Generating a key pair with gpg, exporting the public key, and signing and verifying

I. Generating a key pair with gpg and exporting the public key

Generate the key pair

Run the command: gpg --gen-key

Please select what kind of key you want:

   (1) RSA and RSA (default)

   (2) DSA and Elgamal

   (3) DSA (sign only)

   (4) RSA (sign only)

Your selection? 4

RSA keys may be between 1024 and 4096 bits long.

What keysize do you want? (2048) 4096

Requested keysize is 4096 bits

Please specify how long the key should be valid.

         0 = key does not expire

      <n>  = key expires in n days

      <n>w = key expires in n weeks

      <n>m = key expires in n months

      <n>y = key expires in n years

Key is valid for? (0) 0

Key does not expire at all

Is this correct? (y/N) y

 

GnuPG needs to construct a user ID to identify your key.

 

Real name: test

Name must be at least 5 characters long

Real name: testxsf

Email address: 123@qq.com

Comment:

You selected this USER-ID:

    "testxsf <123@qq.com>"

 

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O

Enter a passphrase and confirm it (no screenshot).

Generate a subkey for encryption

[root@agent07 new27]# gpg --edit-key testxsf

gpg (GnuPG) 2.0.22; Copyright (C) 2013 Free Software Foundation, Inc.

This is free software: you are free to change and redistribute it.

There is NO WARRANTY, to the extent permitted by law.

 

Secret key is available.

 

pub  4096R/38B98186  created: 2021-04-27  expires: never       usage: SC 

                     trust: ultimate      validity: ultimate

[ultimate] (1). testxsf <123@qq.com>

 

gpg> addkey

Key is protected.

 

You need a passphrase to unlock the secret key for

user: "testxsf <123@qq.com>"

4096-bit RSA key, ID 38B98186, created 2021-04-27

 

Please select what kind of key you want:

   (3) DSA (sign only)

   (4) RSA (sign only)

   (5) Elgamal (encrypt only)

   (6) RSA (encrypt only)

Your selection? 6

RSA keys may be between 1024 and 4096 bits long.

What keysize do you want? (2048) 4096

Requested keysize is 4096 bits

Please specify how long the key should be valid.

         0 = key does not expire

      <n>  = key expires in n days

      <n>w = key expires in n weeks

      <n>m = key expires in n months

      <n>y = key expires in n years

Key is valid for? (0) 0

Key does not expire at all

Is this correct? (y/N) y

Really create? (y/N) y

We need to generate a lot of random bytes. It is a good idea to perform

some other action (type on the keyboard, move the mouse, utilize the

disks) during the prime generation; this gives the random number

generator a better chance to gain enough entropy.

 

pub  4096R/38B98186  created: 2021-04-27  expires: never       usage: SC 

                     trust: ultimate      validity: ultimate

sub  4096R/3499E23C  created: 2021-04-27  expires: never       usage: E  

[ultimate] (1). testxsf <123@qq.com>

Partway through you are prompted for a passphrase; enter the one set in step 1 (generating the key pair).

List the keys

gpg -k

Export the public key in ASCII-armored form

gpg --armor --output xsftest-pub-sub.asc --export testxsf

This step produces: xsftest-pub-sub.asc

Export the private key (store it safely; do not send it to the customer)

gpg --armor -o womende-private_0426.asc --export-secret-keys womende

View the public key file

[root@agent07 new27]# cat xsftest-pub-sub.asc

 -----BEGIN PGP PUBLIC KEY BLOCK-----

Version: GnuPG v2.0.22 (GNU/Linux)

 

-----END PGP PUBLIC KEY BLOCK-----

II. Generating a certificate request file with the secp384r1 curve

1. Generate the app private key

openssl ecparam -name secp384r1 -genkey -out womende_20210427_private.pem

 

2. Generate the certificate request file

openssl req -new -key womende_20210427_private.pem -out womende_20210427.csr -subj "/C=CN/ST=DD/L=sh/O=NI/OU=CN/CN=CN"

 

III. Signing the certificate request file with the private key of the key pair generated in Part I

Sign:

gpg -o womende_20210427.csr.sig -s womende_20210427.csr

This step produces: womende_20210427.csr.sig

 

Verify (you can import the public key exported in Part I on another server and then check whether the signature verifies there):

gpg --verify womende_20210427.csr.sig

The following indicates that the signature verified successfully
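
Added example (not part of the original post): gpg --verify reports success for a good signature from any key in the keyring, so the script below reads gpg's --status-fd output and accepts the file only when the signer is one pinned key. The fingerprints and status lines are constructed samples, and check_status and verify_pinned are hypothetical helper names.

```shell
#!/bin/sh
# Added example: accept a signature only if it was made by one pinned key.
# It parses the machine-readable lines gpg emits with --status-fd.

# check_status EXPECTED_FPR   (gpg status lines on stdin)
# Succeeds only if a VALIDSIG line names EXPECTED_FPR as the primary key
# fingerprint and no failure status appears anywhere in the stream.
check_status() {
    awk -v want="$1" '
        $1 != "[GNUPG:]" { next }
        $2 == "BADSIG" || $2 == "ERRSIG" || $2 == "EXPKEYSIG" || $2 == "REVKEYSIG" { bad = 1 }
        # VALIDSIG: field 3 = signing key fingerprint, field 12 = primary key fingerprint
        $2 == "VALIDSIG" { if (want != "" && $12 == want) ok = 1; else bad = 1 }
        END { if (ok && !bad) exit 0; exit 1 }
    '
}

# verify_pinned SIGNED_FILE EXPECTED_FPR   (needs gpg and the imported public key)
verify_pinned() {
    gpg --batch --status-fd 1 --verify "$1" 2>/dev/null | check_status "$2"
}

# Constructed placeholder, not the fingerprint of the key shown on this page.
PINNED_FPR=0123456789ABCDEF0123456789ABCDEF01234567

sample_good() {        # constructed: good signature from the pinned key
    cat <<'EOF'
[GNUPG:] GOODSIG 89ABCDEF01234567 testxsf <123@qq.com>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2021-04-27 1619500000 0 4 0 1 2 00 0123456789ABCDEF0123456789ABCDEF01234567
EOF
}

sample_other_key() {   # constructed: cryptographically good, but a different key
    cat <<'EOF'
[GNUPG:] GOODSIG 0123456789ABCDEF someone else <other@example.com>
[GNUPG:] VALIDSIG 89ABCDEF0123456789ABCDEF0123456789ABCDEF 2021-04-27 1619500000 0 4 0 1 2 00 89ABCDEF0123456789ABCDEF0123456789ABCDEF
EOF
}

sample_bad() {         # constructed: file was modified after signing
    cat <<'EOF'
[GNUPG:] BADSIG 89ABCDEF01234567 testxsf <123@qq.com>
EOF
}

sample_good | check_status "$PINNED_FPR" && echo "signature is from the pinned key"
```

On the verifying server, take the expected fingerprint from the key owner over a separate channel, write it without spaces, and call verify_pinned womende_20210427.csr.sig with that value.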

IV. Encrypting the certificate request file with the other party's public key

gpg --encrypt --recipient duifangdegongyaowenjian womende_20210427.csr

(The "\" is used for escaping; without it an error is reported.)

This step produces: womende_20210427.csr.gpg
