Assignment (1)

Using openssl on CentOS 7 to create a CA, then request, sign and revoke a certificate

1. Create an RSA asymmetric key pair with gpg on CentOS 7

[root@centos7 ~]# gpg --gen-key   # create the asymmetric key pair
gpg (GnuPG) 2.0.22; Copyright (C) 2013 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Please select what kind of key you want:    # press Enter for the default, RSA
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
Your selection? 
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 1024
Requested keysize is 1024 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0)   # press Enter for the default, no expiry
Key does not expire at all
Is this correct? (y/N) y

GnuPG needs to construct a user ID to identify your key.

Real name: centos7
Email address: 
Comment: 
You selected this USER-ID:
    "centos7"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O

[root@centos7 ~]# ll /root/.gnupg/pubring.gpg
-rw-------. 1 root root 1167 Sep  5 20:31 /root/.gnupg/pubring.gpg
[root@centos7 ~]# ll /root/.gnupg/secring.gpg 
-rw-------. 1 root root 2469 Sep  5 20:31 /root/.gnupg/secring.gpg

2. Copy the public key exported from CentOS 7 to CentOS 8, and on CentOS 8 encrypt a file with the CentOS 7 public key

[root@centos7 ~]# gpg --list-key   # list keys
/root/.gnupg/pubring.gpg
------------------------
pub   2048R/ADF14BE9 2020-09-05
uid                  centos7
sub   2048R/B9073B75 2020-09-05
[root@centos7 ~]# gpg -a --export -o centos7.pubkey
[root@centos7 ~]# ll
total 16
-rw-------. 1 root root 1892 Jun  4 18:05 anaconda-ks.cfg
-rw-r--r--. 1 root root 1687 Sep  5 20:40 centos7.pubkey
-rw-r--r--. 1 root root 1940 Jun  4 18:24 initial-setup-ks.cfg
-rw-r--r--. 1 root root 2116 Sep  5 19:42 zhengshu.sh
[root@centos7 ~]# scp centos7.pubkey 10.0.0.80:/root/

[20:42:13 root@Centos ~]#gpg --import centos7.pubkey 
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: key 4842B7D5ADF14BE9: public key "centos7" imported
gpg: Total number processed: 1
gpg:               imported: 1
[20:43:04 root@Centos ~]#gpg -e -r centos7 2.txt 
gpg: 34FF119CB9073B75: There is no assurance this key belongs to the named user
sub  rsa2048/34FF119CB9073B75 2020-09-05 centos7
 Primary key fingerprint: 1CE0 7EAD 2EE3 FCE8 9E26  65CD 4842 B7D5 ADF1 4BE9
      Subkey fingerprint: 042D 4EF5 CF49 CC3D DD3F  74C1 34FF 119C B907 3B75

It is NOT certain that the key belongs to the person named
in the user ID.  If you *really* know what you are doing,
you may answer the next question with yes.

Use this key anyway? (y/N) y

3. Back on the CentOS 7 server, copy file.txt.gpg over remotely and decrypt it with the CentOS 7 private key

[root@centos7 ~]# scp 10.0.0.80:/root/2.txt.gpg /root/
root@10.0.0.80's password: 
2.txt.gpg                                                                  100%  347    77.6KB/s   00:00    
[root@centos7 ~]# ll 2.txt.gpg 
-rw-r--r--. 1 root root 347 Sep  5 20:49 2.txt.gpg
[root@centos7 ~]# gpg -d 2.txt.gpg 
gpg: encrypted with 2048-bit RSA key, ID B9073B75, created 2020-09-05
      "centos7"
321543534
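Steps 1 to 3 as one unattended script, added here as an example and not part of the original post: two throwaway GnuPG homes on one machine stand in for the CentOS 7 sender (s) and the CentOS 8 receiver (r), and the "no assurance this key belongs to the named user" prompt is replaced by an explicit fingerprint comparison before the key is trusted. The batch key parameters, the message text and the directories are constructed for this demo.

```shell
# Added demo, not the post's own commands: steps 1-3 run unattended with two throwaway GnuPG
# homes on one machine (s = the CentOS 7 sender, r = the CentOS 8 receiver). The batch
# key parameters, the message and the directories are constructed for this demo.
set -u

gpg_demo() {
    w=$(mktemp -d); s="$w/s"; r="$w/r"; mkdir -m 700 "$s" "$r"
    # Step 1: unattended key generation, same answers as the interactive --gen-key session
    gpg --batch --homedir "$s" --gen-key 2>/dev/null <<EOF
%no-protection
Key-Type: RSA
Key-Length: 2048
Subkey-Type: RSA
Subkey-Length: 2048
Name-Real: centos7
Expire-Date: 0
%commit
EOF
    # Step 2: export the public key (the file that was copied with scp) and import it on r
    gpg --batch --homedir "$s" -a --export -o "$w/centos7.pubkey"
    gpg --batch --homedir "$r" --import "$w/centos7.pubkey" 2>/dev/null
    # "There is no assurance this key belongs to the named user": instead of answering y,
    # compare the imported fingerprint with one obtained out of band (here: s's own keyring).
    fp_s=$(gpg --batch --homedir "$s" --with-colons --fingerprint | awk -F: '$1=="fpr"{print $10; exit}')
    fp_r=$(gpg --batch --homedir "$r" --with-colons --fingerprint | awk -F: '$1=="fpr"{print $10; exit}')
    [ "$fp_s" = "$fp_r" ] || { rm -rf "$w"; echo "fingerprint mismatch"; return 1; }
    # Only after the fingerprints match: mark the key ultimately trusted in r's trustdb
    printf '%s:6:\n' "$fp_r" | gpg --batch --homedir "$r" --import-ownertrust 2>/dev/null
    printf 'constructed secret message\n' > "$w/2.txt"
    gpg --batch --homedir "$r" -e -r centos7 -o "$w/2.txt.gpg" "$w/2.txt" 2>/dev/null
    # Step 3: back on s, decrypt 2.txt.gpg with the private key
    out=$(gpg --batch --homedir "$s" -d "$w/2.txt.gpg" 2>/dev/null)
    gpgconf --homedir "$s" --kill gpg-agent 2>/dev/null || true
    gpgconf --homedir "$r" --kill gpg-agent 2>/dev/null || true
    rm -rf "$w"
    echo "$out"   # → "constructed secret message"
}
```

On GnuPG 2.0 (CentOS 7) the `%no-protection` line is ignored and the key is simply created without a passphrase; on 2.1 and later it is what keeps the demo free of pinentry prompts.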

4. Create a CA with openssl on CentOS 7

[root@centos7 ~]# touch /etc/pki/CA/index.txt
[root@centos7 ~]# echo 01 > /etc/pki/CA/serial
[root@centos7 ~]# (umask 066;openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus
..................+++
.........................................+++
e is 65537 (0x10001)
[root@centos7 ~]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 3650 -out /etc/pki/CA/cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:beijing
Organization Name (eg, company) [Default Company Ltd]:magedu
Organizational Unit Name (eg, section) []:it
Common Name (eg, your name or your server's hostname) []:ca.magedu.org
Email Address []:

5. On CentOS 7, create a certificate signing request with openssl and sign it with the root certificate created above

[root@centos7 ~]# (umask 066;openssl genrsa -out /data/master.key 2048)
Generating RSA private key, 2048 bit long modulus
..............................................................+++
...................................................................................................................................................+++
e is 65537 (0x10001)
[root@centos7 ~]# openssl req -new -key /data/master.key -out /data/master.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:beijing
Organization Name (eg, company) [Default Company Ltd]:magedu
Organizational Unit Name (eg, section) []:it
Common Name (eg, your name or your server's hostname) []:master.crt
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@centos7 ~]# openssl ca -in /data/master.csr -out /etc/pki/CA/certs/master.crt -days 100
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Sep  5 13:15:06 2020 GMT
            Not After : Dec 14 13:15:06 2020 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = beijing
            organizationName          = magedu
            organizationalUnitName    = it
            commonName                = master.crt
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                CA:A7:37:86:BF:3D:84:3E:77:F8:E6:40:12:FE:73:DD:48:09:C8:73
            X509v3 Authority Key Identifier: 
                keyid:62:CC:08:7E:6A:80:A2:2B:28:84:BB:34:CB:5E:6E:83:D0:FD:56:44

Certificate is to be certified until Dec 14 13:15:06 2020 GMT (100 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

6. Revoke the signed certificate

[root@centos7 ~]# cat /etc/pki/CA/index.txt
V	201214131506Z		01	unknown	/C=CN/ST=beijing/O=magedu/OU=it/CN=master.crt
[root@centos7 ~]# openssl ca -revoke /etc/pki/CA/newcerts/01.pem 
Using configuration from /etc/pki/tls/openssl.cnf
Revoking Certificate 01.
Data Base Updated
[root@centos7 ~]# openssl ca -status 01
Using configuration from /etc/pki/tls/openssl.cnf
01=Revoked (R)
[root@centos7 ~]# cat /etc/pki/CA/index.txt
R	201214131506Z	200905131927Z	01	unknown	/C=CN/ST=beijing/O=magedu/OU=it/CN=master.crt
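Steps 4 to 6 as one non-interactive script, added here as an example and not part of the original post: the CA lives in a throwaway directory rather than /etc/pki/CA, a minimal openssl.cnf replaces the system one for `openssl ca`, and after the revocation a CRL is published and checked with `openssl verify -crl_check`, which the post stops short of. The directory, the config and the subject names are constructed for this demo.

```shell
# Added demo, not the post's own commands: steps 4-6 (create CA, sign CSR, revoke) run
# unattended in a throwaway directory; the minimal openssl.cnf and names are constructed.
set -u

ca_demo() {
    w=$(mktemp -d); ca="$w/CA"; cfg="$ca/openssl.cnf"
    mkdir -p "$ca/private" "$ca/certs" "$ca/newcerts" "$ca/crl"; chmod 700 "$ca/private"
    touch "$ca/index.txt"; echo 01 > "$ca/serial"     # empty database, first serial is 01
    cat > "$cfg" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir = $ca
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
certificate = \$dir/cacert.pem
private_key = \$dir/private/cakey.pem
default_md = sha256
policy = policy_anything
x509_extensions = leaf_ext
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
[ leaf_ext ]
basicConstraints = CA:FALSE
EOF
    # Step 4: CA key (umask 066 keeps it owner-only) and self-signed root certificate
    (umask 066; openssl genrsa -out "$ca/private/cakey.pem" 2048 2>/dev/null)
    openssl req -new -x509 -key "$ca/private/cakey.pem" -days 3650 \
        -subj "/C=CN/ST=beijing/O=magedu/OU=it/CN=ca.magedu.org" -out "$ca/cacert.pem"
    # Step 5: server key and CSR, signed by the CA; -batch replaces the two y/n prompts
    (umask 066; openssl genrsa -out "$w/master.key" 2048 2>/dev/null)
    openssl req -new -key "$w/master.key" -out "$w/master.csr" \
        -subj "/C=CN/ST=beijing/O=magedu/OU=it/CN=master.magedu.org"
    openssl ca -batch -config "$cfg" -in "$w/master.csr" -days 100 \
        -out "$ca/certs/master.crt" 2>/dev/null
    openssl verify -CAfile "$ca/cacert.pem" "$ca/certs/master.crt" >/dev/null 2>&1 && before=ok || before=fail
    # Step 6: revoke serial 01, publish a CRL, and confirm a CRL-aware verify now rejects it
    openssl ca -config "$cfg" -revoke "$ca/newcerts/01.pem" 2>/dev/null
    openssl ca -config "$cfg" -gencrl -crldays 30 -out "$ca/crl/ca.crl" 2>/dev/null
    openssl verify -crl_check -CAfile "$ca/cacert.pem" -CRLfile "$ca/crl/ca.crl" \
        "$ca/certs/master.crt" >/dev/null 2>&1 && after=still_valid || after=revoked
    state=$(cut -f1 "$ca/index.txt")   # column 1 of index.txt: V = valid, R = revoked
    rm -rf "$w"
    echo "$state $before $after"       # → "R ok revoked"
}
```

Note that a plain `openssl verify` still accepts the certificate after `-revoke`; revocation only takes effect for relying parties once the CRL is generated and they check it.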