Jumpserver在线安装及摆设认证服务器CA
主机IP功能JumpServer192.168.1.34堡垒机管理资产及权限CA认证服务器192.168.1.37提供HTTPS安全加密 堡垒机一键在线安装
- ##z在线安装
- curl -sSL https://resource.fit2cloud.com/jumpserver/jumpserver/releases/latest/download/quick_start.sh | bash
- ##默认密码
- admin/admin
- ##启动JumpServer
- 首先进入/opt/jumpserver-installer-v3.9.3/
- 执行 ./jmsctl.sh start
- ##关闭JumpServer
- 首先进入/opt/jumpserver-installer-v3.9.3/
- 执行 ./jmsctl.sh stop
- ##需要使用HTTPS服务
- 将文件证书放在/opt/jumpserver/config/nginx/cert路径下
- 修改配置文件 vi /opt/jumpserver/config/config.txt
- SSL_CERTIFICATE=/opt/jumpserver/config/nginx/cert/httpd.crt
- SSL_CERTIFICATE_KEY=/opt/jumpserver/config/nginx/cert/httpd.key
- ps:注意,需要先停止JumpServer服务后再修改配置文件
- ##关闭setenforce
- setenforce 0
- ###简历CA服务器
- ##生成密钥
- [root@localhost ~]# (umask 007; openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048)
- ps:
- ():表示此命令在子进程中运行,其目的是为了不改变当前Shell中的umask值;
- genrsa:生成私钥;
- -out:私钥的存放路径,cakey.pem:为密钥名,与配置文件中保持一致;
- 2048:密钥长度,默认为1024
- ##自签证书
- [root@localhost ~]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem -days 1000
- ps:
- req:生成证书签署请求;
- -x509:生成自签署证书;
- -days n:证书的有效天数;
- -new:新请求;
- -key /path/to/keyfile:指定私钥文件;
- -out /path/to/somefile:输出文件位置
- ##初始化工作环境
- [root@localhost ~]# touch /etc/pki/CA/{index.txt,serial}
- [root@localhost ~]# echo 01 > /etc/pki/CA/serial
- ps:
- index.txt:索引文件,用于匹配证书编号;
- serial:证书序列号文件,只在首次生成证书时赋值
登录堡垒机
- ##生成密钥对
- [root@localhost ~]# mkdir -p /etc/httpd/ssl
- [root@localhost ~]# (umask 077; openssl genrsa -out /etc/httpd/ssl/httpd.key 2048)
- ##生成证书信息
- [root@localhost ~]# openssl req -new -key /etc/httpd/ssl/httpd.key -out /etc/httpd/ssl/httpd.csr
- You are about to be asked to enter information that will be incorporated
- into your certificate request.
- What you are about to enter is what is called a Distinguished Name or a DN.
- There are quite a few fields but you can leave some blank
- For some fields there will be a default value,
- If you enter '.', the field will be left blank.
- -----
- Country Name (2 letter code) [CN]:CN
- State or Province Name (full name) [JS]:JS
- Locality Name (eg, city) [SZ]:SZ
- Organization Name (eg, company) [JFHY]:JHFY
- Organizational Unit Name (eg, section) [JFHY]:JFHY
- Common Name (eg, your name or your server's hostname) [jfhy.com]:jfhy.com
- Email Address [www]:www
- Please enter the following 'extra' attributes
- to be sent with your certificate request
- A challenge password []:123456
- An optional company name []:www
- ##将刚刚申请的请求文件发送给CA服务器
- [root@localhost ~]# scp /etc/httpd/ssl/httpd.csr root@192.168.1.37:/etc/pki/CA/crl
- ##签署证书
- [root@localhost ~]# openssl ca -in /etc/pki/CA/crl/httpd.csr -out /etc/pki/CA/crl/httpd.crt -days 1000
- Using configuration from /etc/pki/tls/openssl.cnf
- Check that the request matches the signature
- Signature ok
- The organizationName field needed to be the same in the
- CA certificate (JFHY) and the request (JHFY)
- ##将签名好的证书发送给堡垒机
- [root@localhost ~]# scp httpd.crt root@192.168.1.34:/etc/httpd/ssl
登录CA服务器
- ##获取证书serial
- [root@localhost ~]# openssl x509 -in httpd.crt -noout -serial -subject
- ps:
- x509:证书格式;
- -in:要吊销的证书;
- -noout:不输出额外信息;
- -serial:显示序列号;
- -subject:显示subject信息
- ##CA验证信息
- [root@localhost ~]# cd /etc/pki/CA/
- [root@localhost CA]# cat index.txt
- ##吊销证书
- [root@localhost CA]# openssl ca -revoke /etc/pki/CA/newcerts/01.pem
- ##删除证书
- 查看被吊销的证书列表
- [root@localhost CA]# cat /etc/pki/CA/index.txt
- 生成吊销证书的编号(如果是第一次吊销)
- [root@localhost CA]# echo 00 > /etc/pki/CA/crlnumber
- 更新证书吊销列表
- [root@localhost CA]# cd crl
- [root@localhost CA]# openssl ca -gencrl -out ca.crl
- ps: -gencrl:生成证书吊销列表
如出现以上错误,需要在配置文件中修改https默认443端口 自定义端口 如23443
放通防火墙
firewall-cmd --per --add-port=23443/tcp
firewall-cmd --reload
注意
如果修改了端口,需要在配置文件中修改一下:
-1714440104784)]
如出现以上错误,需要在配置文件中修改https默认443端口 自定义端口 如23443
放通防火墙
firewall-cmd --per --add-port=23443/tcp
firewall-cmd --reload
注意
如果修改了端口,需要在配置文件中修改一下:
免责声明:如果侵犯了您的权益,请联系站长,我们会及时删除侵权内容,谢谢合作!更多信息从访问主页:qidao123.com:ToB企服之家,中国第一个企服评测及商务社交产业平台。 |
