
SECURITY 03: 邮件服务TLS/SSL 、 总结和答疑 、 CA数字证书服务-技术-51CTO博客


SECURITY 03: 邮件服务TLS/SSL 、 总结和答疑 、 CA数字证书服务

day03
部署CA服务器
邮件加密
网站加密
+++++++++++++++++++++++++++++
部署CA服务器 (54) 机构名称 tarenaa
ca服务器主机名 catwo.tedu.cn
ip 192.168.4.54

部署CA服务器 (55) 机构名称 tarena
ca服务器主机名 ca.tedu.cn
ip 192.168.4.55

192.168.4.55
1 、部署证书签发环境
]# vim /etc/pki/tls/openssl.cnf
40 [ CA_default ]
42 dir = /etc/pki/CA
43 certs = $dir/certs
45 database = $dir/index.txt
50 certificate = $dir/my-ca.crt

51 serial = $dir/serial
55 private_key = $dir/private/my-ca.key

128 [ req_distinguished_name ]
130 countryName_default = CN 国家
135 stateOrProvinceName_default = beijing 省
138 localityName_default = beijing 城市
141 0.organizationName_default = tarena 公司名称
148 organizationalUnitName_default = ope 部门名称

84 [ policy_match ] // 匹配策略
85 countryName = match
86 stateOrProvinceName = match
87 organizationName = match
88 organizationalUnitName = optional
89 commonName = supplied
90 emailAddress = optional

根据配置文件的设置创建对应的文件
123 echo 01 > /etc/pki/CA/serial
124 cat /etc/pki/CA/serial
125 chmod 600 /etc/pki/CA/serial

118 touch /etc/pki/CA/index.txt
120 cat /etc/pki/CA/index.txt
122 chmod 600 /etc/pki/CA/index.txt
创建私钥文件
#cd /etc/pki/CA/private

openssl genrsa -des3 2048 > my-ca.key (密码123456)

#cat my-ca.key
#chmod 600 my-ca.key

创建根证书文件
#cd /etc/pki/CA
[root@host55 CA]# openssl req -new -x509 -key ./private/my-ca.key -days 365 > my-ca.crt
Enter pass phrase for ./private/my-ca.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.

Country Name (2 letter code) [CN]:
State or Province Name (full name) [beijing]:
Locality Name (eg, city) [beijing]:
Organization Name (eg, company) [tarena]:
Organizational Unit Name (eg, section) [ope]:
Common Name (eg, your name or your server's hostname) []:ca.tedu.cn
Email Address []:[email protected]
[root@host55 CA]#

+++++++++++++++++++++++++++++++++
共享根证书给客户端 (55)
138 rpm -q httpd || yum -y install httpd
139 mkdir /var/www/html/ca
140 cp /etc/pki/CA/my-ca.crt /var/www/html/ca/
141 chmod +r /var/www/html/ca/my-ca.crt
142 systemctl start httpd
143 systemctl enable httpd
144 setenforce 0
145 systemctl stop firewalld
（以上两步仅用于实验环境，目的是让客户端能直接访问 httpd；生产环境应保留 SELinux 强制模式和防火墙，只放行 80/443 端口）

254客户端的测试(下载根证书并安装根证书)
firefox http://192.168.4.55/ca
++++++++++++++++++++++++++++++++++++++++
配置网站加密 HTTPS
#rpm -q httpd || yum -y install httpd
#echo web53 > /var/www/html/test.html
#systemctl start httpd ; systemctl enable httpd
#netstat -utnalp | grep httpd

客户端访问254
#vim /etc/hosts
192.168.4.53 www.tedu.cn
:wq

ping -c 2 www.tedu.cn

              www.tedu.cn
     http://192.168.4.53/test.html
     https://192.168.4.53/test.html

配置网站服务器 192.168.4.53
1 创建私钥文件
#cd /etc/pki/tls/private/
#openssl genrsa 2048 > www.key

2 创建证书请求文件

]# openssl req -new -key www.key > /root/www.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.

Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:beijing
Organization Name (eg, company) [Default Company Ltd]:tarena
Organizational Unit Name (eg, section) []:ope
Common Name (eg, your name or your server's hostname) []:www.tedu.cn
Email Address []:[email protected]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@host53 private]#

[root@host53 private]# cat /root/www.csr

3 提交证书请求文件给CA服务器
#scp /root/www.csr 192.168.4.55:/tmp/

配置CA服务器192.168.4.55
1 审核证书请求文件并签发数字证书文件
#ls /tmp/www.csr
#cd /etc/pki/CA/certs
#openssl ca -in /tmp/www.csr > www.crt
2 下发数字证书文件给网站服务器
#scp www.crt 192.168.4.53:/tmp/

3 在网站服务器上配置网站服务，使其运行时调用私钥文件和数字证书文件，然后重启网站服务

yum -y install mod_ssl

]# vim /etc/httpd/conf.d/ssl.conf
100 SSLCertificateFile /etc/pki/tls/certs/www.crt
107 SSLCertificateKeyFile /etc/pki/tls/private/www.key
:wq

cp /tmp/www.crt /etc/pki/tls/certs/

[root@host53 ~]# ls /etc/pki/tls/private/
localhost.key www.key

#systemctl restart httpd
#netstat -utnalp | grep httpd
[root@host53 ~]# netstat -utnalp | grep httpd
tcp6 0 0 :::80 :::* LISTEN 26098/httpd
tcp6 0 0 :::443 :::* LISTEN 26098/httpd

4客户端验证配置192.168.4.254

++++++++++++++++++++++++++++
在主机52 做邮件服务器

能够发邮件(运行postfix服务)
#yum -y install postfix
#systemctl start postfix ; systemctl enable postfix
#netstat -utnalp | grep :25
#ps -C master

vim /etc/postfix/main.cf

113 inet_interfaces = all
116 #inet_interfaces = localhost
419 home_mailbox = Maildir/
:wq
#systemctl restart postfix

添加本地邮箱账号 并测试能否发送邮件
useradd jerry ;echo 123456 | passwd --stdin jerry
useradd lili ;echo 123456 | passwd --stdin lili

jerry@localhost lili@localhost
123456 123456

邮件服务器 192.168.4.52
发件人 lili@localhost
收件人 jerry@localhost

客户端51 测试能否发送邮件

rpm -q telnet || yum -y install telnet

#which telnet

telnet 192.168.4.52 25 //连接邮件服务器

helo pc51 //客户定义主机名
mail from:lili@localhost //发件人
rcpt to:jerry@localhost //收件人
data //写邮件内容
邮件内容
. //提交邮件
quit //断开连接
+++++++++++++++++++++++++++++++++++++++
52 查看邮件是否被投递到用户的邮箱里?
#cd /home
#ls
#cat jerry/Maildir/new/1517275339.Vfd02I4000084M202939.host52

52 能够收邮件(运行dovecot服务)

yum -y install dovecot

#rpm -q dovecot
#rpm -qc dovecot
#cd /etc/dovecot/
#ls
#vim conf.d/10-mail.conf
24 mail_location = maildir:~/Maildir
:wq

#vim conf.d/10-auth.conf
10 disable_plaintext_auth = no （允许明文认证，仅为后面用 telnet 测试收信；配置邮件加密后应改回 yes）
:wq
[root@host52 conf.d]# systemctl start dovecot
[root@host52 conf.d]# systemctl enable dovecot

[root@host52 conf.d]# netstat -utnalp | grep :110
[root@host52 conf.d]# netstat -utnalp | grep :143
[root@host52 conf.d]# ps -C dovecot

测试能否收邮件
52:
#which telnet
#yum -y install telnet

#telnet localhost 110 //连接本机收邮件的服务
user jerry //收件人用户名
pass 123456 //邮箱密码
list //列出邮件
retr 1 //查看第1封邮件的内容
quit //断开连接

配置邮件加密
配置邮件服务器 192.168.4.52
1 创建私钥文件
2 创建证书请求文件
3 提交证书请求文件给CA

配置CA服务器192.168.4.55
1 审核证书请求文件并签发
2 下发数字证书文件给邮件服务器

3 在邮件服务器上配置邮件服务，使其运行时调用私钥文件和数字证书文件，然后重启邮件服务

4客户端验证配置192.168.4.254

