CentOS 7: encrypting and decrypting with gpg, and creating a private CA certificate

1. Create an RSA asymmetric key pair with gpg on CentOS 7

[root@centos77 ~]# gpg --gen-key    # generate a public/private key pair
gpg (GnuPG) 2.0.22; Copyright (C) 2013 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

gpg: directory `/root/.gnupg' created
gpg: new configuration file `/root/.gnupg/gpg.conf' created
gpg: WARNING: options in `/root/.gnupg/gpg.conf' are not yet active during this run
gpg: keyring `/root/.gnupg/secring.gpg' created
gpg: keyring `/root/.gnupg/pubring.gpg' created
Please select what kind of key you want:   
   (1) RSA and RSA (default)  # key algorithm options
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
Your selection? 1   # pick option 1, the default
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 2048  # key length: between 1024 and 4096 bits
Requested keysize is 2048 bits
Please specify how long the key should be valid.  # key validity period
         0 = key does not expire     # the key never expires
      <n>  = key expires in n days   # the key expires after n days
      <n>w = key expires in n weeks  # the key expires after n weeks
      <n>m = key expires in n months # the key expires after n months
      <n>y = key expires in n years  # the key expires after n years
Key is valid for? (0) y  # choose a validity period
invalid value            # "y" on its own is not a valid value here
Key is valid for? (0) y  
invalid value
Key is valid for? (0) 
Key does not expire at all  # the key never expires
Is this correct? (y/N) y    # confirm the choice
GnuPG needs to construct a user ID to identify your key.

Real name: centos77   # name, at least five characters
Email address:        # e-mail address (left blank)
Comment: 
You selected this USER-ID:
    "centos77"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O   # O (uppercase) saves the user ID and continues
You need a Passphrase to protect your secret key.
# a passphrase protects the secret key

# the passphrase entered here was: 123456
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: key D4AA14A2 marked as ultimately trusted
public and secret key created and signed.

gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
pub   2048R/D4AA14A2 2020-09-05
      Key fingerprint = 955D C22C 841E 8063 320B  67D0 29FA 804D D4AA 14A2
uid                  centos77
sub   2048R/988B04FC 2020-09-05

# list the generated public key
[root@centos77 ~]# gpg --list-keys  
/root/.gnupg/pubring.gpg       # path of the public keyring
------------------------
pub   2048R/D4AA14A2 2020-09-05
uid                  centos77
sub   2048R/988B04FC 2020-09-05

2. Copy the public key exported from CentOS 7 to CentOS 8, and on CentOS 8 encrypt a file with the CentOS 7 public key

# export the public key to magedu.pubkey
[root@centos77 ~]# gpg -a --export -o magedu.pubkey
[root@centos77 ~]# ls -l
total 8
-rw-------. 1 root root 1631 Aug  4 20:25 anaconda-ks.cfg
-rw-r--r--. 1 root root 1687 Sep  5 20:32 magedu.pubkey


# copy the public key file to the CentOS 8 host where the file will be encrypted
[root@centos77 ~]# scp magedu.pubkey root@10.0.0.80:/root/
root@10.0.0.80's password: 
magedu.pubkey                                                100% 1687   495.5KB/s   00:00    
[root@hah ~]# ls -l /root
total 16
-rw-r--r--  1 root root  390 Sep  5 15:09 123456.pub
-rw-------. 1 root root 1572 Aug  5 19:28 anaconda-ks.cfg
-rw-r--r--  1 root root  380 Sep  5 16:23 id_rsa_2048.pub
-rw-r--r--  1 root root 1687 Sep  5 20:32 magedu.pubkey

# list keys (the keyring on this host is still empty)
[root@hah ~]# gpg --list-keys
gpg: /root/.gnupg/trustdb.gpg: trustdb created

# generate a key pair on CentOS 8
[root@hah ~]# gpg --gen-key
gpg (GnuPG) 2.2.9; Copyright (C) 2018 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Note: Use "gpg --full-generate-key" for a full featured key generation dialog.

GnuPG needs to construct a user ID to identify your key.

Real name: centos80
Email address: 
You selected this USER-ID:
    "centos80"

Change (N)ame, (E)mail, or (O)kay/(Q)uit? O


# the passphrase entered here was: 654321
[root@hah ~]# gpg --import magedu.pubkey   # import the centos77 public key
gpg: key 29FA804DD4AA14A2: public key "centos77" imported
gpg: Total number processed: 1
gpg:               imported: 1
[root@hah ~]# gpg --list-keys # list the public keys
/root/.gnupg/pubring.kbx
------------------------
pub   rsa2048 2020-09-05 [SC] [expires: 2022-09-05]
      98F4B23952579AD594F52188DAB3D8E045DC4679
uid           [ultimate] centos80
sub   rsa2048 2020-09-05 [E] [expires: 2022-09-05]

pub   rsa2048 2020-09-05 [SC]
      955DC22C841E8063320B67D029FA804DD4AA14A2
uid           [ unknown] centos77
sub   rsa2048 2020-09-05 [E]

[root@hah ~]# echo mage > test  # create a test file

# encrypt a file on the CentOS 8 host (here: test) with the public key imported from CentOS 7, producing file.gpg (here: test.gpg)
# note: the recipient given to -r, i.e. whose public key is used for encryption, is the name chosen when that key pair was created
[root@hah ~]# gpg -e -r centos77 test  
gpg: 960FE6D8988B04FC: There is no assurance this key belongs to the named user
sub  rsa2048/960FE6D8988B04FC 2020-09-05 centos77
 Primary key fingerprint: 955D C22C 841E 8063 320B  67D0 29FA 804D D4AA 14A2
      Subkey fingerprint: CBA2 939F 041D 669E D47B  2C6C 960F E6D8 988B 04FC

It is NOT certain that the key belongs to the person named
in the user ID.  If you *really* know what you are doing,
you may answer the next question with yes.

Use this key anyway? (y/N) y

[root@hah ~]# ls -l
total 24
-rw-r--r--  1 root root  390 Sep  5 15:09 123456.pub
-rw-------. 1 root root 1572 Aug  5 19:28 anaconda-ks.cfg
-rw-r--r--  1 root root  380 Sep  5 16:23 id_rsa_2048.pub
-rw-r--r--  1 root root 1687 Sep  5 20:32 magedu.pubkey
-rw-r--r--  1 root root    5 Sep  5 20:44 test
-rw-r--r--  1 root root  341 Sep  5 20:47 test.gpg

[root@hah ~]# cat test.gpg 
# (binary ciphertext; not printable in the terminal)
[root@hah ~]# 

3. Back on the CentOS 7 server: copy the file.txt.gpg file over from the remote host and decrypt it with the CentOS 7 private key

[root@hah ~]# scp test.gpg root@10.0.0.77:/root/
root@10.0.0.77's password: 
test.gpg                                                     100%  341   145.8KB/s   00:00    
[root@hah ~]# 

[root@centos77 ~]# ls -l
total 12
-rw-------. 1 root root 1631 Aug  4 20:25 anaconda-ks.cfg
-rw-r--r--. 1 root root 1687 Sep  5 20:32 magedu.pubkey
-rw-r--r--. 1 root root  341 Sep  5 20:51 test.gpg

# decrypt the file and print its contents
[root@centos77 ~]# gpg -d test.gpg

You need a passphrase to unlock the secret key for
user: "centos77"
2048-bit RSA key, ID 988B04FC, created 2020-09-05 (main key ID D4AA14A2)

gpg: encrypted with 2048-bit RSA key, ID 988B04FC, created 2020-09-05
      "centos77"
mage


# the passphrase entered is the one protecting the centos77 host's secret key
# write the decrypted output to a file: -o is the output file, -d the file to decrypt
[root@centos77 ~]# gpg -o test77 -d test.gpg

You need a passphrase to unlock the secret key for
user: "centos77"
2048-bit RSA key, ID 988B04FC, created 2020-09-05 (main key ID D4AA14A2)

gpg: encrypted with 2048-bit RSA key, ID 988B04FC, created 2020-09-05
      "centos77"

[root@centos77 ~]# ls -l
total 16
-rw-------. 1 root root 1631 Aug  4 20:25 anaconda-ks.cfg
-rw-r--r--. 1 root root 1687 Sep  5 20:32 magedu.pubkey
-rw-r--r--. 1 root root    5 Sep  5 20:55 test77
-rw-r--r--. 1 root root  341 Sep  5 20:51 test.gpg
[root@centos77 ~]# cat test77 
mage
[root@centos77 ~]# 
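
The three gpg steps above as one non-interactive script, added here as an example and not part of the original post. Two GNUPGHOME directories stand in for the two hosts, and a fingerprint comparison (the fingerprint printed on the generating host in section 1 against the one carried by the imported file) replaces the "Use this key anyway? (y/N) y" answer; it assumes gpg 2.1 or later, and the passphrases are constructed values.

```shell
# Added example, not from the original post: sections 1-3 as one non-interactive script.
# Two GNUPGHOME directories stand in for the two hosts, and a fingerprint comparison
# replaces the "Use this key anyway? (y/N) y" answer. Assumes gpg 2.1+ (agent-based).
set -eu

# Unattended key generation (RSA/RSA, no expiry, passphrase-protected) in $home.
gpg_gen() {
    local home=$1 name=$2 pass=$3
    mkdir -p "$home" && chmod 700 "$home"
    printf '%s\n' "Key-Type: RSA" "Key-Length: 2048" "Subkey-Type: RSA" \
        "Subkey-Length: 2048" "Name-Real: $name" "Expire-Date: 0" \
        "Passphrase: $pass" "%commit" > "$home/params"
    gpg --homedir "$home" --batch --quiet --pinentry-mode loopback \
        --gen-key "$home/params" 2>/dev/null
}

# Primary-key fingerprint of $name: field 10 of the first "fpr" record in colon output.
gpg_fpr() {
    gpg --homedir "$1" --batch --with-colons --fingerprint "$2" 2>/dev/null |
        awk -F: '$1 == "fpr" { print $10; exit }'
}

# ASCII-armoured public key export, the equivalent of `gpg -a --export -o magedu.pubkey`.
gpg_export() { gpg --homedir "$1" --batch -a --export "$2" > "$3"; }

# Import $file into $home only if the fingerprint it carries equals $expected, the value
# read off the generating host (section 1 prints it). Otherwise import nothing, return 1.
gpg_import_checked() {
    local home=$1 file=$2 expected=$3 actual
    actual=$(gpg --homedir "$home" --batch --with-colons --import-options show-only \
        --import "$file" 2>/dev/null | awk -F: '$1 == "fpr" { print $10; exit }')
    [ "$actual" = "$expected" ] || return 1
    gpg --homedir "$home" --batch --quiet --import "$file" 2>/dev/null
}

# Encrypt $in for recipient fingerprint $fpr. In batch mode an unverified key is
# "unusable", so trust is asserted explicitly here, justified by the check above.
gpg_encrypt() {
    local home=$1 fpr=$2 in=$3 out=$4
    gpg --homedir "$home" --batch --yes --quiet --trust-model always \
        -r "$fpr" -o "$out" -e "$in" 2>/dev/null
}

# Decrypt $in with the secret key in $home, supplying the passphrase via loopback
# (outside a demo, --passphrase-file or --passphrase-fd beats a command-line argument).
gpg_decrypt() {
    local home=$1 pass=$2 in=$3 out=$4
    gpg --homedir "$home" --batch --yes --quiet --pinentry-mode loopback \
        --passphrase "$pass" -o "$out" -d "$in" 2>/dev/null
}
```

Decryption from the second home directory fails with "No secret key", which is the whole point of the public-key exchange: only the host that generated the pair can read the file.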

4. Create a CA with openssl on CentOS 7

# install openssl and its development package
[root@centos771 pki]# yum -y install openssl openssl-devel

# look at the existing CA directory layout
[root@centos771 pki]# cd CA/
[root@centos771 CA]# ls
certs  crl  newcerts  private

# create the files the CA needs
[root@centos771 CA]# touch index.txt   # certificate database (index.txt)
[root@centos771 CA]# echo 01 > serial  # serial number of the next certificate: 01, incremented for each one; the value is hexadecimal
[root@centos771 CA]# ll
total 4
drwxr-xr-x. 2 root root 6 Aug  9  2019 certs
drwxr-xr-x. 2 root root 6 Aug  9  2019 crl
-rw-r--r--. 1 root root 0 Sep  6 13:24 index.txt
drwxr-xr-x. 2 root root 6 Aug  9  2019 newcerts
drwx------. 2 root root 6 Aug  9  2019 private
-rw-r--r--. 1 root root 3 Sep  6 13:24 serial

# generate the CA private key
[root@centos771 CA]# (umask 066; openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus
.....................................................................................................................................+++
..........+++
e is 65537 (0x10001)


# generate the self-signed CA certificate; note that it is written to /etc/pki/CA
[root@centos771 CA]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem -days 360
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:henan
Locality Name (eg, city) [Default City]:zhengzhou
Organization Name (eg, company) [Default Company Ltd]:magedu
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:www.magedu.org
Email Address []:
[root@centos771 CA]# 
[root@centos771 CA]# ll
total 8
-rw-r--r--. 1 root root 1322 Sep  6 13:28 cacert.pem
drwxr-xr-x. 2 root root    6 Aug  9  2019 certs
drwxr-xr-x. 2 root root    6 Aug  9  2019 crl
-rw-r--r--. 1 root root    0 Sep  6 13:24 index.txt
drwxr-xr-x. 2 root root    6 Aug  9  2019 newcerts
drwx------. 2 root root   23 Sep  6 13:26 private
-rw-r--r--. 1 root root    3 Sep  6 13:24 serial
[root@centos771 CA]# cat cacert.pem 
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
[root@centos771 CA]# sz cacert.pem 
[root@centos771 CA]# 
# add a .crt suffix to the downloaded file name: cacert.pem.crt
# install the certificate on the client

5. Create a certificate signing request with openssl on CentOS 7 and sign it with the root certificate created above

# create the private key
[root@centos771 CA]# mkdir -p /data/test_ca/demo
[root@centos771 CA]# (umask 066; openssl genrsa -out   /data/test_ca/demo/test.key 2048)
Generating RSA private key, 2048 bit long modulus
....................+++
...+++
e is 65537 (0x10001)

# generate the request (note: by default the Country, State/Province and Organization fields must match the CA's)
[root@centos771 CA]# openssl req -new -key /data/test_ca/demo/test.key -out /data/test_ca/demo/test.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:henan
Locality Name (eg, city) [Default City]:zhengzhou
Organization Name (eg, company) [Default Company Ltd]:magedu
Organizational Unit Name (eg, section) []:java
Common Name (eg, your name or your server's hostname) []:www.test.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@centos771 CA]# 

[root@centos771 CA]# cat /data/test_ca/demo/test.csr 
-----BEGIN CERTIFICATE REQUEST-----
...
-----END CERTIFICATE REQUEST-----

# the CA issues the certificate
[root@centos771 CA]# openssl ca -in /data/test_ca/demo/test.csr -out /etc/pki/CA/certs/test.crt -days 100
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Sep  6 05:47:44 2020 GMT
            Not After : Dec 15 05:47:44 2020 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = henan
            organizationName          = magedu
            organizationalUnitName    = java
            commonName                = www.test.com
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                2B:51:17:23:97:08:B8:AB:97:08:8C:F3:42:91:C5:BF:1F:A0:DF:68
            X509v3 Authority Key Identifier: 
                keyid:E5:60:51:CA:94:D1:42:EA:F4:93:C4:3C:2B:55:5D:B9:5F:3E:89:CF

Certificate is to be certified until Dec 15 05:47:44 2020 GMT (100 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@centos771 CA]# 

[root@centos771 CA]# ll certs/
total 8
-rw-r--r--. 1 root root 4451 Sep  6 13:48 test.crt
[root@centos771 CA]# cat certs/test.crt 
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=CN, ST=henan, L=zhengzhou, O=magedu, OU=IT, CN=www.magedu.org
        Validity
            Not Before: Sep  6 05:47:44 2020 GMT
            Not After : Dec 15 05:47:44 2020 GMT
        Subject: C=CN, ST=henan, O=magedu, OU=java, CN=www.test.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:a1:97:5f:9b:74:85:75:47:4f:5c:61:38:8d:9b:
                    64:f1:ad:90:45:8b:c3:dd:c3:88:07:8f:bb:0d:60:
                    a6:25:ac:31:e5:04:cc:bf:f9:9d:82:05:55:43:3f:
                    bf:95:17:ef:05:9e:bc:0e:cf:27:ac:29:d3:d8:a4:
                    07:6a:3c:57:02:9c:66:fd:d9:e2:b2:ba:f5:82:59:
                    ce:f0:73:00:96:d3:a7:db:3e:d9:54:47:06:2c:9d:
                    fe:59:71:d9:ad:be:c8:2f:bc:02:4f:e1:2e:d2:1d:
                    cd:57:73:c8:b2:02:c2:5c:0a:96:b7:30:2b:f6:c5:
                    fc:b6:73:9b:77:8e:45:cb:b0:d5:c0:ab:5a:3e:ad:
                    4e:d0:a3:ff:04:d0:41:6d:94:a2:bc:40:ee:0e:cb:
                    58:92:95:8f:da:88:31:1e:93:21:3b:b8:f2:0d:79:
                    58:55:2f:bf:6d:f2:6b:ae:81:3a:69:23:fd:31:c6:
                    42:11:fb:7e:b8:37:23:cb:f9:35:e1:7b:e6:04:92:
                    f7:fc:2c:cd:64:94:67:d0:3b:08:a2:37:44:dc:1b:
                    89:59:f8:f6:05:47:30:1b:3b:96:f5:2d:be:07:59:
                    81:64:b0:20:ef:f7:bc:b0:ab:e6:dd:d8:9b:73:84:
                    34:ad:c3:14:ca:30:7e:c0:22:c0:2a:71:97:ed:62:
                    8b:79
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                2B:51:17:23:97:08:B8:AB:97:08:8C:F3:42:91:C5:BF:1F:A0:DF:68
            X509v3 Authority Key Identifier: 
                keyid:E5:60:51:CA:94:D1:42:EA:F4:93:C4:3C:2B:55:5D:B9:5F:3E:89:CF

    Signature Algorithm: sha256WithRSAEncryption
         cd:d9:4f:2a:39:29:8f:6b:cc:95:19:31:34:e7:64:91:a0:de:
         8e:fc:2b:8a:ed:da:c7:6f:f3:a9:1e:1a:31:f2:d1:f3:90:30:
         62:8a:b2:df:a6:57:52:14:c8:be:62:21:cb:9b:8a:94:4c:91:
         af:4d:10:5f:0e:b9:98:b7:7a:25:8e:c4:85:2d:15:70:4d:49:
         c1:0e:33:3b:9f:17:3c:04:41:7b:1d:b1:5b:73:f9:3c:53:6a:
         86:c1:76:ae:9b:62:f0:3e:ad:d2:62:cc:fe:88:a5:c9:75:9d:
         87:5c:b9:97:4f:da:75:9d:e2:54:25:1f:50:d5:a0:8f:2a:b8:
         03:d6:c5:dc:16:03:d9:4b:fc:cf:5c:53:db:e4:76:1b:3b:b6:
         18:65:22:a7:0b:a3:25:f1:31:32:97:36:53:6b:2f:01:7d:bd:
         0b:0e:9a:d8:e1:25:2e:12:2d:55:ec:03:d3:a0:c3:59:1c:41:
         69:d8:ef:f2:b6:7c:09:82:2f:85:18:4c:af:cf:50:8d:49:de:
         56:84:10:f8:e0:49:7c:c1:18:ce:4d:0e:9c:76:a7:ff:0d:3e:
         e6:08:c8:a8:b0:69:7b:3f:72:d4:40:19:ff:c4:8e:90:46:18:
         76:5c:8e:0c:0f:61:87:ae:a1:cd:56:6d:76:78:8a:95:5b:3e:
         7d:27:e2:64
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
[root@centos771 CA]# 

# view the certificate contents
[root@centos771 CA]# openssl x509 -in certs/test.crt -noout   -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=CN, ST=henan, L=zhengzhou, O=magedu, OU=IT, CN=www.magedu.org
        Validity
            Not Before: Sep  6 05:47:44 2020 GMT
            Not After : Dec 15 05:47:44 2020 GMT
        Subject: C=CN, ST=henan, O=magedu, OU=java, CN=www.test.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:a1:97:5f:9b:74:85:75:47:4f:5c:61:38:8d:9b:
                    64:f1:ad:90:45:8b:c3:dd:c3:88:07:8f:bb:0d:60:
                    a6:25:ac:31:e5:04:cc:bf:f9:9d:82:05:55:43:3f:
                    bf:95:17:ef:05:9e:bc:0e:cf:27:ac:29:d3:d8:a4:
                    07:6a:3c:57:02:9c:66:fd:d9:e2:b2:ba:f5:82:59:
                    ce:f0:73:00:96:d3:a7:db:3e:d9:54:47:06:2c:9d:
                    fe:59:71:d9:ad:be:c8:2f:bc:02:4f:e1:2e:d2:1d:
                    cd:57:73:c8:b2:02:c2:5c:0a:96:b7:30:2b:f6:c5:
                    fc:b6:73:9b:77:8e:45:cb:b0:d5:c0:ab:5a:3e:ad:
                    4e:d0:a3:ff:04:d0:41:6d:94:a2:bc:40:ee:0e:cb:
                    58:92:95:8f:da:88:31:1e:93:21:3b:b8:f2:0d:79:
                    58:55:2f:bf:6d:f2:6b:ae:81:3a:69:23:fd:31:c6:
                    42:11:fb:7e:b8:37:23:cb:f9:35:e1:7b:e6:04:92:
                    f7:fc:2c:cd:64:94:67:d0:3b:08:a2:37:44:dc:1b:
                    89:59:f8:f6:05:47:30:1b:3b:96:f5:2d:be:07:59:
                    81:64:b0:20:ef:f7:bc:b0:ab:e6:dd:d8:9b:73:84:
                    34:ad:c3:14:ca:30:7e:c0:22:c0:2a:71:97:ed:62:
                    8b:79
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                2B:51:17:23:97:08:B8:AB:97:08:8C:F3:42:91:C5:BF:1F:A0:DF:68
            X509v3 Authority Key Identifier: 
                keyid:E5:60:51:CA:94:D1:42:EA:F4:93:C4:3C:2B:55:5D:B9:5F:3E:89:CF

    Signature Algorithm: sha256WithRSAEncryption
         cd:d9:4f:2a:39:29:8f:6b:cc:95:19:31:34:e7:64:91:a0:de:
         8e:fc:2b:8a:ed:da:c7:6f:f3:a9:1e:1a:31:f2:d1:f3:90:30:
         62:8a:b2:df:a6:57:52:14:c8:be:62:21:cb:9b:8a:94:4c:91:
         af:4d:10:5f:0e:b9:98:b7:7a:25:8e:c4:85:2d:15:70:4d:49:
         c1:0e:33:3b:9f:17:3c:04:41:7b:1d:b1:5b:73:f9:3c:53:6a:
         86:c1:76:ae:9b:62:f0:3e:ad:d2:62:cc:fe:88:a5:c9:75:9d:
         87:5c:b9:97:4f:da:75:9d:e2:54:25:1f:50:d5:a0:8f:2a:b8:
         03:d6:c5:dc:16:03:d9:4b:fc:cf:5c:53:db:e4:76:1b:3b:b6:
         18:65:22:a7:0b:a3:25:f1:31:32:97:36:53:6b:2f:01:7d:bd:
         0b:0e:9a:d8:e1:25:2e:12:2d:55:ec:03:d3:a0:c3:59:1c:41:
         69:d8:ef:f2:b6:7c:09:82:2f:85:18:4c:af:cf:50:8d:49:de:
         56:84:10:f8:e0:49:7c:c1:18:ce:4d:0e:9c:76:a7:ff:0d:3e:
         e6:08:c8:a8:b0:69:7b:3f:72:d4:40:19:ff:c4:8e:90:46:18:
         76:5c:8e:0c:0f:61:87:ae:a1:cd:56:6d:76:78:8a:95:5b:3e:
         7d:27:e2:64

[root@centos771 CA]# sz certs/test.crt 
[root@centos771 CA]# 

6. Revoke an issued certificate

# identify the certificate to revoke (serial number and subject)
[root@centos771 CA]# openssl x509 -in certs/test.crt -noout -serial -subject
serial=01
subject= /C=CN/ST=henan/O=magedu/OU=java/CN=www.test.com

# create the required file holding the number of the next CRL
[root@centos771 CA]# echo 01 > /etc/pki/CA/crlnumber

# revoke the certificate
[root@centos771 CA]# openssl ca -revoke newcerts/01.pem   # the file under newcerts/ is named after the certificate's serial number
Using configuration from /etc/pki/tls/openssl.cnf
ERROR:Already revoked, serial number 01

# regenerate the certificate revocation list
[root@centos771 CA]# openssl ca -gencrl -out crl.pem
Using configuration from /etc/pki/tls/openssl.cnf

# view the revocation list
[root@centos771 CA]# openssl crl -in /etc/pki/CA/crl.pem -noout -text
Certificate Revocation List (CRL):
        Version 2 (0x1)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: /C=CN/ST=henan/L=zhengzhou/O=magedu/OU=IT/CN=www.magedu.org
        Last Update: Sep  6 06:10:39 2020 GMT
        Next Update: Oct  6 06:10:39 2020 GMT
        CRL extensions:
            X509v3 CRL Number: 
                1
Revoked Certificates:
    Serial Number: 01
        Revocation Date: Sep  6 05:59:00 2020 GMT
    Signature Algorithm: sha256WithRSAEncryption
         ce:e5:70:ac:f4:90:85:ae:d3:e7:94:79:0d:f5:83:70:64:7c:
         7c:1e:d7:b1:00:e5:7c:c8:fc:e6:9c:fd:88:ac:ea:83:6b:0c:
         7d:c5:5f:c3:89:a9:d2:c4:8b:f5:14:99:16:19:52:67:45:7e:
         bf:10:53:b2:4d:3d:6b:70:df:2d:77:3d:c7:a7:7f:cb:d6:b7:
         ba:89:c6:da:fe:f6:b3:94:bd:dc:87:a4:6c:48:77:b8:c2:28:
         18:9c:f6:09:ff:32:95:a5:28:2d:62:3f:e1:c6:a7:1e:d2:71:
         c7:e1:00:e4:e7:fd:11:7d:10:f6:1f:f7:b7:0f:91:31:0d:33:
         7d:fe:1c:5d:9b:e6:95:c3:84:28:71:59:7f:93:99:a0:e1:79:
         7d:ba:66:5a:68:7e:92:fd:8d:f9:b0:55:38:83:03:72:dd:c8:
         bc:45:6e:0c:8b:db:77:20:06:1f:f2:01:23:d5:ff:79:eb:57:
         a6:dc:ce:03:ef:3c:74:44:44:88:59:72:34:e7:14:d4:af:82:
         af:7e:b4:4a:a3:30:e2:f7:81:76:de:c4:75:8d:13:39:46:22:
         fc:30:03:e7:15:08:16:e7:a6:43:16:1a:36:89:55:8c:60:c5:
         01:eb:f7:5b:ae:b0:18:fe:eb:6b:20:aa:05:ff:77:5e:55:96:
         c3:e1:47:f3
[root@centos771 CA]# ls
cacert.pem  crl        crlnumber.old  index.txt       index.txt.attr.old  newcerts  serial
certs       crlnumber  crl.pem        index.txt.attr  index.txt.old       private   serial.old

# check the status of the revoked certificate
[root@centos771 CA]# openssl ca -status 01
Using configuration from /etc/pki/tls/openssl.cnf
01=Revoked (R)

# view the database contents
[root@centos771 CA]# cat index.txt
R	201215054744Z	200906055900Z	01	unknown	/C=CN/ST=henan/O=magedu/OU=java/CN=www.test.com

[root@centos771 CA]# sz crl.pem 
[root@centos771 CA]# 
# add a .crl suffix to the downloaded file name: crl.pem.crl
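
Sections 4 to 6 as one non-interactive script, added here as an example and not part of the original post. It rebuilds the CA in a scratch directory with its own minimal openssl.cnf instead of /etc/pki/CA and the system openssl.cnf, uses the same subjects as above, and adds the two checks the walkthrough stops short of: verifying the issued certificate against the CA and checking it against the published CRL, both before and after revocation. It assumes only `openssl` 1.1.1 or later in $PATH.

```shell
# Added example, not from the original post: sections 4-6 rebuilt non-interactively in
# a scratch directory with a minimal openssl.cnf, plus the two checks the post skips
# (chain verification and a CRL check). Assumes only `openssl` 1.1.1+ in $PATH.
set -eu
# Create a self-contained CA directory mirroring the /etc/pki/CA layout.
ca_setup() {
    local dir=$1
    mkdir -p "$dir/certs" "$dir/crl" "$dir/newcerts" "$dir/private" && chmod 700 "$dir/private"
    : > "$dir/index.txt"                                  # empty certificate database
    echo 01 > "$dir/serial"; echo 01 > "$dir/crlnumber"   # next cert / CRL number (hex)
    # policy_match is the rule that forces C, ST and O in a CSR to equal the CA's own.
    cat > "$dir/openssl.cnf" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir = $dir
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
certificate = \$dir/cacert.pem
private_key = \$dir/private/cakey.pem
serial = \$dir/serial
crlnumber = \$dir/crlnumber
default_md = sha256
default_crl_days = 30
policy = policy_match
x509_extensions = usr_cert
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
[ usr_cert ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
subjectKeyIdentifier = hash
EOF
    (umask 066; openssl genrsa -out "$dir/private/cakey.pem" 2048 2>/dev/null)
    openssl req -new -x509 -config "$dir/openssl.cnf" -key "$dir/private/cakey.pem" -days 360 \
        -out "$dir/cacert.pem" -subj "/C=CN/ST=henan/L=zhengzhou/O=magedu/OU=IT/CN=www.magedu.org"
    # Publish an (empty) CRL from day one so relying parties can always fetch one.
    openssl ca -batch -config "$dir/openssl.cnf" -gencrl -out "$dir/crl.pem" 2>/dev/null
}

# Key + CSR for $name with subject $subj, signed by the CA. Returns non-zero when the
# subject violates policy_match (e.g. another ST), the mismatch the post warns about.
ca_issue() {
    local dir=$1 name=$2 subj=$3
    (umask 066; openssl genrsa -out "$dir/$name.key" 2048 2>/dev/null)
    openssl req -new -config "$dir/openssl.cnf" -key "$dir/$name.key" -out "$dir/$name.csr" -subj "$subj"
    openssl ca -batch -config "$dir/openssl.cnf" -in "$dir/$name.csr" -out "$dir/certs/$name.crt" -days 100 2>/dev/null
}

# Revoke by certificate file (like `openssl ca -revoke newcerts/01.pem`) and regenerate
# the CRL; without -gencrl the revocation sits in index.txt but is never published.
ca_revoke() {
    local dir=$1 crt=$2
    openssl ca -batch -config "$dir/openssl.cnf" -revoke "$crt" 2>/dev/null
    openssl ca -batch -config "$dir/openssl.cnf" -gencrl -out "$dir/crl.pem" 2>/dev/null
}

# Returns 0 only if $crt chains to cacert.pem AND is absent from the current CRL.
ca_verify() {
    local dir=$1 crt=$2
    cat "$dir/cacert.pem" "$dir/crl.pem" > "$dir/trust.pem"   # -CAfile may hold certs and CRLs
    openssl verify -crl_check -CAfile "$dir/trust.pem" "$crt" >/dev/null 2>&1
}
```

Note that the issued certificate loses its L= field exactly as in section 5: fields absent from the policy section are dropped silently, so the policy decides the subject, not the CSR.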
