CA--实验报告
一、案例环境
主机名 | IP地址 | 主要软件 |
---|---|---|
ca.domain.com | 192.168.10.4 | openssl |
mail.domain.com | 192.168.10.5 | dovecot |
client.domain.com | 192.168.10.6 | mutt |
二、实施步骤
(一)搭建企业CA证书服务器
1.确认安装openssl
[root@ca ~]# rpm -qa | grep openssl
openssl-devel-1.0.1e-15.el6.x86_64
openssl-1.0.1e-15.el6.x86_64
[root@ca ~]#
2.修改配置文件
vi /etc/pki/tls/openssl.cnf
...//省略
[ req_distinguished_name ]
countryName_default = CN
...//省略
stateOrProvinceName_default = Beijing
localityName_default = Beijing
0.organizationName_default = Example,Inc.
organizationalUnitName = 默认
commonName = TYLT Certificate Authority
emailAddress = [email protected]
3.为CA服务器生成私钥
cd /etc/pki/CA/
echo 01 > serial
ls
touch index.txt
[root@ca ~]# vi /etc/pki/tls/openssl.cnf
[root@ca ~]# cd /etc/pki/CA/
[root@ca CA]# echo 01 > serial
[root@ca CA]# ls
certs crl newcerts private serial
[root@ca CA]# touch index.txt
[root@ca CA]#
openssl genrsa -out private/cakey.pem -des3 2048
中间需要输入密码(下面创建证书时候需要)
确认密码
[root@ca CA]# openssl genrsa -out private/cakey.pem -des3 2048
Generating RSA private key, 2048 bit long modulus
..........................................................................+++
..............................+++
e is 65537 (0x10001)
Enter pass phrase for private/cakey.pem:
Verifying - Enter pass phrase for private/cakey.pem:
[root@ca CA]#
查看是否生成
ls
[root@ca CA]# ls
certs crl index.txt newcerts private serial
[root@ca CA]#
4.为CA服务器创建自己的根证书文件
去CA目录下面
openssl req -new -x509 -key private/cakey.pem -days 365 >cacert.pem
输入密码(私钥的密码)
确认密码
[root@ca CA]# openssl req -new -x509 -key private/cakey.pem -days 365 >cacert.pem
Enter pass phrase for private/cakey.pem:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [Beijing]:
Locality Name (eg, city) [Beijing]:
Organization Name (eg, company) [Example,INC.]:
Organizational Unit Name (eg, section) []:Example,INC.
TYTL Certificate Auth []:
[email protected] []:
[root@ca CA]# ls
cacert.pem certs crl index.txt newcerts private serial
[root@ca CA]#
5.发布证书文件
yum -y install httpd
vim /etc/httpd/conf/httpd.conf
ServerName ca.domain.com
cd /var/www/html
mkdir certs
cd certs
将cacert.pem复制到certs目录下面
mv cacert.pem TYLT-CA.CRT
[root@ca CA]# ls
cacert.pem certs crl index.txt newcerts private serial
[root@ca CA]# cd /var/www/html/
[root@ca html]# mkdir certs
[root@ca html]# cd certs/
[root@ca certs]# /etc/cron.daily/mlocate.cron update
[root@ca certs]# locate cacert.pem
/etc/pki/CA/cacert.pem
/root/Desktop/vm/vmware-tools-distrib/caf/var/lib/vmware-caf/pme/data/input/certs/cacert.pem
/var/lib/vmware-caf/pme/data/input/certs/cacert.pem
[root@ca certs]# cp /etc/pki/CA/cacert.pem ./
[root@ca certs]# ls
cacert.pem
[root@ca certs]#
(二)配置Dovecot邮件服务器,并为邮件服务器颁发证书
1.生成服务器私钥（注意：1024 位 RSA 已不再被视为安全，实际部署应至少使用 2048 位；另外生成后应执行 chmod 600 imaps-svr.key 收紧权限，下面 ls -l 显示的 644 权限意味着私钥对所有本地用户可读）
mail.domain.com
[root@mail ~]# rpm -qa | grep openssl
openssl-devel-1.0.1e-15.el6.x86_64
openssl-1.0.1e-15.el6.x86_64
[root@mail ~]#
openssl genrsa -out imaps-svr.key 1024
[root@mail ~]# openssl genrsa -out imaps-svr.key 1024
Generating RSA private key, 1024 bit long modulus
....++++++
......++++++
e is 65537 (0x10001)
[root@mail ~]# ls
anaconda-ks.cfg imaps-svr.key install.log install.log.syslog
[root@mail ~]# ls -l
total 28
-rw-------. 1 root root 1146 Jul 16 01:07 anaconda-ks.cfg
-rw-r--r--. 1 root root 887 Jul 25 00:00 imaps-svr.key
-rw-r--r--. 1 root root 14197 Jul 16 01:07 install.log
-rw-r--r--. 1 root root 3857 Jul 16 01:06 install.log.syslog
[root@mail ~]# date
Mon Jul 25 00:00:56 CST 2016
[root@mail ~]#
2.生成签名请求文件
mail.domain.com
openssl req -new -key imaps-svr.key -out imaps-svr.csr
输入国家名称(要与ca上的一致)
国家CN
省Beijing
城市Beijing
公司Example,INC.
组织:默认
Common Name : mail.domain.com
[root@mail ~]# openssl req -new -key imaps-svr.key -out imaps-svr.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Beijing
Locality Name (eg, city) [Default City]:Beijing
Organization Name (eg, company) [Default Company Ltd]:Example,INC.
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:mail.domain.com
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123123
An optional company name []:
[root@mail ~]#
3.将签名证书请求文件发给CA中心（首次 scp 连接时显示的主机密钥指纹，应先通过带外方式与目标主机核对一致后再回答 yes）
mail.domain.com
scp imaps-svr.csr 192.168.10.4:/root
[root@mail ~]# scp imaps-svr.csr 192.168.10.4:/root
The authenticity of host '192.168.10.4 (192.168.10.4)' can't be established.
RSA key fingerprint is 92:4f:c4:d1:0d:90:52:74:18:09:88:37:86:5b:77:2c.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.10.4' (RSA) to the list of known hosts.
[email protected]'s password:
imaps-svr.csr 100% 676 0.7KB/s 00:00
[root@mail ~]#
4.根据签名请求创建CA证书文件
在ca.domain.com虚拟机上
cd /root/
openssl req -in imaps-svr.csr -noout -text
[root@ca ~]# date
Sun Jul 24 16:05:53 CST 2016
[root@ca ~]# ls -l
total 9948
-rw-------. 1 root root 1575 May 24 00:10 anaconda-ks.cfg
drwxr-xr-x. 3 root root 4096 May 24 00:18 Desktop
drwxr-xr-x. 2 root root 4096 May 24 00:17 Documents
drwxr-xr-x. 2 root root 4096 May 24 00:17 Downloads
-rw-r--r-- 1 root root 10075677 Jun 4 08:19 etc.tar.gz
-rw-r--r-- 1 root root 676 Jul 24 16:05 imaps-svr.csr
-rw-r--r--. 1 root root 49565 May 24 00:10 install.log
-rw-r--r--. 1 root root 10033 May 24 00:08 install.log.syslog
drwxr-xr-x. 2 root root 4096 May 24 00:17 Music
drwxr-xr-x. 2 root root 4096 May 24 00:17 Pictures
drwxr-xr-x. 2 root root 4096 May 24 00:17 Public
drwxr-xr-x. 2 root root 4096 May 24 00:17 Templates
-rw-r--r-- 1 root root 0 Jun 3 10:04 test
drwxr-xr-x. 2 root root 4096 May 24 00:17 Videos
[root@ca ~]#
[root@ca ~]# openssl req -in imaps-svr.csr -noout -text
Certificate Request:
Data:
Version: 0 (0x0)
Subject: C=CN, ST=Beijing, L=Beijing, O=Example,INC., CN=mail.domain.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (1024 bit)
Modulus:
00:c9:e6:f3:a6:85:53:cd:28:06:29:82:9b:13:82:
cb:c5:1c:b2:f7:69:b2:ba:4a:4b:26:cc:c1:84:a1:
46:c5:04:6f:95:e5:8b:68:4c:79:ac:0b:26:6f:b4:
48:1f:b0:14:53:15:02:17:db:fe:d1:db:30:b1:79:
4b:a6:96:e2:a8:ee:27:0f:4f:05:2f:19:f3:dc:fa:
33:17:1f:5e:42:15:0f:74:02:27:cb:1c:e1:55:ab:
13:c3:ef:c5:01:d6:40:b1:c4:a0:8f:0a:38:d6:e2:
eb:c3:1e:17:75:74:52:ca:e0:a8:55:4d:44:2c:5c:
42:a4:e6:de:b0:90:ba:25:fb
Exponent: 65537 (0x10001)
Attributes:
challengePassword :unable to print attribute
Signature Algorithm: sha1WithRSAEncryption
13:8b:33:f0:4b:f3:5e:a9:d9:6d:b2:db:16:53:e8:d9:ca:4a:
57:34:26:74:f7:e8:1f:d7:9a:dc:09:47:b6:c1:01:5d:de:74:
98:70:a5:31:00:6a:2c:fd:14:57:d1:6c:fb:2f:d6:ac:c4:4f:
2e:0a:a6:c4:00:fb:76:47:c3:1f:71:68:8c:f5:83:06:64:a8:
23:06:1a:16:1c:78:b2:ab:51:04:eb:f6:a1:4d:3e:28:64:67:
8a:53:70:a4:70:4e:81:a7:4e:40:0a:bd:f3:07:89:12:ef:8d:
03:4f:87:d8:7c:0f:21:bc:69:52:c2:a0:32:4a:67:c6:94:89:
1d:3a
[root@ca ~]#
openssl ca -in imaps-svr.csr -out imaps-svr.crt
[root@ca ~]# openssl ca -in imaps-svr.csr -out imaps-svr.crt
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Jul 24 08:08:00 2016 GMT
Not After : Jul 24 08:08:00 2017 GMT
Subject:
countryName = CN
stateOrProvinceName = Beijing
organizationName = Example,INC.
commonName = mail.domain.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
12:24:3C:87:BA:1F:99:D6:A1:3F:2A:53:3F:B1:6F:1F:8B:38:2E:17
X509v3 Authority Key Identifier:
keyid:46:49:0F:DB:55:DE:F3:18:DF:FC:AE:2D:27:FE:6A:44:95:01:82:CD
Certificate is to be certified until Jul 24 08:08:00 2017 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@ca ~]#
将证书传给mail.domain.com
scp imaps-svr.crt 192.168.10.5:/root
[root@ca ~]# scp imaps-svr.crt 192.168.10.5:/root
The authenticity of host '192.168.10.5 (192.168.10.5)' can't be established.
RSA key fingerprint is 8f:bf:80:44:26:74:6c:57:c2:18:73:dd:39:c7:98:55.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.10.5' (RSA) to the list of known hosts.
[email protected]'s password:
imaps-svr.crt 100% 3678 3.6KB/s 00:00
[root@ca ~]#
- 启动postfix
5.安装dovecot
- 安装dovecot
新建用户
- dovecot
- dovenull
./configure --prefix=/usr/local/dovecot --sysconfdir=/etc --with-ssl=openssl
[root@mail dovecot-2.0.21]# ./configure --prefix=/usr/local/dovecot --sysconfdir=/etc --with-ssl=openssl
...//省略
Install prefix . : /usr/local/dovecot
File offsets ... : 64bit
I/O polling .... : epoll
I/O notifys .... : inotify
SSL ............ : yes (OpenSSL)
GSSAPI ......... : no
passdbs ........ : static passwd passwd-file shadow checkpassword
: -pam -bsdauth -sia -ldap -sql -vpopmail
userdbs ........ : static prefetch passwd passwd-file checkpassword nss
: -ldap -sql -vpopmail
SQL drivers .... :
: -pgsql -mysql -sqlite
[root@mail dovecot-2.0.21]# make
...//省略
[root@mail dovecot-2.0.21]# make install
...//省略
[root@mail example-config]# /bin/cp -rf /usr/local/dovecot/share/doc/dovecot/example-config/* /etc/dovecot/
[root@mail example-config]# locate dovecot-initd.sh
/usr/local/dovecot-2.0.21/doc/dovecot-initd.sh
[root@mail example-config]# cp /usr/local/dovecot-2.0.21/doc/dovecot-initd.sh /etc/init
init/ init.d/ inittab
[root@mail example-config]# cp /usr/local/dovecot-2.0.21/doc/dovecot-initd.sh /etc/init.d/dovecot
[root@mail example-config]# chmod +x /etc/init.d/dovecot
[root@mail example-config]# chkconfig --add dovecot
[root@mail example-config]#
排错过程
[root@mail ~]# service dovecot start
[root@mail ~]# netstat -utpln | grep "dovecot"
[root@mail ~]# /usr/local/dovecot/sbin/dovecot
doveconf: Fatal: Error in configuration file /etc/dovecot/dovecot.conf: default_login_user doesn't exist: dovenull
[root@mail ~]# service dovecot restart
[root@mail ~]# netstat -utpln | grep "
> dovecot"
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 902/sshd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 978/master
tcp 0 0 :::22 :::* LISTEN 902/sshd
tcp 0 0 ::1:25 :::* LISTEN 978/master
[root@mail ~]# cd /etc/dovecot/
[root@mail dovecot]# ls
10-auth.conf 20-lmtp.conf auth-master.conf.ext dovecot-db.conf.ext
10-director.conf 20-pop3.conf auth-passwdfile.conf.ext dovecot-dict-sql.conf.ext
10-logging.conf 90-acl.conf auth-sql.conf.ext dovecot-ldap.conf.ext
10-mail.conf 90-plugin.conf auth-static.conf.ext dovecot-sql.conf.ext
10-master.conf 90-quota.conf auth-system.conf.ext Makefile
10-ssl.conf auth-checkpassword.conf.ext auth-vpopmail.conf.ext Makefile.am
15-lda.conf auth-deny.conf.ext conf.d Makefile.in
20-imap.conf auth-ldap.conf.ext dovecot.conf README
[root@mail dovecot]# /usr/local/dovecot/sbin/dovecot
doveconf: Fatal: Error in configuration file /etc/dovecot/dovecot.conf: default_login_user doesn't exist: dovenull
[root@mail dovecot]# useradd dovenull
[root@mail dovecot]# /usr/local/dovecot/sbin/dovecot
doveconf: Fatal: Error in configuration file /etc/dovecot/dovecot.conf: default_internal_user doesn't exist: dovecot
[root@mail dovecot]# useradd dovecot
[root@mail dovecot]# /usr/local/dovecot/sbin/dovecot
[root@mail dovecot]# netstat -utpln | grep "
> dovecot"
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:110 0.0.0.0:* LISTEN 28246/dovecot
tcp 0 0 0.0.0.0:143 0.0.0.0:* LISTEN 28246/dovecot
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 902/sshd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 978/master
tcp 0 0 0.0.0.0:993 0.0.0.0:* LISTEN 28246/dovecot
tcp 0 0 0.0.0.0:995 0.0.0.0:* LISTEN 28246/dovecot
tcp 0 0 :::110 :::* LISTEN 28246/dovecot
tcp 0 0 :::143 :::* LISTEN 28246/dovecot
tcp 0 0 :::22 :::* LISTEN 902/sshd
tcp 0 0 ::1:25 :::* LISTEN 978/master
tcp 0 0 :::993 :::* LISTEN 28246/dovecot
tcp 0 0 :::995 :::* LISTEN 28246/dovecot
[root@mail dovecot]#
6.调整dovecot配置,启用数字证书
修改10-ssl.conf
ssl = yes
ssl_cert = </etc/ssl/certs/dovecot.pem
ssl_key = </etc/ssl/private/dovecot.pem
将imaps-svr.crt复制到配置文件当中的位置,名称也是对应的
cp imaps-svr.crt /etc/ssl/certs/dovecot.pem
[root@mail ssl]# cp imaps-svr.crt /etc/ssl/certs/dovecot.pem
在ssl目录下
mkdir private
cp /root/imaps-svr.key private/dovecot.pem
[root@mail ~]# cd /etc/ssl
[root@mail ssl]# mkdir private
[root@mail ssl]# cp /root/imaps-svr.key private/dovecot.pem
[root@mail ssl]#
(三)使用mutt客户端测试IMAPS协议
安装mutt
yum -y install mutt
mkdir .mutt
cd .mutt/
vi muttrc
set folder=imaps://mail.domain.com
set spoolfile=imaps://mail.domain.com
set certificate_file=/root/.mutt/TYTL_CA.CRT
[root@client ~]# mkdir .mutt
[root@client ~]# cd .mutt
[root@client .mutt]# vi muttrc
set folder=imaps://mail.domain.com
set spoolfile=imaps://mail.domain.com
set certificate_file=/root/.mutt/TYTL_CA.CRT
启动测试
mutt