Creating an RSA asymmetric key pair on CentOS 7, building a private CA and issuing a certificate to a client

1. Create an RSA asymmetric key pair on CentOS 7 with gpg

[13:32:55 root@centos7 data]#gpg --gen-key
gpg (GnuPG) 2.0.22; Copyright (C) 2013 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

gpg: directory `/root/.gnupg' created
gpg: new configuration file `/root/.gnupg/gpg.conf' created
gpg: WARNING: options in `/root/.gnupg/gpg.conf' are not yet active during this run
gpg: keyring `/root/.gnupg/secring.gpg' created
gpg: keyring `/root/.gnupg/pubring.gpg' created
Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
Your selection? 
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 1024
Requested keysize is 1024 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 1y
Key expires at Mon 06 Sep 2021 01:35:41 PM CST
Is this correct? (y/N) y

GnuPG needs to construct a user ID to identify your key.

Real name: centos7
Email address: 
Comment: 
You selected this USER-ID:
    "centos7"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O


[14:01:48 root@centos7 ~]#cd .gnupg/
#pubring.gpg is the public keyring, secring.gpg the secret keyring (GnuPG 2.0 layout; 2.1+ uses pubring.kbx and private-keys-v1.d). The 1024-bit size chosen above is below today's accepted minimum; keep the 2048-bit default or larger.
[14:02:03 root@centos7 .gnupg]#ls
gpg.conf           pubring.gpg   random_seed  S.gpg-agent
private-keys-v1.d  pubring.gpg~  secring.gpg  trustdb.gpg

2. Copy the public key exported from CentOS 7 to CentOS 8, and on CentOS 8 encrypt a file with CentOS 7's public key

#Export the public key on centos7 and send it to centos8
[14:26:29 root@centos7 ~]#gpg -a --export -o centos7.pubkey
[14:27:11 root@centos7 ~]#ls
centos7.pubkey
[14:27:12 root@centos7 ~]#scp centos7.pubkey root@10.0.0.8:
The authenticity of host '10.0.0.8 (10.0.0.8)' can't be established.
ECDSA key fingerprint is SHA256:9DNVak0nXGMb1+vL6OOF8B+p4shNw0A7FlMGNUWEewI.
ECDSA key fingerprint is MD5:ea:f5:51:92:b2:01:b7:1e:f8:64:33:91:a5:a2:b8:db.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.0.0.8' (ECDSA) to the list of known hosts.
root@10.0.0.8's password: 
centos7.pubkey                                    100% 1857   126.5KB/s   00:00    
#Generate a key pair on centos8
[14:36:50 root@centos8 ~]#gpg --gen-key 
gpg (GnuPG) 2.2.9; Copyright (C) 2018 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Note: Use "gpg --full-generate-key" for a full featured key generation dialog.

GnuPG needs to construct a user ID to identify your key.

Real name: centos8
Email address: 
You selected this USER-ID:
    "centos8"

Change (N)ame, (E)mail, or (O)kay/(Q)uit? O
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: key AF569B011207BAE2 marked as ultimately trusted
gpg: directory '/root/.gnupg/openpgp-revocs.d' created
gpg: revocation certificate stored as '/root/.gnupg/openpgp-revocs.d/130A4CF087EB7DB05AA3DC88AF569B011207BAE2.rev'
public and secret key created and signed.

pub   rsa2048 2020-09-06 [SC] [expires: 2022-09-06]
      130A4CF087EB7DB05AA3DC88AF569B011207BAE2
uid                      centos8
sub   rsa2048 2020-09-06 [E] [expires: 2022-09-06]
#Import centos7's public key
[14:41:30 root@centos8 ~]#gpg --import centos7.pubkey 
gpg: key D7F524782FB6286F: public key "centos7" imported
gpg: key 897BF425B0033D23: public key "centos7" imported
gpg: Total number processed: 2
gpg:               imported: 2
[14:51:58 root@centos8 ~]#gpg --list-keys
gpg: checking the trustdb
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: next trustdb check due at 2022-09-06
/root/.gnupg/pubring.kbx
------------------------
pub   rsa2048 2020-09-06 [SC] [expires: 2022-09-06]
      130A4CF087EB7DB05AA3DC88AF569B011207BAE2
uid           [ultimate] centos8
sub   rsa2048 2020-09-06 [E] [expires: 2022-09-06]

pub   rsa1024 2020-09-06 [SC]
      D76EF6B0CE0231C7ED938A3DD7F524782FB6286F
uid           [ unknown] centos7
sub   rsa1024 2020-09-06 [E]

pub   rsa1024 2020-09-06 [SC]
      5BC166056D01962BE7F79827897BF425B0033D23
uid           [ unknown] centos7
sub   rsa1024 2020-09-06 [E]
#Encrypt the file with centos7's public key. Two imported keys share the user ID "centos7", so -r centos7 simply takes the first match; in practice name the recipient by key ID or fingerprint, and verify that fingerprint out of band before answering y to the trust prompt below
[14:46:41 root@centos8 ~]#cp /etc/fstab /data
[14:52:27 root@centos8 ~]#gpg -e -r centos7 /data/fstab 
gpg: D8EEC020ABAB00C1: There is no assurance this key belongs to the named user
sub  rsa1024/D8EEC020ABAB00C1 2020-09-06 centos7
 Primary key fingerprint: D76E F6B0 CE02 31C7 ED93  8A3D D7F5 2478 2FB6 286F
      Subkey fingerprint: 79A6 EA56 0932 E63B 3DD4  F4D1 D8EE C020 ABAB 00C1

It is NOT certain that the key belongs to the person named
in the user ID.  If you *really* know what you are doing,
you may answer the next question with yes.
Use this key anyway? (y/N) y
[14:53:50 root@centos8 ~]#ls /data
fstab  fstab.gpg

3. Back on the CentOS 7 server, copy the encrypted fstab.gpg from CentOS 8 and decrypt it with CentOS 7's private key

#On centos7, copy fstab.gpg from centos8
[14:57:49 root@centos7 ~]#scp root@10.0.0.8:/data/fstab.gpg .
root@10.0.0.8's password: 
fstab.gpg                                         100%  606   755.6KB/s   00:00 
[14:59:35 root@centos7 ~]#gpg -o fstab -d fstab.gpg 


You need a passphrase to unlock the secret key for
user: "centos7"
1024-bit RSA key, ID ABAB00C1, created 2020-09-06 (main key ID 2FB6286F)

gpg: encrypted with 1024-bit RSA key, ID ABAB00C1, created 2020-09-06
      "centos7"
[15:00:38 root@centos7 ~]#ls
anaconda-ks.cfg  fstab  fstab.gpg
[15:00:42 root@centos7 ~]#cat fstab

#
# /etc/fstab
# Created by anaconda on Sun Sep  6 11:03:56 2020
#
# Accessible filesystems, by reference, are maintained under '/dev/disk/'.
# See man pages fstab(5), findfs(8), mount(8) and/or blkid(8) for more info.
#
# After editing this file, run 'systemctl daemon-reload' to update systemd
# units generated from this file.
#
UUID=97f43276-f19c-4d64-a05a-1434c41eea81 /                       xfs     defaults        0 0
UUID=002baf57-5d8e-496f-80eb-fd7b0f6e2c7e /boot                   ext4    defaults        1 2
UUID=e63afb7a-d681-45dd-90ef-a9fb89d59981 /data                   xfs     defaults        0 0
UUID=703a0804-fbc3-476b-b700-192300d42b00 swap                    swap    defaults        0 0
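The three gpg steps above, run end to end without prompts, as an added example (it is not part of the original post). Two throwaway --homedir directories stand in for the centos7 and centos8 hosts, the key parameters and the single fstab line are constructed for the demo, and the recipient is named by fingerprint instead of by the ambiguous user ID "centos7". It needs gpg 2.1 or later and gpgconf on PATH:

```shell
#!/bin/sh
# Added example, not code from the original post: the gpg key generation,
# export/import, encryption and decryption steps run unattended. Two temporary
# --homedir directories stand in for the centos7 and centos8 hosts; key
# parameters, file names and the sample fstab line are constructed for the demo.
set -eu

gpg_roundtrip() {
    if ! command -v gpg >/dev/null 2>&1; then
        echo "SKIP: gpg not installed"
        return 0
    fi
    work=$(mktemp -d)
    c7="$work/centos7"; c8="$work/centos8"
    mkdir -m 700 "$c7" "$c8"

    # Step 1 on "centos7": unattended key generation. %no-protection means no
    # passphrase, acceptable only for a throwaway demo key. 2048 bits, not the
    # 1024 chosen interactively in the post.
    gpg --homedir "$c7" --batch --quiet --pinentry-mode loopback --gen-key <<'EOF'
%no-protection
Key-Type: RSA
Key-Length: 2048
Subkey-Type: RSA
Subkey-Length: 2048
Name-Real: centos7
Expire-Date: 1y
%commit
EOF
    # Step 2, sender side: export the armoured public key and record its
    # fingerprint; the fingerprint is what the recipient side must check.
    gpg --homedir "$c7" --batch --quiet -a --export centos7 > "$work/centos7.pubkey"
    fpr=$(gpg --homedir "$c7" --batch --with-colons --list-keys centos7 \
          | awk -F: '$1 == "fpr" { print $10; exit }')

    # Step 2, recipient side ("centos8"): import, confirm the fingerprint matches
    # the one obtained out of band, then encrypt to the fingerprint rather than
    # to the name. --trust-model always replaces the interactive
    # "Use this key anyway?" prompt once the fingerprint has been checked.
    printf 'UUID=00000000-demo /data xfs defaults 0 0\n' > "$work/fstab"   # constructed sample
    gpg --homedir "$c8" --batch --quiet --import "$work/centos7.pubkey"
    gpg --homedir "$c8" --batch --quiet --list-keys "$fpr" >/dev/null
    gpg --homedir "$c8" --batch --quiet --trust-model always \
        -r "$fpr" -o "$work/fstab.gpg" -e "$work/fstab"

    # Step 3 back on "centos7": decrypt with the private key and compare.
    gpg --homedir "$c7" --batch --quiet -o "$work/fstab.dec" -d "$work/fstab.gpg"
    if cmp -s "$work/fstab" "$work/fstab.dec"; then result=OK; else result=MISMATCH; fi

    # Stop the per-homedir agents and remove the demo keys.
    for d in "$c7" "$c8"; do gpgconf --homedir "$d" --kill gpg-agent 2>/dev/null || true; done
    rm -rf "$work"
    echo "$result"
}

gpg_roundtrip
```

The --list-keys "$fpr" call before encrypting is the step the interactive session skipped: on the real centos8 you would compare the imported fingerprint with one read out on centos7 over a trusted channel, and only then either sign the key or pass --trust-model always.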

4. Create a CA on CentOS 7 with openssl

#Create the files the CA needs
#Create the certificate index database
[15:26:37 root@centos7 ~]#cd /etc/pki/CA/
[15:24:32 root@centos7 CA]#ls
certs  crl  newcerts  private
[15:26:37 root@centos7 CA]#touch index.txt
#Set the serial number of the first certificate to be issued
[15:26:37 root@centos7 CA]#echo 01 > /etc/pki/CA/serial 
#Generate the CA private key (the umask keeps it readable by root only)
[15:23:56 root@centos7 CA]#(umask 066; openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus
.....................................................................................................................+++
..................+++
e is 65537 (0x10001)
#Generate the CA's self-signed certificate (with the stock openssl.cnf, -x509 applies the v3_ca section, so the certificate carries CA:TRUE)
[15:26:37 root@centos7 CA]#openssl req -new -x509 -key private/cakey.pem -days 3650 -out cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:henan
Locality Name (eg, city) [Default City]:zhengzhou
Organization Name (eg, company) [Default Company Ltd]:magedu
Organizational Unit Name (eg, section) []:it
Common Name (eg, your name or your server's hostname) []:centos7
Email Address []:
[15:27:29 root@centos7 CA]#ls
cacert.pem  certs  crl  newcerts  private
[15:27:33 root@centos7 CA]#tree
.
├── cacert.pem
├── certs
├── crl
├── newcerts
└── private
    └── cakey.pem

4 directories, 2 files

5. On CentOS 7, use openssl to create a certificate signing request and sign it with the root certificate created above

#Generate the private key for the certificate request
[15:43:32 root@centos7 data]#(umask 066; openssl genrsa -out /data/request.key 2048) 
Generating RSA private key, 2048 bit long modulus
.....................+++
......................................+++
e is 65537 (0x10001)
#Generate the certificate signing request from that key
[15:47:59 root@centos7 data]#openssl req -new -key /data/request.key -out /data/request.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:henan
Locality Name (eg, city) [Default City]:zhengzhou
Organization Name (eg, company) [Default Company Ltd]:magedu
Organizational Unit Name (eg, section) []:dev
Common Name (eg, your name or your server's hostname) []:app
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
#The CA signs the certificate. The stock openssl.cnf uses policy_match, so C, ST and O in the request must equal the CA's; OU and CN may differ (as here), and fields not listed in the policy, such as L, are dropped from the issued subject
[15:51:48 root@centos7 data]#openssl ca -in /data/request.csr -out /etc/pki/CA/certs/request.crt -days 200
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Sep  6 07:51:51 2020 GMT
            Not After : Mar 25 07:51:51 2021 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = henan
            organizationName          = magedu
            organizationalUnitName    = dev
            commonName                = app
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                8D:F1:ED:8E:04:9D:36:DA:81:C5:9C:85:95:1A:5D:8F:CC:A4:AC:5F
            X509v3 Authority Key Identifier: 
                keyid:54:5A:61:66:64:42:DF:E3:E1:6B:9D:E2:04:3C:09:25:B7:F7:E2:74

Certificate is to be certified until Mar 25 07:51:51 2021 GMT (200 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[16:03:43 root@centos7 data]#openssl ca -status 01
Using configuration from /etc/pki/tls/openssl.cnf
01=Valid (V)

6. Revoke the certificate that was signed

#Look up the serial of the certificate to revoke
[16:09:41 root@centos7 ~]#openssl x509 -in /etc/pki/CA/certs/request.crt -noout -serial -subject
serial=01
subject= /C=CN/ST=henan/O=magedu/OU=dev/CN=app
#Revoke the issued certificate (openssl ca keeps a copy of every issued certificate under newcerts/<serial>.pem)
[16:11:06 root@centos7 ~]#openssl ca -revoke /etc/pki/CA/newcerts/01.pem 
Using configuration from /etc/pki/tls/openssl.cnf
Revoking Certificate 01.
Data Base Updated
#Create the CRL number file (required before the first -gencrl)
[16:09:16 root@centos7 ~]#echo 01 > /etc/pki/CA/crlnumber
#Generate (update) the certificate revocation list
[16:12:14 root@centos7 ~]#openssl ca -gencrl -out /etc/pki/CA/crl.pem
Using configuration from /etc/pki/tls/openssl.cnf
[16:12:42 root@centos7 ~]#ls /etc/pki/CA/
cacert.pem  crlnumber      index.txt           index.txt.old  serial
certs       crlnumber.old  index.txt.attr      newcerts       serial.old
crl         crl.pem        index.txt.attr.old  private
#Check the status of the revoked certificate
[16:13:06 root@centos7 ~]#openssl ca -status 01
Using configuration from /etc/pki/tls/openssl.cnf
01=Revoked (R)
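Steps 4 to 6 as a single unattended script, added here as an example that is not from the original post. It recreates the /etc/pki/CA layout inside a temp directory with its own minimal openssl.cnf, so nothing on the system is touched; the DN values follow the post, while the SAN hostname app.example.internal is made up for the demo. It needs openssl 1.1.1 or newer:

```shell
#!/bin/sh
# Added example, not code from the original post: build a private CA, issue one
# certificate, revoke it, publish a CRL, and check both states with "openssl
# verify". Everything lives in a temp directory with its own config; the SAN
# hostname app.example.internal is constructed for the demo.
set -eu

private_ca_demo() {
    if ! command -v openssl >/dev/null 2>&1; then
        echo "SKIP: openssl not installed"
        return 0
    fi
    ca=$(mktemp -d)
    mkdir -p "$ca/certs" "$ca/crl" "$ca/newcerts" "$ca/private"
    chmod 700 "$ca/private"
    touch "$ca/index.txt"       # certificate database, empty to start
    echo 01 > "$ca/serial"      # serial of the first certificate issued
    echo 01 > "$ca/crlnumber"   # needed by -gencrl; create it up front

    # Minimal config mirroring the stock openssl.cnf: policy_match forces C, ST
    # and O of every request to equal the CA's; usr_cert pins CA:FALSE, so a CSR
    # cannot smuggle in CA:TRUE even though copy_extensions lets its SAN through.
    cat > "$ca/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $ca
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
crlnumber = \$dir/crlnumber
certificate = \$dir/cacert.pem
private_key = \$dir/private/cakey.pem
default_md = sha256
default_days = 200
default_crl_days = 30
policy = policy_match
x509_extensions = usr_cert
copy_extensions = copy
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ usr_cert ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid, issuer
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ req ]
distinguished_name = req_dn
[ req_dn ]
EOF

    # Step 4: root-only CA key and a self-signed CA certificate with CA:TRUE.
    (umask 077; openssl genrsa -out "$ca/private/cakey.pem" 2048 2>/dev/null)
    openssl req -new -x509 -config "$ca/openssl.cnf" -extensions v3_ca \
        -key "$ca/private/cakey.pem" -days 3650 \
        -subj "/C=CN/ST=henan/L=zhengzhou/O=magedu/OU=it/CN=centos7" -out "$ca/cacert.pem"

    # Step 5: request key, CSR with a SAN (TLS clients ignore CN today), signature.
    (umask 077; openssl genrsa -out "$ca/app.key" 2048 2>/dev/null)
    openssl req -new -config "$ca/openssl.cnf" -key "$ca/app.key" \
        -subj "/C=CN/ST=henan/L=zhengzhou/O=magedu/OU=dev/CN=app" \
        -addext "subjectAltName = DNS:app.example.internal" -out "$ca/app.csr"
    openssl ca -batch -config "$ca/openssl.cnf" -in "$ca/app.csr" -out "$ca/certs/app.crt" -days 200
    tab=$(printf '\t')
    before=$(awk -F "$tab" '$4 == "01" { print $1 }' "$ca/index.txt")   # index.txt status column
    if openssl verify -CAfile "$ca/cacert.pem" "$ca/certs/app.crt" >/dev/null 2>&1; then chain=ok; else chain=fail; fi

    # Step 6: revoke, publish the CRL, and show that a CRL-checking verifier rejects it.
    openssl ca -config "$ca/openssl.cnf" -revoke "$ca/newcerts/01.pem"
    openssl ca -config "$ca/openssl.cnf" -gencrl -out "$ca/crl.pem"
    after=$(awk -F "$tab" '$4 == "01" { print $1 }' "$ca/index.txt")
    if openssl verify -CAfile "$ca/cacert.pem" -CRLfile "$ca/crl.pem" -crl_check \
            "$ca/certs/app.crt" >/dev/null 2>&1; then crl=accepted; else crl=rejected; fi

    rm -rf "$ca"
    echo "before=$before after=$after chain=$chain crl=$crl"
}

private_ca_demo
```

The last line reads before=V after=R chain=ok crl=rejected: the database entry flips from V to R on revocation, and a verifier that is handed the CRL with -crl_check refuses the certificate although the plain chain check still passes. A client that never fetches crl.pem keeps accepting the revoked certificate, so the CRL (or an OCSP responder) has to reach every relying party.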
