發表者討論內容

冷日
(冷日) 發表時間：2016/5/10 2:30

Webmaster

註冊日: 2008/2/19
來自:
發表數: 15773

[轉貼]在 Mac 和 Linux 使用 SSH

如何在Azure 的 Linux 和 Mac 使用 SSH
透過 Ralph Squillace 更新日期： 12/15/2015

本主題描述如何在 Linux 和 Mac 上使用 ssh-keygen 和 openssl，以建立和使用 ssh-rsa 格式和 .pem 格式檔案來保護與 Linux 型 Azure VM 的安全通訊。建議您建立新的部署時，使用資源管理員部署模型建立以 Linux 為基礎的 Azure 虛擬機器，並採用 ssh-rsa 類型的公用金鑰檔案或字串 (取決於部署用戶端)。Azure 入口網站目前只接受 ssh-rsa 格式的字串，無論是傳統部署或資源管理員部署。
注意：
Azure 建立和處理資源的部署模型有二種：資源管理員和傳統。本文將說明如何使用這兩個模型，但 Microsoft 建議大多數新的部署請使用資源管理員模型。

若要建立這些類型的檔案，用於Windows 電腦與 Azure 中的 Linux VM 進行安全通訊，請參閱在 Windows 上使用 SSH 金鑰。
您需要哪些檔案？

Azure 的基本 SSH 安裝程式包含 2048 位元的 ssh-rsa 公用和私密金鑰組 (根據預設，ssh-keygen 會將這些檔案儲存為 ~/.ssh/id_rsa 和 ~/.ssh/id-rsa.pub，除非變更預設值) 以及從 id_rsa 私密金鑰檔案產生的 .pem 檔案，以搭配傳統入口網站的傳統部署模型使用。

以下是部署案例，以及您在每個案例中使用的檔案類型：

任何使用 Azure 入口網站的部署都需要 ssh-rsa 金鑰，無論部署模型為何。
需要 .pem 檔案才能使用傳統入口網站來建立 VM。使用 Azure CLI 的傳統部署也支援 .pem 檔案。

建立金鑰與 SSH 搭配使用

Azure 需要 ssh-rsa 格式 2048 位元的金鑰檔案，或對等的.pem 檔案，取決於您的案例。如果您已經有這類檔案，在建立 Azure VM 時傳遞公開金鑰檔。

如果您需要建立檔案：

請確定您的 ssh-keygen 和 openssl 實作是最新版。這會因平台而異。
若是 Mac，請務必瀏覽 Apple 產品安全性網站，必要時選擇適當的更新。

若是 Ubuntu、Debian、Mint 等 Debian 型的 Linux 散發套件：

        sudo apt-get update ssh-keygen
        sudo apt-get update openssl

若是 CentOS、Oracle Linux 等 RPM 型的 Linux 散發套件：

        sudo yum update ssh-keygen
        sudo yum update openssl

若是 SLES 和 OpenSUSE

        sudo zypper update ssh-keygen
        sudo zypper update openssl

使用 ssh-keygen 建立 2048 位元 RSA 公開和私密金鑰檔案，且除非您有要用於檔案的特定位置或特定名稱，否則接受預設位置和名稱 ~/.ssh/id_rsa。基本命令是：

    ssh-keygen -t rsa -b 2048

正常情況下，您的 ssh-keygen 實作會加入註解，通常是使用者名稱和電腦的主機名稱。您可以使用 -C 選項指定特定的註解。

從您 ~/.ssh/id_rsa 檔案建立.pem 檔案，以便您使用傳統的入口網站。使用 openssl，如下所示：

    openssl req -x509 -key ~/.ssh/id_rsa -nodes -days 365 -newkey rsa:2048 -out myCert.pem

如果您想要從不同的私密金鑰檔案建立.pem 檔案，請修改 -key 引數。

注意：
如果您打算管理使用傳統部署模型部署的服務，您可能也想要建立 .cer 格式檔案以上傳至入口網站 - 雖然這不牽涉到 ssh 或連接到 Linux VM，這是本文的主題。若要在 Linux 或 Mac 上建立這些檔案，輸入：

openssl.exe x509 -outform der -in myCert.pem -out myCert.cer

將.pem 檔案轉換成 DER 編碼的 x509 憑證檔案。
使用您有的 SSH 金鑰

您可以在所有新工作使用 ssh rsa (.pub) 金鑰，尤其是資源管理員部署模型和預覽入口網站；如果您需要使用傳統入口網站，您可能需要從您的金鑰建立 .pem 檔案。
建立 VM 與您的公開金鑰檔案

建立所需的檔案之後，有許多方法可以建立能使用公開-私密金鑰交換進行安全連線的 VM。在幾乎所有的情況下，尤其是使用資源管理員部署，請在系統提示您提供 ssh 金鑰檔案路徑或檔案內容字串時，傳遞.pub 檔案。
範例：建立 VM with the id_rsa.pub 檔案

最常見的用法是以命令方式建立 VM 時 - 或上傳範本建立 VM 時。下列程式碼範例示範在 Azure 中建立新的、安全 Linux VM，做法是將公開檔案名稱 (在此案例中是預設 ~/.ssh/id_rsa.pub 檔案) 傳遞給 azure vm create 命令。(其他引數已事先建立。)

azure vm create \
--nic-name testnic \
--public-ip-name testpip \
--vnet-name testvnet \
--vnet-subnet-name testsubnet \
--storage-account-name computeteststore
--image-urn canonical:UbuntuServer:14.04.3-LTS:latest \
--username ops \
-ssh-publickey-file ~/.ssh/id_rsa.pub \
testrg testvm westeurope linux

下一個範例示範如何使用 ssh-rsa 格式與資源管理員範本和 Azure CLI，建立受到使用者名稱和 ~/.ssh/id_rsa.pub 內容字串保護的 Ubuntu VM。(本範例縮短公開金鑰字串以利閱讀。)

azure group deployment create \
--resource-group test-sshtemplate \
--template-uri https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/101-vm-sshkey/azuredeploy.json \
--name mysshdeployment
info:    Executing command group deployment create
info:    Supply values for the following parameters
testnewStorageAccountName: testsshvmtemplate3
adminUserName: ops
sshKeyData: ssh-rsa AAAAB3NzaC1yc2EAAAADAQA+/L+rHIjz+nXTzxApgnP+iKDZco9 user@macbookpro
dnsNameForPublicIP: testsshvmtemplate
location: West Europe
vmName: sshvm
+ Initializing template configurations and parameters
+ Creating a deployment
info:    Created template deployment "mysshdeployment"
+ Waiting for deployment to complete
data:    DeploymentName     : mysshdeployment
data:    ResourceGroupName  : test-sshtemplate
data:    ProvisioningState  : Succeeded
data:    Timestamp          : 2015-10-08T00:12:12.2529678Z
data:    Mode               : Incremental
data:    TemplateLink       : https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/101-vm-sshkey/azuredeploy.json
data:    ContentVersion     : 1.0.0.0
data:    Name                   Type    Value

data:    newStorageAccountName  String  testtestsshvmtemplate3
data:    adminUserName          String  ops
data:    sshKeyData             String  ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDAkek3P6V3EhmD+xP+iKDZco9 user@macbookpro
data:    dnsNameForPublicIP     String  testsshvmtemplate
data:    location               String  West Europe
data:    vmSize                 String  Standard_A2
data:    vmName                 String  sshvm
data:    ubuntuOSVersion        String  14.04.2-LTS
info:    group deployment create command OK

範例：以 .pem 檔案建立 VM

接著您可以使用 .pem 檔案搭配傳統入口網站或是搭配傳統部署模式和 azure vm create，如以下範例所示：

azure vm create \
-l "West US" -n testpemasm \
-P -t myCert.pem -e 22 \
testpemasm \
b39f27a8b8c64d52b05eac6a62ebad85__Ubuntu-14_04_3-LTS-amd64-server-20150908-zh-TW-30GB \
ops
info:    Executing command vm create
warn:    --vm-size has not been specified. Defaulting to "Small".
+ Looking up image b39f27a8b8c64d52b05eac6a62ebad85__Ubuntu-14_04_3-LTS-amd64-server-20150908-zh-TW-30GB
+ Looking up cloud service
info:    cloud service testpemasm not found.
+ Creating cloud service
+ Retrieving storage accounts
+ Configuring certificate
+ Creating VM
info:    vm create command OK

連接到您的 VM

ssh 命令需要登入用的使用者名稱、電腦的網路位址、要連接至該位址的連接埠、以及許多其他特殊變數。(如需關於 ssh 的詳細資訊，您可先從此篇安全殼層說明文章開始了解)

資源管理員部署的典型用法看起來如下 (如果您只是指定子網域和部署位置)：

ssh user@subdomain.westus.cloudapp.azure.com -p 22

或者，如果您要連接至傳統部署雲端服務，您使用的位址可能看起來像這樣：

ssh user@subdomain.cloudapp.net -p 22

因為位址形式可以變更 - 您永遠可以使用的 IP 位址，也或許使用您指派的自訂網域名稱 - 您將必須探索 Azure VM 的位址。
探索搭配傳統部署之 Azure VM SSH 的位址

您可以使用 azure vm show 命令搭配 VM 名稱，來探索用於 VM 與傳統部署模型的位址：

azure vm show testpemasm
info:    Executing command vm show
+ Getting virtual machines
data:    DNSName "testpemasm.cloudapp.net"
data:    Location "West US"
data:    VMName "testpemasm"
data:    IPAddress "100.116.160.154"
data:    InstanceStatus "ReadyRole"
data:    InstanceSize "Small"
data:    Image "b39f27a8b8c64d52b05eac6a62ebad85__Ubuntu-14_04_3-LTS-amd64-server-20150908-zh-TW-30GB"
data:    OSDisk hostCaching "ReadWrite"
data:    OSDisk name "testpemasm-testpemasm-0-201510102050230517"
data:    OSDisk mediaLink "https://portalvhds4blttsxgjj1rf.blob.core.windows.net/vhd-store/testpemasm-2747c9c432b043ff.vhd"
data:    OSDisk sourceImageName "b39f27a8b8c64d52b05eac6a62ebad85__Ubuntu-14_04_3-LTS-amd64-server-20150908-zh-TW-30GB"
data:    OSDisk operatingSystem "Linux"
data:    OSDisk iOType "Standard"
data:    ReservedIPName ""
data:    VirtualIPAddresses 0 address "40.83.178.221"
data:    VirtualIPAddresses 0 name "testpemasmContractContract"
data:    VirtualIPAddresses 0 isDnsProgrammed true
data:    Network Endpoints 0 localPort 22
data:    Network Endpoints 0 name "ssh"
data:    Network Endpoints 0 port 22
data:    Network Endpoints 0 protocol "tcp"
data:    Network Endpoints 0 virtualIPAddress "40.83.178.221"
data:    Network Endpoints 0 enableDirectServerReturn false
info:    vm show command OK

探索搭配資源管理員部署之 Azure VM SSH 的位址

azure vm show testrg testvm
info:    Executing command vm show
+ Looking up the VM "testvm"
+ Looking up the NIC "testnic"
+ Looking up the public ip "testpip"

請檢查網路設定檔 (Network Profile) 區段：

data:    Network Profile:
data:      Network Interfaces:
data:        Network Interface #1:
data:          Id                        :/subscriptions/<guid>/resourceGroups/testrg/providers/Microsoft.Network/networkInterfaces/testnic
data:          Primary                   :true
data:          MAC Address               :00-0D-3A-21-8E-AE
data:          Provisioning State        :Succeeded
data:          Name                      :testnic
data:          Location                  :westeurope
data:            Private IP alloc-method :Static
data:            Private IP address      :192.168.1.101
data:            Public IP address       :40.115.48.189
data:            FQDN                    :testsubdomain.westeurope.cloudapp.azure.com
data:
data:    Diagnostics Instance View:
info:    vm show command OK

如果您建立 VM 時沒有使用預設的 SSH 連接埠 22，您可以使用 azure network nsg show 命令探索具有輸入規則的連接埠，如下列範例所示：

azure network nsg show testrg testnsg
info:    Executing command network nsg show
+ Looking up the network security group "testnsg"
data:    Id                              : /subscriptions/<guid>/resourceGroups/testrg/providers/Microsoft.Network/networkSecurityGroups/testnsg
data:    Name                            : testnsg
data:    Type                            : Microsoft.Network/networkSecurityGroups
data:    Location                        : westeurope
data:    Provisioning state              : Succeeded
data:    Security group rules:
data:    Name                           Source IP          Source Port  Destination IP  Destination Port  Protocol  Direction  Access  Priority
data:    -----------------------------  -----------------  -----------  --------------  ----------------  --------  ---------  ------  --------
data:    testnsgrule                    *                  *            *               22                Tcp       Inbound    Allow   1000
data:    AllowVnetInBound               VirtualNetwork     *            VirtualNetwork  *                 *         Inbound    Allow   65000
data:    AllowAzureLoadBalancerInBound  AzureLoadBalancer  *            *               *                 *         Inbound    Allow   65001
data:    DenyAllInBound                 *                  *            *               *                 *         Inbound    Deny    65500
data:    AllowVnetOutBound              VirtualNetwork     *            VirtualNetwork  *                 *         Outbound   Allow   65000
data:    AllowInternetOutBound          *                  *            Internet        *                 *         Outbound   Allow   65001
data:    DenyAllOutBound                *                  *            *               *                 *         Outbound   Deny    65500
info:    network nsg show command OK

範例：使用 .pem 金鑰和傳統部署之 SSH 工作階段的輸出

如果您使用從您的 ~/.ssh/id_rsa 檔案建立之 .pem 檔案建立虛擬機器，可以直接 ssh 到該 VM。請注意，當您這樣做，憑證交握會使用您在 ~/.ssh/id_rsa 的私密金鑰。(VM 建立程序會從 .pem 計算公開金鑰，並將 ssh-rsa 形式的公開金鑰放在 ~/.ssh/authorized_users 中。) 連線可能看起來像以下範例：

ssh ops@testpemasm.cloudapp.net -p 22
The authenticity of host 'testpemasm.cloudapp.net (40.83.178.221)' can't be established.
RSA key fingerprint is dc:bb:e4:cc:59:db:b9:49:dc:71:a3:c8:37:36:fd:62.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'testpemasm.cloudapp.net,40.83.178.221' (RSA) to the list of known hosts.
Welcome to Ubuntu 14.04.3 LTS (GNU/Linux 3.19.0-28-generic x86_64)

* Documentation:  https://help.ubuntu.com/

System information as of Sat Oct 10 20:53:08 UTC 2015

System load: 0.52              Memory usage: 5%   Processes:       80
Usage of /:  45.3% of 1.94GB   Swap usage:   0%   Users logged in: 0

Graph this data and manage this system at:
    https://landscape.canonical.com/

Get cloud support with Ubuntu Advantage Cloud Guest:
    http://www.ubuntu.com/business/services/cloud

0 packages can be updated.
0 updates are security updates.

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

如果您遇到連接問題

您可以閱讀疑難排解 SSH 連接中的建議，試試是否能解決狀況。
後續步驟

既然您已連接到您的 VM，請務必先更新您所選的散發套件，再繼續使用它。

原文出處：在 Mac 和 Linux 使用 SSH |Microsoft Azure

回覆

冷日
(冷日) 發表時間：2016/5/10 2:34

Webmaster

註冊日: 2008/2/19
來自:
發表數: 15773

[轉貼]設定.建立 SSL 憑證

【Linux-Service】設定.建立SSL憑證

Posted on 2014-08-24 by 亞索數位

設定.建立SSL憑證筆記

STEP 1：
到 /etc/httpd/conf/ 目錄下來建立憑證，目錄下有許多 ssl.* 的目錄，建立後的憑證要各別放入所屬的目錄中。
# cd /etc/httpd/conf/

STEP 2：

建立 server.key 使用 1024-bit key 加密，一般也可使用 512-bit key 或 2048 -bit key，使用越大的 bit 數加密，解密的時間越長，雖然安全性越高，但所花的連線時間也會越長，所以建議使用 1024-bit 即可，因2016年對於1024-bit加密憑證即將不予採用，因此如果網站須要有對外服務申請正式憑證的請使用2048-bit加密

# openssl genrsa -out server.key 1024

Generating RSA private key, 1024 bit long modulus
..++++++
…….++++++++
e is 65537 (0x10001)
每次執行時上面的訊息都會有些許不同，檢查執行後目錄下是否有產生 server.key 的檔案。

STEP 3：
建立 server.crt 憑證，有效時間為 365 天，使用 X.509 憑證格式。

# openssl req -new -key server.key -out server.crt -x509 -days 365

You are about to ....................................................................................
...................................................................................................................
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]：TW　＜輸入國家簡稱（兩個字母）
State or Province Name (full name) [Berkshire]：Taiwan　＜輸入省或州
Locality Name (eg, city) [Newbury]：Taipei　＜輸入城市名稱
Organization Name (eg, company) [My Company Ltd]：XYZ　＜輸入公司名稱
Organizational Unit Name (eg, section) [ ]：ABC　＜輸入部門
Common Name (eg, your name or your server's hostname) [ ]：www.xyz.com.tw　
＜建議輸入主機的FQDN
Email Address [ ]：[email protected]＜輸入管理者的mail

檢查執行後目錄下是否有產生 server.crt 的檔案。
在Linux下只要兩行指令即可產生憑證及key。

STEP 4：
接下來只要將 server.crt 及 server.key 搬移到相關的目錄中即可。

# mv server.key /etc/httpd/conf/ssl.key/

# mv server.crt /etc/httpd/conf/ssl.crt/

STEP 5：
若不知道你的 httpd 所放置 crt 及 key 的位置，可檢查 httpd.conf 裡，SSLCertificateFile 及 SSLCertificateKeyFile　的參數。

#vi /etc/httpd/conf/httpd.conf

SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key

6. 最後只要重新啟動 httpd 新的憑證即可生效。
# service httpd restart

二、網路版本（應適用舊版本Linux，也適用FC3及REL4）
STEP 1：
先建立 server.csr

# openssl req -new > server.csr

Generating a 1024 bit RSA private key
.++++++
.........................................++++++++
writing new private key to 'privkey.pem'
Enter PEM pass phrase：　＜輸入四碼以上的 password
Verifying - Enter PEM pass phrase：　＜再輸入一次四碼以上的 password
-----
You are ....................................
-----
Country Name (2 letter code) [GB]：TW　＜輸入國家簡稱，以下與方法一相同。
.............................
Please enter ..................
A challenge password [ ]：　＜直接按"Enter"
An optional company name [ ]：　＜直接按"Enter"

執行後會產生兩個檔案 server.csr 及 privkey.pem。

STEP 2：
接下來產生加密的 key

# openssl rsa -in privkey.pem -out server.key

Enter pass phrase for privkey.pem：　＜輸入上一個指令中phrase 的 password，必須要與上一個指令中所輸入的 phrase 密碼一樣，輸入後會寫入 server.key 中。
執行後會產生 server.key 的檔案。

STEP 3：
最後產生 server.crt 的憑證

# openssl x509 -in server.csr -out server.crt -req -signkey server.key -days 365

執行後會產生 server.crt 的憑證。

STEP 4：
接下來只要將 server.crt 及 server.key 搬移到相關目錄中，然後將 httpd 重新啟動即可生效。

三、由第三方產生憑證 (申請正式使用 .csr，個人使用俗稱假憑證 .crt)
若要由第三方公信單位授發憑證，則需產生 server.csr 檔案

# openssl genrsa -out server.key 1024

# openssl req -new -key server.key -out server.csr

執行後會產生 server.csr 的檔案，並將 server.csr 寄給第三方公信單位產生 server.crt 憑證即可。

額外說明：

一般正式憑證來的時候會收到如下的檔案
依據以下的步驟即可將憑證匯入併讓正式環境使用 ( 以nginx為例 )，憑證編碼的內容示意圖如下所圖

1. cat uca_2.cer uca_1.cer > uca.cer
2. cat server.cer uca.cer > server.cer
3. 開啟 /usr/local/etc/nginx/nginx.conf , 將SSL設定進行編輯
4. 設定ssl_certificate /path/to/server.cer; #伺服器憑證路徑
5. 重新啟動NginX

<<< 注意事項 >>>

***************************************************************************************

目前SSL憑證皆需從SHA1提升至SHA256，相關訊息如下：

1. 為何需提升至SHA 256 SSL 憑證？

依據國際組織(CA/Browser Forum) 及作業系統與瀏覽器廠商規範，
CA 憑證機構於2016/1/1起不可再簽發SHA1 SSL 憑證，而作業系統與瀏覽器廠商亦安排於2017/1/1 後不支援SHA1 SSL 憑證，故導入使用SHA256 SSL 憑證已為國際必然趨勢。

2. Google Chrome 瀏覽器於https 連線時，出現黃色三角形圖示，其意義為何？

Google Chrome 瀏覽器，自版本39起(2014/11下旬發布)，針對SSL 憑證(及其憑證鏈)所使用之”雜湊演算法”與”憑證效期”進行了相關檢查，因應不同檢查結果會有其特定圖示表示之，但不影響憑證的使用及功能，僅為提醒之意義。

3. 原SHA1 SSL 憑證若要置換為SHA256 SSL 憑證，該怎麼進行？

需請您產製一份新的CSR(憑證請求檔，CN=貴公司網站名稱)，並以固定之信件標題：“SHA256SSL 憑證置換+貴公司網站名稱”，寄送給TWCA 客服信箱： [email protected]
，若您的來信格式符合上述要求且資料完整無誤，
TWCA於五個工作天內審驗核發，並寄送至貴公司技術聯絡人信箱內。

4. SHA1 SSL & SHA256 SSL憑證有何不同？

除 SSL 憑證本身之雜湊演算法提升為 SHA256以提供更高安全性外，亦配合國際規範要求，一併提升憑證鏈之憑證轉為 SHA256 雜湊演算法，故請於安裝時遵照操作手冊程序，完成全部憑證之安裝與更新。

5. 軟體支援性說明

Microsoft Windows XP SP2(含) 之前版本，不支援 SHA256 雜湊演算法。

Microsoft Windows Server 2003 SP2(含) 之前版本，不支援 SHA256 雜湊演算法。(安裝 KB 938397, KB 968730 後可支援 SHA256)
Mac OS X 10.5(不含) 之前版本，不支援 SHA256 雜湊演算法。
iOS 5.0(不含) 之前版本，會出現憑證不信任提示。
Android 4.0(不含) 之前版本，會出現憑證不信任提示。
Java 1.4.2(不含) 之前版本，不支援 SHA256 雜湊演算法。
Apache 2.0.63(不含) 之前版本[使用OpenSSL 0.9.8o(不含) 之前版本]，不支援 SHA256 雜湊演算法。
IBM HTTP Server 8.5(不含) 之前版本，不支援 SHA256 雜湊演算法。
F5 BIG-IP 10.1.0(不含) 之前版本，不支援 SHA256 雜湊演算法。

原文出處：【Linux-Service】設定.建立SSL憑證 – 亞索筆記

回覆

冷日
(冷日) 發表時間：2016/5/10 2:39

Webmaster

註冊日: 2008/2/19
來自:
發表數: 15773

[轉貼]Cisco IronPort WSA: Configuring management and HTTPS proxy certificates

Cisco IronPort WSA: Configuring management and HTTPS proxy certificates

By Jeff on June 17, 2014 in Networking

Cisco IronPort S170 I’ve been working on a Cisco IronPort WSA deployment for the past few weeks and I’ve noticed the documentation available from various sources (Cisco’s docs, Google, etc.) is pretty sparse. Most of the functionality is pretty easy to figure out, but I did notice that the documentation for configuring the management certificate and the HTTPS proxy certificate was lacking. So, here’s a quick guide for getting the certificates issued (from a MS CA) and installed on the WSA.

Assumptions

For the purposes of the blog post, I’m going to assume that your MS CA is properly configured for certificate enrollment. Additionally, I’m going to use the following placeholder hostnames:

IronPort Web Security Appliance = wsa

MS CA web enrollment server = certauthor

Microsoft CA Templates

Regardless of how your certificate authority is setup, you should have some default certificate templates. The templates that we’re concerned with (and that I assume are setup properly) are:

Subordinate Certificate Authority – used for the HTTPS proxy
Web Server – used for securing web management sessions (and optionally encrypted authentication)

There are scenarios where installing these certificates might not be required, but my assumption is that you want to get both the management certificate and HTTPS proxy certificate installed.

Provisioning Certificates

There are numerous ways to created private keys, certificate requests, and get them signed by the CA. However, I’ve found that the easiest way is by using the OpenSSL toolkit (get it
here). This section will show you how to generate the private keys/CSRs, submit them to the CA, and install them into the WSA.

Generating Private Keys and CSRs

The following are the commands are used to generate the private keys and CSRs we need for the CA:

Web Server Certificate
openssl genrsa -out web.key 1024
openssl req -new -out web.csr -key web.key

Subordinate CA Certificate
openssl genrsa -out sub-ca.key 1024
openssl req -new -out sub-ca.csr -key sub-ca.key

Fig 1. OpenSSL Commands

If you get the “unable to write ‘random state'” message from OpenSSL on Windows, you’ll need to run the command prompt as an administrator

Submitting the CSRs

In preparation for submitting the CSR to the CA you will want to have the .csrfiles (generated earlier) open in your favorite text editor. Then, you need to complete the following steps:

a. Navigate to https://certauthor/certsrv which will bring you to the following web page:

Fig 2. CSR – Step 1

b. Click the Request a certificate link which will bring you to the following web page:

Fig 3. CSR – Step 2

c. Click the Submit a certificate request by using a base-64-encoded… link which will bring you to the following page:

Fig 4. CSR – Step 3

d. Paste the contents of the web.csr file into the field labeled Base-64-encoded certificate request.

e. Select the Web Server certificate template.

f. Click Submit > and, depending on your CA settings, you will be taken to a page that will allow you to download the certificate.

g. Select the DER format and save the certificate with your .key and .csr files

h. Repeat steps a through g for the sub-ca.csr using the Subordinate Certificate Authority template instead.

Converting DER to PEM

Now that we have the signed certificates from the CA, we’re ready to convert them from the DER format to the PEM format (the WSA expects the PEM format). To do that we’ll need to go back to the command line a run a few more commands:

Web Server Conversion
openssl x509 -inform der -in web.cer -out web.pem
Subordinate CA Conversion
openssl x509 -inform der -in sub-ca.cer -out sub-ca.pem

Fig 5. DER to PEM

That’s it as far as the certificate provisioning is concerned. Next we’ll be importing the certificates into the WSA appliance for use.

Installing the Certificates

Management Certificate

The installation of the management certificate is pretty simple. The process goes like this:

Log into your WSA via SSH
Type certconfig and press return
Type setup and press return
Type Y to confirm that you want to continue and press return
You will be prompted to “ paste cert in PEM format (end with ‘.’):“
Paste the contents of the web.pem file we generated earlier into the SSH session, followed by pressing return, a period, and return one more time
You will be prompted to “ paste key in PEM format (end with ‘.’):“
Paste the contents of the web.key file we generated earlier into the SSH session, followed by pressing return, a period, and return one more time
You can then commit the changes to complete the configuration for the management interface

After committing, you can test out the new certificate by browsing to https://wsa:8443 and verifying that the certificate being used is the one you just configured

HTTPS Proxy Certificate

The installation of the HTTPS proxy certificate is done through the web management interface located at https://wsa:8443. Once logged into the WSA web management interface, you will need to do the following:

Navigate to Security Services > HTTPS Proxy
Click the Edit Settings… button for the HTTPS Proxy Settings section (located just above the Certificate Lists)
Ensure the Enable HTTPS Proxy is checked
Click the Use Uploaded Certificate and Key radio button
Click the Choose File button next to the Certificate label
Select the sub-ca.pem file that you generated earlier and click Open
Click the Choose File button next to the Key label
Select the sub-ca.key
file that you generated earlier and click Open
Click Submit at the bottom of the page

10. Commit your changes

After you’ve committed your changes (assuming no errors) you will have completely setup both the Management Certificate and the HTTPS Proxy Certificate. That’s it — if you have any questions or comments please feel free to leave a message below.

原文出處：Cisco IronPort WSA: Configuring management and HTTPS proxy certificates | Byte of IT

回覆

冷日
(冷日) 發表時間：2016/5/10 6:18

Webmaster

註冊日: 2008/2/19
來自:
發表數: 15773

[轉貼]Authentication without password using OpenSSH Key, certificates .pem and .pub

Authentication without password using OpenSSH Key, certificates .pem and .pub

Experimenting with Amazon AWS virtual server instances, I found out, that using a pre-generated file - key or certificate known both to server and client, the client does not have to connect to server using password. It is easy, when connecting to server using ssh command line with -i parameter (identity file), pass a link to .pem file stored on you local computer, for example:

$ ssh -i ~/ec2.pem ubuntu@12.34.56.78

Ec2.pem is a file containing public certificate, ubuntu is username and then add @your.public.ip.address or hostname. PEM file is not hard to get, for example Amazon AWS EC2 Console will let you generate this file.

Server with SSH access and password - enable authentication without using password

I have recently paid for a server in German hosting company Hetzner, they provided me with login information: my public IP address, username: root and password: pre-generated password. It is a standard procedure, now how to make this work without using password, using just a .pem file?

First step is to generate Key Pair and PEM file.
Next step is to upload certificate to your remote server in command line using SSH, first time with password.
Last step, testing connection client to server without using a password.

1) How to generate a Key Pair for authentication without password

$ ssh-keygen -t rsa -b 2048 -v

Enter this command to generate 2,048 bit RSA key using verbose (questions asked during) mode, and a public .pem X.509 certificate.

Generating public/private rsa key pair.

Enter file in which to save the key (/home/anonymouse/.ssh/id_rsa):hetzner

Enter passphrase (empty for no passphrase):

Enter same passphrase again:

Your identification has been saved in hetzner.

Your public key has been saved in hetzner.pub.

The key fingerprint is:

bb:c6:9c:ee:6b:c0:67:58:b2:bb:4b:44:72:d3:cc:a5 localhost@localhost

The key's randomart image is:

You will be asked for a file name, I inserted a name of the hosting provider hetzner, it will generate a hetzner.pub file and the hetzner file without file extension, rename it to hetzner.pem, files are created in the current directory you have open in terminal window. You will be asked to enter passphrase, it is for securing the certificate on your local machine, I ignored this option by pressing enter, as it is voluntary option and I feel confident about my local computer security.

2) Uploading the generated certificate from client computer to server

This is done
so server can recognize client, the both have access to these certificates and compare them. To upload certificate on the server, we need to establish a secure connection and this time, if everything goes well, it may be the last time using the password.

$ ssh-copy-id -i ~/hetzner.pub root@ 12.34.56.78

root@12.34.56.78's password:

Now try logging into the machine, with "ssh 'root@12.34.56.78'", and check in: ~/.ssh/authorized_keys to make sure we haven't added extra keys that you weren't expecting, you may still want to use a password.

So to check, id you have successfully uploaded your key to the server, login to the server:

$ sudo nano ~/.ssh/authorized_keys or $ sudo cat ~/.ssh/authorized_keys , you should see a file with a one or more lines of random characters, these are the uploaded or generated keys known to this machine.

Mine ~/.ssh/authorized_keys
looks like this, i cut off few hundred of characters from right of both lines:

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAX ...

ssh-rsa AQCqFd4B798zz9Lu+a3jGjhVXBRx ...

Each line is a ssh-rsa key, you may want to check that you accidentally did not upload anything unwanted, but first of all, one of the lines should contain the exactly same content, as the hetzner.pub (your .pub file, that was uploaded), you may open .pub file in any text editor on you local machine to make sure,

3) Test the connection

$ sudo ssh -i ~/hetzner.pem root@12.34.56.78

Should connect you without using a password, notice, that I am not using .pub but .pem now, that is a file hetzner, that we have renamed in step 1 to hetzner.pem. You may have to confirm the Key Pair with "yes" on the first login. Both files were generated in step 1 using $ ssh-keygen -t rsa -b 2048 -v command, but one is generated bwithout suffix.

On client side

If you do not wish to supply the key path every time on client computer when connecting to remote server, one must tell OpenSSH where to look for private key, by default it looks in ~/.ssh/id_rsa and other folders, use ssh with -v parameter, verbose mode will print what it does step by step on screen. Usually this file should contain something like

-----BEGIN RSA PRIVATE KEY-----

fjksdfjsdlfjksdlfjlsdjfsdl0GrdNS326iv4CcJHASJ2EMpXnIaUpBtc5U2SY14yq8/4gfRLHLdbwzzx/O
PEjlPv1BX4OJlxSWtKPaQsb5QsgwJseoNmBl1djTSY3haZS9P89MsNKiqlv1XtwbcMYOQRVydFdn
.....

.....

......

NHfo3MomYtSoawyBFfsdfsdfasdfasdfasdfasJKJFLSJLDJKSJDVXG58e2Vn7vmY4DYHDDkBd3Y=
-----END RSA PRIVATE KEY-----

You may have this file with .pem suffix. Pem is your private key, unlike .pub - the public key, private key stays always only on you computer, newer give up your private key. Content of ~/.ssh/id_rsa can be replaced with .pem file, it works fine, no conversion is needed.

Two or more private keys

If you have more servers and you wish to connect using multiple private keys, create ~/.ssh/config file, that contain following lines:

Host server1 server1.company.com

Hostname 12.34.56.78
User ubuntu

IdentityFile /media/11361B1123123634/server1.pem

Host server2 server2.company.com
Hostname server2.company.com
User root
IdentityFile /media/11361B1123123634/server2.pem

Host myPC myPC.local

Hostname 192.168.0.106
User mike
IdentityFile /home/mike/.ssh/id_rsa

This file is recognized by ssh by default, it must be named config full path: ~/.ssh/config and if you wish to use sudo (for example later in cron with rsync), this file must be also accessible as /root/.ssh/config. In above file /media/11361B1123123634/ is my encrypted USB drive, so the upper two connections works only if the drive is mounted. In Host, first name is short name that can be used with ssh command, for example:

$ ssh server1

This should now connect you to server1.company.com without typing a password, this way also rsync and other command that use ssh may be used to work with other servers without supplying typed or visible passwords every time they communicate.

Troubleshooting

Agent admitted failure to sign using the key

If you do some changes in permissions, change file location, you may need to run this on the client machine to get rid of the Agent admitted failure to sign using the key. error message.

# eval "$(ssh-agent)"

# ssh-add

Permissions on clients ~/.ssh should be dr-xr-x---

# chmod 550 .ssh

Troubles with key path, rsync prompting for password when should not

If using rsync with sudo, it looks for key file in /root/.ssh/config not in /home/user/.ssh/config, so be sure to copy or link this file to correct location, otherwise ssh and scp will be working fine while rsync will prompt for password.

Authentication without password using OpenSSH Key, certificates .pem and .pub - BeginningLinux.com

回覆

主題一覽的下方

討論串

前一個主題 | 下一個主題 | 頁首 |

| |

發表新主題

一網情深 : [轉貼]在 Mac 和 Linux 使用 SSH