2020-09-05 Encryption and Certificates

Homework for 09-05

  1. Create an RSA asymmetric key pair with gpg on CentOS7

    # Interactive key generation. Note: this session chooses a 1024-bit key, no expiry and no passphrase; gpg's own default is 2048 bits, and a passphrase is the minimum for anything beyond a lab exercise.
    [root@CentOS7 ~]#gpg --gen-key
    gpg (GnuPG) 2.0.22; Copyright (C) 2013 Free Software Foundation, Inc.
    This is free software: you are free to change and redistribute it.
    There is NO WARRANTY, to the extent permitted by law.
    
    Please select what kind of key you want:
       (1) RSA and RSA (default)
       (2) DSA and Elgamal
       (3) DSA (sign only)
       (4) RSA (sign only)
    Your selection? 
    RSA keys may be between 1024 and 4096 bits long.
    What keysize do you want? (2048) 1024
    Requested keysize is 1024 bits
    Please specify how long the key should be valid.
             0 = key does not expire
          <n>  = key expires in n days
          <n>w = key expires in n weeks
          <n>m = key expires in n months
          <n>y = key expires in n years
    Key is valid for? (0) 
    Key does not expire at all
    Is this correct? (y/N) y
    
    GnuPG needs to construct a user ID to identify your key.
    
    Real name: jacklee
    Email address: 
    Comment: 
    You selected this USER-ID:
        "jacklee"
    
    Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
    You need a Passphrase to protect your secret key.
    
    You don't want a passphrase - this is probably a *bad* idea!
    I will do it anyway.  You can change your passphrase at any time,
    using this program with the option "--edit-key".
    
    We need to generate a lot of random bytes. It is a good idea to perform
    some other action (type on the keyboard, move the mouse, utilize the
    disks) during the prime generation; this gives the random number
    generator a better chance to gain enough entropy.
    -------------------------------------------------
    gpg: key 659DF37C marked as ultimately trusted
    public and secret key created and signed.
    
    gpg: checking the trustdb
    gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
    gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
    pub   1024R/659DF37C 2020-09-05
          Key fingerprint = A9AD 6CD4 CDF8 18FB F9B9  3892 8A27 C6EA 659D F37C
    uid                  jacklee
    sub   1024R/CEE16899 2020-09-05
    
    [root@CentOS7 ~]#
    [root@CentOS7 ~]#gpg --list-key
    /root/.gnupg/pubring.gpg
    ------------------------
    pub   1024R/659DF37C 2020-09-05
    uid                  jacklee
    sub   1024R/CEE16899 2020-09-05
    
  2. Copy the public key exported from CentOS7 to CentOS8, and use it on CentOS8 to encrypt a file

    # Export the public key from centos7 (ASCII-armored, so it survives copy-paste and scp alike)
    [root@CentOS7 ~]#gpg -a --export -o jacklee7.pubkey
    [root@CentOS7 ~]#ll
    total 4
    -rw-r--r-- 1 root root 988 Sep  5 21:54 jacklee7.pubkey
    
    # Transfer it to centos8
    [root@CentOS7 ~]#scp jacklee7.pubkey 10.0.0.8:
    root@10.0.0.8's password: 
    jacklee7.pubkey                                                   100%  988   401.9KB/s   00:00 
    
    # Import it on centos8
    [root@CentOS8 ~]#gpg --import jacklee7.pubkey 
    gpg: key 8A27C6EA659DF37C: public key "jacklee" imported
    gpg: Total number processed: 1
    gpg:               imported: 1
    
    # Check the import result. The fingerprint shown here must equal the one printed on CentOS7 at generation time (A9AD 6CD4 ... 659D F37C); "[ unknown]" is the key's validity, which is why gpg warns before using it below.
    [root@CentOS8 ~]#gpg --list-key 
    /root/.gnupg/pubring.kbx
    ------------------------
    pub   rsa1024 2020-09-05 [SC]
          A9AD6CD4CDF818FBF9B938928A27C6EA659DF37C
    uid           [ unknown] jacklee
    sub   rsa1024 2020-09-05 [E]
    
    # Encrypt a file with the centos7 public key. "-r jacklee" selects the recipient by name, so any imported key with that uid would match; the fingerprint is the safe selector. Answering "y" below is justified only because the fingerprint was compared against the CentOS7 output first.
    [root@CentOS8 ~]#gpg -e -r jacklee pass8
    gpg: 8577BD7ACEE16899: There is no assurance this key belongs to the named user
    sub  rsa1024/8577BD7ACEE16899 2020-09-05 jacklee
     Primary key fingerprint: A9AD 6CD4 CDF8 18FB F9B9  3892 8A27 C6EA 659D F37C
          Subkey fingerprint: 6AEA 4B58 52DD 833D B7A3  9668 8577 BD7A CEE1 6899
    
    It is NOT certain that the key belongs to the person named
    in the user ID.  If you *really* know what you are doing,
    you may answer the next question with yes.
    
    Use this key anyway? (y/N) y
    
    [root@CentOS8 ~]#ll pass8.gpg 
    -rw-r--r-- 1 root root 593 Sep  5 21:59 pass8.gpg
    
  3. Back on the CentOS7 server, copy the encrypted file (file.txt.gpg in the assignment text; pass8.gpg here) over the network and decrypt it with the CentOS7 private key

    # On centos7, fetch pass8.gpg from centos8
    [root@CentOS7 ~]#scp root@10.0.0.8:/root/pass8.gpg /root
    root@10.0.0.8's password: 
    pass8.gpg                                                         100%  593   424.3KB/s   00:00    
    
    [root@CentOS7 ~]#ls
    jacklee7.pubkey  pass8.gpg
    
    # Decrypt with the centos7 private key. Everything after the "encrypted with" lines is the recovered plaintext: pass8 evidently holds the usage text of `openssl passwd`.
    [root@CentOS7 ~]#gpg -d pass8.gpg 
    gpg: encrypted with 1024-bit RSA key, ID CEE16899, created 2020-09-05
          "jacklee"
    Usage: passwd [options]
    Valid options are:
    -help              Display this summary
    -in infile         Read passwords from file
    -noverify          Never verify when reading password from terminal
    -quiet             No warnings
    -table             Format output as table
    -reverse           Switch table columns
    -salt val          Use provided salt
    -stdin             Read passwords from stdin
    -6                 SHA512-based password algorithm
    -5                 SHA256-based password algorithm
    -apr1              MD5-based password algorithm, Apache variant
    -1                 MD5-based password algorithm
    -aixmd5            AIX MD5-based password algorithm
    -crypt             Standard Unix password algorithm (default)
    -rand val          Load the file(s) into the random number generator
    -writerand outfile Write random data to the specified file
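
The three gpg steps above done non-interactively, as an added example that is not part of the original page. It simulates the two machines as two GNUPGHOME directories and adds the step the interactive session skips: comparing the imported key's fingerprint with a value received out of band before encrypting, instead of answering the "Use this key anyway?" prompt. It assumes GnuPG 2.1 or later (CentOS8 ships 2.2; the %no-protection directive does not exist in CentOS7's 2.0.22); the user name, e-mail address, file names and sample plaintext are made up for the example.

```bash
#!/usr/bin/env bash
# Added example, not code from the original page: the gpg key exchange done
# without prompts. "centos7" = key owner, "centos8" = the host encrypting
# a file for the owner. Requires GnuPG >= 2.1. All names are hypothetical.
set -eu

# Pick the primary-key fingerprint out of gpg's machine-readable listing.
# Reads all of stdin so the producer is never hit by SIGPIPE.
first_fingerprint() {
  awk -F: '$1 == "fpr" && !seen { print $10; seen = 1 }'
}

# Step 1 on the owner's host. Differences from the interactive session on
# the page: 3072-bit keys instead of 1024, a 2-year expiry instead of none,
# and an e-mail address in the UID so the key can be selected unambiguously.
# %no-protection is here only because this demo has no terminal; a real key
# should carry a passphrase (the "Passphrase:" parameter, or an interactive run).
gen_owner_key() {
  local home="$1"
  mkdir -p "$home" && chmod 700 "$home"
  gpg --homedir "$home" --batch --quiet --gen-key <<'EOF'
%no-protection
Key-Type: RSA
Key-Length: 3072
Key-Usage: sign
Subkey-Type: RSA
Subkey-Length: 3072
Subkey-Usage: encrypt
Name-Real: jacklee
Name-Email: jacklee@example.com
Expire-Date: 2y
%commit
EOF
  # This is the value the owner publishes out of band (phone, signed mail, wiki).
  gpg --homedir "$home" --batch --with-colons --fingerprint | first_fingerprint
}

# Compare a fingerprint received out of band with the one gpg computed from the
# imported key. Accepts the spaced "A9AD 6CD4 ..." form or the bare 40-hex form;
# short key IDs are rejected. Non-zero return means: do not use the key.
verify_fingerprint() {
  local expected actual
  expected=$(printf '%s' "$1" | tr -d ' ' | tr '[:lower:]' '[:upper:]')
  actual=$(printf '%s' "$2" | tr -d ' ' | tr '[:lower:]' '[:upper:]')
  [ "${#expected}" -eq 40 ] && [ "$expected" = "$actual" ]
}

# Step 2 on the sending host: import, check the fingerprint, then encrypt.
# This is the check gpg asks for with "There is no assurance this key belongs
# to the named user"; once the script has done it, --trust-model always tells
# gpg not to ask again, and the recipient is named by full fingerprint rather
# than by the name "jacklee", which any imported key could carry.
sender_encrypt() {
  local home="$1" pubkey="$2" expected_fpr="$3" infile="$4" outfile="$5"
  local actual_fpr
  mkdir -p "$home" && chmod 700 "$home"
  gpg --homedir "$home" --batch --quiet --import "$pubkey"
  actual_fpr=$(gpg --homedir "$home" --batch --with-colons --fingerprint | first_fingerprint)
  if ! verify_fingerprint "$expected_fpr" "$actual_fpr"; then
    echo "fingerprint mismatch (got $actual_fpr): refusing to encrypt" >&2
    return 1
  fi
  gpg --homedir "$home" --batch --yes --quiet --trust-model always \
      -r "$actual_fpr" -o "$outfile" -e "$infile"
}

# Step 3 back on the owner's host: decrypt with the private key.
owner_decrypt() {
  local home="$1" infile="$2" outfile="$3"
  gpg --homedir "$home" --batch --yes --quiet -o "$outfile" -d "$infile"
}

# Whole round trip inside one working directory; returns 0 when the decrypted
# file is byte-identical to the original.
gpg_exchange_demo() {
  local work="$1" fpr
  fpr=$(gen_owner_key "$work/centos7")
  printf '%s\n' "$fpr" > "$work/owner.fpr"        # stands in for the out-of-band channel
  gpg --homedir "$work/centos7" --batch --armor --export "$fpr" > "$work/jacklee7.pubkey"
  printf 'constructed sample plaintext standing in for pass8\n' > "$work/pass8"
  sender_encrypt "$work/centos8" "$work/jacklee7.pubkey" "$(cat "$work/owner.fpr")" \
                 "$work/pass8" "$work/pass8.gpg"
  owner_decrypt "$work/centos7" "$work/pass8.gpg" "$work/pass8.dec"
  gpgconf --homedir "$work/centos7" --kill gpg-agent 2>/dev/null || true
  gpgconf --homedir "$work/centos8" --kill gpg-agent 2>/dev/null || true
  cmp -s "$work/pass8" "$work/pass8.dec"
}

if command -v gpg >/dev/null 2>&1; then
  gpg_exchange_demo "$(mktemp -d)"
  echo "gpg round trip OK"
else
  echo "gpg not installed: functions defined, demo skipped" >&2
fi
```

Run it as a script: it generates the key, exports and imports it, refuses to encrypt when the fingerprint does not match the published value, and prints "gpg round trip OK" when the decrypted file equals the original. The point of `verify_fingerprint` is that the 8-hex key ID gpg prints (659DF37C) is far too short to identify a key; only the full 40-hex fingerprint is.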
    
  4. Create a CA with openssl on CentOS7

    [root@CentOS7 ~]#cd /etc/pki/CA/
    [root@CentOS7 CA]#tree
    .
    ├── certs
    ├── crl
    ├── newcerts
    └── private
    
    4 directories, 0 files
    -----------------------
    # First create the files `openssl ca` needs in order to issue certificates: index.txt (the certificate database) and serial (the next serial number)
    [root@CentOS7 CA]#touch index.txt
    [root@CentOS7 CA]#echo 01 > serial
    [root@CentOS7 CA]#ll serial index.txt 
    -rw-r--r-- 1 root root 0 Sep  5 22:12 index.txt
    -rw-r--r-- 1 root root 3 Sep  5 22:12 serial
    --------------------------------------------------
    # Create the CA private key (umask 066 makes the file mode 600 from the start). 1024-bit RSA is used here; anything outside a lab needs at least 2048 bits, which current TLS stacks and CA policies require.
    [root@CentOS7 CA]#(umask 066;openssl genrsa -out private/cakey.pem 1024)
    Generating RSA private key, 1024 bit long modulus
    ..............................................++++++
    ..............................................++++++
    e is 65537 (0x10001)
    [root@CentOS7 CA]#ll private/cakey.pem 
    -rw------- 1 root root 887 Sep  5 22:14 private/cakey.pem
    -----------------------------------------------------------
    # Issue the CA its self-signed certificate (the Common Name is left empty here, so the issuer DN consists of the remaining fields)
    [root@CentOS7 CA]#ll serial index.txt 
    -rw-r--r-- 1 root root 0 Sep  5 22:12 index.txt
    -rw-r--r-- 1 root root 3 Sep  5 22:12 serial
    [root@CentOS7 CA]#ll private/cakey.pem 
    -rw------- 1 root root 887 Sep  5 22:14 private/cakey.pem
    [root@CentOS7 CA]#openssl req -new -x509 -key private/cakey.pem -days 999 -out cacert.pem
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [XX]:CN
    State or Province Name (full name) []:hubei
    Locality Name (eg, city) [Default City]:wuhan
    Organization Name (eg, company) [Default Company Ltd]:poly
    Organizational Unit Name (eg, section) []:caokunzi
    Common Name (eg, your name or your server's hostname) []:
    Email Address []:
    [root@CentOS7 CA]#ll cacert.pem 
    -rw-r--r-- 1 root root 899 Sep  5 22:17 cacert.pem
    
  5. Create a certificate signing request with openssl on CentOS7 and sign it with the root CA above

    # Generate the requester's private key (it never leaves /data/qq; only the CSR is handed to the CA)
    [root@CentOS7 CA]#mkdir /data/qq
    [root@CentOS7 CA]#tree /data/
    /data/
    └── qq
    
    1 directory, 0 files
    [root@CentOS7 CA]#(umask 066;openssl genrsa -out /data/qq/qq.key 1024)
    Generating RSA private key, 1024 bit long modulus
    ...........................++++++
    .......................++++++
    e is 65537 (0x10001)
    [root@CentOS7 CA]#tree /data/
    /data/
    └── qq
        └── qq.key
    
    1 directory, 1 file
    ---------------------
    # Create the certificate signing request (CSR): it carries the public key and the DN, signed with the requester's key
    [root@CentOS7 CA]#openssl req -new -key /data/qq/qq.key -out /data/qq/qq.csr
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [XX]:CN
    State or Province Name (full name) []:hubei
    Locality Name (eg, city) [Default City]:wuhan
    Organization Name (eg, company) [Default Company Ltd]:poly
    Organizational Unit Name (eg, section) []:qq        
    Common Name (eg, your name or your server's hostname) []:qq
    Email Address []:
    
    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:
    [root@CentOS7 CA]#tree /data/
    /data/
    └── qq
        ├── qq.csr
        └── qq.key
    
    1 directory, 2 files
    -----------------------
    # The CA signs the certificate. Note that the Subject below has no localityName: the default policy_match section of /etc/pki/tls/openssl.cnf does not list that field, so openssl ca drops it. The certificate also has no subjectAltName, so a TLS client would not accept it for a hostname.
    [root@CentOS7 CA]#openssl ca -in /data/qq/qq.csr -out certs/qq.crt -days 99
    Using configuration from /etc/pki/tls/openssl.cnf
    Check that the request matches the signature
    Signature ok
    Certificate Details:
            Serial Number: 1 (0x1)
            Validity
                Not Before: Sep  5 14:23:48 2020 GMT
                Not After : Dec 13 14:23:48 2020 GMT
            Subject:
                countryName               = CN
                stateOrProvinceName       = hubei
                organizationName          = poly
                organizationalUnitName    = qq
                commonName                = qq
            X509v3 extensions:
                X509v3 Basic Constraints: 
                    CA:FALSE
                Netscape Comment: 
                    OpenSSL Generated Certificate
                X509v3 Subject Key Identifier: 
                    4C:FA:14:36:D1:00:73:75:A4:6F:5C:3A:FC:73:6C:7D:BA:26:AC:C2
                X509v3 Authority Key Identifier: 
                    keyid:59:4F:AB:77:22:3E:06:C7:1D:2F:32:D1:EB:C8:14:D1:20:0C:E5:C4
    
    Certificate is to be certified until Dec 13 14:23:48 2020 GMT (99 days)
    Sign the certificate? [y/n]:y
    
    
    1 out of 1 certificate requests certified, commit? [y/n]y
    Write out database with 1 new entries
    Data Base Updated
    [root@CentOS7 CA]#ll certs/qq.crt 
    -rw-r--r-- 1 root root 2985 Sep  5 22:23 certs/qq.crt
    
  6. Revoke the certificate that was just issued

    # Look up the certificate's serial number
    [root@CentOS7 CA]#openssl x509 -in certs/qq.crt -noout -serial
    serial=01
    
    # Check the status of the qq certificate in the CA database
    [root@CentOS7 CA]#openssl ca -status 01
    Using configuration from /etc/pki/tls/openssl.cnf
    01=Valid (V)
    
    # Revoke it: newcerts/01.pem is the CA's own copy of the certificate, written when it was signed (certs/qq.crt would work equally)
    [root@CentOS7 CA]#openssl ca -revoke newcerts/01.pem
    Using configuration from /etc/pki/tls/openssl.cnf
    Revoking Certificate 01.
    Data Base Updated
    
    # Check the status again
    [root@CentOS7 CA]#openssl ca -status 01
    Using configuration from /etc/pki/tls/openssl.cnf
    01=Revoked (R)
    
    # Generate the certificate revocation list (crlnumber must exist first). Until the CRL is published, the revocation exists only in index.txt; Next Update below is 30 days out (default_crl_days), so the CRL must be regenerated and redistributed before then
    [root@CentOS7 CA]#echo 01 > crlnumber
    [root@CentOS7 CA]#openssl ca -gencrl -out crl.pem
    Using configuration from /etc/pki/tls/openssl.cnf
    [root@CentOS7 CA]#ll crlnumber crl.pem 
    -rw-r--r-- 1 root root   3 Sep  5 22:29 crlnumber
    -rw-r--r-- 1 root root 483 Sep  5 22:29 crl.pem
    
    # View the CRL as text
    [root@CentOS7 CA]#openssl crl -in crl.pem -noout -text
    Certificate Revocation List (CRL):
            Version 2 (0x1)
        Signature Algorithm: sha256WithRSAEncryption
            Issuer: /C=CN/ST=hubei/L=wuhan/O=poly/OU=caokunzi
            Last Update: Sep  5 14:29:48 2020 GMT
            Next Update: Oct  5 14:29:48 2020 GMT
            CRL extensions:
                X509v3 CRL Number: 
                    1
    Revoked Certificates:
        Serial Number: 01    # certificate 01 has been revoked
            Revocation Date: Sep  5 14:27:57 2020 GMT
        Signature Algorithm: sha256WithRSAEncryption
             12:64:65:ab:57:2b:9a:2b:34:e5:86:71:0c:31:f4:0a:dc:6d:
             30:23:e8:6e:1b:46:95:e2:d8:ef:a6:02:db:bf:8e:09:59:09:
             d0:18:eb:3c:7d:a2:99:20:e4:5a:11:fc:3e:1a:32:aa:d8:4c:
             41:f7:55:45:75:e2:91:bb:fe:e2:8c:65:ab:f6:46:90:42:fa:
             02:b9:3d:19:1a:10:0b:be:1a:07:5f:eb:04:63:65:6d:ce:99:
             07:ce:83:fd:b8:6d:fa:ea:37:47:ab:d4:52:cb:d2:75:62:b0:
             13:af:eb:4d:56:c2:86:41:e6:bb:12:d1:a0:1a:6d:7f:17:ee:
             19:7e
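
Steps 4 to 6 above as one non-interactive script, an added example rather than code from the original page. It carries its own openssl.cnf (so it does not depend on /etc/pki/tls/openssl.cnf and its policy_match section), issues a server certificate with a subjectAltName, revokes it with a reason code, and then checks what the page never checks: that `openssl verify -crl_check` rejects the certificate once the CRL is published, while a verifier that ignores the CRL still reports OK. It assumes the openssl CLI, 1.1.1 or 3.x; the hostname, DN values and directory layout are made up.

```bash
#!/usr/bin/env bash
# Added example, not code from the original page: a private CA driven by its
# own openssl.cnf so that every step runs without prompts. Requires the
# openssl CLI (1.1.1 or 3.x). Hostname and DN values are hypothetical.
set -eu

# CA layout plus config. Compared with the page: a 4096-bit CA key instead
# of 1024, SHA-256, explicit CA extensions on the root, and a policy that keeps
# localityName (the default policy_match drops it, which is why the qq
# certificate on the page has no L= in its Subject).
init_ca() {
  local dir="$1"
  mkdir -p "$dir/certs" "$dir/crl" "$dir/newcerts" "$dir/private"
  chmod 700 "$dir/private"
  : > "$dir/index.txt"         # certificate database (same role as "touch index.txt")
  echo 1000 > "$dir/serial"    # next certificate serial number, hex
  echo 1000 > "$dir/crlnumber" # next CRL number, hex
  cat > "$dir/openssl.cnf" <<EOF
[ ca ]
default_ca = demo_ca

[ demo_ca ]
dir              = $dir
database         = \$dir/index.txt
new_certs_dir    = \$dir/newcerts
certificate      = \$dir/cacert.pem
private_key      = \$dir/private/cakey.pem
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
default_md       = sha256
default_days     = 365
default_crl_days = 7
policy           = policy_any

[ policy_any ]
countryName            = optional
stateOrProvinceName    = optional
localityName           = optional
organizationName       = optional
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional

[ req ]
distinguished_name = req_dn
prompt             = no

[ req_dn ]
commonName = placeholder

[ v3_ca ]
basicConstraints     = critical, CA:TRUE, pathlen:0
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  (umask 077; openssl genrsa -out "$dir/private/cakey.pem" 4096 2>/dev/null)
  openssl req -config "$dir/openssl.cnf" -new -x509 -days 3650 \
    -key "$dir/private/cakey.pem" -extensions v3_ca \
    -subj "/C=CN/ST=hubei/L=wuhan/O=poly/CN=poly demo root CA" \
    -out "$dir/cacert.pem"
  # Publish an (empty) CRL from day one so relying parties always find one.
  openssl ca -config "$dir/openssl.cnf" -gencrl -out "$dir/crl/crl.pem"
}

# Issue a server certificate for one hostname: fresh key, CSR, then "openssl ca"
# with a per-certificate extension file carrying the SAN (clients match the
# hostname against the SAN, not the CN). Prints the new serial number.
issue_server_cert() {
  local dir="$1" host="$2" out
  out="$dir/certs/$host"
  (umask 077; openssl genrsa -out "$out.key" 2048 2>/dev/null)
  openssl req -config "$dir/openssl.cnf" -new -key "$out.key" \
    -subj "/C=CN/ST=hubei/L=wuhan/O=poly/CN=$host" -out "$out.csr"
  cat > "$out.ext" <<EOF
[ server_cert ]
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer
subjectAltName         = DNS:$host
EOF
  # -batch answers the two [y/n] prompts; -notext writes PEM only (the page's
  # qq.crt is 2985 bytes because the text dump is prepended by default).
  openssl ca -config "$dir/openssl.cnf" -batch -notext \
    -extfile "$out.ext" -extensions server_cert \
    -in "$out.csr" -out "$out.crt" >&2
  openssl x509 -in "$out.crt" -noout -serial | cut -d= -f2
}

# V = valid, R = revoked, E = expired, read from the CA database (tab-separated,
# column 4 is the serial). Same answer as "openssl ca -status SERIAL".
cert_status() {
  local dir="$1" serial="$2"
  awk -F'\t' -v s="$serial" '$4 == s { print $1 }' "$dir/index.txt"
}

# Revoke one certificate with a reason code and publish a fresh CRL. Revoking
# alone only edits index.txt; nobody outside the CA learns of it until the new
# CRL is generated and distributed.
revoke_and_publish() {
  local dir="$1" crt="$2"
  openssl ca -config "$dir/openssl.cnf" -revoke "$crt" -crl_reason keyCompromise
  openssl ca -config "$dir/openssl.cnf" -gencrl -out "$dir/crl/crl.pem"
}

# Validate like a careful client: chain to the root AND consult the CRL.
# Without -crl_check a revoked certificate still verifies as "OK".
verify_with_crl() {
  local dir="$1" crt="$2"
  openssl verify -crl_check -CAfile "$dir/cacert.pem" \
    -CRLfile "$dir/crl/crl.pem" "$crt" >/dev/null 2>&1
}

# Full life cycle; returns 0 when every expectation holds.
ca_demo() {
  local dir="$1" serial crt
  init_ca "$dir"
  serial=$(issue_server_cert "$dir" qq.example.com)
  crt="$dir/certs/qq.example.com.crt"
  verify_with_crl "$dir" "$crt"                  # fresh certificate, empty CRL: OK
  [ "$(cert_status "$dir" "$serial")" = V ]
  revoke_and_publish "$dir" "$crt"
  [ "$(cert_status "$dir" "$serial")" = R ]
  ! verify_with_crl "$dir" "$crt"                # now rejected: certificate revoked
}

if command -v openssl >/dev/null 2>&1; then
  ca_demo "$(mktemp -d)"
  echo "CA life cycle OK: issued, verified, revoked, rejected"
else
  echo "openssl not installed: functions defined, demo skipped" >&2
fi
```

`cert_status` reads index.txt directly because that file is the CA's whole state: a backup of the CA is a backup of private/cakey.pem, index.txt, serial and crlnumber. The last line of `ca_demo` is the one that matters operationally: after `-revoke`, `openssl verify -CAfile cacert.pem cert` without `-crl_check` still answers OK, so revocation protects nobody until the CRL (or an OCSP responder) is published where clients actually look.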
    
© Copyright belongs to the author; contact the author for reprinting or content cooperation.
Platform statement: the content (including any images or videos) was uploaded and published by the author and represents only the author's own views; 簡書 (Jianshu) is an information-publishing platform that provides storage only.
