2020-09-05

1. Create an RSA asymmetric key pair with gpg on CentOS7

[19:33:31 root@centos7 ~]#gpg --gen-key
gpg (GnuPG) 2.0.22; Copyright (C) 2013 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

gpg: directory `/root/.gnupg' created
gpg: new configuration file `/root/.gnupg/gpg.conf' created
gpg: WARNING: options in `/root/.gnupg/gpg.conf' are not yet active during this run
gpg: keyring `/root/.gnupg/secring.gpg' created
gpg: keyring `/root/.gnupg/pubring.gpg' created
Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
Your selection? 
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 1024
Requested keysize is 1024 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 0
Key does not expire at all
Is this correct? (y/N) y

GnuPG needs to construct a user ID to identify your key.

Real name: Centos7
Email address: 
Comment: 
You selected this USER-ID:
    "Centos7"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
You need a Passphrase to protect your secret key.

You don't want a passphrase - this is probably a *bad* idea!
I will do it anyway.  You can change your passphrase at any time,
using this program with the option "--edit-key".

We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: key 60333C93 marked as ultimately trusted
public and secret key created and signed.

gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
pub   1024R/60333C93 2020-09-05
      Key fingerprint = 389C 9150 5D9A 1156 2C50  49E1 082D 8E4F 6033 3C93
uid                  Centos7
sub   1024R/A3B0DBED 2020-09-05

2. Copy the public key exported from CentOS7 to CentOS8, and on CentOS8 use the CentOS7 public key to encrypt a file
(1) Export the public key on CentOS7

[19:41:53 root@centos7 .gnupg]#gpg -a --export -o Centos7.pubkey

(2) Copy the exported public key to CentOS8

[19:46:07 root@centos7 .gnupg]#scp Centos7.pubkey 10.0.0.8:/data
The authenticity of host '10.0.0.8 (10.0.0.8)' can't be established.
ECDSA key fingerprint is SHA256:N95hI6bk/+BA1IyTT/RH8w78Kw/JUU2ZTnca7546uvc.
ECDSA key fingerprint is MD5:2c:d8:14:23:28:94:0a:f9:5f:8a:e9:0f:57:9c:ff:45.
Are you sure you want to continue connecting (yes/no)? y
Please type 'yes' or 'no': yes
Warning: Permanently added '10.0.0.8' (ECDSA) to the list of known hosts.
root@10.0.0.8's password: 
Centos7.pubkey                                                          100%  988   781.7KB/s   00:00    

(3) Import the CentOS7 public key

[19:50:40 root@centos8 data ]#gpg --import /data/Centos7.pubkey 
gpg: key 082D8E4F60333C93: public key "Centos7" imported
gpg: Total number processed: 1
gpg:               imported: 1

(4) Encrypt a file with the CentOS7 public key

[19:54:51 root@centos8 .gnupg ]#gpg -e -r Centos7 /data/chess.sh 
gpg: 00B7BFA0A3B0DBED: There is no assurance this key belongs to the named user
sub  rsa1024/00B7BFA0A3B0DBED 2020-09-05 Centos7
 Primary key fingerprint: 389C 9150 5D9A 1156 2C50  49E1 082D 8E4F 6033 3C93
      Subkey fingerprint: F135 9066 3A2A 9E89 8301  E06C 00B7 BFA0 A3B0 DBED

It is NOT certain that the key belongs to the person named
in the user ID.  If you *really* know what you are doing,
you may answer the next question with yes.

Use this key anyway? (y/N) y
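The "There is no assurance this key belongs to the named user" prompt above is the point where the fingerprint gpg prints should be compared with one obtained from the key owner out of band. The following Python is an added example, not part of the original post: it normalizes and compares fingerprints and derives the short and long key IDs gpg displays (60333C93, 082D8E4F60333C93, A3B0DBED, 00B7BFA0A3B0DBED) from the two fingerprints printed on this page.

```python
import re

# Fingerprints exactly as gpg printed them on this page: the CentOS7 primary
# key (step 1) and its encryption subkey (step 2, (4)).
PRIMARY_FPR = "389C 9150 5D9A 1156 2C50  49E1 082D 8E4F 6033 3C93"
SUBKEY_FPR = "F135 9066 3A2A 9E89 8301  E06C 00B7 BFA0 A3B0 DBED"


def normalize_fpr(text: str) -> str:
    """Drop spaces and colons, upper-case, and require 40 hex digits (a v4 fingerprint)."""
    fpr = re.sub(r"[\s:]", "", text).upper()
    if not re.fullmatch(r"[0-9A-F]{40}", fpr):
        raise ValueError(f"not a v4 OpenPGP fingerprint: {text!r}")
    return fpr


def key_ids(fingerprint: str) -> dict:
    """Derive the IDs gpg displays from a v4 fingerprint.

    The long key ID is the low 64 bits (last 16 hex digits) of the SHA-1
    fingerprint and the short key ID is the low 32 bits (last 8 hex digits).
    A 32-bit short ID is far too small to be unique, which is why only the
    full fingerprint identifies a key unambiguously.
    """
    fpr = normalize_fpr(fingerprint)
    return {"fingerprint": fpr, "long_id": fpr[-16:], "short_id": fpr[-8:]}


def fingerprint_matches(printed: str, out_of_band: str) -> bool:
    """True only if the fingerprint gpg printed equals the one obtained from the owner.

    Both inputs are normalized first, so gpg's grouped upper-case form and a
    lower-case, unspaced copy of the same fingerprint compare equal.
    """
    return normalize_fpr(printed) == normalize_fpr(out_of_band)


if __name__ == "__main__":
    for label, fpr in (("primary", PRIMARY_FPR), ("subkey", SUBKEY_FPR)):
        ids = key_ids(fpr)
        print(f"{label}: long ID {ids['long_id']}, short ID {ids['short_id']}")
```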

3. Back on the CentOS7 server, copy the file.txt.gpg file from the remote host and decrypt it with the CentOS7 private key
(1) Copy the encrypted file to the local host

[19:48:26 root@centos7 .gnupg]#scp root@10.0.0.8:/data/chess.sh.gpg /data/
root@10.0.0.8's password: 
chess.sh.gpg                                                            100%  471   170.3KB/s   00:00    

(2) Decrypt with the CentOS7 private key

[20:00:41 root@centos7 data]#gpg -o chess.sh -d chess.sh.gpg
gpg: encrypted with 1024-bit RSA key, ID A3B0DBED, created 2020-09-05
      "Centos7"
[20:01:31 root@centos7 data]#ll
total 16
-rw-r--r--. 1 root root 496 Sep  5 20:01 chess.sh
-rw-r--r--. 1 root root 471 Sep  5 19:59 chess.sh.gpg
-rw-r--r--. 1 root root 782 Aug 27 19:16 https.sh
-rw-r--r--. 1 root root 249 Aug 29 10:38 shuzi.sh

4. Create a CA with openssl on CentOS7
(1) Create the certificate index file

[13:27:08 root@centos7 CA]#touch /etc/pki/CA/index.txt

Set the serial number of the first certificate to be issued

[13:28:56 root@centos7 CA]#echo 01 >/etc/pki/CA/serial

(2) Generate the CA private key

[12:49:51 root@centos7 ~]#cd /etc/pki/CA
[12:59:59 root@centos7 CA]#(umask 066; openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus
......................+++
................+++
e is 65537 (0x10001)

(3) Generate the CA self-signed certificate

[13:00:18 root@centos7 CA]#openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 3650 -out /etc/pki/CA/cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:henan
Locality Name (eg, city) [Default City]:zhengzhou
Organization Name (eg, company) [Default Company Ltd]:magedu
Organizational Unit Name (eg, section) []:M42
Common Name (eg, your name or your server's hostname) []:www.rc.com
Email Address []:


5. Create a certificate signing request with openssl on CentOS7 and sign it with the root certificate created above
(1) Generate a private key for the host that will use the certificate

[13:18:56 root@centos7 certs]#(umask 066;openssl genrsa -out test.key 2048)
Generating RSA private key, 2048 bit long modulus
.............................+++
............................................................+++
e is 65537 (0x10001)

(2) Generate the certificate signing request

[13:21:14 root@centos7 certs]#openssl req -new -key test.key -out test.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:henan
Locality Name (eg, city) [Default City]:zhengzhou
Organization Name (eg, company) [Default Company Ltd]:magedu
Organizational Unit Name (eg, section) []:devops
Common Name (eg, your name or your server's hostname) []:www.mage.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

(3) Have the CA sign the request

[13:40:43 root@centos7 CA]#openssl ca -in /data/certs/test.csr  -out /etc/pki/CA/certs/test.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Sep  6 05:42:49 2020 GMT
            Not After : Sep  6 05:42:49 2021 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = henan
            organizationName          = magedu
            organizationalUnitName    = devops
            commonName                = www.mage.com
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                4C:E9:BA:DA:E9:88:D5:28:95:DB:E0:18:D3:B0:4E:20:B5:40:B8:C3
            X509v3 Authority Key Identifier: 
                keyid:79:5E:28:69:5A:5F:80:95:CC:BA:15:D7:F6:FB:5E:9B:97:C7:FA:D7

Certificate is to be certified until Sep  6 05:42:49 2021 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

6. Revoke the certificate that was just signed

[14:10:21 root@centos7 CA]#openssl ca -status 01
Using configuration from /etc/pki/tls/openssl.cnf
01=Valid (V)
[14:14:53 root@centos7 CA]#openssl ca -revoke newcerts/01.pem 
Using configuration from /etc/pki/tls/openssl.cnf
Revoking Certificate 01.
Data Base Updated
[14:17:15 root@centos7 CA]#cat index.txt
R	210906054249Z	200906061715Z	01	unknown	/C=CN/ST=henan/O=magedu/OU=devops/CN=www.mage.com
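The index.txt line above is the CA's whole record of the revocation: tab-separated status (V valid, R revoked, E expired), expiry time, revocation time, serial, certificate file name and subject DN. The following Python is an added example, not part of the original post: it parses that database and reports whether a serial was valid, revoked or expired at a given UTC time. The first sample line is the one shown above; the second is a constructed, still-valid entry for serial 02.

```python
from datetime import datetime, timezone

# Constructed CA database: line 1 is the revoked entry shown on this page,
# line 2 is a made-up still-valid entry (serial 02) for comparison.
INDEX_TXT = (
    "R\t210906054249Z\t200906061715Z\t01\tunknown\t"
    "/C=CN/ST=henan/O=magedu/OU=devops/CN=www.mage.com\n"
    "V\t210906054249Z\t\t02\tunknown\t"
    "/C=CN/ST=henan/O=magedu/OU=devops/CN=www.rc.com\n"
)

STATUS_NAMES = {"V": "valid", "R": "revoked", "E": "expired"}


def parse_utctime(stamp: str) -> datetime:
    """index.txt stores ASN.1 UTCTime, YYMMDDHHMMSSZ, always in UTC."""
    return datetime.strptime(stamp, "%y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def parse_index(text: str) -> dict:
    """Parse index.txt into {serial: entry}. Fields are tab separated:
    status, expiry, revocation (empty unless revoked; may carry ',reason'
    when the CA was given -crl_reason), serial, certificate file name
    ('unknown' by default), subject DN."""
    entries = {}
    for raw in text.splitlines():
        if not raw.strip():
            continue
        fields = raw.split("\t")
        if len(fields) != 6:
            raise ValueError(f"malformed index.txt line: {raw!r}")
        status, expiry, revocation, serial, filename, subject = fields
        rev_time, _, reason = revocation.partition(",")
        entries[serial] = {
            "status": status,
            "expires": parse_utctime(expiry),
            "revoked": parse_utctime(rev_time) if rev_time else None,
            "reason": reason or None,
            "filename": filename,
            "subject": subject,
        }
    return entries


def certificate_state(entries: dict, serial: str, at: str) -> str:
    """State of a serial at UTCTime 'at': 'unknown', 'revoked', 'expired' or 'valid'.
    The stored status letter is recomputed from the timestamps rather than
    trusted, because openssl only rewrites V to E when 'openssl ca -updatedb' runs."""
    entry = entries.get(serial)
    now = parse_utctime(at)
    if entry is None:
        return "unknown"
    if entry["revoked"] is not None and entry["revoked"] <= now:
        return "revoked"
    if entry["expires"] <= now:
        return "expired"
    return "valid"
```

The R entry only affects relying parties once a CRL is generated from this database with `openssl ca -gencrl` and published where clients can fetch it.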
