Homework 1
1. On CentOS7, use gpg to create an RSA asymmetric key pair
[root@centos7 ~]#gpg --gen-key
gpg (GnuPG) 2.0.22; Copyright (C) 2013 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Please select what kind of key you want:
(1) RSA and RSA (default)
(2) DSA and Elgamal
(3) DSA (sign only)
(4) RSA (sign only)
Your selection? 1
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048)
Requested keysize is 2048 bits
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0)
Key does not expire at all
Is this correct? (y/N) y
GnuPG needs to construct a user ID to identify your key.
Real name: centos
Email address:
Comment:
You selected this USER-ID:
"centos"
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
You need a Passphrase to protect your secret key.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: key C8EA44DE marked as ultimately trusted
public and secret key created and signed.
gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
pub 2048R/C8EA44DE 2020-09-05
Key fingerprint = 3DE2 C6AF B0B5 0D82 79F8 770C EF64 9FA5 C8EA 44DE
uid centos
sub 2048R/13943D46 2020-09-05
[root@centos7 ~]#ll .gnupg/
total 28
-rw------- 1 root root 7680 Sep 5 18:55 gpg.conf
drwx------ 2 root root 6 Sep 5 19:11 private-keys-v1.d
-rw------- 1 root root 1166 Sep 5 19:14 pubring.gpg
-rw------- 1 root root 1166 Sep 5 19:14 pubring.gpg~
-rw------- 1 root root 600 Sep 5 19:14 random_seed
-rw------- 1 root root 2543 Sep 5 19:14 secring.gpg
srwxr-xr-x 1 root root 0 Sep 5 19:14 S.gpg-agent
-rw------- 1 root root 1280 Sep 5 19:14 trustdb.gpg
[root@centos7 ~]#gpg --list-key
/root/.gnupg/pubring.gpg
------------------------
pub 2048R/C8EA44DE 2020-09-05
uid centos
sub 2048R/13943D46 2020-09-05
2. Copy the public key exported from CentOS7 to CentOS8, and on CentOS8 use the CentOS7 public key to encrypt a file
[root@centos7 ~]#gpg -a --export -o centos.pubkey
[root@centos7 ~]#scp centos.pubkey 10.0.0.8:/data/
root@10.0.0.8's password:
centos.pubkey 100% 1683 1.4MB/s 00:00
[root@centos8 data]#ls
centos.pubkey
[root@centos8 data]#echo linux > file.txt
[root@centos8 data]#gpg --import centos.pubkey
gpg: key EF649FA5C8EA44DE: public key "centos" imported
gpg: Total number processed: 1
gpg: imported: 1
[root@centos8 data]#gpg --list-key
/root/.gnupg/pubring.kbx
------------------------
pub rsa2048 2020-09-05 [SC]
3DE2C6AFB0B50D8279F8770CEF649FA5C8EA44DE
uid [ unknown] centos
sub rsa2048 2020-09-05 [E]
[root@centos8 data]#gpg -e -r centos file.txt
gpg: 8314610013943D46: There is no assurance this key belongs to the named user
sub rsa2048/8314610013943D46 2020-09-05 centos
Primary key fingerprint: 3DE2 C6AF B0B5 0D82 79F8 770C EF64 9FA5 C8EA 44DE
Subkey fingerprint: E190 BD7D CFF2 4D26 8206 CF0E 8314 6100 1394 3D46
It is NOT certain that the key belongs to the person named
in the user ID. If you *really* know what you are doing,
you may answer the next question with yes.
Use this key anyway? (y/N) y
[root@centos8 data]#ls
centos.pubkey file.txt file.txt.gpg
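The "There is no assurance this key belongs to the named user" prompt above is gpg saying the imported key is unverified. The following is an added example, not part of the homework: instead of answering y, it compares the key file's fingerprint with the one gpg --gen-key printed on centos7 (copied over separately from the key itself) and only then imports, trusts and encrypts. It assumes gpg 2.2 as shipped with CentOS8; the function names are mine.

```shell
# Added example, not from the homework; assumes gpg 2.2 as shipped with CentOS8.
# EXPECTED_FPR is the fingerprint printed by gpg --gen-key on centos7, carried over out of band.
set -eu
EXPECTED_FPR="3DE2 C6AF B0B5 0D82 79F8 770C EF64 9FA5 C8EA 44DE"

# key_fingerprint FILE: primary-key fingerprint of the first key in FILE, without importing it.
key_fingerprint() {
  gpg --batch --with-colons --import-options show-only --import "$1" 2>/dev/null \
    | awk -F: '$1 == "fpr" { print $10; exit }'
}

# fingerprints_match A B: true when A and B are the same non-empty fingerprint, ignoring spacing and case.
fingerprints_match() {
  a=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
  b=$(printf '%s' "$2" | tr -d ' ' | tr 'a-f' 'A-F')
  [ -n "$a" ] && [ "$a" = "$b" ]
}

# encrypt_for KEYFILE EXPECTED FILE: import KEYFILE only if its fingerprint equals EXPECTED, record
# ultimate ownertrust for that fingerprint so gpg no longer asks "Use this key anyway?", then encrypt FILE.
encrypt_for() {
  keyfile=$1; expected=$2; plain=$3
  actual=$(key_fingerprint "$keyfile")
  if ! fingerprints_match "$actual" "$expected"; then
    echo "refusing to import $keyfile: fingerprint '$actual' does not match '$expected'" >&2
    return 1
  fi
  fpr=$(printf '%s' "$expected" | tr -d ' ')
  gpg --batch --import "$keyfile" 2>/dev/null
  printf '%s:6:\n' "$fpr" | gpg --batch --import-ownertrust 2>/dev/null
  gpg --batch --yes -e -r "$fpr" -o "$plain.gpg" "$plain"   # trusted recipient: no warning prompt
}
```

On centos8 the call for the files above would be `encrypt_for /data/centos.pubkey "$EXPECTED_FPR" /data/file.txt`.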
3. Back on the CentOS7 server, copy the file file.txt.gpg from the remote host locally, and decrypt it with the CentOS7 private key
[root@centos7 ~]#scp 10.0.0.8:/data/file.txt.gpg /data/
root@10.0.0.8's password:
file.txt.gpg 100% 346 225.7KB/s 00:00
[root@centos7 data]#ls
file.txt.gpg
[root@centos7 data]#gpg -o file.txt -d file.txt.gpg
You need a passphrase to unlock the secret key for
user: "centos"
2048-bit RSA key, ID 13943D46, created 2020-09-05 (main key ID C8EA44DE)
gpg: encrypted with 2048-bit RSA key, ID 13943D46, created 2020-09-05
"centos"
[root@centos7 data]#cat file.txt
linux
4. On CentOS7, use openssl to create a CA
[root@centos7 pki]#cd /etc/pki/CA/
[root@centos7 CA]#ls
certs crl newcerts private
[root@centos7 CA]#touch index.txt
[root@centos7 CA]#echo 01 > serial
[root@centos7 CA]#tree
.
├── certs
├── crl
├── index.txt
├── newcerts
├── private
└── serial
4 directories, 2 files
[root@centos7 CA]#(umask 066; openssl genrsa -out private/cakey.pem 4096)
Generating RSA private key, 4096 bit long modulus
.....................................................................++
.++
e is 65537 (0x10001)
[root@centos7 CA]#openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3650
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:bj
Locality Name (eg, city) [Default City]:bj
Organization Name (eg, company) [Default Company Ltd]:magedu
Organizational Unit Name (eg, section) []:M42
Common Name (eg, your name or your server's hostname) []:ca.magedu.com
Email Address []:
[root@centos7 CA]#tree
.
├── cacert.pem
├── certs
├── crl
├── index.txt
├── newcerts
├── private
│ └── cakey.pem
└── serial
4 directories, 4 files
[root@centos7 CA]#openssl x509 -in cacert.pem -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
93:cc:7f:8a:ad:90:9a:61
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=CN, ST=bj, L=bj, O=magedu, OU=M42, CN=ca.magedu.com
Validity
Not Before: Sep 5 11:49:19 2020 GMT
Not After : Sep 3 11:49:19 2030 GMT
Subject: C=CN, ST=bj, L=bj, O=magedu, OU=M42, CN=ca.magedu.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (4096 bit)
Modulus:
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
80:AA:D3:C7:05:37:57:44:2E:7E:26:19:7A:76:02:47:F6:47:FD:6C
X509v3 Authority Key Identifier:
keyid:80:AA:D3:C7:05:37:57:44:2E:7E:26:19:7A:76:02:47:F6:47:FD:6C
X509v3 Basic Constraints:
CA:TRUE
Signature Algorithm: sha256WithRSAEncryption
5. On CentOS7, use openssl to create a certificate signing request file, and sign it with the root certificate created above
[root@centos7 CA]#mkdir /data/app
[root@centos7 CA]#(umask 066; openssl genrsa -out /data/app/app.key 1024)
Generating RSA private key, 1024 bit long modulus
....++++++
.................................++++++
e is 65537 (0x10001)
[root@centos7 CA]#openssl req -new -key /data/app/app.key -out /data/app/app.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:bj
Locality Name (eg, city) [Default City]:bj
Organization Name (eg, company) [Default Company Ltd]:magedu
Organizational Unit Name (eg, section) []:app
Common Name (eg, your name or your server's hostname) []:app.magedu.com
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@centos7 CA]#openssl ca -in /data/app/app.csr -out /etc/pki/CA/app.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Sep 5 11:59:03 2020 GMT
Not After : Sep 5 11:59:03 2021 GMT
Subject:
countryName = CN
stateOrProvinceName = bj
localityName = bj
organizationName = magedu
organizationalUnitName = app
commonName = app.magedu.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
9B:DD:AE:3A:59:B7:8E:1D:70:65:17:86:18:5C:46:D7:B0:2E:E1:81
X509v3 Authority Key Identifier:
keyid:80:AA:D3:C7:05:37:57:44:2E:7E:26:19:7A:76:02:47:F6:47:FD:6C
Certificate is to be certified until Sep 5 11:59:03 2021 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@centos7 CA]#tree
.
├── app.crt
├── app.csr
├── cacert.pem
├── certs
├── crl
├── index.txt
├── index.txt.attr
├── index.txt.old
├── newcerts
│ └── 01.pem
├── private
│ └── cakey.pem
├── serial
└── serial.old
4 directories, 10 files
[root@centos7 CA]#openssl x509 -in app.crt -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=CN, ST=bj, L=bj, O=magedu, OU=M42, CN=ca.magedu.com
Validity
Not Before: Sep 5 11:59:03 2020 GMT
Not After : Sep 5 11:59:03 2021 GMT
Subject: C=CN, ST=bj, L=bj, O=magedu, OU=app, CN=app.magedu.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (1024 bit)
Modulus:
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
9B:DD:AE:3A:59:B7:8E:1D:70:65:17:86:18:5C:46:D7:B0:2E:E1:81
X509v3 Authority Key Identifier:
keyid:80:AA:D3:C7:05:37:57:44:2E:7E:26:19:7A:76:02:47:F6:47:FD:6C
Signature Algorithm: sha256WithRSAEncryption
6. Revoke the certificate that was just signed
[root@centos7 CA]#cat index.txt
V 210905115903Z 01 unknown /C=CN/ST=bj/L=bj/O=magedu/OU=app/CN=app.magedu.com
[root@centos7 CA]#openssl ca -status 01
Using configuration from /etc/pki/tls/openssl.cnf
01=Valid (V)
[root@centos7 CA]#openssl ca -revoke newcerts/01.pem
Using configuration from /etc/pki/tls/openssl.cnf
Revoking Certificate 01.
Data Base Updated
[root@centos7 CA]#openssl ca -status 01
Using configuration from /etc/pki/tls/openssl.cnf
01=Revoked (R)
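The CA, signing and revocation steps of sections 4 to 6 as one non-interactive script, added here as an example and not part of the homework. It works in a throwaway directory with its own openssl.cnf instead of /etc/pki/CA, and adds the step the homework stops short of: publishing a CRL and checking the certificate against it, because an R entry in index.txt changes nothing for clients until a CRL is issued. Assumes a current openssl; the verify_status function is mine.

```shell
# Added example, not from the homework: throwaway CA, issue app.magedu.com, revoke it, publish a CRL,
# and show that verification only fails once the CRL is checked.
set -eu
ca_dir=$(mktemp -d); cd "$ca_dir"
mkdir certs crl newcerts private
touch index.txt; echo 01 > serial; echo 01 > crlnumber   # crlnumber is required by -gencrl
cat > openssl.cnf <<EOF
[ca]
default_ca = CA_default
[CA_default]
dir = $ca_dir
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
certificate = \$dir/cacert.pem
private_key = \$dir/private/cakey.pem
serial = \$dir/serial
crlnumber = \$dir/crlnumber
default_md = sha256
default_crl_days = 30
policy = policy_any
[policy_any]
commonName = supplied
[req]
distinguished_name = req_dn
x509_extensions = v3_ca
[req_dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
export OPENSSL_CONF="$ca_dir/openssl.cnf"
# Same steps as the homework, non-interactive: CA key and self-signed root, app key and CSR, signing.
(umask 077; openssl genrsa -out private/cakey.pem 2048 2>/dev/null)
openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3650 -subj /CN=ca.magedu.com
(umask 077; openssl genrsa -out app.key 2048 2>/dev/null)
openssl req -new -key app.key -out app.csr -subj /CN=app.magedu.com
openssl ca -batch -in app.csr -out app.crt -days 365 2>/dev/null
openssl ca -gencrl -out crl/ca.crl 2>/dev/null
# verify_status: OK when app.crt chains to cacert.pem and is not listed in crl/ca.crl, else REVOKED.
verify_status() {
  if openssl verify -crl_check -CAfile cacert.pem -CRLfile crl/ca.crl app.crt 2>&1 | grep -q ': OK$'
  then echo OK; else echo REVOKED; fi
}
before=$(verify_status)
openssl ca -revoke newcerts/01.pem 2>/dev/null
openssl ca -gencrl -out crl/ca.crl 2>/dev/null   # clients see the revocation only after a new CRL is published
after=$(verify_status)
echo "before revocation: $before, after revocation: $after"
```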
