Making CA certificate ...
Generating a 2048 bit RSA private key
...........................................................................................+++
...........................................................................................................................................................................+++
writing new private key to '/etc/pki/CA/private/./cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:    // enter a password here; the same password is needed for everything that follows
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
// Fill these in as you need, but pay attention to Common Name
// I don't know what the CA root certificate requires for Common Name, but try to make sure it contains the words "Root CA"
Country Name (2 letter code) [XX]:CN                                          // country code
State or Province Name (full name) []:China                                   // full country name
Locality Name (eg, city) [Default City]:BeiJing                               // city
Organization Name (eg, company) [Default Company Ltd]:skills                  // organization name
Organizational Unit Name (eg, section) []:Operations Departments              // organizational unit name
Common Name (eg, your name or your server's hostname) []:CSK Global Root CA   // common name
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/./cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            ee:45:5e:8b:1f:a7:00:5e
        Validity
            Not Before: Jan 10 13:34:46 2024 GMT
            Not After : Jan  9 13:34:46 2027 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = China
            organizationName          = skills
            organizationalUnitName    = Operations Departments
            commonName                = CSK Global Root CA
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                62:08:B0:98:FF:F5:98:7E:4E:1B:3F:BE:08:7E:30:F3:E6:BF:0E:90
            X509v3 Authority Key Identifier:
                keyid:62:08:B0:98:FF:F5:98:7E:4E:1B:3F:BE:08:7E:30:F3:E6:BF:0E:90

            X509v3 Basic Constraints:
                CA:TRUE
Certificate is to be certified until Jan  9 13:34:46 2027 GMT (1095 days)

Write out database with 1 new entries
Data Base Updated
[root@routersrv ~]#
[root@routersrv ~]# /etc/pki/tls/misc/CA -newreq    // request a certificate
Generating a 2048 bit RSA private key
....................................................................................................+++
............+++
writing new private key to 'newkey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:China
Locality Name (eg, city) [Default City]:BeiJing
Organization Name (eg, company) [Default Company Ltd]:skills
Organizational Unit Name (eg, section) []:Operations Departments
Common Name (eg, your name or your server's hostname) []:*.chinaskills.cn
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Request is in newreq.pem, private key is in newkey.pem
[root@routersrv ~]#
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/cakey.pem:
Check that the request matches the signature
Signature ok
...
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
...
Signed certificate is in newcert.pem
[root@routersrv ~]# ls
anaconda-ks.cfg  newcert.pem  newkey.pem  newreq.pem
[root@routersrv ~]#
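The CA creation, certificate request and signing steps shown above, repeated with plain openssl commands so that every extension is explicit, and followed by the checks worth running before the files are deployed. This is an added example, not part of the original post: the scratch directory, the demo passphrase "changeit", the 12-month leaf validity and the check functions are assumptions; the subject names are copied from the transcript. It also goes one step beyond the transcript by putting the wildcard name into subjectAltName, because browsers match SAN and ignore a name that appears only in CN.

```shell
#!/bin/sh
# Added example, not from the original page: the CA -> request -> sign flow the
# transcript performs with /etc/pki/tls/misc/CA, done with plain openssl commands,
# followed by the checks worth running before deploying the result.
# Constructed/assumed: a scratch directory instead of /etc/pki/CA, the demo
# passphrase "changeit", and subject names copied from the transcript.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl not installed" >&2; exit 0; }

CA_DIR="$(mktemp -d)"       # constructed scratch directory
CA_PASS="pass:changeit"     # constructed demo passphrase; the CA script prompts for it instead

# 1. Root CA key and self-signed certificate. basicConstraints CA:TRUE is what makes
#    it a CA; pathlen:0 stops certificates it issues from acting as intermediates,
#    and keyUsage limits the key to signing certificates and CRLs.
make_root_ca() {
    cat > "$CA_DIR/ca.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
C = CN
ST = China
L = BeiJing
O = skills
OU = Operations Departments
CN = CSK Global Root CA
[v3_ca]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
    openssl genrsa -aes256 -passout "$CA_PASS" -out "$CA_DIR/cakey.pem" 2048 2>/dev/null
    openssl req -x509 -new -key "$CA_DIR/cakey.pem" -passin "$CA_PASS" \
        -config "$CA_DIR/ca.cnf" -days 1095 -sha256 -out "$CA_DIR/cacert.pem"
}

# 2. Server key and request (the transcript's CA -newreq step).
make_server_request() {
    cat > "$CA_DIR/req.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
[dn]
C = CN
ST = China
L = BeiJing
O = skills
OU = Operations Departments
CN = *.chinaskills.cn
EOF
    openssl genrsa -out "$CA_DIR/newkey.pem" 2048 2>/dev/null
    openssl req -new -key "$CA_DIR/newkey.pem" -config "$CA_DIR/req.cnf" -out "$CA_DIR/newreq.pem"
}

# 3. Signing step. The transcript carries the wildcard only in CN; clients match
#    subjectAltName, so the name is added there. CA:FALSE keeps the server
#    certificate from being usable to issue further certificates.
sign_server_request() {
    cat > "$CA_DIR/leaf.cnf" <<'EOF'
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:*.chinaskills.cn,DNS:chinaskills.cn
EOF
    openssl x509 -req -in "$CA_DIR/newreq.pem" -days 365 -sha256 \
        -CA "$CA_DIR/cacert.pem" -CAkey "$CA_DIR/cakey.pem" -passin "$CA_PASS" \
        -CAcreateserial -extfile "$CA_DIR/leaf.cnf" -out "$CA_DIR/newcert.pem" 2>/dev/null
}

# 4. Deployment checks: the chain verifies, the root is a CA, the leaf is not,
#    the SAN carries the wildcard, and a certificate from an unrelated CA is rejected.
verify_chain()   { openssl verify -CAfile "$CA_DIR/cacert.pem" "$CA_DIR/newcert.pem" >/dev/null 2>&1; }
root_is_ca()     { openssl x509 -in "$CA_DIR/cacert.pem"  -noout -text | grep -q 'CA:TRUE'; }
leaf_is_not_ca() { openssl x509 -in "$CA_DIR/newcert.pem" -noout -text | grep -q 'CA:FALSE'; }
leaf_has_san()   { openssl x509 -in "$CA_DIR/newcert.pem" -noout -text | grep -q 'DNS:\*\.chinaskills\.cn'; }
stray_cert_rejected() {
    openssl req -x509 -new -newkey rsa:2048 -nodes -keyout "$CA_DIR/other.key" \
        -config "$CA_DIR/req.cnf" -subj "/CN=Other CA" -days 1 -out "$CA_DIR/other.pem" 2>/dev/null
    ! openssl verify -CAfile "$CA_DIR/cacert.pem" "$CA_DIR/other.pem" >/dev/null 2>&1
}

make_root_ca && make_server_request && sign_server_request
verify_chain && root_is_ca && leaf_is_not_ca && leaf_has_san && echo "chain OK, files in $CA_DIR"
```

The files cakey.pem, cacert.pem, newkey.pem, newreq.pem and newcert.pem end up in the scratch directory with the same roles as in the transcript; `openssl verify -CAfile cacert.pem newcert.pem` is the same check a client performs, and running it before installing the certificate catches a request signed by the wrong CA or a missing SAN.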
Apache service configuration files
[root@appsrv ~]# vim /etc/httpd/conf
conf/            conf.d/          conf.modules.d/
// configuration files   executable files   templates
// Require all granted: allow access from all hosts
// Require all denied: deny access from all hosts
// Require local: allow access only from the local host
// Require [not] host <list of host names or domains>: allow or deny access from the listed hosts or domains
// Require [not] ip <list of IP addresses or networks>: allow or deny access from the listed IP addresses or networks
NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MariaDB SERVERS IN PRODUCTION USE! PLEASE READ EACH STEP CAREFULLY!
In order to log into MariaDB to secure it, we'll need the current password for the root user. If you've just installed MariaDB, and you haven't set the root password yet, the password will be blank, so you should just press enter here.
Enter current password for root (enter for none): OK, successfully used password, moving on...
Setting the root password ensures that nobody can log into the MariaDB root user without the proper authorisation.
Set root password? [Y/n] y    // set the root password
New password:
Re-enter new password:
Password updated successfully!
Reloading privilege tables..
 ... Success!
By default, a MariaDB installation has an anonymous user, allowing anyone to log into MariaDB without having to have a user account created for them. This is intended only for testing, and to make the installation go a bit smoother. You should remove them before moving into a production environment.
Remove anonymous users? [Y/n] y    // remove the anonymous users?
 ... Success!
Normally, root should only be allowed to connect from 'localhost'. This ensures that someone cannot guess at the root password from the network.
Disallow root login remotely? [Y/n] n    // disallow remote root login?
 ... skipping.
By default, MariaDB comes with a database named 'test' that anyone can access. This is also intended only for testing, and should be removed before moving into a production environment.
Remove test database and access to it? [Y/n] y    // remove the test database and the privileges on it?
 - Dropping test database...
 ... Success!
 - Removing privileges on test database...
 ... Success!
Reloading the privilege tables will ensure that all changes made so far will take effect immediately.
Reload privilege tables now? [Y/n] y    // reload the privilege tables, i.e. save the changes
 ... Success!
Cleaning up...
All done! If you've completed all of the above steps, your MariaDB installation should now be secure.
[root@appsrv ~]# mysql -u root -p    // log in as root with the password
Enter password:
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 10
Server version: 5.5.68-MariaDB MariaDB Server
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
// create the root user and grant it all privileges
MariaDB [(none)]> grant all privileges on *.* to 'root'@'%' identified by '000000' with grant option;
Query OK, 0 rows affected (0.00 sec)
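The grant above creates 'root'@'%', a superuser reachable from every host with GRANT OPTION, which undoes the "disallow root login remotely" step of mysql_secure_installation. As an added example that is not part of the original post, the script below prints the statements a deployer would run instead: drop that account, create a least-privilege application account limited to one database and one source network, and list whatever is still reachable from '%'. The database name webdata, the account name webapp, the network 192.168.100.% and the password are placeholders; the minimum password length and the refusal of host '%' are choices made for this example.

```shell
#!/bin/sh
# Added example, not from the original page: replacement for the transcript's
# GRANT ALL ... TO 'root'@'%' with a scoped application account. Root stays on
# localhost, as mysql_secure_installation intends.
# Constructed/assumed: database "webdata", account "webapp", network
# 192.168.100.% and the password are placeholders to be replaced.

# hardening_sql DB USER HOST PASSWORD -> SQL on stdout; non-zero exit if the
# inputs would recreate the weakness (an any-host account, or a password as
# short as the "000000" in the transcript).
hardening_sql() {
    db="$1"; user="$2"; host="$3"; pass="$4"
    case "$host" in
        ''|'%') echo "refusing: host '%' would create another any-host account" >&2; return 1 ;;
    esac
    case "$pass" in
        ????????????*) ;;   # twelve or more characters: the floor chosen for this example
        *) echo "refusing: password shorter than 12 characters" >&2; return 1 ;;
    esac
    cat <<EOF
-- remove the account the transcript created; MariaDB 5.5 has no DROP USER IF EXISTS,
-- so this statement fails if the account is already gone
DROP USER 'root'@'%';
-- dedicated application account: one database, one network, cannot delegate privileges
CREATE USER '${user}'@'${host}' IDENTIFIED BY '${pass}';
GRANT SELECT, INSERT, UPDATE, DELETE ON \`${db}\`.* TO '${user}'@'${host}';
FLUSH PRIVILEGES;
-- audit: this should return no rows once every any-host account is gone
SELECT user, host FROM mysql.user WHERE host = '%';
EOF
}

# apply_hardening DB USER HOST PASSWORD: pipe the statements into the local server
# as root; prompts for the root password set by mysql_secure_installation above.
apply_hardening() {
    hardening_sql "$@" | mysql -u root -p
}

# Usage with placeholder values (prints the SQL, applies nothing):
hardening_sql webdata webapp '192.168.100.%' 'replace-with-a-long-secret'
```

Run `apply_hardening` only after checking the printed SQL; the final SELECT is the check to repeat after any later GRANT, since a single `'%'` host entry reopens the server to every network the port is reachable from.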
[root@appsrv webdata]# systemctl enable httpd
Created symlink from /etc/systemd/system/multi-user.target.wants/httpd.service to /usr/lib/systemd/system/httpd.service.
[root@appsrv webdata]# vim /usr/lib/systemd/system/httpd.service    // open the unit file
[Unit]
Description=The Apache HTTP Server
After=network.target remote-fs.target nss-lookup.target
Documentation=man:httpd(8)
Documentation=man:apachectl(8)

[Service]
Type=notify
EnvironmentFile=/etc/sysconfig/httpd
ExecStart=/usr/sbin/httpd $OPTIONS -DFOREGROUND
ExecReload=/usr/sbin/httpd $OPTIONS -k graceful
ExecStop=/bin/kill -WINCH ${MAINPID}
# We want systemd to give httpd some time to finish gracefully, but still want
# it to kill httpd after TimeoutStopSec if something went wrong during the
# graceful stop. Normally, Systemd sends SIGTERM signal right after the
# ExecStop, which would kill httpd. We are sending useless SIGCONT here to give
# httpd time to finish.
KillSignal=SIGCONT
PrivateTmp=true