-ec-pass <filename_base> [ cmd-opts ]
upgrade <type>
DIRECTORY STATUS (commands would take effect on these locations)
EASYRSA: /etc/openvpn/easy-rsa-server/3.0.8
PKI: /etc/openvpn/easy-rsa-server/3/pki
## Initialize the PKI; this creates the pki directory and its files under the current directory
[root@centos84 3]# ./easyrsa init-pki
Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa-server/3.0.8/vars
init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /etc/openvpn/easy-rsa-server/3/pki
[root@centos84 3]# tree
.
├── easyrsa
├── openssl-easyrsa.cnf
├── pki
│ ├── openssl-easyrsa.cnf
│ ├── private
│ ├── reqs
│ └── safessl-easyrsa.cnf
├── vars
└── x509-types
├── ca
├── client
├── code-signing
├── COMMON
├── kdc
├── server
└── serverClient
4 directories, 13 files
Create the CA
[root@centos84 3]# tree pki/
pki/
├── openssl-easyrsa.cnf
├── private
├── reqs
└── safessl-easyrsa.cnf
2 directories, 2 files
[root@centos84 3]# ./easyrsa build-ca nopass ## nopass writes ca.key unencrypted; keep pki/private/ readable by root only
Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa-server/3.0.8/vars
Using SSL: openssl OpenSSL 1.1.1k FIPS 25 Mar 2021
Generating RSA private key, 2048 bit long modulus (2 primes)
..............................+++++
.....+++++
e is 65537 (0x010001)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ., the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]: ## press Enter to accept the default
CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/etc/openvpn/easy-rsa-server/3/pki/ca.crt
[root@centos84 3]# tree pki/
pki/
├── ca.crt
├── certs_by_serial
├── index.txt
├── index.txt.attr
├── issued
├── openssl-easyrsa.cnf
├── private
│ └── ca.key
├── renewed
│ ├── certs_by_serial
│ ├── private_by_serial
│ └── reqs_by_serial
├── reqs
├── revoked
│ ├── certs_by_serial
│ ├── private_by_serial
│ └── reqs_by_serial
├── safessl-easyrsa.cnf
└── serial
## Files generated for the CA
[root@centos84 3]# cat pki/serial
01
[root@centos84 3]# ll pki/index.txt
-rw-------. 1 root root 0 Feb 19 22:51 pki/index.txt
[root@centos84 3]# ll pki/ca.crt pki/private/ca.key
-rw-------. 1 root root 1204 Feb 19 22:51 pki/ca.crt
-rw-------. 1 root root 1675 Feb 19 22:51 pki/private/ca.key
[root@centos84 3]#
# Inspect the generated self-signed certificate
[root@centos84 3]# cat pki/ca.crt
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
[root@centos84 3]# openssl x509 -in pki/ca.crt -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
6a:2d:d5:e7:a7:37:6e:06:86:90:00:09:98:76:2d:04:8d:9e:89:06
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN = Easy-RSA CA
Validity
Not Before: Feb 19 14:51:54 2022 GMT
Not After : Jan 26 14:51:54 2122 GMT
Subject: CN = Easy-RSA CA
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
00:b3:6b:31:e0:8f:20:f1:cc:65:be:35:96:c1:ef:
0d:b8:12:d6:39:27:14:e4:ff:b0:71:96:9f:45:e0:
35:59:4a:f1:e7:d2:02:4e:34:71:f1:4f:04:38:c9:
d4:ff:cf:c4:6f:40:e9:8c:ff:ec:62:6c:51:e4:44:
72:e2:38:aa:72:03:ed:36:d7:8f:dc:ef:93:e7:09:
3a:52:fd:da:c4:f1:09:c4:f4:dc:4a:11:d7:05:ea:
f8:36:d1:91:d9:57:4e:ad:f3:37:cb:f9:6e:f1:b4:
d5:8b:dc:4b:6a:91:7f:d8:ea:8d:29:ab:2b:d9:ac:
4c:5a:ce:dc:9b:84:0b:35:9a:e4:fa:fc:04:0d:88:
24:75:fa:29:06:81:a0:17:98:0b:1d:09:7a:ca:dd:
d6:9a:76:82:78:87:23:15:8d:fc:2d:d5:c6:04:ad:
2b:17:c3:39:c6:ea:40:f8:57:a1:b3:0d:dd:70:82:
7f:82:7a:6c:04:2e:a3:7d:71:0f:c3:d8:2f:63:b9:
6e:9b:28:51:24:fc:99:fc:c4:22:f7:78:e3:59:2c:
08:b4:53:15:ef:ea:8e:95:61:5f:8e:26:5b:c5:bb:
32:5a:be:20:ec:67:86:47:87:cf:6b:17:1e:d6:f9:
c9:16:d9:f8:f2:dd:57:b1:a4:c0:d5:ea:96:59:e1:
42:01
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
9C:F8:75:45:BC:43:0B:44:C4:F1:C4:43:66:74:6D:6D:C6:0D:9A:63
X509v3 Authority Key Identifier:
keyid:9C:F8:75:45:BC:43:0B:44:C4:F1:C4:43:66:74:6D:6D:C6:0D:9A:63
DirName:/CN=Easy-RSA CA
serial:6A:2D:D5:E7:A7:37:6E:06:86:90:00:09:98:76:2D:04:8D:9E:89:06
X509v3 Basic Constraints:
CA:TRUE
X509v3 Key Usage:
Certificate Sign, CRL Sign
Signature Algorithm: sha256WithRSAEncryption
a2:d2:d4:c4:89:d3:ad:b8:bb:ee:dc:8a:ab:71:c9:05:da:3b:
de:44:52:bb:23:c8:b7:8b:c1:ee:0b:53:7a:ca:a9:b5:7b:15:
d2:5d:57:75:ea:43:58:1e:90:dd:b0:99:52:3d:86:02:00:e7:
70:eb:95:89:49:67:c7:0b:1e:1a:3a:02:88:40:b2:e3:01:c9:
37:a0:da:17:74:e7:d7:90:db:e8:5b:07:79:aa:82:c7:86:96:
44:80:fd:0a:99:1b:d0:42:8d:61:ca:62:fc:4c:6f:8a:0b:c8:
7e:56:ed:9d:8c:cc:59:f3:f2:ed:28:19:8c:00:b1:af:a2:2d:
a1:24:da:9b:b3:e7:cc:30:ab:de:20:41:5d:bf:ba:4b:87:78:
8f:de:aa:98:6a:27:5c:ac:d9:9d:44:5b:76:12:81:53:e6:82:
72:7d:07:8c:1d:1c:eb:fe:c6:7f:12:70:76:45:12:07:09:db:
25:47:90:b5:56:84:c4:94:4a:8b:0f:47:ea:c9:25:03:b5:b2:
b9:f1:2b:00:09:0a:a9:dd:b4:c1:1d:e0:50:46:cf:23:ed:79:
6e:81:13:51:7b:99:36:6e:2e:e6:f0:a9:3b:25:91:f6:d7:5f:
c9:57:eb:92:3e:e8:d2:ea:3d:7f:3b:df:b9:d7:68:36:2a:26:
d8:c1:5a:fe
Create the server certificate request
# Create the server certificate request (the private key is generated at the same time); server is the filename base
[root@centos84 3]# ./easyrsa gen-req server nopass
Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa-server/3.0.8/vars
Using SSL: openssl OpenSSL 1.1.1k FIPS 25 Mar 2021
Generating a RSA private key
....................................................+++++
...................................................................................+++++
writing new private key to /etc/openvpn/easy-rsa-server/3/pki/easy-rsa-33171.wPUECJ/tmp.KarQTX
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ., the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [server]: ## press Enter to accept the default
Keypair and certificate request completed. Your files are:
req: /etc/openvpn/easy-rsa-server/3/pki/reqs/server.req
key: /etc/openvpn/easy-rsa-server/3/pki/private/server.key
[root@centos84 3]# tree pki/
pki/
├── ca.crt
├── certs_by_serial
├── index.txt
├── index.txt.attr
├── issued
├── openssl-easyrsa.cnf
├── private
│ ├── ca.key
│ └── server.key
├── renewed
│ ├── certs_by_serial
│ ├── private_by_serial
│ └── reqs_by_serial
├── reqs
│ └── server.req
├── revoked
│ ├── certs_by_serial
│ ├── private_by_serial
│ └── reqs_by_serial
├── safessl-easyrsa.cnf
└── serial
12 directories, 9 files
Issue the server certificate
## Show the usage of the signing command
[root@centos84 3]# ./easyrsa help sign
Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa-server/3.0.8/vars
sign-req <type> <filename_base>
Sign a certificate request of the defined type. <type> must be a known
type such as client, server, serverClient, or ca (or a user-added type.)
This request file must exist in the reqs/ dir and have a .req file
extension. See import-req below for importing reqs from other sources.
## Issue the server certificate (first argument: the certificate type from x509-types/; second: the request's filename base)
[root@centos84 3]# ./easyrsa sign server server
Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa-server/3.0.8/vars
Using SSL: openssl OpenSSL 1.1.1k FIPS 25 Mar 2021
You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.
Request subject, to be signed as a server certificate for 3650 days:
subject=
commonName = server
Type the word yes to continue, or any other input to abort.
Confirm request details: yes ## type yes and press Enter
Using configuration from /etc/openvpn/easy-rsa-server/3/pki/easy-rsa-33250.Gqf7zl/tmp.UuLuJe
Check that the request matches the signature
Signature ok
The Subjects Distinguished Name is as follows
commonName :ASN.1 12:server
Certificate is to be certified until Feb 17 15:02:04 2032 GMT (3650 days)
Write out database with 1 new entries
Data Base Updated
Certificate created at: /etc/openvpn/easy-rsa-server/3/pki/issued/server.crt
## Verify the result
[root@centos84 3]# tree pki
pki
├── ca.crt
├── certs_by_serial
│ └── E78ED7E8D03CAEE125630247106A2594.pem
├── index.txt
├── index.txt.attr
├── index.txt.attr.old
├── index.txt.old
├── issued
│ └── server.crt
├── openssl-easyrsa.cnf
├── private
│ ├── ca.key
│ └── server.key
├── renewed
│ ├── certs_by_serial
│ ├── private_by_serial
│ └── reqs_by_serial
├── reqs
│ └── server.req
├── revoked
│ ├── certs_by_serial
│ ├── private_by_serial
│ └── reqs_by_serial
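As an added example that is not part of the original post, the script below reproduces with plain openssl what the easy-rsa steps above do (build-ca nopass, gen-req, sign-req server), signs a second request as a client for contrast, and then verifies each certificate for the purpose it will be used for, which is the check OpenVPN's remote-cert-tls option performs on the peer certificate. The openssl config sections, the temporary directory and the certificate names are this example's own assumptions; the lifetimes match the vars values set above.

```shell
#!/bin/sh
# Added example, not part of the original post: reproduce with plain openssl
# what easy-rsa does in build-ca, gen-req NAME and sign-req TYPE NAME, then
# verify the result the way the OpenVPN peer will. Paths and the temp dir are
# assumptions of this script; lifetimes mirror the vars edited above.
set -eu
umask 077                     # private keys come out 0600, as with easy-rsa

CA_DAYS=36500                 # EASYRSA_CA_EXPIRE
CERT_DAYS=3650                # EASYRSA_CERT_EXPIRE

# Write a minimal openssl config. The v3_* sections are the equivalent of
# easy-rsa's x509-types/ca, x509-types/server and x509-types/client.
write_cnf() {
    cat >"$1" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = CA:TRUE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
keyUsage = cRLSign, keyCertSign
[ v3_server ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
extendedKeyUsage = serverAuth
keyUsage = digitalSignature, keyEncipherment
[ v3_client ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
extendedKeyUsage = clientAuth
keyUsage = digitalSignature
EOF
}

# make_pki DIR: build-ca nopass, then gen-req + sign-req for a server and a
# client. Keys are unencrypted (nopass), so DIR must stay root-only/offline.
make_pki() {
    pki_dir=$1
    pki_cnf="$pki_dir/openssl.cnf"
    write_cnf "$pki_cnf"
    # build-ca nopass: self-signed CA certificate
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$CA_DAYS" \
        -subj "/CN=Easy-RSA CA" -config "$pki_cnf" -extensions v3_ca \
        -keyout "$pki_dir/ca.key" -out "$pki_dir/ca.crt" 2>/dev/null
    for name in server client; do
        # gen-req NAME nopass: key + CSR; the request itself carries no type
        openssl req -new -newkey rsa:2048 -nodes -sha256 \
            -subj "/CN=$name" -config "$pki_cnf" \
            -keyout "$pki_dir/$name.key" -out "$pki_dir/$name.req" 2>/dev/null
        # sign-req TYPE NAME: the CA fixes the type via the extensions it adds
        openssl x509 -req -in "$pki_dir/$name.req" -CA "$pki_dir/ca.crt" \
            -CAkey "$pki_dir/ca.key" -CAcreateserial -sha256 -days "$CERT_DAYS" \
            -extfile "$pki_cnf" -extensions "v3_$name" \
            -out "$pki_dir/$name.crt" 2>/dev/null
    done
}

# usable_as CA CERT PURPOSE: chain-verify CERT against CA for PURPOSE
# (sslserver or sslclient); exit status 0 means accepted.
usable_as() {
    openssl verify -CAfile "$1" -purpose "$3" "$2" >/dev/null 2>&1
}

# cert_eku CERT: print the Extended Key Usage value of CERT
cert_eku() {
    openssl x509 -in "$1" -noout -text \
        | sed -n '/Extended Key Usage/{n;s/^ *//;p;}'
}

PKI=$(mktemp -d)
make_pki "$PKI"
echo "server EKU: $(cert_eku "$PKI/server.crt")"
echo "client EKU: $(cert_eku "$PKI/client.crt")"
if usable_as "$PKI/ca.crt" "$PKI/server.crt" sslserver; then
    echo "server.crt accepted as a server certificate"
fi
if usable_as "$PKI/ca.crt" "$PKI/client.crt" sslserver; then
    echo "client.crt accepted as a server certificate (unexpected)"
else
    echo "client.crt rejected as a server certificate, as intended"
fi
rm -rf "$PKI"
```

Run it with sh; it needs only the openssl binary. The client/server contrast is the point: a request by itself carries no type, the type comes from the extensions the CA adds when it signs, so a certificate issued with sign-req client is rejected when presented as a server and vice versa. That is what makes `./easyrsa sign server server` above different from signing the same request as a client, and it is the property remote-cert-tls relies on to stop one client impersonating the server to another.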