Certificate problem

In order to avoid re combing , Just stay , One time analysis , It's really comfortable to be comfortable in the back

Form of certificate , Commonly used formats are pem、jks、pkcs12

Format generated by interconnection , Usually it is pem Format , It's also x509

0、 Self signed certificates are commonly generated

myssl ：https://myssl.com/create_test_cert.html

samltool：https://www.samltool.com/self_signed_certs.php

1、 Certificate docking overview

On the whole , Generally, docking development can be divided into two situations

① The customer directly provides the root certificate （ Here we define it as A certificate ）

② We provide csr After the customer signs , The signing certificate returned to us （ Here we define it as B certificate ）

1） The customer directly provides the root certificate

We only need to provide the certificate according to the customer , Convert directly to jks that will do

Reference resources ：https://myssl.com/cert_convert_wasm.html

2） Customer signature is required

① Generate a csr（3 Ways of planting ）

It is recommended to fill in the information in the formal process （ In the final analysis, the key pair is generated

（1） Online generation ：

https://myssl.com/csr_create.html

（2）openssl:

# req  Generate signature request certificate file 
openssl req -new -nodes -sha256 -newkey rsa:2048 -keyout [$Key_File] -out [$OpenSSL_CSR]

① -new： Specify to generate a new CSR file .

② -nodes： Specifies that the key file is not encrypted .

 Usually with follow-up  -newkey  Continuous use 

③ -sha256： Specify the digest algorithm .

 Summary algorithm optional values here ： -sha256 / -sha384 / -sha512 / -sha1

④ -newkey rsa:2048 Specify the key type and length .

 The key type is optional ： rsa / ecdsa
 Key strength optional ： 2048 / 3072 / 4096

⑤ [$Key_File]： Key file name .

⑥ [$OpenSSL_CSR]： The storage path of encrypted files .

（3）keytool：

# certreq  Generate signature request certificate file 
keytool -certreq -sigalg SHA256withRSA -alias [$Alias] -keystore [$Keytool_Path] -file [$Keytool_CSR]

① -sigalg： Key algorithm name .

 optional type ：SHA256withRSA / SHA1withDSA / SHA256withECDSA

② -keysize： The key length is 2048bit.

 Optional values refer to ： 
2048 (when using -genkeypair and -keyalg is "RSA")
1024 (when using -genkeypair and -keyalg is "DSA")
256 (when using -genkeypair and -keyalg is "EC")
56 (when using -genseckey and -keyalg is "DES")
168 (when using -genseckey and -keyalg is "DESede")

③ [$Alias]： Certificate alias , Customizable .

④ [$Keytool_Path]： Save path of certificate file .

② Issued by customer

Usually, the customer will hand it over to CA Issue

（1） utilize openssl Since the issue of the certificate ：

openssl x509 -req -days 3650 -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt

① -days： Expiration time , Usually it is 365 Multiple , The longest is 10 year

②server.csr： We provide a request for signature csr

③ca.crt： Ca Issued by the crt certificate

④ca.key： Ca Issued key

⑤server.crt： Generated signing certificate , Used to provide for our use

（2） utilize keytool Since the issue of the certificate ：

keytool -gencert -infile client.csr -outfile client.cer -alias serverStore -keystore serverStore.jks  -storepass 123456

① client.csr： We provide a request for signature csr

②client.cer： Self issued certificate generated

③ serverStore： Issued certificate alias

④serverStore.jks：crt from pem Convert to jks Certificate

⑤123456： Generate jks Encrypted password for

③ Transformation format

Reference resources ：https://myssl.com/cert_convert_wasm.html

2、 Format conversion problem

①PEM -> JKS

It can be encrypted , from crt/cert Convert to jks, The password part can be used or not .（ Usually supply java Development use ）

②PEM ->PKCS12( Also called PFX)

It can be encrypted , from crt/cert Convert to jks, The password part can be used or not .（ Usually supply C#,VB And so on ）

3、 Overview of the relationship between certificates and issuing certificates

On the whole , Actually belong to A Generate a certificate , You can't give it directly to B,B Need a proof to A, Give Way A Issue a sub certificate to B, Give Way B Can be CA A relation of identification .

CA It can be a public provider , It can also be the private service of the server CA provider .

Tips： The so-called providers here , In fact, it is the storage and detection function of the keystore

① for example java Application validation build

Preset applications are divided into A,B, The corresponding content will be prefixed with A_XX And B_XX To represent respectively A、B application

（1） structure A、B Respective applications CA Certificate root node

Here alias The name is used to query the node （ Although it will eventually become lowercase , But I am still stubborn ）

#A  Server  
keytool -genkey -alias A_root -keyalg RSA -keystore A_root.jks
#B  Server 
keytool -genkey -alias B_root -keyalg RSA -keystore B_root.jks

# see jks Certificate method 
keytool -v -list -keystore xxx.jks

（2） Generate Certificate

（1） Here alias The name is used to query the node

（2）A_client.cer 、B_client.cer Is the root certificate

#  Generate A  Server's certificate  A_client.cer
keytool -export -alias A_root -file A_client.cer -keystore A_root.jks
#  Generate B  Server's certificate  B_client.cer
keytool -export -alias B_root -file B_client.cer -keystore B_root.jks

（3） Generate certificate request

Each generates csr Go and ask the other party to sign and authenticate

# Generate A The certificate request file corresponding to the server 
keytool -certreq -file A.csr -alias A_root -keystore A_root.jks
# Generate B The certificate request file corresponding to the server 
keytool -certreq -file B.csr -alias B_root -keystore B_root.jks

# see CSR
openssl req -noout -text -in xxx.csr

（4） grant a certificate

Issuing certificate request , Make it verifiable by the issuer . Default event 90 God

# Issue B Certificate request for server 
keytool -gencert -infile B.csr -outfile A_signed.cer -alias A_root -keystore A_root.jks
# Issue A Certificate request for server 
keytool -gencert -infile A.csr -outfile B_signed.cer -alias B_root -keystore B_root.jks

# Check the certificate 
openssl x509 -noout -text -in xxx.crt

（5） Join the keystore

Check out the keystore ：keytool -v -list -keystore xxx.jks

1） Add a single key

You need to put the certificates signed by both parties into your own key store , Of course, in business , Add the other party unilaterally

#A  Server 
keytool -import -keystore A_root.jks -file A_signed.cer -alias A_client_signed
keytool -import -keystore A_root.jks -file B_signed.cer -alias B_client_signed

#B  Server 
keytool -import -keystore B_root.jks -file A_signed.cer -alias A_client_signed
keytool -import -keystore B_root.jks -file B_signed.cer -alias B_client_signed

2） Join the entire keystore

#  take B The keystore of is imported into A In the keystore 
keytool -importkeystore -srckeystore A_root.jks -destkeystore B_root.jks
#  take A The keystore of is imported into B In the keystore 
keytool -importkeystore -srckeystore B_root.jks -destkeystore A_root.jks

②ssh Build mutual trust as a server （ Using key pairs ）

In fact, it is based on ssh-key As a login method , Replace simple password login . In fact, it is also the processing of key pairs

Tips ： When switching users With su - , Switch environment variables at the same time

（1） Create user

Usually we subconsciously should prohibit root Log in , Create an administrative user for the logged in user

#  modify SSHD To configure , prohibit root Sign in 
#  lookup “#PermitRootLogin yes”, End of paragraph “yes” Change it to “no”.
vi /etc/ssh/sshd_config

#  Create user 
#  for example ： user name test
useradd -m test
#  Configure a password 
passwd test

（2） allow sudo To configure

In fact, they are all operation files vi /etc/sudoers

Mode one ： Dynamic compatibility

# 1、 Open comments  
# Allows people in group wheel to run all commands
#  Usually  root  The user's group is called  wheel, So we need to untangle the notes 
## centos 
%wheel    ALL=(ALL)    ALL

## ubuntu
%sudo   ALL=(ALL:ALL) ALL


# 2、 Modify the user test, Make it belong to root Group （wheel）
## centos
usermod -g root test

## ubuntu
sudo usermod -aG sudo test

Mode two ： It's all over

#  Add rows directly for the user 
## centos , reference root To write 
# Allow root to run any commands anywhere
root    ALL=(ALL)     ALL
test    ALL=(ALL)     ALL

## Ubuntu, reference root To write 
# User privilege specification
root    ALL=(ALL:ALL) ALL
test    ALL=(ALL:ALL) ALL

（3） Optional changes sshd port

As for why ？ To avoid default port scanning

In fact, it is also an operation on the file vi /etc/ssh/sshd_config

# 1、 Seek  Port 22, Delete # Number , from 0~65536 Select an idle port from the to fill in  
#  for example ：23333
Port 23333

# 2、 restart sshd service 
## centos
service sshd restart

## ubuntu
sudo systemctl restart ssh.service

（4） Set up ssh-key Sign in

1） Generate ssh-key

The following example corresponds to the message ：

ssh-key Generate ：

test And test.pub

#  Mode one ： 
#  Usually ssh-key The operation is as follows , Generate public key 
# -f  file name  -C  remarks   -t  type 
ssh-keygen -t rsa -f test -C "test key"

#  Mode two ：
# openssl  Generate a format compliant key pair 
## 1、 Generate the key  
openssl genrsa -3 -out rsa_key.private
## 2、 Generate public key 
openssl rsa -pubout -in rsa_key.private -out rsa_key.public
## 3、 The public key is converted to ssh  Accepted format PKCS8
ssh-keygen -f rsa_key.public -i -mPKCS8 >id_rsa.pub
## 4、 Get the private key  rsa_key.private  And public key  rsa_key.public
##  be ssh  The key pair is ：id_rsa.pub

2） Upload public key to server

The following corresponds to the example message ：

user ：test

ip Limit ：192.168.0.127

##  Mode one ：  Use ssh-key
# 1、 Upload public key 
ssh-copy-id -i ./test.pub  [email protected]
# It is equivalent to transferring the public key to  test user   In the authorization key file 

# 2、 Set public key permissions  ( Optional , But it is suggested that )
# 1） Guarantee fee root The user cannot operate 
chmod 400 /home/test/.ssh/authorized_keys
# 2） Ensure that permissions are not modified  
# chattr + It is equivalent to recursively processing open file attributes  ,i Do not change any files or directories .
chattr +i /home/test/.ssh/authorized_keys


##  Mode two ： openssl Generate 
# -f  Express the default installation 
ssh-copy-id -f -i ./id_rsa.pub [email protected]

（5） test ssh Sign in

The permission to log in to the public key is 600

# Ordinary ssh-key  Generate  , Call the public key 
ssh -i  test.pub  [email protected]
# opensll  Generate , Call the public key 
ssh-copy-id -f -i ./id_rsa.pub [email protected]

# if ip Changed , The cache is still old , It can be emptied ssh-agent cache 
#  The way 1：  Delete the specified key 
ssh-add -d ~/.ssh/test/test
#  The way 2：  Empty cache 
##  View cache records 
ssh-keygen -l -f ~/.ssh/known_hosts
##  Empty the specified ip
##  For example  192.168.0.127
ssh-keygen -R 192.168.0.127