作业一
1、在 CentOS7 中使用 gpg 创建 RSA 非对称密钥对
#生成公钥私钥对
[root@centos7 ~]#gpg --gen-key
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: key 82C66144 marked as ultimately trusted
public and secret key created and signed.
gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
pub 1024R/82C66144 2020-09-05
Key fingerprint = BED3 651B D40B 06C0 5BC3 DC13 5DA2 1C4E 82C6 6144
uid zheng <1216052234@.com>
sub 1024R/D33F9096 2020-09-05
#执行大量磁盘读写任务，为 gpg 生成密钥提供足够的随机数（熵），直到密钥创建完成
[root@centos7 ~]#dd if=/dev/zero of=/root/test bs=1024 count=10240000
2、将 CentOS7 导出的公钥,拷贝到 CentOS8 中,在 CentOS8 中使用 CentOS7 的公钥加密一个文件
#导出公钥到zheng.pubkey
[root@centos7 ~]#gpg -a --export -o zheng.pubkey
#通过scp发送到centos8上
[root@centos7 ~]#scp zheng.pubkey 10.0.0.8:/root/
root@10.0.0.8's password:
zheng.pubkey 100% 1008 522.2KB/s 00:00
#写一些东西到文件里
[root@centos8 ~]#echo "好好学习,天天向上" > file.txt
#导入公钥
[root@centos8 ~]#gpg --import zheng.pubkey
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: key 5DA21C4E82C66144: public key "zheng <1216052234@.com>" imported
gpg: Total number processed: 1
gpg: imported: 1
#使用公钥加密文件（导入的公钥尚未经过签名验证，gpg 会提示是否仍然使用该密钥）
[root@centos8 ~]#gpg -e -r 5DA21C4E82C66144 file.txt
gpg: 2EDAC9AAD33F9096: There is no assurance this key belongs to the named user
sub rsa1024/2EDAC9AAD33F9096 2020-09-05 zheng <1216052234@.com>
Primary key fingerprint: BED3 651B D40B 06C0 5BC3 DC13 5DA2 1C4E 82C6 6144
Subkey fingerprint: 12D5 17F6 7703 96B4 E1CA 5104 2EDA C9AA D33F 9096
It is NOT certain that the key belongs to the person named
in the user ID. If you *really* know what you are doing,
you may answer the next question with yes.
Use this key anyway? (y/N) y
3、回到 CentOS7 服务器,远程拷贝 file.txt.gpg 文件到本地,使用 CentOS7的私钥解密文件
#拷贝file.txt.gpg
[root@centos7 ~]#scp 10.0.0.8:/root/file.txt.gpg .
root@10.0.0.8's password:
file.txt.gpg 100% 236 166.0KB/s 00:00
#解密
[root@centos7 ~]#gpg -d file.txt.gpg
You need a passphrase to unlock the secret key for
user: "zheng <1216052234@.com>"
1024-bit RSA key, ID D33F9096, created 2020-09-05 (main key ID 82C66144)
┌───────────────────────────────────────────────────────────────┐
│ Please enter the passphrase to unlock the secret key for the │
│ OpenPGP certificate: │
│ "zheng <1216052234@.com>" │
│ 1024-bit RSA key, ID D33F9096, │
│ created 2020-09-05 (main key ID 82C66144). │
│ │
│ │
│ Passphrase ******____________________________________________ │
│ │
│ <OK> <Cancel> │
└───────────────────────────────────────────────────────────────┘
gpg: encrypted with 1024-bit RSA key, ID D33F9096, created 2020-09-05
"zheng <1216052234@.com>"
好好学习,天天向上
4、在 CentOS7 中使用 openssl 软件创建 CA
#创建CA所需的文件
[root@centos7 ~]#cd /etc/pki/CA
[root@centos7 CA]#touch index.txt
[root@centos7 CA]#echo 01 > serial
#为 CA 创建所需的 RSA 私钥（umask 066 使私钥文件仅属主可读写）
[root@centos7 CA]#(umask 066; openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus
.......................+++
...+++
e is 65537 (0x10001)
#使用 CA 的私钥为 CA 自身签发一个自签名证书
[root@centos7 CA]#openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 3650 -out /etc/pki/CA/cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:henan
Locality Name (eg, city) [Default City]:zhengzhou
Organization Name (eg, company) [Default Company Ltd]:magedu
Organizational Unit Name (eg, section) []:student
Common Name (eg, your name or your server's hostname) []:ca.magedu.org
Email Address []:
#查看完整的CA信息
[root@centos7 CA]#openssl x509 -in cacert.pem -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
9c:c5:bd:d8:3b:f7:14:96
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=CN, ST=henan, L=zhengzhou, O=magedu, OU=student, CN=ca.magedu.org
Validity
Not Before: Sep 5 11:57:55 2020 GMT
Not After : Sep 3 11:57:55 2030 GMT
Subject: C=CN, ST=henan, L=zhengzhou, O=magedu, OU=student, CN=ca.magedu.org
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:a8:85:8b:79:58:35:b6:4b:92:0e:e0:c2:20:25:
56:b1:c4:ce:72:a1:a9:57:dd:a3:b9:8d:84:cd:92:
2a:73:7c:97:84:41:de:54:4b:24:23:b6:34:8d:41:
9e:d9:83:3d:ee:51:ed:e0:78:d4:ce:73:c9:aa:5c:
f5:ce:22:1b:66:29:b5:7c:ed:e3:ee:96:18:e1:da:
89:70:ab:84:e6:d5:1f:28:87:a7:3b:29:c3:82:df:
e2:fa:ac:2e:48:1c:58:11:4c:05:e1:07:67:de:6b:
7f:8d:1a:82:3e:7f:f2:61:12:ad:48:76:5e:2c:f8:
3a:0b:f6:c1:ed:99:e7:8f:9a:9e:d5:34:fb:99:ed:
ee:63:a8:33:ca:9d:f3:51:16:5d:9f:b5:9e:a9:77:
31:de:d3:40:70:ad:dc:9a:d5:8f:2b:61:6f:d5:f7:
76:71:03:a1:7e:23:26:04:03:10:e5:4e:15:2c:b5:
ee:a1:8d:bd:64:70:99:ea:21:70:b0:e1:22:81:8e:
79:1b:1a:b1:b9:89:ad:ca:66:78:ac:ba:6f:f5:78:
7d:12:a6:86:18:5d:b2:d9:3e:bf:f8:44:2a:05:13:
e8:1d:8d:0e:8f:e5:64:e4:56:11:ad:f3:0a:1e:b3:
2a:da:8f:fb:c0:20:55:ef:7e:83:7e:d3:8d:e8:54:
fe:e7
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
4F:D6:AA:19:AD:CD:83:E3:AF:4B:A6:00:DD:F1:FB:15:E9:D2:38:14
X509v3 Authority Key Identifier:
keyid:4F:D6:AA:19:AD:CD:83:E3:AF:4B:A6:00:DD:F1:FB:15:E9:D2:38:14
X509v3 Basic Constraints:
CA:TRUE
Signature Algorithm: sha256WithRSAEncryption
1e:d5:03:2b:38:bc:dc:08:13:b1:be:53:56:f6:83:b6:15:8c:
7a:29:19:70:29:04:4f:9a:3e:91:e8:61:d3:36:80:e6:c8:47:
ba:30:b6:7c:b9:db:07:79:84:9f:63:78:a1:3e:bf:a9:aa:1b:
a0:39:d3:7d:52:22:dd:48:6b:41:51:c4:3b:8b:ee:c9:5b:76:
c7:27:28:1a:be:d0:76:0b:75:cc:a1:4a:7e:cc:14:8b:1f:b1:
c6:6a:aa:04:38:ec:66:36:3e:78:3a:f7:8b:b2:8f:8c:be:97:
f7:f9:c3:8f:c3:b3:69:f7:7c:c7:86:89:ed:d0:dc:5a:22:72:
59:7c:d5:a6:cb:95:c1:27:9d:96:9c:fd:81:c9:7d:30:9d:41:
62:04:95:93:6a:82:7a:31:81:66:54:e2:4e:3d:d9:c0:02:96:
71:e4:5c:6d:61:ea:da:eb:12:29:a2:29:1c:f5:50:22:d8:45:
a9:31:87:43:de:07:47:ef:b2:9d:15:3b:6b:23:ee:62:09:31:
65:e0:c8:14:d1:78:12:06:3d:f4:df:4a:33:a1:0e:a7:45:1b:
66:b6:d1:1a:bb:54:56:c3:9e:0c:8a:fb:1e:44:ca:2e:fa:c8:
7a:6a:cb:9f:35:af:bf:e8:84:5d:60:99:87:97:32:ac:cb:66:
15:98:c5:85
5、在 CentOS7 中使用 openssl 软件创建一个证书申请请求文件,并使用上面的根证书对其进行签署
#为需要申请的用户生成私钥
[root@centos7 CA]#(umask 066; openssl genrsa -out zheng.key 2048)
Generating RSA private key, 2048 bit long modulus
....................................................+++
....+++
e is 65537 (0x10001)
#为需要使用证书的用户生成证书申请文件
[root@centos7 CA]#openssl req -new -key zheng.key -out /data/zheng.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:henan
Locality Name (eg, city) [Default City]:zhengzhou
Organization Name (eg, company) [Default Company Ltd]:magedu
Organizational Unit Name (eg, section) []:student1
Common Name (eg, your name or your server's hostname) []:www.magedu.com
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:123456
#在CA签署证书并将证书颁发给请求者
[root@centos7 CA]#openssl ca -in /data/zheng.csr -out /etc/pki/CA/certs/zheng.crt -days 100
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Sep 5 12:14:06 2020 GMT
Not After : Dec 14 12:14:06 2020 GMT
Subject:
countryName = CN
stateOrProvinceName = henan
organizationName = magedu
organizationalUnitName = student1
commonName = www.magedu.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
AC:4D:04:04:57:9E:04:62:06:C9:50:36:1C:22:CE:30:3F:ED:05:85
X509v3 Authority Key Identifier:
keyid:4F:D6:AA:19:AD:CD:83:E3:AF:4B:A6:00:DD:F1:FB:15:E9:D2:38:14
Certificate is to be certified until Dec 14 12:14:06 2020 GMT (100 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
#查看证书信息
[root@centos7 CA]#openssl x509 -in /etc/pki/CA/certs/zheng.crt -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=CN, ST=henan, L=zhengzhou, O=magedu, OU=student, CN=ca.magedu.org
Validity
Not Before: Sep 5 12:14:06 2020 GMT
Not After : Dec 14 12:14:06 2020 GMT
Subject: C=CN, ST=henan, O=magedu, OU=student1, CN=www.magedu.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:a5:d1:e4:a7:9b:c7:6a:2c:7f:4c:39:b1:bf:6c:
02:7b:45:d8:b3:51:53:22:a5:98:52:57:af:f4:d7:
99:dd:da:39:d5:18:5f:36:3c:e3:b9:43:53:f8:20:
3e:28:be:48:0d:44:31:fa:8f:eb:d6:c6:68:75:0a:
b7:cb:8c:fa:93:19:cb:d7:b9:d1:ee:bf:6a:eb:b3:
09:cf:ad:42:30:0e:db:3e:0c:63:36:fe:1b:a1:86:
b4:6a:6b:23:29:87:b4:12:c1:b6:e1:36:33:a4:51:
31:d9:90:35:89:2b:fe:59:60:13:2c:38:94:ab:24:
05:de:f4:3c:92:97:ae:18:24:59:af:0d:8d:85:48:
16:0d:c9:2c:28:bf:17:a6:a2:c2:1e:da:92:28:85:
0f:f8:96:88:b6:6d:6f:cc:28:ce:cb:30:96:af:5c:
ef:2d:03:40:28:f8:d1:af:07:e9:10:a4:29:3f:59:
17:63:e4:73:b3:7b:5e:e0:c4:e9:71:96:66:98:95:
3a:11:fc:03:87:3c:04:eb:ff:2d:ed:dd:5b:81:29:
34:a8:38:2b:19:bb:07:a6:85:6e:6b:2b:af:7e:88:
15:ca:56:c5:1a:58:7c:61:63:8b:28:fe:7c:0b:13:
dc:7f:8c:d3:22:09:9c:d2:9d:86:cb:e4:39:44:06:
80:0d
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
AC:4D:04:04:57:9E:04:62:06:C9:50:36:1C:22:CE:30:3F:ED:05:85
X509v3 Authority Key Identifier:
keyid:4F:D6:AA:19:AD:CD:83:E3:AF:4B:A6:00:DD:F1:FB:15:E9:D2:38:14
Signature Algorithm: sha256WithRSAEncryption
07:52:10:3c:6e:b5:a7:74:39:ad:c8:62:d4:7d:68:d7:47:0a:
2b:93:9f:ff:f9:b1:05:50:f5:59:76:26:8e:1f:22:b1:f2:de:
d6:9c:dc:54:9b:36:3c:39:7c:f9:01:ab:55:9c:4c:55:d9:d5:
8f:48:d6:95:47:25:1f:10:9b:ef:76:59:91:4e:85:d1:57:53:
e7:e4:e7:c0:ed:86:02:64:70:09:e1:d6:e7:46:a7:48:5b:46:
df:6c:ad:65:9e:2b:0f:69:13:8a:26:3b:55:bb:d5:ee:61:0b:
d9:0d:ed:82:ba:95:ce:e2:ab:29:e4:fc:7a:61:db:e6:e6:72:
4d:d4:45:28:fe:58:7b:d3:00:70:27:32:7f:48:0b:88:3f:59:
52:ff:e4:69:91:1e:a2:c0:f9:bd:3e:19:92:9b:7b:db:83:22:
62:16:90:ee:53:ad:83:1b:3f:2f:35:44:00:fb:1d:57:39:8b:
ac:2d:be:59:09:42:ea:61:85:11:ba:12:7d:3e:f4:d3:f4:61:
98:11:16:18:61:78:86:e5:17:a2:d1:51:ca:0e:00:79:37:32:
f2:4e:b0:0c:e2:a2:6b:63:a2:61:f3:c8:9e:e8:2e:0e:92:88:
f8:9e:9f:ba:ee:d3:7b:1e:bc:51:47:a4:87:f0:6a:1c:c4:fe:
ad:66:22:4e
6、吊销已经签署成功的证书
#创建证书吊销列表编号记录文件
[root@centos7 CA]#echo 01 > /etc/pki/CA/crlnumber
#吊销之前创建的zheng.crt证书
[root@centos7 CA]#cat crlnumber
01
[root@centos7 CA]#openssl ca -revoke /etc/pki/CA/newcerts/01.pem
Using configuration from /etc/pki/tls/openssl.cnf
Revoking Certificate 01.
Data Base Updated
[root@centos7 CA]#cat index.txt
R 201214121406Z 200905123025Z 01 unknown /C=CN/ST=henan/O=magedu/OU=student1/CN=www.magedu.com
