作业一
1、在 CentOS7 中使用 gpg 创建 RSA 非对称密钥对
[root@centos8 ~]# gpg --gen-key
gpg (GnuPG) 2.2.9; Copyright (C) 2018 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
gpg: directory '/root/.gnupg' created
gpg: keybox '/root/.gnupg/pubring.kbx' created
Note: Use "gpg --full-generate-key" for a full featured key generation dialog.
GnuPG needs to construct a user ID to identify your key.
Real name: centos8
Email address:
You selected this USER-ID:
"centos8"
Change (N)ame, (E)mail, or (O)kay/(Q)uit? O
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: key 93351467F0B00471 marked as ultimately trusted
gpg: directory '/root/.gnupg/openpgp-revocs.d' created
gpg: revocation certificate stored as '/root/.gnupg/openpgp-revocs.d/193B804B192A132E7676059793351467F0B00471.rev'
public and secret key created and signed.
pub rsa2048 2020-09-06 [SC] [expires: 2022-09-06]
193B804B192A132E7676059793351467F0B00471
uid centos8
sub rsa2048 2020-09-06 [E] [expires: 2022-09-06]
2、将 CentOS7 导出的公钥,拷贝到 CentOS8 中,在 CentOS8 中使用 CentOS7 的公钥加密一个文件
[root@centos8 ~]# gpg --list-keys/root/.gnupg/pubring.kbx
------------------------
pub rsa2048 2020-09-06 [SC] [expires: 2022-09-06]
193B804B192A132E7676059793351467F0B00471
uid [ultimate] centos8
sub rsa2048 2020-09-06 [E] [expires: 2022-09-06]
[root@centos8 .gnupg]# ll
total 16
-rw-r--r--. 1 root root 1725 Sep 6 16:39 centos8.pubkey
drwx------. 2 root root 58 Sep 6 16:31 openpgp-revocs.d
drwx------. 2 root root 110 Sep 6 16:31 private-keys-v1.d
-rw-r--r--. 1 root root 1437 Sep 6 16:31 pubring.kbx
-rw-------. 1 root root 32 Sep 6 16:30 pubring.kbx~
-rw-------. 1 root root 1280 Sep 6 16:32 trustdb.gpg
root@10.0.0.18's password:
centos8.pubkey
gpg: directory '/root/.gnupg' created
gpg: keybox '/root/.gnupg/pubring.kbx' created
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: key 93351467F0B00471: public key "centos8" imported
gpg: Total number processed: 1
gpg: imported: 1
[root@CentOS8 data]# gpg --list-keys
/root/.gnupg/pubring.kbx
------------------------
pub rsa2048 2020-09-06 [SC] [expires: 2022-09-06]
193B804B192A132E7676059793351467F0B00471
uid [ unknown] centos8
sub rsa2048 2020-09-06 [E] [expires: 2022-09-06]
gpg: 6ECA10588B6621FF: There is no assurance this key belongs to the named user
sub rsa2048/6ECA10588B6621FF 2020-09-06 centos8
Primary key fingerprint: 193B 804B 192A 132E 7676 0597 9335 1467 F0B0 0471
Subkey fingerprint: AB3E EA08 0E48 678B A37C 48D4 6ECA 1058 8B66 21FF
It is NOT certain that the key belongs to the person named
in the user ID. If you *really* know what you are doing,
you may answer the next question with yes.
Use this key anyway? (y/N) y
[root@CentOS8 data]# ll luyinghui
luyinghui luyinghui.gpg
[root@CentOS8 data]# ll luyinghui.gpg
-rw-r--r--. 1 root root 341 Sep 6 16:44 luyinghui.gpg
3、回到 CentOS7 服务器,远程拷贝 file.txt.gpg 文件到本地,使用 CentOS7的私钥解密文件
[root@centos8 ~]# scp 10.0.0.18:/data/luyinghui.gpg .
root@10.0.0.18's password:
Permission denied, please try again.
root@10.0.0.18's password:
luyinghui.gpg 100% 341 250.9KB/s 00:00
[root@centos8 ~]# ls
anaconda-ks.cfg luyinghui.gpg
[root@centos8 ~]# gpg -d luyinghui.gpg > luyinghui
gpg: encrypted with 2048-bit RSA key, ID 6ECA10588B6621FF, created 2020-09-06
"centos8"
4、在 CentOS7 中使用 openssl 软件创建 CA
[root@localhost ~]# touch /etc/pki/CA/index.txt
[root@localhost ~]# echo 01 > /etc/pki/CA/serial
[root@localhost ~]# cd /etc/pki/CA/
[root@localhost CA]# (umask 066; openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus
.......+++
...................+++
e is 65537 (0x10001)
[root@localhost CA]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 3650 -out /etc/pki/CA/cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:henan
Locality Name (eg, city) [Default City]:zhenzhou
Organization Name (eg, company) [Default Company Ltd]:mage
Organizational Unit Name (eg, section) []:it
Common Name (eg, your name or your server's hostname) []:CA.magedu.com
Email Address []:
[root@localhost CA]# tree
.
├── cacert.pem
├── certs
├── crl
├── index.txt
├── newcerts
├── private
│ └── cakey.pem
└── serial
5、 在 CentOS7 中使用 openssl 软件创建一个证书申请请求文件,并使用上面的跟证书对其进行签署
[root@localhost CA]# (umask 066; openssl genrsa -out /data/test.key 1024)
Generating RSA private key, 1024 bit long modulus
.++++++
....++++++
e is 65537 (0x10001)
[root@localhost CA]# openssl req -new -key /data/test.key -out /data/test.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:henan
Locality Name (eg, city) [Default City]:luoyang
Organization Name (eg, company) [Default Company Ltd]:MAGE
Organizational Unit Name (eg, section) []:devops
Common Name (eg, your name or your server's hostname) []:www.magedu.com
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@localhost CA]# opensslopenssl ca -in /data/test.csr -out /etc/pki/CA/certs/test.crt -days 10^C
[root@localhost CA]# openssl ca -in /data/test.csr -out /etc/pki/CA/certs/test.crt -days 100
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
The organizationName field needed to be the same in the
CA certificate (mage) and the request (MAGE)
[root@localhost CA]# tree c
cacert.pem certs/ crl/
[root@localhost CA]# tree certs/
certs/
└── test.crt
0 directories, 1 file
6、吊销已经签署成功的证书
[root@localhost CA]# openssl x509 -in /etc/pki/CA/certs/test1.crt -noout -serial -subject
serial=01
subject= /C=CN/ST=henan/O=mage/OU=devops/CN=www.magedu.com
[root@localhost CA]# openssl ca -revoke /etc/pki/CA/newcerts/01.pem
Using configuration from /etc/pki/tls/openssl.cnf
Revoking Certificate 01.
Data Base Updated
[root@localhost CA]# echo 01 > /etc/pki/CA/crlnumber
[root@localhost CA]# openssl ca -gencrl -out /etc/pki/CA/crl.pem
Using configuration from /etc/pki/tls/openssl.cnf
[root@localhost CA]# openssl crl -in /etc/pki/CA/crl.pem -noout -text
Certificate Revocation List (CRL):
Version 2 (0x1)
Signature Algorithm: sha256WithRSAEncryption
Issuer: /C=CN/ST=henan/L=zhenzhou/O=mage/OU=it/CN=CA.magedu.com
Last Update: Sep 6 09:14:51 2020 GMT
Next Update: Oct 6 09:14:51 2020 GMT
CRL extensions:
X509v3 CRL Number:
1
Revoked Certificates:
Serial Number: 01
Revocation Date: Sep 6 09:14:20 2020 GMT
Signature Algorithm: sha256WithRSAEncryption
6d:83:59:b2:09:2b:84:e8:b5:c0:52:d3:7c:99:39:76:0e:30:
3f:df:f3:bf:1d:46:91:cc:cb:84:3a:db:36:c7:09:40:60:fc:
ef:a9:da:73:c3:f4:03:ab:72:93:ed:fa:1f:43:72:00:88:e7:
ef:0c:1d:67:d6:8a:bc:69:00:49:23:1a:f1:0c:15:e6:75:bb:
65:47:3e:73:0d:d1:f5:f4:17:29:2a:58:28:f5:72:c4:2b:a1:
32:e9:44:70:19:ef:09:ff:42:a7:3d:d7:45:2f:e1:40:ae:62:
37:14:65:26:bd:5b:8f:e0:46:0e:79:c2:1b:fc:c8:c0:78:b9:
39:e5:f7:fd:32:45:fc:57:69:96:a2:7b:78:e1:4b:59:c6:d1:
b5:90:01:7e:43:5f:b2:ca:ea:97:09:49:e5:34:14:8a:e0:32:
a0:9a:40:90:fc:36:ef:c4:d2:b7:f5:9c:7c:f2:9b:f8:ee:9e:
39:99:89:30:f5:97:f4:25:d1:65:f5:8f:4b:a9:95:6a:90:67:
23:a5:d0:a6:4c:93:98:6c:a0:14:14:c1:7a:14:14:67:3a:77:
78:99:dc:3e:74:76:61:c9:9f:ad:f9:b0:69:be:9f:57:6e:13:
9a:d1:cf:f6:0e:a4:1a:e1:7c:c8:02:31:c6:53:16:e8:74:76:
96:9a:3e:39
[root@localhost CA]# openssl ca -status 01
Using configuration from /etc/pki/tls/openssl.cnf
01=Revoked (R)
浙公网安备 33010602011771号