CA certificate and DHCP service

1. Create a private CA and issue a server certificate

1: Create the CA private key. The -des3 option encrypts the key under a passphrase that openssl prompts for; on current OpenSSL prefer -aes256, since 3DES is a legacy cipher. This key is the whole security of the CA, so keep it readable only by its owner (mode 0600) and ideally off the server that uses the issued certificates.

$ openssl genrsa -des3 -out ca.key 4096

2: Generate the CA's self-signed certificate. A CA root certificate is by definition self-signed: the CA key signs a certificate for its own public key.

$ openssl req -new -x509 -days 365 -key ca.key -out ca.crt

3: Generate the private key for the server that needs a certificate issued

$ openssl genrsa -des3 -out server.key 4096

4: Generate a certificate signing request (CSR) for that key

Note: the Common Name in the CSR must differ from the Common Name in the CA certificate. OpenSSL matches issuer to subject by distinguished name, and a certificate whose subject equals its issuer looks self-signed, so keep the two names distinct.

$ openssl req -new -key server.key -out server.csr

5: Create an extension file (the file passed to -extfile in step 6) with the following content. The subjectAltName entries are what TLS clients match the server name against; a certificate that carries only a CN and no SAN is rejected by current browsers.

keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = @SubjectAlternativeName

[ SubjectAlternativeName ]
DNS.1 = abc.com
DNS.2 = *.abc.com

6: Sign the CSR from step 4 with the CA certificate and key from step 2, applying the extension file from step 5. The output is the server certificate, which is deployed together with server.key; afterwards verify it against ca.crt with "openssl verify -CAfile ca.crt" and confirm the SAN entries with "openssl x509 -noout -text".

$ openssl x509 -req -days 365 -extfile
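The six steps above, as an added example that is not part of the original page: a script that needs no keyboard input, followed by the two checks to run on the result (the certificate chains to the CA, and it carries the requested SAN entries). The extension file name server.ext, the CA subject "Example Private CA", the passphrase handling and the scratch directory are assumptions; the page does not give the full signing command.

```shell
#!/bin/sh
# Added example, not from the original page: steps 1-6 as a script that
# needs no keyboard input, followed by the checks to run on the result.
# Assumptions: the extension file is named server.ext (the page does not
# name it), the CA subject is "Example Private CA", the server CN is
# abc.com, and everything is written to a scratch directory.
set -eu

WORKDIR=$(mktemp -d)
CA_PASS='demo-ca-passphrase'   # demo only; a real CA reads it from a file or a prompt

# Steps 1-2: CA key and self-signed CA certificate.
# -aes256 replaces the page's -des3: 3DES is legacy, and the key file is
# the whole security of this CA, so it stays encrypted and mode 0600.
make_ca() {
    dir=$1
    openssl genrsa -aes256 -passout "pass:$CA_PASS" -out "$dir/ca.key" 4096 2>/dev/null
    chmod 600 "$dir/ca.key"
    openssl req -new -x509 -days 365 -sha256 -key "$dir/ca.key" -passin "pass:$CA_PASS" \
        -subj "/CN=Example Private CA" -out "$dir/ca.crt"
}

# Steps 3-6: server key, CSR, extension file, signature by the CA.
make_server_cert() {
    dir=$1
    openssl genrsa -out "$dir/server.key" 4096 2>/dev/null   # unencrypted: a daemon loads it
    chmod 600 "$dir/server.key"
    # CN differs from the CA's CN; clients match the hostname against the SAN, not the CN.
    openssl req -new -key "$dir/server.key" -subj "/CN=abc.com" -out "$dir/server.csr"
    cat > "$dir/server.ext" <<'EOF'
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = @SubjectAlternativeName

[ SubjectAlternativeName ]
DNS.1 = abc.com
DNS.2 = *.abc.com
EOF
    # -extfile with no -extensions uses the file's unnamed top section;
    # -CAcreateserial creates ca.srl on first use.
    openssl x509 -req -days 365 -sha256 -in "$dir/server.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -passin "pass:$CA_PASS" -CAcreateserial \
        -extfile "$dir/server.ext" -out "$dir/server.crt" 2>/dev/null
}

# Check 1: the certificate chains to the CA (openssl prints "server.crt: OK").
verify_chain() {
    openssl verify -CAfile "$1/ca.crt" "$1/server.crt" >/dev/null
}

# Check 2: the issued certificate carries the SAN entry $2 (a grep pattern).
has_san() {
    openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"
}

make_ca "$WORKDIR"
make_server_cert "$WORKDIR"
verify_chain "$WORKDIR" && echo "chain OK"
has_san "$WORKDIR/server.crt" 'abc.com' && echo "SAN OK"
echo "artifacts in $WORKDIR"
```

A passphrase given as pass:... is visible in the process list while openssl runs; outside a demo use the file: or an interactive prompt, and keep ca.key off the machine that serves the certificate.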

option domain-name-servers 202.106.0.10, 202.106.0.20;
default-lease-time 600;
max-lease-time 7200;

1) Structure of the /etc/dhcp/dhcpd.conf file

The main configuration file dhcpd.conf uses three kinds of entries: declarations, parameters, and options. Their functions and forms are as follows:

Declarations: describe the network layout served by dhcpd, that is, the logical scope of a group of network settings. The common declarations are subnet and host: a subnet declaration scopes settings to one network segment, a host declaration to one specific host.

Parameters: a configuration keyword followed by its value, always terminated with ";" (semicolon). They usually sit inside a declaration and set the operating characteristics of that scope (default lease time, maximum lease time, and so on).

Options: introduced by the keyword "option", followed by a configuration keyword and its value, also terminated with ";". They specify the address-related settings handed to the client (default gateway, subnet mask, DNS server addresses, and so on).

2) Set the global configuration of the dhcpd service

To keep the configuration file readable, global settings are usually placed at the beginning of dhcpd.conf; they may be parameters or options. The commonly used global parameters and options are:

ddns-update-style: dynamic DNS update style. Sets how the DHCP service updates DNS data for the leases it hands out. It is rarely needed in practice; set it to "none".

default-lease-time: default lease time in seconds, the lease a client receives when it does not ask for a specific duration.

max-lease-time: maximum lease time in seconds, the longest lease a client may request. A client that asks for more is capped at this value; a client that asks for no specific duration gets the default lease time.

option domain-name: default search domain. The domain the client appends when resolving unqualified host names; it appears in the client's /etc/resolv.conf as, for example, "search benet.com".

option domain-name-servers: DNS server addresses. The resolvers the client uses for name resolution; they appear in the client's /etc/resolv.conf as, for example, "nameserver 202.106.0.20". Separate multiple addresses with commas.

3) Define the subnet declaration

One DHCP server can serve several network segments, so there must be at least one subnet declaration and there may be several. For example, to serve the 192.168.100.0/24 segment, hand out addresses from the pool 192.168.100.100 to 192.168.100.200, and give clients 192.168.100.254 as their default gateway, edit dhcpd.conf and adjust the subnet declaration along these lines:

[root@centos01 ~]# vim /etc/dhcp/dhcpd.conf
subnet 192.168.100.0 netmask 255.255.255.0 {
    range 192.168.100.100 192.168.100.200;
    option routers 192.168.100.254;
}

4) Define the host declaration

The host declaration sets the network properties of a single host. It is normally used to reserve a fixed IP address for a network printer or an individual server: what these hosts have in common is that they must receive the same address every time so that the service stays reachable.

A host declaration names the client after the host keyword (the name is only a label for this entry), gives its MAC address with the "hardware ethernet" parameter, and gives the reserved address with the "fixed-address" parameter. For example, to reserve 192.168.100.101 for the printer prtsvr with MAC address 00:0C:29:0D:BA:6B, add a host declaration inside the subnet declaration as shown below. On a Windows client the MAC address can be read with getmac:

C:\Users\Administrator>getmac

Physical Address    Transport Name
=================== ==========================================================
00-0C-29-0D-BA-6B   \Device\Tcpip_{92E3F48B-40F0-4A0D-9604-6386AAAE3233}

[root@centos01 ~]# vim /etc/dhcp/dhcpd.conf
host win7 {
    hardware ethernet 00:0C:29:0D:BA:6B;
    fixed-address 192.168.100.101;
}

3. Start the dhcpd service

Before starting dhcpd, confirm that the interface that will serve DHCP has a statically assigned IP address and that at least one interface address falls inside a subnet declared in dhcpd.conf; otherwise dhcpd refuses to start. In this example the DHCP server's address is 192.168.100.10 and it hands out addresses to the other clients on the 192.168.100.0/24 segment.

After the dhcp package is installed, its unit file is /usr/lib/systemd/system/dhcpd.service, so the service is managed with systemctl. For example, start and enable dhcpd, then confirm that it is listening on UDP port 67 (a pattern such as ':67 ' is more precise than a bare 67, which also matches unrelated ports and PIDs):

[root@centos01 ~]# systemctl start dhcpd
[root@centos01 ~]# systemctl enable dhcpd
[root@centos01 ~]# netstat -anptu | grep 67
udp        0      0 0.0.0.0:67              0.0.0.0:*                           2102/dhcpd
udp        0      0 0.0.0.0:67              0.0.0.0:*                           1064/dnsmasq

The second listener, dnsmasq, is a separate DHCP/DNS service on the same host. Make sure only one DHCP server answers on each segment, otherwise clients may receive conflicting offers.

Note: to stop or restart dhcpd, replace "start" in the command above with "stop" or "restart".
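As an added example that is not part of the original page, the declarations from sections 1) to 4) assembled into one dhcpd.conf (written to a temporary file rather than /etc/dhcp/dhcpd.conf), together with two pre-start checks for the conditions stated in this section: that the server's own address lies on a declared subnet, and that every range lies inside the subnet that encloses it. ISC dhcpd refuses to start when either fails. The server address 192.168.100.10 is taken from the text; the host label prtsvr for the page's MAC address and reserved address is an assumption. The checks are written in plain sh so they run without dhcpd installed; "dhcpd -t -cf file" remains the authoritative syntax check.

```shell
#!/bin/sh
# Added example, not from the original page: the dhcpd.conf assembled from
# sections 1) to 4), plus pre-start checks for the precondition in section 3.
# ISC dhcpd refuses to start when its interface address is on no declared
# subnet, and when a "range" does not lie inside the subnet enclosing it.
# Assumptions: server address 192.168.100.10 (from the text), host label
# prtsvr for the page's MAC/reserved address, config written to a temp file
# instead of /etc/dhcp/dhcpd.conf. dhcpd -t -cf is the real parser.
set -eu

CONF=$(mktemp)
cat > "$CONF" <<'EOF'
ddns-update-style none;
default-lease-time 600;
max-lease-time 7200;
option domain-name "benet.com";
option domain-name-servers 202.106.0.10, 202.106.0.20;

subnet 192.168.100.0 netmask 255.255.255.0 {
    range 192.168.100.100 192.168.100.200;
    option routers 192.168.100.254;

    host prtsvr {
        hardware ethernet 00:0C:29:0D:BA:6B;
        fixed-address 192.168.100.101;
    }
}
EOF

# Dotted quad -> integer (octets without leading zeros, or sh reads them as octal).
ip2int() {
    IFS=. read -r a b c d <<QUAD
$1
QUAD
    echo $(( a * 16777216 + b * 65536 + c * 256 + d ))
}

# Print "network/netmask" of the declared subnet containing $2; return 1 if none.
subnet_for() {
    addr=$(ip2int "$2")
    for s in $(awk '$1 == "subnet" { print $2 "/" $4 }' "$1"); do
        net=$(ip2int "${s%/*}"); mask=$(ip2int "${s#*/}")
        if [ $(( addr & mask )) -eq $(( net & mask )) ]; then
            echo "$s"; return 0
        fi
    done
    return 1
}

# Every "range low high;" must lie inside the subnet declared around it.
# Prints the first offending range and returns 1; returns 0 if all are fine.
check_ranges() {
    tmp=$(mktemp)
    awk '$1 == "subnet" { net = $2; mask = $4 }
         $1 == "range"  { gsub(";", "", $3); print net, mask, $2, $3 }' "$1" > "$tmp"
    while read -r net mask low high; do
        n=$(ip2int "$net"); m=$(ip2int "$mask")
        for ip in "$low" "$high"; do
            v=$(ip2int "$ip")
            if [ $(( v & m )) -ne $(( n & m )) ]; then
                echo "range $low $high is not on net $net/$mask"
                rm -f "$tmp"; return 1
            fi
        done
    done < "$tmp"
    rm -f "$tmp"
    return 0
}

SERVER_ADDR=192.168.100.10      # assumed: the server's static address from section 3
if net=$(subnet_for "$CONF" "$SERVER_ADDR"); then
    echo "$SERVER_ADDR is on declared subnet $net"
else
    echo "no subnet declared for $SERVER_ADDR: dhcpd would refuse to start" >&2
fi
check_ranges "$CONF" && echo "all ranges lie inside their subnets"
```

Run it before "systemctl start dhcpd" with the real interface address in SERVER_ADDR; the two failure messages correspond to the two most common reasons the service fails to start after a configuration edit.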

2. Using a DHCP client

1. Windows client

ipconfig /renew     (request a new lease on all adapters; ipconfig /all shows the address, lease and DHCP server received)

tracert <IP address>     (trace the route to a host, to confirm that the gateway handed out by DHCP forwards traffic)

route print     (display the routing table, including the default route learned from DHCP)

2. Linux client

On a Linux client, to obtain an address via DHCP, edit the configuration file of the network interface, set or add the line "BOOTPROTO=dhcp", and then reload the configuration or restart the network service. For example:

[root@centos02 ~]# vim /etc/sysconfig/network-scripts/ifcfg-ens32

TYPE=Ethernet

PROXY_METHOD=none

BROWSER_ONLY=no

BOOTPROTO=dhcp

DEFROUTE=yes

NAME=ens32

DEVICE=ens32

ONBOOT=yes

[root@centos02 ~]# ifdown ens32 ; ifup ens32

[root@centos02 ~]# systemctl restart network

On a Linux client the dhclient tool can also be used to test the DHCP server. Run without arguments, dhclient requests addresses via DHCP for every network interface except the loopback interface lo, then daemonizes and keeps running in the background. For a test you can name one interface and add the "-d" option to keep it in the foreground; press Ctrl+C when done. For example, "dhclient -d ens32" obtains a new address for ens32 and shows the exchange:

[root@centos02 ~]# dhclient -d ens32
Internet Systems Consortium DHCP Client 4.2.5
Copyright 2004-2013 Internet Systems Consortium.
All rights reserved.
For info, please visit https://www.isc.org/software/dhcp/

Listening on LPF/ens32/00:0c:29:97:5c:9f
Sending on   LPF/ens32/00:0c:29:97:5c:9f
Sending on   Socket/fallback
DHCPDISCOVER on ens32 to 255.255.255.255 port 67 interval 4 (xid=0x5364e17f)
DHCPDISCOVER on ens32 to 255.255.255.255 port 67 interval 6 (xid=0x5364e17f)
DHCPDISCOVER on ens32 to 255.255.255.255 port 67 interval 14 (xid=0x5364e17f)
DHCPREQUEST on ens32 to 255.255.255.255 port 67 (xid=0x5364e17f)
DHCPOFFER from 192.168.100.10
DHCPACK from 192.168.100.10 (xid=0x5364e17f)

To release a lease obtained with dhclient, add the "-r" option. For example, "dhclient -r ens32" releases the lease held for ens32; afterwards "ifconfig ens32" no longer shows an assigned address.

[root@centos02 ~]# dhclient -r ens32