SECURITY 03: 邮件服务TLS/SSL 总结和答疑 CA数字证书服务
Posted
tags:
篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了SECURITY 03: 邮件服务TLS/SSL 总结和答疑 CA数字证书服务相关的知识,希望对你有一定的参考价值。
day03
部署CA服务器
邮件加密
网站加密
+++++++++++++++++++++++++++++
部署CA服务器 (54) 机构名称 tarenaa
ca服务器主机名 catwo.tedu.cn
ip 192.168.4.54
部署CA服务器 (55) 机构名称 tarena
ca服务器主机名 ca.tedu.cn
ip 192.168.4.55
192.168.4.55
1 、部署证书签发环境
]# vim /etc/pki/tls/openssl.cnf
40 [ CA_default ]
42 dir = /etc/pki/CA
43 certs = $dir/certs
45 database = $dir/index.txt
50 certificate = $dir/my-ca.crt
51 serial = $dir/serial
55 private_key = $dir/private/my-ca.key
128 [ req_distinguished_name ]
130 countryName_default = CN 国家
135 stateOrProvinceName_default = beijing 省
138 localityName_default = beijing 城市
141 0.organizationName_default = tarena 公司名称
148 organizationalUnitName_default = ope 部门名称
84 [ policy_match ] // 匹配策略
85 countryName = match
86 stateOrProvinceName = match
87 organizationName = match
88 organizationalUnitName = optional
89 commonName = supplied
90 emailAddress = optional
根据配置文件的设置创建对应的文件
123 echo 01 > /etc/pki/CA/serial
124 cat /etc/pki/CA/serial
125 chmod 600 /etc/pki/CA/serial
118 touch /etc/pki/CA/index.txt
120 cat /etc/pki/CA/index.txt
122 chmod 600 /etc/pki/CA/index.txt
创建私钥文件
#cd /etc/pki/CA/private
openssl genrsa -des3 2048 > my-ca.key (密码123456)
#cat my-ca.key
#chmod 600 my-ca.key
创建根证书文件
#cd /etc/pki/CA
[[email protected] CA]# openssl req -new -x509 -key ./private/my-ca.key -days 365 > my-ca.crt
Enter pass phrase for ./private/my-ca.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.‘, the field will be left blank.
Country Name (2 letter code) [CN]:
State or Province Name (full name) [beijing]:
Locality Name (eg, city) [beijing]:
Organization Name (eg, company) [tarena]:
Organizational Unit Name (eg, section) [ope]:
Common Name (eg, your name or your server‘s hostname) []:ca.tedu.cn
Email Address []:[email protected]
[[email protected] CA]#
+++++++++++++++++++++++++++++++++
共享根证书给客户端 (55)
138 rpm -q httpd || yum -y install httpd
139 mkdir /var/www/html/ca
140 cp /etc/pki/CA/my-ca.crt /var/www/html/ca/
141 chmod +r /var/www/html/ca/my-ca.crt
142 systemctl start httpd
143 systemctl enable httpd
144 setenforce 0
145 systemctl stop firewalld
254客户端的测试(下载根证书并安装根证书)
firefox http://192.168.4.55/ca
++++++++++++++++++++++++++++++++++++++++
配置网站加密 HTTPS
#rpm -q httpd || yum -y install httpd
#echo web53 > /var/www/html/test.html
#systemctl start httpd ; systemctl enable httpd
#netstat -utnalp | grep httpd
客户端访问254
#vim /etc/hosts
192.168.4.53 www.tedu.cn
:wq
ping -c 2 www.tedu.cn
www.tedu.cn
http://192.168.4.53/test.html
https://192.168.4.53/test.html
配置网站服务器 192.168.4.53
1 创建私钥文件
#cd /etc/pki/tls/private/
#openssl genrsa 2048 > www.key
2 创建证书请求文件
]# openssl req -new -key www.key > /root/www.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.‘, the field will be left blank.
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:beijing
Organization Name (eg, company) [Default Company Ltd]:tarena
Organizational Unit Name (eg, section) []:ope
Common Name (eg, your name or your server‘s hostname) []:www.tedu.cn
Email Address []:[email protected]
Please enter the following ‘extra‘ attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[[email protected] private]#
[[email protected] private]# cat /root/www.csr
3 提交证书请求文件给CA服务器
#scp /root/www.csr 192.168.4.55:/tmp/
配置CA服务器192.168.4.55
1 审核证书请求文件并签发数字证书文件
#ls /tmp/www.csr
#cd /etc/pki/CA/certs
#openssl ca -in /tmp/www.csr > www.crt
2 下发数字证书文件给网站服务器
#scp www.crt 192.168.4.53:/tmp/
3 在 网站服务器 配置 网站服务在运行时,调用私钥文件和数字证书文件,然后重启网站服务
yum -y install mod_ssl
]# vim /etc/httpd/conf.d/ssl.conf
100 SSLCertificateFile /etc/pki/tls/certs/www.crt
107 SSLCertificateKeyFile /etc/pki/tls/private/www.key
:wq
cp /tmp/www.crt /etc/pki/tls/certs/
[[email protected] ~]# ls /etc/pki/tls/private/
localhost.key www.key
#systemctl restart httpd
#netstat -utnalp | grep httpd
[[email protected] ~]# netstat -utnalp | grep httpd
tcp6 0 0 :::80 ::: LISTEN 26098/httpd
tcp6 0 0 :::443 ::: LISTEN 26098/httpd
4客户端验证配置192.168.4.254
++++++++++++++++++++++++++++
在主机52 做邮件服务器
能够发邮件(运行postfix服务)
#yum -y install postfix
#systemctl start postfix ; systemctl enable postfix
#netstat -utnalp | grep :25
#ps -C master
vim /etc/postfix/main.cf
113 inet_interfaces = all
116 #inet_interfaces = localhost
419 home_mailbox = Maildir/
:wq
#systemctl restart postfix
添加本地邮箱账号 并测试能否发送邮件
useradd jerry ;echo 123456 | passwd --stdin jerry
useradd lili ;echo 123456 | passwd --stdin lili
[email protected] [email protected]
123456 123456
邮件服务器 192.168.4.52
发件人 [email protected]
收件人 [email protected]
客户端51 测试能否发送邮件
rpm -q telnet || yum -y install telnet
#which telnet
telnet 192.168.4.52 25 //连接邮件服务器
helo pc51 //客户定义主机名
mail from:[email protected] //发件人
rcpt to:[email protected] //收件人
data //写邮件内容
邮件内容
. //提交邮件
quit //断开连接
+++++++++++++++++++++++++++++++++++++++
52 查看邮件是否被投递到用户的邮箱里?
#cd /home
#ls
#cat jerry/Maildir/new/1517275339.Vfd02I4000084M202939.host52
52 能够收邮件(运行dovecot服务)
yum -y install dovecot
#rpm -q dovecot
#rpm -qc dovecot
#cd /etc/dovecot/
#ls
#vim conf.d/10-mail.conf
24 mail_location = maildir:~/Maildir
:wq
#vim conf.d/10-auth.conf
10 disable_plaintext_auth = no
:wq
[[email protected] conf.d]# systemctl start dovecot
[[email protected] conf.d]# systemctl enable dovecot
[[email protected] conf.d]# netstat -utnalp | grep :110
[[email protected] conf.d]# netstat -utnalp | grep :143
[[email protected] conf.d]# ps -C dovecot
测试能否收邮件
52:
#which telnet
#yum -y install telnet
#telnet localhost 110 //连接本机收邮件的服务
user jerry //收件人用户名
pass 123456 //邮箱密码
list //列出邮件
retr 1 //查看第1封邮件的内容
quit //断开连接
配置邮件加密
配置邮件服务器 192.168.4.52
1 创建私钥文件
2 创建证书请求文件
3 提交证书请求文件给CA
配置CA服务器192.168.4.55
1 审核证书请求文件并签发
2 下发数字证书文件给邮件服务器
3 在邮件服务器 配置 邮件服务在运行时,调用私钥文件和数字证书文件,然后重启邮件服务
4客户端验证配置192.168.4.254
以上是关于SECURITY 03: 邮件服务TLS/SSL 总结和答疑 CA数字证书服务的主要内容,如果未能解决你的问题,请参考以下文章